Cisco Global Site Selector Configuration Guide Book-Length PDF v1.1

Cisco Global Site Selector
Configuration Guide
Software Version 1.1
January 2004
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-4327-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as
part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of
Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST,
BPX, Catalyst, CCDA, CCDP, CCIE, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press,
Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch,
Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers
logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, ScriptShare, SlideCast, SMARTnet,
StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO are registered trademarks of
Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0304R)
Cisco Global Site Selector Configuration Guide

Copyright © 2003 Cisco Systems, Inc. All rights reserved.
C O N T E N T S
Preface xix
Audience xx
How to Use This Guide xx
Related Documentation xxi
Symbols and Conventions xxii
Obtaining Documentation xxiv
Cisco.com xxiv
Documentation CD-ROM xxiv
Ordering Documentation xxv
Documentation Feedback xxv
Obtaining Technical Assistance xxvi
Cisco TAC Website xxvi
Opening a TAC Case xxvi
TAC Case Priority Definitions xxvii
Obtaining Additional Publications and Information xxviii
CHAPTER 1 Introducing the Global Site Selector 1-1

GSS Overview 1-2
DNS Routing 1-3
DNS Name Servers 1-4
Request Resolution 1-5
GSLB Using the GSS 1-6

OL-4327-01 iii
Contents
GSS Architecture 1-9

Global Site Selectors and Global Site Selector Managers 1-10
GSS 1-10
Primary GSSM 1-10
Standby GSSM 1-11
DNS Rules 1-12
Hosted Domains and Domain Lists 1-13
Source Address and Source Address Lists 1-13
Answers and Answer Groups 1-14
VIP Answers 1-15
Name Server Answers 1-16
CRA Answers 1-16
Keepalives 1-17
ICMP 1-18
TCP 1-18
HTTP-HEAD 1-18
KAL-AP 1-19
CRA 1-19
Name Server 1-20
None 1-20
Adjusting Failure Detection Time for Keepalives 1-20
Balance Methods 1-24
Ordered List 1-24
Round-Robin 1-25
Weighted Round-Robin 1-25
Least Loaded 1-25
Hash 1-26
Boomerang (DNS Race) 1-26
Balance Method Options for Answer Groups 1-27
Locations and Regions 1-30

iv OL-4327-01
Contents
Owners 1-30
GSS Network Deployment 1-31
Locating GSS Devices 1-31
Locating GSS Devices Behind Firewalls 1-32
Communication Between GSS Nodes 1-33
Deployment Within Data Centers 1-34
GSS Network Management 1-34
CLI-Based GSS Management 1-34
GUI-Based Primary GSSM Management 1-35
Understanding the Primary GSSM Graphical User Interface 1-36
Graphical User Interface Organization 1-38
List Pages 1-38
Details Pages 1-40
Navigation 1-41
Primary GSSM GUI Icons and Symbols 1-41
Primary GSSM GUI Online Help 1-47
Where to Go Next 1-48
CHAPTER 2 Setting Up Your GSS 2-1

Accessing the GSS CLI 2-2
Accessing the CLI Using a Direct Serial Connection 2-2
Enabling Remote Access on a GSS Device 2-3
Accessing the CLI Using a Remote Connection 2-4
Accessing the GSS CLI Using a Private and Public Key Pair 2-5
Performing Network Configuration of the GSS 2-6
Configuring the GSS Using the Setup Script 2-8
Configuring the GSS from the CLI 2-10
Configuring a Primary GSSM or Standby GSSM 2-12
Configuring a Global Site Selector 2-14

OL-4327-01 v
Contents
Logging Into the Primary GSSM Graphical User Interface 2-15

Creating and Modifying GSS Devices 2-18
Activating GSS Devices 2-18
Modifying GSS Device Configuration 2-21
Deleting GSS Devices 2-22
Global Server Load-Balancing Summary 2-23
CHAPTER 3 Configuring Resources 3-1

Organizing Your GSS Network 3-2
Creating and Modifying Locations and Regions 3-3
Creating Regions 3-3
Creating Locations 3-6
Modifying Regions 3-8
Modifying Locations 3-9
Deleting Locations and Regions 3-10
Creating and Modifying Owners 3-11
Creating Owners 3-11
Modifying Owners 3-14
Deleting Owners 3-15
Grouping GSS Resources by Location, Region, and Owner 3-16
CHAPTER 4 Configuring Source Address Lists 4-1

Creating Source Address Lists 4-2
Modifying Source Address Lists 4-5
Deleting Source Address Lists 4-7

vi OL-4327-01
Contents
CHAPTER 5 Configuring Domain Lists 5-1

Domain List Overview 5-1
Creating Domain Lists 5-2
Modifying Domain Lists 5-8
Deleting Domain Lists 5-10
CHAPTER 6 Configuring KeepAlives 6-1

Modifying Global KeepAlive Properties 6-1
Global KeepAlive Configuration—ICMP 6-3
Global KeepAlive Configuration—TCP 6-6
Global KeepAlive Configuration—HTTP HEAD 6-9
Global KeepAlive Configuration—KAL-AP 6-12
Global KeepAlive Configuration—CRA 6-15
Global KeepAlive Configuration—Name Server 6-16
Configuring and Modifying Shared VIP KeepAlives 6-17
Creating a Shared VIP KeepAlive 6-17
Shared KeepAlive Configuration—ICMP 6-21
Shared KeepAlive Configuration—TCP 6-22
Shared KeepAlive Configuration—HTTP HEAD 6-24
Shared KeepAlive Configuration—KAL-AP 6-26
Modifying a Shared KeepAlive 6-28
Deleting a Shared KeepAlive 6-29

OL-4327-01 vii
Contents
CHAPTER 7 Configuring Answers and Answer Groups 7-1

Configuring and Modifying Answers 7-1
Creating a VIP-Type Answer 7-2
VIP Answer—ICMP KeepAlive 7-7
VIP Answer—TCP KeepAlive 7-9
VIP Answer—HTTP HEAD KeepAlive 7-11
VIP Answer—KAL-AP KeepAlive 7-13
Creating a CRA-Type Answer 7-14
Creating a Name Server-Type Answer 7-17
Modifying an Answer 7-19
Suspending an Answer 7-20
Reactivating an Answer 7-21
Suspending or Reactivating All Answers in a Location 7-21
Deleting an Answer 7-22
Configuring and Modifying Answer Groups 7-23
Creating an Answer Group 7-24
Modifying an Answer Group 7-29
Suspending or Reactivating an Answer Group 7-30
Suspending or Reactivating All Answers in an Answer Group Associated with
an Owner 7-32
Deleting an Answer Group 7-35
CHAPTER 8 Building and Modifying DNS Rules 8-1

DNS Rule Configuration Overview 8-2
DNS Rule Wizard 8-2
DNS Rule Builder 8-4

viii OL-4327-01
Contents
Building DNS Rules Using the Wizard 8-5

DNS Rule Wizard—Source Address List Page 8-7
DNS Rule Wizard—Source Address List Page 2 8-8
DNS Rule Wizard—Source Address List Page 3 8-9
DNS Rule Wizard—Domain List Page 8-10
DNS Rule Wizard—Domain List Page 2 8-12
DNS Rule Wizard—Domain List Page 3 8-13
DNS Rule Wizard—Answer Group Page 8-15
DNS Rule Wizard - Answer Group Page 2 8-16
DNS Rule Wizard—Balance Method Page 8-22
DNS Rule Wizard—Summary 8-25
Building DNS Rules Using the DNS Rule Builder 8-27
Modifying DNS Rules 8-33
Suspending a DNS Rule 8-34
Reactivating a DNS Rule 8-35
Suspending or Reactivating All DNS Rules Belonging to an Owner 8-36
Deleting a DNS Rule 8-38
Configuring DNS Rule Filters 8-38
Removing DNS Rule Filters 8-42
Delegation to GSS Devices 8-42
CHAPTER 9 GSS Administration and Troubleshooting 9-1

Performing Advanced GSS Configuration Tasks 9-2
Logically Removing a GSS or Standby GSSM from the Network 9-2
Changing the GSSM Role in the GSS Network 9-4
Switching the Roles of the Primary and Standby GSSMs 9-4
Reversing the Roles of the Interim Primary and Standby GSSMs 9-6

OL-4327-01 ix
Contents
Modifying Network Configuration Settings of a GSS 9-7

Changing the Startup and Running Configuration Files 9-8
Loading the Startup Configuration from an External File 9-9
Configuring the Primary GSSM Graphical User Interface 9-10
Printing and Exporting GSSM Data 9-12
Configuring GSS Security 9-13
Creating and Managing GSSM Login Accounts 9-13
Creating a GSSM GUI User Account 9-14
Modifying a GSSM GUI User Account 9-16
Removing a GSSM GUI User Account 9-17
Changing Your GSSM GUI Password 9-17
Creating and Managing GSS CLI Login Accounts 9-19
Creating a GSS User Account Using the CLI 9-19
Modifying a GSS User Account Using the CLI 9-20
Deleting a GSS User Account Using the CLI 9-20
Resetting the CLI Administrator Account Password 9-21
Segmenting GSS Traffic by Interface 9-22
Filtering GSS Traffic Using Access Lists 9-24
Creating an Access List 9-25
Associating an Access List with a GSS Interface 9-27
Disassociating an Access List from a GSS Interface 9-28
Adding Rules to an Access List 9-28
Removing Rules from an Access List 9-29
Viewing Access Lists 9-30
Deploying GSS Devices Behind Firewalls 9-30
Configuring SNMP on Your GSS Network 9-33
Configuring SNMP on Your GSS 9-34
Viewing SNMP Status 9-35
Viewing MIB Files on the GSS 9-36

x OL-4327-01
Contents
Backing Up the GSSM 9-37

Determining When and What Type of Backup to Perform 9-39
When to Perform a Full Backup 9-39
When to Perform a Database Backup 9-39
Performing a Full GSSM Backup 9-39
Performing a GSSM Database Backup 9-40
Upgrading the Cisco GSS Software 9-41
Verifying the GSSM Role in the GSS Network 9-42
Backing up and Archiving the Primary GSSM 9-43
Obtaining the Software Upgrade 9-43
Upgrading Your GSS Devices 9-45
Downgrading and Restoring Your GSS Devices 9-48
Restoring an Earlier Software Version on Your GSS Devices 9-49
Restoring Your GSSM from a Full Backup 9-49
Restoring Your GSSM Database from a Database-Only Backup 9-52
Viewing Third-Party Software Versions 9-54
Primary GSSM Error Messages 9-56
Answer Error Messages 9-56
Answer Group Error Messages 9-60
DNS Rule Error Messages 9-61
Domain List Error Messages 9-68
Shared KeepAlive Error Messages 9-72
KeepAlive Error Messages 9-74
Location Error Messages 9-76
Owner Error Messages 9-77
Region Error Messages 9-77
GSSM Error Messages 9-78
Source Address List Error Messages 9-79
User Error Messages 9-81

OL-4327-01 xi
Contents
CHAPTER 10 Monitoring GSS Performance 10-1

Monitoring GSS and GSSM Status 10-1
Monitoring the Online Status of GSS Devices from the CLI 10-2
Monitoring the Status of Your GSS Network from the CLI 10-3
Monitoring the Status of the Boomerang Server on Your GSS 10-3
Monitoring the Status of the DNS Server on Your GSS 10-4
Monitoring the Status of Keepalives on Your GSS 10-5
Monitoring GSS Device Status from the Primary GSSM GUI 10-6
Monitoring GSSM Database Status 10-6
Monitoring the Database Status 10-7
Validating Database Records 10-7
Creating a Database Validation Report 10-8
Monitoring Global Load-Balancing Status 10-9
Monitoring Answer Hit Counts 10-10
Monitoring Answer Keepalive Statistics 10-11
Monitoring Answer Status 10-14
Monitoring DNS Rule Statistics 10-15
Monitoring Domain Statistics 10-17
Monitoring Source Address Statistics 10-18
Monitoring Global Statistics 10-20
Viewing Log Files 10-22
Understanding GSS Logging Levels 10-22
Viewing Device Logs from the CLI 10-23
Viewing the gss.log File from the CLI 10-24
Viewing Subsystem Log Files from the CLI 10-25
Rotating Existing Log Files from the CLI 10-26
Viewing System Logs from the Primary GSSM GUI 10-28
Viewing System Logs from the GUI 10-28
Purging System Log Messages from the GUI 10-30
System Log Messages 10-31

xii OL-4327-01
Contents
GLOSSARY
INDEX

OL-4327-01 xiii
Contents

xiv OL-4327-01
F I G U R E S
Figure 1-1 Domain Name Space 1-3
Figure 1-2 DNS Request Resolution 1-5
Figure 1-3 GLSB Using the Cisco Global Site Selector 1-8
Figure 1-4 Effect of the Number of Retries Value on the Keepalive Transmission Interval 1-23
Figure 1-5 Primary GSSM Welcome Window 1-37
Figure 1-6 Answers List Page 1-39
Figure 1-7 Modifying Answer Details Page 1-40
Figure 1-8 GSSM Online Help 1-47
Figure 2-1 Primary GSSM Welcome Window 2-17
Figure 2-2 Global Site Selectors List Page - Inactive Status 2-19
Figure 2-3 Modifying GSS Details Page 2-20
Figure 2-4 Global Site Selectors List Page - Active Status 2-21
Figure 3-1 Regions List Page 3-4
Figure 3-2 Creating New Region Details Page 3-5
Figure 3-3 Locations List Page 3-6
Figure 3-4 Creating New Location Details Page 3-7
Figure 3-5 Modifying Region Details Page 3-8
Figure 3-6 Modifying Location Details Page 3-9
Figure 3-7 Owners List Page 3-12
Figure 3-8 Creating New Owner Details Page 3-13
Figure 3-9 Modifying Owner Details Page 3-14
Figure 4-1 Source Address Lists List Page 4-2
Figure 4-2 Creating New Source Address List - General Configuration 4-3

OL-4327-01 xiii
Figures
Figure 4-3 Creating New Source Address List - Add Addresses 4-4
Figure 4-4 Creating Source Address List - Current Members List 4-5
Figure 4-5 Modifying Source Address List - Remove Addresses 4-6
Figure 4-6 Modifying Source Address List - Delete Icon 4-8
Figure 5-1 Domain Lists Page 5-3
Figure 5-2 Creating New Domain List Details Page - General Configuration 5-4
Figure 5-3 Creating New Domain List - Add Domains 5-5
Figure 5-4 Creating Domain List - Current Members List 5-7
Figure 5-5 Modifying Domain List - Remove Domains 5-9
Figure 5-6 Modifying Domain List - Delete Icon 5-11
Figure 6-1 Configure Global KeepAlive Properties Details Page 6-2
Figure 6-2 ICMP Global KeepAlive—Standard KAL Type 6-3
Figure 6-3 ICMP Global KeepAlive—Fast KAL Type 6-4
Figure 6-4 TCP Global KeepAlive—Standard KAL Type 6-6
Figure 6-5 TCP Global KeepAlive—Fast KAL Type 6-7
Figure 6-6 HTTP HEAD Global KeepAlive—Standard KAL Type 6-9
Figure 6-7 HTTP HEAD Global KeepAlive—Fast KAL Type 6-10
Figure 6-8 KAL-AP Global KeepAlive—Standard KAL Type 6-12
Figure 6-9 KAL-AP Global KeepAlive—Fast KAL Type 6-13
Figure 6-10 Global KeepAlives Details Page—CRA KeepAlive 6-15
Figure 6-11 Global KeepAlives Details Page—Name Server KeepAlive 6-16
Figure 6-12 Shared KeepAlives Lists Page 6-18
Figure 6-13 Creating New Shared KeepAlives Details Page 6-19
Figure 6-14 Shared KeepAlives Details Page—ICMP KeepAlive (Fast KAL Type) 6-21
Figure 6-15 Shared KeepAlives Details Page—TCP KeepAlive (Fast KAL Type) 6-22
Figure 6-16 Shared KeepAlives Details Page—HTTP HEAD KeepAlive (Fast KAL Type) 6-24
Figure 6-17 Shared KeepAlives Details Page—KAL-AP KeepAlive (Fast KAL Type) 6-26

xiv OL-4327-01
Figures
Figure 6-18 Modifying Shared KeepAlive Details Page 6-28
Figure 7-1 Answers List Page 7-3
Figure 7-2 Creating New Answer Details Page 7-4
Figure 7-3 Creating New Answer—VIP Details Page 7-5
Figure 7-4 Answer Details Page—ICMP KeepAlive VIP Answer 7-7
Figure 7-5 Answer Details Page—TCP KeepAlive VIP Answer 7-9
Figure 7-6 Answer Details Page—HTTP HEAD KeepAlive VIP Answer 7-11
Figure 7-7 Answer Details Page—KAL-AP Keepalive VIP Answer 7-13
Figure 7-8 Creating New Answer—CRA Answer 7-16
Figure 7-9 Creating New Answer—Name Server Answer 7-18
Figure 7-10 Modifying Answer Details Page 7-20
Figure 7-11 Answer Group List Page 7-24
Figure 7-12 Creating New Answer Group Details Page—General Configuration 7-25
Figure 7-13 Creating New Answer Group Details Page—Add Answers 7-27
Figure 7-14 Creating New Answer Group Details Page—Current Members 7-28
Figure 7-15 Modifying Answer Group - Remove Answers 7-30
Figure 7-16 Modifying Answer Group - Suspend Answers Icon 7-31
Figure 7-18 Modifying Owners Details Page 7-34
Figure 8-1 DNS Rule Wizard - Introduction Page 8-3
Figure 8-2 DNS Rule Builder Window 8-4
Figure 8-3 DNS Rules List Page 8-5
Figure 8-4 DNS Rule Wizard—Introduction Page 8-6
Figure 8-5 DNS Rule Wizard—Source Address List Page 1 8-7
Figure 8-8 DNS Rule Wizard—Domains List Page 1 8-11

OL-4327-01 xv
Figures
Figure 8-11 DNS Rule Wizard—Answer Group Page 1 8-15
Figure 8-15 DNS Rule Wizard—Balance Method Page 8-22
Figure 8-16 DNS Rule Wizard—Summary Page 8-25
Figure 8-17 DNS Rules List Page 8-28
Figure 8-18 Create New DNS Rule Window 8-29
Figure 8-20 Modifying Owners Details Page 8-37
Figure 8-21 Configure DNS Rule List Filter Details Page 8-39
Figure 9-1 GUI Configuration Details Page 9-11
Figure 9-2 GSSM User Administration List Page 9-14
Figure 9-3 GSSM User Administration Details Page 9-15
Figure 9-4 GSSM Change Password Details Page 9-18
Figure 9-5 GSSM Third-Party Software List Page 9-55
Figure 10-1 Answer Hit Counts List Page 10-10
Figure 10-2 Answer Keepalive Statistics List Page 10-12
Figure 10-3 Answer Status List Page 10-14
Figure 10-4 DNS Rule Statistics List Page 10-16
Figure 10-5 Domain Hit Counts List Page 10-17
Figure 10-6 Source Address List Statistics List Page 10-19
Figure 10-7 Global Statistics List Page 10-20
Figure 10-8 System Log List Page 10-29

xvi OL-4327-01
T A B L E S
Table 1-1 Keepalive Transmission Rates 1-21
Table 1-2 Balance Method Options for Answer Types 1-28
Table 1-3 GSSM GUI Icons and Symbols 1-42
Table 3-1 GSS Network Groupings 3-16
Table 8-1 DNS Rules Filter Parameters 8-40
Table 9-1 GSS-Related Ports and Protocols (Inbound Traffic) 9-25
Table 9-2 Inbound Traffic Going Through a Firewall to the GSS 9-31
Table 9-3 Outbound Traffic Originating from the GSS 9-32
Table 10-1 Field Descriptions for Answer Hit Counts List Page 10-11
Table 10-2 Field Descriptions for Answer Keepalive Statistics List Page 10-12
Table 10-3 Field Descriptions for Answer Status List Page 10-15
Table 10-4 Field Descriptions for DNS Rule Statistics List Page 10-16
Table 10-5 Field Descriptions for Domain Statistics List Page 10-18
Table 10-6 Field Descriptions for Source Address Statistics List Page 10-19
Table 10-7 Field Descriptions for Global Statistics List Page 10-21
Table 10-8 GSS Logging Levels 10-22
Table 10-9 System Log Messages 10-31

OL-4327-01 xvii
Tables

xviii OL-4327-01
Preface
This guide includes information on configuring the Cisco Global Site Selector
(GSS). It provides procedures for the proper setup, global server load balancing
configuration, administration, and monitoring of the GSS product. Steps for
troubleshooting many common problems are also provided.
This preface describes the following topics:
• Audience
• How to Use This Guide
• Related Documentation
• Symbols and Conventions
• Obtaining Documentation
• Obtaining Technical Assistance
• Obtaining Additional Publications and Information

OL-4327-01 xix
Preface
Audience
Audience
To use this configuration guide, you should be familiar with the Cisco
Global Site Selector Series hardware. In addition, you should be familiar with
basic TCP/IP and networking concepts, router configuration, Domain Name
System (DNS), theBerkeley Internet Name Domain (BIND) software or similar
DNS products, and your organization’s specific network configuration.
How to Use This Guide

This guide includes the following chapters:
Chapter/Title Description
Chapter 1, Introducing Describes the basic concepts underlying the GSS
the Global Site Selector product as well as important GSS-related terms.
Chapter 2, Setting Up Describes the process of configuring the Global Site
Your GSS Selector Series hardware to act as a Global Site
Selector Manager (GSSM) or Global Site Selector
(GSS) device.
Chapter 3, Configuring Instructions on organizing resources on your GSS
Resources network as locations, regions, and owners.
Chapter 4, Configuring Describes the creation and modification of source
Source Address Lists address lists.
Chapter 5, Configuring Describes the creation and modification of domain
Domain Lists lists.
Chapter 6, Configuring Describes the modification of global keepalive
KeepAlives parameters and the creation of shared keepalives.
Chapter 7, Configuring Describes the creation of GSS answers and answer
Answers and Answer groups.
Groups
Chapter 8, Building and Describes constructing the DNS rules that govern all
Modifying DNS Rules global server load balancing on your GSS network.

xx OL-4327-01
Preface
Related Documentation
Chapter/Title Description
Chapter 9, GSS Covers the procedures necessary to properly manage
Administration and and maintain your GSSM and GSS devices,
Troubleshooting including login security, software upgrades, GSSM
database administration, and GSSM error messages.
Chapter 10, Monitoring Describes the tools that you can use to monitor the
GSS Performance status of your GSS devices and of global load
balancing on your GSS network.
Related Documentation
In addition to this document, the GSS documentation set includes the following:
Document Title Description

Global Site Selector Intended to help you install your Cisco Global Site
Hardware Installation Selector and get it ready for operation. It describes
Guide how to prepare your site for installation, how to
install the GSS in an equipment rack, and how to
maintain and troubleshoot the system hardware.
Release Note for the Cisco Provides information on operating considerations,
Global Site Selector caveats, and commands for the Global Site Selector
software.
Cisco Global Site Selector Provides an alphabetical list of all GSS Command
Command Reference Line Interface (CLI) commands including syntax,
options, and related commands. This document
also describes how to use the CLI interface.

OL-4327-01 xxi
Preface
Symbols and Conventions

This guide uses the following symbols and conventions to emphasize certain
information.
Command descriptions use the following conventions:
boldface font Commands and keywords are in boldface.

italic font Variables for which you supply values are in italics.
[ ] Elements in square brackets are optional.
{x | y | z} Alternative keywords are grouped in braces and separated
by vertical bars.
[x | y | z] Optional alternative keywords are grouped in brackets and
separated by vertical bars.
string A nonquoted set of characters. Do not use quotation marks
around the string, or the string will include the quotation
marks.
Screen examples use the following conventions:
screen font Terminal sessions and information the system displays are
in screen font.
boldface screen Information you must enter is in boldface screen font.
font
italic screen Variables for which you supply values are in italic screen
font font.
This pointer highlights an important line of text in an
example.
^ The symbol ^ represents the key labeled Control—for
example, the key combination ^D in a screen display means
hold down the Control key while you press the D key.
< > Nonprinting characters, such as passwords, are in angle
brackets.

xxii OL-4327-01
Preface
[ ] Default responses to system prompts are in square brackets.

!, # An exclamation point (!) or a pound sign (#) at the
beginning of a line of code indicates a comment line.
Graphical user interface elements use the following conventions:
boldface text Instructs the user to enter a keystroke or act on a GUI

element.
Courier text Indicates text that appears in a command line, including the
CLI prompt.
Courier bold Indicates commands and text you enter in a command line.
text
italic text Directories and filenames are in italic font.
Caution A caution means that a specific action you take could cause a loss of data or
adversely impact use of the equipment.
Note A note provides important related information, reminders, and recommendations.
1. A numbered list indicates that the order of the list items is important.
a. An alphabetical list indicates that the order of the secondary list items is
important.
• A bulleted list indicates that the order of the list topics is unimportant.
– An indented list indicates that the order of the list subtopics is
unimportant.

OL-4327-01 xxiii
Preface
Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and
other technical resources. These sections explain how to obtain technical
information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at
this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco websites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco
Documentation CD-ROM package, which may have shipped with your product.
The Documentation CD-ROM is updated regularly and may be more current than
printed documentation. The CD-ROM package is available as a single unit or
through an annual or quarterly subscription.
Registered Cisco.com users can order a single Documentation CD-ROM (product
number DOC-CONDOCCD=) through the Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_t
ool_launch.html
All users can order annual or quarterly subscriptions through the online
Subscription Store:
http://www.cisco.com/go/subscription

xxiv OL-4327-01
Preface
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product
documentation from the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
• Nonregistered Cisco.com users can order documentation through a local
account representative by calling Cisco Systems Corporate Headquarters
(California, USA.) at 408 526-7208 or, elsewhere in North America, by
calling 800 553-NETS (6387).
Documentation Feedback
You can submit comments electronically on Cisco.com. On the Cisco
Documentation home page, click Feedback at the top of the page.
You can send your comments in e-mail to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front
cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

OL-4327-01 xxv
Preface
Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco
service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour,
award-winning technical support services, online and over the phone. Cisco.com
features the Cisco TAC website as an online starting point for technical assistance.
Cisco TAC Website

The Cisco TAC website (http://www.cisco.com/tac) provides online documents
and tools for troubleshooting and resolving technical issues with Cisco products
and technologies. The Cisco TAC website is available 24 hours a day, 365 days a
year.
Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID
and password. If you have a valid service contract but do not have a login ID or
password, register at this URL:
http://tools.cisco.com/RPF/register/register.do
Opening a TAC Case

The online TAC Case Open Tool (http://www.cisco.com/tac/caseopen) is the
fastest way to open P3 and P4 cases. (Your network is minimally impaired or you
require product information). After you describe your situation, the TAC Case
Open Tool automatically recommends resources for an immediate solution. If
your issue is not resolved using these recommendations, your case will be
assigned to a Cisco TAC engineer.
For P1 or P2 cases (your production network is down or severely degraded) or if
you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC
engineers are assigned immediately to P1 and P2 cases to help keep your business
operations running smoothly.

xxvi OL-4327-01
Preface
To open a case by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete listing of Cisco TAC contacts, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established
case priority definitions.
• Priority 1 (P1)—Your network is “down” or there is a critical impact to your
business operations. You and Cisco will commit all necessary resources
around the clock to resolve the situation.
• Priority 2 (P2)—Operation of an existing network is severely degraded, or
significant aspects of your business operation are negatively affected by
inadequate performance of Cisco products. You and Cisco will commit
full-time resources during normal business hours to resolve the situation.
• Priority 3 (P3)—Operational performance of your network is impaired, but
most business operations remain functional. You and Cisco will commit
resources during normal business hours to restore service to satisfactory
levels.
• Priority 4 (P4)—You require information or assistance with Cisco product
capabilities, installation, or configuration. There is little or no effect on your
business operations.

OL-4327-01 xxvii
Preface
Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is
available from various online and printed sources.
• The Cisco Product Catalog describes the networking products offered by
Cisco Systems, as well as ordering and customer support services. Access the
Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
• Cisco Press publishes a wide range of networking publications. Cisco
suggests these titles for new and experienced users: Internetworking Terms
and Acronyms Dictionary, Internetworking Technology Handbook,
Internetworking Troubleshooting Guide, and the Internetworking Design
Guide. For current Cisco Press titles and other information, go to Cisco Press
online at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco quarterly publication that provides the latest
networking trends, technology breakthroughs, and Cisco products and
solutions to help industry professionals get the most from their networking
investment. Included are networking deployment and troubleshooting tips,
configuration examples, customer case studies, tutorials and training,
certification information, and links to numerous in-depth online resources.
You can access Packet magazine at this URL:
http://www.cisco.com/go/packet
• iQ Magazine is the Cisco bimonthly publication that delivers the latest
information about Internet business strategies for executives. You can access
iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine

xxviii OL-4327-01
Preface
• Internet Protocol Journal is a quarterly journal published by Cisco Systems

for engineering professionals involved in designing, developing, and
operating public and private internets and intranets. You can access the
Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_
protocol_journal.html
• Training—Cisco offers world-class networking training. Current offerings in
network training are listed at this URL:
http://www.cisco.com/en/US/learning/index.html

OL-4327-01 xxix
Preface

xxx OL-4327-01
C H A P T E R 1
Introducing the Global Site Selector
This chapter describes the Cisco Global Site Selector (GSS) and introduces you
to the terms and concepts necessary to properly understand and operate the GSS
product.
This chapter contains the following major sections:
• GSS Overview
• DNS Routing
• GSLB Using the GSS
• GSS Architecture
• GSS Network Deployment
• GSS Network Management
• Understanding the Primary GSSM Graphical User Interface
For background material on DNS-based global server load balancing (GSLB), as
it applies to the GSS, refer to the Business Case for Global Server Load Balancing
white paper available on Cisco.com.

OL-4327-01 1-1
Chapter 1 Introducing the Global Site Selector
GSS Overview
GSS Overview
With the growth of the Internet and of Internet-based commerce, there is an
increasing demand for high-end networking solutions that can handle
sophisticated customer transactions and high traffic loads. Improved content
routing is a core technology behind such networking solutions.
Global load-balancing devices such as the Cisco Content Services Switch (CSS)
and Cisco Content Switching Module (CSM) can balance content requests among
two or more servers containing the same content that are connected to a corporate
LAN or the Internet. Server load balancing devices ensure that the content
consumer is directed to the host that is best suited to handle that consumer’s
request.
Increasingly, organizations with a global reach or businesses that provide web and
application hosting services require network devices that can perform such
complex request routing to two or more redundant, geographically dispersed data
centers, improving response times while also providing disaster recovery and
failover protection through so-called “global server load balancing,” or GSLB.
The Cisco Global Site Selector (GSS) is a next-generation networking product
that provides these services, allowing customers to leverage global content
deployment across multiple distributed and mirrored data locations, optimizing
site selection, improving Domain Name System (DNS) responsiveness, and
ensuring data center availability.
Inserted into the traditional DNS routing hierarchy and closely integrated with
your Cisco CSS, Cisco CSM, or third-party server load balancers (SLBs), the GSS
monitors the health and load of the SLBs in each of your data centers and then
uses that information along with customer-controlled routing algorithms to select
the best-suited and least-loaded data center in real time.
Just as important, the GSS is capable of detecting site outages, ensuring that
web-based applications are always online and that customer requests to data
centers that suddenly go offline are quickly rerouted to available resources.
Finally, the GSS offloads tasks from traditional DNS servers by taking control of
the domain resolution process for parts of your domain name space. Because it
can respond to requests at a rate of thousands of requests per second, the GSS
greatly improves DNS responsiveness to those subdomains.

1-2 OL-4327-01
DNS Routing
DNS Routing
Before you can begin using the GSS product, you must first understand content
routing as it currently exists, including DNS and how the introduction of GSS
devices on your network will affect content routing and delivery to your
customers. This section explains some of the key DNS routing concepts behind
the GSS product.
Since the early 1980s, content routing on the Internet has been handled using the
Domain Name System (DNS), a distributed database of host information that
maps domain names to IP addresses. A radical departure from the largely manual
system of maintaining lists of domain names that preceded it, DNS vastly
improved the ability of those responsible for maintaining the Internet to manage
network traffic and load, as well as maintain a consistent and unique list of valid
Internet hosts.
Almost all transactions that occur across the Internet rely on DNS, including
electronic mail, remote terminal access such as Telnet, file transfers using FTP,
and web surfing. DNS makes possible the use of easy-to-remember alphanumeric
host names instead of numeric IP addresses that bear no relationship to the content
on the host.
DNS is a robust and flexible system for managing a nearly infinite number of host
names, called the domain name space (Figure 1-1). DNS is particularly effective
in that it allows local administration of segments (individual domains) of the
overall database, yet makes it possible for data in any segment to be available
across the entire network, a process known as delegation.
Figure 1-1 Domain Name Space
com lnt net org gov mil edu
cisco
vassar
www
78664
ftp
www admissions alumni

OL-4327-01 1-3
DNS Routing
DNS Name Servers

Information about the domain name space is stored on name servers that are
distributed throughout the Internet, each server storing the complete information
about its small part of the total domain name space, called a zone. End users
requiring data from a particular domain or machine generate a recursive DNS
request on their client that is sent first to the local name server (NS), sometimes
called the D-proxy. The job of the D-proxy is to return the IP address of the
requested domain to the end user.
The DNS structure is based on a hierarchical tree structure similar to common file
systems. The key components in this infrastructure include:
• DNS Resolvers (DNSR)—Clients that access client name servers.
• Client Name Server (CNS)—A server running DNS software and has the
responsibility of finding the requested web site. The CNS is sometimes called
the client DNS proxy (D-proxy).
• Root Name Servers (RNS)—A server that resides at the top of the DNS
hierarchy. The RNS knows how to locate every extension after the “.” in the
host name. There are many top-level domains, the most common include .org,
.edu, .net, .gov, and .mil. There are approximately 13 root servers worldwide
for handling all Internet requests.
• Intermediate Name Server (INS)—A server that is used for scaling
purposes. When the root name server does not have the IP address of the
authoritative name server (ANS), it sends the requesting client name server to
an intermediate name server. The intermediate name server then sends the
client name server to the authoritative name server.
• Authoritative Name Server (ANS)—A server that is run by an enterprise or
is outsourced to a service provider and is authoritative for the domain
requested. The authoritative name server responds directly to the client name
server (not to the client) with the requested IP address.

1-4 OL-4327-01
DNS Routing
Request Resolution
If the local D-proxy does not have the information requested by the end user, it
sends out iterative requests to the name servers that it knows are authoritative for
domains close to the requested domain.For example, a request for www.cisco.com
causes the D-proxy to check first for another name server that is authoritative for
www.cisco.com.
The process outlined below summarizes the sequence performed by the DNS
infrastructure to return an IP address when a client tries to access the
www.cisco.com website. Figure 1-2 illustrates how the DNS request resolution
process works.
Figure 1-2 DNS Request Resolution
www.cisco.com
2 "."
com ns
Root Name Server

www.cisco.com
cisco.com ns 3 com
Intermediate Name Server

(supporting .com)
cisco
www.cisco.com
www.cisco.com 4
hr
support
Authoritative Name Server
(supporting Cisco.com and
all sub-domains, such as
www.cisco.com)
tac svc software
www.cisco.com
5 Desktop system
78668
www.cisco.com?
Client Name Server 1
(D-proxy)

OL-4327-01 1-5
GSLB Using the GSS
1. The resolver (client) sends a query for www.cisco.com to the local client
name server (D-proxy).
2. The local D-proxy does not have the IP address for www.cisco.com so it
sends a query to a root name server (“.”) asking for the IP address. The root
name server responds by referring the D-proxy to the specific name server
supporting the .com domain. The root name server can respond to the request
in two different ways, the most common way, is to send the D-proxy directly
to the authoritative name server for tac.support.cisco.com. Another method,
called iterated query, is when the root name server sends the D-proxy to an
intermediate name server that knows the address of the authoritative name
server tac.support.cisco.com.
3. The local D-proxy sends a query to the intermediate name server which
responds, referring the D-proxy to the authoritative name server for
cisco.com and all the associated sub-domains.
4. The local D-proxy sends a query to the cisco.com authoritative name server.
This name server is authoritative for cisco.com which is the top-level domain.
www.cisco.com is a sub-domain of cisco.com so this name sever is
authoritative for the requested domain and sends the IP address to the
D-proxy.
5. The D-proxy sends the IP address (198.133.219.25) to the client browser. The
browser uses this IP address and initiates a connection to the www.cisco.com
web site
GSLB Using the GSS

The GSS addresses critical disaster recovery needs by globally load balancing
distributed data centers. The GSS is designed to coordinate the efforts of SLBs,
such as the Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, a
Web server, a cache or other geographically dispersed SLB in a global network
deployment.
Running on a Cisco Global Site Selector Series platform, the GSS can support up
to 256 unique SLBs and over 4000 separate VIP addresses. The GSS coordinates
the activities of SLBs by acting as the authoritative DNS server for those devices
under its control.

1-6 OL-4327-01
GSLB Using the GSS
When the Cisco GSS is responsible for GSLB services, the DNS process migrates
to the GSS. The DNS configuration is the same process as described in the
“Request Resolution” section. The only exception is that the NS-records point to
the GSSs located at each data center. Ultimately, the Cisco GSS device determines
which data center site should receive the client traffic.
As the authoritative name server for a domain or subdomain, the GSS can consider
additional information about the resources under its control when it receives
requests from client name servers.
Among the additional factors that the GSS is capable of considering when
responding to a request are:
• Availability—Which servers are online and available to respond to the
query?
• Proximity—Which server responded the fastest to a query?
• Load—What type of traffic load is each server handling in the domain?
• Source of the Request—From which D-proxy did the content request
originate?
• Preference—What is the first, second, or third choice of algorithm to use in
responding to a query?
This type of load balancing helps to ensure not only that end users are always
directed to resources that are online, but also that requests are forwarded to the
most suitable device, resulting in increased response time for users.
In resolving DNS requests, the Cisco GSS performs a series of distinct operations
that take into account the resources under its control and return the best possible
answer to the requesting client’s D-proxy.
The process outlined below discuss how the GSS interacts with various clients as
part of the website selection process to return the IP address of the requested
content site. Figure 1-3 illustrates how this process works.

OL-4327-01 1-7
GSLB Using the GSS
Figure 1-3 GLSB Using the Cisco Global Site Selector
Client Name DNS Name

Servers Server
(D-Proxy) GSS 1
1 2 3
Data Center
3
5 4
Mobile
DNS Global
Control Plane
Fixed Wireless
GSS 2
IP Global
Forwarding Plane
Cable
Data Center Data Center

DSL 1 2
Dedicated ATM/
Frame Relay
ISDN/Dial
Clients
Requesting
Web sites
Cisco GSS's Response Cisco GSS Tracking
97789
Clients DNS Requests Global Resources

Layer 3 Communications
1. A client starts to download an updated version of software from

www.cisco.com and types www.cisco.com in the location or address field of
the browser. This application is supported at three different data centers.
2. The request is processed by the DNS global control plane infrastructure and
arrives at the Cisco GSS device.

1-8 OL-4327-01
GSS Architecture
3. The Cisco GSS offloads the site selection process from the DNS global
control plane. The request and site selection are based on the load and health
information in conjunction with customer-controlled load-balancing
algorithms. The Cisco GSS, in real time, selects a data center that is available
and not overloaded.
4. The Cisco GSS sends the IP address of the “best” server load balancer at a
specific data center, in this case the SLB at Data Center 2.
5. The web browser processes the transmitted IP address.
6. The client is directed to the SLB at Data Center 2 by the IP control and
forwarding plane.
GSS Architecture
This section describes the key components of a GSS deployment, including
hardware and software, as well as GSS networking concepts. It includes:
• Global Site Selectors and Global Site Selector Managers
• DNS Rules
• Hosted Domains and Domain Lists
• Source Address and Source Address Lists
• Answers and Answer Groups
• Keepalives
• Balance Methods
• Locations and Regions
• Owners

OL-4327-01 1-9
GSS Architecture
Global Site Selectors and Global Site Selector Managers

The Global Site Selector solution relies on three distinct but closely related
devices:
• GSS
• Primary GSSM
• Standby GSSM
GSS
The GSS is a Cisco Global Site Selector platform running GSS software and
performing routing of DNS queries based on DNS rules and conditions configured
using the GSSM.
Each GSS is known to and synchronized with the primary GSSM, but individual
GSSs do not report their presence or status to one another. Each GSS on your
network must delegate authority to the parent domain GSS DNS server that serves
the DNS requests.
Each GSS is managed separately using the Cisco CLI. GUI support is not
available on a GSS device.
A device that acts as a GSS may also be serving as the primary GSSM for a GSS
network.
Primary GSSM
The primary GSSM is a Cisco Global Site Selector platform running Cisco GSS
software and performing content routing as well as centralized management
functions for the GSS network.
The primary GSSM serves as the organizing point of the GSS network, hosting
the embedded GSS database that contains configuration information for all your
GSS resources, such as individual GSSs and DNS rules. Other GSS devices report
their status to the primary GSSM. Configuration changes initiated on the primary
GSSM using the graphical user interface are automatically communicated to each
device that the primary GSSM manages.
Any GSS device can serve as a GSSM.

