AX Series GSLB Guide, Version 2.7.0 (10/10/2012)
Patents Protection
A10 Networks products including all AX Series products are protected by one or more of the following US patents and patents pending: 8291487, 8266235, 8151322, 8079077, 7979585, 7716378, 7675854, 7647635, 7552126, 20120216266,
20120204236, 20120179770, 20120144015, 20120084419, 20110239289, 20110093522, 20100235880, 20100217819,
20090049537, 20080229418, 20080148357, 20080109887, 20080040789, 20070283429, 20070282855, 20070271598,
20070195792, 20070180101
Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas
herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written
consent of A10 Networks, Inc. This information may contain forward looking statements and therefore is subject to change.
Disclaimer
The information presented in this document describes the specific products noted and does not imply nor grant a guarantee
of any technical performance nor does it provide cause for any eventual claims resulting from the use or misuse of the products described herein or errors and/or omissions. A10 Networks, Inc. reserves the right to make technical and other changes
to their products and documents at any time and without prior notification.
No warranty is expressed or implied; including and not limited to warranties of non-infringement, regarding programs, circuitry, descriptions and illustrations herein.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types,
please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10
Networks location, which can be found by visiting www.a10networks.com.
transfer, assign or sublicense its license rights to any other person or entity,
or use the Software on unauthorized or secondhand A10 Networks equipment
b.
make error corrections to or otherwise modify or adapt the Software or create derivative works based upon the Software, or permit third parties to do
the same
Performance by Design
Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
THE MAKING AND USE OF ADDITIONAL COPIES IS LIMITED TO NECESSARY BACKUP PURPOSES ONLY.
Term and Termination. This Agreement and the license granted herein shall remain
effective until terminated. All confidentiality obligations of Customer and all limitations of liability and disclaimers and restrictions of warranty shall survive termination
of this Agreement.
Export. Software and Documentation, including technical data, may be subject to
U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such regulations and acknowledges
that it has the responsibility to obtain licenses to export, re-export, or import Software and Documentation.
Trademarks
A10 Networks, the A10 logo, aACI, aCloud, ACOS, aDCS, aDNS, aELB, aFleX, aFlow, aGalaxy,
aPlatform, aUSG, aVCS, aWAF, aXAPI, IDAccess, IDSENTRIE, IP to ID, SmartFlow, SoftAX,
Unified Service Gateway, Virtual Chassis, VirtualADC, and VirtualN are trademarks or registered
trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners.
Corporate Headquarters
A10 Networks, Inc.
3 West Plumeria Dr
San Jose, CA 95134 USA
Tel: +1-408-325-8668 (main)
Tel: +1-888-822-7210 (support toll-free in USA)
Tel: +1-408-325-8676 (support direct dial)
Fax: +1-408-325-8666
www.a10networks.com
As an alternative to saving the output in a log file captured by your terminal emulation application, you can export the output from the CLI using
the following command:
show techsupport export [use-mgmt-port] url
(For syntax information, see the AX Series CLI Reference.)
Make sure to use the basic deployment instructions in the AX Series Installation Guide for your AX model, and in the AX Series System Configuration
and Administration Guide. Also make sure to set up your device's Lights
Out Management (LOM) interface, if applicable.
Audience
This document is intended for use by network architects for determining
applicability and planning implementation, and for system administrators
for provision and maintenance of A10 Networks AX Series products.
Documentation Updates
Updates to these documents are published periodically to the A10 Networks
support site, on an updated documentation CD (posted as a zip archive). To
access the latest version, please log onto your A10 support account and navigate to the following page: Support > AX Series > Technical Library.
http://www.a10networks.com
Contents
Audience 10
Documentation Updates 10
A10 Virtual Application Delivery Community 10
GSLB Overview 17
GSLB Configuration 27
  Overview 27
  Configure Health Monitors 28
  Configure the DNS Proxy 29
  Configure a GSLB Policy 31
    Enabling / Disabling Metrics 32
    Changing the Metric Order 34
    Configuring Active-Round Delay Time 35
    Configuring BW-Cost Settings 42
      How Bandwidth Cost Is Measured 42
      Configuration Requirements 42
      Configuring Bandwidth Cost 43
    Configuring Alias Admin Preference 47
    Configuring Weighted Alias 48
    Loading or Configuring Geo-Location Mappings 49
      Geo-location Overlap 57
  Configure Services 61
    Gateway Health Monitoring 62
      CLI Example: Site with Single Gateway Link 65
      CLI Example: Site with Multiple Gateway Links 65
    Multiple-Port Health Monitoring 66
  Configure Sites 67
  Configure a Zone 69
  Enable the GSLB Protocol 70
  Resetting or Clearing GSLB 70
Auto-mapping 73
  Configuration 74
Advanced DNS Options 77
GSLB Configuration Examples 99
  CLI Example 99
    Configuration on the GSLB AX Device (GSLB Controller) 99
    Configuration on Site AX Device AX-A 101
    Configuration on Site AX Device AX-B 101
  GUI Example 102
    Configuration on the GSLB AX Device (GSLB Controller) 102
    Configuration on Site AX Devices 112
GSLB Configuration Synchronization 113
  Overview 113
  GSLB Group Parameters 116
  Configuration 117
DNSSEC Support 133
  Overview 133
    DNS without Security 134
    DNSSEC (DNS with Security) 137
    Building the Chain of Trust 140
    Performing Key Rollovers 142
      ZSK Key Rollovers 143
      KSK Key Rollovers 144
    Importing and Exporting the Delegation Signature Keyset 145
      DNSSEC Templates 146
  Configuration 148
  Configuration Examples 151
    CLI Example #1 151
    CLI Example #2 151
    CLI Example #3 152
    CLI Example #4 152
CLI Command Reference 153
GSLB Overview
This chapter provides an overview of Global Server Load Balancing
(GSLB).
Global Server Load Balancing (GSLB) uses Domain Name Service (DNS)
technology and extends load balancing to global geographic scale.
AX Series GSLB provides the following key advantages:
Protects businesses from down time due to site failures
Ensures business continuity and applications availability
Provides faster performance and improved user experience by directing
ple sites
As of AX Release 2.7.0, no AX model or software image contains code for passive round-trip time (RTT) measurement for GSLB, which timed the gap between receiving a TCP SYN
and the TCP ACK of the same TCP connection. The code was removed entirely in 2.7.0
because no customer was using this round-trip time capability for GSLB.
server. In proxy mode, the AX device can update the A and AAAA
records in its response to client requests, but it forwards requests for all
other record types to the external DNS server.
Server mode The AX device directly responds to queries for specific
GSLB Policy
GSLB is not enabled by default; using the feature requires proper configuration. GSLB deals with multiple sites, and each site has one or more
unique IP addresses.
GSLB evaluates a fixed array of site IP addresses. The site selection
algorithm is illustrated below.
Site IP   | Metric: Health-check | Metric: Geo-location | Metric: Admin-preference | Response back in round robin
----------+----------------------+----------------------+--------------------------+-----------------------------
Site1-IP  |                      |                      |                          |
Site2-IP  |                      |                      |                          |
Site3-IP  | M                    | M                    |                          |
Site4-IP  | M                    | M                    | M                        | yes
Site5-IP  |                      |                      |                          |
Site6-IP  | M                    | M                    | M                        | yes

Site4-IP and Site6-IP are still marked at the end of the evaluation, so these two addresses are
returned in round-robin order; no single best network address is determined.
Each site IP is tagged with Marked (M) or Un-marked for each evaluated
parameter. The subsequent evaluation of the parameters is performed only
on the previously marked sites and continues until the end of all the parameters in the metric policy regardless of how many sites are remaining as
Marked. In other words, the AX device does not stop the evaluation even if
there is one single site left, and continues with the evaluation until the end
of the user configured metric parameters.
At the end of the evaluation, the responses corresponding to the marked
sites are sent back in a round-robin manner and there is no determination of
any single best network address.
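The marking walk in the table above, as an added example that is not A10's code: each metric in the policy order sees only the sites still marked by the previous metric, the walk never stops early, and the survivors are answered in round-robin order. The Site and Client records, the metric names, the sample data, and one rule the guide does not state (a metric that marks nothing keeps the whole candidate set, so a "preferred" metric never empties the reply) are assumptions made here.

```python
"""Added example, not A10's code: the marking walk from the table above.

Assumed here (not stated in the guide): a metric that marks nothing keeps the
whole candidate set, so a "preferred" metric never empties the reply. Site
records, metric names and sample data are constructed for this example.
"""
from dataclasses import dataclass
from itertools import count
from typing import Callable


@dataclass(frozen=True)
class Site:
    ip: str
    healthy: bool       # result of the site's health checks
    geo: str            # geo-location the site serves, e.g. "US"
    admin_pref: int     # administratively assigned preference, higher wins


@dataclass(frozen=True)
class Client:
    geo: str            # geo-location the client's address maps to


# A metric maps (currently marked sites, client) -> the subset it marks.
Metric = Callable[[list, Client], list]


def health_check(cands: list, _client: Client) -> list:
    up = [s for s in cands if s.healthy]
    return up or cands                      # all down: nothing preferred, keep all


def geo_location(cands: list, client: Client) -> list:
    near = [s for s in cands if s.geo == client.geo]
    return near or cands                    # no site in the client's region


def admin_preference(cands: list, _client: Client) -> list:
    best = max(s.admin_pref for s in cands)
    return [s for s in cands if s.admin_pref == best]


DEFAULT_ORDER = [health_check, geo_location, admin_preference]


def evaluate(sites: list, client: Client, order=DEFAULT_ORDER):
    """Run every metric in order over the previously marked sites.

    Returns (marked sites, trace); trace records which IPs were still marked
    after each metric, i.e. the M columns of the table."""
    marked = list(sites)
    trace = {}
    for metric in order:
        marked = metric(marked, client)     # keeps going even if one site is left
        trace[metric.__name__] = [s.ip for s in marked]
    return marked, trace


class RoundRobin:
    """Tie-breaker: rotate the answer order among the surviving sites."""

    def __init__(self) -> None:
        self._turn = count()

    def answer(self, marked: list) -> list:
        if not marked:
            return []
        k = next(self._turn) % len(marked)
        return [s.ip for s in marked[k:] + marked[:k]]


# Constructed sample data reproducing the table: Site1, Site2 and Site5 fail
# the health check; Site3 has a lower admin preference than Site4 and Site6.
EXAMPLE_SITES = [
    Site("Site1-IP", healthy=False, geo="US", admin_pref=20),
    Site("Site2-IP", healthy=False, geo="US", admin_pref=20),
    Site("Site3-IP", healthy=True, geo="US", admin_pref=10),
    Site("Site4-IP", healthy=True, geo="US", admin_pref=20),
    Site("Site5-IP", healthy=False, geo="US", admin_pref=20),
    Site("Site6-IP", healthy=True, geo="US", admin_pref=20),
]
EXAMPLE_CLIENT = Client(geo="US")

if __name__ == "__main__":
    survivors, trace = evaluate(EXAMPLE_SITES, EXAMPLE_CLIENT)
    rr = RoundRobin()
    print(trace)
    print(rr.answer(survivors), rr.answer(survivors))
```

Running the module prints the per-metric trace for the table's data ({'health_check': [Site3, Site4, Site6], 'geo_location': [Site3, Site4, Site6], 'admin_preference': [Site4, Site6]}) followed by two successive replies whose order rotates between Site4-IP and Site6-IP.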
Policy Metrics
A GSLB policy consists of one or more of the following metrics:
1. Health-Check Services that pass health checks are preferred.
2. Weighted-IP Service IP addresses with higher administratively
assigned weights are used more often than service IP addresses with
lower weights. (See Weighted-IP and Weighted-Site on page 21.)
3. Weighted-Site Sites with higher administratively assigned weights are
used more often than sites with lower weights. (See Weighted-IP and
Weighted-Site on page 21.)
4. Session-Capacity Sites with more available sessions based on respective maximum Session-Capacity are preferred.
Note:
If DNS caching is used, the cycle starts over if the cache aging timer
expires.
Tie-Breaker
The AX device uses Round-Robin as a tie-breaker to select a site. This is
true even if the Round-Robin metric is disabled in the GSLB policy. (See
Configure a GSLB Policy on page 31.)
Health Checks
The Health-Check metric checks the availability (health) of the real servers
and service ports. Sites whose real servers and service ports respond to the
health checks are preferred over sites in which servers or service ports are
unresponsive to the health checks.
GSLB supports health check methods for the following services:
ICMP (Layer 3 health check), TCP, UDP, HTTP, HTTPS, FTP, SMTP,
POP3, SNMP, DNS, RADIUS, LDAP, RTSP, SIP
You can use the default health methods or configure new methods for any of
these services.
Note:
By default, the GSLB protocol generates its own packets when sending a
health check to a service. If the GSLB protocol cannot reach the service,
then another health check is performed using standard network traffic.
Health-Check Precedence
Health monitoring for a GSLB service can be performed at the following
levels and in the following order:
1. Gateway health check
Geo-Location
You can configure GSLB to prefer site VIPs for DNS replies that are geographically closer to the clients. For example, if a domain is served by sites
in both the USA and Asia, you can configure GSLB to favor the USA site
for USA clients while preferring the Asian site for Asian clients.
To configure geo-location:
Leave the Geographic GSLB metric enabled; it is enabled by default.
Load geo-location data. You can load geo-location data from a file or
Each of the aliases in the list above can be associated with a different geo-location:
If a client's IP address is within the geo-location that is associated with
www.1.a10.com, then GSLB places a CNAME record for www.1.a10.com
in the DNS reply to that client.
DNS response from the DNS answer, GSLB selects a DNS A record
using IP metrics, and then tries to insert the DNS CNAME record into
the answer based on geo-location settings. While inserting the CNAME
record, if the Alias metrics are enabled, GSLB may remove some
CNAME records and related service IPs.
DNS server If applicable, enable the backup-alias option. If there is no
DNS A record to return, GSLB tries to insert all backup DNS CNAME
records. During insertion, if Alias metrics are enabled, GSLB may
remove some CNAME records. No DNS A records are returned.
This option also requires the dns-cname-record as-backup option on the
service.
DNS Options
DNS options provide additional control over the IP addresses that are listed
in DNS replies to clients.
The following DNS options can be set in GSLB policies:
dns action Enable GSLB to perform DNS actions specified in the service configurations.
dns active-only Removes IP addresses for services that did not pass
replies for A records, when the device is configured for DNS proxy or
cache mode.
dns auto-map Enables creation of A and AAAA records for IP
resources configured on the AX device. For example, this option is useful for auto-mapping VIP addresses to service-IP addresses.
dns backup-alias Returns the alias CNAME record configured for the
service, if GSLB does not receive an answer to a query for the service
and no active DNS server exists. This option is valid in server mode or
proxy mode.
dns backup-server Designates one or more backup servers that can be
enabled, the GSLB-AX applies the zone and service policy to the
Cname record instead of applying it to the address record.
dns delegation Enables sub-zone delegation. The feature allows you to
vice IP. If this option is disabled, the internal address is returned instead.
dns external-soa Replaces the internal SOA record with an external
geo-location.
dns hint Enables hints, which appear in the Additional Section of the
DNS response. Hints are A or AAAA records that are sent in the
response to a client's DNS request. These records provide a mapping
between host names and IP addresses.
DNS server. The AX device must be in GSLB proxy mode for the feature to work.
dns selected-only Returns only the selected IP addresses.
dns server Enables the GSLB AX device to act as a DNS server, for
The site-selection options are considered in the following order: sticky, server, cache, proxy.
GSLB does not have a separately configurable proxy option. The proxy
option is automatically enabled when you configure the DNS proxy as
part of GSLB configuration.
The site address selected by the first option that is applicable to the client
and requested service is used.
TTL Override
GSLB ensures that DNS replies to clients contain the optimal set of IP
addresses based on current network conditions. However, if the DNS TTL
value assigned to the Address records is long, the local DNS servers used by
clients might cache the replies for a long time and send those stale replies to
clients. Thus, even though the GSLB AX device has current information,
clients might receive outdated information.
In DNS server mode, the DNS response from the AX device includes an
IP TTL (maximum number of Layer 3 hops), with a default value equal to
255. This IP TTL can be configured using the following CLI command:
gslb system ip-ttl.
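The two TTLs this section distinguishes, as an added example that is not A10's code: a DNS reply with A records for the selected site IPs, a proxy-mode TTL override that rewrites the record TTL of an upstream reply in place so resolvers do not cache a stale site selection, and the separate IP-layer TTL set on the reply socket in server mode. The wire-format helpers are written here from the DNS message layout; the transaction ID, names and addresses are constructed sample data, and the function names are this example's own.

```python
"""Added example, not A10's code: DNS record TTL override versus IP TTL.

Pure wire-format handling with no network I/O. The txid, the names and
the IPs used in the usage section are constructed sample data.
"""
import socket
import struct

A, IN = 1, 1
FLAGS_AUTH_RESPONSE = 0x8580   # QR=1, AA=1, RD=1, RA=1, RCODE=0


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _read_name(msg, off):
    """Return (name, offset just past the name at `off`), following compression pointers."""
    labels, end = [], None
    while True:
        l = msg[off]
        if l & 0xC0 == 0xC0:                       # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if l == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        labels.append(msg[off + 1:off + 1 + l].decode("ascii"))
        off += 1 + l


def build_a_response(txid, qname, ips, ttl):
    """Server-mode style reply: one A record per selected site IP, same TTL on each."""
    hdr = struct.pack("!HHHHHH", txid, FLAGS_AUTH_RESPONSE, 1, len(ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", A, IN)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", A, IN, ttl, 4) + socket.inet_aton(ip)
        for ip in ips)   # 0xC00C = pointer to the question name at offset 12
    return hdr + question + answers


def _answer_records(msg):
    """Yield (name, rtype, rclass, ttl_offset, rdata) for each answer record."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        yield name, rtype, rclass, off + 4, msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen


def parse_a_records(msg):
    """[(owner name, dotted IP, ttl)] for every A/IN record in the answer section."""
    return [(name, socket.inet_ntoa(rdata), struct.unpack("!I", msg[t:t + 4])[0])
            for name, rtype, rclass, t, rdata in _answer_records(msg)
            if rtype == A and rclass == IN]


def override_a_ttl(msg, new_ttl):
    """Proxy-mode TTL override: patch the TTL field of every A record in place."""
    out = bytearray(msg)
    for _name, rtype, rclass, t, _rdata in _answer_records(msg):
        if rtype == A and rclass == IN:
            out[t:t + 4] = struct.pack("!I", new_ttl)
    return bytes(out)


def udp_socket_with_ip_ttl(ttl=255):
    """Server mode: the IP-layer hop limit on the reply socket, unrelated to record TTLs."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    return s


def ip_ttl_of(sock):
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TTL)


if __name__ == "__main__":
    upstream = build_a_response(0x1234, "www.example.com",
                                ["192.0.2.10", "198.51.100.10"], 86400)
    print(parse_a_records(upstream))
    print(parse_a_records(override_a_ttl(upstream, 10)))
```

The override only touches the 32-bit TTL fields, so the message length and the compression pointers stay valid; a real proxy would apply the same walk to AAAA records and leave other record types untouched, as the DNS options above describe.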
More Information
See Advanced DNS Options on page 77.
Note:
Enabling the GSLB protocol is also required if you are using the default
health-check methods. However, if you modify the default health checks,
then the GSLB protocol does not need to be enabled. (See Health
Checks on page 21.)
GSLB Configuration
This chapter describes the configuration of Global Server Load Balancing
(GSLB).
Overview
Configuration is required on the GSLB AX device (GSLB controller) and
the site AX devices.
Note:
The AX device provides an optional mechanism to automatically synchronize GSLB configurations and service IP status among multiple
GSLB controllers for a GSLB zone. If you plan to use automatic GSLB
configuration synchronization among controllers, first see GSLB Configuration Synchronization on page 113.
Note:
This chapter shows the GUI pages for detailed configuration. The GUI
also provides pages for simple GSLB configuration. Navigate to Config
Mode > Getting Started > GSLB Easy Config. See the online help or
AX Series GUI Reference for information.
Configuration on GSLB Controller
To configure GSLB on the GSLB AX device:
1. Configure health monitors for the DNS server to be proxied and for the
GSLB services to be load balanced.
2. Configure a DNS proxy.
3. Configure a GSLB policy (unless you plan to use the default policy settings, described in GSLB Policy on page 18).
4. Configure services.
5. Configure sites.
6. Configure a zone.
7. Enable the GSLB protocol for the GSLB controller function.
Note:
If you plan to run GSLB in server mode, the proxy DNS server does not
require configuration of a real server or service group. Only the VIP is
required. However, if you plan to run GSLB in proxy mode, the real
The following sections describe the GSLB configuration steps in the GUI
and in the CLI. Required commands and commonly used options are listed.
For advanced commands and options, see CLI Command Reference on
page 153.
Note:
Each of the following sections shows the CLI and GUI configuration. For
complete configuration examples, see GSLB Configuration Examples
on page 99.
The GUI will not accept the configuration if the IP address you enter here
is the same as the real DNS server IP address you enter when configuring
the service group for this proxy (below).
5. (Optional) To add this proxy configuration of the DNS server to a High
Availability (HA) group, select the group.
6. In the GSLB Port section, click Add.
7. In the Port field, enter the DNS port number, if not already filled in.
8. In the Service Group field, select create. The Service Group and
Server sections appear.
9. In the Name field, enter a name for the service group.
All other metrics are disabled. (For detailed information about policy
parameters and their defaults, see Policy Configuration Commands on
page 188 or the AX Series GUI Reference or online help.)
To disable a GSLB metric, use the no form of the command for the metric, at the configuration level for the policy. For example, to disable the
Health-Check metric, enter the following command at the configuration
level for the policy:
AX(config gslb-policy)#no health-check
Note:
delay-time (aRDT) for a client, the site AX device sends queries for the
domain name to the client's local DNS. An aRDT sample consists of the
time between when the site AX device sends a query and when it
receives the response.
Only one aRDT domain can be configured. It is recommended to use a
domain name that is likely to be in the cache of each client's local DNS.
The default domain name is google.com.
The AX device averages multiple aRDT samples together to calculate
the aRDT measurement for a client. (See the description of Track
below.)
Interval Specifies the number of seconds between queries. You can
data for a client after a query fails. You can specify 1-300 seconds. The
default is 3.
collects samples for a client. The samples collected during the track time
are averaged together, and the averaged value is used as the aRDT measurement for the client. You can specify 3-16383 seconds. The default is
60 seconds.
The averaged aRDT measurement is used until it ages out. The aging
time for averaged aRDT measurements is 10 minutes by default and is
configurable on individual sites, using the aRDT aging-time command.
To configure global aRDT options, use the following command at the global
configuration level of the CLI:
[no] gslb active-rdt
{
domain domain-name |
interval seconds |
retry num |
sleep seconds |
timeout ms |
track seconds
}
Default Settings
When you enable aRDT, a site AX device sends DNS requests to the
GSLB domain's local DNS. The GSLB AX device then averages the aRDT
times of 5 samples (the default).
Single Sample (Single Shot)
To take a single sample and use that sample indefinitely, use the single-shot
option. This option instructs each site AX device to send a single DNS
query to the GSLB local DNS.
The single-shot option is useful if you do not want to frequently update the
aRDT measurements. For example, if the GSLB domain's clients tend to
remain logged on for long periods of time, using the single-shot option
ensures that clients are not frequently sent to differing sites based on aRDT
measurements.
wait for the DNS reply. If the reply does not arrive within the specified
timeout, the site becomes ineligible for selection, in cases where selection is based on the aRDT metric. You can specify 1-255 seconds. The
default is 3 seconds.
skip Specifies the number of site AX devices that can exceed their single-shot timeouts, without the aRDT metric itself being skipped by the
GSLB AX device during site selection. You can skip from 1-31 sites.
The default is 3.
Multiple Samples
To periodically retake aRDT samples, do not use the single-shot option. In
this case, the AX device uses the averaged aRDT value based on the number
of samples measured for the intervals.
For example, if you set aRDT to use 3 samples with an interval of 5 seconds, the aRDT is the average over the last 3 samples, collected in 5-second
intervals. If you configure single-shot instead, a single sample is taken.
The number of samples can be 1-8. The default is 5 samples.
Store-By
By default, the GSLB AX device stores one aRDT measurement per site
SLB device. Optionally, you can configure the GSLB AX device to store
one measurement per geo-location instead. This option is configurable on
individual GSLB sites. (See Changing aRDT Settings for a Site on
page 39.)
Tolerance
The default measurement tolerance is 10 percent. If the aRDT measurements for more than one site are within 10 percent, the GSLB AX device
considers the sites to be equal in terms of aRDT. You can adjust the tolerance to any value from 0-100 percent.
The following commands access the configuration level for GSLB policy
gslbp3 and enable the aRDT metric, using single-shot settings:
AX(config)#gslb policy gslbp3
AX(config gslb-policy)#active-rdt single-shot
AX(config gslb-policy)#active-rdt skip 3
In this example, each site AX device will send a single DNS query to the
GSLB domain's local DNS, and wait 3 seconds (the default) for a reply. The
site AX devices will then send their aRDT measurements to the GSLB AX
device. However, if more than 3 site AX devices fail to send their aRDT
measurements to the GSLB AX device, the AX device will not use the
aRDT metric.
Changing aRDT Settings for a Site
You can adjust the following aRDT settings on individual sites:
aging-time Specifies the maximum amount of time a stored aRDT
result can be used. You can specify 1-60 minutes. The default is 10 minutes.
bind-geoloc Stores the aRDT measurements on a per geo-location
basis. Without this option, the measurements are stored on a per site SLB device basis.
ignore-count Specifies the ignore count if aRDT is out of range. You
128.
limit Specifies the limit. You can specify 1-16383. The default is
16383 milliseconds.
mask Based on the subnet mask or mask length, the entry can be a host
surement can differ from the previous measurement. If the new measurement differs from the previous measurement by more than the
allowed percentage, the new measurement is discarded and the previous
measurement is used again.
list, then load the entries from the black/white list into an IP list.
Use this command to configure individual IP list entries.
In the current release, IP lists can not be configured using the GUI.
Configuration Requirements
To use the BW-Cost metric, an SNMP template must be configured and
bound to each site. The GSLB SNMP template specifies the SNMP version
and other information necessary to access the SNMP agent on the site AX
device, and the Object Identifier (OID) of the MIB object to request.
In addition, the following BW-Cost parameters must be configured on each
site:
Bandwidth limit The bandwidth limit specifies the maximum value of
the requested MIB object for the site to be eligible for selection.
Bandwidth threshold For a site to regain eligibility when BW-Cost is
being compared, the SNMP object's value must be below the threshold percentage of the limit value.
For example, if the limit value is 80,000 and the threshold is 90 (percent), then the SNMP object's value must be 72,000 or less for the site to become
eligible again based on bandwidth cost. Once a site again becomes eligible, the SNMP object's value is again allowed to increase up to the
bandwidth limit value (80,000 in this example).
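The following is an added example, not code from the A10 guide, that models the limit/threshold hysteresis just described for a single site so the eligibility transitions can be traced reading by reading. The class name, method names, the assumption that a new site starts eligible, and the sample readings are all constructed for this illustration; the limit and threshold values are the guide's own.

```python
"""Added example (not from the A10 guide): the BW-Cost limit/threshold
hysteresis described above, modelled for one site. The class and method names
and the sample readings are constructed for this illustration."""
from typing import List, Tuple


class BwCostSite:
    """Tracks a site's BW-Cost eligibility from successive SNMP readings."""

    def __init__(self, limit: int, threshold_pct: int) -> None:
        if not 0 <= threshold_pct <= 100:
            raise ValueError("threshold is a percentage of the limit")
        self.limit = limit                  # bw-cost limit <n>
        self.threshold_pct = threshold_pct  # bw-cost ... threshold <pct>
        self.eligible = True                # a new site starts eligible (assumption)

    def reenable_level(self) -> float:
        """Value the MIB object must fall to before the site is eligible again."""
        return self.limit * self.threshold_pct / 100.0

    def update(self, snmp_value: int) -> bool:
        """Apply one polled reading and return the resulting eligibility."""
        if self.eligible:
            # Eligible sites may rise all the way to the limit.
            if snmp_value > self.limit:
                self.eligible = False
        else:
            # An ineligible site must drop to the threshold, not just below the
            # limit, so a value oscillating around the limit does not flap.
            if snmp_value <= self.reenable_level():
                self.eligible = True
        return self.eligible


def simulate(limit: int, threshold_pct: int,
             readings: List[int]) -> List[Tuple[int, bool]]:
    """Run a sequence of readings through one site and record each decision."""
    site = BwCostSite(limit, threshold_pct)
    return [(value, site.update(value)) for value in readings]


if __name__ == "__main__":
    # The guide's numbers: limit 80,000 and threshold 90 percent -> 72,000.
    for value, ok in simulate(80_000, 90, [50_000, 85_000, 75_000, 72_000, 79_000, 80_001]):
        print(f"{value:>7}  {'eligible' if ok else 'ineligible'}")
```

Note the reading of 75,000 in the sample: it is under the limit, but the site stays ineligible until the value reaches the 72,000 re-enable level, which is the point of the threshold.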
SNMP template configuration is not supported in the GUI. Use the CLI to
configure the template, then use the following GUI procedures.
If the object is part of a table, make sure to append the table index to the
end of the OID. Otherwise, the AX device will return an error.
The following commands apply the SNMP template to a site and set the
bandwidth limit and threshold:
AX(config)#gslb site usa
AX(config gslb-site)#template snmp-1
AX(config gslb-site)#bw-cost limit 100000 threshold 90
AX(config gslb-site)#exit
The following commands enable the BW-Cost metric in the GSLB policy:
AX(config)#gslb policy pol1
AX(config-gslb policy)#bw-cost
AX(config-gslb policy)#exit
The other commands are the same as those shown in CLI Example
SNMPv2c on page 46.
your deployment:
DNS backup-alias
DNS geoloc-alias
3. If using the backup-alias option, use the dns-cname-record as-backup
option on the service.
database from a file in comma-separated-values (CSV) format. However, before loading the file, you must first configure a CSV template on
the AX device because the data in the file is formatted by the template.
Note:
You can load more than one geo-location database. When you load a new
database, if the same IP address or IP address range already exists in a
previously loaded database, the address or range is overwritten by the new
database.
Geo-Location Mappings
A geo-location mapping consists of a geo-location name and an IP address
or IP range.
If you manually map a geo-location to a GSLB site, GSLB uses the
mapping.
If no geo-location is configured for a GSLB site, GSLB automatically
AX device to a geo-location.
...
The example above shows how the CSV file appears when displayed in a
text editor. If the same data were displayed in a spreadsheet application, it
would appear like Figure 1 below.
FIGURE 1
The database file can contain more types of information (fields, or columns)
than are required for the GSLB database. When you load the CSV file into
the geo-location database, the CSV template on the AX device filters the
file to extract the required data, while ignoring the rest of the data. In the
example below, only the fields shown in bold type will be extracted and
placed into the geo-location database:
"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"
The IP addresses in this example are in bin4 format. Dotted decimal format
(for example: 69.26.125.0) is also supported. If you use bin4 format, the AX
device automatically converts the addresses into dotted decimal format
when you load the database into GSLB.
Converting IP Addresses into bin4 Format
If you want to use bin4 format in the CSV file, here is how to convert an IP
address from dotted-decimal format to bin4 format:
1. Convert each node (octet) of the address into hex.
2. Concatenate the four hex values and convert the resulting hex number into decimal.
3. Enter the decimal number into the database file.
Here is an example for IP address 69.26.125.0, the first IP address in the
example CSV file:
Dotted Decimal   Hex (each node)   Combined Hex Number   Decimal
69.26.125.0      45.1a.7d.00       451a7d00              1159363840
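The following is an added example, not from the A10 guide, that carries out the bin4 conversion above in both directions and then extracts the fields a CSV template would select from a database record, so the load step can be checked offline before a file is imported. The first CSV line is the guide's own sample record; the second line, the column layout in TEMPLATE, the hierarchical name format and all function names are constructed for this illustration.

```python
"""Added example (not from the A10 guide): converting between dotted-decimal
and bin4 addresses as described in the steps above, and pulling the fields a
CSV template would select out of a database record. The template layout,
function names and the second CSV line are constructed for this illustration;
the first CSV line is the guide's own sample record."""
import csv
import io
from typing import Dict, List


def dotted_to_bin4(addr: str) -> int:
    """Steps 1-3: each octet to two hex digits, concatenate, read as decimal."""
    octets = [int(part) for part in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {addr!r}")
    combined_hex = "".join(f"{o:02x}" for o in octets)   # 69.26.125.0 -> 451a7d00
    return int(combined_hex, 16)                           # -> 1159363840


def bin4_to_dotted(value: int) -> str:
    """Reverse conversion, as the AX device does when loading a bin4 file."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"bin4 value out of 32-bit range: {value}")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_ip(field: str) -> str:
    """Accept either format in a CSV field and return dotted decimal."""
    if field.isdigit():
        return bin4_to_dotted(int(field))
    dotted_to_bin4(field)  # validates the dotted form; raises on garbage
    return field


# Constructed stand-in for a CSV template: which column holds which field.
TEMPLATE = {"start": 0, "end": 1, "country": 2, "state": 7, "city": 10}

SAMPLE_CSV = (
    '"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST",'
    '"MA","MASSACHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"\n'
    # Constructed second record, in dotted-decimal form:
    '"69.26.126.0","69.26.126.255","US","UNITED STATES","NA","NORTH AMERICA","EST",'
    '"CA","CALIFORNIA","EXAMPLE ISP","SAN JOSE","SANTA CLARA","37.3382","-121.8863"\n'
)


def load_geo_csv(text: str, template: Dict[str, int]) -> List[Dict[str, str]]:
    """Extract only the template's columns; the rest of each row is ignored."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        entry = {name: row[col] for name, col in template.items()}
        entry["start"] = normalize_ip(entry["start"])
        entry["end"] = normalize_ip(entry["end"])
        # Hierarchical geo-location name, e.g. US.MA.MARLBOROUGH (assumed form).
        entry["name"] = ".".join((entry["country"], entry["state"], entry["city"]))
        entries.append(entry)
    return entries


if __name__ == "__main__":
    print(dotted_to_bin4("69.26.125.0"))   # 1159363840
    for e in load_geo_csv(SAMPLE_CSV, TEMPLATE):
        print(e["start"], e["end"], e["name"])
```

Both address formats can appear in the same file because normalize_ip decides per field; a value that is neither a 32-bit integer nor four valid octets raises instead of being silently loaded as a bogus range.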
(For information about the use-mgmt-port option, see the Using the Management Interface as the Source for Management Traffic chapter in the
AX Series System Configuration and Administration Guide.)
Loading the CSV File Data into the Geo-Location Database
To load the CSV file, use the following command at the global configuration level of the CLI:
[no] gslb geo-location load file-name csv-template-name
Use the file name you specified when you imported the CSV file, and the
name of the CSV template to be used for extracting data from the file.
Note:
The file-name option is available only if you have already imported a geo-location database file.
To display information about CSV files as they are being loaded, use the
following command:
show gslb geo-location file [file-name]
Manually Configuring Geo-Location Mappings
The following commands initiate loading the data from the CSV file into
the geo-location database, and display the status of the load operation:
AX(config)#gslb geo-location load test1.csv test1-tmplte
AX(config)#show gslb geo-location file
T = T(Template)/B(Built-in), Per = Percentage of loading
Filename   T  Template   Per   Lines   Success   Error
-----------------------------------------------------------------------------
test1      T  t1         98%   11      10        0
Geo-location Overlap
The geo-location overlap option searches the geo-location database for the
best match instead of searching the database with the match-first algorithm. This behavior may be helpful if you suspect that more than one host
has been mapped to a single public IP address.
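The following is an added example, not code from the A10 guide, that shows the difference between a match-first lookup and the best-match (overlap) lookup on a database where a narrow range sits inside a broader one. The entries, the load order, the range sizes and the function names are all constructed for this illustration and do not represent a real address allocation.

```python
"""Added example (not from the A10 guide): the difference between the default
match-first lookup and the geo-location overlap (best-match) lookup described
above. The database entries and function names are constructed for this
illustration; the ranges are not a real allocation."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class GeoEntry:
    name: str
    start: int   # first address of the range, as a 32-bit integer
    end: int     # last address of the range, inclusive

    def contains(self, ip: int) -> bool:
        return self.start <= ip <= self.end

    def size(self) -> int:
        return self.end - self.start + 1


def entry(name: str, first: str, last: str) -> GeoEntry:
    return GeoEntry(name, int(ipaddress.IPv4Address(first)),
                    int(ipaddress.IPv4Address(last)))


# Constructed database in load order: a broad country range loaded first, then
# two narrower ranges that overlap it (the "more than one host mapped to a
# single public IP address" situation the guide mentions).
GEO_DB: List[GeoEntry] = [
    entry("US", "69.26.0.0", "69.26.255.255"),
    entry("US.MA", "69.26.125.0", "69.26.125.255"),
    entry("US.MA.MARLBOROUGH", "69.26.125.0", "69.26.125.127"),
]


def lookup_first(db: List[GeoEntry], addr: str) -> Optional[str]:
    """Default behaviour: the first entry (in load order) containing the IP wins."""
    ip = int(ipaddress.IPv4Address(addr))
    for e in db:
        if e.contains(ip):
            return e.name
    return None


def lookup_best(db: List[GeoEntry], addr: str) -> Optional[str]:
    """Overlap option: among all containing entries, the narrowest range wins."""
    ip = int(ipaddress.IPv4Address(addr))
    matches = [e for e in db if e.contains(ip)]
    if not matches:
        return None
    return min(matches, key=GeoEntry.size).name


if __name__ == "__main__":
    for addr in ("69.26.125.5", "69.26.125.200", "69.26.200.1", "10.0.0.1"):
        print(f"{addr:>14}  first={lookup_first(GEO_DB, addr)}"
              f"  best={lookup_best(GEO_DB, addr)}")
```

With the broad range loaded first, match-first answers "US" for every address in 69.26.0.0/16 and the narrower entries are never consulted; best-match returns the most specific containing range, which is what the overlap option is for. The cost is scanning every containing entry instead of stopping at the first hit.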
Geo-location Databases Background
When configuring GSLB on the AX device, a geo-location file containing
mappings between geographic regions and IP addresses is imported onto the
AX device. For example, the IANA database is pre-installed on the AX
device prior to shipping, and it contains thousands of entries mapping geographic regions to IP address ranges.
Configure Services
A service is an application such as HTTP or FTP. For example: www.mydomain.com is a service where www is the http service or an application. Each
zone can be configured with one or more services.
To configure services in a GSLB zone, use one of the following procedures.
The following command displays the gateway health status for GSLB sites:
GSLB-AX(config)#show gslb slb-device
Attrs = Attributes, APF = Administrative Preference
Sesn-Num/Uzn = Number/Utilization of Available Sessions
GW = Gateway Status, IPCnt = Count of Service-IPs
P = GSLB Protocol, L = Local Protocol
Device           IP           Attrs  APF  Sesn-Num  Uzn  GW  IPCnt
-------------------------------------------------------------------------------
local:self       127.0.0.1           100  0         0%       0
local:self2      127.0.0.1           100  0         0%       0
local:self3      127.0.0.1           100  0         0%       2
remote:site-ax   10.1.1.1            100  0         0%   UP  0
If the same services can be reached through either link, an additional SLB-device configuration is required:
GSLB-AX(config)#gslb site remote-link-both
GSLB-AX(config-gslb site)#slb-dev site-ax-lnkboth 20.1.1.1
Note:
Applying a health monitor is required only if you do not plan to use the
default health monitors. (See Default Health Monitors on page 66.)
The following commands enable a multi-port health check for the HTTP
service www on service IP gslb-srvc2 in GSLB zone abc.com:
Configure Sites
To configure GSLB sites, use one of the following procedures.
Configure a Zone
To configure a GSLB zone, use one of the following procedures.
4. Click OK.
configuration.
no ip all At the configuration level for an IP list, removes all
IP addresses from the list.
no gslb policy all Removes all GSLB policies from the AX
device's configuration.
no gslb service-ip all Removes all service IPs from the AX
device's configuration.
no gslb site all Removes all GSLB sites from the AX
device's configuration.
no ip-server all At the site configuration level, removes
all IP servers (real servers) from the site.
no slb-device all At the site configuration level, removes
all SLB devices.
no vip-server all At the configuration level for an SLB
device, removes all virtual servers from the device.
no gslb template csv all Removes all CSV templates from the AX
device's configuration.
To remove all GSLB configuration items at the same time, you can use the
following command instead:
no gslb all
Auto-mapping
An AX device acting as a GSLB controller can retrieve the data needed to
build the DNS system by automatically returning DNS records by name.
This GSLB Auto-Mapping feature reduces the required amount of DNS
management work when deploying GSLB.
In releases prior to 2.7.0, manual configuration is required for each of the
services for which an AX device is to respond. This manual configuration
typically involves creating a service IP, applying it to a site, adding the zone,
and then mapping the service to the service IP.
With GSLB Auto-mapping, however, the AX device allows you to automatically create the service by taking the name of a system resource, or
"module", and prepending it to a zone name to form the service name
(DNS name).
Once the servers and other network devices have been configured with
basic information, auto-mapping enables the GSLB protocol to support
DNS queries for the following modules (or system resources):
SLB server
SLB virtual server
SLB device
GSLB site
GSLB service-IP
GSLB Group
Hostname
Details:
This feature only works with GSLB wildcard service.
There is no L3V support for SLB server or SLB virtual server.
Names exceeding 20 characters must be changed to DNS domain, with
Configuration
Configuring DNS Auto-mapping requires the following steps:
1. Configure DNS Auto-mapping at the zone level or system level.
2. Enable DNS Auto-mapping at the zone and/or system level.
Config Mode > Service > GSLB > Site > Add
Config Mode > Service > GSLB > Policy > Add
7. By default, all modules (resources) are selected. Select or clear the
checkboxes to choose the modules (system resources) for which the
GSLB protocol will support DNS queries.
DNS Active-only
By default, if all of the servers failed to pass the health check, then the
GSLB controller would return an empty list to the client, rather than sending
the list of IP addresses for the servers that had failed the health check.
You can configure the AX device to send the list of IP addresses (associated
with servers that failed their health checks) back to the client. The feature
can be enabled using the new dns active-only metric option.
In association with this feature, you can also designate one or more backup
servers, and the IP addresses for these servers will be sent to the client in the
event that all of the primary servers have failed. This behavior requires that
you enable the dns backup-server feature within the GSLB policy, and that
you specify the backup servers within the DNS A-record for the GSLB zone
service.
To summarize, there are now three options:
active-only (Old) Nothing is returned to the client if all servers fail the
health check.
active-only fail-safe (New) A list of IP addresses for the servers that
ture. If all servers fail the health check, then nothing is returned to
the client. (Selecting this checkbox activates the Fail Safe checkbox.)
Fail Safe checkbox Select this sub-option to have the list of IP
addresses associated with failed servers returned to the client.
6. (Optional) Select the Backup Server checkbox if you would like one or
more backup servers to be returned to the client in the event that all of
the primary servers fail.
7. When finished, click OK to save your changes.
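The following is an added example, not code from the A10 guide, that works through which addresses are returned under the active-only variants described in this section: the original behaviour (empty answer when every server fails), the fail-safe option, and the backup-server option. The function name, the constructed server set using documentation addresses, and the choice to prefer configured backups over the fail-safe list when both options are enabled are assumptions made for this illustration.

```python
"""Added example (not from the A10 guide): which addresses a GSLB controller
returns under the three active-only variants described above. Function names,
the server set and the precedence between backup servers and fail-safe are
assumptions made for this illustration."""
from typing import List, Sequence, Tuple

Server = Tuple[str, bool]   # (IP address, passed health check?)


def dns_a_answer(servers: Sequence[Server], backups: Sequence[str] = (),
                 fail_safe: bool = False, backup_server: bool = False) -> List[str]:
    """Return the A-record addresses for a query under 'dns active-only'.

    fail_safe      the new 'active-only fail-safe' option: if every server
                   failed its health check, return their addresses anyway.
    backup_server  the 'dns backup-server' policy option: if every primary
                   failed, return the configured backup servers instead.
    """
    healthy = [ip for ip, ok in servers if ok]
    if healthy:
        return healthy                       # normal case: only active servers
    # Every primary failed. Assumption: configured backups are preferred over
    # the fail-safe list of failed primaries when both options are enabled.
    if backup_server and backups:
        return list(backups)
    if fail_safe:
        return [ip for ip, _ in servers]     # a possibly-dead address beats none
    return []                                # old behaviour: empty answer


if __name__ == "__main__":
    # Constructed sample: two primaries and one backup (documentation addresses).
    partial = [("192.0.2.10", True), ("192.0.2.11", False)]
    down = [("192.0.2.10", False), ("192.0.2.11", False)]
    print(dns_a_answer(partial))                                           # ['192.0.2.10']
    print(dns_a_answer(down))                                              # []
    print(dns_a_answer(down, fail_safe=True))                              # both addresses
    print(dns_a_answer(down, backups=["192.0.2.99"], backup_server=True))  # ['192.0.2.99']
```

The operational point is the first branch: as long as at least one primary is healthy, neither fail-safe nor the backup servers change the answer, so enabling them affects only the total-outage case.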
Note:
6. Enter the desired text string in the blank DNS TXT Record field. Then,
click the Add button, as shown in Figure 4.
Note:
Use quotation marks when entering text strings that contain spaces. If a
text string is entered without using quotation marks, this will cause the
content to be split into different sections of the record.
7. When finished, scroll to the bottom of the page and click OK to save
your changes.
The AX device has a special handler that enables you to enter non-printable characters that the CLI does not support. For details, please contact
A10 Support.
Displaying Records
To display the DNS TXT Records, use the following command:
show gslb service dns-txt-record
To display the DNS TXT switch, use the following command:
show gslb policy [name]
Figure 6 shows the root zone at the top of the DNS hierarchy. The figure
also illustrates the following important points:
The next level down are the Top Level Domains (TLDs), or the DNS
servers responsible for managing the resource records for the .com,
.org and other domains.
The parent zone is located beneath the TLDs. It is at this level within the
zone level.
When delegating a sub-zone, the GSLB AX device must be in server
mode. The feature will not work with the GSLB AX device in proxy
mode.
Once a sub-zone has been delegated from the parent zone, client resolvers
will send a query for the NS record, and the response from the GSLB
AX device will have the NS record in the Authority section and the IP
address in the Additional section of the full DNS response.
Note:
The following command applies the delegation policy at the zone level for
the service group level:
AX(config-gslb zone)#policy delegation
The following optional command can be used at the GSLB zone level to
configure a DNS glue record. This configuration helps prevent circular
dependencies:
AX(config-gslb zone)#service 53 ns.finance
AX(config-gslb zone-gslb service)#dns-a-record <service-ip name>
AX(config-gslb zone-gslb service)#exit
The following commands configure a GSLB site called dc1. The site has
an AX device, dc1-ax at IP 10.10.10.50.
AX(config)#gslb site dc1
AX(config-gslb site)#slb-dev dc1-ax 10.10.10.50
AX(config-gslb site-slb dev)#vip-server dc1-vip
AX(config-gslb site-slb dev)#exit
The following commands configure a GSLB site called dc2. The site has
an AX device, dc2-ax at IP 172.16.10.50.
AX(config)#gslb site dc2
AX(config-gslb site)#slb-dev dc2-ax 172.16.10.50
AX(config-gslb site-slb dev)#vip-server dc2-vip
AX(config-gslb site-slb dev)#exit
The following commands configure three GSLB policies: (1) the default
GSLB policy, (2) GSLB policy 5 (for delegation), and (3) GSLB policy
dns-server. The AX delegates authority for the sub-domain
sub.sub.a10networks.jp to nameserver "ns01.sub.sub.a10networks.jp".
AX(config)#gslb policy default
AX(config-gslb policy)#exit
AX(config)#gslb policy 5
AX(config-gslb policy)#dns delegation
AX(config-gslb policy)#dns server
AX(config-gslb policy)#exit
The following command enables the GSLB and makes this AX device the
GSLB controller.
AX(config)#gslb protocol enable controller
default action to be applied to the selected query type. The default action
is drop.
Selecting an action without specifying the query type will cause the fea-
Prior releases supported a similar DNS Blocking option, which essentially removed the dns-a-record information from DNS responses. By
using the no-resp option at the GSLB service level for a zone, dns-a-record information would be stripped from the DNS server's response.
This new command, however, simply blocks the client's DNS request
before it is received by the back-end DNS server.
Details:
The GSLB AX device must be operating in proxy mode to support the
applied to those query types. Therefore, the first bullet below would be
an acceptable configuration, but the second bullet would not:
Reject both SRV and CNAME query types (OK)
Reject SRV but drop CNAME query types (Not OK)
4. Select the Drop or Reject Action radio button. If desired, you can select
the No radio button to disable the DNS Proxy Block feature.
5. Click the Type List drop-down menu and select the desired well-known
DNS query type that you would like to block. Then, click the Add
button. If you want to remove a query type from the list, select the
checkbox next to a query type and then click the Delete button.
To enter the action and query type on a single line, you must enter the
query type prior to entering the action. If the action is entered first, then
the query type must be entered on a separate line.
CLI Example
The following example shows the commands used to create a GSLB policy,
enable the DNS Proxy Block feature for A records, and apply the policy to the zone called example.com for the service http.
Implementation Details
Partition-specific GSLB configuration is supported only for partitions in
vidual partitions. They can be configured only globally, for all partitions
on the AX device:
GSLB system-wide settings: gslb system, gslb dns, gslb protocol
and gslb active-rdt
GSLB geo-locations (gslb geo-location)
Duplicate names are not supported for GSLB items. For example, the
same zone name can not be configured in more than one partition.
For each partition, only one GSLB Group is supported to implement
mapping.
For each partition, you can create one group, the partition group.
In the current release, the following synchronization scenario is sup-
aVCS Notes
In an aVCS deployment there is more than one device in the virtual
figuration of GSLB in a member controller requires the config-anywhere option to be enabled in the GSLB group.
Note:
For additional information about Role Based Partitions, please see the
Role-Based Administration chapter in the AX Series System Configuration and Administration Guide.
CLI Example
Configuration on the GSLB AX Device (GSLB Controller)
The following commands configure a health monitor for the local DNS
server to be proxied:
AX-Controller(config)#health monitor dns-53
AX-Controller(config-health:monitor)#method dns domain example.com
AX-Controller(config-real server)#exit
The following command loads the IANA file into the geo-location database:
AX-Controller(config)#gslb geo-location load iana
The following commands configure the sites. For each site SLB device,
enter the IP address of the AX Series device that provides SLB at the site.
For the VIP server names, enter the service IP name specified above.
AX-Controller(config)#gslb site usa
AX-Controller(config-gslb site)#slb-dev ax-a 2.1.1.1
AX-Controller(config-gslb site-slb dev)#vip-server servicevip1
AX-Controller(config-gslb site-slb dev)#exit
AX-Controller(config-gslb site)#exit
AX-Controller(config)#gslb site asia
AX-Controller(config-gslb site)#slb-dev ax-b 3.1.1.1
AX-Controller(config-gslb site-slb dev)#vip-server servicevip2
AX-Controller(config-gslb site-slb dev)#exit
AX-Controller(config-gslb site)#exit
Note:
The virtual server IP address must be the same as the GSLB service IP
address configured on the GSLB AX device.
The following command enables the GSLB protocol:
GUI Example
Configuration on the GSLB AX Device (GSLB Controller)
Configure a Health Monitor for the DNS Proxy
1. Select Config Mode > Service > Health Monitor.
2. On the menu bar, select Health Monitor.
3. Click Add.
4. Enter a name for the monitor in the Name field.
5. In the Method section, select DNS from the Type drop-down list.
6. In the Domain field, enter the domain name. (Generally, this is the same
as the GSLB zone name you will configure.)
Configure the DNS Proxy
1. Begin configuring the proxy:
a. Select Config Mode > Service > GSLB.
b. On the menu bar, select DNS Proxy.
c. Click Add.
d. Enter a name for the proxy in the Name field.
e. In the IP Address field, enter the IP address that will be advertised
as the authoritative DNS server for GSLB zone.
Note:
The GUI will not accept the configuration if the IP address you enter here
is the same as the real DNS server IP address you enter when configuring
the service group for this proxy. (below).
f. In the GSLB Port section, click Add. The GSLB Port section
appears.
FIGURE 10  Configure > Service > GSLB > DNS Proxy - service group selected
(figure)   Configure > Service > GSLB > DNS Proxy - GSLB port
FIGURE 12  Configure > Service > GSLB > DNS Proxy - DNS proxy configured
Configure > Service > GSLB > Site - site parameters selected
Configure a Zone
1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Zone.
3. Click Add.
4. Enter the zone name in the Name field.
5. In the Service section, click Add. (See Figure 16 on page 110.)
The service configuration sections appear.
6. In the Service field, enter the service name.
Overview
The AX device provides a mechanism to automatically synchronize GSLB
configurations and service IP status among multiple GSLB controllers for a
GSLB zone. (A GSLB controller is an AX device on which GSLB is configured and on which the GSLB controller option is enabled.)
To use this feature, add the GSLB controllers to a GSLB controller group.
The group members (controllers) elect a master controller for the group.
The master controller updates the GSLB configurations on each of the other
group members. The master controller also checks the service IPs for their
status and sends the status information to the other group members.
Note:
To designate a master controller for the GSLB group, set the priority of
the desired AX device to a higher value than the other members. It is recommended that you make GSLB configuration changes for the group-wide parameters (shown below) on the master. The group synchronization
feature will push your configuration to the other group members.
GSLB Synchronization
The master in a GSLB controller group synchronizes the following GSLB
configuration items by updating the configurations on the other controllers:
Service IPs
Sites, including SLB-device parameters
Zones, including services
GSLB policies (only those that are used by services)
SLB information for DNS proxy
GSLB protocol settings
The master controller sends the following status information to the other
controllers:
aRDT data
Connection load data
Virtual port status
network and they are using the same public NAT address, only one of
the controllers will be accepted as a member of the GSLB group. The
AX GSLB controller will reject the other connection request if it comes
from the same external IP.
In HA or VRRP-A deployments, the GSLB configuration synchroniza-
tion feature synchronizes with the active device, which then pushes the
GSLB configuration changes to the standby.
Starting in Release 2.6.1-P3, the AX device's CLI prompt displays the
AX device's role within the GSLB group, which can be either Master
or Member, as shown in the examples below:
AX2500-Master(config)#
AX2500-Member(config)#
Display of the group role can be disabled by using the no terminal gslbprompt command at the global config level.
Parameter: Group name
  Supported values: default
  Note: The current release does not support this feature in the GUI.

Parameter: Group state
  State of the group on the AX device.
  Supported values: Enabled or disabled ([no] enable). Default: disabled
  Note: The current release does not support this feature in the GUI.

Parameter: Priority
  Value used during master election for the group. Higher priority values are preferred over lower priority values. For example, priority value 200 is preferred over priority value 100.
  Supported values: 0-255. Default: 100
  Note: The current release does not support this feature in the GUI.

Parameter: Primary controller
  IP addresses of the other GSLB controllers to connect to within the group.
  Supported values: Valid IP address. Default: not set
  Note: The current release does not support this feature in the GUI.

Parameter: Learning
  Allows the device to learn the IP addresses of additional group members from the primary controller(s).
  Supported values: Enabled or disabled ([no] learn). Default: enabled
  Note: The current release does not support this feature in the GUI.

Parameter: Automatic configuration save
  Automatically saves the configuration on a group member when the configuration is saved on the group's master controller.
  Supported values: Enabled or disabled ([no] config-save). Default: enabled
  Note: The current release does not support this feature in the GUI.
Configuration
At a minimum, to add an AX device to a GSLB controller group:
1. On the controller you plan to use as the master:
a. Configure the GSLB parameters that will be synchronized with the
other controllers.
b. Configure local GSLB parameters as applicable to your deployment.
c. Add the device to the GSLB controller group and change the group
priority value to 255.
d. Enable the device's membership in the group.
2. On each of the other controllers:
a. Add the device to the GSLB controller group. Set the priority to a
value that is less than the master.
b. Enable the AX device's membership in the group.
c. Configure local GSLB parameters as applicable to your deployment.
Member
----------------------------------------------------------------------------
default          100  L   192.168.101.72
Field    Description
Attrs    GSLB group attributes of this member:
           D  Member is disabled.
           L  Group learning is enabled on this member.
           P  Member's connection with this member (the member on which you
              enter the show gslb group command) is passive. The group
              connection between any two controller group members is a
              client-server connection. The group member that initiates the
              connection is the client, and has the passive side of the
              connection. The other member is the server.
           *  Member is the current master for the group.
         Note: Attributes are displayed only when at least two group
         members are connected.
Master   IP address of the current master for the group.
Member   Number of GSLB controllers in the group. This number includes all
         configured group members and all learned group members.
ID
Pri Attrs
Status
----------------------------------------------------------------------------local
22e40d29 255 L*
OK
192.168.1.131
941a1229 100
Synced
192.168.1.132
ab301229 100 P
Synced
Field
Member
Description
GSLB controllers currently in the group.
ID
Performance by Design
Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
119 of 260
Status
white list)
The AX device determines a client's location by looking up the client's subnet in the geo-location database used by Global Server Load Balancing (GSLB).
Note:
This feature requires you to load a geo-location database, but does not require any other configuration of GSLB. The AX system image includes the Internet Assigned Numbers Authority (IANA) database. By default, the IANA database is not loaded but you can easily load it, as described in the configuration procedure later in this section.
L US 1
L US.CA 2
L US.CA.SJ 3
The following commands import the class list onto the AX device, configure a policy template, and bind the template to a virtual port. The connec-
AX device.
Local option: Enter the black/white list directly into a management GUI window.
With either method, the syntax is the same. The black/white list must be a text file that contains entries (rows) in the following format:
L "geo-location" group-id #conn-limit
The L indicates that the client's location will be determined using information in the geo-location database.
The geo-location is the string in the geo-location database that is mapped to the client's IP address; for example, US, US.CA, or US.CA.SanJose.
The group-id is a number from 1 to 31 that identifies a group of clients (geo-locations) in the list. The default group ID is 0, which means no group is assigned. On the AX device, the group ID specifies the action to perform on client traffic.
The #conn-limit specifies the maximum number of concurrent connections allowed from a client. The # is required only if you do not specify a group ID. The connection limit is optional. For simplicity, the examples in this section do not specify a connection limit.
L "US.CA"
L "JP"
3. Click OK.
To configure an SLB policy (PBSLB) template:
1. Select Config Mode > Service > Template.
2. On the menu bar, select Application > PBSLB Policy.
3. Click Add.
4. In the Name field, enter a name for the template.
5. From the drop-down list below the Name field, select the black/white list.
6. Select a group ID from the Group ID drop-down list.
7. Select one of the following from the Action drop-down list.
Drop: Drops new connections until the number of concurrent connections on the virtual port falls below the port's connection limit. (The connection limit is set in the black/white list.)
Reset: Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit.
AX device is listed.
create: This option displays the configuration sections for creating a new service group.
8. Optionally, enable logging. (The AX device uses the same log rate limiting and load balancing features for PBSLB logging as those used for ACL logging. See the "Log Rate Limiting" section in the "Basic Setup" chapter of the AX Series System Configuration and Administration Guide.)
9. Click Add.
10. Repeat step 6 through step 9 for each group ID.
11. Click OK.
To load the IANA geo-location database:
1. Select Config Mode > Service > GSLB.
2. On the menu bar, select Geo-location > Import.
3. In the Load/Unload section, enter iana in the File field. Leave the
Template field blank.
4. Click Add.
Note:
Full-Domain Checking
By default, when a client requests a connection, the AX device checks the connection count only for the specific geo-location level of the client. If the connection limit for that specific geo-location level has not been reached, then the client's connection is permitted. Likewise, the permit counter is incremented only for that specific geo-location level.
Table 5 shows an example set of geo-location connection limits and current connections.
TABLE 5
Geo-location      Connection Limit   Current Connections
US                100                100
US.CA             50                 37
US.CA.SanJose     20                 19
Using the default behavior, the connection request from the client at US.CA.SanJose is allowed even though US has reached its connection limit. Likewise, a connection request from a client at US.CA is allowed. However, a connection request from a client whose location match is simply US is denied.
Full-Domain Checking
When full-domain checking is enabled, the AX device checks the current connection count not only for the client's specific geo-location, but for all geo-locations higher up in the domain tree.
Based on full-domain checking, all three connection requests from the clients in the example above are denied. This is because the US domain has reached its connection limit. Likewise, the counters for each domain are updated as follows:
US: Deny counter is incremented by 1.
US.CA: Deny counter is incremented by 1.
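Added example, not code from the guide or the AX device: Python that parses black/white list rows in the L "geo-location" group-id #conn-limit format given earlier in this section and replays the Table 5 figures through the default check and through full-domain checking. GeoLimiter, its counter names, and the treatment of permit counters under full-domain checking are this example's own assumptions.

```python
"""PBSLB black/white list rows and geo-location connection limits.

Added example, not code from the A10 guide or the AX device. It parses rows in
the format the guide gives (L "geo-location" group-id #conn-limit) and simulates
the two admission behaviours described for geo-location limits: the default
check of the client's own level only, and full-domain checking of every level
up the domain tree. GeoLimiter, its counter names and the Table 5 sample are
this example's own.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Entry:
    geo: str                        # e.g. US, US.CA, US.CA.SanJose
    group_id: int = 0               # 0 = no group assigned (the guide's default)
    conn_limit: Optional[int] = None


def parse_row(row: str) -> Entry:
    """Parse one row. Quotes around the geo-location are optional, matching the
    guide's own samples (L US 1 and L "US.CA")."""
    tokens = shlex.split(row, comments=False)
    if len(tokens) < 2 or tokens[0] != "L":
        raise ValueError(f"row must start with L and a geo-location: {row!r}")
    entry = Entry(geo=tokens[1])
    for tok in tokens[2:]:
        if tok.startswith("#"):              # '#' introduces the connection limit
            entry.conn_limit = int(tok[1:])
        elif tok.isdigit():                  # a bare number is the group ID, 1-31
            if not 1 <= int(tok) <= 31:
                raise ValueError(f"group-id outside 1-31: {row!r}")
            entry.group_id = int(tok)
        else:
            raise ValueError(f"unexpected token {tok!r} in {row!r}")
    return entry


def parse_list(text: str) -> Dict[str, Entry]:
    """Parse a whole list file; blank lines are skipped, later rows win."""
    rows = (parse_row(line) for line in text.splitlines() if line.strip())
    return {e.geo: e for e in rows}


def limits_from_list(entries: Dict[str, Entry]) -> Dict[str, int]:
    """Connection limit per geo-location (rows without #conn-limit impose none)."""
    return {g: e.conn_limit for g, e in entries.items() if e.conn_limit is not None}


def domain_chain(geo: str) -> List[str]:
    """The geo-location and every level above it, most specific first:
    US.CA.SanJose -> [US.CA.SanJose, US.CA, US]."""
    labels = geo.split(".")
    return [".".join(labels[:i]) for i in range(len(labels), 0, -1)]


@dataclass
class GeoLimiter:
    """Admission per geo-location level. The client is assumed to have already
    been matched to a geo-location string from the database."""
    limits: Dict[str, int]
    full_domain: bool = False
    current: Dict[str, int] = field(default_factory=dict)   # open connections
    permit: Dict[str, int] = field(default_factory=dict)
    deny: Dict[str, int] = field(default_factory=dict)

    def _checked_levels(self, geo: str) -> List[str]:
        chain = domain_chain(geo) if self.full_domain else [geo]
        return [lvl for lvl in chain if lvl in self.limits]

    def request(self, geo: str) -> bool:
        """Admit (True) or refuse (False) one new connection from a client at geo."""
        levels = self._checked_levels(geo)
        if any(self.current.get(lvl, 0) >= self.limits[lvl] for lvl in levels):
            # Refused: under full-domain checking every checked level's deny
            # counter goes up by 1, as the guide shows for US and US.CA.
            for lvl in levels:
                self.deny[lvl] = self.deny.get(lvl, 0) + 1
            return False
        # Admitted: the default mode counts only the client's own level. Counting
        # every checked level under full-domain checking is this example's
        # assumption; the guide's text for that case is not on the page.
        for lvl in levels:
            self.permit[lvl] = self.permit.get(lvl, 0) + 1
            self.current[lvl] = self.current.get(lvl, 0) + 1
        return True


# Table 5 from the guide as a constructed list file plus its current counts.
TABLE5_LIST = 'L "US" #100\nL "US.CA" #50\nL "US.CA.SanJose" #20\n'
TABLE5_CURRENT = {"US": 100, "US.CA": 37, "US.CA.SanJose": 19}


def table5_decisions(full_domain: bool) -> Dict[str, bool]:
    """Outcome of one new request from each of the three client locations."""
    limiter = GeoLimiter(limits_from_list(parse_list(TABLE5_LIST)),
                         full_domain, dict(TABLE5_CURRENT))
    return {geo: limiter.request(geo) for geo in ("US.CA.SanJose", "US.CA", "US")}


if __name__ == "__main__":
    print("default    :", table5_decisions(False))   # SanJose and CA allowed, US denied
    print("full-domain:", table5_decisions(True))    # all three denied
```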
For this release, the feature supports IPv4 resource records and does not
support IPv6 records.
The following commands configure three sites for each web-based service
provider:
AX(config)#gslb site sanjose
AX(config-gslb site)#slb-dev AX5200 192.168.1.2
AX(config-gslb site-slb dev)#ip-server ip-server1
AX(config-gslb site-slb dev)#ip-server ip-server2
AX(config-gslb site-slb dev)#ip-server www
AX(config-gslb site-slb dev)#ip-server mail
DNSSEC Support
This chapter describes the AX device's DNSSEC support.
Overview
An AX device configured as a Global Server Load Balancer (GSLB) controller can act as an authoritative DNS server for a domain zone. As the authoritative DNS server for the zone, the AX device sends records in response to requests from DNS clients. The AX device supports the ability to respond to client requests for the following types of well-known resource records:
A
AAAA
CNAME
NS
MX
PTR
SRV
TXT
DNSSEC for GSLB is not supported in proxy mode for this release.
server uses the DS for a zone directly beneath it in the DNS hierarchy to verify that signed resource records from the Authoritative DNS server for that zone are legitimate.
Resource Record Signature (RRSIG): Digitally signs another resource
While Figure 18 on page 135 shows how basic DNS works without DNSSEC, Figure 19 on page 138 provides an updated version of this illustration showing how the DNS lookup process works with DNSSEC.
The recursive lookup process remains largely unchanged, with the higher level DNS servers pointing to lower level servers within the DNS hierarchy in order to move the request closer to the authoritative server for the desired domain.
However, when DNSSEC is added to this scenario, the additional records (such as DS, RRSIG, and DNSKEY) are used to sign and authenticate the communications from the DNS servers, thus proving to the client that each of the name servers in the chain of trust is authoritative for its respective domain. For more details, see "Building the Chain of Trust" on page 140.
Figure 19 shows the resolution process for an address query from the DNS
resolver on a client for the IP address of zone1.example.org.
1. The DNS resolver on the client sends an address query for the IP
address of a host under zone1.example.org.
2. The Caching DNS server, which does not have the address, forwards the
request to the root server.
3. The root server redirects the Caching DNS server to the TLD DNS
server for the .org domain. This is accomplished by sending an NS
record with the IP address of that TLD server. The root server uses an
RRSIG record (used to store the private key) to sign the NS record, and
Figure 20 above shows the Authoritative DNS Server for the zone1.example.org domain at the bottom left, and the Root DNS Server at the upper right.
Starting from the lower left, the Authoritative DNS Server for the zone1.example.org domain has a DNS key record (DNSKEY). This DNSKEY record contains the public Zone Signing Key (ZSK) for zone1. The ZSK is used to sign other record types, such as A records, for the zone. The DNSKEY record is signed by another key, the Key Signing Key (KSK), which also belongs to this zone.
DNSSEC Templates
To configure DNSSEC on the AX device, templates are used to define information required by the security standard. The following information is required when configuring DNSSEC templates:
Combinations limits (on signatures)¹: The parameter is used to spec-
lifetime for DNSSEC key resource records. The TTL can range from 1-864,000 seconds, with a default of 14,400 seconds (or 4 hours).
Key Signing Key: The key signing key (KSK) is needed to establish the chain of trust and is the private counterpart to the public zone signing key used to sign authentication keys for the zone. At least one KSK is needed to sign successfully, but no more than two KSKs can be configured. There is no default.
Return NSEC/NSEC3: This parameter is used to enable or disable the
¹ For more details, please refer to RFC 4033, 4034, 4035 and 4641.
used to set the period for which a signature will remain valid. The time can range from 5-30 days, and the parameter has a default of 10 days.
Zone Signing Key: The zone signing key (ZSK) is used to sign the
Configuration
To configure DNSSEC for GSLB:
1. Generate the DNS keys (or import them) to the AX device.
2. Configure the DNSSEC template.
3. Verify the DNSSEC template.
4. Apply the DNSSEC template to GSLB policy.
You must generate the keys before using them in a DNSSEC template.
To configure the DNSSEC template, use the following command at the
GSLB config level:
dnssec template name
Please refer to DNSSEC Templates on page 146 for details on configuring DNSSEC template sub-options.
Verify DNSSEC template using show command
After configuring a DNSSEC template, use the following command at the
GSLB config level to display information for the configured template:
show dnssec template name
Apply the DNSSEC template to GSLB policy
To apply the DNSSEC template and provide DNSSEC support for GSLB,
and to enable DNSSEC within the zone policy, use the following command
at the GSLB policy level:
dns server authoritative sec
the DNSSEC key pair (ZSK and KSK). You can specify any of the
following algorithms:
RSASHA1 (default)
RSASHA256
RSASHA512
NSEC3RSASHA1
Selecting one of the first three algorithms (RSASHA1, RSASHA256, or
RSASHA512) will cause the standard NSEC resource record to be generated for the zone. However, selecting the fourth algorithm option
(NSEC3RSASHA1) causes the NSEC3/NSEC3PARAM record to be
generated for the zone, which is helpful in mitigating the threat posed by
zone walking.
Different zones can use different DNSSEC templates and thus have different algorithms.
Keysize: Specify the number of bits in the DNSSEC key, which can
The imported dnssec-key file is a compressed file with the .tar suffix. This tar file includes both the private and public keys, with the respective suffixes of .private and .key. When an example tar file with the name key01 is un-compressed, it includes the public key ("key01.key") and the private key ("key01.private").
Zone Signing Commands
After the zone or DNSSEC template configuration is changed, the zone signing will automatically begin 30 seconds later. However, you can use the following command at the global config level to immediately trigger zone signing:
dnssec sign-zone-now name
Specify the name for the DNS zone. Note that if a name is not specified, then all zones will be checked for configuration changes and signed (if any changes are found).
Details:
DNSSEC Signature timeout All zones will be checked every two
record of the child zone is imported, the parent of that child zone will be
re-signed.
Configuration Examples
The following sections show DNSSEC configuration examples.
CLI Example #1
The following commands enable the DNSSEC option for GSLB, so that the
AX device can handle DNSSEC queries while in DNS server mode.
AX(config)#gslb policy default
AX(config-gslb policy)#dns server authoritative sec
AX(config-gslb policy)#exit
Note:
DNSSEC for GSLB is not supported in proxy mode for this release.
CLI Example #2
When configuring GSLB on the AX device, the default DNSSEC template
is used for each zone unless you specify another template. The commands
below generate an encryption key called keygen1, using the
NSEC3RSASHA1 encryption algorithm. Then, commands are used to create the DNSSEC template called dnssec1, which has a combinations-limit
of 10 and uses the key just created. The template is applied to a zone called
example.com:
AX(config)#dnssec key-generate keygen1 algorithm NSEC3RSASHA1 keysize 1024
AX(config)#dnssec template dnssec1
AX(config-dnssec)#combinations-limit 10
AX(config-dnssec)#ksk keygen1
AX(config-dnssec)#exit
AX(config)#gslb zone example.com
AX(config-gslb zone)#template dnssec dnssec1
AX(config-gslb zone)#exit
CLI Example #3
The following command is used to display information for the DNSSEC
template created above:
AX(config)#show dnssec template dnssec1
dnssec template dnssec1
ksk keygen1
combinations-limit 10
CLI Example #4
The following command imports the DS record from the delegated child
zone (zone1.example.org) to the parent zone (example.org), for which
the AX device is the authoritative DNS server:
AX(config)#import dnssec-ds zone1.example.org scp://root@10.10.10.13/root/dsset-zone1.example.org
Password []?******
Importing ...
...0 minutes 3 seconds
Done.
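Added example, not the AX device's code: Python that builds the DS record a dsset file like the one imported above carries from a child zone's KSK DNSKEY, and performs the parent-side check described in the chain-of-trust overview (the parent uses the DS to confirm the child's signing key is legitimate). The KSK public key bytes are constructed filler and all function names are this example's own.

```python
"""DS records: how a parent zone vouches for a child's Key Signing Key (RFC 4034).

Added example, not code from the A10 guide or the AX device. It reproduces what
the dsset file imported with "import dnssec-ds" carries: the DS digest and key
tag of the child zone's KSK DNSKEY, and the check the parent performs with it.
The public key bytes below are constructed filler, not a real RSA key.
"""
import base64
import hashlib
import struct

# DNSSEC algorithm numbers for the four choices the guide lists (IANA registry).
ALG_RSASHA1, ALG_NSEC3RSASHA1, ALG_RSASHA256, ALG_RSASHA512 = 5, 7, 8, 10
DS_DIGEST_SHA1, DS_DIGEST_SHA256 = 1, 2
KSK_FLAGS = 257   # ZONE (256) + SEP (1): the key a DS record points at
ZSK_FLAGS = 256   # ZONE only: signs the zone's A, AAAA, MX ... records

# Constructed filler standing in for the KSK public key of zone1.example.org.
CONSTRUCTED_KSK_PUBKEY = bytes(range(1, 65))


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name (RFC 4034 section 6.2): labels lower-cased,
    each prefixed by its length, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in owner name {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    algo = {DS_DIGEST_SHA1: hashlib.sha1, DS_DIGEST_SHA256: hashlib.sha256}[digest_type]
    return algo(wire_name(owner) + rdata).hexdigest().upper()


def dnskey_record(owner: str, flags: int, algorithm: int, pubkey: bytes) -> str:
    """Presentation-format DNSKEY RR, as published by the child zone."""
    key_b64 = base64.b64encode(pubkey).decode("ascii")
    return f"{owner.rstrip('.').lower()}. IN DNSKEY {flags} 3 {algorithm} {key_b64}"


def ds_record(owner: str, flags: int, algorithm: int, pubkey: bytes,
              digest_type: int = DS_DIGEST_SHA256) -> str:
    """Presentation-format DS RR for the given DNSKEY, as the parent would hold it."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    return (f"{owner.rstrip('.').lower()}. IN DS {key_tag(rdata)} {algorithm} "
            f"{digest_type} {ds_digest(owner, rdata, digest_type)}")


def dsset_lines(owner: str, flags: int, algorithm: int, pubkey: bytes) -> list:
    """The two lines (SHA-1 and SHA-256 digests) a dsset-<zone> file typically holds."""
    return [ds_record(owner, flags, algorithm, pubkey, d)
            for d in (DS_DIGEST_SHA1, DS_DIGEST_SHA256)]


def ds_matches_dnskey(ds_text: str, dnskey_text: str) -> bool:
    """The parent-side check: recompute tag and digest from the child's DNSKEY
    and compare with the imported DS. Any change to the key breaks the link."""
    d, k = ds_text.split(), dnskey_text.split()
    if len(d) < 7 or len(k) < 7 or d[2] != "DS" or k[2] != "DNSKEY":
        return False
    if d[0].rstrip(".").lower() != k[0].rstrip(".").lower():
        return False
    tag, alg, dtype, digest = int(d[3]), int(d[4]), int(d[5]), d[6].upper()
    flags, proto, kalg = int(k[3]), int(k[4]), int(k[5])
    if proto != 3 or kalg != alg or dtype not in (DS_DIGEST_SHA1, DS_DIGEST_SHA256):
        return False
    rdata = dnskey_rdata(flags, kalg, base64.b64decode("".join(k[6:])))
    return key_tag(rdata) == tag and ds_digest(k[0], rdata, dtype) == digest


if __name__ == "__main__":
    zone = "zone1.example.org"
    child_key = dnskey_record(zone, KSK_FLAGS, ALG_RSASHA256, CONSTRUCTED_KSK_PUBKEY)
    print(child_key)
    for line in dsset_lines(zone, KSK_FLAGS, ALG_RSASHA256, CONSTRUCTED_KSK_PUBKEY):
        print(line, "->", ds_matches_dnskey(line, child_key))
```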
gslb active-rdt
Description
Syntax
Description
Specifies the query domain. To measure the active-Round Delay Time (aRDT) for a client, the site AX device sends queries for the domain name to a client's local DNS. An aRDT sample consists of the time between when the site AX device sends a query and when it receives the response.
Specifies the number of seconds between queries. You can specify 1-16383 seconds.
port portnum
retry num
sleep seconds
timeout ms
track seconds
Default
Mode
Globally drop or reject DNS queries from the local DNS server.
Syntax
Description
drop
reject
Default
Not set
Mode
Globally set DNS logging parameters. When this option is enabled, the GSLB DNS log messages appear in the AX log.
Syntax
[no] gslb dns logging {both | query | response | none}
Parameter   Description
both
query
response
none        Logs nothing.
Default
Disabled
gslb geo-location
Description
Syntax
Description
Name of the location. Use a period between each string label (range). Each range can contain up to 15 alphanumeric characters. The entire name can contain up to 127 alphanumeric characters.
Example: Asia.japan.123456789.xyz
The AX device can perform a partial match for a geo-location. For example, if IP 1.1.1.1 belongs to Asia.japan, but only Asia is configured, the AX device still knows which site to select.
start-ip-addr
mask ip-mask
Network mask.
end-ip-addr
all
N/A
Mode
mapping.
If no geo-location is configured for a GSLB site, GSLB automatically
AX device to a geo-location.
Example
Description
Deletes all manually configured geo-locations
from the configuration.
Default
N/A
Usage
Mode
Load a geo-location database into GSLB. Loading a pre-configured geo-location database provides a convenient alternative to manually configuring each geo-location separately.
Syntax
iana
file-name
csv-templatename
Note:
Description
The file-name option is available only if you have already imported a geo-location database file. To display a list of filenames, enter the following:
gslb geo-location load ?
all
Default
Mode
Usage
You can load more than one geo-location database. When you load a new database, if the same IP address or IP address range already exists in a previously loaded database, the address or range is overwritten by the new database.
Example
gslb group
Description
Syntax
Command              Description
[no] config-merge    Allows GSLB to be configured on any group member, without restricting the changes to the master controller. If this option is used and the current GSLB controller has the highest priority of all group members, then this current controller will attempt to retrieve the config file from the master GSLB controller before assuming control.
[no] config-save     Enables automatic configuration save on this GSLB group member when the configuration is saved on the group master.
[no] dns-discover    Discover members via the DNS protocol. When this option is used, you do not need to configure a primary IP address, because GSLB will send a DNS query (based on the group name) to discover other group members. For example, if the group name is group.a10.com then GSLB will send the DNS discover query with domain name group.a10.com.
[no] inherit
[no] learn
[no] primary ipaddr   Specifies the IP address of another group member, to be a primary member. After the GSLB process starts on an AX device, the device joins the controller group by connecting to the primary group members to exchange group management traffic. You can specify up to 15 primary members. Enter the command separately for each member.
[no] priority num
Default
This option allows you to configure the DNS suffix that will be used for dns-discovery. You can specify the suffix (or name) that GSLB will append to the domain name when sending the dns-discover query. For example, if the group name is group and the suffix is a10.com, then the concatenated strings are sent in the DNS discovery query as group.a10.com.
Mode
gslb ip-list
Description
Configure a list of IP addresses and group IDs to use as input to other GSLB commands.
Syntax
[no] gslb ip-list list-name
no gslb ip-list all
all   Removes all GSLB IP lists from the configuration. The all option is valid only with the no form of the command shown above.
The command changes the CLI to the configuration level for the list, where the following IP-list-related commands are available:
(The other commands are common to all CLI configuration levels. See the AX Series CLI Reference.)
Command                                                    Description
[no] ip ipaddr [subnet-mask | /mask-length] id group-id    Creates an IP entry in the list. Based on the subnet mask or mask length, the entry can be a host address or a subnet address. The id option adds the entry to a group. The group-id can be 0-31.
no ip all                                                  Removes all manually configured IP addresses from the IP list.
[no] load bwlist-name                                      Loads the entries from a black/white list into the IP list. For information on configuring a black/white list, see the "Policy-Based SLB (PBSLB)" section in the "Traffic Security Features" chapter of the AX Series System Configuration and Administration Guide.
Default
None
Usage
list, then load the entries from the black/white list into an IP list.
Use this command to configure individual IP list entries.
Example
The following commands configure a GSLB IP list and use the list to
exclude IP addresses from aRDT data collection:
gslb ping
Description
Syntax
Command
Mode
site-name
ipaddr
gslb policy
Description
Syntax
Description
default
policy-name
all   Removes all GSLB policies from the configuration. The all option is valid only with the no form of the command shown above.
This command changes the CLI to the configuration level for the specified GSLB policy. For information about the commands available at the GSLB policy level, see "Policy Configuration Commands" on page 188.
Default
N/A
Mode
Example
gslb protocol
Description
Syntax
For the limit options, see gslb protocol limit on page 165.
Description
status-interval seconds   Changes the number of seconds between GSLB status messages. You can specify 1-300 seconds.
use-mgmt-port
Default
Mode
Usage
The A10 Networks GSLB protocol uses port 4149. The protocol is registered on this port for both TCP and UDP.
AX devices use the GSLB protocol for GSLB management traffic. The protocol must be enabled on the GSLB controller, and it is recommended (but
not required) that you enable the protocol on the site AX devices.
The following GSLB policy metrics require the protocol to be enabled on
both the site AX devices as well as the GSLB controller:
Session-Capacity
aRDT
Connection-Load
Num-Session
The GSLB protocol is also required for the Health-Check metric, if the
default health checks are used. If you modify the health checks, the GSLB
protocol is not required.
Example
Default
Description
ardt-query
ardt-response
ardt-session
conn-response
response
message
Mode
gslb service-ip
Description
Syntax
Description
service-name
ipaddr
all
This command changes the CLI to the configuration level for the specified
service, where the following GSLB-related commands are available:
Command
disable
enable
[no] external-ip
ipaddr
Description
Maps the specified IPv6 address to an IPv4 service IP. This option also requires IPv6 DNS
AAAA support to be enabled in the GSLB policy. (See the ipv6-mapping option in dns on
page 197.)
{tcp | udp}
Default
Usage
If you leave the health monitor for a service at its default setting (the default ICMP ping health check), the health checks are performed within the GSLB protocol.
If you use a custom health monitor, or you explicitly apply the default Layer 3 health monitor to the service, the GSLB protocol is not used for any of the health checks.
If you use a custom health monitor for a service port, the port number specified in the service configuration is used instead of the port number specified in the health monitor configuration.
The following policy metric options are not supported for IPv6 service IPs:
active-rdt
ip-list
dns external-ip
dns ipv6 mapping
geo-location
Example
The following example creates a GSLB service IP address named gslbsrvc2 with IP address 192.160.20.99:
gslb site
Description
Syntax
Description
site-name
all
Description
Configures options for the aRDT metric:
aging-time minutes   Specifies the maximum amount of time a stored aRDT result can be used. You can specify 1-15360 minutes. The default is 10 minutes.
bind-geoloc   Stores the aRDT measurements on a per geo-location basis. Without this option, the measurements are stored on a per site SLB device basis.
ignore-count num   Specifies the ignore count if aRDT is out of range. You can specify 1-15. The default is 5.
limit num   Specifies the maximum aRDT allowed for the site. If the aRDT measurement for a site exceeds the configured limit, GSLB does not eliminate the site. Instead, GSLB moves to the next metric in the policy. You can specify 0-16383 milliseconds (ms). The default is 16383.
mask {/mask-length | mask-ipaddr}   Specifies the IPv4 client subnet mask length. The default mask length is 32.
range-factor num   Specifies the maximum percentage a new aRDT measurement can differ from the previous measurement. If the new measurement differs from the previous measurement by more than the allowed percentage, the new measurement is discarded and the previous measurement is used again. For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75% to 125% of the previous value can be used. A measurement that is less than 75% or more than 125% of the previous measurement cannot be used. You can specify 1-1000. The default is 25.
smooth-factor num   Blends the new measurement with the previous one, to smooth the measurements.
[no] bw-cost
options
[no] disable
[no] ip-server
service-ip
no ip-server
all
[no] slb-dev
device-name
ip-addr
See above.
Mode
Example
The following example creates a site named NY-site and adds SLB
AX Series site-ax-1 with IP address 10.10.10.10 to the site:
Default
Disabled
Mode
Usage
Syntax
Configure the TTL for DNS A or AAAA records created by the auto-mapping feature.
[no] gslb system auto-map ttl seconds
Default
Description
Maximum number of seconds for which an A or
AAAA record created by auto-mapping is valid.
You can specify 1-65535 seconds.
300
Description
TTL, 1-255.
num
Default
255
Mode
Usage
This option applies only to DNS server mode. The option does not apply to
DNS proxy mode.
The TTL value is used in all replies, regardless of the client's original TTL.
Syntax
Default
Mode
Syntax
Default
N/A
Mode
Usage
This command unloads all geo-location files, and reloads the default iana
file.
This command does not remove the GSLB configuration. If you want to
entirely remove the GSLB configuration, see no gslb all on page 187.
Description
Length of the delay, 0-16384 seconds.
Default
Mode
Syntax
Note:
Description
template-name
all
Removes all CSV templates from the configuration. The all option is valid only with the no
form of the command shown above.
To remove all CSV templates and SNMP templates, use the following
command: no gslb template all
This command changes the CLI to the configuration level for the specified
template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See the
AX Series CLI Reference.)
Command
[no] delimiter {character | ASCII-code}
Description
Default
There is no default CSV template. When you configure one, the field locations are not set. The default delimiter character is a comma ( , ).
Usage
To load a geo-location data file and use the CSV template to extract the
data, see gslb geo-location load on page 158.
Example
Configure an SNMP template to query data for use by the BW-Cost metric.
Syntax
Note:
Description
template-name
all
Removes all SNMP templates from the configuration. The all option is valid only with the no
form of the command shown above.
To remove all CSV templates and SNMP templates, use the following
command: no gslb template all
This command changes the CLI to the configuration level for the specified
template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See the
AX Series CLI Reference.)
Command                 Description
[no] auth-key string    Specifies the authentication key. The key string can be 1-127 characters long. This command is applicable if the security level is auth-no-priv or auth-priv.
[no] community community-string
[no] context-engine-id id
[no] context-name id
[no] interface id
[no] oid oid-value
If the object is part of a table, make sure to append the table index to the end of the OID. Otherwise, the AX device will return an error.
[no] port portnum
[no] priv-key string
[no] priv-proto {aes | des}
[no] host ipaddr
[no] interval seconds
Note:
Specifies the authentication protocol. This command is applicable if the security level is auth-no-priv or auth-priv.
[no] security-level {no-auth | auth-no-priv | auth-priv}
[no] username name
[no] version {v1 | v2c | v3}
Default
See above.
Mode
Usage
Example
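The following Python script is an added example; it is not part of the A10 guide or its CLI. It checks an SNMP template's settings against the rules given above (an auth-key of 1-127 characters applies only at security level auth-no-priv or auth-priv; version is v1, v2c or v3; priv-proto is aes or des) and flags what a security reviewer would reject: v1/v2c community strings travel in cleartext and give no message authentication, no-auth polls without authentication, and DES privacy is obsolete. The class field names, the treatment of priv-key and priv-proto as auth-priv-only settings, and the sample values are assumptions of the example, not text from the guide.

```python
"""Check a GSLB SNMP template for ignored, missing and weak settings.

Added example (not A10 code). Rules taken from the guide: auth-key (1-127
characters) applies only at auth-no-priv or auth-priv; version is v1, v2c or
v3; priv-proto is aes or des. The weakness ratings are general SNMP facts.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SnmpTemplate:
    """One field per command at the template configuration level (field names assumed)."""
    version: str = "v2c"                # v1 | v2c | v3
    security_level: str = "no-auth"     # no-auth | auth-no-priv | auth-priv (v3 only)
    community: Optional[str] = None
    username: Optional[str] = None
    auth_key: Optional[str] = None
    priv_key: Optional[str] = None
    priv_proto: Optional[str] = None    # aes | des


def check_template(t: SnmpTemplate) -> List[str]:
    """Return findings as strings; an empty list means the template is consistent and strong."""
    findings: List[str] = []
    v3_settings = (("username", t.username), ("auth-key", t.auth_key),
                   ("priv-key", t.priv_key), ("priv-proto", t.priv_proto))

    if t.version in ("v1", "v2c"):
        findings.append(f"{t.version}: the community string is sent in cleartext and gives "
                        "no message authentication; prefer version v3 with auth-priv")
        if not t.community:
            findings.append(f"{t.version}: a community string is required")
        findings += [f"{name} is an SNMPv3 setting and is ignored under {t.version}"
                     for name, val in v3_settings if val is not None]
        return findings

    if t.version != "v3":
        return [f"unknown version {t.version!r}; expected v1, v2c or v3"]
    if not t.username:
        findings.append("v3: a username is required")
    if t.community:
        findings.append("community string is ignored under v3")

    if t.security_level == "no-auth":
        findings.append("no-auth: polling is neither authenticated nor encrypted")
        if t.auth_key is not None:
            findings.append("auth-key is ignored at no-auth (applies only at auth-no-priv or auth-priv)")
    elif t.security_level in ("auth-no-priv", "auth-priv"):
        if t.auth_key is None:
            findings.append(f"{t.security_level}: auth-key is required")
        elif not 1 <= len(t.auth_key) <= 127:
            findings.append("auth-key must be 1-127 characters long")
    else:
        findings.append(f"unknown security level {t.security_level!r}")

    if t.security_level == "auth-priv":
        if t.priv_key is None:
            findings.append("auth-priv: priv-key is required")
        if t.priv_proto == "des":
            findings.append("priv-proto des: single DES is obsolete; use aes")
    else:
        # Assumption of this example: like auth-key, privacy settings only apply at auth-priv.
        findings += [f"{name} is ignored unless the security level is auth-priv"
                     for name, val in (("priv-key", t.priv_key), ("priv-proto", t.priv_proto))
                     if val is not None]
    return findings


# Constructed settings: the weak template many devices ship with, and a hardened one.
WEAK = SnmpTemplate(version="v2c", community="public")
HARDENED = SnmpTemplate(version="v3", security_level="auth-priv", username="gslb-poller",
                        auth_key="example-auth-key-change-me",
                        priv_key="example-priv-key-change-me", priv_proto="aes")

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_template(tpl) or ["ok"])
```

Run it as is to compare the two templates; pass your own SnmpTemplate to check_template before committing a template to a production controller.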
gslb zone
Description
Configure a GSLB zone, which identifies the top-level name for the services load balanced by GSLB.
Syntax
Description
Name of the zone, up to 127 alphanumeric characters, or * (wildcard character matching on all zone names).
You can use lower case characters and upper case characters. However, since Internet domain names are case-insensitive, the AX device internally converts all upper case characters in GSLB zone names to lower case.
all
Removes all GSLB zones from the configuration. The all option is valid only with the no form of the command shown above.
This command changes the CLI to the configuration level for the specified
zone, where the following zone-related commands are available:
Description
Disables all services in the GSLB zone.
Note:
If you want the GSLB AX device to return the IP address of the mail service in response to MX requests, you must configure Address records for
the mail service.
[no] dns-ns-record domain-name
[no] dns-soa-record [external] dns-server-name mailbox-name [expire seconds] [refresh seconds] [retry seconds] [serial num] [ttl seconds]
Configures a DNS start of authority (SOA) record for the GSLB zone.
The external option causes the AX device to replace the internal SOA record with an external SOA record when a request is received from an external client. This prevents external clients from gaining access to internal information. The feature must also be enabled in the GSLB policy.
[no] service port [service-name]
Adds a service to the zone. The port option specifies the service port and can be a well-known name recognized by the CLI or a port number from 1 to 65535. The service-name can be 1-31 alphanumeric characters or * (wildcard character matching on all service names).
For the same reason described for zone names, the AX device converts all upper case characters in GSLB service names to lower case.
This command changes the CLI to the configuration level for the service, where the following GSLB-related commands are available:
Use of the actions configured for services also must be enabled in the
GSLB policy, using the dns action command at the configuration level
for the policy. See dns on page 197.
disable Disables all services in the GSLB zone.
dns-a-record {service-name | ip service-ipaddr} {as-backup | as-replace | no-resp | static | ttl num | weight num}
Configures a DNS Address (A) record for the service, for use with the DNS ip-replace option in the GSLB policy. (See dns on page 197.)
as-backup This option is used to specify the backup servers in the dns-a-record within the GSLB zone. These are the servers that will be returned to the client if the primary servers fail and backup server mode is enabled.
as-replace This option is used with the ip-replace option in the policy. When both options are set (as-replace here and ip-
The no-resp option is not valid with the static or as-replace option. If
you use no-resp, you cannot use static or as-replace.
dns-cname-record alias [alias ...]
[as-backup]
[admin-preference num]
[weight num] Configures DNS Canonical
Name (CNAME) records for the service.
as-backup Specifies that the record is a
backup record.
admin-preference num Default is
100. Please contact A10 Networks for information.
weight num Please contact A10 Networks for information.
dns-mx-record name priority Configures a DNS Mail Exchange (MX) record for
the service. The name is the fully-qualified
domain name of the mail server for the service.
If you want the GSLB AX device to return the IP address of the mail service in response to MX requests, you must configure A records for the
mail service.
dns-ns-record domain-name [as-backup] Configures a DNS name server record. The as-backup option specifies that the record is a backup record. To use the as-backup option, you also must use the dns backup-alias command in the policy. (See dns on page 197.)
dns-ptr-record domain-name Configures a DNS pointer record.
dns-srv-record domain-name
priority [port portnum]
[weight num] Configures a DNS service
record.
The priority can be 0-65535. There is no
default.
The port portnum specifies the protocol port
to return to the client, and can be 0-65534.
There is no default. If you do not specify the
port, GSLB finds the port for the SRV record
and sends it to the client. If you do specify
the port, GSLB sends the specified port to
the client.
The weight num specifies the weight and can
be 0-65535. The default is 10.
dns-txt-record aaaa bbbb cccc
Enables use of DNS TXT resource records to
carry multiple pieces of DNS TXT data within
one TXT record.
Note:
The AX device has a special handler that enables you to enter non-printable characters that the CLI does not support. For details, please contact
A10 Support.
This option also requires the dns server txt command at the configuration
level for the GSLB policy.
geo-location location-name [...] {action action | alias url | policy policy-name} Configures geo-location settings. The location must already be configured. (See gslb geo-location on page 156.)
action action Specifies the action to perform for DNS traffic. The action options are the same as those for the action command described above.
alias url Maps an alias configured with the alias option (see above) to the specified location for this service.
policy policy-name Applies the specified GSLB policy to clients from the geo-location.
health-check {gateway | port portnum [...]} Please contact A10 Networks for information.
admin-ip {service-name | service-ipaddr} [...] Specifies the list of service IP addresses in the DNS reply.
policy policy-name Applies the specified GSLB policy to the service.
no gslb service all
[no] template dnssec template-name
[no] ttl seconds
Mode
Example
Example
The following example uses the wildcard character at the end of the gslb
zone command. This has the result of identifying all GSLB zones so that the
next line of the configuration creates a positive match on all DNS domains
that have the prefix of www.
AX#configure
AX(config)#gslb zone *
AX(config-gslb zone)#service http www
Example
The following commands create a default GSLB policy and then specify
that a backup server at IP 192.168.123.1 will be returned to the client if the
primary servers fail.
no gslb all
Description
Syntax
Default
N/A
Mode
If you only want to reset GSLB instead of removing the GSLB configuration, see gslb system reset on page 175.
The all option is also supported with the no forms of the GSLB configuration commands described in the other sections in this chapter. For syntax
information, see the sections for the individual commands.
active-rdt
Description
Syntax
[no] active-rdt [difference num] [fail-break] [ignore-id group-id] [keep-tracking] [limit ms] [samples num-samples] [single-shot] [skip count] [timeout seconds] [tolerance num-percentage]
Parameter
difference num
Number from 0 to 16383 specifying the round-delay-time difference.
fail-break
Enables GSLB to stop if the configured aRDT limit in a policy is reached. The fail-break action depends on whether the GSLB controller is running in server mode or proxy mode:
Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to
To configure the aRDT limit, use the limit option (described below).
To configure GSLB to return a CNAME record as a backup, enable the
backup-alias option using the dns backup-alias command at the configuration level for the policy. To configure the backup alias for a service
within a zone, use the following command at the configuration level for
the service: dns-cname-record alias-name as-backup
ignore-id group-id
keep-tracking
limit ms
samples num-samples
timeout seconds
tolerance num-percentage
Default
Disabled. When you enable the aRDT metric, it has the following default
settings:
difference 0
fail-break disabled
ignore-id not set
keep-tracking disabled
limit 16383 ms
samples 5
single-shot Disabled. Multiple samples are taken at regular intervals.
skip 3
timeout 3 seconds
tolerance 10 percent.
Mode
GSLB Policy
Usage
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.
AX(config gslb-policy)#active-rdt
active-servers
Description
Configure the Active-Servers metric, which prefers the VIP with the highest
number of active servers.
Active-servers is a measure of the number of active real servers bound to a
virtual port residing on a GSLB site.
Syntax
[no] active-servers [fail-break]
Parameter
fail-break
Enables GSLB to stop if the number of active servers for all services is 0. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:
Server mode: If a backup-alias is configured,
the GSLB controller returns the backup-alias to
the client; otherwise, the controller returns a
SERVFAIL error to the client.
Proxy mode: If a backup-alias is configured,
the GSLB controller returns the backup-alias to
the client; otherwise, the controller returns the
response from the backend DNS server.
Default
Disabled
Mode
GSLB Policy
Usage
Use this command to eliminate inactive real servers from being eligible for
selection.
Example
AX(config gslb-policy)#active-servers
admin-ip
Description
Syntax
Description
Returns only the first (top) IP address in the IP
list. This option overrides the default behavior, in
which GSLB sends all IP addresses to the
requesting client after those addresses have been
vetted according to the metrics in the policy.
Default
Disabled
Mode
GSLB Policy
Usage
The prioritized list is sent to the next metric for further evaluation. If
admin-ip is the last metric, the prioritized list is sent to the client. To configure the ordered list of IP addresses for a service, use the ip-order command
at the service configuration level for the GSLB zone. See gslb zone on
page 180.
admin-preference
Description
Syntax
Default
Disabled
Mode
GSLB Policy
Usage
To set the GSLB Admin-Preference value for a site, use the admin-preference command at the configuration level for the SLB device within the site.
(See gslb site on page 168.)
Example
AX(config gslb-policy)#admin-preference
alias-admin-preference
Description
Enable or disable the Alias Admin Preference metric, which selects the DNS CNAME record with the highest administratively set preference. This metric is similar to the Admin Preference metric, but applies only to DNS CNAME records.
Syntax
[no] alias-admin-preference
Default
Disabled
Mode
GSLB Policy
Usage
Metric order does not apply to this metric. When enabled, this metric
always has high priority.
To configure the Alias Admin Preference metric:
1. At the configuration level for the GSLB service, use the admin-preference preference command to assign an administrative preference to the
DNS CNAME record for the service. (See gslb service-ip on
page 166.)
2. At the configuration level for the GSLB policy:
Use the alias-admin-preference command to enable the Alias
bw-cost
Description
Configure the BW-Cost metric. This mechanism queries the bandwidth utilization of each site, and selects the site(s) whose bandwidth utilization has not exceeded a configured threshold during the most recent query interval.
Syntax
[no] bw-cost [fail-break]
Parameter
fail-break
Enables GSLB to stop if the current BW-Cost value is over the limit. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:
Server mode: If a backup-alias is configured,
the GSLB controller returns the backup-alias to
the client; otherwise, the controller returns a
SERVFAIL error to the client.
Proxy mode: If a backup-alias is configured,
the GSLB controller returns the backup-alias to
the client; otherwise, the controller returns the
response from the backend DNS server.
Default
Disabled
Mode
GSLB Policy
Example
AX(config gslb-policy)#bw-cost
capacity
Description
Configure the TCP/UDP Session-Capacity metric. This mechanism provides a way to shift load away from a site before the site becomes congested.
Example:
Site A's maximum session capacity is 800,000 and Site B's maximum session capacity is 500,000. If the Session-Capacity threshold is set to 90, then for Site A the capacity threshold is 90% of 800,000, which is 720,000. Likewise, the capacity threshold for Site B is 90% of 500,000, which is 450,000.
Syntax
Description
Number from 0 to 100 specifying the maximum
percentage of a site AX Series session table that
can be used. If the session table utilization is
greater than the specified percentage, the GSLB
AX Series prefers other sites over this site.
Default
Disabled. When you enable the capacity metric, the default threshold is 90
percent.
Mode
GSLB Policy
Usage
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.
Example
The following command enables the capacity metric at the default value of
90% utilization of TCP/UDP session capacity:
AX(config gslb-policy)#capacity
connection-load
Description
Configure the Connection-Load metric, which prefers sites that have not exceeded their thresholds for new connections.
Syntax
[no] connection-load [limit number-of-connections] | [samples number-of-samples interval seconds] [fail-break]
Parameter
limit number-of-connections
Number that specifies the maximum average number of new connections per second the site AX Series can have. You can specify from 1 to 999999999 (999,999,999).
Default
Disabled. When you enable the Connection-Load metric, the default limit is
not set (unlimited). The default number of samples is 5, and the default
interval is 5 seconds.
Mode
GSLB Policy
Usage
This command applies only to GSLB selection of a site. The command does
not affect the number of connections the site AX Series itself allows.
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.
Example
The following command sets the connection load limit to 1000 new connections:
dns
Description
Syntax
Parameter
action
Enable GSLB to perform the DNS actions specified in the service configurations.
Note:
To configure the DNS action for a service, use the action action-type command at the configuration level for the service. See gslb zone on page 180.
active-only [fail-safe]
addition-mx
auto-map
backup-alias
backup-server
cache [aging-time seconds | ttl]
delegation
external-ip
external-soa
Replaces the internal SOA record with an external SOA record to prevent external clients from gaining information that should only be available to internal clients. If this option is disabled, the internal address is returned instead.
The external SOA record must be configured in the GSLB zone. (Use the dns-soa-record external command at the gslb zone configuration level.)
geoloc-action
Performs the DNS traffic handling action specified for the client's geo-location. The action is specified as part of service configuration in a zone.
To configure the DNS action for a service, use the geo-location location-name action-type command at the configuration level for the service. See gslb zone on page 180.
geoloc-alias
geoloc-policy
hint {addition | answer | none}
ip-replace
ipv6 options
Blocks DNS queries of the specified record types from being sent to an internal DNS server. The AX device must be in GSLB proxy mode for the feature to work. The options can be one or more of the following:
a
aaaa
ns
mx
srv
cname
server
[options]
The server option is not valid with the ip-replace option. They are mutually exclusive.
If you enable the sticky option, the sticky time must be as long or longer
than the zone TTL. (Use the ttl command at the configuration level for the
zone. See gslb zone on page 180.)
ttl num
Default
disabled by default
addition-mx disabled
auto-map disabled
cache disabled; when you enable this option, the default aging time for a cached DNS reply is the TTL set by the DNS server in the reply
cname-detect enabled
delegation disabled
external-ip enabled
geoloc-action disabled
geoloc-alias disabled
geoloc-policy disabled
hint enabled for addition option
ip-replace disabled
ipv6 all options disabled
logging disabled
proxy disabled
selected-only disabled
server disabled
sticky disabled; when you enable this option, the default prefix is /32, the default aging time is 5 minutes, and the default IPv6 mask length is 128.
ttl 10 seconds
Mode
GSLB Policy
Usage
If more than one of the following options is enabled, GSLB uses them in the order listed, beginning with sticky:
1. sticky
2. server
3. cache
4. proxy (The command does not have a separately configurable proxy option. The proxy option is automatically enabled when you configure the DNS proxy.)
Example
The following configuration excerpt uses the ipv6 mix option to enable mixing of IPv4 and IPv6 service-ip addresses in DNS answers. Both A and AAAA records will be included in replies to either A or AAAA requests from clients.
gslb service-ip ip1 20.20.20.100
  port 80 tcp
gslb service-ip ip2 20.20.20.102
  port 80 tcp
gslb service-ip ipv61 fe80::1
  port 80 tcp
gslb service-ip ipv62 fe80::2
  port 80 tcp
gslb service-ip ipv63 fe80::3
  port 80 tcp
gslb policy p8
  dns ipv6 mix
  dns server
gslb zone a8.com
  policy p8
  service http www
    dns-a-record ip2 static
    dns-a-record ip1 static
    dns-a-record ipv61 static
    dns-a-record ipv62 static
    dns-a-record ipv63 static
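The following Python script is an added example; it is neither configuration nor code from the A10 guide. It parses a configuration excerpt in the CLI form shown above and checks it against the constraints stated in this chapter: dns server and dns ip-replace are mutually exclusive, the sticky time must be at least the zone ttl, no-resp cannot be combined with static or as-replace on a dns-a-record, as-replace is meant to pair with dns ip-replace, dns-ns-record as-backup needs dns backup-alias, and dns-txt-record needs dns server txt. The embedded sample is the excerpt above (abridged) plus a second, deliberately broken zone. The spelling "sticky aging-time seconds" (the guide gives only the 5-minute default) and the treatment of a zone without a configured policy as having no dns options are assumptions of the example.

```python
"""Consistency checks for a GSLB configuration excerpt in the CLI form shown above.

Added example (not A10 code). The parser keys on command words rather than
indentation, so the flattened excerpt above parses too. Assumed: the spelling
'sticky aging-time <seconds>', and a zone without a policy has no dns options.
"""
from typing import Dict, List, Set, Tuple

Policy = Set[str]   # dns option strings, e.g. {"server", "ipv6 mix", "sticky aging-time 60"}
Zone = Dict         # {"policy": name or None, "ttl": int or None, "services": {name: [tokens]}}


def parse_gslb(text: str) -> Tuple[Dict[str, Policy], Dict[str, Zone]]:
    policies: Dict[str, Policy] = {}
    zones: Dict[str, Zone] = {}
    policy = zone = service = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "gslb":                     # any top-level object ends the previous one
            policy = zone = service = None
            kind = tok[1] if len(tok) > 2 else None
            if kind == "policy":
                policy = policies.setdefault(tok[2], set())
            elif kind == "zone":
                zone = zones.setdefault(tok[2], {"policy": None, "ttl": None, "services": {}})
        elif policy is not None and tok[0] == "dns":
            policy.add(" ".join(tok[1:]))
        elif zone is not None and tok[0] == "policy":
            zone["policy"] = tok[1]
        elif zone is not None and tok[0] == "ttl":
            zone["ttl"] = int(tok[1])
        elif zone is not None and tok[0] == "service":
            service = zone["services"].setdefault(" ".join(tok[1:3]), [])
        elif service is not None and tok[0].startswith("dns-"):
            service.append(tok)
    return policies, zones


def has_dns(policy: Policy, option: str) -> bool:
    """True if the policy carries 'dns <option>', with or without further arguments."""
    return any(o == option or o.startswith(option + " ") for o in policy)


def sticky_seconds(policy: Policy) -> int:
    """Sticky aging time in seconds; 0 when sticky is off; default 5 minutes per the guide."""
    for o in policy:
        if o == "sticky" or o.startswith("sticky "):
            tok = o.split()
            return int(tok[tok.index("aging-time") + 1]) if "aging-time" in tok else 300
    return 0


def lint(text: str) -> List[str]:
    policies, zones = parse_gslb(text)
    out: List[str] = []
    for pname, p in policies.items():
        if has_dns(p, "server") and has_dns(p, "ip-replace"):
            out.append(f"policy {pname}: dns server and dns ip-replace are mutually exclusive")
    for zname, z in zones.items():
        p = policies.get(z["policy"], set())
        sticky = sticky_seconds(p)
        if sticky and z["ttl"] and sticky < z["ttl"]:
            out.append(f"zone {zname}: sticky time {sticky}s is shorter than zone ttl {z['ttl']}s")
        for sname, records in z["services"].items():
            where = f"zone {zname} service {sname}"
            for rec in records:
                opts = set(rec[1:])
                if rec[0] == "dns-a-record":
                    if "no-resp" in opts and opts & {"static", "as-replace"}:
                        out.append(f"{where}: dns-a-record no-resp cannot be combined with static or as-replace")
                    if "as-replace" in opts and not has_dns(p, "ip-replace"):
                        out.append(f"{where}: dns-a-record as-replace needs dns ip-replace in the policy")
                elif rec[0] == "dns-ns-record" and "as-backup" in opts and not has_dns(p, "backup-alias"):
                    out.append(f"{where}: dns-ns-record as-backup needs dns backup-alias in the policy")
                elif rec[0] == "dns-txt-record" and "server txt" not in p:
                    out.append(f"{where}: dns-txt-record needs dns server txt in the policy")
    return out


# Constructed sample: the excerpt above (abridged) plus a second, deliberately broken zone.
SAMPLE_CONFIG = """
gslb policy p8
  dns ipv6 mix
  dns server
gslb policy p9
  dns server
  dns ip-replace
  dns sticky aging-time 60
gslb zone a8.com
  policy p8
  service http www
    dns-a-record ip1 static
gslb zone bad.example
  policy p9
  ttl 300
  service http www
    dns-a-record ip1 no-resp static
    dns-ns-record ns1.bad.example as-backup
    dns-txt-record v=spf1
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)) or "no findings")
```

Feed lint() the output of a running configuration before applying changes; the zone a8.com from the guide's own excerpt produces no findings, the broken zone produces one finding per violated rule.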
Example
The following configuration excerpt uses the ipv6 smart option. For IPv4-IPv6 mapping records, an A query will be answered by an A record and an AAAA query will be answered by an AAAA record. More specifically, if a client sends an A query, GSLB returns A records in the answer section, and AAAA records in the additional section. If a client sends an AAAA query,
dnssec key-generate
Description
Syntax
Description
name
algorithm
Note:
Default
N/A
Mode
Global config
export dnssec-dnskey
Description
Export the DNSKEY keyset from the child zone to the parent zone.
Syntax
[no] export dnssec-dnskey zone-name [use-mgmt-port] url
Parameter
zone-name
use-mgmt-port
url
Default
N/A
Global config
Usage
geo-location
Description
Syntax
Description
location-name
start-ip-addr
mask ip-mask
Network mask.
end-ip-addr
Default
None.
Mode
GSLB Policy
Usage
To prefer the location configured with this command over a globally configured location, use the gslb policy geo-location match-first policy command. (See geo-location match-first on page 209.)
Example
geo-location match-first
Description
Description
global
policy
Default
global
Mode
GSLB Policy
Example
geo-location overlap
Description
Syntax
Description
global
policy
Default
Disabled
Mode
GSLB Policy
Usage
If you suspect a public IP address in your domain is not unique and the same IP address may be associated with different hosts, you can enable the geo-location overlap option. This causes the AX device to search the geo-location database for the best match (the longest matching IP address range). Otherwise, the AX device uses its default behavior, which is to scan the specified geo-location database with the match-first algorithm, which uses the first IP address-region mapping discovered. (See Geo-location Overlap on page 57.)
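The following Python script is an added example, not A10 code, illustrating the difference described above. It holds a small constructed geo-location database in the start-ip-addr/end-ip-addr form used by the geo-location command, with ranges that deliberately overlap, and looks a client address up both ways: match-first (the default scan) and best match (the narrowest containing range, as with geo-location overlap enabled). The location names and addresses are constructed.

```python
"""Match-first versus best-match lookups in an overlapping geo-location database.

Added example (not A10 code). Entries use the start-ip-addr / end-ip-addr form
of the geo-location command; the database and addresses are constructed, and
the ranges overlap on purpose.
"""
import ipaddress
from typing import List, Optional, Tuple

# (location-name, start-ip-addr, end-ip-addr); broadest regions listed first, as a
# continent/country/state hierarchy usually is.
GEO_DB: List[Tuple[str, str, str]] = [
    ("north-america", "203.0.113.0", "203.0.113.255"),
    ("north-america.us", "203.0.113.0", "203.0.113.127"),
    ("north-america.us.ca", "203.0.113.0", "203.0.113.63"),
    ("europe", "198.51.100.0", "198.51.100.255"),
]


def _containing(db, client_ip: str) -> List[Tuple[str, int]]:
    """All (name, range size) entries whose range contains the address, in database order."""
    ip = ipaddress.ip_address(client_ip)
    hits = []
    for name, start, end in db:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version == ip.version and lo <= ip <= hi:   # never compare IPv4 with IPv6
            hits.append((name, int(hi) - int(lo)))
    return hits


def match_first(db, client_ip: str) -> Optional[str]:
    """Default behaviour: the first range in the database that contains the address wins."""
    hits = _containing(db, client_ip)
    return hits[0][0] if hits else None


def best_match(db, client_ip: str) -> Optional[str]:
    """geo-location overlap enabled: the narrowest containing range (longest match) wins."""
    hits = _containing(db, client_ip)
    return min(hits, key=lambda h: h[1])[0] if hits else None


if __name__ == "__main__":
    for addr in ("203.0.113.10", "203.0.113.100", "203.0.113.200", "198.51.100.7"):
        print(addr, match_first(GEO_DB, addr), best_match(GEO_DB, addr))
```

With the database ordered broad to narrow, match-first returns the continent for every address in the country or state ranges, so a per-state policy or action would never fire; best match returns the state entry. Ordering the database narrow to broad makes match-first agree, which is the trade-off the overlap option removes.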
geographic
Description
Syntax
Default
Enabled
Mode
GSLB Policy
Usage
Example
health-check
Description
Enable or disable the Health-Check metric. The Health-Check metric prefers sites that pass their health checks.
Syntax
[no] health-check
Default
Enabled
Mode
GSLB Policy
Usage
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices, if the default health checks are used
on the service IPs.
If you use a custom health monitor, or you explicitly apply the default
Layer 3 health monitor to the service, the GSLB protocol is not used for any
of the health checks. In this case, the GSLB protocol is not required to be
enabled on the site AX devices, although use of the protocol is still recommended.
Example
import dnssec-dnskey
Description
Import the DNSKEY keyset from the child zone to the parent zone.
Syntax
[no] import dnssec-dnskey authoritative-zone-name [use-mgmt-port] url
Parameter
authoritative-zone-name
Authoritative zone name of the dnskey.
use-mgmt-port
url
Default
N/A
Mode
Global config
Usage
import dnssec-ds
Description
Import the DS keyset from the child zone to the parent zone.
Syntax
[no] import dnssec-ds child-zone-name [use-mgmt-port] url
Parameter
url
Default
N/A
Mode
Global config
Usage
ip-list
Description
Syntax
Default
None
Usage
Example
The following commands configure a GSLB IP list and use the list to
exclude IP addresses from aRDT data collection:
least-response
Description
Enable or disable the Least-Response metric, which prefers VIPs that have the fewest hits.
Syntax
[no] least-response
Default
Disabled
Mode
GSLB Policy
Example
AX(config gslb-policy)#least-response
metric-fail-break
Description
Syntax
Default
Disabled
Mode
GSLB Policy
metric-force-check
Description
Force the GSLB controller to always check all metrics in the policy.
Syntax
[no] metric-force-check
Default
By default, the GSLB controller stops evaluating metrics for a site once a
metric comparison definitively selects or rejects a site.
Mode
GSLB Policy
metric-order
Description
Configure the order in which the GSLB metrics in this policy are used.
Syntax
[no] metric-order metric [metric ...]
Parameter
metric
[metric ...]
Description
One or more of the following metrics:
active-rdt
active-servers
admin-preference
bw-cost
capacity
connection-load
geographic
health-check
least-response
Mode
GSLB Policy
Usage
The first metric you specify with this command becomes the primary metric. If you specify additional parameters, they are used in the priority you
specify. All remaining metrics are prioritized to follow the metrics you
specify.
The GSLB AX Series uses each metric, in the order specified, to compare
the IP addresses returned in DNS replies to clients. If a metric is disabled,
the metric order does not change. The GSLB AX Series skips the metric and
continues to the next enabled metric.
The Round-Robin metric cannot be re-ordered.
To display the metric order used in a policy, see show gslb policy on
page 234.
num-session
Description
Configure the Num-Session metric, which evaluates a site based on available session capacity and tolerance threshold compared to another site. Sites that are at or below their thresholds of current available sessions are preferred over sites that are above their thresholds.
Example:
Site A has 800,000 sessions available and Site B has 600,000 sessions available. If Num-Session is enabled, then Site A is preferred because it has a larger number of available sessions than Site B.
If the tolerance option is enabled (with a default value of 10 percent), and if Site A has 800,000 sessions available and Site B has 600,000 sessions available, then Site A will continue to be preferred until Site B's available sessions exceed Site A's available sessions by more than 10 percent. In this case, Site A will remain the preferred site until Site B's available sessions exceed 800,000 by more than ten percent (or 80,000 sessions). If Site A's available sessions remain constant, and Site B's available sessions increase to the point that they exceed 880,000 sessions, then Site B would become the preferred site.
Note:
When dealing with smaller base numbers, a small fluctuation in the number of available sessions can cause flapping from one site to another. Thus, when configuring sites with smaller capacities, it is recommended to use a larger tolerance number to prevent frequent flapping between preferred sites.
Syntax
[no] num-session [tolerance num-percentage]
Parameter
tolerance num-percentage
Number from 0 to 100 specifying the percentage by which the number of available sessions on site SLB devices can differ without causing the Num-Session metric to select one site device over another. (See the Usage description.)
Default
Disabled. When you enable the Num-Session metric, the default tolerance is
10 percent.
Mode
GSLB Policy
Usage
The GSLB AX Series considers site SLB devices to be equal if the difference in the number of available sessions on each device does not exceed the
tolerance percentage. The tolerance percentage ensures that minor differ-
round-robin
Description
Syntax
Default
Enabled
Mode
GSLB Policy
Usage
The AX device uses Round-Robin to select a site at the end of the policy
parameters evaluation. This is true even if the Round-Robin metric is disabled in the GSLB policy.
Example
weighted-alias
Description
Enable the Weighted Alias metric, which prefers CNAME records with higher weight values over CNAME records with lower weight values. This metric is similar to Weighted-IP, but applies only to DNS CNAME records.
Syntax
[no] weighted-alias
Default
Disabled
Mode
GSLB Policy
your deployment:
DNS backup-alias
DNS geoloc-alias
(See dns on page 197.)
3. If using the backup-alias option, use the dns-cname-record as-backup
option on the service. (See gslb service-ip on page 166.)
weighted-ip
Description
Syntax
[no] weighted-ip [total-hits]
Parameter
total-hits
First sends requests to the service IP addresses that have fewer hits. After all service IP addresses have the same number of hits, GSLB sends requests based on weight. This option is disabled by default.
Default
Disabled
Mode
GSLB Policy
Usage
As a simple example, assume that the Weighted-IP metric is the only enabled metric, or at least always ends up being used as the tie breaker. The
total-hits option is disabled. IP address 10.10.10.1 has weight 4 and IP
address 10.10.10.2 has weight 2. During a given session aging period, the
first 4 requests go to 10.10.10.1, the next 2 requests go to 10.10.10.2, and so
on, (4 to 10.10.10.1, then 2 to 10.10.10.2).
weighted-site
Description
Configure the Weighted-Site metric, which uses sites with higher weight values more often than sites with lower weight values.
Syntax
[no] weighted-site [total-hits]
Parameter
total-hits
Description
First sends requests to the sites that have fewer
hits. After all service sites have the same number
of hits, GSLB sends requests based on weight.
This option is disabled by default.
Default
Disabled. When you enable the Weighted-Site metric, the default weight of
each site is 1.
Mode
GSLB Policy
Usage
As a simple example, assume that the Weighted-Site metric is the only enabled metric, or at least always ends up being the tie breaker. Site A has
weight 4 and site B has weight 2. During a given session aging period, the
first 4 requests go to site A, the next 2 requests go to site B, and so on, (4 to
A, then 2 to B).
Here is an example using the same two sites and weights, with the total-hits
option enabled. Site A has weight 4 with total hits 8, and site B has weight 2
with total hits 0. In this case, the first 4 requests go to site B, then requests
are sent as described above. Four requests go to site A, then 2 requests go to
site B, and so on.
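The following Python script is an added example, not A10 code, and serves both the Weighted-IP and the Weighted-Site Usage sections above (the sequencing is the same; only the targets differ). It reproduces the documented sequences: weights 4 and 2 give four requests to the first target and two to the second per cycle, and with total-hits the target that is behind is served first. One assumption is needed to match the guide's numbers: "fewer hits" is judged per unit of weight (A with weight 4 and 8 hits stands at 2 hits per weight unit, so B with weight 2 receives 4 catch-up requests, not 8). Weights are assumed to be at least 1, which is the guide's default.

```python
"""Weighted-IP / Weighted-Site request sequencing, including the total-hits option.

Added example (not A10 code). Assumption: with total-hits, a target is 'behind'
when its hits per unit of weight are below the highest such ratio; this is the
reading that reproduces the guide's example. Weights must be >= 1.
"""
from collections import Counter
from fractions import Fraction
from math import ceil
from typing import Dict, List, Tuple

Target = Tuple[str, int, int]   # (name, weight, hits so far), in configured order


def schedule(targets: List[Target], n: int, total_hits: bool = False) -> List[str]:
    """Return the destinations of the next n requests, in order."""
    weights = {name: w for name, w, _ in targets}
    hits = {name: h for name, _, h in targets}
    out: List[str] = []

    if total_hits:
        # Catch-up phase: bring every target up to the highest hits-per-weight ratio.
        top = max(Fraction(hits[name], weights[name]) for name in weights)
        for name in weights:
            deficit = ceil(top * weights[name] - hits[name])
            for _ in range(min(deficit, n - len(out))):
                out.append(name)
                hits[name] += 1

    # Weighted round robin: each target receives 'weight' consecutive requests per cycle.
    while len(out) < n:
        for name, w in weights.items():
            for _ in range(min(w, n - len(out))):
                out.append(name)
                hits[name] += 1
    return out


def share(targets: List[Target], n: int, total_hits: bool = False) -> Dict[str, int]:
    """Long-run distribution over n requests; converges to the weight ratio either way."""
    return dict(Counter(schedule(targets, n, total_hits)))


if __name__ == "__main__":
    ips = [("10.10.10.1", 4, 0), ("10.10.10.2", 2, 0)]          # Weighted-IP example
    sites = [("A", 4, 8), ("B", 2, 0)]                          # Weighted-Site example
    print(schedule(ips, 12))
    print(schedule(sites, 6))
    print(schedule(sites, 10, total_hits=True))
    print(share(sites, 600), share(sites, 600, total_hits=True))
```

The catch-up phase is what total-hits buys you after a site has been down: without it a returning site is simply slotted into the cycle, with it the site is served first until it has caught up, after which the ratio is the same.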
Show Commands
This section describes the GSLB show commands.
Show the DNS messages cached on the GSLB AX device. The GSLB AX device caches DNS replies if either of the following GSLB policy options is enabled:
DNS caching
aRDT metric (if the single-shot option is used)
Syntax
Description
zone-name
service-name
Mode
All
Example
Mode
All
Usage
The show gslb config command can be used in shared partitions, private
partitions, and gslb-view.
When used in shared partitions
When used within a shared partition, the show gslb config command can
include the following:
active-rdt: Show GSLB aRDT configuration
dns: Show GSLB global DNS configuration
geo-location: Show GSLB global geo-location configuration
Note:
When the show gslb config command is used within a private partition,
the following command completions are not supported: active-rdt, dns,
geo-location, protocol, system, and view.
When used in gslb-view
When used in gslb-view, the show gslb config command can include the
following:
group: Show GSLB Group configuration
ip-list: Show GSLB IP list configuration
policy: Show GSLB policy configuration
site: Show GSLB site configuration
Note:
When the show gslb config command is used in gslb-view, the following
command completions are not supported: active-rdt, dns, geo-location,
protocol, service-ip, system, and view.
Details about L3V Deployments
When using the new show gslb config command filters in L3V partitions,
only the following command completions are supported: group, ip-list,
policy, service-ip, site, template, and zone.
The following show gslb config command options are not supported in
L3V deployments, and by extension, not supported by the new gslb show
command enhancements: active-rdt, dns, geo-location, protocol, system and
view.
Mode
All
Introduced in Release
2.7.0
Usage
This command allows you to show various parameters for an FQDN, such
as:
DNS cache information
DNS A Record Service-IP statistics
Statistics for MX, PTR, SRV, CNAME and other record types
DNS session information
Description
db [options]                 Displays the geo-location database. If you specify a
                             geo-location name, only the entries for that
                             geo-location are shown. Otherwise, entries for all
                             geo-locations are shown.
ip-range                     Displays entries for the specified IP address range.
depth num                    Specifies how many nodes within the geo-location data
                             tree to display. For example, to display only continent
                             and country entries and hide individual state and city
                             entries, specify depth 2. By default, the full tree
                             (all nodes) is displayed.
directory num                Please contact A10 Networks for information.
top num [percent [global]]   Please contact A10 Networks for information.
statistics                   Displays client statistics for the specified geo-location.
file [file-name]
rdt [options]
Mode
All
Usage
The matched client IP address and the hits counter indicate the working status of the geo-location configuration.
Example
Field          Description
Geo-location   Name of the geo-location.
From           Beginning address in the address range assigned to the geo-location.
To             Ending address in the address range assigned to the geo-location.
Last           Client IP address that most recently matched the geo-location. If the
               value is empty, no client addresses have matched.
Hits           Total number of client IP addresses that have matched the geo-location.
Sub            Number of sublocations within the geo-location. For example, if you
               configure the following geo-locations, geo-location pc has two
               sublocations, pc.office and pc.lab.
P-Name
Example
The following command shows the load status information for a geo-location database file:
Example
Mode
All
Example
Member
-----------------------------------------------------------------------------
default     255 L*     local
Field    Description
Pri      Priority of the master controller.
Attrs    GSLB group attributes of this member:
         D  Member is disabled.
         L  Group learning is enabled on this member.
         P  Member's connection with this member (the member on which you
            enter the show gslb group command) is passive.
            The group connection between any two controller group members
            is a client-server connection. The group member that initiates
            the connection is the client, and has the passive side of the
            connection. The other member is the server.
         *  Member is the current master for the group.
         Note: Attributes are displayed only when at least two group
         members are connected.
Master   IP address of the current master for the group.
Member   Number of GSLB controllers in the group. This number includes all
         configured group members and all learned group members.

Master   Member           ID        Pri  Attrs  Status
----------------------------------------------------------------------------
local                     22e40d29  255  L*     OK
         192.168.1.131    941a1229  100         Synced
         192.168.1.132    ab301229  100  P      Synced

Field    Description
Member   GSLB controllers currently in the group.
ID
Status
Mode
All
Example
Description
Name of the GSLB policy.
Name of the GSLB metric.
For GSLB metrics, indicates the order in which the metrics
are used.
Metric or option name.
For metrics, indicates whether each metric is enabled (yes or no).
For options, indicates the value.
Description of the metric or option.
Show the status of the GSLB protocol on the GSLB AX Series and the SLB
devices (site AX Series).
Syntax
show gslb protocol [[geo-location-name] port portnum]
Mode
All
0  1  0  34411  1407  0
0  1  0  34411  1407
Description
geo-location
slb-device
local-info
active
depth num          Specifies how many nodes within the geo-location data tree to
                   display. For example, to display only continent and country
                   entries and hide individual state and city entries, specify
                   depth 2. By default, the full tree (all nodes) is displayed.
ip ipaddr [...]    Displays aRDT data only for the specified clients.
Mode
All
Usage
All of the options except local-info are applicable when you enter the command on a GSLB AX device. To display local aRDT data on a site AX
device, enter the command on the site AX device and use the local-info
option.
Example
Here is an example of the output for this command when entered on the
GSLB AX device:
IP                TTL  T    1   2   3   4   5   6   7   8
-----------------------------------------------------------------------------
10.10.10.2        10   A|
20.20.20.21       10   A|  41  40  29  46  38  42  34  30
192.168.217.1     10   A|  38  54  46  50  43  38
192.168.217.11    10   A|  41  40  29  46  38  42  34  30

Device: site2/local
IP                TTL  T    1   2   3   4   5   6   7   8
-----------------------------------------------------------------------------
10.10.10.2        10   A|  35  52  35  40  54  56  44  48
20.20.20.21       10   A|  20  20  16  16  20  16  20  18
192.168.217.1     10   A|  16  44  20  16  20  18
192.168.217.11    10   A|  20  20  16  16  20  16  20  18

Geo-location  Site   T  RDT  TS
-----------------------------------------------------------------------------
cn.sh         site1  A  38   10
              site2  A  18   10
cn.bj         site1  A  30   10
              site2  A  18   10
jp            site1  A  30   10
              site2  A  18   10
us            site1  A  0    10
              site2  A  48   10
This example shows the default display (with no additional options). The
TTL results are organized by site AX device, then by geo-location.
Table 11 describes the fields in the command output.
TABLE 11 show gslb rdt fields
Field          Description
Device         Site AX device.
IP             IP address at the other end of the aRDT exchange.
TTL            Time-to-live for the Active-TT entry.
T              RDT type, which can be A (aRDT).
1-8            Individual aRDT measurements (in units of seconds).
Geo-location   Geo-location name for which aRDT measurements have been taken.
Site           GSLB site name within the geo-location.
T              RDT type. (See descriptions above.)
RDT            Individual aRDT measurements (in units of seconds).
TS             System time stamp of the aRDT measurement.
Description
service-name |
vipaddr
port-num
range-start
range
range-start
range-end
Mode
All
Usage
The number of connections on the site is sampled based on the GSLB status
interval. (This is configurable using the gslb protocol command. See gslb
protocol on page 163.) Samples are listed row by row. The first 7 samples
appear on row 1, the second 7 samples appear on row 2, and so on.
If you disable the GSLB protocol, the data is cleared.
Example
The following example shows connection activity for virtual port 80 on virtual server china.
Description
num-samples
num-samples
service-name |
vipaddr
Mode
All
Example
In this example, five samples, taken at 5-second intervals, are shown for
each of four services (ip1:80 to ip4:80). The services are listed by service IP
and service port.
In each section, the numbers across the top are column numbers. The numbers along the leftmost column are row numbers. The other numbers are the
actual connection load data. For example, for ip1:80 (service port 80 on service IP ip1), there were no connections during the first or second data
samples, and 11 connections during the third sample.
Description
geo-location-name
slb-device
local-info
active
site site-name
depth num
Specifies how many nodes within the geo-location data tree to display. For example, to display
only continent and country entries and hide individual state and city entries, specify depth 2. By
default, the full tree (all nodes) is displayed.
Mode
All
Usage
Eight aRDT samples are displayed for each device. Times are shown in
10-millisecond (ms) increments. In the example below, the first aRDT time for
Device1 is 50 ms.
If you disable the GSLB protocol, the data is cleared.
dns-a-record
dns-cname-record
dns-mx-record
dns-ns-record
dns-ptr-record
dns-srv-record
dns-txt-record
session
service-name
zone zone-name
ip ipaddr
{subnet-mask |
/mask-length}
Mode
All
Example
Description
service-name |
vipaddr
local-info
Description
Device name and service IP name.
IP address of the service.
Indicates whether the service IP is a virtual server IP address
(Y) or a real server IP address (N).
Indicates whether the service IP is enabled.
Indicates the service IP state: UP or DOWN.
Number of service ports on the service IP.
Number of times the service IP has been selected.
Show information about the GSLB service ports configured on the sites.
show gslb service-port [local-info]
Option        Description
local-info    Shows local SLB virtual-port information.
Mode
All
Example
The following command shows information about all the configured GSLB
service ports.
Description
Service IP address and service port number.
Indicates whether the service port is reached using the GSLB
protocol or the local (SLB) protocol.
Indicates the service state: UP or DOWN.
Number of active real servers for the service.
Current number of connections to the service.
Description
service-name
zone zone-name
ip ipaddr {subnet-mask | /mask-length}
Mode
All
Description
site-name
bw-cost
statistics
Displays statistics.
Mode
All
Example
Description
GSLB site name.
Device name and device IP address or real server name and
real server IP address.
Virtual IP address for the service.
Virtual port number.
Virtual port state.
Number of times the service IP was selected.
Table 15 describes the fields in the command output when the bw-cost
option is used.
TABLE 15 show gslb site bw-cost fields
Field      Description
Site       GSLB site name.
Template   SNMP template name.
Current    Current value of the SNMP object used for measurement.
Highest    Highest value of the SNMP object used for measurement.
Limit      Limit configured for the BW-Cost metric.
U          Indicates whether the site is usable, based on the BW-Cost
           measurement.
Type       Data type of the SNMP object.
Len        Data length of the SNMP object.
Value      Value of the SNMP object.
TI         Time interval between measurements.
Example
Description
GSLB site name.
Number of times the site was selected.
Site that was most recently selected.
Description
device-name
local-info
rdt options
Mode
All
Description
Site name and device name.
SLB device's IP address.
Administrative preference for the device.
Current session utilization on the device.
Number of sessions available on the device.
Number of service IPs on the device.
Mode
All
Usage
To collect state information, enable GSLB debugging and use the state
option. (See the example below.)
Example
Show statistics for the GSLB protocol, for sites, or for zones.
Syntax
show gslb statistics {message | site | zone}
Mode
All
Usage
The show gslb statistics message command shows the same output as the
show gslb protocol command. Similarly, the show gslb statistics site command shows the same output as the show gslb site statistics command, and
the show gslb statistics zone command shows the same output as the show
gslb zone statistics command.
Example
0  1  3  5101  1218  0  0
1  1  0  22    1     0  0
0  1  0  22    1     0  0
Description
zone-name
dns-mx-record
dns-ns-record
dns-soa-record
statistics
Mode
All
Example
Example
Description
Zone name.
Service type and service name.
GSLB policy name.
DNS TTL value set by GSLB in DNS replies to queries for
the zone address.
Example
Description
Zone and service name to which the MX record belongs.
Name of the MX record.
Priority (preference) set for the MX record.
Number of times the record has been used.
Most recent time the record was used.
M-Svr
Description
Zone name.
Number of GSLB services configured for the zone.
Description
Number of DNS replies sent to clients by the AX device to
keep the clients on the same site. (This statistic applies only
if the DNS sticky option is enabled in the policy.)
Clear Command
clear
Description
Syntax
Description
all
cache
debug
fqdn
geo-location
group
ip-list
memory
protocol
rdt
samples
server
service
session
site
slb-device
statistics
options
zone
DNSSEC Commands
This section describes the commands for DNSSEC.
(For more on this feature, see DNSSEC Support on page 133.)
dnssec key-generate
Description
Syntax
Description
                   Key filename.
                   RSA SHA algorithm to use to generate the DNSSEC key pair
                   (ZSK and KSK). You can specify any of the following
                   algorithms:
                   RSASHA1 (default)
                   RSASHA256
                   RSASHA512
                   NSEC3RSASHA1
                   Selecting one of the first three algorithms (RSASHA1,
                   RSASHA256, or RSASHA512) causes the standard NSEC resource
                   record to be generated for the zone. Selecting the fourth
                   option (NSEC3RSASHA1) causes the NSEC3/NSEC3PARAM record to
                   be generated for the zone instead, which helps mitigate the
                   threat posed by zone walking.
                   Different zones can use different DNSSEC templates and
                   thus have different algorithms.
keysize num        See above.
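As an added illustration of why the NSEC3RSASHA1 choice matters (this is not code from the guide or from the AX product), the following Python builds the authenticated-denial chain for a small constructed zone both ways. With NSEC, each record's "next owner" field is the next real name in canonical order, so the chain itself reveals every name in the zone; with NSEC3, the chain links hashed owner names computed per RFC 5155 (SHA-1 over the wire-format name with a salt, iterated, then base32hex). The zone names below are constructed sample data, and the salt and iteration count are the example parameters from RFC 5155 Appendix A. An operator can use nsec3_hash to check that the hashed owner names published in a signed zone match its NSEC3PARAM settings.

```python
"""NSEC versus NSEC3 chain construction for a constructed sample zone.

Added illustration, not A10 code. Hashing follows RFC 5155 section 5:
IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt),
with H = SHA-1 and the result encoded in base32hex (RFC 4648 section 7).
"""
import hashlib
from typing import List, Tuple

_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"


def _base32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet, no padding (20 bytes -> 32 chars)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(_B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def _labels(name: str) -> List[str]:
    """Lowercased labels of a fully qualified name, root label excluded."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def _wire_name(name: str) -> bytes:
    """Canonical uncompressed wire form: length-prefixed labels, root = 0x00."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in _labels(name)) + b"\x00"


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """Hashed owner name for `name` under the given NSEC3 parameters."""
    digest = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return _base32hex(digest)


def _canonical_key(name: str) -> Tuple[str, ...]:
    """DNSSEC canonical ordering (RFC 4034 section 6.1): compare labels right to left."""
    return tuple(reversed(_labels(name)))


def nsec_chain(owners: List[str]) -> List[Tuple[str, str]]:
    """(owner, next owner) pairs as an NSEC chain publishes them: real names."""
    ordered = sorted(set(owners), key=_canonical_key)
    return [(o, ordered[(i + 1) % len(ordered)]) for i, o in enumerate(ordered)]


def nsec3_chain(owners: List[str], salt: bytes, iterations: int) -> List[Tuple[str, str]]:
    """(hashed owner, next hashed owner) pairs as an NSEC3 chain publishes them.

    base32hex preserves the numeric order of the digests, so sorting the
    strings sorts the hashes, which is the order the chain must follow.
    """
    hashes = sorted(nsec3_hash(o, salt, iterations) for o in set(owners))
    return [(h, hashes[(i + 1) % len(hashes)]) for i, h in enumerate(hashes)]


# Constructed sample zone (not from the guide).
SAMPLE_ZONE = ["example.", "www.example.", "mail.example.", "intranet.example."]
# Example NSEC3 parameters from RFC 5155 Appendix A (salt aabbccdd, 12 iterations).
RFC_SALT = bytes.fromhex("aabbccdd")
RFC_ITERATIONS = 12

if __name__ == "__main__":
    print("NSEC chain (next owner is a real name):")
    for owner, nxt in nsec_chain(SAMPLE_ZONE):
        print(f"  {owner:20} -> {nxt}")
    print("NSEC3 chain (next owner is a hash):")
    for h, nxt in nsec3_chain(SAMPLE_ZONE, RFC_SALT, RFC_ITERATIONS):
        print(f"  {h} -> {nxt}")
```

Running the block prints the two chains side by side: the NSEC chain lists intranet.example., mail.example. and www.example. in clear, while the NSEC3 chain carries only 32-character hashes, which is the property the guide refers to when it says NSEC3 helps mitigate zone walking.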
Mode
dnssec template
Description
Syntax
[no] dnskey-ttl
seconds
[no] ksk name
Description
256 of 260
Performance by Design
Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
Default
Mode
dnssec sign-zone-now
Description
Syntax
Description
Name of the DNS zone.
Default
Signing begins 30 seconds after the zone or DNSSEC template configuration is changed.
Mode
Corporate Headquarters
A10 Networks, Inc.
3 West Plumeria Dr
San Jose, CA 95134 USA
Tel: +1-408-325-8668 (main)
Tel: +1-888-822-7210 (support toll-free in USA)
Tel: +1-408-325-8676 (support direct dial)
Fax: +1-408-325-8666
www.a10networks.com