1-10 OL-4327-01
GSS Architecture
In addition to content routing configuration, a subset of device-monitoring and

logging features is accessible from the GSSM GUI, though more extensive
inquiries may require access to the GSS CLI for an individual device.
Communication between administrators and the primary GSSM uses secure
HTTP (HTTPS), and access to the primary GSSM graphical user interface is
password-protected.
Standby GSSM
The standby GSSM is a Cisco Global Site Selector platform running Cisco GSS
software and performing GSLB functions for the GSS network even while
operating in standby mode. In addition, the standby GSSM can be configured to
act as the GSSM should the primary GSSM go offline or become unavailable to
communicate with other GSS devices.
As with the primary GSSM, the standby GSSM is configured to run the GSSM
GUI and contains a duplicate copy of the embedded GSS database that is currently
installed on the primary GSSM. Any configuration or network changes affecting
the GSS network are synchronized between the primary and the standby GSSM
so that the two devices are never out of step.
The GUI is inaccessible on the standby GSSM until it is designated as the primary
GSSM. The standby GSSM can be enabled as the primary GSSM using the gssm
standby-to-primary CLI command. You must make sure that your original
primary GSSM is offline before attempting to enable the standby GSSM as the
new primary GSSM. Having two primary GSSMs active at the same time may
result in the inadvertent loss of configuration changes for your GSS network. If
this dual primary GSSM configuration occurs, the two primary GSSMs revert to
standby mode and you will need to reconfigure one of the GSSMs as the primary
GSSM.
The standby GSSM is capable of temporarily taking over the role as the primary
GSSM is the event that the primary GSSM is unavailable (for example, you need
to move the primary GSSM or you want to take it offline for repair or
maintenance). The switching of roles between the designated primary GSSM and
the standby GSSM is intended to be a temporary GSS network configuration until
the original primary GSSM is back online. The interim primary GSSM can be
used to monitor GSS behavior and make configuration changes if necessary. Once
the original primary GSSM is available, reassign the two GSSMs to their original
roles in the GSS network as described in Chapter 9, GSS Administration and
Troubleshooting, the “Logically Removing a GSS or Standby GSSM from the
Network” section.

OL-4327-01 1-11
GSS Architecture
DNS Rules
The GSS uses DNS rules, as configured by the administrator through the primary
GSSM GUI to:
• Provide you with centralized command and control of how the GSS will
globally load balances a given hosted domain
• Define the IP address(es) to send to the client’s name server (D-proxy)
• Define the recovery method to use (using up to three load balance clauses)
DNS rules determine how the GSS responds to each query it receives by matching
requests received from a known source, or D-proxy, to the most suitable member
of a collection of name servers or virtual IP addresses (VIPs).
Each DNS rule takes into account four variables:
• The source IP address of the requesting D-proxy
• The requested hosted domain
• An answer group, which is a group of resources considered for the response
• A balance method, an algorithm for selecting the best server, together with an
answer group, makes up a clause
A DNS rule defines how a request is handled by the GSS by answering the
following question:
When traffic arrives from a DNS proxy, querying a specific domain name,
what resources should be considered for the response, and how should they
be balanced?
Each GSS network supports a maximum of 4000 DNS rules.
Up to three possible response answer group and balance method clauses are
available for each DNS rule. Each clause specifies that a particular answer group
serve the request and a specific balance method be used to select the best resource
from that answer group. These clauses are evaluated in order, with parameters
established to determine when one clause should be skipped in the event that the
first answer group and balance method specified does not yield an answer, and the
next clause is used.

1-12 OL-4327-01
GSS Architecture
Hosted Domains and Domain Lists

A hosted domain (HD) is any domain or subdomain that has been delegated to the
GSS and configured using the primary GSSM GUI for DNS query responses. In
other words, a hosted domain is a DNS domain name for which the GSS is
authoritative.
All DNS queries must match a domain belonging to a configured domain list, or
else they are denied by the GSS. Queries that do not match domains on any GSS
domain lists can also be forwarded by the GSS to an external DNS name server
for resolution.
Hosted domains may or may not correspond to standard third-level domain names
but cannot exceed 128 characters in length. Domain names that use wildcards are
supported by the GSS. The GSS supports POSIX 1003.2 extended regular
expressions when matching wildcards.
The following examples could be domain or sub-domain names configured on the
GSS:
cisco.com
www.cisco.com
www.support.cisco.com
.*\.cisco\.com
Domain lists are groups of hosted domains that have been delegated to the GSS.
Each GSS can support a maximum of 2000 hosted domains and 2000 hosted
domain lists, with a maximum of 500 hosted domains supported for each domain
list.
Using the DNS rules feature of the primary GSSM graphical user interface,
requests for any member of a domain list are matched to an answer—a resource
hosting the content being requested—using one of a number of balance methods.
Refer to Chapter 5, Configuring Domain Lists for more information on
configuring domain lists.
Source Address and Source Address Lists

The term source address refers to the source of DNS queries received by the GSS.
Source addresses might point to an IP address or block of addresses representing
client D-proxies from which queries originate.

OL-4327-01 1-13
GSS Architecture
Using DNS rules, the GSS matches source addresses to domains hosted by the
GSS using one of a number of different balance methods.
Source addresses are taken from the D-proxy (the local name server) to which a
requesting client issued a recursive request. The D-proxy iterates the client
queries to multiple name servers, eventually querying the GSS, which matches the
D-proxy address against its list of configured source addresses.
DNS queries received by the GSS do not have to match a specific D-proxy in order
to be routed; default routing can be performed on requests that do not emanate
from a known source address. A fail safe “Anywhere” source address list is
provided by default. Incoming queries that do not match your configured source
address lists are matched to this list.
In addition to specific IP addresses, source addresses can also be set up to
represent address blocks using variable-prefix-length classless interdomain
routing (CIDR) block masking. For example, the following would all be
acceptable GSS source addresses:
192.168.1.110
192.168.1.110/32
192.168.1.0/24
192.168.0.0/16
Source addresses are grouped into lists, referred to as source address lists, for the
purposes of routing requests. Source address lists can contain between 1 and 30
source addresses, or unique address blocks. Each GSS supports up to 60 source
address lists.
Answers and Answer Groups

In a GSS network, the term answers refers to resources to which the GSS resolves
DNS requests that it receives. There are three types of possible answers on a GSS
network. These answers include:
• VIP—Virtual IP (VIP) addresses associated with an SLB such the Cisco CSS,
Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, a Web server, a cache
or other geographically dispersed SLBs in a global network deployment.
• Name Server—Configured DNS name server on your network that can
answer queries that the GSS cannot resolve.
• CRA—Content routing agents that use a resolution process called DNS race
to send identical and simultaneous responses back to a user’s D-proxy.

1-14 OL-4327-01
GSS Architecture
As with domains and source addresses, answers are configured using the primary
GSSM GUI by identifying the IP address to which queries can be directed.
Once created, answers are grouped together as resource pools called answer
groups, from which the GSS, using up to three possible response answer group
and balance method clauses in a DNS rule, can choose the most appropriate
resource to serve each user request. Each balance method provides a different
algorithm for selecting one answer from a configured answer group. Each clause
specifies that a particular answer group serve the request and a specific balance
method be used to select the best resource from that answer group.
Depending on the type of answer, further intelligence can be applied to DNS
queries to choose the best host. For example, a request that is routed to a VIP
associated with a Cisco CSS is routed to the best resource based on load and
availability, as determined by the CSS. A request that is routed to a CRA is routed
to the best resource based on proximity, as determined in a DNS race conducted
by the GSS.
VIP Answers
VIP answers are used by SLBs to represent content hosted on one or more servers
under their control. The use of VIP answers allows for traffic to be balanced
among multiple origin servers, application servers, or transaction servers in a way
that results in faster response times for users and less network congestion for the
host.
When queried by a client’s D-proxy for a domain associated with a VIP answer
type, the GSS responds with the VIP address of the SLB best suited to handle that
request. The requesting client then contacts the SLB, which load balances the
request to the server best suited to respond.

OL-4327-01 1-15
GSS Architecture
Name Server Answers

A name server answer specifies the IP address of a DNS name server to which
DNS queries are forwarded from the GSS.
Using the name server forwarding feature, queries are forwarded to an external
(non-GSS) name server for resolution, with the answer passed back to the GSS
name server and from there to the requesting D-proxy. As such, the name server
answer type can act as a guaranteed fallback resource—a way to resolve requests
that the GSS cannot resolve itself—because of the following reasons:
• The requested content is unknown to the GSS.
• The resources that typically handle such requests are unavailable.
• To use DNS server features that are not supported by the GSS, such as mail
exchanger (type MX) records.
• To use a third-party content provider for failover and error recovery.
• To build a tiered DNS system.
CRA Answers
The CRA (content routing agent) answer relies on content routing agents and the
GSS to choose a suitable answer for a given query based on the proximity of two
or more possible hosts to the requesting D-proxy.
With the CRA answer, requests received from a particular D-proxy are served by
the content server that responds first to the request. Response time is measured
using a DNS race, coordinated by the GSS and content routing agents running on
each content server. In the DNS race, multiple hosts respond simultaneously to an
A-record request. The server with the fastest response time (the shortest network
delay between itself and the client’s D-proxy) is chosen to serve the content.
For the GSS to initiate a DNS race it needs two pieces of information:
• The delay between the GSS and each of the CRAs in each data center. With
this data the GSS computes how much time to delay the race from each data
center so each CRA starts the race simultaneously.
• The online status of the CRA through the use of keepalives.
The boomerang balance method uses the DNS race to determine the best site.
See the “Boomerang (DNS Race)” section for more information on this
balance method.

1-16 OL-4327-01
GSS Architecture
Keepalives
In addition to specifying a resource, each answer also provides you with the
option of specifying a keepalive for that resource, a method by which the GSS can
periodically check to see if the resource is still active. A keepalive is a specific
interaction (handshake) between the GSS and another device using a commonly
supported protocol. A keepalive is designed to test if a specific protocol on the
device is functioning properly. If the handshake is successful, then the device is
available, active, and able to receive traffic. If the handshake fails, then the device
is considered to be unavailable and inactive. All answers are validated by
configured keepalives and are not returned by the GSS to the D-proxy if the
keepalive indicates that the answer is not viable.
The GSS uses keepalives to collect and track information on everything from the
simple online status of VIPs to services and applications running on a server.
Depending on the type of resource that you are configuring as a GSS answer (for
example, a VIP address associated with a Cisco CSS or a virtual server IP address
associated with a CSM), you have the option of configuring a keepalive for that
answer that is used to monitor its online status continually and report that
information to the GSSM. Routing decisions involving that answer consider that
online status information.
The GSS also supports the use of shared keepalives to minimize traffic between
the GSS and the SLBs that it is monitoring. A shared keepalive identifies a
common address or resource that can provide status for multiple answers. Shared
keepalives are not used with name server or CRA answers.
The sections that follow explain the various keepalive types supported by the
GSS:
• ICMP
• TCP
• HTTP-HEAD
• KAL-AP
• CRA
• Name Server
• None
• Adjusting Failure Detection Time for Keepalives

OL-4327-01 1-17
GSS Architecture
ICMP
An ICMP keepalive is used when the GSS answer that you are testing is a VIP
address, IP address, or a virtual server IP address. The Internet Control Message
Protocol (ICMP) keepalive type monitors the health of resources by issuing
queries containing ICMP packets to the configured VIP address (or a shared
keepalive address) for the answer. Online status is determined by a response from
the targeted address, indicating simple connectivity to the network. The GSS
supports up to 500 ICMP keepalives when using the standard detection method
and up to 100 ICMP keepalives when using the fast detection method. See the
“Adjusting Failure Detection Time for Keepalives” section for details.
TCP
A TCP keepalive is used when the GSS answer that you are testing is to a GSLB
devices that may be something other than a CSS or CSM. These GSLB remote
devices could include webservers, LocalDirectors, WAP gateways, and other
devices that can be checked using a TCP keepalive. The TCP keepalive initiates a
TCP connection to the remote device by performing the three-way handshake
sequence.
Once the TCP connection is established, the GSS terminates the connection. You
can choose to terminate the connection from two termination methods: Reset
(immediate termination using a hard reset) or Graceful (standard three-way
handshake termination).
The GSS supports up to 500 TCP keepalives when using the standard detection
method and up to 100 TCP keepalives when using the fast detection method. Refer
to the “Adjusting Failure Detection Time for Keepalives” section for details.
HTTP-HEAD
An HTTP HEAD keepalive is used when the GSS answer that you are testing is
an HTTP web server acting as a standalone device or managed by an SLB device
such as a Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, or Cisco
LocalDirector. The HTTP-HEAD keepalive type sends a TCP formatted HTTP
HEAD request to a web server at an address that you specify, returning the online
status of the device in the form of an HTTP Response Status Code of 200 (for
example, HTTP/1.0 200 OK).

1-18 OL-4327-01
GSS Architecture
Once the HTTP HEAD connection is established, the GSS terminates the
connection. You can choose to terminate the connection from two termination
methods: Reset (immediate termination using a hard reset) or Graceful (standard
three-way handshake termination).
The GSS supports up to 500 HTTP HEAD keepalives when using the standard
detection method and up to 100 HTTP HEAD keepalives when using the fast
detection method. Refer to the “Adjusting Failure Detection Time for Keepalives”
section for details.
KAL-AP
A KAL-AP (KeepAlive-Appliance Protocol) keepalive is used when the GSS
answer that you are testing is a VIP associated with a Cisco CSS or a Cisco CSM.
The KAL-AP keepalive type sends a detailed query to both a primary (master) and
an optional secondary (backup) circuit address that you specify, returning the
online status of each interface as well as information on load.
Depending on your GSS network configuration, the KAL-AP keepalive can be
used to either query a VIP address directly (KAL-AP By VIP) or query an address
by way of an alphanumeric tag (KAL-AP By Tag). Using a KAL-AP By Tag
keepalive query can be particularly useful in the following cases:
• You are attempting to determine the online status of a device that is located
behind a firewall that is performing Network Address Translation (NAT).
• There are multiple content rule choices on the SLB.
The GSS supports up to 128 primary and 128 secondary KAL-AP keepalives
when using the standard detection method and up to 40 primary and 40 secondary
KAL-AP keepalives when using the fast detection method. See the “Adjusting
Failure Detection Time for Keepalives” section for details.
CRA
The CRA keepalive is used when you are testing a CRA answer that responds to
DNS race requests. The CRA keepalive type tracks the time required (in
milliseconds) for a packet of information to reach the CRA and return to the GSS.
The GSS supports up to 200 CRA keepalives.

OL-4327-01 1-19
GSS Architecture
Name Server
The name server keepalive sends a query to the IP address of the name server for
a query domain that you specify (for example, www.cisco.com). Online Status for
the name server answer is determined by the ability of the name server or D-proxy
for the query domain to respond to the query and assign the domain to an address.
The GSS supports up to 100 name server keepalives.
None
With the keepalive set to None, the GSS assumes that the named answer is always
online. Setting the keepalive type to None prevents your GSS from taking online
status or load into account when routing. However, a keepalive of None can be
useful under certain conditions, such as when adding devices to your GSS
network that are not suited to other keepalive types. In general, ICMP is a simple
and flexible keepalive type that works with most devices. Using ICMP is
preferable to using the None option.
Adjusting Failure Detection Time for Keepalives

Failure detection time, as it relates to the GSS, is the amount of time between
when a device failure occurred (the answer resource goes offline) and when the
GSS realized the failure occurred. The failure detection window is the window of
time that the GSS may wait, once a keepalive cycle has been initiated, before
determining that an answer has failed. If a response packet fails to arrive back to
the GSS within this window the answer is marked offline.
The GSS supports two failure detection modes, standard and fast. The standard
GSS detection time is typically 60 seconds before the GSS detects that a failure
has occurred.
Standard mode allows adjustment of the following parameters:
• Response Timeout - The length of time allowed before the GSS retransmits
data to a device that is not responding to a request. The valid entries are 20 to
60 seconds. The default is 20 seconds.
• Minimum Interval - The minimum frequency with which the GSS attempts
to schedule a keepalive. The valid entries are 40 to 255 seconds. The default
is 40 seconds.

1-20 OL-4327-01
GSS Architecture
With fast mode, the GSS controls the failure detection time through use of the
following keepalive transmission interval formula:
(# Ack’d Packets * (Response TO + (Retry TO * # of Retries))) + Timed Wait
where:
# Ack’d Packets = Number of packets that require some form of
acknowledgement (how many packets require acknowledgement)
Response TO = Response Timeout (how long to wait for a reply for a packet
that requires acknowledgement)
Retry TO = Retry Timeout (how long to wait for a reply for a retransmitted
packet)
# of Retries = Number of Retries (how many times the GSS retransmits
packets to a potentially failed device before declaring the device offline)
Timed Wait = Time for remote side of the connection to close (TCP-based
keepalive only)
Table 1-1 summarizes how the GSS software calculates the fast keepalive
transmission rates.
Table 1-1 Keepalive Transmission Rates
# Ack’d Response Retry TO # of Retries Timed Wait Transmission

Packets TO (Fixed (User (Fixed Interval
(Fixed (Fixed Value) Selectable) Value)
Value) Value)
KAL-AP 1 2 seconds 2 seconds 1 0 4 seconds
ICMP 1 2 seconds 2 seconds 1 0 4 seconds
TCP (RST) 1 2 seconds 2 seconds 1 0 4 seconds
TCP (FIN) 2 2 seconds 1 second 1 2 seconds 10 seconds
HTTP HEAD 2 2 seconds 2 seconds 1 0 8 seconds
(RST)
HTTP HEAD 3 2 seconds 2 seconds 1 2 seconds 14 seconds
(FIN)

OL-4327-01 1-21
GSS Architecture
In the case of a TCP (RST) connection, the default transmission interval for a TCP
keepalive would be:
(1 * (2 + (2 * 1))) + 0 = 4 seconds
You can adjust the number of retries for the ICMP, TCP, HTTP HEAD, and
KAL-AP keepalive types. The number of retries defines how many times the GSS
retransmits packets to a potentially failed device before declaring the device
offline. The range is 1 to 10 retries. The default is 1. As you adjust the number of
retries, you change the detection time determined by the GSS. By increasing the
number of retries you increase the detection time. Reducing the number of retries
has the reverse effect.
The number of retries value is associated with every packet that requires some
form of acknowledgement before continuing with a keepalive cycle (ICMP
requests, TCP SYN, or TCP FIN). For example, to fully complete a TCP-based
keepalive cycle, the TCP-based keepalive retries the SYN packet for the specified
number of retries, and then retries the FIN packet for the specified number of
retries.
In the above example of a TCP (RST) connection, if you change the number of
retries from the default value of 1 to a setting of 5 the transmission interval would
be:
(1 * (2 + (2 * 5))) + 0 = 12 seconds
Figure 1-4 illustrates the effect on the keepalive transmission interval as you
increase the number of retries value.

1-22 OL-4327-01
GSS Architecture
Figure 1-4 Effect of the Number of Retries Value on the Keepalive Transmission
Interval
Fast Keepalive Intervals

80
70
KAL Interval in Seconds
60
50
40
30
20
10
0
0 1 2 3 4 5 6 7 8 9 10
Number of Retries
KALAP, ICMP, & TCP (Reset) TCP (Standard Close)
97788
HTTP-HEAD (Reset) HTTP-HEAD (Standard Close)
You can also define the number of consecutive successful keepalive attempts
(probes) that must occur before the GSS identifies that an offline answer is now
online. The GSS monitors each keepalive attempt to determine whether it has
been successful. The number of successful probes parameter identifies how many
consecutive successful keepalive attempts must be recognized by the GSS before
bringing an answer back online and reintroducing it back into the GSS network.

OL-4327-01 1-23
GSS Architecture
Balance Methods
The GSS supports six unique balance methods that allow you to specify how a
GSS answer should be selected to respond to a given DNS query. Each balance
method provides a different algorithm for selecting one answer from a configured
answer group. The sections that follow explain the various balance methods
supported by the GSS:
• Ordered List
• Round-Robin
• Weighted Round-Robin
• Least Loaded
• Hash (based on source address or hosted domain)
• Boomerang (DNS race)
Ordered List
Using the ordered list balance method, each resource within an answer group (for
example, an SLB VIP or a name server) is assigned a number that corresponds to
the rank of that answer within the group. The number you assign represents the
order of the answer on the list. Subsequent VIPs or name servers, on the list will
only be used in the event that preceding VIPs or name server on the list are
unavailable. The GSS supports gaps in numbering in an ordered list.
Note For answers that have the same order number in an answer group, the GSS will
only use the first answer that contains the number. We recommend that you
specify a unique order number for each answer in an answer group.
Using the ranking of each answer, the GSS tries each resource in the order that
has been prescribed, selecting the first available (“live”) answer to serve a user
request. List members are given precedence and tried in order, and a member is
not used unless all previous members fail to provide a suitable result.
The ordered list method is typically useful in managing resources across multiple
content sites in which a deterministic method for selecting answers is required.

1-24 OL-4327-01
GSS Architecture
See the “Balance Method Options for Answer Groups” section for information on
how the GSS determines which answer to select when using the ordered list
balance method.
Round-Robin
Using the round-robin balance method, each resource within an answer group is
tried in turn, with the GSS cycling through the list of answers, selecting the next
answer in line for each request. In this way, the GSS can resolve requests by
evenly distributing the load among possible answers.
The round-robin balance method is useful when balancing requests among
multiple, active data centers that are hosting identical content; for example
between SLBs at a primary and at an “active standby” site that serves requests.
how the GSS determines which answer to select when using the round-robin
balance method.
Weighted Round-Robin
As with the round-robin balance method, the weighted round-robin method cycles
through a list of defined answers, choosing each available answer in turn.
However, with weighted round-robin, an additional “weight” factor is assigned to
each answer, biasing the GSS toward certain servers, so that they are used more
often.
how the GSS determines which answer to select when using the weighted
round-robin balance method.
Least Loaded
Using the least loaded balance method, the GSS resolves requests to the least
loaded of all resources, as reported by the KAL-AP keepalive process, which
provides the GSS with detailed information on the SLB load and availability.
The least loaded balance method resolves the request by determining the least
number of connections on a CSM or the least-loaded CSS.

OL-4327-01 1-25
GSS Architecture
how the GSS determines which answer to select when using the least loaded
balance method.
Hash
Using the source address and domain hash balance method, elements of the
client’s DNS proxy IP address and the requesting client’s domain are extracted
and used to create a unique value, referred to as a hash value. The unique hash
value is attached to and used to identify a VIP that is chosen to serve the DNS
query.
The use of hash values makes it possible to “stick” traffic from a particular
requesting client to a specific VIP, ensuring that future requests from that client
are routed to the same VIP. This type of continuity can be used to facilitate
features such as online shopping baskets in which client-specific data is expected
to persist even when client connectivity to a site is terminated or interrupted.
The GSS supports two hashed balance method. The GSS allows you to apply one
or both hashed balance methods to the specified answer group.
• By Source Address—The GSS selects the answer based on a hash value
created from the source address of the request.
• By Domain Name—The GSS selects the answer based on a hash value
created from the requested domain name.
Boomerang (DNS Race)

The GSS supports the boomerang (DNS race) method of proximity routing, a type
of DNS resolution that is initiated by the GSS and is designed to load balance
between 2 and 20 sites.
Based on the concept that instantaneous proximity can be determined if a content
routing agent (CRA) within each data center sends an A-record (IP address) at the
exact same time to the client’s D-proxy, the DNS race method of DNS resolution
gives all possible CRAs (which can be either Cisco Content Engines or Content
Services Switches) a fair chance at resolving a client request and allows for
proximity to be determined without probing the client’s D-proxy. Whatever
A-record is received first by the D-proxy is by default the most proximate.

1-26 OL-4327-01
GSS Architecture
For the GSS to initiate a DNS race, it needs to establish two pieces of information
for each CRA:
• The delay between the GSS and each of the CRAs in each data center. With
this data, the GSS computes how long to delay the race from each data center,
so that each CRA starts the race simultaneously.
• The online status of the CRAs. With this data, the GSS knows not to forward
requests to any CRA that is not responding.
The Boomerang server on the GSS gathers this information by sending keepalive
messages at predetermined intervals. This data, along with the IP addresses of the
CRAs, is used to request the exact start time of the DNS race.
Finally, for the CRA response to be accepted by the D-proxy, each CRA must
spoof the IP address of the GSS to which the DNS request was sent when
responding.
Balance Method Options for Answer Groups

For most balance methods supported by the GSS, there are additional
configuration options that you must consider when you group specific answers in
an answer group. These configuration options ensure that the GSS properly
applies the balance method for answers, and they ensure that you are getting the
best possible results from your GSS device. Table 1-2 describes the available
balance method options for each answer type (VIP, CRA, or NS).

OL-4327-01 1-27
GSS Architecture
Table 1-2 Balance Method Options for Answer Types
Answer Type Balance Methods Used Balance Method Options

VIP Hash Order
Least loaded LT (Load Threshold)
Ordered list Weight
Round-robin
Weighted round-robin
Name server Hash Order
Ordered list Weight
Round-robin
Weighted round-robin
CRA Boomerang (DNS race) None
The following sections explain each of the balance method options available for
an answer in an answer group.
Order
The order option is used when the balance method for the answer group is Ordered
List. Answers on the list are given precedence based upon their position in the list
in responding to requests.
Weight
The weight option is used when the balance method for the answer group is
weighted round-robin or least loaded. Weights are specified by a number between
1 and 10 and indicate the capacity of the answer to respond to requests. The
weight is used to create a ratio that the GSS uses when directing requests to each
answer. For example, if Answer A has a weight of 10 and Answer B has a weight
of 1, Answer A receives 10 requests for every 1 directed to Answer B.

1-28 OL-4327-01
GSS Architecture
When used with the weighted round-robin balance method, the number listed is
used by the GSS to create a ratio of the number of times the answer is used to
respond before the next answer on the list is tried.
When used with the least-loaded balance method, the number listed is used by the
GSS as the divisor in calculating the load number associated with the answer,
which is used to create a bias in favor of answers with greater capacity.
Load Threshold
The load threshold is used when the answer type is VIP and the keepalive method
is KAL-AP to determine whether an answer is available, regardless of the balance
method used. The load threshold specifies a number between 2 and 254 that is
compared to the load being reported by the answer device. If the answer’s load is
greater than the specified threshold, the answer is considered offline and
unavailable to serve further requests.
The load threshold value can also be used in conjunction with the weight assigned
to an answer, with the weight acting as a divisor for the load threshold in
calculating capacity. When there are multiple answers to choose from, the GSS
software compares the load threshold to the load reported by the answer device to
determine if the answer is available, and then selects the answer.

OL-4327-01 1-29
GSS Architecture
Locations and Regions

As your GSS network grows, the job of organizing and administering your GSS
resources—answers and answer groups, domain lists, and DNS rules—becomes a
more complex problem. For that reason, the GSS makes features available to you
that help you make sense of and organize your resources. Among these resources
are:
• Locations—Logical groupings for GSS resources that correspond to
geographical areas such as a city, data center, or content site
• Regions—Higher-level geographical groupings that contain one or more
locations
In addition to allowing you to easily sort and navigate long lists of answers and
DNS rules, the use of logical groupings such as locations and regions makes it
easier to perform bulk administration of GSS resources. For example, in the
primary GSSM, you can suspend or activate all answers linked to a particular GSS
data center, shutting down a site for scheduled maintenance and then bringing it
back online with only a few mouse clicks.
Owners
Owners serve a purpose similar to that of locations and regions in the GSS,
providing a simple way to organize and identify groups of related GSS resources.
However, whereas regions and locations are used to make geographical sense of
your GSS network, owners are used to group resources according to other
organizational schemes.
For example, a service provider using the GSS to manage multiple hosting sites
might create an owner for each web or application hosting customer. With this
organizational scheme, domain lists containing that customer’s hosted content as
well as DNS rules, answer groups, and source address lists that specify how traffic
to those domains should be processed, can all be associated with and managed
through the owner.
Deployed on a corporate intranet, owners can be used to segregate GSS resources
on a department-by-department basis, or to allocate specific resources to IT
personnel. For example, you could create an owner for the finance, human
resources, and sales departments so that resources corresponding to each can be
viewed and managed together.

1-30 OL-4327-01
GSS Network Deployment

A typical GSS deployment may contain up to eight GSS devices deployed on a
corporate intranet or the Internet. At least one GSS—and no more than two
GSSs—must be configured as a primary GSSM and a standby GSSM. The GSSM
monitors other GSS devices on the network and offers features for managing and
monitoring request routing services using a GUI accessible through secure HTTP.
Only one GSSM can be “active” at any time, with the second GSSM serving as a
“standby,” or backup device.
The GSSM functionality is embedded on each GSS, and any GSS device can be
configured to act as a primary GSSM or a standby GSSM. Refer to Chapter 2,
Setting Up Your GSS for details.
Additional GSSs beyond the primary and standby GSSM that are configured on
the GSS network respond to DNS requests and transmit periodic keepalives to
provide resource state information about devices. These GSS devices do not
perform GSS network management tasks.
This section describes a typical network deployment of the GSS and includes:
• Locating GSS Devices
• Locating GSS Devices Behind Firewalls
• Communication Between GSS Nodes
• Deployment Within Data Centers
Locating GSS Devices

Although it is your organization that determines where your GSS devices are
deployed in your network, some general guidelines must be observed. Because the
GSS serves as the authoritative name server for one or more domains, each GSS
must be publicly or privately addressable on your enterprise network. That way,
the D-proxy clients that are requesting content can find the GSSs that have been
charged with handling requests for that content.

OL-4327-01 1-31
Options are available for delegating responsibility for your domain to your GSS
devices, depending on traffic patterns to and from your domain. For example,
given a network containing five GSS devices, you might choose to modify your
parent domain DNS servers so that all traffic sent to your domain is directed to
each of your GSS devices. Or you might choose to have a subset of your traffic
delegated to one or more of your GSSs, with other devices handling other
segments of your traffic.
Refer to Chapter 8, Building and Modifying DNS Rules, the “Delegation to GSS
Devices” section for information on modifying your network’s DNS
configuration to accommodate the addition of GSSs to your network.
Locating GSS Devices Behind Firewalls

Deploying a firewall can be of immense benefit in preventing unauthorized access
to your GSS network, as well as thwarting common denial of service (DoS)
attacks on your GSS devices. Besides being deployed behind your corporate
firewall, the GSS comes with robust packet-filtering features that enable GSS
administrators to permit and disallow traffic to any GSS device.
When positioning your GSS behind a firewall or enabling packet filtering on the
GSS itself, you must properly configure each device (the firewall and the GSS) to
allow valid network traffic to reach the GSS device on specific ports. In addition
to requiring HTTPS traffic to access the primary GSS graphical user interface,
you may want to configure your GSSs to allow FTP, Telnet, and SSH access
through certain ports. In addition, GSSs must be able to communicate their status
to and receive configuration information from the GSSM. Finally, primary and
standby GSSMs must be able to communicate and synchronize with one another.
Refer to Chapter 9, GSS Administration and Troubleshooting, the “Filtering GSS
Traffic Using Access Lists” for the discussion of the access-list and access-group
CLI commands for instructions on limiting incoming traffic. See the “Deploying
GSS Devices Behind Firewalls” section in that chapter as well for information on
which ports must be enabled and left open for the GSS to function properly.
Refer to the Cisco Global Site Selector Command Reference for detailed
descriptions of the CLI commands required to create a firewall that blocks all
non-GSS traffic to your GSS devices.

1-32 OL-4327-01
Communication Between GSS Nodes

The primary GSSM serves as the organizing point of the GSS network,
performing DNS queries and hosting the embedded GSS database that contains
configuration information for all your GSS resources, such as individual GSSs
and DNS rules. Configuration changes initiated on the primary GSSM using the
GSSM graphical user interface are automatically communicated to each
registered GSS device that the primary GSSM manages.
The standby GSSM performs GSLB functions for the GSS network. In addition,
the standby GSSM is configured to act as the GSSM should the primary GSSM
suddenly go offline or become unavailable to communicate with other GSS
devices. The standby GSSM can be quickly enabled as the primary GSSM using
the gss CLI command. GUI support is not available on a standby GSSM until it is
configured as a primary GSSM.
Th e GSS also runs GSS software and performs routing of DNS queries based on
DNS rules and conditions configured using the GSSM. Each GSS is managed
separately using the Cisco CLI. GUI support is not available on a GSS device.
Each GSS on your network must delegate authority to the parent domain GSS
DNS server that serves the DNS requests.
Each GSS is known to and synchronized with the GSSM, but individual GSSs do
not report their presence or status to one another. Should a GSS unexpectedly go
offline, other GSSs on the network responsible for the same resources are not
affected.
With both a primary and a standby GSSM deployed on your GSS network, device
configuration information and DNS rules are automatically synchronized between
the primary GSSM and a data store maintained on the standby GSSM.
Synchronization occurs automatically between the two devices whenever the GSS
network configuration changes. Updates are packaged and sent to the standby
GSSM using a secure connection between the two devices.
Should the primary GSSM suddenly become unavailable, the GSS network
continues to function and does not impact global server load balancing. If desired,
you can manually enable the standby GSSM as the primary GSSM using the CLI.
Refer to Chapter 2, Setting Up Your GSS for instructions on enabling the primary
GSSM and to Chapter 9, GSS Administration and Troubleshooting for details
about changing the GSSM role in the GSS network.

OL-4327-01 1-33
GSS Network Management
Deployment Within Data Centers

A typical GSS network consists of multiple content sites, such as data centers and
server farms, access to which is managed by one or more SLBs, such as the Cisco
CSS.
Each SLB is represented by one or more virtual IP addresses, or VIPs. These VIPs
act as the publicly addressable front-end of the data center. Behind each SLB are
transaction servers, database servers, and mirrored origin servers offering a wide
variety of content, from websites to applications.
The GSS communicates directly with the SLBs that are representing each data
center, collecting statistics on availability and load for each of the SLBs and VIPs
and using that data to direct requests to the best-suited data centers and the most
available resources within each data center.
In addition to SLBs, a typical data center deployment may also contain DNS name
servers that are not being managed by the GSS. These can be used to resolve
requests, through name server forwarding, that the GSS cannot resolve itself.

Management of your GSS network is divided into two types:
• CLI-Based GSS Management
• GUI-Based Primary GSSM Management
CLI-Based GSS Management

The CLI is used to configure installation and management of your Cisco GSS
software, including:
• Initial configuration of GSS and GSSM (primary and standby) devices
• Software upgrades and downgrades on GSSs and GSSMs
• Database and configuration backups, and database restore operations

1-34 OL-4327-01
In addition, the CLI is used for network configuration of your GSS devices,
including:
• Network address and host name configuration
• Network interface configuration
• Access control for your GSS devices, including IP filtering and traffic
segmentation
The CLI can also be used for status monitoring and logging for each GSS device.
Refer to the Cisco Global Site Selector Command Reference for an alphabetical
list of all GSS Command Line Interface (CLI) commands including syntax,
options, and related commands. This document also describes how to use the CLI
interface.
GUI-Based Primary GSSM Management

The primary GSSM offers a single, centralized graphical user interface (GUI) for
monitoring and administering your entire GSS network. The primary GSSM GUI
is used for:
• Configuring DNS request handling and global server load balancing through
the creation of DNS rules and monitoring of keepalives
• Monitoring GSS network resources
• Monitoring request routing and GSS statistics
See the “Understanding the Primary GSSM Graphical User Interface” section for
background details anout the GUI.

OL-4327-01 1-35
Understanding the Primary GSSM Graphical User Interface
Understanding the Primary GSSM Graphical User

Interface
The primary GSSM graphical user interface is a web-based tool that can be
viewed using any standard web browser such as Microsoft Internet Explorer
Version 5.0 and later and Netscape Navigator Version 4.79 or later. Basic
authentication is used to restrict GUI access. All GUI traffic is encrypted using
secure HTTP (HTTPS).
The primary GSSM GUI serves as a centralized management point for your entire
GSS network. Using the primary GSSM GUI, you can add GSS devices to your
network and build DNS rules that match groups of source addresses to hosted
domains using one of a number of possible load-balancing methods. In addition,
using the GSSM monitoring feature, you can obtain real-time statistics on the
performance of your GSS network or of individual devices on that network.
When you first log on to the primary GSSM, you see a Welcome window
(Figure 1-5). The current login account information appears in the User ID (upper
right) area of the Welcome window.

1-36 OL-4327-01
Figure 1-5 Primary GSSM Welcome Window
The sections describes the organization and structure of the primary GSSM GUI
and includes:
• Graphical User Interface Organization
• List Pages
• Details Pages
• Navigation
• Primary GSSM GUI Icons and Symbols
• Primary GSSM GUI Online Help
Review this information before using the primary GSSM to define global load
balancing for your GSS network.

OL-4327-01 1-37
Graphical User Interface Organization

The primary GSSM graphical user interface is organized into four main functional
areas that are accessed by clicking the appropriate tab. Each tab can be accessed
at any time to navigate to that particular section of the primary GSSM.
• DNS Rules Tab—Contains pages for creating and modifying DNS rules,
including the creation of source address lists, (hosted) domain lists, answers,
answer groups, and shared keepalives.
• Resources Tab—Contains pages for creating and modifying GSS network
resources such as GSSs, locations, regions, and owners. You can also modify
global keepalive properties from the Resources tab.
• Monitoring Tab—Contains pages for monitoring the performance of content
routing on your GSS network, such as displays of hit counts organized by
source address, domain, answer method, or DNS rule.
• Tools Tab—Contains pages for performing the administrative functions for
the GSS network, such as creating login accounts, managing account
passwords, and viewing system logs.
Within each of these major functional areas, you access specific pages by
choosing them from navigation links in the upper left-hand corner of the primary
GSSM GUI. The navigation link varies according to the selected tab. Navigation
links are present on all GUI pages.
Once you have selected a page, information on your GSS related to that feature is
further organized into two areas: list pages and details page, which are described
in the sections that follow.
List Pages
List pages appear throughout the primary GSSM GUI to provide you with a
feature-specific overview. For example, clicking the Answers tab (located on the
DNS Rules tab) displays the Answers list page showing all of the answers
currently configured on the listed GSS network.
List pages present data in tabular format, providing a detailed look at resources
available on your GSS network. List pages are also the location from which new
resources (for example, DNS rules or answer groups) are added to the GSS
network or existing resources modified.

1-38 OL-4327-01
List pages enable you to sort resources by any one of a number of properties that
are listed on the screen, quickly locating a particular resource by an identifying
characteristic such as name, owner, or type. You can sort information in ascending
or descending order by any column. To sort the information in a list page, click
the column header for the column containing the information by which you wish
to sort the list.
The GSS software temporarily retains information that you modify for a list page,
allowing you to navigate to any of the details pages associated with the active list
page while retaining the list page settings. The sort field, sort order, and rows per
page are temporarily stored in memory for the active list page. Once you navigate
to another list page the GSS software discards the modifications for the previous
list page.
Figure 1-6 shows an example of a primary GSSM Answers list page.
Figure 1-6 Answers List Page

OL-4327-01 1-39
Details Pages
Details pages appear throughout the primary GSS GUI to provide specific
configuration information for a specific GSS function, enabling you to create or
to modify those properties.
For example, in Figure 1-6, clicking the Answers navigation link displays the
Answers list page. Adjacent to each answer is an icon depicting a pad and pencil,
called the Modify icon. Clicking the Modify icon displays the details page for that
answer (Figure 1-7), allowing you to modify the properties of an answer or
deleting the answer.
Figure 1-7 Modifying Answer Details Page

1-40 OL-4327-01
Navigation
Although the primary GSSM graphical user interface is viewed as a series of web
pages using a standard browser, navigating among pages is not the same as
moving around different websites, or even within a single site. Instead, you
navigate from one content area of the primary GSSM GUI using the tabs for each
of the major funational areas: DNS Rules, Resources, Monitoring, and Tools.
Online Help is located as a navigation link at the top of each page.
Once within a major content area, you access a particular feature or move between
features using the navigation links. Choosing a feature from the navigation links
immediately transfers you to that page in the graphical user interface. To move
back from a details page to the corresponding list page, click another navigation
link, or click either the Submit or Cancel buttons from the details page.
For example, to return to the Global Site Selectors list page after viewing the
details for one of your GSSs, click a different navigation link (or click the Cancel
button). If you made configuration changes to a GSS that you wish to retain, click
the Submit button. Any of these actions returns you to the Global Site Selectors
list page.
Note Do not use your web browser Back or Forward buttons to move between pages in
the primary GSSM GUI. Clicking Back cancels any unsaved changes in the
primary GSSM.
Primary GSSM GUI Icons and Symbols

Table 1-3 lists and explains some common icons and graphical symbols in the
primary GSSM graphical user interface. These icons are referenced throughout
this guide in explaining how to use the features of the primary GSSM GUI.

OL-4327-01 1-41
Table 1-3 GSSM GUI Icons and Symbols
Icon or Symbol Purpose Location

Modify icon. Opens the associated List pages
item for editing in a details page,
displaying configuration settings
on the details page.
Sort icon. Indicates that the items List pages
listed in a list table are sorted in
descending order according to the
property listed in this column.
Create icon/Open DNS Rules List pages
Builder icon. Opens the associated
details page to accept user input
for configuration.
Print icon. When you view GSS List pages and Detail
resources or monitor GSS network pages
activity, clicking Print allows you
to print data displayed in the page
using your local or network printer
Export to CSV icon. When you List pages
view GSS resources or monitor
GSS network activity, clicking
Export allows you to save data
displayed in the window to a
comma-delimited flat file for use
in other applications.
Refresh icon. When you view GSS List pages
resources or monitor GSS network
activity, clicking Refresh forces
the GSSM window to update its
content.
Run Wizard icon. Opens the DNS Rules list page
associated DNS rule for editing
using the DNS Rules Wizard.

1-42 OL-4327-01
Table 1-3 GSSM GUI Icons and Symbols (continued)

Filter DNS Rule List icon. DNS Rules list page
Provides filters that can be applied
to your DNS rules, allowing you to
view only those rules that have the
properties you are interested in.
Show All DNS Rules icon. DNS Rules list page
Removes all filters, displaying a
complete list of DNS rules for your
GSS.
* Asterisk. Required field. Indicates Details pages
that a value is required in the
adjacent field before the item can
be successfully saved.
Submit icon. Saves the Detail pages
configuration information. When
editing specific GSS system or
device configuration information,
clicking Submit returns you to the
associated list screen.
Cancel icon. Cancels any Detail pages
configuration changes that were
entered. When editing specific
GSS system and device
configuration information,
clicking Cancel returns you to the
associated list screen.

OL-4327-01 1-43

Delete icon. When you view Detail pages
configuration information for GSS
resources, clicking Delete allows
you to delete the resource from the
GSS network.
Note Deletions of any kind
cannot be undone in the
primary GSSM GUI. If you
might want to use the
deleted data at a later point
in time, we recommend
performing a database
backup of your GSSM.
Refer to Chapter 9, GSS
Administration and
Troubleshooting for
details.
Next icon. Moves forward to the DNS Rules wizard
next page in the DNS Rules
Wizard. Alternatively, use the
links under the Wizard Contents
table of contents to jump back and
forth to any step in the wizard.
Back icon. Moves backwards to DNS Rules wizard
the previous page in the DNS
Rules Wizard. Alternatively, use
the links under the Wizard
Contents table of contents to jump
back and forth to any step in the
wizard.

1-44 OL-4327-01

Finish icon. Saves changes to the DNS Rules wizard
DNS rule. You return to the DNS
Rules list page.
Activate Answer icon. Reactivates Modifying Answer,

a single suspended answer, all Modifying Owner, and
suspended answers associated with Modifying Location
an owner, or all suspended answers detail page
associated with a location.
Suspend Answer icon. Modifying Answer,
Temporarily stops the GSS from Modifying Owner, and
using a single answer, all answers Modifying Location
in all groups for an owner, or all detail page
answers in a location.
Activate DNS Rule icon. Modify DNS Rules
Reactivates a single suspended and Modifying Owner
DNS Rule or all suspended DNS detail pages
Rules associated with an Owner.
Suspend DNS Rules icon. Stop Modify DNS Rules
requests from being processed by a and Modifying Owner
single DNS rule or all suspended detail pages
DNS rules associated with an
owner on your GSS.

OL-4327-01 1-45

Set Answers KAL ICMP icon. Modifying Shared
Disassociates all answers from a Keepalive details page
selected shared keepalive and sets
the keepalive type of each of those
answers to ICMP using the
answer’s own VIP.
Set Answers KAL None icon. Modifying Shared
Disassociates all answers from a Keepalive details page
selected shared keepalive and sets
the keepalive type of each of those
answers to none, meaning that the
GSS assumes they are always
alive.

1-46 OL-4327-01
Primary GSSM GUI Online Help

The Help navigation link in the upper right corner of each primary GSSM GUI
page launches the Online Help system (Figure 1-8), which contains information
on using that page as well as the features of the primary GSSM GUI. The Online
Help topic associated with the form displays in a separate child browser window.
Each page in the primary GSSM GUI has a context-sensitive online Help file
associated with it. These Help files (in HTML format) contain detailed
information related to the form you are using. Online Help also includes a series
of quick start procedures to assist you in navigating through the specific forms in
the user interface and performing specific configuration procedures (for example,
using the DNS Rules wizard to create a DNS rule).
Figure 1-8 GSSM Online Help

OL-4327-01 1-47
Where to Go Next
The GSS Online Help system contains several navigational aids to assist you in
finding the information you need quickly and easily. The navigation frame is
contained in the left frame of each Help topic. The navigation frame contains the
following three tabs:
• Contents–Displays all the topics in the GSSM Online Help system in a tiered
format. Help topics are grouped into logical books by function. Books of Help
topics may contain sub-books with additional topics. You can expand or
collapse the contents to suit your needs. Note that the contents also
automatically synchronizes with the Help topic you are currently viewing.
• Index–Displays a list of terms that allows you to look up topics based on
keywords similar to the index at the back of a book. If only one topic is
associated with the Index entry, that topic displays immediately when you
double-click the entry. If more than one topic is associated with an Index
entry, the Help system displays a Topics Found dialog box that allows you to
select the topic you want to display from a list of topics.
• Search–Provides a full-text search tool that allows you to display a list of
Help topics related to words you enter in the text box. You can then select a
topic and click Display to view that topic.
Where to Go Next
Chapter 2, Setting Up Your GSS describes the process of configuring the Global
Site Selector Series hardware to act as a Global Site Selector Manager (GSSM) or
Global Site Selector (GSS) device.

1-48 OL-4327-01
C H A P T E R 2
Setting Up Your GSS
This chapter describes how to configure your GSS devices to connect to your
network. This includes the initial network configuration of a GSS and the
configuration of a primary or as a standby GSSM. Network connectivity is
configured for each device using the GSS command-line interface (CLI).
• Accessing the GSS CLI
• Performing Network Configuration of the GSS
• Creating and Modifying GSS Devices
• Global Server Load-Balancing Summary
For detailed instructions on command syntax and use of GSS CLI commands,
refer to the Cisco Global Site Selector Command Reference.

OL-4327-01 2-1
Chapter 2 Setting Up Your GSS
Accessing the GSS CLI

You can access the GSS CLI by establishing a remote connection using Telnet or
Secure Shell (SSH) from a PC or by a direct connection to the device using a
dedicated terminal. If required for your SSH connection, you may also login to
the GSS using an externally generated private and public key pair.
This section contains the following procedures:
• Accessing the CLI Using a Direct Serial Connection
• Enabling Remote Access on a GSS Device
• Accessing the CLI Using a Remote Connection
• Accessing the GSS CLI Using a Private and Public Key Pair
Accessing the CLI Using a Direct Serial Connection

To access the GSS CLI using a serial connection, establish a direct serial
connection between your terminal and the GSS device. Once you are connected,
you can use any terminal communications application to access the CLI. The
following procedure uses HyperTerminal for Windows. For information on how
to establish a serial connection with your device, refer to the Cisco Global Site
Selector Hardware Installation Guide.
To access the GSS CLI using a direct serial connection:
1. Launch HyperTerminal. The Connection Description window appears.
2. Enter a name for your session in the Name field.
3. Click OK. The Connect To window appears.
4. From the drop-down list, choose the COM port to which the device is
connected.
5. Click OK. The Port Properties window appears.
6. Set the port properties as follows:
• Baud Rate = 9600
• Data Bits = 8
• Flow Control = none
• Parity = none
• Stop Bits = 1

2-2 OL-4327-01
7. Click OK to connect.
8. Press Enter to display the CLI prompt.
Once a session is created, choose Save As from the File menu to save the
connection description. Saving the connection description has the following two
advantages:
• The next time you launch HyperTerminal, the session is listed as an option
under Start > Programs > Accessories > HyperTerminal >
Name_of_session. This option lets you reach the CLI prompt directly
without going through the configuration steps.
• You can connect your cable to a different device without configuring a new
HyperTerminal session. If you use this option, make sure that you connect to
the same port on the new device as was configured in the saved
HyperTerminal session. Otherwise, a blank screen appears without a prompt.
Enabling Remote Access on a GSS Device

To monitor the performance of your GSS devices and administer them once they
are deployed, you must be able to access those devices. Accordingly, once you
have basic network connectivity on your GSS device you may want to use the CLI
to enable remote access to the device using the SSH, Telnet, or FTP protocols.
To enable SSH, Telnet, or FTP on your GSS device:
1. Enable privileged EXEC mode and then global configuration mode on the
device. For example:
localhost.localdomain> enable
localhost.localdomain# config
localhost.localdomain(config)#
2. From global configuration mode, use the enable command to activate the
remote access protocol you need (SSH, Telnet, or FTP). For example, to
enable SSH connections to the GSS device, you would enter the following
command:
localhost.localdomain(config)# ssh enable

OL-4327-01 2-3
3. Repeat step 2 for each required remote access protocol using the ftp
command and the telnet command.
Note To disable SSH, Telnet, or FTP, use the no form of the command.
4. Save your configuration changes to memory. For example:

localhost.localdomain(config)# copy running-config startup-config
5. Exit global configuration mode.

localhost.localdomain(config)# exit
localhost.localdomain#
Accessing the CLI Using a Remote Connection

To access the GSS CLI using a remote connection, use Telnet or Secure Shell
(SSH) from a PC. In a single Telnet or SSH session, you cannot connect to more
than one device. You can, however, have several Telnet or SSH sessions running
in parallel for different devices. Be sure you enable Telnet or SSH as described in
the “Enabling Remote Access on a GSS Device” section.
Note We recommend using SSH connections because SSH lets you communicate
securely over insecure channels and provides strong authentication.
You must have physical access to the GSS device to setup remote access by Telnet
or SSH connection. Refer to the Cisco Global Site Selector
Hardware Installation Guide for instructions on connecting a console cable to
your Cisco Global Site Selector series hardware.
To access the GSS CLI using your preferred SSH or Telnet client:
1. Enter the host name or IP address of the GSS device (Global Site Selector or
Global Site Selector Manager).
2. Specify your GSS administrative username and password to log on to the GSS
device.
Once you have logged on remotely, use the CLI commands described in this
document and in the Cisco Global Site Selector Command Reference.

2-4 OL-4327-01
Accessing the GSS CLI Using a Private and Public Key Pair
The GSS supports remote login to the device over an SSH session using private
and public key pairs for authentication. In this method of remote connection, you
use a generated private/public key pair to participate in a secure communication
by encrypting and decrypting messages. Use of a private and public key pair
bypasses the normal username and password authentication process. This remote
access method may be useful when running scripts that connect to the GSS
automatically.
You generate the private key and the corresponding public key as a key pair on a
server separate from the GSS and then copy the public key to the GSS /home
directory.
To access the GSS CLI using a private and public key pair:
1. Generate the SSH private key and the corresponding SSH public key as a key
pair on a server separate from the GSS. Refer to the documentation included
with the SSH software for details on generating the private and public key
pair.
2. Enable privileged EXEC mode. For example:
3. Use the scp command to securely copy the generated public key from the server
to the GSS /home directory. For example:
localhost.localdomain# scp myusername@1myhost:~/mykey.pub .
myusername@1myhost password:
mykey.pub 100% |*****************************| 241 00:00
4. Use the type command to append the public key to the

/home/.ssh/authorized_keys file. The /home/.ssh/authorized_keys file is a
special file that the GSS software looks for when authenticating
public/private keys. For example:
localhost.localdomain# cd .ssh
localhost.localdomain# type ../mykey.pub >> authorized_keys
5. Activate an SSH session from the remote host to the GSS using the private
key. For example, on most Unix systems you would enter the following
command line:
ssh -i private.key gss.cisco.com

OL-4327-01 2-5
Performing Network Configuration of the GSS

When setting up your GSS, log in directly to the CLI on the GSS device and
configure the following basic setup configuration functions for the device:
• Specify a hostname for the GSS device
• Configure Ethernet 0 and Ethernet 1
• Configure a default gateway
• Enter the IP addresses of the name servers (up to 8)
• Configure a remote access protocol (FTP, Telnet, or SSH) so you can
administer the GSS device remotely in the future.
Depending on your network requirements for the GSS device, make your
configuration of GSSM (primary and standby) and GSS based on the following
information:
• Primary GSSM—The primary GSSM performs content routing as well as
centralized management functions for the GSS network. The primary GSSM
serves as the organizing point of the GSS network, hosting the embedded GSS
database that contains configuration information for all your GSS resources,
such as individual GSSs and DNS rules. Other GSS devices report their status
to the primary GSSM. The primary GSSM offers a single, centralized GUI for
monitoring and administering your entire GSS network.
• Standby GSSM—The standby GSSM performs GSLB functions for the GSS
network even while operating in standby mode. In addition, the standby
GSSM can be configured to act as the GSSM should the primary GSSM need
to go offline for repair or maintenance, or becomes unavailable to
communicate with other GSS devices. As with the primary GSSM, the
standby GSSM is configured to run the GSSM GUI and contains a duplicate
copy of the embedded GSS database that is currently installed on the primary
GSSM. Any configuration or network changes affecting the GSS network are
synchronized between the primary and the standby GSSM. The standby
GSSM can be enabled as the primary GSSM using the gssm
standby-to-primary CLI command.

2-6 OL-4327-01
Note The switching of roles between the designated primary GSSM and the
standby GSSM is intended to be a temporary GSS network configuration
until the original primary GSSM is back online. Once the original primary
GSSM is available, reassign the two GSSMs to their original roles in the
GSS network as described in Chapter 9, GSS Administration and
Troubleshooting, the “Logically Removing a GSS or Standby GSSM from
the Network” section.
• GSS—The GSS performs routing of DNS queries based on DNS rules and
conditions configured using the primary GSSM. Each GSS is known to and
synchronized with the GSSM, but individual GSSs do not report their
presence or status to one another. Each GSS on your network delegates
authority to the GSSs that serve DNS requests. Each GSS is managed
separately using the Cisco CLI. GUI support is not available on a GSS device.
A typical GSS deployment may contain up to eight GSS devices on a corporate
intranet or the Internet. At least one GSS—and no more than two GSSs—must be
configured as GSSMs. The primary GSSM monitors the other GSS devices on the
network and offer features for managing and monitoring request routing services
using a GUI accessible through secure HTTP. Only one primary GSSM can be
“active” at any time, with the second GSSM serving as a “standby,” or backup
device.
Network configuration requires that you enter into privileged EXEC mode on the
CLI, so your login must have adequate permissions to do so.
After you enable your GSSM and GSS devices, use the primary GSSM to activate
each device on your network. See the “Creating and Modifying GSS Devices”
section for more information.
This section includes the following procedures:
• Configuring the GSS Using the Setup Script
• Configuring the GSS from the CLI
• Configuring a Primary GSSM or Standby GSSM
• Configuring a Global Site Selector
• Logging Into the Primary GSSM Graphical User Interface

OL-4327-01 2-7
Configuring the GSS Using the Setup Script

When you boot the Cisco Global Site Selector platform for the first time and the
system boots without a startup-configuration file, a setup script automatically
runs to quickly guide you through the process of initially configuring the GSS.
To configure the GSS from the setup script:
1. If you have not already done so, power on and boot the GSS (as described in
the Cisco Global Site Selector Hardware Installation Guide).
2. At the Do you want to continue? (y/n) [no]: prompt type y to continue (or
press Enter to accept the default of No and bypass running the setup script).
If you chose to bypass the setup script, you can either:
• Manually configure the GSS from the CLI as described in the
“Configuring the GSS from the CLI” section.
• Use the setup CLI command at a later point in time to configure basic
configuration information (as described in this procedure).
Note The setup command cannot be executed while the GSS is running. You
must issue the gss stop command before executing the setup command.
3. At the Hostname prompt, specify a qualified hostname for the GSS device.
For example:
Enter the Hostname of this device: gssm1.yourdomain.com
4. At the Interface eth0 and eth1 prompts, specify the IP address and subnet
mask for each interface to be used on the GSS device. For example:
* Interface eth1 (Inactive)
Do you want to change this? (y/n) [n]: y
Do you want to activate this interface? (y/n) [n]: y
Enter the IP address: 192.168.1.3
Enter the netmask: 255.255.255.0
Once you run the setup script there are additional configuration parameters
that you can specify for each Ethernet interface using the interface ethernet
CLI command (such as the autosense, duplex, and speed options). Refer to
the Cisco Global Site Selector Command Reference for detailed information
on the interface ethernet command.

2-8 OL-4327-01
5. At the default gateway prompt, enter gateway information for the GSS device.
For example:
Do you want to configure a default gateway? (y/n) [y]:
Enter the default gateway [10.86.208.1]: 10.89.12.100
6. At the Name Servers prompt, configure the domain name server or servers to
be used by the GSS device. You can enter individual addresses or specify up
to eight name servers in a list. Enter a dash ('-') at a blank entry to instruct the
GSS to stop requesting name servers. For example:
Enter the IP addresses for up to 8 Name Servers.
Enter a dash ('-') at a blank entry to stop entering Name Servers.
At least one Name Server is required for this setup script.
Enter Name Server 1 [161.44.124.122]: 168.10.12.1
Enter Name Server 2: 192.168.1.2
Enter Name Server 3: -
7. At the Remote Access prompt, activate the remote access protocol required
for the GSS device. For example:
* Remote Access
Do you want to enable FTP access? (y/n) [y]: n
Do you want to enable Telnet access? (y/n) [n]: y
Do you want to enable SSH access? (y/n) [y]: y
8. The setup script prompts you through a series of questions about configuring
the device as a GSSM (primary or standby) or as a GSS. Perform one of the
following actions:
– If you want to configure the device as the primary GSSM:
a. At the Do you want to configure this GSS as a Manager
(gssm)? (y/n) [y]: prompt type y (or press Enter).
b. At the Do you want to configure this GSSM as the Primary?
(y/n) [y]: prompt type y (or press Enter).
– If you want to configure the device as the standby GSSM:
(gssm)? (y/n) [y]: prompt type y (or press Enter).
b. At the Do you want to configure this GSSM as the Primary?
(y/n) [y]: prompt type n.
c. At the Enter the Hostname or IP address of the Primary GSSM
[192.168.3.4]:prompt specify the hostname or IP address of the
primary GSSM for your network.

OL-4327-01 2-9
– If you want to configure the device as a GSS:

(gssm)? (y/n) [y]: prompt type n.
b. At the Enter the Hostname or IP address of the Primary GSSM
[192.168.3.4]:prompt specify the hostname or IP address of the
primary GSSM for your network.
9. When completed, the software prompts you to perform one of the following:
– Apply as the Running Configuration—Applies setup configuration
changes to the running-configuration file.
– Edit This Configuration—Return to the beginning of setup and edit
specific configuration information.
– Discard Configuration and Quit Setup—Cancel making initial
configuration changes.
Once configuration setup is complete, the GSS software prompts you to log into
the primary GSSM GUI and finish device setup (as described in the “Logging Into
the Primary GSSM Graphical User Interface” section).
Configuring the GSS from the CLI

To configure the GSS from the CLI:
1. If you have not already done so, power on and boot the GSS (as described in
the Cisco Global Site Selector Hardware Installation Guide).
2. Log on to the CLI, following the instructions in “Accessing the GSS CLI”.
The GSS CLI prompt appears.
By default, the hostname for GSS devices is localhost.localdomain. This
name changes once you configure the hostname for the device.

2-10 OL-4327-01
4. Configure a qualified hostname and default gateway information for the GSS
Host(config)# hostname gssm1.yourdomain.com
gssm1.yourdomain.com(config)# ip default-gateway 10.89.12.100
5. From global configuration mode, enter interface configuration mode and

configure the attributes of GSS interface Ethernet 0 or Ethernet 1. Each GSS
device contains two Ethernet interfaces, 0 and 1. For example:
gssm1.yourdomain.com(config)# interface ethernet 0
gssm1.yourdomain.com(config-eth0)# speed 100
gssm1.yourdomain.com(config-eth0)# duplex full
Refer to the Cisco Global Site Selector Command Reference for detailed
information on the interface ethernet command.
Note Interface commands cannot be executed while the GSS is running (for
example, serving DNS requests). You must issue the gss stop command
before executing the interface ethernet command.
6. Use the gss-communications command to configure a GSS Ethernet

interface as the designated network interface for GSS device
communications. For example:
gssm1.yourdomain.com(config-eth0)# gss-communications
Note Interface commands cannot be executed while the GSS is running (for
example, serving DNS requests). You must issue the gss stop command
before executing the gss-communications command.
7. Configure the IP address and subnet mask that are to be used by the interface.
For example:
gssm1.yourdomain.com(config-eth0)# ip address 10.89.3.24
255.255.255.0
gssm1.yourdomain.com(config-eth0)# exit
gssm1.yourdomain.com(config)#

OL-4327-01 2-11
8. Configure the domain name server or servers to be used by the GSS device.
You can enter individual addresses or specify up to eight name servers using
a comma-separated or space-separated list. For example:
gss1.yourdomain.com(config)# ip name-server 128.10.12.1
gss1.yourdomain.com(config)# ip name-server 128.100.12.1,
128.110.12.1

gssm1.yourdomain.com(config)# copy running-config startup-config
The next step is to configure the device as either a GSSM (primary or standby) or
as a GSS:
• If configuring the device as a GSSM (primary or standby), proceed to the
“Configuring a Primary GSSM or Standby GSSM” section.
• If configuring the device as a GSS, proceed to the “Configuring a Global Site
Selector” section.
Configuring a Primary GSSM or Standby GSSM

Before you begin configuring request routing or adding GSSs to your GSS
network, you must first configure a primary GSSM with which the individual
GSSs will be associated.
When configuring a GSSM, you need to configure both the network connectivity
of the GSSM as well as the embedded GSS database that resides on the GSSM and
holds GSS device and network configuration information. You must also indicate
whether the GSSM serves as the primary or redundant (standby) manager.
To configure a GSS device to function as either a primary GSSM or a standby
GSSM:
1. If you have not already done so:
a. Log on to the CLI (see the “Accessing the GSS CLI” section).
b. At the CLI prompt, enable privileged EXEC mode and then global
configuration mode on the device. For example:

2-12 OL-4327-01
c. Ensure the GSS is properly configured (see either the “Configuring the
GSS Using the Setup Script” section or the “Configuring the GSS from
the CLI” section).
2. Perform one of the following steps:
– If this GSSM is to be the primary (default) routing manager for your GSS
network, use the gss enable gssm-primary command to enable your
GSS device and make it the primary GSSM. For example:
gssm1.yourdomain.com# gss enable gssm-primary
Note If a database already exists on this GSS device an error message appears.
Use the gss disable command to disable the selected GSS device and
remove any existing configuration, including deleting the GSSM database
from the GSS device. This option returns the GSS device to the initial,
disabled state.
– If this GSSM is to be a standby (backup) GSSM for your GSS, use the
gss enable gssm-standby command to place the GSSM in standby mode
and associate it with the DNS name or IP address of the primary GSSM.
The standby GSSM is intended to be a backup device to be used on a
temporary basis until the primary GSSM can come back online. For
example:
gssm1.yourdomain.com# gss enable gssm-standby 192.168.1.110
Note You must have a primary GSSM configured and enabled before you
can enable a standby GSSM.

gssm1.yourdomain.com# copy running-config startup-config
If you fail to save your configuration changes, the GSS device reverts to its
previous settings upon a reboot.

OL-4327-01 2-13
For the primary GSSM, you can now access the GUI using your preferred web
browser by pointing that browser to the URL of the primary GSSM. See the
“Logging Into the Primary GSSM Graphical User Interface” section for details.
After enabling the primary GSSM GUI, you can use it to activate each GSS device
on your network. See the “Creating and Modifying GSS Devices” section.
If, at a later point, you need to move the primary GSSM or you want to take it
offline for repair or maintenance, the standby GSSM is capable of temporarily
taking over the role as the primary GSSM until the original primary GSSM is back
online. Once the original primary GSSM is available, reassign the two GSSMs to
their original roles in the GSS network. Refer to Chapter 9, GSS Administration
and Troubleshooting, the “Logically Removing a GSS or Standby GSSM from the
Network” section.
Configuring a Global Site Selector

You must configure and enable your primary GSSM before you can configure
additional GSS devices. If you have not already done so, see the “Configuring a
Primary GSSM or Standby GSSM” section for information on configuring and
enabling your primary and optional standby GSSMs.
To configure a device to function as a GSS:
1. If you have not already done so:
a. Log on to the CLI (see the “Accessing the GSS CLI” section).
b. At the CLI prompt, enable privileged EXEC mode and then global
c. Ensure the GSS is properly configured (see either the “Configuring the
GSS Using the Setup Script” section or the “Configuring the GSS from
the CLI” section).
d. Enable a remote access protocol on the GSS device (such as Telnet or
SSH). See the“Enabling Remote Access on a GSS Device” section.

2-14 OL-4327-01
2. Exit global configuration mode and then use the gss command to enable your
GSS device as a GSS and direct it to the primary GSSM in your GSS network.
Specify either the domain name or the network address of the primary GSSM.
For example:
gss1.yourdomain.com(config)# exit
gss1.yourdomain.com# gss enable gss gssm1.yourdomain.com

gss1.yourdomain.com# copy running-config startup-config
If you fail to save your configuration changes, the device reverts to its
previous settings upon a reboot.
4. Use the primary GSSM to activate each GSS device on your network. See the
“Creating and Modifying GSS Devices” section.
Logging Into the Primary GSSM Graphical User Interface

After you configure and enable your primary GSSM, you are ready to access the
GUI. The GSSM uses secure HTTP (HTTPS) to communicate with web clients.
For example, if your primary GSSM is named gssm1.yourdomain.com, enter the
following to display the primary GSSM logon dialog box and access the GUI:
https://gssm1.yourdomain.com
When first logging on to the primary GSSM GUI, you can use the system default
administrative account and password. After accessing the GUI, create and
maintain additional user accounts and passwords using the user administration
features primary GSSM. Refer to Chapter 9, GSS Administration and
Troubleshooting for more information on creating user accounts.
Note The user accounts and passwords that you create for the primary GSSM GUI are
maintained separately from the usernames and passwords used to log on to your
GSS devices using the CLI (using the username command).
To log on to the primary GSSM GUI:

1. Open your preferred Internet web browser application, such as Internet
Explorer or Netscape Navigator.

OL-4327-01 2-15
2. In the address field, enter the secure HTTP address of your GSSM. For
example:
https://gssm1.yourdomain.com
Note If you have trouble locating the primary GSSM DNS name, remember
that the GSS network uses secure connections, so the address of the
GSSM will feature https:// (secure HTTP) in the place of the more
common http://.
3. If prompted to accept a certificate from the primary GSSM, click Yes to

accept the certificate signed by Cisco Systems and proceed to the GUI.
– If you are using Internet Explorer and want to install the certificate, at the
Security Alert dialog box click View Certificate, and then choose the
Install Certificate option and follow the prompts of the Certificate
Manager Import Wizard.
– If you are using Netscape and you want to install the certificate, at the
New Site Certificate dialog box click Next and follow the prompts of the
New Site Certificate Wizard.
Note Take the extra steps to trust certificates from Cisco Systems, Inc., which
prevents you from having to approve a certificate every time you log on
to a GSSM. Refer to the online help for your browser for instructions on
trusting certificates from a particular owner or website.
4. When prompted to log on to the primary GSSM, enter your username and
password in the fields provided, then click OK. If this is your first time
logging on to the GSSM, use the default account name and password to access
the GUI as follows:
– Username—admin
– Password—default
5. The GSSM Welcome page appears (Figure 2-1). Refer to Chapter 1,
Introducing the Global Site Selector, the “Understanding the Primary GSSM
Graphical User Interface” section for information on navigating through the
primary GSSM GUI.

2-16 OL-4327-01
Figure 2-1 Primary GSSM Welcome Window

OL-4327-01 2-17
Creating and Modifying GSS Devices

A first step in configuring global server load balancing on your GSS network is
to activate and configure your GSS devices. Using the Global Site Selectors tab
of the primary GSSM GUI, you activate GSS devices (GSSs and standby GSSMs)
that have been added to your GSS network, name the GSS devices, and, if
necessary, delete those devices from the GSS network.
• Activating GSS Devices
• Modifying GSS Device Configuration
• Deleting GSS Devices
Activating GSS Devices

After you have configured your GSS devices to act as GSSs or GSSMs, you must
activate those devices from the primary GSSM GUI before they receive and
process user requests. The one exception to this rule is the primary GSSM, which
does not need to be activated after initial configuration.
To activate a GSS or a standby GSSM from the primary GSSM GUI:
1. From the primary GSSM GUI, click the Resources tab.

2-18 OL-4327-01
2. Click the Global Site Selectors navigation link. The Global Site Selectors list
page appears (Figure 2-2). All active devices are listed with an Online status.
The devices you need to activate are listed with an Inactive status.
Figure 2-2 Global Site Selectors List Page - Inactive Status

OL-4327-01 2-19
3. Click the Modify GSS icon for the first GSS that you wish to activate. The
Modifying GSS details page appears (Figure 2-3).
Figure 2-3 Modifying GSS Details Page
4. Check the Activate check box. (This check box does not appear in the
Modifying GSS details page after a GSS device has been activated.)
5. Click the Submit button. You return to the Global Site Selector list page. The
status of the device that you activated is listed as Online. Assuming that the
device is functioning properly and that network connectivity between the
device and the primary GSSM is good, the status of the device changes to
Online within approximately 30 seconds.

2-20 OL-4327-01
Figure 2-4 Global Site Selectors List Page - Active Status
6. Repeat Steps 1 through 5 for each inactive GSS or standby GSSM that you
need to activate.
Modifying GSS Device Configuration

You can modify the name and location of any of your GSS devices using the
primary GSSM GUI. To modify other network information such as the hostname,
IP address, or role, however, you must access the CLI on the device.
To modify the name and location of a GSS device:
page appears (see Figure 2-2). All active devices are listed with an online
status. The devices you need to activate are listed with an inactive status.

OL-4327-01 2-21
3. Click the Modify GSS icon for the first GSS that you wish to activate. The
Modifying GSS details page appears (see Figure 2-3).
4. In the Global Site Selector Name field, enter a new name for the device. This
is not the same name as the hostname, which can only be changed using the
CLI. It is used to easily distinguish one GSS device from another in the
primary GSSM list pages, where many devices may appear together.
5. From the Location drop-down list, select a new device location.
6. Click Submit to save your changes. You return to the Global Site Selector list
page.
Deleting GSS Devices

With the exception of the primary GSSM, you can delete GSS devices from your
network using the primary GSSM GUI. Deleting a GSS device such as a GSS or
a standby GSSM allows you to remove nonfunctioning GSS devices from your
network, or to reconfigure and then reactivate a device.
To delete a GSS device:
page appears.
3. From the Global Site Selectors list, click the Modify GSS icon located to the
left of the GSS device you want to delete. The Modifying GSS details page
appears.
4. Click the Delete icon in the upper right corner of the page. The GSS software
prompts you to confirm your decision to delete the GSS device.
5. Click OK to confirm your decision. You return to the Global Site Selectors
list page with the deleted device removed from the list.
6. To reconfigure the GSS device, refer to either the “Configuring a Primary
GSSM or Standby GSSM” section or the “Configuring a Global Site
Selector” section.

2-22 OL-4327-01
Global Server Load-Balancing Summary
Global Server Load-Balancing Summary

Once you have created your GSSM (primary and standby) and GSS devices and
configured them to connect to your network, you are ready to begin configuring
request routing and global server load balancing on your GSS network. Global
server load balancing on your GSS network is managed through the centralized
GUI on the primary GSSM. Using this interface, you can identify your network
resources (GSSs) through the use of keepalives and create the DNS rules to
process incoming content requests.
Because you will be creating DNS rules that route incoming DNS requests to the
most available data centers and resources on your network, you must configure
the elements that constitute your DNS rules before creating the rules themselves
Use the following order when configuring your GSS devices and resources from
the primary GSSM:
1. Create regions, locations, and owners—Optional. Use these groupings to
organize your GSS network resources by customer account, physical
location, owner, or other organizing principle. Refer to Chapter 3,
Configuring Resources for details.
2. Create one or more source address lists—Optional. Use these lists of
addresses to identify the name servers (D-proxy) that forward requests for the
specified domains. The default source address list is Anywhere to match any
incoming DNS request to the domains. Refer to Chapter 4, Configuring
Source Address Lists for details.
3. Create one or more domain lists—Establish lists of Internet domains,
possibly using wildcards, that are managed by the GSS and queried by users.
Refer to Chapter 5, Configuring Domain Lists for details.
4. Modify the default global keepalive settings or create any shared
keepalives—Optional. These are GSS network resources that are regularly
polled to monitor the online status of one or more GSS resources linked to the
keepalive. Shared keepalives are required for any answer that uses the
KAL-AP keepalive type. Refer to Chapter 6, Configuring KeepAlives for
details.
5. Create one or more answers—Answers are resources that match requests to
domains. Refer to Chapter 7, Configuring Answers and Answer Groups for
details.

OL-4327-01 2-23
Where to Go Next
6. Create one or more answer groups—Answer groups are collections of

resources that balance requests for content. Refer to Chapter 7, Configuring
Answers and Answer Groups for details.
7. Build your DNS rules—Processes incoming DNS requests using the DNS
Rule Builder or DNS Rule Wizard. Refer to Chapter 8, Building and
Modifying DNS Rules for details.
Because of the complexity of DNS rules, the primary GSSM GUI provides you
with a choice of two methods for creating a DNS rule:
• DNS Rule Wizard—An easy-to-use tool that guides you through the process
of creating a DNS rule.
• DNS Rule Builder—If you are an experienced GSS user, you can use the
DNS Rule Builder to quickly assemble DNS rules from source address lists,
domain lists, owners, and answers that you have already created.
Where to Go Next
Chapter 3, Configuring Resources, includes instructions on organizing resources
on your GSS network as locations, regions, and owners.

2-24 OL-4327-01
C H A P T E R 3
Configuring Resources
This chapter describes what you need to establish global server load-balancing
resources. Before you configure request routing, make sure that you have
configured your hardware devices as described in Chapter 2, Setting Up Your
GSS. You must have a primary GSSM configured and enabled before you can
configure request routing and server load balancing on the GSS network. Ideally,
you have a standby GSSM configured as well.
If you will be deploying GSSs in addition to your primary GSSM and standby
GSSM, these devices will identify themselves to the primary GSSM and appear
on the GSSM GUI when you access the Resources tab and click the Global Site
Selectors navigation link.
• Organizing Your GSS Network
• Creating and Modifying Locations and Regions
• Creating and Modifying Owners
• Grouping GSS Resources by Location, Region, and Owner

OL-4327-01 3-1
Chapter 3 Configuring Resources
Organizing Your GSS Network
Organizing Your GSS Network

The primary GSSM provides you with a number of tools that allow you to group
and organize resources on your GSS network. These include:
• Locations—Logical groupings for GSS resources that correspond to
geographical entities such as a city, data center, or content site
• Regions—Higher-level geographical groupings that contain one or more
locations
• Owners—Groupings that correspond to business or organizational
relationships; for example, customers, internal departments, and IT personnel
Keep in mind that it is not a requirement that regions and locations correspond to
actual geographical sites. They are simply organizing concepts that allow you to
group GSS resources and exist in a one (region) to many (locations) relationship.
In addition to providing an organizational scheme for your GSS network,
locations can also be used for bulk management of GSS resources, such as
answers. Answers can be grouped and managed according to a GSS location that
has been established and with which answers have been associated. Using a
location to manage your answers makes it easier for you to quickly suspend or
activate answers in a particular area of your network, for example, shutting down
one or more data centers for the purposes of software upgrades or regular
maintenance. Refer to Chapter 7, Configuring Answers and Answer Groups, for
more information.

3-2 OL-4327-01
Creating and Modifying Locations and Regions

The process for creating and maintaining locations and regions is essentially
identical, except that in addition to their other configuration information,
locations are associated with regions in a many-to-one relationship. Use the
following procedures to set up regions and locations on your GSS network.
Note We recommend that you create regions before you create locations.

• Creating Regions
• Creating Locations
• Modifying Regions
• Modifying Locations
• Deleting Locations and Regions
Creating Regions
To create a region:
2. Click the Regions navigation link. The Regions list page appears
(Figure 3-1).

OL-4327-01 3-3
Figure 3-1 Regions List Page
3. Click the Create Regions icon. The Creating New Region details page
appears (Figure 3-2).

3-4 OL-4327-01
Figure 3-2 Creating New Region Details Page
4. In the Name field, enter the name for your new region.
5. In the Comments field, enter descriptive information or important notes
regarding the new region.
6. Click Submit to save changes to your new region. You return to the Region
list page. Your new region appears in the list and can be used to help you
organize other GSS resources.

OL-4327-01 3-5
Creating Locations
To create a location:
2. Click the Locations navigation link. The Locations list page appears
(Figure 3-3).
Figure 3-3 Locations List Page
3. Click the Create Location icon. The Creating New Location details page

3-6 OL-4327-01
Figure 3-4 Creating New Location Details Page
4. In the Name field, enter the name for your new location.
5. Click the Region drop-down list and choose a region with which the location
will be associated. There should be a logical connection between region and
location.
6. In the Comments field, enter descriptive information or important notes
regarding the new region or location.
7. Click Submit to save your new location. You return to the Locations list page.
Your new location appears in the list and can be used to help you organize
other GSS resources.

OL-4327-01 3-7
Modifying Regions
To modify a GSS region:
2. Click the Regions navigation link. The Regions list page appears.
3. From the Regions list, click the Modify Region icon located to the left of the
list you want to modify. The Modifying Region details page appears
(Figure 3-5).
Figure 3-5 Modifying Region Details Page
4. In the Name field, change the name of the region, if desired.

5. In the Comments field, enter or modify the descriptive information or notes
regarding the region.

3-8 OL-4327-01
6. Click Submit to save the changes to your region. You return to the Regions
list page.
Modifying Locations
To modify a GSS location:
2. Click the Locations navigation link. The Locations list page appears.
3. From the Locations list, click the Modify Location icon located to the left of
the list you want to modify. The Modifying Location details page appears
(Figure 3-6).
Figure 3-6 Modifying Location Details Page

OL-4327-01 3-9
4. In the Name field, change the name of the location, if desired.

5. If wish to move the location to a new region, click the Region drop-down list
and select a new region with which the location will be associated.
regarding the location.
7. Click Submit to save the changes to your location. You return to the
Locations list page.
Deleting Locations and Regions

Before deleting a region or location, be sure that you know what dependencies are
associated with a resource. For example, regions that have locations associated
with them cannot be deleted. In addition, answers associated with locations that
are deleted are automatically associated with the “Unspecified” location.
Caution Deletions of any kind cannot be undone in the primary GSSM. If you might want
to use the deleted data at a later point in time, we recommend performing a
database backup of your primary GSSM. Refer to Chapter 9, GSS Administration
and Troubleshooting for details.
To delete regions and locations:

2. Click either the Locations or Regions navigation link, depending on what
type of resource you intend to delete. The list page appears.
3. Click the Modify icon for the location or region that you want to delete. The
details page appears, displaying configuration information for that resource.
prompts you to confirm your decision to delete the Region or Location.
5. Click OK. You return to the list page with the Region or Location removed.
If an error appears informing you that a GSS resource is still linked to the region
or location you want to delete, disassociate that resource and then attempt to
delete the grouping again.

3-10 OL-4327-01
Creating and Modifying Owners

Owners are logical groupings for GSS network resources that correspond to
business or organizational structures. For example, an owner might be a hosting
customer, an internal department such as human resources, or an IT staff resource.
Owners are created and managed separately from either GSS or GSSM logins, and
there is no necessary connection between the two. As with locations, owner
designations can be used for bulk management of GSS resources. Using a GSS
owner to manage your answer groups makes it easier for you to quickly suspend
or activate related answers.
For information on using owners to manage your GSS network, see the following
chapters and sections:
• Chapter 7, Configuring Answers and Answer Groups, the Suspending or
Reactivating All Answers in an Answer Group Associated with an Owner
section
• Chapter 8, Building and Modifying DNS Rules, the Suspending or
Reactivating All DNS Rules Belonging to an Owner section
Creating Owners
To create an owner:
2. Click the Owners navigation link. The Owners list page appears displaying a
list of all configured owners on your GSS network and providing an overview
of the resources assigned to each owner (Figure 3-7).

OL-4327-01 3-11
Figure 3-7 Owners List Page
3. Click the Create Owner icon. The Creating New Owner details page appears
(Figure 3-8).

3-12 OL-4327-01
Figure 3-8 Creating New Owner Details Page
4. In the Name field, enter the contact name for your new Owner.
5. In the Comments field, enter other descriptive or contact information for the
new owner.
6. Click Submit to save the new Owner. You return to the Owners list page.
Your new owner is listed and can now be used to help you organize other GSS
resources.

OL-4327-01 3-13
Modifying Owners
To modify an owner:
2. Click the Owners navigation link. The Owners list page appears.
3. From the Owners list, click the Modify Owner icon located to the left of the
list you want to modify. The Modifying Owner details page appears
(Figure 3-9).
Figure 3-9 Modifying Owner Details Page
4. In the Name field, enter a new name for your new owner, if desired.

3-14 OL-4327-01

regarding the owner.
6. Click Submit to save the changes to the owner. You return to the Owners list
page.
Deleting Owners
Before you attempt to delete an owner, be sure that you know what dependencies
that resource has. For example, answer groups, DNS rules, and domain lists
associated with an owner will, if that owner is deleted, automatically be
associated with the “System” owner account.
database backup of your GSSM. Refer to Chapter 9, GSS Administration and
Troubleshooting for details.
To delete an owner:
2. Click the Owners navigation link. The Owners list page appears.
3. From the Owners list, click the Modify Owner icon located to the left of the
list you want to delete. The Modifying Owner details page appears.
prompts you to confirm your decision to delete the owner.
5. Click OK. You return to the Owners list screen with the owner removed.

OL-4327-01 3-15
Grouping GSS Resources by Location, Region, and Owner
Grouping GSS Resources by Location, Region, and

Owner
After you create your locations, regions, and owners, you can begin to use these
tools to help organize your GSS resources. To associate a particular resource with
a location, region, or owner, edit the properties of that resource and then choose
the location, region, or owner from the drop-down list provided. Table 3-1
indicates which GSS resources can be grouped by locations, regions, and owners.
Table 3-1 GSS Network Groupings
GSS Network Resource Grouped By Grouped Using

GSS Location Global Site Selector details page
Locations Region Locations details page
Region — —
Owner — —
DNS rules Owner DNS Rule Builder
DNS Rule Wizard
Source address lists Owner Source Address Lists details page
Domain lists Owner Domain Lists details page
Answer group Owner Answer Group details page
Answer Location Answer details page
Where to Go Next
Chapter 4, Configuring Source Address Lists describes the creation of source
address lists, collections of IP addresses or address blocks for known client DNS
proxies (or D-proxies).

3-16 OL-4327-01
C H A P T E R 4
Configuring Source Address Lists
The next step in configuring DNS request handling on your GSS network is to
define the addresses from which requests are sent to the GSS. This is
accomplished through the creation of source address lists, collections of IP
addresses or address blocks for known client DNS proxies (or D-proxies).
Note The deployment of source address lists is an optional process. A default source
address list, named Anywhere, is supplied with the GSS software and matches any
request for a domain.
Using the source address lists feature, you can enter one or more IP addresses, up
to 30 addresses for each list, representing DNS proxies from which requests
originate. Each GSS supports up to 60 source address lists.
In addition to adding individual addresses, the primary GSSM also allows you to
enter IP address blocks conforming to the classless interdomain routing (CIDR)
IP addressing scheme.
• Creating Source Address Lists
• Modifying Source Address Lists
• Deleting Source Address Lists

OL-4327-01 4-1
Chapter 4 Configuring Source Address Lists
Creating Source Address Lists

To configure a source address list:
1. From the primary GSSM GUI, click the DNS Rules tab.
2. Click the Source Address Lists navigation link. The Source Address Lists
list page appears (Figure 4-1).
Figure 4-1 Source Address Lists List Page
3. Click the Create Source Address List icon. The Creating New Source
Address List details page appears (Figure 4-2).

4-2 OL-4327-01
Figure 4-2 Creating New Source Address List - General Configuration
4. In the General Configuration details page (General Configuration

navigation link), perform the following:
a. In the Name field, enter a name for the new Source Address List. Source
Address List names cannot contain spaces.
b. From the Owner drop-down list, select the GSS network resource with
which the Source Address List is associated. The owner may be a hosting
customer, an internal department such as human resources, or an IT staff
resource.
c. In the Comments text area, enter any comments for the new Source
Address List.
5. Click the Add Address navigation link to access the Add Addresses section
of the page. Add new addresses or address blocks to your list of source
addresses (Figure 4-3).

OL-4327-01 4-3
Figure 4-3 Creating New Source Address List - Add Addresses
6. In the Add Addresses section of the page, perform the following:

a. Enter the IP addresses, or CIDR address blocks. If you are entering
multiple addresses, separate each one with a semicolon. You can enter up
to 30 addresses for each list. You use this interface to add new addresses
or address blocks to your list of source addresses. For example:
192.168.100.0/24; 10.89.0.0/16; 10.68.10.1
b. Click the Add button. The GSS software adds the addresses to the Source
Address List.
7. Click the General Configuration navigation link to view the address block
associated with the source address list. The addresses appear under the
Current Members section of the details page (Figure 4-4).

4-4 OL-4327-01
Modifying Source Address Lists
Figure 4-4 Creating Source Address List - Current Members List
8. When you are satisfied with your Source Address List, click the Submit
button to save your changes. You return to the Source Address Lists list page.
You can add or remove source addresses from the list at any time. See the
“Modifying Source Address Lists” section that follows.

To modify an existing source address list:
2. Click the Modify Source Address List icon located to the left of the Source
Address List you want to modify. The Modifying Source Address List details
page appears.

OL-4327-01 4-5

navigation link), use the fields provided to modify the name, comments, or
owner for the source address list (see Figure 4-2). Source address list names
cannot contain spaces.
4. To add more source addresses to the list, click the Add Addresses navigation
link. Use the field provided (see Figure 4-3) to enter the names of source
address lists you wish to add. Click the Add button to append the new source
address to the existing list.
5. To remove addresses from the Source Address List, click the Remove
Addresses navigation link. The Remove Addresses section of the page
appears (Figure 4-5). Click the check box accompanying each source address
you wish to remove from the list, then click the Remove Selected button to
remove the selected source addresses from the list.
Figure 4-5 Modifying Source Address List - Remove Addresses

4-6 OL-4327-01
Deleting Source Address Lists
6. Review your updated source address list under the Current Members section
of the details page (see Figure 4-4).
7. Click the Submit button to save your modified source address list. You return
to the Source Address List list page.
Deleting Source Address Lists

You cannot delete source address lists that are associated with an existing DNS
rule. Before proceeding with these instructions, first verify that none of your DNS
rules reference the source address list that you are deleting.
To delete a source address list from your GSS network:

2. Click the Source Address Lists navigation link. The Source Address Lists
list page appears.
3. Click the Modify Source Address List icon located to the left of the Source
Address List you want to remove. The Source Address Lists details page
appears.
4. Click the Delete Source Address List icon in the upper right corner of the
page (Figure 4-6). The GSS software prompts you to confirm your decision
to delete the Source Address List.
Note If an error appears informing you that the source address list is
referenced by an existing DNS rule, disassociate the source address
list from the DS rule and then attempt to delete the source address list
again.

OL-4327-01 4-7
Where to Go Next
Figure 4-6 Modifying Source Address List - Delete Icon
5. Click OK. You return to the Source Address Lists list page. The source
address list is removed from the list.
Where to Go Next
Chapter 5, Configuring Domain Lists, describes the creation of domain lists,
collections of domain names for Internet or intranet resources, sometimes referred
to as hosted domains, that are being requested by your users.

4-8 OL-4327-01
C H A P T E R 5
Configuring Domain Lists
This chapter describes how to create domain lists.

• Domain List Overview
• Creating Domain Lists
• Modifying Domain Lists
• Deleting Domain Lists
Domain List Overview

Domain lists are collections of domain names for Internet or intranet
resources, sometimes referred to as “hosted domains,” that are being
requested by your users.
Domain lists contain one or more domain names that point to content for which
the GSS is acting as the authoritative DNS server and for which you wish to use
the GSS technology to balance traffic and user requests. Using the domain lists
feature, you can enter complete domain names or any valid regular expression that
specifies a pattern by which the GSS can match incoming addresses. The GSS
supports POSIX 1003.2 extended regular expressions when matching wildcards.

OL-4327-01 5-1
Chapter 5 Configuring Domain Lists
Creating Domain Lists
For example, if you had three hosted domains—www.cisco.com,

support.cisco.com, and customer.cisco.com—for which the GSS was responsible,
you might want to enter only those domains in your domain list, as follows:
www.cisco.com; support.cisco.com; customer.cisco.com
However, if you had 20 or more possible domains for which the GSS was
responsible—www1.cisco.com, www2.cisco.com, and so on—manually entering
each address may be time-consuming. In such a situation, you could create a
wildcard expression that would cover all those domains, as follows:
.*\.cisco\.com
Any request for a hosted domain that matches the pattern is directed accordingly.
Each GSS can support a maximum of 2000 hosted domains and 2000 hosted
domain lists, with a maximum of 500 hosted domains supported for each domain
list.

To create a domain list:
2. Click the Domain Lists navigation link. The Domain Lists list page appears
(Figure 5-1).

5-2 OL-4327-01
Figure 5-1 Domain Lists Page
3. Click the Create Domain List icon. The Creating New Domain List details
page appears. (Figure 5-2.)

OL-4327-01 5-3
Figure 5-2 Creating New Domain List Details Page - General Configuration

a. In the Name field, enter a name for the new Domain List. Domain List
names cannot contain spaces.
b. From the Owner drop-down list, select the contact with whom the
Domain List will be associated.
c. In the Comments text area, enter any comments for the new Domain List.

5-4 OL-4327-01
5. Click the Add Domains navigation link to access the Add Domains section
of the page. Use this section to add new hosted domains to your list.
Figure 5-3 Creating New Domain List - Add Domains
6. In the text box provided, enter the names of any hosted domains that you want
to add to the domain list. Hosted domains may or may not correspond to
standard third-level domain names but cannot exceed 128 characters in
length. The following examples could be domain names configured on the
GSS:
cisco.com
www.cisco.com
www.support.cisco.com

OL-4327-01 5-5
Domain names that use wildcards are also supported by the GSS. You can
enter complete domain names or any regular expression that specifies a
pattern by which the GSS can match incoming addresses. For example:
.*\.cisco\.com
These should be the domain names of resources for which the GSS is acting
as the authoritative DNS server.
Domain names that do not use wildcards cannot exceed 128 characters. For
domain names with wildcards that are valid regular expressions, the GSS can
match strings up to 256 characters long.
If you are entering multiple domain names, separate each one with a
semicolon, for example:
www.cisco.com; support.cisco.com; cdn.cisco.com
7. Click the Add button. The domains you entered are added to the Domain List.
8. Click the General Configuration navigation link and view the domains list.
The domain names appear under the Current Members section of the details
page (Figure 5-4).
9. Click the Submit button to save your domain list changes.

5-6 OL-4327-01
Figure 5-4 Creating Domain List - Current Members List

OL-4327-01 5-7
Modifying Domain Lists

To modify an existing domain list:
(see Figure 5-1).
3. From the Domain Lists list, click the Modify Domain List icon located to the
left of the Domains List you want to modify. The Modifying Domain List
details page appears.
navigation link), use the fields provided to modify the name, comments, or
owner for the domain list (see Figure 5-2). Domain List names cannot contain
spaces.
5. To add more domains to the list, click the Add Domains navigation link. Use
the text box (see Figure 5-3) provided to enter the names of domains you wish
to add. Click the Add button to append the new domains to the existing list.
6. To remove domains from the domain list, click the Remove Domains
navigation link. The Remove Domains section of the page appears
(Figure 5-5). Click the check box accompanying each domain you wish to
remove from the list, then click the Remove Selected button. The deleted
domain lists have been removed from the page.

5-8 OL-4327-01
Figure 5-5 Modifying Domain List - Remove Domains
7. Review your updated domain lists under the Current Members section of the
details page (see Figure 5-4).
8. Click the Submit button to save your changes. You return to the Domain List
list page.

OL-4327-01 5-9
Deleting Domain Lists

You cannot delete domain lists that are associated with an existing DNS rule.
Before proceeding with these instructions, first verify that none of your DNS rules
reference the domain list that you are deleting.
To delete a domain list from your GSS network:

1. From the primary GSSM GUI, click the DNS Rules tab
listing existing Domain Lists.
3. Click the Modify Domain List icon located to the left of the Domain List you
want to remove. The Modifying Domain Lists details page appears
(Figure 5-5).

5-10 OL-4327-01
Figure 5-6 Modifying Domain List - Delete Icon
4. Click the Delete Domain List icon in the upper right corner of the page. The
GSS software prompts you to confirm your decision to delete the domain list.
Note If an error appears informing you that the domain list is referenced by a
DNS rule, disassociate the domain list from the DNS rule and then
attempt to delete the domain list again. Refer to Chapter 8, Building and
Modifying DNS Rules.
5. Click OK. You return to the Domain List list page. The domain list is
removed from the list.

OL-4327-01 5-11
Where to Go Next
Where to Go Next
Chapter 6, Configuring KeepAlives, describes the modification of global
keepalives and the creation of shared keepalives.

5-12 OL-4327-01
C H A P T E R 6
Configuring KeepAlives
A keepalive is a method by which the GSS periodically checks to see if a resource

associated with an answer is still active. All answers are validated by configured
keepalives as being either online or offline.
The GSS uses keepalives to collect and track information on everything from the
simple online status of VIPs to services and applications running on a server.
Depending on the type of answer being tracked, the GSS also monitors load and
connection information on SLBs that can be used to perform load-based
redirection.
• Modifying Global KeepAlive Properties
• Configuring and Modifying Shared VIP KeepAlives
Modifying Global KeepAlive Properties

The GSS includes a set of global keepalive properties that function as the default
or minimum values used by the GSS when no other keepalive values are specified.
You can modify your global keepalive properties for the GSS using the fields on
the Global KeepAlive Properties details page from the Resources tab. Changing a
global keepalive property and applying that change is immediate and it modifies
the default values of keepalives currently in use by the GSS. For example, if a VIP
answer uses a TCP keepalive with all of its associated defaults, and you change
the default port value from port 80 to port 23, port 23 automatically becomes the
default for the TCP keepalive.

OL-4327-01 6-1
Chapter 6 Configuring KeepAlives
Note Changing global keepalive properties is an optional process.
To modify the GSS keepalive properties:

2. Click the KeepAlive Properties navigation link. The Configure Global
KeepAlive Properties details page appears (Figure 6-1).
Figure 6-1 Configure Global KeepAlive Properties Details Page
3. Use the navigation links on the left side of the page to access the individual
GSS global keepalive details page and to modify the global properties of the
keepalive.

6-2 OL-4327-01
The following procedures describe how to modify the default properties for
the individual global keepalives.
– Global KeepAlive Configuration—ICMP
– Global KeepAlive Configuration—TCP
– Global KeepAlive Configuration—HTTP HEAD
– Global KeepAlive Configuration—KAL-AP
– Global KeepAlive Configuration—CRA
– Global KeepAlive Configuration—Name Server
Global KeepAlive Configuration—ICMP

To modify the ICMP global keepalive configuration settings, see Figure 6-2 and
Figure 6-3 and perform the following steps.
Figure 6-2 ICMP Global KeepAlive—Standard KAL Type

OL-4327-01 6-3
Figure 6-3 ICMP Global KeepAlive—Fast KAL Type
1. Select the ICMP keepalive rate by clicking one of the KAL Type option
buttons. You can specify whether the GSS is to use the standard or fast ICMP
keepalive transmission rate. The failure detection time, as it relates to the
GSS, is the amount of time between when a device failure occurs and when
the GSS determines the failure occurred. This is the longest period of time the
GSS will take to mark an answer offline.
– Standard—Uses the default detection time of 60 seconds.
– Fast—Uses the user-selectable Number of Retries parameter to control
the keepalive transmission rate. The default detection time is 4 seconds.
Note The GSS supports up to 500 ICMP keepalives when using the standard
detection method and up to 100 ICMP keepalives when using the fast
detection method.

6-4 OL-4327-01
2. If you selected the Standard KAL Type, in the Minimum Interval field change
the minimum frequency with which the GSS attempts to schedule ICMP
keepalives. The valid entries are 40 to 255 seconds. The default is 40 seconds.
3. If you selected the Fast KAL Type, modify the following parameters:
– In the Number of Retries field, specify the number of times the GSS
retransmits an ICMP echo request packet before declaring the device
offline. As you adjust the Number of Retries parameter, you change the
detection time determined by the GSS. By increasing the number of
retries you increase detection time. Reducing the number of retries has
the reverse effect. The range is 1 to 10 retries. The default is 1.
– In the Number of Successful Probes field, specify the number of
consecutive successful ICMP keepalive attempts (probes) that must be
recognized by the GSS before bringing an answer back online (and
reintroducing it into the GSS network). The range is 1 to 5 probes. The
default is 1.
Note For background details on keepalive detection time, refer to

Chapter 1, Introducing the Global Site Selector, the “Keepalives”
section.
4. Click the Submit button to save your ICMP global keepalive modifications.

OL-4327-01 6-5
Global KeepAlive Configuration—TCP

To modify the TCP global keepalive global configuration settings, see Figure 6-4
and Figure 6-5 and perform the following steps:
Figure 6-4 TCP Global KeepAlive—Standard KAL Type

6-6 OL-4327-01
Figure 6-5 TCP Global KeepAlive—Fast KAL Type
1. Select the TCP keepalive rate by clicking one of the KAL Type option
buttons. You can specify whether the GSS is to use the standard or fast TCP
keepalive transmission rate. The failure detection time, as it relates to the
GSS, is the amount of time between when a device failure occurs and when
the GSS determines the failure occurred. This is the longest period of time the
GSS will take to mark an answer offline.
Note The GSS supports up to 500 TCP keepalives when using the standard
detection method and up to 100 TCP keepalives when using the fast
detection method.

OL-4327-01 6-7
2. In the Destination port field, enter the port on the remote device that is to
receive the TCP keepalive request from the GSS. The port range is 1 to 65535.
The default port is 80.
3. Specify the TCP keepalive connection termination method:
– Reset—The GSS immediately terminates the TCP connection by using a
hard reset. This is the default termination method.
– Graceful—The GSS initiates the graceful closing of a TCP connection
by using the standard three-way connection termination method.
4. If you selected the Standard KAL Type, specify the following parameters:
– In the Response Timeout field, specify the length of time allowed before
the GSS re-transmits data to a device that is not responding to a request.
The valid entries are 20 to 60 seconds. The default is 20 seconds.
– In the Minimum Interval field, specify the minimum frequency with
which the GSS attempts to schedule TCP keepalives. The valid entries
are 40 to 255 seconds. The default is 40 seconds.
5. If you selected the Fast KAL Type, modify the following parameters:
retransmits a TCP packet before declaring the device offline. As you
adjust the Number of Retries parameter, you change the detection time
determined by the GSS. By increasing the number of retries you increase
the detection time. Reducing the number of retries has the reverse effect.
The range is 1 to 10 retries. The default is 1.
Note When using the Graceful termination sequence, there are two packets
that require acknowledgement: SYN and FIN.

consecutive successful TCP keepalive attempts (probes) that must be
default is 1.

section.

6-8 OL-4327-01
6. Click the Submit button to save your TCP global keepalive modifications.
Global KeepAlive Configuration—HTTP HEAD

To modify the HTTP HEAD keepalive global configuration settings, see
Figure 6-6 and Figure 6-7 and perform the following steps:
Figure 6-6 HTTP HEAD Global KeepAlive—Standard KAL Type

OL-4327-01 6-9
Figure 6-7 HTTP HEAD Global KeepAlive—Fast KAL Type
1. Select the HTTP HEAD keepalive rate by clicking one of the KAL Type
option buttons. You can specify whether the GSS is to use the standard or fast
HTTP HEAD keepalive transmission rate. The failure detection time, as it
relates to the GSS, is the amount of time between when a device failure occurs
and when the GSS determines the failure occurred. This is the longest period
of time the GSS will take to mark an answer offline.
Note The GSS supports up to 500 HTTP HEAD keepalives when using the
standard detection method and up to 100 HTTP HEAD keepalives when
using the fast detection method.

6-10 OL-4327-01
2. In the Destination port field, enter the port on the remote device that is to
receive the HTTP HEAD-type keepalive request from the GSS. The port
range is 1 to 65535. The default port is 80.
3. In the Path field, enter the default path that is relative to the server website
being queried in the HTTP HEAD request. For example: /company/owner
4. Specify the HTTP HEAD keepalive connection termination method:
– Reset—The GSS immediately terminates the HTTP HEAD connection
by using a hard reset. This is the default termination method.
– Graceful—The GSS initiates the graceful closing of a HTTP HEAD
connection by using the standard three-way connection termination
method.
5. If you selected the Standard KAL Type, specify the following parameters:
– In the Response Timeout field, change the length of time allowed before
the GSS retransmits data to a device that is not responding to a request.
The valid entries are 20 to 60 seconds. The default is 20 seconds.
– In the Minimum Interval field, change the minimum frequency with
which the GSS attempts to schedule HTTP HEAD keepalives. The valid
entries are 40 to 255 seconds. The default is 40 seconds.
6. If you selected the Fast KAL Type, specify the following parameters:
retransmits an HTTP HEAD packet before declaring the device offline.
As you adjust the Number of Retries parameter, you change the detection
time determined by the GSS. By increasing the number of retries you
increase the detection time. Reducing the number of retries has the
reverse effect. The range is 1 to 10 retries. The default is 1.
Note When using the Graceful termination sequence, there are three
packets that require acknowledgement: SYN, HEAD, and FIN.

consecutive successful HTTP HEAD keepalive attempts (probes) that
must be recognized by the GSS before bringing an answer back online
(and reintroducing it into the GSS network). The range is 1 to 5 probes.
The default is 1.

OL-4327-01 6-11

section.
7. Click the Submit button to save your HTTP HEAD global keepalive
modifications.
Global KeepAlive Configuration—KAL-AP

To modify the KAL-AP keepalive global configuration setting, see Figure 6-8 and
Figure 6-9 and perform the following steps:
Figure 6-8 KAL-AP Global KeepAlive—Standard KAL Type

6-12 OL-4327-01
Figure 6-9 KAL-AP Global KeepAlive—Fast KAL Type
1. Select the KAL-AP keepalive rate by clicking one of the KAL Type option
buttons. You can specify whether the GSS is to use the standard or fast
KAL-AP keepalive transmission rate. The failure detection time, as it relates
to the GSS, is the amount of time between when a device failure occurs and
when the GSS determines the failure occurred. This is the longest period of
time the GSS will take to mark an answer offline.

OL-4327-01 6-13
Note The GSS supports up to 128 primary and 128 secondary KAL-AP
keepalives when using the standard detection method and up to 40
primary and 40 secondary KAL-AP keepalives when using the fast
detection method.
2. If you intend to use Content and Application Peering Protocol (CAPP)

encryption, in the CAPP Hash Secret field enter an alphanumeric encryption
key value. This is the alphanumeric value used to encrypt interbox
communications using CAPP. The same encryption value must also be
configured on the Cisco CSS or CSM. The default CAPP Hash Secret string
is hash-not-set.
3. If you selected the Standard KAL Type, in the Minimum Interval field,
change the minimum frequency with which the GSS attempts to schedule
KAL-AP By Tag or KAL-AP By VIP keepalives. The valid entries are 40 to
4. If you selected the Fast KAL Type, specify the following parameters:
retransmits an KAL-AP packet before declaring the device offline. As
you adjust the Number of Retries parameter, you change the detection
reverse effect. The range is 1 to 10 retries. The default is 1.
consecutive successful KAL-AP keepalive attempts (probes) that must be
default is 1.

section.
5. Click the Submit button to save your KAL-AP global keepalive

modifications.

6-14 OL-4327-01
Global KeepAlive Configuration—CRA

To modify the CRA keepalive global configuration settings, see Figure 6-10 and
perform the following steps:
Figure 6-10 Global KeepAlives Details Page—CRA KeepAlive
1. In the Timing Decay field, change the value to specify how heavily the GSS
should weigh recent DNS Round Trip Time (RTT) probe results relative to
earlier RTT metrics, with 1 indicating that recent results should not be
weighed any more than previous RTT results. The valid entries are 1 to 10.
The default is 2.
2. In the Minimum Interval field, change the minimum frequency with which
the GSS attempts to schedule CRA-type keepalives. The valid entries are 1 to
3. Click the Submit button to save your CRA global keepalive modifications.

OL-4327-01 6-15
Global KeepAlive Configuration—Name Server

To modify the Name Server keepalive global configuration settings, see
Figure 6-11 and perform the following steps:
Figure 6-11 Global KeepAlives Details Page—Name Server KeepAlive
1. In the Query Domain field, change the globally defined domain name that is
used to query when utilizing the name server (NS) keepalive. The default is
".".
2. In the Minimum Interval field, change the minimum frequency with which
the GSS attempts to schedule name server query keepalives. The valid entries
are 40 to 255 seconds. The default is 40 seconds.
3. Click the Submit button to save your Name Server global keepalive
modifications.

6-16 OL-4327-01
Configuring and Modifying Shared VIP KeepAlives

The GSS supports the use of shared keepalives to minimize traffic between the
GSS and the SLBs that it is monitoring. A shared keepalive identifies a common
address or resource that can provide status for multiple answers. Shared
keepalives are used to periodically provide state information (online, offline) to the
GSS for multiple VIP answer types. Once created, you can associated the shared
keepalives with VIPs when you create a VIP answer type.
Note Shared keepalives are not used with name server or CRA answers.
All answers are validated by configured keepalives and are not returned if the
keepalive indicates that the answer is not viable. If a shared keepalive fails to
return a status, all VIPs associated with that shared keepalive are assumed to be
offline.
If you intend to use the KAL-AP keepalive method with a VIP answer you must
configure a shared keepalive. The use of shared keepalives are an option for the
ICMP, TCP, and HTTP HEAD keepalive types.
• Creating a Shared VIP KeepAlive
• Modifying a Shared KeepAlive
• Deleting a Shared KeepAlive
Creating a Shared VIP KeepAlive

To create a shared VIP keepalive:
2. Click the Shared KeepAlives navigation link. The Shared KeepAlives list
page appears listing all existing shared keepalives (Figure 6-12).

OL-4327-01 6-17
Figure 6-12 Shared KeepAlives Lists Page
3. Click the Create Shared KeepAlive icon. The Creating New Shared
KeepAlives details page appears (Figure 6-13).

6-18 OL-4327-01
Figure 6-13 Creating New Shared KeepAlives Details Page
4. At the Type section at the top of the page, choose from one of the four
keepalive types as the shared VIP keepalive:
– ICMP—Sends an ICMP echo message (ping) to the specified address.
Online status is determined by the response received from the device,
indicating simple connectivity to the network.
– TCP—Sends a TCP handshake to the specified IP address and port
number of the remote device to determine service viability (three-way
handshake and connection termination method), returning the online
status of the device.

OL-4327-01 6-19
– HTTP-Head—Sends a TCP format HTTP HEAD request to an origin

web server at a specified address. Online status of the device is
determined in the form of an HTTP Response Status Code of 200 (for
example, HTTP/1.0 200 OK) from the server as well as information on
the web page status and content size.
– KAL-AP—Sends a detailed query to the Cisco CSS or CSM to extract
load and availability. Online status is determined when these SLBs
respond with information about a hosted domain name, host VIP address,
or a configured tag on a content rule.
The following procedures describe how to configure the properties for the
individual VIP shared keepalives. The default values used for each VIP
keepalive is determined by the values specified in the Global Keepalive
Properties details page.
– Shared KeepAlive Configuration—ICMP
– Shared KeepAlive Configuration—TCP
– Shared KeepAlive Configuration—HTTP HEAD
– Shared KeepAlive Configuration—KAL-AP

6-20 OL-4327-01
Shared KeepAlive Configuration—ICMP

To define the ICMP shared keepalive configuration, see Figure 6-14 and perform
the following steps:
Figure 6-14 Shared KeepAlives Details Page—ICMP KeepAlive (Fast KAL Type)
1. Enter the IP address used to test the online status for the linked VIPs.
2. If the ICMP global keepalive configuration is set to the Fast KAL Type,
specify the following parameters in the Fast Keepalive Settings section:
retries you increase the detection time. Reducing the number of retries
has the reverse effect. The range is 1 to 10 retries. If you do not specify
a value, the GSS uses the globally configured value.

OL-4327-01 6-21

reintroducing it into the GSS network). The range is 1 to 5 probes. If you
do not specify a value, the GSS uses the globally configured value.
Note For background details on keepalive detection time, refer to Chapter 1,

Introducing the Global Site Selector, the “Keepalives” section.
3. Click the Submit button to save your ICMP shared keepalive configuration.
You return to the Shared KeepAlives list page.
Shared KeepAlive Configuration—TCP

To define the TCP shared keepalive configuration, refer to Figure 6-15 and
perform the procedure outlined below.
Figure 6-15 Shared KeepAlives Details Page—TCP KeepAlive (Fast KAL Type)

6-22 OL-4327-01
2. In the Destination port field enter the port on the remote device that is to
receive the TCP keepalive request. The port range is 1 to 65535. If you do not
specify a destination port, the GSS uses the globally configured value.
3. Specify the TCP keepalive connection termination method:
– Default—Always use the globally defined TCP keepalive connection
method.
hard reset.
4. If the TCP global keepalive configuration is set to the Fast KAL Type, specify
the following parameters in the Fast Keepalive Settings section:
The range is 1 to 10 retries. If you do not specify a value, the GSS uses
the globally configured value.


section.

OL-4327-01 6-23
5. Click the Submit button to save your TCP shared keepalive configuration.
You return to the Shared KeepAlives list page.
Shared KeepAlive Configuration—HTTP HEAD

To define the HTTP HEAD shared keepalive configuration, see Figure 6-16 and
Figure 6-16 Shared KeepAlives Details Page—HTTP HEAD KeepAlive (Fast KAL
Type)
2. In the Destination port field enter the port on the remote device that receives
the HTTP HEAD-type keepalive request from the GSS. The port range is 1 to
65535. If you do not specify a destination port, the GSS uses the globally
configured value.

6-24 OL-4327-01
3. In the Host Tag field, enter an optional domain name that is sent to the VIP
as part of the HTTP HEAD query in the Host tag field. This tag allows an SLB
to resolve the keepalive request to a particular website even when multiple
sites are represented by the same VIP.
4. In the Path feld, enter the default path that is relative to the server website
being queried in the HTTP HEAD request. If you do not specify a default
path, the GSS uses the globally configured value. For example:
/company/owner
5. Specify the HTTP HEAD keepalive connection termination method:

– Default—Always use the globally defined HTTP HEAD keepalive
connection method.
– Reset—The GSS immediately terminates the TCP formatted HTTP
HEAD connection by using a hard reset.
– Graceful—The GSS initiates the graceful closing of a TCP formatted
HTTP HEAD connection by using the standard three-way connection
termination method.
6. If the HTTP-HEAD global keepalive configuration is set to the Fast KAL
Type, specify the following parameters in the Fast Keepalive Settings section:
retransmits an HTTP HEAD packet before declaring the device offline.
As you adjust the Number of Retries parameter, you change the detection
reverse effect. The range is 1 to 10 retries. If you do not specify a value,
the GSS uses the globally configured value.

(and reintroducing it into the GSS network). The range is 1 to 5 probes.
If you do not specify a value, the GSS uses the globally configured value.

OL-4327-01 6-25

section.
7. Click the Submit button to save your HTTP HEAD shared keepalive
configuration. You return to the Shared KeepAlives list page.
Shared KeepAlive Configuration—KAL-AP

To define the KAL-AP shared keepalive configuration, see Figure 6-17 and
Figure 6-17 Shared KeepAlives Details Page—KAL-AP KeepAlive (Fast KAL Type)

6-26 OL-4327-01
1. Enter the primary (master) and secondary (backup) IP addresses that will be
tested for online status in the fields provided. The secondary IP address is
optional. The purpose of the secondary IP address is to query a second Cisco
CSS or CSM in a virtual IP (VIP) redundancy and virtual interface redundancy
configuration.
2. If you intend to use Content and Application Peering Protocol (CAPP)
encryption, check the CAPP Secure box and enter an alphanumeric
encryption key value in the CAPP Hash Secret field. This is the alphanumeric
value used to encrypt interbox communications using CAPP. The same
encryption value must also be configured on the Cisco CSS or CSM.
3. If the KAL-AP global keepalive configuration is set to the Fast KAL Type,
specify the following parameters in the Fast Keepalive Settings section:
retransmits an KAL-AP packet before declaring the device offline. As
you adjust the Number of Retries parameter, you change the detection
reverse effect. The range is 1 to 10 retries. If you do not specify a value,
the GSS uses the globally configured value.
consecutive successful KAL-AP keepalive attempts (probes) that must be

section.
4. Click Submit to create the new shared keepalive. You return to the Shared
KeepAlives list page.

OL-4327-01 6-27
Modifying a Shared KeepAlive

To modify an existing shared keepalive:
2. Click the Shared KeepAlives navigation link. The Shared KeepAlives list
page appears (see Figure 6-12).
3. Click the Modify Shared KeepAlive icon located to the left of the shared
keepalive you want to modify. The Modify Shared KeepAlive details page
Figure 6-18 Modifying Shared KeepAlive Details Page

6-28 OL-4327-01
4. Use the fields provided to modify the shared keepalive configuration.

5. Click Submit to save your configuration changes. You return to the Shared
KeepAlive list page.
Deleting a Shared KeepAlive

To delete a shared keepalive from your GSS network, and that shared keepalive is
in use by the GSS, you must first disassociate any answers that are using the
keepalive. Use the procedure that follows to disassociate your answers and
remove a shared keepalive from your GSS network.
To delete a shared keepalive:

2. Click the Shared KeepAlives navigation link. The Shared KeepAlives lists
page appears listing all existing shared keepAlives.
3. Click the Modify Shared KeepAlive icon located to the left of the shared
keepalive you want to remove. The Modifying Shared KeepAlive details page
appears.
4. If the shared keepalive is associated with an answer, perform one of the
following:
– To disassociate all answers from the selected shared keepalive and set the
keepalive type of each of those answers to ICMP using the answer’s own
VIP, click the Set Answers KAL ICMP icon in the upper right corner of
the page.
– To disassociate all answers from the selected shared keepalive and set the
keepalive type of each of those answers to none, meaning that the GSS
assumes they are always alive, click the Set Answers KAL None icon in
the upper right corner of the page.
The GSS software prompts you to confirm your decision to disassociate all
the answers from the existing shared keepalive.

OL-4327-01 6-29
Where to Go Next
5. Click the Delete button in the upper right corner of the page. The GSS
software prompts you to confirm your decision to delete the shared keepalive.
6. Click OK to confirm your decision. You return to the Shared KeepAlives lists
page.
Where to Go Next
Chapter 7, Configuring Answers and Answer Groups, provides you with all the
information you need to create and configure GSS answers and answer groups,
which are resources that respond to DNS queries.

6-30 OL-4327-01
C H A P T E R 7
Configuring Answers and Answer
Groups
This chapter describes how to create and configure GSS answers and answer
groups. It contains the following major sections:
• Configuring and Modifying Answers
• Configuring and Modifying Answer Groups
Configuring and Modifying Answers

In a GSS network, the term answers refers to resources that respond to content
queries. When you create an answer using the primary GSSM, you are simply
identifying a resource on your GSS network to which queries can be directed and
that can provide your user’s D-proxy with the address of a valid host to serve their
request.
Examples of GSS answers are:
• VIP—Virtual IP (VIP) addresses associated with an SLB such as the Cisco
CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, a Web server,
cache, or other geographically dispersed SLBs in a global network
deployment.
• Name Server—A configured DNS name server on your network that can
• CRA—Content routing agents that use a resolution process called DNS race
to send identical and simultaneous responses back to a user’s D-proxy.

OL-4327-01 7-1
Chapter 7 Configuring Answers and Answer Groups
Once created, answers are grouped together as resource pools from which the
GSS, using one of a number of available balance methods in a DNS rule, can
choose the most appropriate answer for each user request.
In addition, once the query is passed to the answer, intelligence on that resource
can be applied in choosing the best host. For example, a request that is routed to
VIP associated with a CSS is evaluated by the CSS after it is received and directed
to the most suitable host managed by that CSS.
In addition to specifying a resource, each answer also provides you with the
option of specifying a keepalive for that resource a method by which the GSS can
periodically check to see if the resource is still up and running. The keepalive
monitoring method available to you varies with the resource type, as explained in
this section.
• Creating a VIP-Type Answer
• Creating a CRA-Type Answer
• Creating a Name Server-Type Answer
• Modifying an Answer
• Suspending an Answer
• Reactivating an Answer
• Suspending or Reactivating All Answers in a Location
• Deleting an Answer
Creating a VIP-Type Answer

The VIP-type answer refers to a virtual IP address (VIP) associated with an SLB
device such as a Cisco CSS or CSM. When the GSS receives requests for content
that is managed by an SLB, the GSS returns an A-record containing the VIP of
the SLB that manages that content.
When configuring a VIP-type answer you have the option of configuring one of a
variety of different keepalive types to test for that answer. For a KAL-AP
keepalive, it is necessary to configure shared keepalives before configuring your
answer. Refer to Chapter 6, Configuring KeepAlives for more information on
creating shared keepalives.

7-2 OL-4327-01
Note Once an answer is created the Answer type cannot be modified (for example, from
VIP to CRA).
To configure a VIP-type answer:

2. Click the Answers navigation link. The Answers list page appears
(Figure 7-1).
Figure 7-1 Answers List Page
3. Click the Create Answer icon. The Creating New Answer detail page

OL-4327-01 7-3
Figure 7-2 Creating New Answer Details Page
4. In the Type field, click the VIP option button. The VIP Answer section
appears in the details page (Figure 7-3).

7-4 OL-4327-01
Figure 7-3 Creating New Answer—VIP Details Page
5. In the Name field, enter a name for the VIP-type answer you are creating.
Specifying a name for the answer is an optional step.
6. From the Location drop-down list, select an GSS location to which the answer
corresponds. Specifying a location for an answer is an optional step. For
details about creating a location, refer to Chapter 3, Configuring Resources.
7. In the VIP address field, enter the VIP address to which the GSS will forward
requests.
8. Choose from one of the five keepalive types for your VIP answer:
– None—Does not send keepalive queries to the VIP. The GSS assumes
that the VIP is always alive.
– ICMP—Sends an ICMP echo message (ping) to the specified address.
Online status is determined by the response received from the device,
indicating simple connectivity to the network.

OL-4327-01 7-5
– TCP—Sends a TCP handshake to the specified IP address and port

number of the remote device to determine service viability (three-way
handshake and connection termination method), returning the online
status of the device.
– HTTP-Head—Sends a TCP format HTTP HEAD request to an origin
web server at a specified address. Online status of the device is
determined in the form of an HTTP Response Status Code of 200 (for
example, HTTP/1.0 200 OK) from the server as well as information on
the web page status and content size.
– KAL-AP—Sends a detailed query to the Cisco CSS or CSM to extract
load and availability. Online status is determined when these SLBs
respond with information about a hosted domain name, host VIP address,
or a configured tag on a content rule.
individual VIP keepalives. The default values used for each of the VIP
keepalives are determined by the values specified in the Global Keepalive
Properties details page.
– VIP Answer—ICMP KeepAlive
– VIP Answer—TCP KeepAlive
– VIP Answer—HTTP HEAD KeepAlive
– VIP Answer—KAL-AP KeepAlive

7-6 OL-4327-01
VIP Answer—ICMP KeepAlive

To define the ICMP keepalive for your VIP answer, see Figure 7-4 and perform
the following steps:
Figure 7-4 Answer Details Page—ICMP KeepAlive VIP Answer
1. The VIP Address check box is automatically checked to instruct the GSS to
send an ICMP echo message (ping) to the VIP address of the remote device
and determine online status. If necessary, uncheck the VIP Address check box
and select an ICMP-type shared keepalive from the Shared ICMP Keepalive
drop-down list.

OL-4327-01 7-7
2. If the ICMP global keepalive configuration is set to the Fast KAL Type and
the VIP Address is checked, specify the following parameters in the Fast
Keepalive Settings section:
retries you increase the detection time. Reducing the number of retries
has the reverse effect. The range is 1 to 10 retries. If you do not specify
a value, the GSS uses the globally configured value.
reintroducing it back into the GSS network). The range is 1 to 5 probes.

section.
3. Click the Submit button to save your ICMP keepalive VIP answer. You return
to the Answers list page.

7-8 OL-4327-01
VIP Answer—TCP KeepAlive

To define the TCP shared keepalive for your VIP answer, see Figure 7-5 and
Figure 7-5 Answer Details Page—TCP KeepAlive VIP Answer
send a TCP keepalive to the VIP address of the remote device and determine
online status. If necessary, uncheck the VIP Address check box and choose a
TCP-type shared keepalive from the Shared TCP Keepalive drop-down list.
2. In the Destination Port field enter the port on the remote device that is to
receive the TCP keepalive request. The port range is 1 to 65535. If you do not
specify a destination port, the GSS uses the globally configured value.

OL-4327-01 7-9
3. If you enabled the VIP Address check box, specify the TCP keepalive
connection termination method:
– Default—Always use the globally defined TCP keepalive connection
method.
hard reset.
4. If the TCP global keepalive configuration is set to the Fast KAL Type and the
VIP Address is checked, specify the following parameters in the Fast
Keepalive Settings section:

reintroducing it back into the GSS network). The range is 1 to 5 probes.

section.
5. Click the Submit button to save your TCP keepalive VIP answer. You return
to the Answers list page.

7-10 OL-4327-01
VIP Answer—HTTP HEAD KeepAlive

To define the HTTP HEAD shared keepalive for your VIP answer, see Figure 7-6
and perform the following steps:
Figure 7-6 Answer Details Page—HTTP HEAD KeepAlive VIP Answer
send a TCP format HTTP HEAD request to the web server at an address you
specified and determine online status. If necessary, uncheck the VIP Address
check box and select an HTTP-type shared keepalive from the Shared HTTP
HEAD keepalive drop-down list.
2. In the Destination Port field enter the port on the remote device that receives
the HTTP HEAD-type keepalive request from the GSS. The port range is 1 to
65535. If you do not specify a destination port, the GSS uses the globally
configured value.

OL-4327-01 7-11
3. In the Host Tag field, enter an optional domain name that is sent to the VIP
as part of the HTTP HEAD query in the Host tag field. This tag allows an SLB
to resolve the keepalive request to a particular website even when multiple
sites are represented by the same VIP.
4. In the Path field, enter the path that is relative to the server website being
queried in the HTTP HEAD request. If you do not specify a default path, the
GSS uses the globally configured value. For example: /company/owner
5. If you enabled the VIP Address check box, specify the HTTP HEAD
keepalive connection termination method:
– Default—Always use the globally defined HTTP HEAD keepalive
connection method.
– Reset—The GSS immediately terminates the TCP formatted HTTP
HEAD connection by using a hard reset.
– Graceful—The GSS initiates the graceful closing of a TCP formatted
HTTP HEAD connection by using the standard three-way connection
termination method.
6. If the HTTP HEAD global keepalive configuration is set to the Fast KAL
Type and the VIP Address is checked, specify the following parameters in the
Fast Keepalive Settings section:

(and reintroducing it back into the GSS network). The range is 1 to 5
probes. If you do not specify a value, the GSS uses the globally
configured value.

7-12 OL-4327-01

section.
7. Click the Submit button to save your HTTP HEAD keepalive VIP answer.
You return to the Answers list page.
VIP Answer—KAL-AP KeepAlive

To define the KAL-AP shared keepalive for your VIP answer, see Figure 7-7 and
Figure 7-7 Answer Details Page—KAL-AP Keepalive VIP Answer

OL-4327-01 7-13
1. From the KAL-AP Type drop-down list, select the format of the KAL-AP
keepalive query. Your choices are:
– KAL-AP By Tag—Embeds an alphanumeric tag associated with the VIP
in the KAL-AP request. The tag value is used to match the correct shared
keepalive VIP, thus avoiding confusion that can be caused when probing
for the status of a VIP that is located behind a firewall network address
translation (NAT).
– KAL-AP By VIP—Embeds the keepalive VIP address in the KAL-AP
request. The KAL-AP queries the keepalive address to determine online
status.
2. If you chose KAL-AP By VIP, select the appropriate KAL-AP type keepalive
from the Shared KAL-AP Keepalive drop-down list.
3. If you chose KAL-AP By Tag, select the appropriate KAL-AP type keepalive
from the Shared KAL-AP Keepalive drop-down list, then enter a unique
alphanumeric value in the Tag field. This is used as a “key” by the CSS or
GSSM that matches the KAL-AP request with the appropriate VIP.
4. Click the Submit button to save your KAL-AP keepalive VIP answer. You
return to the Answers list page.
Creating a CRA-Type Answer

The content routing agent (CRA) answer type relies on content routing agents and
the GSS to choose a suitable answer for a given query based on the proximity of
two or more possible hosts to the requesting D-proxy.
With the CRA answer type, requests received from a particular D-proxy are
served by the content server that responds first to the request. Response time is
measured using a DNS race, coordinated by the GSS and content routing agents
running on each content server. In the race, multiple hosts respond simultaneously
to a request. The server with the fastest response time (the shortest network delay
between itself and the client’s D-proxy) is chosen to serve the content.
The CRA answer type is designed to work with the GSS when the boomerang
balance method is selected for a DNS rule (utilizing the Boomerang Server
component of the GSS).

7-14 OL-4327-01
Closeness is determined when multiple hosts reply to the requesting D-proxy

simultaneously in what is referred to as a “DNS race.” The GSS coordinates the
start of the race so that all CRAs initiate their response at the same time. The first
DNS reply to reach the D-proxy is chosen by the name server as the host
containing the answer.
CRA to VIP).
To configure a CRA-type answer type:

2. Click the Answers navigation link. The Answers list page appears (see
Figure 7-1).
3. Click the Create Answer icon. The Creating New Answer details page
appears (see Figure 7-2).
4. In the Type selection field, click the CRA option button. The CRA Answer
section appears in the details page (Figure 7-8).

OL-4327-01 7-15
Figure 7-8 Creating New Answer—CRA Answer
5. In the Name field enter a name for the CRA-type answer being created.
Specifying a name for the answer is an optional step.
6. Click the Location drop-down list and select a location for the answer.
Specifying a location for the answer is an optional step. For details about
creating a location, refer to Chapter 3, Configuring Resources.
7. In the CRA Address field enter the interface or circuit address of the CRA.
8. If you want the GSS to perform keepalive checks on the CRA answer, click
the Perform KeepAlive Check check box. Uncheck the Perform KeepAlive
option if a static one-way delay value is used.
9. If a one way delay time is required, enter a value, in milliseconds, in the One
Way Delay field. This value is used by the GSS to calculate a static round-trip
time (RTT), with the one-way delay constituting one-half of the round-trip
time that is used for all DNS races involving this answer.

7-16 OL-4327-01
10. Click Submit to create your new CRA-type answer. You return to the
Answers list page.
Creating a Name Server-Type Answer

A name server (NS) answer type specifies the IP address of a DNS name server to
which DNS queries are forwarded from the GSS. Using the name server
forwarding feature, queries are forwarded to an external (non-GSS) name server
for resolution, with the answer passed back to the GSS name server and from there
to the requesting D-proxy. As such, the name server answer type acts as a
guaranteed fallback resource—a way to resolve requests that the GSS cannot
resolve itself—either because the requested content is unknown to the GSS, or
because the resources that typically handle such requests are unavailable.
name server to VIP).
To configure a Name Server-type answer:

Figure 7-1).
3. Click the Create Answer icon. The Creating New Answer details page
4. In the Type field, click the Name Server option button. The Name Server
Answer section appears in the Creating New Answer details page
(Figure 7-9).

OL-4327-01 7-17
Figure 7-9 Creating New Answer—Name Server Answer
5. In the Name field, enter a name for the name server-type answer you are
creating. Specifying a name for the answer is an optional step.
6. From the Location drop-down list, select a GSS location to which the answer
corresponds. Specifying a location for the answer is an optional step. For
details about creating a location, refer to Chapter 3, Configuring Resources.
7. In the Name Server Address field, enter the IP address of the name server that
the GSS is to forward requests to.
8. If you want the GSS to perform keepalive checks on the specified Name
Server, click the Perform KeepAlive Check check box. The GSS queries the
specified name server address to determine online status.

7-18 OL-4327-01
9. If you wish to have the GSS query the name server for a specific domain in
determining online status, enter the domain name in the KeepAlive Query
Domain field.
If no domain is specified, the GSS queries the default query domain. For
instructions on configuring the default query domain, see Chapter 6,
Configuring KeepAlives.
10. Click Submit to create your new name server-type answer. You return to the
Answers list page.
Modifying an Answer
Once you have configured your answers, they can be modified at any time.
However, once an answer is created the answer type cannot be modified (for
example, from VIP to CRA).
To modify an existing answer:
2. Click the Answers navigation link. The Answers list page appears.
3. Click the Modify Answer icon located to the left of the answer you want to
modify. The Modifying Answer details page appears (Figure 7-10).

OL-4327-01 7-19
Figure 7-10 Modifying Answer Details Page
4. Use the fields provided to modify the answer configuration.

5. Click Submit to save your configuration changes. You return to the Answers
list page.
Suspending an Answer
If you have created an answer but wish to temporarily stop the GSS from using it,
use the suspend feature on the primary GSSM GUI to prevent that answer from
being used by any of the currently configured DNS rules.
If you have already suspended an answer, use the activate feature to reactivate
the answer (see the “Reactivating an Answer” section).
To suspend an answer:

7-20 OL-4327-01
Figure 7-1).
suspend. The Modifying Answer details page appears (see Figure 7-10).
4. Click the Suspend Answer icon in the upper right corner of the page to
suspend an answer.
5. Click OK to confirm your decision to suspend the answer. You return to the
Answers list screen. The modified answer has a status of Suspended.
Reactivating an Answer
If you have already suspended an answer, use the activate feature to reactivate
the answer.
To reactivate an answer:
Figure 7-1).
activate. All suspended answers have a status of Suspended in the list. The
Modifying Answer details page appears (see Figure 7-10).
4. Click the Activate Answer icon in the upper right corner of the page to
reactivate an answer.
5. Click OK to confirm your decision to reactivate the answer. You return to the
Answers list screen. The modified answer has a status of Active.
Suspending or Reactivating All Answers in a Location

Answers can be grouped and managed according to an established GSS location.
Using a location to manage your answers makes it easier for you to quickly
suspend or activate answers in a particular area of your network, for example,
shutting down one or more data centers for the purposes of software upgrades or
regular maintenance.
The GSS automatically detects and routes requests around suspended answers.

OL-4327-01 7-21
Note Suspending all answers in a location overrides the active or suspended state of an
individual answer.
To suspend or reactivate answers based on their location:

2. Click the Locations navigation link. The Locations list page appears.
3. Click the Modify Location icon located to the left of the location that
includes answers that you want to suspend or reactivate. The Modifying
Location details page appears.
4. Perform one of the following:
– To suspend answers associated with this location, click the Suspend All
Answers in This Location icon.
– To reactivate suspended answers associated with this location, click the
Activate All Answers in This Location icon.
5. Confirm your decision to suspend or activate the answers associated with this
location.
6. Click OK. You return to the Locations list page.
Deleting an Answer
If you have created an answer but wish to delete it from the GSS, use the delete
feature on the primary GSSM GUI to remove that answer.
To delete an answer:
Figure 7-1).

7-22 OL-4327-01
Configuring and Modifying Answer Groups
remove. The Modifying Answer details page appears (see Figure 7-10).
4. Click the Delete Answer icon in the upper right corner of the page. The GSS
software prompts you to confirm your decision to delete the answer.
5. Click OK to confirm your decision. You return to the Answers list page.

Answer groups are lists of GSS resources that are candidates to respond to DNS
queries received from a user for a hosted domain. Using the DNS rules feature,
these lists of network resources are associated with a particular balance method,
which is used to resolve the request.
• In the case of a VIP answer group type, the GSS selects one or more VIPs
using the balance method specified in the DNS rule.
• In the case of a CRA answer group type, all CRAs in the answer group are
queried and then “race” to respond first to the D-proxy with their IP address.
• In the case of a name server answer group type, the GSS selects a name server
using the balance method specified in the DNS rule and forwards the client’s
request to that name server.
A DNS rule can have up to three balance clauses, each specifying a different
answer group from which an answer can be chosen, after taking load threshold,
order, and weight factors into account for each answer.
Before creating your answer groups, you must first configure the answers that
make up those groups. See the “Configuring and Modifying Answers” section for
more information on creating GSS answers.
• Creating an Answer Group
• Modifying an Answer Group
• Suspending or Reactivating an Answer Group
• Suspending or Reactivating All Answers in an Answer Group Associated
with an Owner
• Deleting an Answer Group

OL-4327-01 7-23
Creating an Answer Group

To create an answer group:
2. Click the Answer Groups navigation link. The Answer Groups list page
Figure 7-11 Answer Group List Page
3. Click the Create Answer Group icon. The Creating New Answer Group
details page appears (Figure 7-12).

7-24 OL-4327-01
Figure 7-12 Creating New Answer Group Details Page—General Configuration

– In the Name field, enter a name for the new answer group. The answer
group name cannot contain spaces.
– From the Type drop-down list, choose one of the three options:
• Name Server—The answer group consists of configured name
servers
• CRA—The answer group consists of content routing agents (CRAs)
for use with the Boomerang Server component of the GSS
• VIP—The answer group consists of virtual IPs controlled by an SLB
device such as a CSS or CSM

OL-4327-01 7-25
5. From the Owner drop-down list, select the GSS owner with which the answer
group will be associated. For details about creating an owner, refer to
Chapter 3, Configuring Resources.
6. In the Comments text area, enter a description or other instructions regarding
the new answer group.
7. Click the Add Answers navigation link to access the Add Answers section of
the page (Figure 7-13). Perform the following:
a. Click the check box corresponding to each answer you wish to add to the
answer group. If the list of answers on your GSS network spans more
than one page, select the answers from only the first page of answers and
proceed to the next step.
b. Click the Add Selected button. The selected answers are added to the
answer group. Answers can belong to more than one answer group
simultaneously.
c. Repeat Steps a and b if your answers span multiple pages.
Note If an answer is added to multiple answer groups, when viewing the hit
count of answers from either the Answer Status list page or the show
statistics dns CLI command output, the number of hits provided
represents the aggregate number of hits for that answer across all
answer groups.

7-26 OL-4327-01
Figure 7-13 Creating New Answer Group Details Page—Add Answers
8. Click the General Configuration navigation link to return to the General

Configuration section. The newly added answers appear in the Current
Members section (Figure 7-14). There are different configuration options
depending on the type of answer group.

OL-4327-01 7-27
Figure 7-14 Creating New Answer Group Details Page—Current Members
Note If you are unsure of the purpose of the order, weight, or load threshold
settings, refer to Chapter 1, Introducing the Global Site Selector, the
“Balance Methods” section for background information.
– If configuring a Name Server type answer group, assign an order and

weight to each Answer in the answer group using the field and drop-down
list provided.
– If configuring a VIP type answer group, assign an order, load threshold
(LT), and weight to each answer in the answer group using the fields and
drop-down lists provided.

7-28 OL-4327-01
Note Load thresholds, which allow the GSS to make routing decisions
based on how heavily a particular resource is being tasked, can only
be assigned to answers using the KAL-AP keepalive.
– If configuring CRA, no configuration parameters are required.

10. Click the Submit button to save your answer group.
Modifying an Answer Group

Once you have created your answer groups, you can use the primary GSSM GUI
to make modifications to their configurations, adding and removing answers,
changing the order, weight, and load thresholds of individual answers. Answers
can belong to more than one answer group. However, once you have added
answers to an answer group, you cannot change the type of an answer group (for
example, from VIP to CRA).
To modify an answer group:
3. Click the Modify Answer Group icon located to the left of the answer group
you want to modify. The Modify Answer Group details page appears.
navigation link), use the fields provided to modify the name, owner, or
comments for the answer group.
5. Click the Add Answers navigation link. Click the check box corresponding
to each answer you wish to add to the answer group. If the list of answers on
your GSS network spans more than one page, select the answers from only
the first page of answers, then click Add Selected, before proceeding to
another page of answers.
6. To remove answers from the answer group, click the Remove Answers
navigation link. The Remove Answers section of the page appears
(Figure 7-15). Click the check box accompanying each answer you wish to
remove from the list, then click the Remove Selected button. The deleted
answers are removed from the page.

OL-4327-01 7-29
Figure 7-15 Modifying Answer Group - Remove Answers
7. Review your updated answer group under the Current Members section of the
General Configuration details page (see Figure 7-14).
8. Click the Submit button to save your changes. You return to the Answer
Groups Lists page.
Suspending or Reactivating an Answer Group

If you have created an answer group but wish to temporarily stop the GSS from
directing requests to it, you can use the suspend answer group feature on the
primary GSSM GUI to temporarily suspend the answers that make up that group,
preventing that answer group from being used by any of the currently configured
DNS rules.

7-30 OL-4327-01
Note Suspending the answers in one answer group also affects any other answer groups
to which those answers belong.
If you have already suspended the answers in an answer group, use the activate
answers feature to reactivate the answer group.
To suspend or reactivate an answer group:
you want to suspend or reactivate. The Modifying Answer Group details page
Figure 7-16 Modifying Answer Group - Suspend Answers Icon

OL-4327-01 7-31
4. To suspend an answer group, click the Suspend Answers button in the upper
right corner of the page.
5. If you are reactivating a suspended answer group, click the Activate Answers
icon.
6. Click OK to confirm your decision to suspend or reactivate the answers in the
answer group. You return to the Answer Groups list page.
7. To view the status of the answers that you suspended or activated, refer to
Chapter 10, Monitoring GSS Performance.
Suspending or Reactivating All Answers in an Answer Group

Associated with an Owner
Answers that have been added to answer groups can be grouped and managed
according to a GSS owner. Using a GSS owner to manage your answer groups
makes it easier for you to quickly suspend or activate related answers.
To suspend or reactivate all answers in answer groups associated with a GSS
owner:
2. Click the Owners navigation link. The Owners list page appears
(Figure 7-17).

7-32 OL-4327-01
3. Click the Modify Owner icon located to the left of the answer group you
want to suspend or reactivate. The Modifying Owner details page appears
(Figure 7-18).

OL-4327-01 7-33
Figure 7-18 Modifying Owners Details Page

– To suspend all answers in all answer groups associated with this owner,
click the Suspend All Answers in All Groups for This Owner icon in
the upper-right corner of the details page.
– To reactivate all suspended answers associated with this owner, click the
Activate All Answers in All Groups for This Owner icon in the
upper-right corner of the details page.
5. Confirm your decision to suspend or activate the answers. Click OK. You
return to the Owner list page.

7-34 OL-4327-01
Where to Go Next
Deleting an Answer Group

If you have created an answer group and want to delete it from the GSS, use the
delete feature on the primary GSSM GUI to remove that answer group. You
cannot delete answer groups that are linked to DNS rules. Disassociate your
answer group from all DNS rules before attempting to delete it (refer to Chapter 8,
Building and Modifying DNS Rules). Deleting an answer group does not delete
the answers contained in the answer group.
Caution Deletions of any kind cannot be undone in the primary GSSM. If you might use
the deleted data at a later point in time, we recommend performing a database
backup of your GSSM. Refer to Chapter 9, GSS Administration and
To delete an answer group:

1. From the primary GSSM GUI, click DNS Rules tab.
appears.
you want to remove. The Modifying Answer Group details page appears (see
Figure 7-16).
4. Click the Delete Answer Group icon in the upper right corner of the page.
The GSS software prompts you to confirm your decision to delete the answer
group.
5. Click OK to confirm your decision. You return to the Answer Groups list
page.
Where to Go Next
Chapter 8, Building and Modifying DNS Rules, describes constructing the DNS
rules that govern all global server load balancing on your GSS network.

OL-4327-01 7-35
Where to Go Next

7-36 OL-4327-01
C H A P T E R 8
Building and Modifying DNS Rules
Once you have configured your source address lists, domain lists, answers, and
answer groups, you are ready to begin constructing the DNS rules that will govern
all global server load balancing on your GSS network.
When building DNS rules, you specify actions for the GSS to take when it
receives a request from a known source (a member of a source address list) for a
known hosted domain (a member of a domain list).
The DNS rule specifies which response (answer) is given to the requesting user’s
local DNS host (D-proxy) and how that answer is chosen. One of a variety of
balance methods is used to determine the best response to the request, based on
the status and load of your GSS host devices.
Note Before creating your DNS rules, review Chapter 1, Introducing the Global Site
Selector, the “GSS Architecture” section.

• DNS Rule Configuration Overview
• Building DNS Rules Using the Wizard
• Building DNS Rules Using the DNS Rule Builder
• Modifying DNS Rules
• Suspending a DNS Rule
• Reactivating a DNS Rule
• Suspending or Reactivating All DNS Rules Belonging to an Owner

OL-4327-01 8-1
Chapter 8 Building and Modifying DNS Rules
DNS Rule Configuration Overview
• Deleting a DNS Rule

• Configuring DNS Rule Filters
• Removing DNS Rule Filters
• Delegation to GSS Devices

Because of the complexity of DNS rules, the primary GSSM GUI provides you
with a choice of two methods for creating a DNS rule:
• DNS Rule Wizard
• DNS Rule Builder
DNS Rule Wizard

The DNS Rule Wizard (Figure 8-1) is an easy-to-use tool that guides you through
the process of creating a DNS rule. The DNS Rule Wizard provides explanations
for each step in the rule authoring process. The DNS Rule Wizard allows you to
create source address lists, domain lists, answer groups, and balance methods on
the fly.
Note Owners, regions, and locations are not created as part of the DNS Rule Wizard
and must be created prior to using the wizard.

8-2 OL-4327-01
Figure 8-1 DNS Rule Wizard - Introduction Page
When you use the wizard, the Next and Back buttons step you forward and
backward through the rule-building process. Alternatively, use the navigation
links under the Wizard Contents heading to move back and forth to any step in the
wizard.
To access the DNS Rule Wizard, click the DNS Rules tab and then click the Rule
Wizard icon. See the “Building DNS Rules Using the Wizard”section for details.

OL-4327-01 8-3
DNS Rule Builder

If you are an experienced GSS user, you can use the DNS Rule Builder
(Figure 8-2) to quickly assemble DNS rules from source address lists, domain
lists, owners, and answers that you have already created. Using the fields and
drop-down menus provided, you can assign a name for your rule and then
configure the rule with up to three balance clauses for the GSS to choose an
answer.
Figure 8-2 DNS Rule Builder Window
Because the DNS Rule Builder is launched in its own window, you can leave it
open and return to the primary GSSM GUI to review or add answers, answer
groups, owners, domain lists, and more. Any changes made to your GSS network
configuration while the DNS Rule Builder is open are immediately reflected
in the DNS Rule Builder. For example, an answer group added while the DNS
Rule Builder window is open automatically appears in the drop-down list of
answer groups.
To access the DNS Rule Builder, click the DNS Rules tab and then click the
Open Rule Builder icon. See the “Building DNS Rules Using the DNS Rule
Builder”section for details.

8-4 OL-4327-01
Building DNS Rules Using the Wizard

To create a DNS rule using the DNS Rule Wizard:
Note Owners, regions, and locations are not created as part of the DNS Rule Wizard
and must be creating prior to using the wizard.
1. From the primary GSSM GUI, click the DNS Rules tab, then the DNS Rules
navigation link. The DNS Rules list appears (Figure 8-3).
Figure 8-3 DNS Rules List Page
2. Click the Rule Wizard icon. The DNS Rule Wizard introduction page
appears (Figure 8-4). Read this page carefully; it provides an overview of the
steps necessary to create a DNS rule.

OL-4327-01 8-5
Figure 8-4 DNS Rule Wizard—Introduction Page
3. Click the Next and Back buttons to step forward or backwards through the
DNS rule-building process. Alternatively, use the links under the Wizard
Contents table of contents to jump back and forth to any step in the Wizard.
individual pages in the DNS Rule Wizard.
– DNS Rule Wizard—Source Address List Page
– DNS Rule Wizard—Domain List Page
– DNS Rule Wizard—Answer Group Page
– DNS Rule Wizard—Balance Method Page
– DNS Rule Wizard—Summary

8-6 OL-4327-01
DNS Rule Wizard—Source Address List Page

This step uses the Source Address List section of the DNS Rule Wizard
(Figure 8-5) to identify your source address list.
Figure 8-5 DNS Rule Wizard—Source Address List Page 1
Perform one of the following:

• To have this DNS rule apply to requests originating from any DNS proxy,
click the Any Address option, then click Next. See the DNS Rule
Wizard—Domain List Page section for information on using the Domain List
detail page in the wizard.
• To have this DNS Rule apply to requests originating from a list of DNS
proxies that you have not yet configured but now want to configure, click the
Manually-entered source address list option, then click Next. See the DNS
Rule Wizard—Source Address List Page 2 section for information on using
the Source Address List detail page in the wizard.

OL-4327-01 8-7
• To have this DNS rule apply to requests originating from a list of DNS proxies
that you have already configured using the Source Address Lists feature, click
the Predefined source address list option, then click Next. See the DNS
Rule Wizard—Source Address List Page 3 section for information on using
the Domain List detail page in the wizard.
DNS Rule Wizard—Source Address List Page 2

If you chose the Manually-entered Source Address List option in the Source
Address List section of the wizard, perform the following steps to create your
Source Address List (Figure 8-6). Once you configure your Source Address List
using the wizard, it is available for other DNS rules as well.

8-8 OL-4327-01
1. Enter a name for your Source Address List in the List Name field.
2. Optionally, click the List Owner drop-down list and select a GSS owner
name.
3. In the space provided, enter one or more source CIDR-format IP addresses
that make up the list. You can enter individual IP addresses or address blocks.
If you wish to enter multiple IP addresses, separate the addresses using
semicolons.
For example:
192.168.1.110/32; 192.168.10.0/24; 192.161.0.0/16
4. Click Next to proceed to the Domain List detail page of the DNS Rule
Wizard. See the DNS Rule Wizard—Domain List Page section for
information.
DNS Rule Wizard—Source Address List Page 3

If you selected the Predefined Source Address List option in the Source Address
List section of the wizard, perform the following procedure to create your Source
Address List (Figure 8-7).

OL-4327-01 8-9
1. Click the name of the Source Address List in the list to highlight it.
2. Click Next to proceed to the Domain List detail page of the DNS Rule
Wizard. See the DNS Rule Wizard—Domain List Page section for
information.
DNS Rule Wizard—Domain List Page

This step uses the Domain List section of the DNS Rule Wizard (Figure 8-8) to
specify the domains that users will be requesting. Each GSS can support a
maximum of 2000 hosted domains and 2000 hosted domain lists, with a maximum
of 500 hosted domains supported for each domain list. If using a KAL-AP type
answer, the GSS can support up to 1024 domains managed by any single server
load balancing device such as a Cisco Content Services Switch (CSS) or Content
Switching Module (CSM).

8-10 OL-4327-01
Figure 8-8 DNS Rule Wizard—Domains List Page 1

• To have the DNS rule apply to requests for a hosted domain that you have not
yet configured but now want to configure, click the Manually-entered
domain list option, then click Next. See the DNS Rule Wizard—Domain List
Page 2 section for information on using this Domain List detail page in the
wizard.
• To have the DNS Rule apply to requests for a domain from a list of hosted
domains already configured using the Domain Lists feature of the primary
GSSM, click the Predefined domain list option, then click Next. See the
DNS Rule Wizard—Domain List Page 3 section for information on using this
Domain List detail page in the wizard.

OL-4327-01 8-11
DNS Rule Wizard—Domain List Page 2

If you chose the Manually-entered Domain List option in the Domain List section
of the wizard, perform the following steps to manually configure the domains that
users will be requesting(Figure 8-9). Once you have configured your Domain List
using the DNS Rule Wizard, it is available for other DNS rules as well.
1. Enter a name for your Domain List in the List Name field.
2. Optionally, click the List Owner drop-down list and select an owner name.
3. In the space provided, enter one or more domain names that make up the list.
You can enter complete domain names, or any regular expression that
specifies a pattern by which the GSS can match incoming addresses. Any
request for a hosted domain that matches that pattern is directed accordingly.

8-12 OL-4327-01
For example, if you had only three hosted domains—www.cisco.com,

support.cisco.com, and customer.cisco.com—for which the GSS was
responsible, you might want to enter only those domains in your domain list,
as follows:
www.cisco.com; support.cisco.com; customer.cisco.com
However, if you had 20 or more possible domains for which the GSS was
responsible—www1.cisco.com, www2.cisco.com, and so on—manually
entering each address is time consuming. In such a situation, you could create
a wildcard expression that would cover all those domains, as follows:
.*\.cisco\.com
4. When you complete entering the domain names, click Next to proceed to the
Answer Group detail page of the DNS Rule Wizard. See the DNS Rule
Wizard—Answer Group Page section for information.
DNS Rule Wizard—Domain List Page 3

If you selected the Predefined Domain List option, this step allows you to select
from a list of previously configured domains (Figure 8-10).

OL-4327-01 8-13
1. Click the name of the domain list so that its name is highlighted.
2. Click Next to proceed to the Answer Group detail page of the DNS Rule
Wizard. See the DNS Rule Wizard—Answer Group Page section for
information.

8-14 OL-4327-01
DNS Rule Wizard—Answer Group Page

This step of the DNS Rule Wizard uses the Answer Groups section of the wizard
(Figure 8-11) to configure an Answer Group.
Figure 8-11 DNS Rule Wizard—Answer Group Page 1

OL-4327-01 8-15

• To have this DNS rule respond to the request for the hosted domain using
resources (answers) that you have not yet configured, click the Enter
addresses option, then click Next. See the DNS Rule Wizard - Answer Group
Page 2 section for information on using this Answer Group detail page in the
wizard.
• To have this DNS rule respond to the request for the hosted domain using
resources (answers) that you already configured using the Answers and
Answer Group features, click the Select an existing answer group option,
then click Next. See the DNS Rule Wizard - Answer Group Page 4 section for
information on using this Answer Group detail page in the wizard.
DNS Rule Wizard - Answer Group Page 2

If you chose the Enter Addresses option in the Answer Group section of the
wizard (Figure 8-12), perform the following steps to create your answers and
answer group. Once you configure your Answer Group using the Wizard, it is
available for other DNS Rules as well.

8-16 OL-4327-01
1. Enter a name for your answer group in the Group Name field.
2. Optionally, select an owner for the answer group by clicking the Group
Owner drop-down list and selecting a GSS owner from the list.
3. Select an answer group type by clicking one of the three option buttons
provided. Once you select an answer group type, only answers of that type
(VIP, NS, or CRA) can be added to the group.
– VIP—Virtual IP (VIP) addresses associated with an SLB as such the
Cisco CSS, Cisco CSM, Cisco IOS-compliant SLB, LocalDirector, web
server, cache or other geographically dispersed SLBs in a global network
deployment.
– Name Server—A configured DNS name server on your network that can
– CRA—Content routing agents that use a resolution process called DNS
race to send identical and simultaneous requests back to a user’s D-proxy.

OL-4327-01 8-17
4. Click Next to begin configuring answers for your answer group. See the DNS
Rule Wizard - Answer Group Page 3 section for information on using this
Answer Group detail page in the wizard.

This step uses the Answer Group page of the DNS Rule Wizard to configure
answers for the specified answer group type: VIP, NS, or CRA (Figure 8-13).

8-18 OL-4327-01

– If configuring a VIP type answer group, use the following steps to
identify the VIPs that provide the answers that make up the answer
group. Assign an order, load threshold, and weight to each answer in the
answer group.
a. Enter the address of each VIP that belongs to the answer group in
the IP Address fields provided.
b. Click the Location drop-down list and select an optional Location.
c. If using the Weighted Round Robin balance method, click the
Weight drop-down list and assign a weight between 1 and 10 to
each answer in the answer group.
d. If using the Ordered List balance method, assign an order to each
VIP listed in the answer group using the Order field provided. The
number you assign represents the order of the answer in the list.
Subsequent VIPs on the list will only be used in the event that
preceding VIPs on the list are unavailable. The GSS supports gaps
in numbering in an ordered list.
Note For answers that have the same order number in an answer group, the
GSS will only use the first answer that contains the number. We
recommend that you specify a unique order number for each answer
in an answer group.
e. If using a KAL-AP-type answer, assign a load threshold between 0

and 255 using the Load Threshold field. If the VIP answer reports
a load above the specified threshold the GSS will deem the device
unavailable to handle further requests.
– If configuring a new name server-type answer group, use the following
steps to identify the name servers that provide the answers that make up
the answer group:
a. Enter the address of each name server that belongs to the answer
group to the IP Address fields provided.
b. For each name server IP address select an optional location by
clicking the Location drop-down list.

OL-4327-01 8-19
c. If using the Weighted Round Robin balance method, click the

Weight drop-down list and assign a weight between 1 and 10 to
each answer in the answer group. The weight is used to create a
ratio that the GSS uses when directing requests to each answer. For
example, if Answer A has a weight of 10 and Answer B has a
weight of 1, Answer A will receive 10 requests for every 1 directed
to Answer B.
d. If you are using the Ordered List balance method with this answer
group, assign an order to each name server listed in the answer
group using the Order drop-down list provided. The number you
assign represents the order of the answer in the list. Subsequent
name servers on the list will only be used in the event that preceding
name servers on the list are unavailable. The GSS supports gaps in
numbering in an ordered list.
in an answer group.
– If configuring a CRA type answer group, use the following steps to

identify the content routing agents (CRAs) that provide the answers that
make up the answer group, then assign a location for each answer in the
answer group.
a. Enter the address of each CRA that belong to the answer group in
the IP Address fields provided.
b. For each CRA IP address, select an optional location by clicking on
the Location drop-down list.
2. Click Next to proceed to the Balance Method details page of the DNS Rule
Wizard. See the DNS Rule Wizard—Balance Method Page section for
information.

8-20 OL-4327-01

If you selected the Select an Existing Answer Group option, this step allows you
to select from a series of previously configured answers (Figure 8-14).
1. Click the name of the answer group in the list so that the name is highlighted.
2. Click Next to proceed to the Balance Method details page of the DNS Rule
Wizard. See the DNS Rule Wizard—Balance Method Page section for
information.

OL-4327-01 8-21
DNS Rule Wizard—Balance Method Page

This step of the DNS Rule Wizard uses the Balance Method page of the wizard
(Figure 8-15) to select a balance method to use when selecting the answer from
your answer group that is best suited to respond to the DNS query. Your choice of
balance methods is limited by the type of answer group (name server, VIP, or
CRA) you selected. The DNS Rule Wizard only supports selection of a single
balance clause. If necessary, you can modify the DNS rule and add additional
balance clauses using the DNS Rule Builder (see the “Modifying DNS Rules”
section).
Figure 8-15 DNS Rule Wizard—Balance Method Page

8-22 OL-4327-01

1. If configuring a VIP or name server answer group to respond to requests,
choose from the following balance methods for each of your DNS rule
clauses:
– Hashed—The GSS selects the answer based on a unique value created
from information stored in the request. The GSS supports two hashed
balance method. The GSS allows you to apply one or both hashed balance
methods to the specified answer group.
• By Source Address—The GSS selects the answer based on a hash
value created from the source address of the request.
• By Domain Name—The GSS selects the answer based on a hash
value created from the requested domain name.
– Least Loaded—Available for VIP-type answer groups only using a
KAL-AP keepalive. The GSS selects an answer from the list based on the
load reported by each VIP in the answer group. The answer reporting the
lightest load is chosen to respond to the request.
– Ordered List—The GSS selects an answer from the list based on
precedence; answers with a lower order number are tried first, while
answers further down the list are tried only if preceding responses or
answer are unavailable to respond to the request. The GSS supports gaps
in numbering in an ordered list.
in an answer group.
– Round Robin—The GSS cycles through the list of answers that are
available as requests are received.
– Weighted Round Robin—The GSS cycles through the list of answers
that are available as requests are received, but sends requests to favored
answers in a ratio determined by the weight value assigned to that
resource.

OL-4327-01 8-23
2. If you configured a CRA Answer Group to respond to requests:

– Boomerang is automatically assigned by the GSS software as the balance
method.
– Enter a “last gasp” address in the Last Gasp field provided. This address
serves as the answer in the event that no content routing agents reply to
the request. If you specify a “last gasp” address, the GSS automatically:
• Creates an answer for this address
• Creates an answer group that contains the “last gasp” answer
• Adds a second balance clause to the DNS rule with the suffix
-GROUP and uses ordered list as the balance method.
3. Click Next to proceed to the Summary page of the DNS Rule Wizard. An
overview of your rule is provided that supplies information on the selected
source address list, domain List, answer group, and balance method. See the
DNS Rule Wizard—Summary section for information.

8-24 OL-4327-01
DNS Rule Wizard—Summary

The Summary page (Figure 8-16) provides an overview of your rule, including
information on the source address list, domain List, answer group, and balance
method chosen.
Figure 8-16 DNS Rule Wizard—Summary Page
Using the fields provided on the Summary page, complete your DNS rule as
follows:
1. Enter a name for your DNS Rule in the Rule Name field.
2. Optionally, associate the rule with an GSS owner by selecting an owner name
from the Rule Owner drop-down list.

OL-4327-01 8-25
3. Indicate what type of DNS queries applies to this rule by selecting a query
type from the Match DNS Query Type drop-down list:
– All - The DNS rule is applied to all DNS queries originating from a host
on the configured source address list. For any request other than an
A-record query (for example, MX or CNAME record), the GSS forwards
the request to a name server configured in one of the three Balance
Clauses. When the GSS receives the response from the name server, it
then delivers the response to the requesting client D-proxy.
Note When you select All as the Match DNS Query Type you must
configure one Balance Clause to include a name server-type answer
group.
– A record - The DNS rule is applied only to answer address record (A

record) requests originating from a host on the configured source address
list. For any request with an unsupported query types (for example, MX,
PTR, or CNAME record) that match this DNS rule, those query types will
be dropped and not answered by the GSS. For an AAAA query with a
configured host domain, the GSS returns a NODATA (No Answer, No
Error) response in order for the requester to then make a subsequent
A-record query.
4. Select an operating status for the rule from the Rule Status drop-down list:
– Active—The DNS rule immediately begins processing requests
– Suspended—The DNS rule is listed on the DNS Rules list page, but has
a status of “suspended”. The DNS rule is not used to process any
incoming DNS queries.
5. Click Finish to save your DNS Rule. You return to the DNS Rules list page.

8-26 OL-4327-01
Building DNS Rules Using the DNS Rule Builder

If you are comfortable with the process of building a DNS rule and have already
configured your domain lists, answers, and answer groups, use the DNS Rule
Builder to quickly assemble a DNS rule.
The DNS Rule Builder is an interface that pulls together all the GSS elements
needed to create new DNS rules. Because the DNS Rule Builder is launched in its
own window, you can leave it open and return to the primary GSSM GUI to review
or add answers, answer groups, owners, domain lists, and more. Any changes
made to your GSS network configuration while the DNS Rule Builder is open are
immediately reflected in the DNS Rule Builder.
In addition, the DNS Rule Builder allows you to configure multiple clauses for
your DNS rule; that is, additional answer group and balance method pairs that can
be tried in the event that the first answer group and balance method specified does
not yield an answer.
To create a DNS rule using the DNS Rule Builder:
1. From the primary GSSM GUI, click the DNS Rules tab, then the DNS Rules
navigation link. The DNS Rules list appears (Figure 8-17).

OL-4327-01 8-27
Figure 8-17 DNS Rules List Page
2. Click the Open Rule Builder icon. The DNS Rule Builder page opens in a
separate window (Figure 8-18.)

8-28 OL-4327-01
Figure 8-18 Create New DNS Rule Window
3. In the Rule Name field, enter a name for your new DNS Rule. Rule names
cannot contain spaces.
4. From the Rule Owner drop-down list, choose a contact with whom the rule
will be associated. The default Rule Owner is System.
5. From the Source Address List drop-down list, choose a Source Address List
from which requests will originate. The DNS rule is applied only to requests
coming from one of the addresses in the source address list. If you do not
choose a source address list, the GSS automatically uses the default list
Anywhere.

OL-4327-01 8-29
6. From the Domain List drop-down list, choose a domain list to which DNS
queries will be addressed. The DNS rule is applied only to requests coming
from one of the addresses in the source address list and for a domain on the
specified domain list.
7. From the Match DNS Query Type drop-down list, indicate what type of DNS
queries applies to this rule:
– All - The DNS rule is applied to all DNS queries originating from a host
on the configured source address list. For any request other than an
A-record query (for example, MX or CNAME record), the GSS forwards
the request to a name server configured in one of the three Balance
Clauses. When the GSS receives the response from the name server, it
then delivers the response to the requesting client D-proxy.
Note When you select All as the Match DNS Query Type you must
configure one Balance Clause to include a name server-type answer
group.
– A record - The DNS rule is applied only to answer address record (A

record) requests originating from a host on the configured source address
list. For any request with an unsupported query types (for example, MX,
PTR, or CNAME record) that match this DNS rule, those query types will
be dropped and not answered by the GSS. For an AAAA query with a
configured host domain, the GSS returns a NODATA (No Answer, No
Error) response in order for the requester to then make a subsequent
A-record query.
8. At the Balance Clause 1 heading:
– Select the answer group component of your first answer group/balance
method pairing from the drop-down list. This is the first effort the GSS
uses to select an answer for the DNS query.
– Select the balance method for the answer group from the drop-down list.
Your choice of balance methods changes based on the type of answer
group (Name Server, VIP, or CRA) you selected.

8-30 OL-4327-01
9. If you selected a VIP or name server answer group to respond to requests,

choose from the following balance methods for each of your DNS rule
clauses:
Note If you selected a CRA-type Answer Group, the balance method is

automatically set to Boomerang.
– Hashed—The GSS selects the answer based on a unique value created

from information stored in the request. The GSS supports two hashed
balance method. The GSS allows you to apply one or both hashed balance
methods to the specified answer group.
• By Source Address—The GSS selects the answer based on a hash
value created from the source address of the request.
• By Domain Name—The GSS selects the answer based on a hash
value created from the requested domain name.
– Least Loaded—Available for VIP-type answer groups only using a
KAL-AP keepalive. The GSS selects an answer from the list based on the
load reported by each VIP in the answer group. The answer reporting the
lightest load is chosen to respond to the request.
– Ordered List—The GSS selects an answer from the list based on
precedence; answers with a lower order number are tried first, while
answers further down the list are tried only if preceding answers are
unavailable to respond to the request. The GSS supports gaps in
numbering in an ordered list.
in an answer group.
– Round Robin—The GSS cycles through the list of answers that are
available as requests are received.
– Weighted Round Robin—The GSS cycles through the list of answers
that are available as requests are received, but sends requests to favored
answers in a ratio determined by the weight value assigned to that
resource.

OL-4327-01 8-31
10. If you selected a VIP-type answer group, configure the following

configuration information in the fields provided:
– DNS TTL—The duration of time in seconds that the requesting DNS
proxy caches the response sent from the GSS and considers it to be a
valid answer.
– Return Record Count—The number of address records (A-records) that
you want the GSS to return for requests that match the DNS rule.
11. If you selected a CRA-type answer group, configure the following
configuration information in the fields provided:
– DNS TTL—The duration of time in (units) that the requesting DNS
proxy caches the response sent from the GSS and consider it to be a valid
answer.
– Fragment Size—The preferred size of the boomerang race response that
is produced by a match to a DNS rule and sent to the requesting client.
– Pad Size—The amount of extra data (in bytes) included with each CRA
response packet and used to evaluate CRA bandwidth as well as latency
when making load balancing decisions.
– IP TTL—The maximum number of network hops that should be utilized
when returning a response to a CRA from a match on a DNS rule.
– Secret—A text string, up to 64 characters, that is used to encrypt critical
data sent between the GSS boomerang server and CRAs. This key must
be the same for each configured CRA.
– Max Prop. Delay—The maximum propagation delay, the maximum
delay (in milliseconds) that is observed before the boomerang server
component of the GSS forwards a DNS request to a CRA.
– Server Delay—The maximum delay (in milliseconds) that is observed
before the boomerang server component of the GSS returns the address
of its “last gasp” server as a response to the requesting name server.
12. If you wish, repeat Step 8 through Step 10 to select additional answer
group/balance method pairings for Balance Clause 2 and Balance Clause 3.
These answer pairs are only applied if the preceding clause is unable to
provide an answer for the DNS query.
13. Click Save to save your DNS Rule. You return to the DNS Rules list page.
The DNS rule is now active and processing incoming DNS requests.

8-32 OL-4327-01
Modifying DNS Rules
Modifying DNS Rules

As with the creation of DNS rules, you can also use the DNS Rule Builder or the
DNS Rule Wizard to modify a DNS rule. To modify a previously created DNS
rule, perform one of the following:
To modify a DNS rule using the DNS Rule Builder:
1. From the primary GSSM GUI, click the DNS Rules tab. The DNS Rules list
appears.
2. Click the Modify DNS Rule Using Rule Builder Interface button located to
the left of the DNS rule you want to modify. The Modify DNS Rule details
page opens in a separate window.
3. Make modifications as necessary to the DNS rule. See “Building DNS Rules
Using the DNS Rule Builder” for details about using the DNS Rule Builder.
4. Click Save when you complete your modifications. You return to the DNS
Rules list page.
To modify a DNS rule using the DNS Rule Wizard:
appears.
2. Click the Modify DNS Rule Using Wizard button located to the left of the
DNS rule you want to modify. The Modify DNS Rule Wizard appears.
3. Make modifications as necessary to the DNS rule in the DNS Rule Wizard.
Click here “Building DNS Rules Using the Wizard” for details about using
the DNS Rule Wizard.
4. Click Finish when you complete your modifications. You return to the DNS
Rules list page.

OL-4327-01 8-33
Suspending a DNS Rule
Suspending a DNS Rule

If you want to stop requests from being processed by a DNS rule on your GSS,
use the suspend feature to temporarily deactivate the rule. You can use the suspend
feature to temporarily halt traffic to particular answers while those resources are
receiving maintenance.
Once a rule has been suspended, you must reactivate it from the primary GSSM
GUI before it can again be used to process incoming DNS queries.
To suspend a DNS rule from the DNS Rule Builder:
page appears.
2. Click the Modify DNS Rule Using Rule Builder Interface icon located to
the left of the DNS rule you want to suspend. The DNS Rule Builder page
appears in a separate browser window.
3. Click the Suspend icon in the upper right corner of the page. The GSS
software prompts you to confirm your decision to suspend the DNS rule.
4. Click OK to confirm your decision. You return to the DNS Rule list page. The
status of the DNS rule appears as Suspended.
To suspend a DNS rule from the DNS Rule Wizard:
page appears.
2. Click the Modify DNS Rule Using Wizard icon located to the left of the
DNS rule you want to suspend. The DNS Rule Wizard appears.
3. Click the Summary navigation link in the Wizard Contents table of contents.
The Summary page appears (see Figure 8-16).
4. From the Rule Status drop down list, select the Suspended operating status
for the DNS rule.
5. Click Finish to confirm your decision. You return to the DNS Rule list page.
The status of the DNS rule appears as Suspended.

8-34 OL-4327-01
Reactivating a DNS Rule
Reactivating a DNS Rule

To reactivate operation of a suspended DNS rule from the DNS Rule Builder:
page appears.
2. Click the Modify DNS Rule Using Rule Builder Interface icon located to
the left of the DNS rule you want to activate. All suspended DNS rules have
a status of Suspended in the list. The DNS Rule Builder window appears.
3. Click the Activate icon in the upper right corner of the page. The GSS
software prompts you to confirm your decision to activate the DNS rule.
4. Click OK to confirm your decision. You return to the DNS Rule list page. The
status of the DNS rule appears as Active.
To reactivate operation of a suspended DNS rule from the DNS Rule Wizard:
page appears.
2. Click the Modify DNS Rule Using Wizard icon located to the left of the
DNS rule you want to suspend. The DNS Rule Wizard appears.
3. Click the Summary navigation link in the Wizard Contents table of contents.
The Summary page appears (see Figure 8-16).
4. From the Rule Status drop down list, select the Active operating status for the
DSN rule.
5. Click Finish to confirm your decision. You return to the DNS Rule list page.
The status of the DNS rule appears as Active.

OL-4327-01 8-35
Suspending or Reactivating All DNS Rules Belonging to an Owner
Suspending or Reactivating All DNS Rules

Belonging to an Owner
DNS rules can be grouped and managed according to a GSS owner that has been
established and with which the DNS rules have been associated. Using owners to
manage your DNS rules makes it easier for you to quickly suspend or activate
rules related to a particular group or department within your organization (for
example, HR or Sales) without requiring to individually edit each rule that serves
that owner.
To suspend or reactivate DNS rules belonging to an owner:
1. From the primary GSSM GUI, click Resources tab.
2. Click the Owners navigation link. The Owners list page appears
(Figure 8-19).

8-36 OL-4327-01
Suspending or Reactivating All DNS Rules Belonging to an Owner
3. Click the Modify Owner icon located to the left of the owner responsible for
the DNS rules you want to suspend or reactivate. The Modifying Owner
Figure 8-20 Modifying Owners Details Page

– To suspend all DNS rules associated with this owner, click the Suspend
All DNS Rules for This Owner icon in the upper-right corner of the
details page.
– To reactivate all suspended DNS rules associated with this owner, click
the Activate All DNS Rules for This Owner icon in the upper-right
corner of the details page.
5. Confirm your decision to suspend or activate the answers. Click OK. You
return to the Owner list page.

OL-4327-01 8-37
Deleting a DNS Rule
Deleting a DNS Rule

Use the delete feature on the primary GSSM GUI to remove a previously created
DNS rule from the GSSM database. Deleting a DNS rule does not delete the
source address lists, domain lists, owners, and answer groups associated the DNS
rule.
Caution Deletions of any kind cannot be undone in the GSSM. If you might want to use
the deleted data at a later point in time, we recommend performing a database
backup of your GSSM. Refer to Chapter 9, GSS Administration and
To delete a DNS rule:

page appears.
2. Click the Modify DNS Rule using rule builder interface icon located to the
left of the DNS rule you want to delete. The DNS Rule Builder window
appears.
prompts you to confirm your decision to delete the DNS rule.
4. Click OK to confirm your decision. You return to the DNS Rule list page.
Configuring DNS Rule Filters

As your GSS network grows, so will your collection of DNS rules for handling
traffic to and from your network. In time, it may become difficult to locate the
rules that you need. For that reason, the GSS GUI provides filters that can be
applied to your DNS rules, allowing you to view only those rules that have the
properties you are interested in. For example, you can create a filter that will limit
your view of the DNS rules to include only those that involve a certain source
address list or domain list, use a certain balance method, are owned by a particular
user, or have a status of “active.”
To configure a DNS rule filter:

8-38 OL-4327-01
2. Click the Filter DNS Rule List icon. The Configure DNS Rule List Filter
Figure 8-21 Configure DNS Rule List Filter Details Page
3. To filter your list by any of the properties displayed on the Filter List page,
enter a complete or partial (wildcard) value into the fields provided. This page
is divided by Source Address List Filter Parameters, Domain List Filter
Parameters, Balance Clause Filter Parameters, and DNS Rule Filter
Parameters The GSS supports filtering combinations in the properties of all
four sections of the details page.
Table 8-1 lists the parameters that can be used to filter your DNS rules list and
provides explanations and sample entries for each parameter.

OL-4327-01 8-39
Table 8-1 DNS Rules Filter Parameters
Parameter Description Selection Examples

Source Address List Filter Parameters
Name Name assigned to a source VIP1
address list associated with
VIP*
the DNS rule
NameServerList
IP Address Block IP address or address block 192.168.110.100
assigned to a source
192.168.*
the DNS rule
Owner Name of the owner Any
assigned to the source System
the DNS rule Education
Domain List Filter Parameters
Name Name assigned to a domain CiscoSystems
list associated with the
Cisco*
DNS rule
Domain Domain included on the www.cisco.com
domain list associated with support.cisco.com
the DNS rule
www.*
assigned to the domain list System
associated with the DNS
rule Sales
Balance Clause Filter Parameters
Answer Group Name Name assigned to an VIP_answer_Group_1
answer group associated
VIP_answer_Group_2
with the DNS rule
VIP_*

8-40 OL-4327-01
Table 8-1 DNS Rules Filter Parameters (continued)
Parameter Description Selection Examples

Answer Group Owner Name of the owner Any
assigned to the answer System
group associated with the
DNS rule HR
Answer Group Type Type of answer group CRA
associated with the DNS
Name Server
rule
VIP
Contains Answer Answer belonging to an 192.161.1.2
answer group associated
192.168.*
with the DNS rule
Balance Method Type of balance method Boomerang
(such as boomerang and Hashed
ordered list) associated
with the DNS rule Least Loaded
Order List
Round-Robin
Weighted Round-Robin
DNS Rule Filter Parameters
Name Name of the DNS rule Cisco_Rule
Cisco*
assigned to the DNS rule System
Sales
Status Status of the DNS rule, Any
either active or suspended Active
Suspended

OL-4327-01 8-41
Removing DNS Rule Filters
4. Click Submit to confirm your decision. The DNS Rule list page reappears.
The displayed DNS rules are those DNS rules that match your search criteria.
If no DNS Rule parameters match the parameters that you used to filter the
list, a message appears:
No DNS rules match the filter specification.
Removing DNS Rule Filters

Use the Show All DNS Rules icon on the DNS Rules list page to remove any
filters that have been applied to your DNS Rules. The Show All DNS Rules icon
removes all filters and displays a complete list of DNS Rules on your GSS
network.
To remove DNS rule filters:
page appears.
2. Click the Show All DNS Rules icon. The DNS Rule Filter list page refreshes,
displaying all configured DNS rules.
Delegation to GSS Devices

Once you have configured your GSS devices to connect to your network and have
created the logical resources (source address lists, domain lists, answers and
answer groups, and DNS rules) required for global server load balancing, you are
ready to complete the final step that integrates your new global server
load-balancing device into your network’s DNS infrastructure and starts
delivering user queries to your GSS: modifying your parent domain’s DNS server
to delegate parts of its name space to your GSSs.
Note You should carefully review and perform a test of your GSS deployment before
making changes to your DNS server configuration that will affect your public or
enterprise network configuration.

8-42 OL-4327-01
Modifying your DNS servers to accommodate your GSS devices involves the
following steps:
1. Adding name server (NS) records to your DNS zone configuration file that
delegates your domain or subdomains to one or more of your GSSs
2. Adding “glue” address (A) records to your DNS zone configuration file that
map the DNS name of each of your GSS devices to an IP address
Example 8-1 provides an example of a DNS zone configuration file for a fictitious
cisco.com domain that has been modified to delegate primary DNS authority for
three domains to two GSS devices. Relevant lines are shown in bold type.
In Example 8-1, the delegated domains are:
• www.cisco.com
• ftp.cisco.com
• media.cisco.com
The GSS devices are:
• gss1.cisco.com
• gss2.cisco.com

OL-4327-01 8-43
Example 8-1 Sample BIND Zone Configuration File Delegating GSSs
cisco.com. IN SOA ns1.cisco.com. postmaster.cisco.com. (

2001111001; serial number
36000; refresh 10 hours
3600 ; retry 1 hour
3600000; expire 42 days
360000; minimum 100 hours )
; Corporate Name Servers for cisco.com

IN NS ns1.cisco.com.
IN NS ns2.cisco.com.
ns1 IN A 192.168.157.209
ns2 IN A 192.168.150.100
; Sub-domains delegated to GSS Network

www IN NS gss1.cisco.com.
IN NS gss2.cisco.com.
media IN CNAME www
ftp IN NS gss1.cisco.com.
IN NS gss2.cisco.com.
; “Glue” A records with GSS interface addresses

; Cisco GSS Dallas
gss1 IN A 172.16.2.3
; Cisco GSS London
gss2 IN A 192.168.3.6
.
.
.
When reviewing this zone file, remember that there are any number of possible
GSS deployments that you can use, some of which may suit your needs and your
network better than the example listed. For example, instead of having all
subdomains shared by all GSS devices, you may want to allocate specific
subdomains to specific GSSs.

8-44 OL-4327-01
C H A P T E R 9
GSS Administration and
Troubleshooting
This chapter covers the procedures necessary to properly manage and maintain
your GSSM and GSS devices, including login security, software upgrades, GSSM
database administration, and GSSM error messages.
• Performing Advanced GSS Configuration Tasks
• Configuring the Primary GSSM Graphical User Interface
• Printing and Exporting GSSM Data
• Configuring GSS Security
• Configuring SNMP on Your GSS Network
• Backing Up the GSSM
• Upgrading the Cisco GSS Software
• Downgrading and Restoring Your GSS Devices
• Viewing Third-Party Software Versions
• Primary GSSM Error Messages

OL-4327-01 9-1
Chapter 9 GSS Administration and Troubleshooting
Performing Advanced GSS Configuration Tasks

These sections describe the following advanced GSS configuration tasks:
• Logically Removing a GSS or Standby GSSM from the Network
• Changing the GSSM Role in the GSS Network
• Modifying Network Configuration Settings of a GSS
• Changing the Startup and Running Configuration Files
• Loading the Startup Configuration from an External File
Logically Removing a GSS or Standby GSSM from the Network

This section describes the steps to logically remove a GSS or standby GSSM
device from your network. You may need to logically remove a GSS from your
network when you:
• Move a GSS device between GSS networks
• Send the GSS or standby GSSM out for repair or replacement
Before removing or replacing a GSS or standby GSSM, you should logically
remove the GSS from the network before physically removing it.
Note Do not logically remove the primary GSSM from the GSS network. If you need
to take the primary GSSM offline for either maintenance or repair, temporarily
switch the roles of the primary and standby GSSMs as outlined in the “Changing
the GSSM Role in the GSS Network” section.
To logically remove a GSS or standby GSSM from the network, follow these
steps. The first four steps in the instructions assume that the GSS or standby
GSSM is operational. If that is not the case, proceed directly to step 5.
1. Log on to the CLI, following the instructions in Chapter 2, Setting Up Your
GSS, the “Accessing the GSS CLI” section. The CLI prompt appears.
2. At the CLI prompt, enable privileged EXEC mode and then global

9-2 OL-4327-01
3. If possible, use the copy startup-config disk command to backup the startup
configuration file on the GSS or standby GSSM device. For example:
localhost.localdomain# copy startup-config disk configfile
4. Use the gss stop command to stop the GSS software running on the GSS. For
example:
localhost.localdomain# gss stop
5. Use the gss disable command to disable the selected GSS and remove any
existing configuration, including deleting the GSSM database from the GSS
device. This option returns the GSS to the initial, disabled state. If the GSS
device is to be powered down, also enter the shutdown command. For
example:
localhost.localdomain# gss disable
localhost.localdomain# shutdown
6. To logically remove a GSS or a standby GSSM from the network, access the
primary GSSM graphical user interface and click the Resources tab.
page appears.
8. From the Global Site Selectors list, click the Modify GSS icon located to the
left of the GSS device you want to delete. The Modifying GSS details page
appears.
prompts you to confirm your decision to delete the GSS device.
10. Click OK to confirm your decision. You return to the Global Site Selectors
list page with the deleted device removed from the list.
For details on physically removing or replacing a GSS from your network, refer
to the Cisco Global Site Selector Hardware Installation Guide.
To add a GSS or standby GSSM back into the GSS network, follow the procedures
outlined in Chapter 2, Setting Up Your GSS.
After you configure the GSS or standby GSSM, you may reload the backup copy
of the GSS device startup configuration settings (see the “Loading the Startup
Configuration from an External File” section).
.

OL-4327-01 9-3
Changing the GSSM Role in the GSS Network

The GSS software supports multiple GSSMs on a single GSS network, with one
GSSM acting as the primary GSSM and another GSSM acting as a standby device.
The standby GSSM is capable of temporarily taking over the role as the primary
GSSM is the event that the primary GSSM is unavailable (for example, you need
to move the primary GSSM or you want to take it offline for repair or
maintenance).
Using the CLI, you can manually switch the roles of your primary and standby
GSSMs at any time. Before switching GSSM roles, however, both a primary and
a standby GSSM must be configured and enabled in your GSS network.
Do not attempt to switch roles before both a primary and a standby GSSM have
been configured and enabled (refer to Chapter 2, Setting Up Your GSS). In
addition, ensure that the designated primary GSSM is offline before you attempt
to enable the standby GSSM as the new primary GSSM. Having two primary
GSSMs active at the same time may result in the inadvertent loss of configuration
changes for your GSS network. Although request routing continues to function in
such a situation, GUI configuration changes made on one or both devices may be
lost or overwritten, and may not be communicated to your GSS devices. If this
dual primary GSSM configuration occurs, the two primary GSSMs change to
standby mode and you will need to reconfigure one of the GSSMs as the primary
GSSM.
Note that the switching of roles between the designated primary GSSM and the
standby GSSM is intended to be a temporary GSS network configuration until the
original primary GSSM is back online. The interim primary GSSM can be used to
monitor GSS behavior and make configuration changes if necessary.
Switching the Roles of the Primary and Standby GSSMs

Use the following steps to change the roles of your primary and standby GSSMs.
These instructions assume that your primary GSSM is online and functional at the
time you are switching GSSM roles. If this is not the case (for example, the
primary GSSM is not functional), ignore any steps that apply to accessing the
primary GSSM.
1. Log on to the CLI of the primary GSSM, following the instructions in
Chapter 2, Setting Up Your GSS, the “Accessing the GSS CLI” section. The
CLI prompt appears.

9-4 OL-4327-01

gssm1.yourdomain.com> enable
3. If you have not already done so, perform a full backup of your primary GSSM
to preserve your current network and configuration settings (see the
“Performing a Full GSSM Backup” section).
4. Configure the current primary GSSM as the standby GSSM. Use the gssm
primary-to-standby command to place the primary GSSM in standby mode.
For example:
gssm1.yourdomain.com# gssm primary-to-standby
5. If the GSSM is to be powered down, also enter the shutdown command. For
example:
gssm1.yourdomain.com# shutdown
6. Exit from the CLI of the GSSM.

7. Log on to the standby GSSM. You cannot log in to the GUI of the old primary
GSSM once it begins acting in a standby capacity.
9. Configure the current standby GSSM to be the temporary primary GSSM for
your GSS network. Use the gssm standby-to-primary command to enable
your standby GSSM and make it the primary GSSM. For example:
gssm2.yourdomain.com# gssm standby-to-primary
The standby GSSM begins to function in its new role as the primary GSSM.
Note The configuration changes do not take effect immediately. It can take up
to five minutes for the other GSS devices in the network to learn about the
new primary GSSM.
10. Exit privileged EXEC mode. The interim primary GSSM is now fully
functional and you can now access the GUI.

OL-4327-01 9-5
Reversing the Roles of the Interim Primary and Standby GSSMs

To reverse the roles of the interim primary and standby GSSMs back to the
original GSS network deployment (assuming both devices are online):
Note If your original primary GSSM has been replaced by Cisco Systems, contact the
Cisco Technical Assistance Center (TAC).
1. Log on to the CLI of the interim primary GSSM. The CLI prompt appears.
3. Perform a full backup of the interim primary GSSM to preserve the current
network and configuration settings (see the “Performing a Full GSSM
Backup” section).
4. Use the gssm primary-to-standby command to place the current interim
primary GSSM in standby mode and resume its role in the GSS network as
the standby GSSM. For example:
gssm2.yourdomain.com# gssm primary-to-standby
5. Exit from the CLI of the standby GSSM.

6. Log on to the CLI of the primary GSSM from the original network
deployment. The CLI prompt appears.
8. Use the gssm standby-to-primary command to return the GSS device back
to the role as the primary GSSM in the GSS network. For example:
gssm1.yourdomain.com# gssm standby-to-primary

9-6 OL-4327-01
Modifying Network Configuration Settings of a GSS

Once you have configured your GSS devices in your network, you can use the CLI
to modify the configuration settings of those devices.
To modify the network configuration of a GSS device:
GSS, the “Accessing the GSS CLI” section. The GSS CLI prompt appears.
3. Use the gss stop command to stop your GSS servers. For example:
gssm1.yourdomain.com# gss stop
4. Enter global configuration mode. For example:

gssm1.yourdomain.com# configure
5. Use the no form of the network configuration commands to erase

configuration settings. For example, to change the IP address assigned to a
GSS interface, you would enter:
gssm1.yourdomain.com(config-eth0)# no ip address 10.89.3.24
255.255.255.0
gssm1.yourdomain.com(config-eth0)# exit
Once you have removed a GSS device setting, you can reregister it with the
primary GSSM by following the instructions in Chapter 2, Setting Up Your GSS.

OL-4327-01 9-7
Changing the Startup and Running Configuration Files

The network configuration for a GSS device includes:
• Interface—Ethernet interface being used
• IP address—Network address and subnet mask assigned to the interface
• GSS communications—Which interface (Ethernet 0 or Ethernet 1) is
designated for handling GSS-related communications on the device
• GSS TCP keepalives—Which interface (Ethernet 0 or Ethernet 1) is
designated for outgoing keepalives of type TCP and HTTP HEAD
• Host name—Host name assigned to the GSS
• IP default gateway—Network gateway used by the device
• IP name server—Network DNS server being used by the device
• IP routes—All static IP routes
• SSH enable—Whether SSH is enabled on the device
• Telnet enable—Whether Telnet is enabled on the device
• FTP enable—Whether FTP is enabled on the device
Each GSS device tracks two such configurations:
• Startup configuration—The default network configuration. These
configuration settings are loaded each time the device is booted.
• Running configuration—The network configuration currently being used by
the GSS device.
Usually, the running configuration and the startup configuration file are identical.
However, once a configuration parameter is modified for any reason, the two must
be reconciled using the CLI in one of the following ways:
• The running configuration can be saved as the new startup configuration
using the copy running-config startup-config command. Any changes to the
network configuration of the device are retained and used when the device is
next rebooted.
• The startup configuration can be maintained. In this case, the running
configuration is used up until the point at which the device is rebooted, at
which time the running configuration is discarded and the startup
configuration is restored.

9-8 OL-4327-01
To change the startup configuration file for a GSS device:

By default, the host name for GSS devices is localhost.localdomain. This
name changes once you configure the host name for the device.
gssm1.yourdomain.com# config
3. Make any desired changes to the network configuration of the device. For
example, if you wanted to change the device host name, you would use the
following command:
gssm1.yourdomain.com(config)# hostname new.yourdomain.com
new.yourdomain.com(config)#
4. Use the copy running-config startup-config command to install the current

running configuration as the new startup configuration for the device. For
example:
new.yourdomain.com(config)# copy running-config startup-config
5. Alternatively, use the copy command to achieve the same result, copying the
running configuration to the startup configuration. For example:
new.yourdomain.com(config)# copy running-config startup-config
Loading the Startup Configuration from an External File

In addition to copying your running configuration as a new startup configuration,
internally you can also upload or download GSS device configuration information
from an external file using the copy command.
Before attempting to load the startup configuration from a file, make sure that the
file has been moved to a local directory on the GSS device.
To copy the GSS device startup configuration to or from a disk:

OL-4327-01 9-9
Configuring the Primary GSSM Graphical User Interface

3. Use the copy command to install a new startup configuration from a file. For
example:
gssm1.yourdomain.com# copy disk startup-config filename
where filename is the name of the file containing the startup configuration
settings.
4. Alternatively, copy the current startup configuration to a file for use on other
devices or for backup purposes. For example:
gssm1.yourdomain.com# copy startup-config disk filename
where filename is the name of the file created to contain the startup
configuration settings.
Configuring the Primary GSSM Graphical User

Interface
The primary GSSM GUI provides you with a number of configuration options for
modifying the behavior and performance of the primary GSSM web-based GUI.
Among the settings you can modify are:
• GUI Session Inactivity Timeout Enable—Check box that enables or
disables the use of the GUI Session Inactivity Timeout function.
• GUI Session Inactivity Timeout—Number of minutes of inactivity that
must pass before your primary GSSM GUI session is automatically
terminated
• GSS Reporting Interval—Interval (in seconds) at which GSS devices report
their status to the primary GSSM
• Monitoring Screen Refresh Interval—Interval (in seconds) at which the
primary GSSM GUI refreshes displayed content

9-10 OL-4327-01
Configuring the Primary GSSM Graphical User Interface
To modify any GUI session settings:

1. From the primary GSSM GUI, click the Tools tab.
2. Click the GUI Configuration navigation link. The GUI Configuration details
page appears (Figure 9-1) listing fields for modifying your GUI session
settings.
Figure 9-1 GUI Configuration Details Page
3. Perform one or more of the following:

– To adjust the amount of time without GUI activity that must pass before
the primary GSSM automatically terminates the GUI session, click the
GUI Session Inactivity Timeout Enable check box and enter a number
in the GUI Session Inactivity Timeout field. This value is the length of
time, in minutes, that passes without any user activity before the session
is terminated.

OL-4327-01 9-11
Printing and Exporting GSSM Data
– To adjust the amount of time that must pass before GSS devices report
their status to the primary GSSM, enter a number in the GSS Reporting
Interval field. This value is the length of time, in seconds, that passes
between reports.
– To increase the length of time that passes between automatic screen
refreshes when viewing GSS information from the primary GSSM GUI,
enter a number in the Monitoring Screen Refresh Interval field. This
value is the length of time, in seconds, that passes between automatic
screen refreshes.
4. Click Submit to update the primary GSSM. The Transaction Complete icon
appears in the lower left corner of the configuration area to inform you that
the GUI session has been successfully updated.
Printing and Exporting GSSM Data

You can send any data displayed on the primary GSSM GUI to a local or network
printer configured on your workstation, or export that data to a flat file for use
with other office applications. When printing or exporting data, all information
displayed on the primary GSSM GUI is dumped. You cannot select individual
pieces of data to output.
To print or export GSSM data:
1. From the primary GSSM GUI, navigate to the list page or details page
containing the data you wish to export or print.
– To export the data, click the Export button. You are prompted to either
save the exported data as a comma-delimited file or open it using your
designated CSV editor.
– To print the data, click the Print button. The Print dialog box on your
workstation appears, allowing you to choose a printer.
Note If you need to export the output of all configured fields from the primary GSSM
GUI from the GSS CLI (intended for use by a Cisco technical support
representative), specify the show tech-support config. Refer to the Cisco Global
Site Selector Command Reference.

9-12 OL-4327-01
Configuring GSS Security

Using the primary GSSM GUI, you can control access to the GUI. Using the CLI,
you can control login access to individual GSS devices, as well as incoming traffic
to your GSS devices.
• Creating and Managing GSSM Login Accounts
• Creating and Managing GSS CLI Login Accounts
• Segmenting GSS Traffic by Interface
• Filtering GSS Traffic Using Access Lists
• Deploying GSS Devices Behind Firewalls
Creating and Managing GSSM Login Accounts

Using the user administration feature of the GSSM, you can create and maintain
login accounts for the primary GSSM GUI. In addition to login name and
password information, the user administration feature also allows you to maintain
contact information for each user.
Note Only users who log in to the primary GSSM GUI as administrator have the
privileges to create, modify, or remove a GSSM GUI account.

• Creating a GSSM GUI User Account
• Modifying a GSSM GUI User Account
• Removing a GSSM GUI User Account
• Changing Your GSSM GUI Password

OL-4327-01 9-13
Creating a GSSM GUI User Account

To create a GSSM GUI user account:
2. Click the User Administration navigation link. The GUI Configuration list
page appears (Figure 9-2).
Figure 9-2 GSSM User Administration List Page
3. Click the Create User icon. The Creating New User details page appears
(Figure 9-3).

9-14 OL-4327-01
Figure 9-3 GSSM User Administration Details Page
4. In the User Account area, enter the login name for the new account in the
Username field. Usernames can contain spaces.
5. In the Password field, enter the alphanumeric password for the new account.
6. In the Re-type Password field, reenter the password for the new account.
7. In the Personal Information area, enter the user’s first name in the First Name
field.
8. In the Last Name field, enter the user’s last name. The first and last name will
be displayed next to the user’s login, whenever the user logs on to the primary
GSSM.

OL-4327-01 9-15
9. Optionally, fill in the rest of the user’s contact information as follows:

– Job title—User’s position within your organization
– Department—User’s department
– Phone—User’s business telephone number
– E-mail—User’s e-mail address
– Comments—Any important information or comments about the user
account
10. Click Submit to create your new user account. You return to the User
Administration list page.
Modifying a GSSM GUI User Account

To modify an existing GSSM user account:
page appears (see Figure 9-2) listing existing user accounts.
3. Click the Modify User icon to the left of the user account that you wish to
modify. The Modifying User details page appears (see Figure 9-3) listing
fields for modifying your GUI session settings.
4. Use the fields provided to modify the user’s account, as follows:
– Username—Change the account’s login name.
– Password/Retype password—Modify the login password for the
account; new passwords must be entered identically in both fields before
they are accepted.
– First name—Modify the user’s first name.
– Last name—Modify the user’s last name.
– Job title—Modify the user’s listed position within your organization.
– Department—Modify the user’s department.
– Phone—Modify the user’s business phone number.
– E-mail—Modify the user’s e-mail address.
– Comments—Modify comments on the user account.

9-16 OL-4327-01
5. Click Submit to save changes to the account. You return to the GSSM User
Administration list page.
Removing a GSSM GUI User Account

To delete an existing GSSM GUI user account:
page appears (see Figure 9-2) listing existing user accounts.
3. Click the Modify User icon to the left of the user account that you wish to
remove. The Modifying User details page appears (see Figure 9-3),
displaying that user’s account information.
Note You cannot delete the admin account.
4. Click the Delete icon. The software prompts you to confirm your decision to
permanently delete the user.
5. Click OK. You return to the GSSM User Administration list page with the
user account removed.
Changing Your GSSM GUI Password

Using the change password feature of the primary GSSM GUI, you can change
the password for the account that you used to log on to the primary GSSM. You
must know the existing password for an account before you can change it to a new
value.
Note If you change the Administration password that is used to log in to the primary
GSSM GUI, and then either lose or forget the password, you can reset the
password back to “default” by entering the reset-gui-admin-password CLI
command. Refer to the Cisco Global Site Selector Command Reference for details
on using this command.
To change your account password:


OL-4327-01 9-17
2. Click the Change Password navigation link. The Change Password detail
page (Figure 9-4) appears displaying your account name in the Username
field
Figure 9-4 GSSM Change Password Details Page
3. In the Old Password field, enter your existing GSSM login password.
4. In the New Password field, enter the string that you would like to use as the
new GSSM login password.
5. In the Re-type New Password field, enter the new password string a second
time. This is used to verify that you have entered your password correctly.
6. Click Submit to update your login password.

9-18 OL-4327-01
Creating and Managing GSS CLI Login Accounts

Using the CLI, you can set user access for each of your GSS devices, including
the GSSM. User access to the CLI of your GSSs must be managed individually on
each device.
Note Only the admin account can create and manage GSS logins.

• Creating a GSS User Account Using the CLI
• Modifying a GSS User Account Using the CLI
• Deleting a GSS User Account Using the CLI
Creating a GSS User Account Using the CLI

When creating user accounts from the CLI, you must specify the new login,
password, and privilege level using a single command. You cannot create a new
account without designating a value for each of these configuration settings. Refer
to the Cisco Global Site Selector Command Reference for detailed information on
the username command.
To create a user or administrative login account that can access the CLI of one of
your GSS devices:
gss1.yourdomain.com> enable
gss1.yourdomain.com# config
gss1.yourdomain.com(config)#
3. Use the username command to create and configure your new login account
and then press Enter to create the account. For example:
gss1.yourdomain.com(config)# username paulr password mypwd
privilege admin
User paulr added.

OL-4327-01 9-19
For a login name, enter an unquoted alphanumeric text string with no spaces
and a maximum of 32 characters. Login names must start with an alpha
character (for example, A-Z or a-z). The GSS does not support usernames that
begin with a numerical value. For a password, enter an unquoted text string
with no spaces and a maximum length of 8 characters. To create an
administrative account, set the privilege level to admin. To create a user
account, set the privilege level to user.
4. Repeat step 3 for each new user account that you wish to create.
Modifying a GSS User Account Using the CLI

When modifying a GSS user account using the CLI, use the same procedure that
you used to create the account: entering the full username, password, and
privilege level and substituting new values for the configuration settings that you
wish to change.
1. Log on to the CLI following the instructions in Chapter 2, Setting Up Your
3. Use the username command to modify your new login account and then press
Enter to input the new values. For example:
gss1.yourdomain.com(config)# username paulr password newpwd
privilege user
User paulr exists, change info? [y/n]: y
4. Repeat step 3 for each new user account that you wish to modify.
Deleting a GSS User Account Using the CLI

You must have administrative-level access to the GSS to delete login accounts.
To delete a login account:

9-20 OL-4327-01
3. Use the username command to delete an existing login account. For

example:
gss1.yourdomain.com#(config) username paulr delete
User paulr removed
Note You cannot delete the admin account.
4. Repeat step 3 for each new user account that you wish to delete.
Resetting the CLI Administrator Account Password

If you accidentally forget the password for the GSS administrator account, you
can reset it from the GSS CLI. You must have physical access to the GSS device
to perform this procedure.
Note If you change the Administration password that is used to log in to the primary
GSSM GUI, and then either lose or forget the password, you can reset the
password back to “default” by entering the reset-gui-admin-password CLI
command. Refer to the Cisco Global Site Selector Command Reference for details
on using this command.
To reset the CLI administrator account password:

1. Attach an ASCII terminal to the GSS console port, following the instructions
in the “Connecting Cables” section of Chapter 3 in the Cisco Global Site
Selector Hardware Installation Guide.
2. If the GSS device is currently up and running, enter the reload command to
halt and perform a cold restart of your GSS device. For example:
Host# reload
As the GSS reboots, output appears on the console terminal.

OL-4327-01 9-21
3. After the BIOS boots and the LILO boot: prompt appears, enter ? (a question
mark) to determine which software version the GSS device is running and to
enter boot mode.
LILO boot: ?
GSS-<software_version>
boot:
At the LILO boot: prompt, press Tab or ? to view a listing of the available
GSS software images.
Note Enter the ? command within a few seconds of seeing the LILO boot
prompt or the GSS device continues to boot. If you miss the time window
to enter the ? command, wait for the GSS to properly complete booting,
cycle power to the GSS device, and try again to access the LILO boot
prompt.
4. At the boot: prompt, enter GSS-<software_version>

RESETADMINCLIPW=1. Use care when entering this command; this CLI
command is case-sensitive. For example: boot: GSS-1.1.0
RESETADMINCLIPW=1
If you successfully reset the administrator password, the Resetting admin

account CLI password message appears on the console terminal while the
GSS device reboots. If the message does not appear, repeat steps 2 through 4
again. Pay close attention when you enter the GSS-<software_version>
RESETADMINCLIPW=1 command.
Segmenting GSS Traffic by Interface

GSS devices include two Ethernet interfaces. By default, GSS servers listen for
DNS traffic on both Ethernet interfaces.
Note In the case of inter-GSS communications, GSS devices listen for configuration
and status updates on one interface only, which is the first Ethernet interface
(eth 0) by default. You can use the gss-communications command to configure
which interface is used for interdevice communications on the GSS network.
Refer to the Cisco Global Site Selector Command Reference for instructions on
using the gss-communications command.

9-22 OL-4327-01
However, for security reasons you may wish to limit GSS traffic to one interface,
or segment traffic by constraining a certain type of traffic on a designated
interface. Using the access-list and access-group commands discussed in the
“Filtering GSS Traffic Using Access Lists” section, you can use access lists to
limit traffic on either of your GSS interfaces.
For example, network management services like Telnet, SSH, and FTP listen on
all active interfaces once they are enabled. To force these remote management
servers to listen on only the second Ethernet interface, you would use the
following CLI commands:
gss1.yourdomain.com#
gss1.yourdomain.com(config)# access-list alist1 permit tcp any
destination-port ftp
destination-port ssh
destination-port telnet
gss1.yourdomain.com(config)# access-group alist1 interface eth1
By default, the above commands would limit the second interface (eth1) to the
specified traffic. All other traffic to that interface would be refused.
To deny the same traffic on the first interface (eth0), you would use the following
commands:
gss1.yourdomain.com(config)# access-list alist1 deny tcp any
destination-port ftp
destination-port ssh
destination-port telnet
gss1.yourdomain.com(config)# access-group alist1 eth0

OL-4327-01 9-23
Filtering GSS Traffic Using Access Lists

Using built-in packet filtering features on the GSS, you can instruct your GSSs
and GSSMs to permit or refuse specific packets that are received based on a
combination of criteria that includes:
• Destination port of the packets
• Requesting host
• Protocol used (TCP, User Datagram Protocol [UDP], or ICMP)
These packet-filtering tools, called access lists, are created and maintained from
the GSS CLI. Access lists are essentially collections of filtering rules that are
created using the access-list CLI command and can be applied to one or both of
your GSS interfaces using the access-group command.
Each access list is a sequential collection of permit and deny conditions that apply
to a source network IP address to control whether routed packets are forwarded or
blocked at the GSS. The GSS examines each packet to determine whether to
forward or drop the packet based on the criteria you specified within the access
lists.
Note that each additional criteria statement that you enter is appended to the end
of the access list statements. Also note that you cannot delete individual
statements after they have been created. You can only delete an entire access list.
The order of access list statements is important. When the GSS is deciding
whether to forward or block a packet, the software tests the packet against each
criteria statement in the order the statements were created. After a match is found,
no more criteria statements are checked.
If you create a criteria statement that explicitly permits all traffic, no statements
added later will ever be checked. If you need additional statements, you must
delete the access list and retype it with the new entries.
For detailed information on access list syntax options, refer to the access-list,
access-group, and show access-list commands in the Cisco Global Site Selector
Command Reference.

9-24 OL-4327-01

• Creating an Access List
• Associating an Access List with a GSS Interface
• Disassociating an Access List from a GSS Interface
• Adding Rules to an Access List
• Removing Rules from an Access List
• Viewing Access Lists
Creating an Access List

The term access list simply refers to one or more filtering rules that are grouped
together. You can create any number of access lists on a given GSS device. After
you have created an access list, rules can be appended to or removed from the list
at any time.
To ensure your GSS functions properly with access lists, identify the ports and
protocols normally used by each GSS device. Table 9-1 illustrates the types of
expected inbound traffic received by the GSS.
Table 9-1 GSS-Related Ports and Protocols (Inbound Traffic)
Source Port
(Remote Destination Port
Device) (GSS) Protocol Details
* 20–23 TCP FTP, SSH, and Telnet server
services on the GSS
20, 21, 23 * TCP Return traffic of FTP and Telnet
GSS CLI commands
* 53 UDP, TCP GSS DNS server traffic
53 * UDP GSS software reverse lookup and
“dnslookup” queries
123 123 UDP Network Time Protocol (NTP)
updates
* 161 UDP Simple Network Management
Protocol (SNMP) traffic

OL-4327-01 9-25
Table 9-1 GSS-Related Ports and Protocols (Inbound Traffic)
Source Port
* 443 TCP Primary GSSM GUI
1304 1304 UDP CRA keepalives
* 2000 UDP Inter-GSS periodic status reporting
* 2001–2009 TCP Inter-GSS communication
2001–2009 * TCP Inter-GSS communication
5002 * UDP KAL-AP keepalives
*Any legal port number.

To create an access list:
Note You need access to the CLI of your GSS devices to create access lists.
2. Enable privileged EXEC mode and access configuration mode. For example:
3. Use the access-list command to create your first access list.

For example, to configure an access list named alist1 containing a rule that
allows any traffic using the TCP protocol on port 443 on the GSS device,
enter the following:
destination-port eq 443

9-26 OL-4327-01
Refer to the Cisco Global Site Selector Command Reference for an

explanation of access-list command syntax.
4. Repeat step 3 for each access list that you wish to add to this device, or see
the “Adding Rules to an Access List” section for instructions on adding more
rules to an access list that already exists.
Associating an Access List with a GSS Interface

After you have created an access list, you must associate it with one or both of
your GSS interfaces before it can be used to filter incoming traffic to that
interface.
When no access lists are associated with an interface, all incoming traffic is
allowed on that interface. After an access list has been applied, only the type of
traffic explicitly permitted by that list is allowed. All other traffic is disallowed.
The access-group command is used to associate an access list with a GSS
interface.
Note You need access to the CLI of your GSS devices to associate access lists with GSS
interfaces.
To associate access lists with a GSS interface:

3. Use the access-group command to associate an access list with the GSS
interface. For example, to associate the access list named alist1 with the first
interface on your GSS device, you would enter the following:
gss1.yourdomain.com(config)# access-group alist1 interface eth0

explanation of access-group command syntax.
4. Repeat step 3 for each access list that you wish to associate with an interface.

OL-4327-01 9-27
Disassociating an Access List from a GSS Interface

After you have associated an access list with one or more of your GSS interfaces,
you can dissociate it from that interface using the no form of the access-group
command. Disassociating an access list from an interface removes any constraints
that the list applied to traffic to that interface.
Note You need to be able to access the CLI of your GSS devices to disassociate access
lists from GSS interfaces.
To disassociate an access list from an interface:

3. Use the no access-group command to disassociate an access list from your

GSS interface. For example, to disassociate the access list named alist1 from
the first interface on your GSS device, you would enter the following:
gss1.yourdomain.com(config)# no access-group alist1 interface eth0

explanation of access-group and no access-group command syntax.
4. Repeat step 3 for each access list that you wish to disassociate from an
interface.
Adding Rules to an Access List

Once you have created one or more access lists, you can append rules to them at
any time.
To add a rule to an access list:

9-28 OL-4327-01
3. Use the access-list command to add a new rule to an existing access list. For
example, to add a new rule to the access list named alist1 that blocks all traffic
from host 192.168.1.101, you would enter the following:
gss1.yourdomain.com(config)# access-list alist1 deny tcp host
192.168.1.101

4. Use the show access-list command to verify that the rule has been added to
your access list. For example:
gss1.yourdomain.com(config)# show access-list
access-list:alist1
access-list alist1 permit tcp any destination-port eq 443
access-list alist1 deny tcp host 192.168.1.101
5. Repeat steps 3 and 4 for each rule that you wish to add to this access list.
Removing Rules from an Access List

Once you have created one or more access lists, you can remove rules from them
at any time. Access lists must contain at least one rule. Removing the last rule
from an access list removes the list itself from the GSS.
To remove a rule from an access list:

OL-4327-01 9-29
3. Use the no form of the access-list command to remove a rule from an existing
access list. For example, to remove the rule from the access list named alist1
that blocks all traffic from host 192.168.1.101, you would enter the
following:
gss1.yourdomain.com(config)# no access-list alist1 deny tcp host
192.168.1.101

4. Use the show access-list command to verify that the rule has been removed
from your access list. For example:
access-list:alist1
5. Repeat steps 3 and 4 for each rule that you wish to remove from this access
list, or from others configured on your system.
Viewing Access Lists

Use the show access-list command to view configured access lists. For example:
access-list:alist1
Deploying GSS Devices Behind Firewalls

In addition to the packet-filtering features of the access-list and access-group
commands discussed in the “Filtering GSS Traffic Using Access Lists” section,
you can also deploy your GSS devices behind an existing firewall on your
enterprise network.
The GSS does not support deployment of devices behind a NAT for inter-GSS
communication. The communication between the GSSs cannot include an
intermediate device behind a NAT because the actual IP address of the devices is
embedded in the payload of the packets.

9-30 OL-4327-01
When configuring your GSS for deployment behind a firewall, at a minimum you
will need to allow DNS traffic into the box. If you have multiple GSSs deployed
such that traffic between them must pass through a firewall, then you must
configure the firewall to also allow inter-GSS communications, and inter-GSS
status reporting. Whether you need to allow other traffic in Table 9-2 and
Table 9-3 will depend on your GSS configuration (for example, whether you are
using KAL-AP keepalives) and your need access to certain GSS services through
the firewall (for example, SNMP).
To configure your firewall to work with the GSS product, follow the guidelines in
Table 9-2 and Table 9-3 to permit inbound and outbound traffic to and from the
specified GSS ports. You may also want to use the access-list and access-group
commands to enable authorized GSS traffic to the specified ports. By default, all
ports not explicitly permitted in your access list are blocked by that interface once
the list is associated.
Table 9-2 Inbound Traffic Going Through a Firewall to the GSS
Source Port
* 20–23 TCP FTP, SSH, and Telnet server
services on the GSS
20, 21, 23 * TCP Return traffic of FTP and Telnet
GSS CLI commands
* 53 UDP, TCP GSS DNS server traffic
53 * UDP GSS software reverse lookup and
updates
* 161 UDP Simple Network Management
* 443 TCP Primary GSSM GUI

OL-4327-01 9-31
Table 9-2 Inbound Traffic Going Through a Firewall to the GSS (continued)
Source Port
5002 * UDP KAL-AP keepalives
Table 9-3 Outbound Traffic Originating from the GSS
Destination
Port
Source Port (Remote
(GSS) Device) Protocol Details
20–23 * TCP Return traffic of FTP, SSH, and
Telnet server services on the GSS
* 20, 21, 23 TCP Traffic of FTP and Telnet GSS CLI
commands
53 *
UDP, TCP GSS DNS server traffic
*
53 UDP GSS software reverse lookup and
updates
*
161 UDP Simple Network Management
443 * TCP Primary GSSM GUI
*
2001–2009 TCP Inter-GSS communication
2001-2009 * TCP Inter-GSS communication
*
3001–3009 TCP Inter-GSS communication

9-32 OL-4327-01
Configuring SNMP on Your GSS Network
Table 9-3 Outbound Traffic Originating from the GSS (continued)
Destination
Port
Source Port (Remote
(GSS) Device) Protocol Details
3001-3009 * TCP Inter-GSS communication
* 5002 UDP KAL-AP keepalives

To configure your GSS devices to function behind a firewall:
1. Determine what level of access and what services you wish to enable on your
GSSs and GSSMs. Determine whether you want to allow FTP, SSH, and
Telnet access to the device, or do you wish to permit GUI access to your
primary GSSM.
Table 9-2 and Table 9-3 show which GSS-related ports and protocols must be
enabled for the product to function properly.
2. Construct your access lists to filter traffic coming to and from your GSS
device.

Your GSS or GSSM contains an Simple Network Management Protocol (SNMP)
agent, ucd-snmp v4.2.3, that enables you to query your GSS devices for standard
MIB resources found in MIB-II (RFC-1213) and HOST-RESOURCE-MIB
(RFC-1514). SNMP runs on GSS port 161 by default.
MIB-II and HOST-RESOURCE-MIB definitions can be obtained from the
following Cisco FTP sites:
ftp://ftp.cisco.com/pub/mibs/v1
Before you can begin using SNMP to monitor your GSS or GSSM, however, you
must first enable the SNMP agent on your GSS device.

OL-4327-01 9-33

• Configuring SNMP on Your GSS
• Viewing SNMP Status
• Viewing MIB Files on the GSS
Configuring SNMP on Your GSS

To enable and configure the SNMP agent on your GSS device:
3. Use the snmp enable command to enable the SNMP agent. For example:
gss1.yourdomain.com(config)# snmp enable
4. Use the snmp community-string command to specify a SNMP community

name for this GSS device. By default, the SNMP community string is public.
To change the SNMP community string, enter an unquoted text string with no
space and a maximum length of 12 characters. For example:
gss1.yourdomain.com(config)#snmp community-string
Enter new Community String:
5. Use the snmp contact command to specify the name of the contact person for
this GSS device. You can also include information on how to contact the
person; for example, a phone number or e-mail address. Enter an unquoted
text string with a maximum of 255 characters including spaces.For example:
gss1.yourdomain.com(config)#snmp contact
Enter new Contact Info: Cisco Systems, Inc.

9-34 OL-4327-01
6. Use the snmp location command to specify the physical location of this GSS
device. Enter an unquoted text string with a maximum length of 255
characters. For example:
gss1.yourdomain.com(config)#snmp location
Enter new Location Info: Boxborough, MA 01719
7. To disable SNMP or any of the parameters outlined above, use the no form of
the snmp command. For example, to disable SNMP for the GSS, enter:
gss1.yourdomain.com(config)# no snmp enable
Viewing SNMP Status

Once SNMP is enabled, you can display the Simple Network Management
Protocol (SNMP) operating status on your GSS device using the show snmp
command.
To view the operating status of SNMP on your GSS device:
3. Use the show snmp command to verify that your SNMP agent, ucd-snmp, is
enabled or disabled, as well as the community-string, location and contact.
For example:
Host# show snmp
snmp is enabled
snmp settings
-------------
Community String = <set>
Location = Boxborough MA
Contact = Cisco Systems
Note You can also use the gss status command to verify if SNMP is enabled or
disabled.
4. See the “Configuring SNMP on Your GSS” section to change the status of
your SNMP agent.

OL-4327-01 9-35
Viewing MIB Files on the GSS

If necessary, you can view the GSS MIB files contained in the /mibs directory on
the GSS. The GSS includes a set of standard MIB resources found in MIB-II
(RFC-1213) and HOST-RESOURCE-MIB (RFC-1514). MIB-II and
HOST-RESOURCE-MIB definitions can be obtained from the following Cisco
FTP sites:
If you need to copy the MIBs, use the ftp or scp commands.
To view the GSS MIB files:
3. Use the dir command to view the list of GSS MIBs contained in the /mibs
directory. For example:
gss.cisco.com#dir /mibs
total 1100
drwxr-xr-x 2 root root 4096 Jul 18 08:45 .
drwxrwxrwx 19 root root 4096 Jul 18 08:46 ..
-rw-r--r-- 1 root root 17455 Jul 18 08:45 AGENTX-MIB.txt
-rw-r--r-- 1 root root 19850 Jul 18 08:45 DISMAN-SCHEDULE-MIB.txt
-rw-r--r-- 1 root root 64311 Jul 18 08:45 DISMAN-SCRIPT-MIB.txt
-rw-r--r-- 1 root root 50054 Jul 18 08:45 EtherLike-MIB.txt
-rw-r--r-- 1 root root 4660 Jul 18 08:45 HCNUM-TC.txt
-rw-r--r-- 1 root root 52544 Jul 18 08:45 HOST-RESOURCES-MIB.txt
-rw-r--r-- 1 root root 10583 Jul 18 08:45 HOST-RESOURCES-TYPES.txt
-rw-r--r-- 1 root root 4015 Jul 18 08:45
IANA-ADDRESS-FAMILY-NUMBERS-MIB.txt
-rw-r--r-- 1 root root 4299 Jul 18 08:45 IANA-LANGUAGE-MIB.txt
-rw-r--r-- 1 root root 15661 Jul 18 08:45 IANAifType-MIB.txt
-rw-r--r-- 1 root root 5066 Jul 18 08:45 IF-INVERTED-STACK-MIB.txt
-rw-r--r-- 1 root root 71691 Jul 18 08:45 IF-MIB.txt
-rw-r--r-- 1 root root 6260 Jul 18 08:45 INET-ADDRESS-MIB.txt
-rw-r--r-- 1 root root 26781 Jul 18 08:45 IP-FORWARD-MIB.txt
-rw-r--r-- 1 root root 23499 Jul 18 08:45 IP-MIB.txt
-rw-r--r-- 1 root root 15936 Jul 18 08:45 IPV6-ICMP-MIB.txt
-rw-r--r-- 1 root root 48703 Jul 18 08:45 IPV6-MIB.txt
-rw-r--r-- 1 root root 2367 Jul 18 08:45 IPV6-TC.txt
-rw-r--r-- 1 root root 7257 Jul 18 08:45 IPV6-TCP-MIB.txt
-rw-r--r-- 1 root root 4400 Jul 18 08:45 IPV6-UDP-MIB.txt
-rw-r--r-- 1 root root 1174 Jul 18 08:45 RFC-1215.txt

9-36 OL-4327-01
Backing Up the GSSM
-rw-r--r-- 1 root root 3067 Jul 18 08:45 RFC1155-SMI.txt

-rw-r--r-- 1 root root 79667 Jul 18 08:45 RFC1213-MIB.txt
-rw-r--r-- 1 root root 147822 Jul 18 08:45 RMON-MIB.txt
-rw-r--r-- 1 root root 4628 Jul 18 08:45 SMUX-MIB.txt
-rw-r--r-- 1 root root 15490 Jul 18 08:45 SNMP-COMMUNITY-MIB.txt
-rw-r--r-- 1 root root 20750 Jul 18 08:45 SNMP-FRAMEWORK-MIB.txt
-rw-r--r-- 1 root root 5261 Jul 18 08:45 SNMP-MPD-MIB.txt
-rw-r--r-- 1 root root 19083 Jul 18 08:45 SNMP-NOTIFICATION-MIB.txt
-rw-r--r-- 1 root root 8434 Jul 18 08:45 SNMP-PROXY-MIB.txt
-rw-r--r-- 1 root root 21495 Jul 18 08:45 SNMP-TARGET-MIB.txt
-rw-r--r-- 1 root root 38035 Jul 18 08:45 SNMP-USER-BASED-SM-MIB.txt
-rw-r--r-- 1 root root 33430 Jul 18 08:45 SNMP-VIEW-BASED-ACM-MIB.txt
-rw-r--r-- 1 root root 8263 Jul 18 08:45 SNMPv2-CONF.txt
-rw-r--r-- 1 root root 25052 Jul 18 08:45 SNMPv2-MIB.txt
-rw-r--r-- 1 root root 8924 Jul 18 08:45 SNMPv2-SMI.txt
-rw-r--r-- 1 root root 38034 Jul 18 08:45 SNMPv2-TC.txt
-rw-r--r-- 1 root root 3981 Jul 18 08:45 SNMPv2-TM.txt
-rw-r--r-- 1 root root 10765 Jul 18 08:45 TCP-MIB.txt
-rw-r--r-- 1 root root 2058 Jul 18 08:45 UCD-DEMO-MIB.txt
-rw-r--r-- 1 root root 3131 Jul 18 08:45 UCD-DISKIO-MIB.txt
-rw-r--r-- 1 root root 2928 Jul 18 08:45 UCD-DLMOD-MIB.txt
-rw-r--r-- 1 root root 8037 Jul 18 08:45 UCD-IPFWACC-MIB.txt
-rw-r--r-- 1 root root 30343 Jul 18 08:45 UCD-SNMP-MIB.txt
-rw-r--r-- 1 root root 4076 Jul 18 08:45 UDP-MIB.txt
4. If desired, use the ftp or scp command to copy the MIB files from the /mibs
directory on the GSS to another location on the GSS or to a remote network
location.
Backing Up the GSSM

The GSSM database of your primary GSSM is the heart of your GSS network. The
GSSM database maintains all network and device configuration information, as
well the DNS rules that are used by your GSS devices to route DNS queries from
users to available hosts.
Because it is so important to the continued operation of your GSS network, it is
important that you make frequent backups of your primary GSSM and its database
to ensure that if a sudden and unexpected power loss or media failure occurs, your
GSSM configuration and database survive, and your GSSM can be quickly
restored to operation.
The two types of backups that you can perform are:
• Full—Backs up the GSSM network configuration settings as well as the
GSSM database holding GSLB configuration information
• Database—Backs up just the primary GSSM database

OL-4327-01 9-37
Backing Up the GSSM
We recommend that you always perform a full backup of the GSSM. From a full
backup, you can later restore the same information that is contained in a
database-only backup in addition to GSSM platform information (if desired). You
do not have the option of restoring GSSM platform information from a
database-only backup. The full backup provides you with the flexibility to pick
and choose the specific GSSM configuration information you want to restore on
the GSSM.
Whenever you execute a backup on your primary GSSM, the GSS software
automatically creates a tar archive (“tarball”) of the necessary files. If you are
performing a full backup, this file has the .full extension. If you are performing a
database backup, the file has the .db extension.
When you execute a database restore on your primary GSSM, this archive is
automatically unpacked and the database is copied to the GSSM, overwriting the
failed database that is there.
Backing up your GSSM database requires access to the GSS CLI and the
completion of the following actions:
1. Determining the appropriate time to back up your GSSM
2. Determining whether you need to perform a full backup or database-only
backup
3. Performing the backup
4. Moving the backup file to a secure location on your network
• Determining When and What Type of Backup to Perform
• Performing a Full GSSM Backup
• Performing a GSSM Database Backup

9-38 OL-4327-01
Backing Up the GSSM
Determining When and What Type of Backup to Perform

Some general guidelines exist for when and how to back up your primary GSSM.
If followed, they help ensure that you are never caught unprepared if you suffer a
catastrophic loss of your GSSM.
When to Perform a Full Backup

You should perform a full backup of your GSSM in these situations:
• Before switching GSSM roles, making the standby GSSM your primary
GSSM on your network
• Before you perform a GSS software upgrade
• After you make any changes in the device or network configuration of your
GSSM
When to Perform a Database Backup

You should perform a database backup of your GSSM in these situations:
• After you make any changes in the device configuration of any of your GSS
devices using the GSSM GUI
• After you make any changes to the GSLB configuration of your GSS network
using the GSSM GUI. For example, adding or removing an answer, source
address list, DNS rule, or user account
Performing a Full GSSM Backup

You can perform a full primary GSSM backup at any time. Performing a full
backup of the primary GSSM requires access to the CLI.
To perform a full backup of your primary GSSM:

OL-4327-01 9-39
Backing Up the GSSM
3. Use the gssm database validate command to verify the integrity of your
existing database.
gssm1.yourdomain.com# gssm database validate
gssm1.yourdomain.com#
4. Use the gssm backup command to create a full backup of your primary
GSSM. You need to supply a filename for your full backup. For example:
gssm1.yourdomain.com# gssm backup full gssmfullbk
GSSM database backup succeeded [gssmfullbk.full]
5. Copy or move the backup file off your primary GSSM after you receive
confirmation that the GSSM successfully created your full backup. This
ensures that the backup is not lost if a media failure or other catastrophic loss
occurs on your primary GSSM.
Either the secure copy (scp) or ftp command can be used to move your full
backup to a remote host. For example:
gssm1.yourdomain.com# scp gssmfullbk.full username@server.yourdomain.com:~/
Performing a GSSM Database Backup

You can perform a database backup at any time. Backing up the primary GSSM
database requires access to the GSS CLI.
To perform a database backup of your primary GSSM:
3. Use the gssm backup command to create backup your primary GSSM
database. You need to supply a filename for your database backup. For
example:
gssm1.yourdomain.com# gssm backup database gssmdbbk
GSSM database backup succeeded [gssmdbbk.db]

9-40 OL-4327-01
Upgrading the Cisco GSS Software
4. Copy or move the backup file off your primary GSSM after you receive
confirmation that the GSSM successfully created your full backup. This
ensures that the backup is not lost if a media failure or other catastrophic loss
occurs on your primary GSSM.
Either the secure copy (scp) or ftp command can be used to move your
database backup to a remote host. For example:
gssm1.yourdomain.com# scp gssmdbbk.db server.yourdomain.com:home

To upgrade to a new software version, you must have access to the GSS download
area of the Cisco software download site and to Cisco.com. You must be familiar
with the proper procedure for updating your GSS devices and know the CLI
commands required to execute the backup.
To take full advantage of all of the features and capabilities of the software
release, we recommend that you upgrade all GSS devices in your network within
the same time frame, starting with the primary GSSM. This upgrade sequence
ensures that the other GSS devices properly receive configuration information
from, and are able to send statistics to, the primary GSSM.
The GSS software upgrade requires that you complete the following procedures
in the order listed below:
1. Verifying the GSSM Role in the GSS Network
2. Backing up and Archiving the Primary GSSM
3. Obtaining the Software Upgrade
4. Upgrading Your GSS Devices

OL-4327-01 9-41
Verifying the GSSM Role in the GSS Network

You can reconfigure the standby GSSM to operate as an interim primary GSSM
in the event that the primary GSSM is unavailable (for example, you need to move
the primary GSSM or you want to take it offline for repair or maintenance). Note
that the changing of roles between the designated primary GSSM and the standby
GSSM is intended to be a temporary GSS network configuration until the original
primary GSSM is back online. Before you continue with the upgrade procedure,
verify that the roles of the designated primary and standby GSSMs have not
changed.
To verify the role of the current primary GSSM and the standby GSSM:
1. At the CLI of the current primary GSSM, enter the following commands:
gssm1.yourdomain.com# cd /home
gssm1.yourdomain.com# type ../props.cfg | grep -i fqdn
The following output appears:

controllerFqdn= domain_name or ip_address
2. Based on the output value for controllerFqdn, note the following:

– If the value of the domain name or IP address is the current primary
GSSM in your network, then the current primary GSSM and standby
GSSM configuration is the original configuration and no further action is
needed. Proceed to the “Backing up and Archiving the Primary GSSM”
section.
– If the value of the domain name or IP address is the current standby
GSSM in your network, then the current primary GSSM and standby
GSSM configuration is not the original configuration. In this case, you
must reverse the roles of the primary and standby GSSM devices to those
of the original GSS network deployment. See the “Reversing the Roles
of the Interim Primary and Standby GSSMs” section.
– If the value of the domain name or IP address is not the current primary
GSSM or the standby GSSM in your network, this indicates that the
device is not a primary GSSM or is no longer on the network. No further
action is required. Proceed to the “Backing up and Archiving the Primary
GSSM” section.

9-42 OL-4327-01
The next step is to ensure that you have a full (and current) backup of the primary
GSSM database and that you archive this backup. Proceed to the “Backing up and
Archiving the Primary GSSM” section.
Backing up and Archiving the Primary GSSM

Before you upgrade your GSS software, ensure that you have a full backup of your
primary GSSM database and that you archive the backup by moving it to a remote
device. The GSSM database maintains all network and device configuration
information, as well the DNS rules that are used by your GSS devices to route
DNS queries from users to available hosts. That way, if necessary, you can quickly
restore your GSS network to its previous state. You can perform a full backup at
any time. Doing so does not interfere with the functions of the primary GSSM or
other GSS devices.
See the “Performing a Full GSSM Backup” section for instructions on performing
a full backup of your primary GSSM. Performing a full backup requires access to
the CLI.
You are now ready to obtain the upgrade file and upgrade the software on a GSS
device. Proceed to the “Obtaining the Software Upgrade” section.
Obtaining the Software Upgrade

Before you can update your GSS software, obtain the appropriate software update
file from Cisco.
To acquire the software update from Cisco, you must:
• Access the Cisco.com website and locate the software update files.
• Download the software update files to a server within your own organization
that is accessible using FTP or SCP from your GSSs and GSSMs.
You must have a Cisco.com username and password before attempting to
download a software update from Cisco.com. To acquire a Cisco.com login, go to
http://www.cisco.com and click the Register link.

OL-4327-01 9-43
Note You need a service contract number, Cisco.com registration number and
verification key, Partner Initiated Customer Access (PICA) registration
number and verification key, or packaged service registration number to obtain
a Cisco.com username and password.
To add an upgrade file for the GSS software:

1. Launch your preferred web browser and point it to the Cisco Global Site
Selector download page. When prompted, log in to Cisco.com using your
designated Cisco.com username and password. The Cisco GSS Software
download page appears, listing the available software upgrades for the GSS
software product.
2. If you do not have a shortcut to the Cisco Global Site Selector download page:
a. Log in to Cisco.com using your designated Cisco.com username and
password.
b. Access the Software Center from the Technical Support link.
c. Select the Content Networking Software link from the Software Center -
Software Products and Downloads page.
d. Select the Cisco Global Site Selector link from the Software Center -
Content Networking page.
e. Select the Download Cisco Global Site Selector link from the Software
Center - Content Networking page.
The Cisco GSS Software download page appears, listing the available
software upgrades for the Cisco GSS Software product.
Note When you first access the Content Networking page of the Software
Center, you must apply for eligibility for GSS software updates because
it is considered a strong encryption image. Under the Cisco Content
Networking Cryptographic Software section is the Apply for 3DES Cisco
Cryptographic Software Under Export Licensing Controls link. Click this
link and complete the Encryption Software Export Distribution
Authorization Form. You must complete this step to access and download
Global Site Selector software images.

9-44 OL-4327-01
3. Locate the .upg file you wish to download by referring to the Release column
for the proper release version of the software.
Note The meta file, originally posted for use with GSS version 1.0, is no longer
posted for version 1.1(0) and subsequent releases. The meta file is
unnecessary for the installation, and is only used as a check to let you
verify the file size of the upgrade file. The Cisco Global Site Selector
Software download page contains information on the GSS file size, the
MD5 checksum, and other important details about the GSS software
upgrade file. Use this file information to verify the integrity of the
software upgrade file.
4. Click the link for the .upg file. The download page appears.
5. Click the Software License Agreement link. A new browser window opens
to display the license agreement.
6. After you have read the license agreement, close the browser window
displaying the agreement and return to the Software Download page.
7. Click the filename link labeled Download. If prompted, reenter your
username and password.
8. Click Save to file and then choose a location on your workstation to
temporarily store the .upg upgrade file.
9. Post the .upg file that you downloaded to a designated area on your network
that is accessible to all your GSS devices.
You are now ready to upgrade the software on a GSS device. Proceed to the
“Upgrading Your GSS Devices” section.
Upgrading Your GSS Devices

You must upgrade your GSS devices in the following sequence: the primary
GSSM first, followed by the other GSS devices in your network. After you
upgrade the primary GSSM, ensure that the GSS device in your network being
upgraded has connectivity to the primary GSSM before you perform the software
upgrade procedure.

OL-4327-01 9-45
When executing an upgrade, use the CLI install command. Before proceeding
with the installation of the software upgrade, the install command also performs
a validation check on the upgrade file, unpacks the upgrade archive, and installs
the upgraded software. Finally, the install command restarts the affected GSS
device.
Note Upgrading your GSS devices causes a temporary loss of service for each
affected device.
To upgrade the GSS software (starting with the primary GSSM):

1. Log on to the CLI of the GSS device.
2. Use the ftp or scp command to copy the GSS software upgrade file from the
network location to a directory on the GSS. Ensure that you set the transfer
type to binary.
For example, to copy an upgrade file named gss.upg from a remote host, your
FTP session might look like the following:
gssm1.yourdomain.com> ftp host.yourdomain.com
Connected to host.yourdomain.com.
220 host.yourdomain.com FTP server (Version wu-2.6.1-0.6x.21)
ready.
Name (host.yourdomain.com:root): admin
331 Password required for admin.
Password:
230 User admin logged in. Access restrictions apply.
Remote system type is UNIX.
Using ascii mode to transfer files.
ftp> binary
ftp> get
(remote-file) gss.upg
(local-file) gss.upg
local: gss.upg remote: gss.upg
200 PORT command successful.
...

4. Enter the gss stop command to stop your GSS servers. For example:
gssm1.yourdomain.com# gss stop

9-46 OL-4327-01
5. Enter the install command to install the upgrade. For example:

gssm1.yourdomain.com# install gss.upg
6. At the Proceed with install (the device will reboot)? (y/n): prompt, type y to
reboot the GSS device. When the GSS reboots, you lose any network CLI
connections. Console connections remain active.
7. If you did not previously save changes to the startup-configuration file, the Save
current configuration? [y/n]: prompt appears. Type y to continue. The GSS
reboots.
8. After the GSS device reboots, log on to the device and enable privileged
EXEC mode.
9. Enter the gss status command and verify that the GSS device reaches a
Normal Operation state of runmode 4 or 5.
10. Repeat this procedure for the remaining GSS devices in your network.

OL-4327-01 9-47
Downgrading and Restoring Your GSS Devices

If you encounter problems with a software upgrade, you can always restore an
earlier version of the GSS software on your GSSs and GSSMs.
However, to restore an earlier version of your software, you must have backed up
a version of your GSSM database that corresponds to that version. In other words,
if you wish to downgrade from GSS Release 3 to GSS Release 1 software, there
must be a GSS Release 1 database backup that you can restore; your GSS Release
3 database cannot run on the Release 1 platform because of changes in the
database schema between releases.
We recommend that you always perform a full backup of the GSSM. From a full
backup, you can restore the same information that is contained in a database-only
backup in addition to GSSM platform information (if desired). You do not have
the option of restoring GSSM platform information from a database-only backup.
The full backup provides you with the flexibility to pick and choose the specific
GSSM configuration information you want to restore on the GSSM.
When downgrading, use the following order of operations to safeguard your
critical GSS data and properly restore your GSSM database:
1. Verify the current software version.
2. Perform a full backup of your primary GSSM.
3. Obtain the software downgrade (.upg) file.
4. Downgrade your GSS device.
5. Verify your downgrade.
In addition, do not attempt to restore an earlier version of the software than the
earliest database backup you have available. For example, if the earliest version
of the GSS software that you have run is Release 2.0 and your earliest database
backup is for Release 2.0, do not attempt to downgrade to a release of the software
earlier than 2.0.
• Restoring an Earlier Software Version on Your GSS Devices
• Restoring Your GSSM from a Full Backup
• Restoring Your GSSM Database from a Database-Only Backup

9-48 OL-4327-01
Restoring an Earlier Software Version on Your GSS Devices

To restore an earlier version of your GSS software, follow the instructions in the
“Verifying the GSSM Role in the GSS Network” and “Upgrading Your GSS
Devices” sections to acquire and then install the earlier software upgrade.
After you have downgraded the software on your GSSM, see the “Restoring Your
GSSM from a Full Backup” section to restore your backed up GSSM database.
Restoring Your GSSM from a Full Backup

When restoring the GSSM from a full backup as opposed to a database backup,
you use the last full backup to restore the GSS device’s network configuration
settings as well as the encryption keys that are used to communicate with other
GSS devices. Restoring the GSSM from a full backup should be done when you
need to return the device to its exact configuration as of the last full backup. It is
not necessary if you are simply rolling back the device to an earlier software
version.
Use the following procedure to restore an earlier version of the GSSM from a full
backup:
2. Verify that your full backup of the GSSM is at a location that is accessible
from the GSSM that you are restoring. Full backups have a .full file
extension.
4. Stop the GSS software on the GSSM and then use the gss status command to
confirm that the GSSM has stopped. For example:
atcr1.cisco.com# gss stop
atcr1.cisco.com# gss status
Cisco GSS - 1.1(0.0.1) - [Mon Sep 15 11:33:47 UTC 2003]
gss is not running.

OL-4327-01 9-49
5. Once the GSSM has stopped, use the gssm restore command to restore the
GSSM from the full backup file. To restore the file gssmfullbk.full, you would
enter:
gss1.yourdomain.com# gssm restore gssmfullbk.full
6. Confirm your decision to overwrite GSS system configuration information on

the GSSM and restart the GSSM device. Enter y for yes (or n to stop the
restore process).
% WARNING WARNING WARNING
Restoring the database will overwrite all existing
system configuration. If running, the system will
be restarted during this process.
Are you sure you wish to continue? (y/n): y

Backup file is valid. Timestamp = 2003-Sep-15-14:01:53
7. Confirm your decision whether to restore GSSM platform information, or

only the GSS database. This selection enables you to return the primary
GSSM back to the original state prior to the database backup. Platform
information includes all configuration parameters set at the CLI, including:
interface configuration, hostname, service settings (NTP, SSH, Telnet, FTP,
and SNMP), timezone, logging levels, Web certificates, inter-GSS
communication certificates, access lists and access groups, CLI user
information, GUI user information, and property-set CLI commands.
This backup contains a backup of the platform configuration.
'n' restores just the database. Restoring platform files requires
a reboot.
Restore Platform files? [y/n]: y
Perform one of the following actions:

– Select y to restore GSSM platform information.
Note Restoring platform information requires a reboot of the GSS at the

end of the restore procedure.
– Select n to restore only the GSSM database and not the GSSM platform
information. If you choose not to restore GSSM platform information,
you must reconfigure the GSSM platform information from the CLI.
Refer to Chapter 2, Setting Up Your GSS for details.

9-50 OL-4327-01
8. Confirm your decision to restore the GSS network information for remote
devices activated from the primary GSSM.
Do you want to replace your current GSS network configuration with
the one specified in the backup file? (y/n): y

– Select y to restore the GSS network information, such as registered GSS
devices, GSS device status, node information, and IP addresses. This is
the network information displayed in the Global Site Selectors list table
in the Resources tab (refer to Chapter 2, Setting Up Your GSS). GSS
network information does not include DNS rules, answers, keepalive, and
so on. Those configuration elements are automatically restored as part of
the database restore process.
– Select n to instruct the software not to restore GSS network information
to the GSSM. If you choose not to restore the GSS network information,
you must disable and enable each device, then reregister the device with
the primary GSSM, which may result in a temporary network service
outage. Refer to Chapter 2, Setting Up Your GSS for details.
The GSSM continues with the restore process.
Deleting existing database...
Creating empty database for restore...
Restoring the database...
Using GSS network information present in backup file...
Restoring platform backup files.
Database restored successfully.
Reboot Device now? (y/n): y
If you specified to restore GSSM platform information, the GSSM reboots.

9. Use the gss status command to confirm that your restored GSSM is up and
running in normal operation mode (runmode = 5).

OL-4327-01 9-51
Restoring Your GSSM Database from a Database-Only Backup

You must have a backup of an earlier version of your database file to restore it to
run with your downgraded GSS software. You should be aware that the GSS
database schema often changes between versions. When you downgrade from a
later to an earlier version of the GSSM database, any configuration changes that
you entered through the GSSM subsequent to your last upgrade are lost, including
configuration changes, device configuration information, and DNS rules.
See the “Backing Up the GSSM” section for details on performing a database
backup of the GSSM.
Note Restoring your GSSM database requires that the GSSM device be stopped and
restarted, resulting in the device and the GUI being unavailable for a short period.
Use the following procedure to restore an earlier version of the GSSM from a
backup:
2. Verify that the full backup of the GSSM is at a location that is accessible from
the GSSM that you are restoring. Full backups have a .full file extension.
4. Stop the GSS software on the GSSM and then use the gss status command to
confirm that the GSSM has stopped. For example:
gss1.yourdomain.com# gss stop
gss1.yourdomain.com# gss status
Cisco GSS - 1.1(0.0.1) - GSSM - primary [Mon Sep 15 12:58:27 UTC
2003]
gss is not running.

9-52 OL-4327-01
5. Once the GSSM has stopped, use the gssm restore command to restore the
GSSM database from the backup file that corresponds to the software version
that you just restored. To restore the file gssmdbbk.db, you would enter:
gss1.yourdomain.com# gssm restore gssmdbbk.db
6. Confirm your decision to overwrite GSS system configuration information on

the GSSM and restart the GSSM device. Enter y for yes (or n to stop the
restore process).
% WARNING WARNING WARNING
Restoring the database will overwrite all existing
system configuration. If running, the system will be restarted
during this process.
Are you sure you wish to continue? (y/n):

Backup file is valid. Timestamp = 2003-Aug-20-14:02:06
Restoring database only (No platform backup present)
7. Confirm your decision to restore the GSS network information for remote
devices activated from the primary GSSM.
Do you want to replace your current GSS network configuration with
the one specified in the backup file? (y/n): y

– Select y to restore the GSS network information, such as registered GSS
devices, GSS device status, node information, and IP addresses. This is
the network information displayed in the Global Site Selectors list table
in the Resources tab (refer to Chapter 2, Setting Up Your GSS). GSS
network information does not include DNS rules, answers, keepalive, and
so on. Those configuration elements are automatically restored as part of
the database restore process.
– Select n to instruct the software not to restore GSS network information
to the GSSM. If you choose not to restore the GSS network information,
you must disable and enable each device, then reregister the device with
the primary GSSM, which may result in a temporary network service
outage. Refer to Chapter 2, Setting Up Your GSS for details.

OL-4327-01 9-53
Viewing Third-Party Software Versions
The GSSM continues with the restore process.

Deleting existing database...
Creating empty database for restore...
Restoring the database...
Using GSS network information present in backup file...
Database restored successfully.
GSSM database restore succeeded.
8. Once you receive confirmation that the database restoration has succeeded,
use the gss start command to restart your GSSM. For example:
gss1.yourdomain.com# gss start
System started.
9. Use the gss status command to confirm that your restored GSSM is up and
running in normal operation mode ( runmode = 5).

The GSS software relies on a variety of third-party software products to operate
properly. For that reason, the GSSM GUI provides a feature that easily allows you
to track the third-party software used by the GSS software.
To view information on the third-party software currently running on your GSS:
1. From the GSSM GUI, click the Tools tab.
2. Click the Third-Party Software navigation link. The GSSM
Third-Party Software list page appears (Figure 9-5). This page displays the
following information:
• Product—Third-party software product. For example, RedHat Version
6.2
• Version—Version of the third-party software currently installed on the
GSS device
• URL—Web URL for the software product

9-54 OL-4327-01
Figure 9-5 GSSM Third-Party Software List Page

OL-4327-01 9-55
Primary GSSM Error Messages

The following sections describe error messages that you may encounter when
using the primary GSSM GUI to manage your GSS network. Error messages are
organized by GSSM component.
This section contains the following GSSM error messages:
• Answer Error Messages
• Answer Group Error Messages
• DNS Rule Error Messages
• Domain List Error Messages
• Shared KeepAlive Error Messages
• KeepAlive Error Messages
• Location Error Messages
• Owner Error Messages
• Region Error Messages
• GSSM Error Messages
• Source Address List Error Messages
• User Error Messages
Answer Error Messages
Error Message Invalid answer name. If entered, name must not be the
empty string.
Explanation The name that you entered for the answer is not valid. Answer
names cannot be blank or contain blank spaces.
Recommended Action Enter a valid alphanumeric answer name of a least 1 and

no more than 80 characters in length that does not contain spaces.

9-56 OL-4327-01
Error Message Invalid answer name. Name length must not exceed 80
characters.
Explanation The answer name that you entered contains too many characters.
Recommended Action Enter a valid alphanumeric answer name of at least 1 and

no more than 80 characters in length that does not contain spaces.
Error Message Invalid CRA timing decay. Timing decay must be

between 1 and 10.
Explanation You entered an invalid number for the CRA timing decay.
Recommended Action Enter a number between 1 and 10. Lower timing decay
values mean that more recent DNS races are weighted more heavily than older
races. Higher decay values mean that the results of older races are weighted
more heavily than more recent races.
Error Message Invalid CRA static RTT value. Static RTT must be
between 0 and 1000.
Explanation You entered an invalid number for the static round-trip time
(RTT). This is a manually entered value that is used by the GSS to represent
the time it takes for traffic to reach and return from a host.
Recommended Action Enter a static RTT value between 0 and 1000.
Error Message A VIP/Name Server/CRA-type answer named answer_name

already exists. If specified, name and type must uniquely
identify an answer.
Explanation You are trying to create an answer that already exists on the GSS.
You cannot have two answers with the same name and answer type.
Recommended Action Assign a new name or answer type to your answer to

make it unique.

OL-4327-01 9-57
Error Message An unnamed VIP/Name Server/CRA-type answer having

address IP_address already exists. Name must be specified to
configure an answer with the same address as another answer.
Explanation You are trying to create an answer that already exists on the GSS.
You cannot have two answers with the same name and IP address.
Recommended Action Assign a new name to your answer to make it unique.
Error Message The maximum number of number VIP/Name Server/CRA-type

answers has been met.
Explanation You are attempting to create an answer when the maximum

number of that type of answer has already been created.
Recommended Action Remove an existing answer of the same type.
Error Message CRA decay value must be specified.
Explanation You are attempting to create a CRA answer type without

specifying a decay value. The decay value is required to tell the GSS how to
evaluate and weigh DNS race results.
Recommended Action Enter a number between 1 and 10 for the CRA decay,
with 1 causing the GSS to weigh recent DNS race results more heavily, and 10
telling it to weigh them less heavily.
Error Message CRA static RTT must be specified.
Explanation You are attempting to create a CRA answer type without

specifying a static round-trip time (RTT) value. The RTT value is used to force
the GSS to use a value that you supply as the round-trip time necessary to
reach the requesting D-proxy.
Recommended Action Enter a number between 1 and 1000 for the CRA
round-trip time in milliseconds.

9-58 OL-4327-01
Error Message Invalid keepalive tag. Tag must be at least one

character in length.
Explanation You are attempting to create a VIP answer with a KAL-AP By Tag
keepalive, but you have not specified a value for the tag in the field provided.
Recommended Action Enter an alphanumeric tag between 1 and 76 characters

in the Tag field.
Error Message Invalid keepalive tag. Tag length must not exceed
76 characters.
Explanation You are attempting to create a VIP answer with a KAL-AP By Tag
keepalive, but you have specified a value for the tag that contains too many
characters.
Recommended Action Enter an alphanumeric tag between 1 and 76 characters

in the Tag field.
Error Message NS-type answer IP Address has the same IP address as

GSS GSS_name. GSS IP addresses must not equal any NS-type
answers.
Explanation You are attempting to create a name server answer type with the
same IP address as a GSS device on the same GSS network. Name server
answers cannot use the same address as GSS devices belonging to the same
GSS network.
Recommended Action Assign a valid IP address to your name server answer.

OL-4327-01 9-59
Answer Group Error Messages
Error Message This answer group cannot be deleted because it is

referenced by number DNS rule balance clause(s).
Explanation You are attempting to delete an answer group that is being

referenced by one or more DNS rules.
Recommended Action Modify any DNS rules that are referencing the answer
group so that those rules do not point to the group, and then try again to delete
the group.
Error Message Invalid answer group name. Name must be entered.
Explanation You are attempting to create an answer group without assigning a

name to that group. All answer groups must have names of at least one
character.
Recommended Action Enter a name for the new answer group in the field
provided, and then click Save.
Error Message Invalid answer group name. Name length must not
exceed 80 characters.
Explanation You are attempting to assign the answer group an invalid name.
Recommended Action Enter an alphanumeric name for the answer group that is
fewer than 80 characters and does not contain spaces.
Error Message Invalid answer group name. Name must not contain
spaces.
Explanation You are attempting to assign the answer group an invalid name.
Recommended Action Enter an alphanumeric name for the answer group that is

9-60 OL-4327-01
Error Message An answer group named name already exists. Name must
uniquely identify an answer group.
Explanation You are attempting to assign the answer group a name that is
already being used by a different GSS device.
Recommended Action Enter a unique alphanumeric name for the answer group
that is fewer than 80 characters and does not contain spaces.
Error Message The maximum number of number answers per VIP/Name

Server/CRA-type group has been met.
Explanation You are attempting to add an answer to an answer group to which

the maximum number of answers has already been assigned.
Recommended Action Remove an answer from the group, or add the answer to
a group to which the maximum number of answers has not already been added.
DNS Rule Error Messages
Error Message TTL must be specified for balance method associated

with CRA- or VIP-type answer group.
Explanation You are attempting to create a balance clause without specifying

a Time To Live (TTL) for answers returned by the clause.
Recommended Action Enter a TTL value between 0 and 604,800 seconds.
Error Message Invalid balance clause TTL. TTL must be between 0 and
604,800.
Explanation You are required to specify a Time To Live (TTL) value for
answers provided by the balance clause that you are creating.
Recommended Action Enter a TTL value between 0 and 604,800 seconds.

OL-4327-01 9-61
Error Message Invalid balance clause position. Position must be

between 0 and 2.
Explanation You are attempting to create a clause for your DNS rule that is out
of sequence. The DNS Rule Builder provides options for three balance
clauses, which must be created in order, with no gaps between clauses. For
example, if you are using only one balance clause, it must appear in the first
position. It cannot be listed in the second or third positions with the first
position left blank.
Recommended Action Rearrange your balance clauses in the DNS Rule Builder
so that they are listed in the proper order, with no gaps between them.
Error Message Hash type must be specified for answer group using
hash balance method.
Explanation You are trying to create an answer group using the balance method
“Hashed” with the selected answer, but you have not selected one (or more)
hash methods: By Domain Name and By Source Address.
Recommended Action Select one or more of the available hash methods by

checking the box corresponding to the methods that you wish to use with this
balance clause.
Error Message Balance clause Boomerang fragment size must be

specified.
Explanation You are attempting to create a balance clause using the boomerang
balance method but have not specified a fragment size in the Fragment Size
field. The fragment size determines the preferred size of the boomerang race
response that is produced by a match to a DNS rule and is sent to the
requesting client.
Recommended Action Enter a fragment size between 28 and 1980 in the field
provided. The fragment size must be divisible by 4.

9-62 OL-4327-01
Error Message Invalid balance clause Boomerang fragment size.

Boomerang fragment size must be 0 or between 28 and 1980.
Explanation You are attempting to specify an unacceptable fragment size for

this balance clause in the Fragment Size field.
Recommended Action Enter a valid fragment size. Fragment sizes must be

between 28 and 1980, and must be divisible by 4.
Error Message Invalid balance clause Boomerang fragment size.

Boomerang fragment size must be a multiple of 4.
Explanation You are attempting to specify a fragment for this boomerang

balance clause that is within the acceptable range but not divisible by 4.
Fragment sizes must be divisible by 4.
Recommended Action Enter a fragment size between 28 and 1980 that is also
divisible by 4. Zero is also an acceptable fragment size.
Error Message Balance clause Boomerang IP TTL value must be

specified.
balance method, but have not specified an IP Time To Live (TTL) in the field
provided. The IP TTL specifies the maximum number of network hops that
can be used when returning a response to a CRA from a match on a DNS rule.
Recommended Action Enter an IP TTL between 1 and 255 in the field provided
and then click Save.
Error Message Invalid balance clause Boomerang IP TTL. Boomerang

IP TTL must be between 1 and 255.
balance method but have specified an invalid IP Time to Live (TTL).
Recommended Action Enter an IP TTL between 1 and 255 in the field provided
and then click Save.

OL-4327-01 9-63
Error Message Balance clause Boomerang maximum propagation delay

must be specified.
balance method but have not specified a maximum propagation delay (Max
Prop. Delay) in the field provided. The maximum propagation delay specifies
the maximum length of time (in milliseconds) that is observed before the GSS
forwards a Domain Name System (DNS) request to a content routing agent
(CRA).
Recommended Action Enter a maximum propagation delay between 1 and

1000 milliseconds in the Max Prop. Delay field.
Error Message Invalid balance clause Boomerang maximum propagation

delay. Boomerang maximum propagation delay must be between 1 and
1000.
balance method but have not specified a valid maximum propagation delay
(Max Prop. Delay) in the field provided.
Recommended Action Enter a maximum propagation delay between 1 and

1000 milliseconds in the Max Prop. Delay field.
Error Message Balance clause Boomerang padding size must be

specified.
balance method but have not specified a pad size in the Pad Size field. The pad
size is the amount of extra data (in bytes) included with each content routing
agent (CRA) response packet and is used to evaluate CRA bandwidth as well
as latency when routing decisions are made.
Recommended Action Enter a valid pad size between 0 and 2000 in the
Pad Size field.

9-64 OL-4327-01
Error Message Invalid balance clause Boomerang padding size.

Boomerang padding size must be between 0 and 2000.
balance method but have specified an invalid pad size in the Pad Size field.
Recommended Action Enter a valid pad size between 0 and 2000 in the Pad Size
field.
Error Message Invalid balance clause Boomerang secret. If

specified, Boomerang secret must be between 1 and 64 characters
in length.
balance method but have specified an invalid secret in the Secret field. The
boomerang secret is a text string consisting of between 1 and 64 characters that
is used to encrypt critical data sent between the boomerang server and content
routing agents (CRAs). This key must be the same for each configured CRA.
Recommended Action Enter a valid boomerang secret between 1 and 64

characters in the Secret field.
Error Message Balance clause Boomerang server delay must be

specified.
Explanation You are attempting to create a balance clause using the

boomerang balance method but have not specified a server delay in the
Server Delay field. The boomerang server delay is the maximum delay (in
milliseconds) that is observed before the boomerang server component of
the GSS forwards the address of its “last gasp” server as a response to the
requesting name server.
Recommended Action Enter a valid server delay between 32 and

999 milliseconds in the Server Delay field.

OL-4327-01 9-65
Error Message Invalid balance clause Boomerang server delay.

Boomerang server delay must be between 32 and 999.
Explanation You are attempting to create a balance clause using the

boomerang balance method but have specified an invalid server delay in
the Server Delay field.
Recommended Action Enter a valid server delay between 32 and

999 milliseconds in the Server Delay field.
Error Message Invalid DNS rule name. Name must be entered.
Explanation You are attempting to create a DNS rule without assigning a name
to the rule. DNS rules must have names of between 1 and 100 characters.
Recommended Action Assign a name to your DNS rule using the Rule Name
field and then try again to save the rule.
Error Message Invalid DNS rule name. Name length must not exceed
100 characters.
Explanation You are attempting to assign a name to your DNS rule that is too
long. The maximum length for DNS rules is 100 characters.
Recommended Action Enter a name for your DNS rule that is between 1 and
100 characters and then attempt to save the rule again.
Error Message Invalid DNS rule name. Name must not contain spaces.
Explanation You are attempting to assign your DNS rule a name that contains
spaces.
Recommended Action Enter a valid name for your DNS rule that is between 1
and 100 characters and does not contain spaces.

9-66 OL-4327-01
Error Message A DNS rule using the specified source address list,
domain list, and matching query type already exists. Source
address list, domain list, and matching query type must uniquely
identify a DNS rule.
Explanation You are attempting to create a DNS rule that already exists. DNS
rules must specify a unique combination of source address list, domain list,
and matching query type.
Recommended Action Reconfigure your DNS rule so that it does not exactly
match the preexisting rule and then save the rule.
Error Message Duplicate answer group/balance method assignment

detected. A DNS rule cannot use the same answer group and balance
method in multiple balance clauses.
Explanation You are attempting to create two identical answer group and
balance method clauses in your DNS rule. Each clause must use a unique
combination of answer groups and balance methods.
Recommended Action Modify one of your answer group and balance method
pairs so that it is no longer identical to the other and then save your DNS rule.
Error Message Balance clause gap detected at position {0,1,2}.

Balance clauses must be specified sequentially without gaps.
Explanation You are attempting to create a clause for your DNS rule that is out
of sequence. The DNS Rule Builder provides options for three balance
clauses, which must be created in order, with no gaps between clauses. For
example, if you are using only one balance clause, it must appear in the first
position. It cannot be listed in the second or third positions with the first
position left blank.
Recommended Action Rearrange your balance clauses in the DNS Rule Builder
so that they are listed in the proper order, with no gaps between them.

OL-4327-01 9-67
Error Message A DNS rule named DNS_Rule_name already exists. Name

must uniquely identify a DNS rule.
Explanation You are attempting to assign a name to the DNS rule that is
already assigned to another rule. DNS rule names must be unique.
Recommended Action Assign the rule a name that is not already being used and
then save the rule.
Domain List Error Messages
Error Message <domain name> must contain at least one character.
Explanation You are attempting to add a domain to a domain list with an

invalid name. Domains in domain lists must have names of at least one
character.
Recommended Action Enter a name that is between 1 and 100 characters and
then save your domain list.
Error Message <domain name> character limit exceeded.
Explanation You are attempting to add a domain to a domain list using a name
that is too long. Domains in domain lists cannot have names of more than
100 characters.
Recommended Action Enter a new domain name of no more than 100 characters
and then save your domain list.
Error Message Domain specification must not exceed 128 characters.
Explanation You are attempting to add a domain to your domain list with a
name that is longer than 128 characters. Domain lists cannot contain domains
with names longer than 128 characters.
Recommended Action Replace the domain with a domain name containing

fewer than 128 characters and then save your domain list.

9-68 OL-4327-01
Error Message <domain name> must not contain spaces.
Explanation You are attempting to add a domain to your domain list with a
name that contains spaces. Domains in domain lists cannot have names that
contain spaces.
Recommended Action Modify the domain name so that it does not contain
spaces and then save your domain list.
Error Message <domain name> is not a valid regular expression:

<regular expression syntax error message here>
Explanation You are attempting to add a domain name to a domain list with a
name that contains invalid characters or formatting. Domain names in domain
lists must be valid regular expressions.
Recommended Action Modify the domain name so that it is a valid regular

expression and does not contain any invalid characters or formatting. For
example, www.cisco.com or .*\.cisco\.com, and then save your domain list.
Error Message <domain name> must not begin or end with '.'
Explanation You are attempting to add a domain to a domain list with a literal
name that contains an invalid character at the beginning or end of the domain
name.
Recommended Action Modify the domain name so that it does not contain a
period at the beginning or end of the name and then save your domain list.
Error Message <domain name> component must not begin or end with
'-'
Explanation You are attempting to add a domain to a domain list with a literal
name that contains an invalid character at the beginning or end of one
component of the domain name. For example, www.cisco-.com.
Recommended Action Modify the domain name so that it does not contain a
dash (-) at the beginning or end of any segment of the name and then save your
domain list.

OL-4327-01 9-69
Error Message <domain name> contains invalid character

'<character>' (<ASCII value of the character>)
Explanation You are attempting to add a domain to a domain list with a name
that contains an invalid text character. Domains belonging to domain lists must
have names that are regular expressions.
Recommended Action Modify the domain name so that it does not contain an
invalid text character and then save your domain list.
Error Message This domain list cannot be deleted because it is

referenced by X DNS rule
Explanation You are attempting to delete a domain list that is being referenced
by one or more DNS rules.
Recommended Action Modify any DNS rules that use the domain list so that
they no longer reference it and then try again to delete the list.
Error Message Invalid domain list name. Name must be entered.
Explanation You are attempting to create a domain list without a name.

Domain lists must have names of at least one character.
Recommended Action Assign a name of at least 1 and no more than

80 characters to your domain list and then save it.
Error Message Invalid domain list name. Name length must not exceed
80 characters.
Explanation You are attempting to create a domain list with a name that
is too long.
Recommended Action Assign a name of at least 1 and no more than

80 characters to your domain list and then save it.

9-70 OL-4327-01
Error Message Invalid domain list name. Name must not contain
spaces.
Explanation You are attempting to create a domain list with a name that
contains spaces. Domain list names cannot contain spaces.
Recommended Action Assign a name without spaces to your domain list. Names
must consist of at least 1 and no more than 80 characters. Save your domain
list when you have assigned it a valid name.
Error Message A domain list named '<name>' already exists. Name

must uniquely identify a domain list.
Explanation You are attempting to assign a name to your domain list that has
already been assigned to another domain list on the same GSS network.
Recommended Action Assign a unique name to your new domain list and then
save the list.
Error Message The maximum number of <limit> domains per list has
been met.
Explanation You are attempting to add a domain to your domain list when the
maximum number of domains has already been added to that list.
Recommended Action Remove an existing domain from the domain list and
then add the new domain. Alternatively, create a domain list to hold the new
domain and any subsequent domains that you wish to add.

OL-4327-01 9-71
Shared KeepAlive Error Messages
Error Message Invalid CAPP hash secret. Secret must be entered.
Explanation You are attempting to create a KAL-AP keepalive using a CAPP

hash secret but have not specified a secret in the field provided.
Recommended Action Enter a CAPP hash secret of no more than 31 characters

in the field provided.
Error Message Invalid CAPP hash secret. Secret length must not

hash secret but have specified a secret that is too long.

Error Message Invalid HTTP HEAD response timeout.
Explanation You are attempting to specify an HTTP HEAD response timeout

that is invalid.
Recommended Action Enter a response timeout between 20 and 60 seconds in

the HTTP HEAD response timeout field of the Shared Keepalive details page.
Error Message Response timeout must be between 20 and 60 seconds.
Explanation You are attempting to specify an HTTP HEAD response timeout

that is invalid.
Recommended Action Enter a response timeout between 20 and 60 seconds in

the HTTP HEAD response timeout field of the Shared Keepalive details page.

9-72 OL-4327-01
Error Message Invalid HTTP HEAD destination port. Destination port

must be between 1 and 65,535.
Explanation You are attempting to specify a port number for HTTP HEAD
traffic that is invalid.
Recommended Action In the HTTP HEAD destination port field in the Shared
Keepalive details page, enter a port number between 1 and 65,535 through
which HTTP HEAD keepalive traffic will pass. The default port is 80.
Error Message Invalid HTTP HEAD path. Path length must not exceed
256 characters.
Explanation You are attempting to specify an HTTP HEAD path that is not
valid.
Recommended Action Enter a valid path shorter than 256 characters in the
HTTP HEAD default path field in the Shared Keepalive details page.
Error Message Invalid <keepalive type> minimum probe frequency.

Frequency must be between <min> and <max>.
Explanation You are attempting to specify a minimum probe interval for your
keepalive type that is invalid.
Recommended Action Specify an interval (in seconds) within the range

specified for that keepalive type in the Shared Keepalive details page. The
interval range for the CRA keepalive type is between 1 and 60 seconds. For all
other keepalive types, it is between 45 and 255 seconds.

OL-4327-01 9-73
KeepAlive Error Messages
Error Message Duplicate keepalive address detected. A keepalive

must not be configured to use the same primary and secondary
addresses.
Explanation You are trying to configure a KAL-AP keepalive that is identical

to a keepalive of the same type that already exists.
Recommended Action Configure the KAL-AP keepalive to use a different

primary and secondary address.
Error Message Duplicate keepalive primary address

'<primaryaddress>' detected. An address can be used by at most
one KAL-AP type keepalive.
Explanation You are trying to configure a KAL-AP keepalive that uses the
same primary IP address as a keepalive of the same type that already exists.
Recommended Action Configure the KAL-AP keepalive to use a primary

IP address that is not already being used by another keepalive.
Error Message Duplicate keepalive secondary address '<secondary

address>' detected. An address can be used by at most one KAL-AP
type keepalive.
Explanation You are trying to configure a KAL-AP keepalive that uses the
same secondary IP address as a keepalive of the same type that already exists.
Recommended Action Configure the KAL-AP keepalive to use a secondary

IP address that is not already being used by another keepalive.

9-74 OL-4327-01
Error Message HEAD Duplicate keepalive detected. An HTTP HEAD

keepalive must not use the same address, destination path, host
tag, and port as another HTTP HEAD keepalive.
Explanation You are trying to configure an HTTP HEAD keepalive that

features an identical configuration to that of another HTTP HEAD keepalive
on your GSS network.
Recommended Action Configure the HTTP HEAD keepalive to use a unique

configuration of address, destination path, host tag, and port.
Error Message Duplicate keepalive detected. An ICMP keepalive must

not use the same address as another ICMP keepalive.
Explanation You are trying to configure an ICMP keepalive with an IP address

that is identical to that of another ICMP keepalive on your GSS network.
Recommended Action Configure the ICMP to use a unique IP address.
Error Message Invalid CAPP hash secret. Secret length must not

hash secret but have specified a secret that is too long.

Error Message Invalid HTTP HEAD destination port. If specified,

destination port must be between 0 and 65,535.
Explanation You are attempting to specify a port number for HTTP HEAD
traffic that is invalid.
Recommended Action In the HTTP HEAD destination port field in the Shared
Keepalive details page, enter a port number between 1 and 65,535 through
which HTTP HEAD keepalive traffic will pass. The default port is 80.

OL-4327-01 9-75
Error Message Invalid HTTP HEAD host tag. Host tag length must not
Explanation You are attempting to create an HTTP HEAD host tag that is
too long.
Recommended Action Enter an HTTP HEAD host tag of no more than

128 characters.
Error Message Invalid HTTP HEAD path. If specified, path length

must not exceed 256 characters.
Explanation You are attempting to specify an HTTP HEAD path that is not
valid.
Recommended Action Enter a valid path shorter than 256 characters in the
HTTP HEAD default path field in the Shared Keepalive details page.
Location Error Messages
Error Message The location is still being referenced by other

objects and cannot be removed.
Explanation You are attempting to delete a location that has answers or GSSs
associated with it.
Recommended Action Dissociate any answers or GSSs from the location and
then try again to delete it.
Error Message There already exists a location named <name> in

region <region> with the same name. Please specify a different
location name.
Explanation You are attempting to create a location within this region when
another location with the same name already exists.
Recommended Action Change the name of the location so that it is unique for
the region.

9-76 OL-4327-01
Owner Error Messages
Error Message Invalid owner name. Name must be entered.
Explanation You are attempting to create an owner without assigning the

owner a name.
Recommended Action Owners must have a unique name. Enter a name for the
owner in the field provided and then save the owner.
Error Message Invalid owner name. Name length must not exceed
80 characters.
Explanation You are attempting to assign a name to an owner that is too long.
Recommended Action Assign your owner a name that is no longer than

80 characters.
Error Message An owner named <owner name> already exists. Name must
uniquely identify an owner.
Explanation You are attempting to assign your owner a name that is already
assigned to another owner on your GSS network.
Recommended Action Assign a unique name to your owner.
Region Error Messages
Error Message The region is still being referenced by other objects

and cannot be removed.
Explanation You are attempting to delete a region that is associated with GSSs
on your GSS network.
Recommended Action Disassociate the GSSs from the region and then try again
to delete the region.

OL-4327-01 9-77
Error Message There already exists a region named <region name>.

All region names have to be unique.
Explanation You are attempting assign a name to the region that is already
being used by another region on your GSS network.
Recommended Action Assign a unique name to your region.
GSSM Error Messages
Error Message Maximum number of GSSMs exceeded. A GSS network can

contain at most 2 GSSMs.
Explanation You are attempting to enable a GSSM when there are already two
GSSMs enabled on your GSS network.
Recommended Action If necessary, remove your standby GSSM from your GSS
network and then try again to enable the GSSM.
Error Message The maximum number of <size> <className> has been

met.
Explanation You are attempting to add a resource to your GSS network when
the maximum number of that resource already exists.
Recommended Action Remove an existing resource of the same type and then
try again to add the new resource.

9-78 OL-4327-01
Source Address List Error Messages
Error Message Invalid source address block '<block string>'.

Address block must specify a host or a network.
Explanation You are attempting to specify an invalid source address range.
Recommended Action Enter a valid source address or block of source addresses.

Source addresses cannot specify a multicast address list.
Error Message Invalid source address block '<blockstring>'.

Address block must specify a class A, B, or C host or network.
Explanation You are attempting to specify an invalid source address range.
Recommended Action Enter a valid source address or block of source addresses.

Source addresses cannot specify a multicast address list.
Error Message Invalid source address list name. Name must be

entered.
Explanation You are attempting to create a source address list without

assigning the list a name.
Recommended Action Enter a name for the source address list in the Name field.
Error Message Invalid source address list name. Name length must
not exceed 80 characters.
Explanation You are attempting to create a source address list with a name that
is too long.
Recommended Action Enter a valid name for the source address list that has

OL-4327-01 9-79
Error Message Invalid source address list name. Name must not
contain spaces.
Explanation You are attempting to create a source address list with a name that
contains spaces. Source address list names cannot contain spaces.
Recommended Action Enter a valid name for the source address list that has
Error Message This source address list cannot be deleted because

it is referenced by <number> DNS rules.
Explanation You are attempting to delete a source address list that is referenced
by one or more DNS rules.
Recommended Action Disassociate your DNS rules from the source address list
using the DNS Rule Builder or DNS Rule Wizard and then attempt to delete
the source address list again.
Error Message A source address list named '<name>' already exists.

Name must uniquely identify a source address list.
Explanation You are attempting to create a source address list using a name
that is already being used by another source address list on your GSS network.
Recommended Action Assign a unique name to your source address list that is
no more than 80 characters and does not contain spaces.
Error Message The maximum number of 30 source address blocks per

list has been met.
Explanation You are attempting to add a source address block to the source
address list, when the maximum of 30 source address blocks has already been
added to the list.
Recommended Action Remove an existing source address block, or create a

source address list for the source address block that you wish to add.

9-80 OL-4327-01
User Error Messages
Error Message There already exists a user account named <user

name>. All user accounts must have a unique username.
Explanation You are attempting to create a user account with a name identical
to that of an existing account.
Recommended Action Assign your new user account a unique name.
Error Message You cannot delete the account with username 'admin'.
This account must exist.
Explanation You are attempting to delete the admin user account.
Recommended Action This account cannot be deleted from the GSSM.
Error Message Invalid answer load threshold. Load threshold must

be between 2 and 254.
Explanation You are attempting to assign an invalid load threshold to your

answer in the LT field.
Recommended Action Assign a load threshold for the answer that is between 2
and 254 in the LT field.
Error Message Invalid answer order. Order must not be negative.
Explanation You are attempting to assign a negative order number to your

answer. The order must be a positive number.
Recommended Action Enter a nonnegative whole number for the order.

OL-4327-01 9-81

9-82 OL-4327-01
C H A P T E R 10
Monitoring GSS Performance
The GSS software features a number of tools for monitoring the status of your
GSS devices and of global load balancing on your GSS network. These include
CLI-based commands for determining the status of your GSSs, GSSMs (primary
and standby), and the embedded GSS database. In addition, the primary GSSM
GUI contains pages that display the status of global server load balancing activity.
For example, tabulating answer and DNS rule hit counts.
• Monitoring GSS and GSSM Status
• Monitoring GSSM Database Status
• Monitoring Global Load-Balancing Status
• Viewing Log Files
Monitoring GSS and GSSM Status

You can easily monitor the status of your GSSs and GSSMs from both the CLI
and the GSSM GUI.
• Monitoring the Online Status of GSS Devices from the CLI
• Monitoring the Status of Your GSS Network from the CLI
• Monitoring GSS Device Status from the Primary GSSM GUI

OL-4327-01 10-1
Chapter 10 Monitoring GSS Performance
Monitoring the Online Status of GSS Devices from the CLI

Use the gss command to display the online status and resource usage of your GSS
servers.
To monitor the status of a GSS device from the CLI:
3. Use the gss command to display the current running status of the GSS device
that you have logged on to. For example:
gss1.yourdomain.com# gss status verbose
Cisco GSS - 1.1(0.0.1) - Development build GSSM - primary [Mon Sep
15 13:16:38 UTC 2003]
Normal Operation [runmode = 5]
%CPU START SERVER

0.0 Jun17 Boomerang
0.0 Jun17 Config Agent
0.0 Jun17 Config Server
0.0 Jun17 DNS Server
0.0 Jun17 Database
0.0 Jun17 GUI Server
0.0 Jun17 Keepalive Engine
0.0 Jun17 Node Manager
0.0 Jun17 Syslog
0.0 Jun17 Web Server
--- --- SNMP [DISABLED]

10-2 OL-4327-01
Monitoring the Status of Your GSS Network from the CLI

Use the show statistics command to view the status of any request routing and
load balancing component on your GSS devices, including answers, keepalives,
domains, and DNS rules. Refer to the Cisco Global Site Selector Command
Reference for detailed information about the show statistics command.
The following sections provide instructions about using and interpreting the
output of the various show statistics command options.
• Monitoring the Status of the Boomerang Server on Your GSS
• Monitoring the Status of the DNS Server on Your GSS
• Monitoring the Status of Keepalives on Your GSS
Note If you specify the show statistics command after issuing either the gss start
command or the reload command, the GSS device can take approximately one
minute before the command can take affect and display the requested statistics.
Monitoring the Status of the Boomerang Server on Your GSS

The boomerang server is a server load-balancing component of the GSS that uses
calculations of network delay provided by DNS races between content routing
agents (CRAs) to determine which server is best able to respond to a given
request.
Use the show statistics boomerang command option to view boomerang activity
such as DNS races on your GSS device on a domain-by-domain or on a global
basis. Refer to the Cisco Global Site Selector Command Reference for detailed
information about the show statistics boomerang command.
To view DNS race statistics:

OL-4327-01 10-3
3. Use the show statistics boomerang command to display current boomerang

server statistics for a particular domain, or across all domains managed by
your GSS. For example:
gss1.yourdomain.com# show statistics boomerang global
Boomerang global statistics:
Total races: 24
Monitoring the Status of the DNS Server on Your GSS

The DNS server component tracks all DNS-related traffic to and from your GSS
device, including information about DNS queries received, responses sent,
queries dropped and forwarded, and so on.
Using the show statistics dns command option, you can view DNS statistics with
regard to your GSS request routing and server load-balancing components such as
DNS rules, answers, answer groups, domains, domain lists, source addresses, and
source address groups. Refer to the Cisco Global Site Selector Command
Reference for detailed information about the show statistics dns command.
To view DNS statistics:
3. Use the show statistics dns command to display statistics from the domain
name server (DNS) component of the GSS. For example:
gss1.yourdomain.com# show statistics dns answer
Answer Type Total Hits 1-Min 5-Min 30-Min 4-Hr
-----------------------------------------------------------------
192.168.1.80 VIP 0 0 0 0 0
1.1.5.160 VIP 0 0 0 0 0
192.168.1.24 VIP 0 0 0 0 0
192.168.1.245 VIP 0 0 0 0 0

10-4 OL-4327-01
Monitoring the Status of Keepalives on Your GSS

The keepalive engine on your GSS device monitors the online status of keepalive
objects across your GSS network.
Using the show statistics keepalive command option, you can view statistics
about the health of your GSS keepalives globally or by keepalive type. Refer to
the Cisco Global Site Selector Command Reference for detailed information about
the show statistics keepalive command.
To view keepalive statistics:
3. Use the show statistics keepalive command to display current keepalive

engine statistics for your GSS network. You can view statistics for all
keepalive types on your network, or limit statistics to a particular keepalive
type such as ICMP, HTTP HEAD, TCP, KAL-AP, or CRA.
For example:
gss1.yourdomain.com# show statistics keepalive tcp all
IP: 192.168.50.41
Keepalive => 192.168.50.41
Destination Port: 80
Status: ONLINE
Packets Sent: 93188
Packets Received: 69891
Positive Probe: 23297
Negative Probe: 0
Transitions: 1
GID: 105 LID: 5

OL-4327-01 10-5
Monitoring GSSM Database Status
Monitoring GSS Device Status from the Primary GSSM GUI

To monitor the status of your GSS devices from the primary GSSM GUI:
2. Click the Global Site Selectors navigation link. The Global Site Selector list
page appears.
3. Click the Modify GSS icon for the GSS or GSSM that you wish to monitor.
The device type (GSS or GSSM) appears in the Node Services column.
The Global Site Selectors details page appears, displaying configuration and
status information about the device at the bottom of the page including:
– Status—Online status
– Version—Software version currently loaded on the device
– Node services—Current role of the device (GSS, primary or standby
GSSM, or both)
– IP address—Network address of the device
– Hostname—Network host name of the device
– MAC—Machine address of the device
4. Click Cancel to return to the Global Site Selectors list page.

The GSS software includes a number of CLI commands that you can use to
monitor the status of the GSSM database and its contents. This section includes
the following procedures:
• Monitoring the Database Status
• Validating Database Records
• Creating a Database Validation Report

10-6 OL-4327-01
Monitoring the Database Status

To verify that the GSS database on the GSSM is functioning properly:
3. Use the gssm database status command to display the current running status
of the GSS device that you have logged on to. For example:
gss1.yourdomain.com# gssm database status
GSSM database is running.
Validating Database Records

To validate the records in your GSSM database:
3. Use the gssm database validate command to validate the content of your
GSSM database. For example:
gss1.yourdomain.com# gssm database validate
GSSM database passed validation.

OL-4327-01 10-7
Creating a Database Validation Report

Should you encounter problems while attempting to validate your GSSM
database, you can generate a report, called validation.log, that details which
database records failed validation.
To generate a database validation report:
3. Use the gssm database report command to generate a validation report on

the content of your GSSM database. For example:
gss1.yourdomain.com# gssm database report
GSSM database validation report written to validation.log.
4. Use the type command to view the contents of your validation report. For
example:
gss1.yourdomain.com# type validation.log
validation.log
Start logging at Thu Aug 28 19:17:21 GMT+00:00 2003
- storeAdmin Validating ... Thu Aug 28 19:17:23 GMT+00:00 2003 -

- ObjectId Object_Name.Field_Name Description -
Validating FactoryInfo
Validating answerElement
Validating answerGroup
70 answerGroup.OwnerId Many-To-One List
Validating CachingConfig
Validating ClusterConfig
Validating CmdControl
Validating CmdPurgeRd
Validating CmdUpdate
Validating ConfigProperty
Validating Customer
Validating DistTree
Validating DnsRule
Validating DomainElement
Validating DomainGroup
Validating ENodeConfig
Validating ENodeStatus

10-8 OL-4327-01
Monitoring Global Load-Balancing Status
Validating KeepAliveConfig
Validating KeepAlive
Validating Location
Validating OrderedanswerGroup
Validating Owner
Validating Region
Validating RequestHandler
Validating RoutedDomain
Validating RoutingConfig
Validating RrConfig
Validating RrStatus
Validating SNodeConfig
Validating SourceAddressElement
Validating SourceAddressGroup
Validating SpInfo
Validating SystemConfig
Validating UpdateInfo
Validating UserConfig
Validating VirtualCDN
Validating WlpanswerElement
Validating User Validations
End of file validation.log

From the primary GSSM GUI, you can monitor the status of global load balancing
on your GSS network using a variety of features that filter and condense GSS
traffic and statistics.
• Monitoring Answer Hit Counts
• Monitoring Answer Keepalive Statistics
• Monitoring Answer Status
• Monitoring DNS Rule Statistics
• Monitoring Domain Statistics
• Monitoring Source Address Statistics
• Monitoring Global Statistics

OL-4327-01 10-9
Monitoring Answer Hit Counts

The answer hit counts feature of the primary GSSM GUI provides you with an
overview of your GSS answer resources and the number of times that user
requests have been directed to each answer device. Looking at answer hit counts
is one way to judge how well your GSS resources are being used in responding to
user requests.
To view the number of hits recorded by each of your GSS answers:
1. From the primary GSSM GUI, click the Monitoring tab.
2. Click the Answers navigation link.
3. Click the Answer Hit Counts navigation link (located under the Contents
table of contents).
4. . The Answer Hit Counts list page appears (Figure 10-1).
Figure 10-1 Answer Hit Counts List Page

10-10 OL-4327-01
Table 10-1 describes the fields on the Answer Hit Counts list page.
Table 10-1 Field Descriptions for Answer Hit Counts List Page
Field Description
Answer IP address of the answer device
Name Name assigned to the answer using the primary
GSSM GUI
Type Type of answer: VIP (virtual IP address), NS (name
server), or CRA (content routing agent)
Location GSS network location into which the answer has been
grouped
Name of the GSSM or Number of requests directed to the answer
GSS by each GSS device
5. Click the column header of any of the displayed columns to sort your answers
by a particular property.
Monitoring Answer Keepalive Statistics

The answer keepalive statistics feature of the primary GSSM GUI provides you
with an overview of the online status of your GSS answer resources. For each
answer configured on your GSS, the answer keepalive statistics feature displays
the number of keepalive probes that have been directed to that answer by the
primary and the standby GSSM, as well as information about how that keepalive
probe was handled. If a large number of keepalive probes are being rejected or are
encountering transition conditions, the answer may be offline or may be having
problems staying online.
To view the online status of each of your GSS answers:
3. Click the Answer KeepAlive Statistics navigation link (located under the
Contents table of contents). The Answer KeepAlive Statistics list page

OL-4327-01 10-11
Figure 10-2 Answer Keepalive Statistics List Page
Table 10-2 describes the fields on the Answer KeepAlive Statistics list page.
Table 10-2 Field Descriptions for Answer Keepalive Statistics List Page
Field Description
Answer IP address of the answer device being probed
GSSM GUI
Keepalive The address assigned to the remote device, CRA, or
name server that the GSS is to forward requests

10-12 OL-4327-01
Table 10-2 Field Descriptions for Answer Keepalive Statistics List Page
Field Description
Method The keepalive method used by the answer: VIP
(virtual IP address), NS (name server), or CRA
(content routing agent)
Location GSS network location into which the answer has
been grouped
Name of the GSSM or Number of keepalive probes directed to the answer
GSS by each GSS device, as well as a record of how those
probes were handled. Statistics are presented in the
following order:
• Keepalive packets sent—Total number of
keepalive probes sent to the answer by each GSS
on the network
• Keepalive packets received—Total number of
keepalive probes returned from the answer
• Keepalive positive probe count—Total number
of keepalive probes received to which a positive
(OK) response was returned
• Keepalive negative probe count—Total
number of keepalive probes received to which a
negative response was returned
• Keepalive transition count—Total number of
keepalive probe transitions (for example, from
the INIT to the ONLINE state) experienced by
the keepalive

OL-4327-01 10-13
Monitoring Answer Status

The answer status feature of the primary GSSM GUI provides you with an
overview of your GSS answer resources and their online status. Answers can be
sorted by IP address, name, type, location, or online status according to a
particular device.
To view the status of your GSS answers:
3. Click the Answer Status navigation link (located under the Contents table of
contents). The Answer Status list page appears (Figure 10-3).
Figure 10-3 Answer Status List Page

10-14 OL-4327-01
Table 10-3 describes the fields on the Answer Status list page.
Table 10-3 Field Descriptions for Answer Status List Page
Field Description
Answer IP address of the answer device
GSSMGUI
Location GSS network location into which the answer has
been grouped
Name of the GSSM or Online status of the answer according to the named
GSS device
Monitoring DNS Rule Statistics

The DNS rule statistics feature of the primary GSSM GUI provides you with an
overview of your global load-balancing rules, as well as information about how
many queries were processed by each rule and how many of those processed
queries were successfully matched with answers.
To view the status of your DNS rules:
2. Click the DNS Rules navigation link. The DNS Rule Statistics list page

OL-4327-01 10-15
Figure 10-4 DNS Rule Statistics List Page
Table 10-4 describes the fields on the DNS Rule Statistics list page.
Table 10-4 Field Descriptions for DNS Rule Statistics List Page
Field Description
GSSM.
Owner GSS owner to which the DNS rule has been assigned.
Name of the GSSM or Total hit count and successful hit count for the DNS
GSS rule from the listed GSS device. Refer to the legend
that appears below the listed DNS rules if you are
confused about which number represents total hits
and which represents successful requests served.
3. Click the column header of any of the displayed columns to sort your DNS
rules by a particular property.

10-16 OL-4327-01
Monitoring Domain Statistics

The domain statistics feature of the primary GSSM GUI provides you with an
overview of the hosted domains that your GSS is serving, as well as information
about how many queries were directed to each domain by your DNS rules. The
domain hit counts feature tracks the traffic directed to individual domains, not
GSS domain lists, which may include one or more domains.
To view the status of your hosted domains:
2. Click the Domains navigation link. The Domain Hit Counts list page appears
(Figure 10-5).
Figure 10-5 Domain Hit Counts List Page

OL-4327-01 10-17
Table 10-5 describes the fields on the Domain Hit Counts list page.
Table 10-5 Field Descriptions for Domain Statistics List Page
Field Description
Domain DNS domains for which your GSS is responsible;
these are the domains contained in your domain lists.
Name of the GSSM or Total number of requests for the listed domain from
GSS each GSS device
3. Click the column header of any of the displayed columns to sort the listed
domains by a particular property.
Monitoring Source Address Statistics

The source address statistics feature of the primary GSSM GUI provides you with
an overview of incoming requests received by each of your source addresses (that
is, those addresses from which DNS queries to your GSS originate) from each of
your GSS devices. The source address hit counts feature tracks requests from
individual address blocks, not from GSS source address lists, which may contain
one or more address blocks.
To view the statistics for your source address lists:
2. Click the Source Addresses navigation link. The Source Address Lists
Statistics list page appears (Figure 10-6).

10-18 OL-4327-01
Figure 10-6 Source Address List Statistics List Page
Table 10-6 describes the fields on the Source Address Lists Statistics list
page.
Table 10-6 Field Descriptions for Source Address Statistics List Page
Field Description
Source Address Block Address or range of addresses from which DNS
queries originate. Source address blocks make up
GSS source address lists.
Name of the GSSM or Total number of requests received by the listed GSS
GSS device from each address or address block.

OL-4327-01 10-19
Monitoring Global Statistics

The global statistics feature of the primary GSSM GUI provides you with an
overview of your GSS network, providing average statistics for DNS requests
received by each GSS device and keepalive messages sent to your answers, as well
as the online status of each GSS device.
To view the status of your GSS network:
2. Click the Global navigation link. The Global Statistics list page (Figure 10-7)
appears.
Figure 10-7 Global Statistics List Page

10-20 OL-4327-01
Table 10-7 describes the fields on the Global Statistics list page.
Table 10-7 Field Descriptions for Global Statistics List Page
Field Description
GSS Status Online status of each GSS device
Unmatched DNS Queries Total number of DNS queries received by each listed
device for which no answer could be found
DNS Queries/sec Average number of DNS queries received each
second by each listed GSS device
Keepalive Probes/sec Average number of keepalive probes received by
each listed GSS device each second

OL-4327-01 10-21
Viewing Log Files
Viewing Log Files

The GSS maintains logged records for a wide range of GSS network activity in
the gss.log file as well as through the system logs feature of the GSSM.
The following sections help you audit logged information about your GSS
devices.
• Understanding GSS Logging Levels
• Viewing Device Logs from the CLI
• Viewing System Logs from the Primary GSSM GUI
Understanding GSS Logging Levels

The GSS employs eight separate logging levels to identify the wide range of
critical and noncritical logged events that may occur on a GSS device. Table 10-8
lists these different logging levels and explains their meanings.
Table 10-8 GSS Logging Levels
Level Number Level Name Description

0 Emergencies The GSS has become unusable: for example,
the device is shutting down and cannot be
restarted, or it has experienced a hardware
failure.
1 Alerts The GSS requires immediate attention: for
example, one of the GSS servers is not
running.
2 Critical The GSS has encountered a critical condition
that requires attention: for example, being
unable to connect to the primary GSSM and
not having a configuration snapshot to use in
the meantime.
3 Errors The GSS has encountered an error condition
that requires prompt attention but still
enables the device to function: for example,
running out of memory.

10-22 OL-4327-01
Viewing Log Files
Table 10-8 GSS Logging Levels (continued)
Level Number Level Name Description

4 Warnings The GSS has encountered an error condition
that requires attention but is not interfering
with the operation of the GSS device: for
example, losing contact with the primary
GSSM when a local configuration snapshot
exists.
5 Notifications The GSS has encountered a nonerror
condition that should be brought to the
administrator’s attention: for example, a
software upgrade.
6 Information Messages at this level are normal operational
messages for the GSS device, such as status
or configuration changes.
7 Debug Messages at this level (such as detailed
information about DNS request or keepalive
handling, specific code path tracking, and so
on) are intended for use by technical support
personnel.
Viewing Device Logs from the CLI

Each GSS device contains a variety of log files that retain records of both
GSS-related activity and the functioning of various GSS subsystems. You can
access these log files using the CLI to troubleshoot problems or better understand
the behavior of a GSS device.
• Viewing the gss.log File from the CLI
• Viewing Subsystem Log Files from the CLI
• Rotating Existing Log Files from the CLI

OL-4327-01 10-23
Viewing Log Files
Viewing the gss.log File from the CLI

The gss.log file pulls together information that may be of use to customers, such
as keepalive, availability, and load statistics for GSS devices. This log file can be
viewed from the CLI using the show logs command.
Refer to the Cisco Global Site Selector Command Reference for a list of the
various log files that are displayed using the show logs command.
Note The show logs command outputs all logged information to your terminal session.
This output may be quite large and exceed the buffer size that you have set. If you
wish to capture all logged information, adjust the size of your screen buffer.
Otherwise, use the tail or follow options to limit the output of the file.
To view logged GSS messages in the gss.log file:

3. Use the show logs command to display logged information for the device on
your terminal. For example:
gssm1.yourdomain.com# show logs
gss.log
Jul 14 21:42:01 gss-css2 KAL-7-KALAP[1240] KAL-AP (seq# 29410)=> Host 192.10.2.1
Jul 14 21:42:02 gss-css2 KAL-7-KALAP[1240] Retrying IP [192.10.4.1] (Retry Count
3)
Jul 14 21:42:07 gss-css2 KAL-7-KALAP[1240] Timeout: Found outstanding KAL
[192.10.2.1]
1)
Jul 14 21:42:09 gss-css2 KAL-7-KALCRA[1240] rtt_task: waiting 10000 mseconds
2)
Jul 14 21:42:16 gss-css2 KAL-7-KALAP[1240] Sending circuit keepalive =>
[192.10.2.1]
[192.10.3.1]

10-24 OL-4327-01
Viewing Log Files

[192.10.4.1]
[192.10.6.1]
[192.10.7.1]
[192.10.8.1]
3)
Jul 14 21:42:19 gss-css2 KAL-7-KALCRA[1240] rtt_task: waiting 10000 mseconds
Jul 14 21:42:22 gss-css2 KAL-7-KALAP[1240] Timeout: Found outstanding KAL
[192.10.3.1]
1)
Jul 14 21:42:22 gss-css2 NMR-7-NODEMGR[1035] Checking process queue for defunct
members.
2)
...
4. To limit the output of the show logs command, specify one of the following:
– Use the tail option of the show logs command to view just the last ten
lines of logged information. For example:
gssm1.yourdomain.com# show logs tail
– Use the follow option of the show logs command to view data that is
appended to the end of the log as it grows. For example:
gssm1.yourdomain.com# show logs follow
Viewing Subsystem Log Files from the CLI

In addition to the gss.log file, each GSS device maintains a number of additional
log files that record subsystem-specific information (for example, the keepalive
engine or DNS server component of the GSS). Although these log files are not
generally associated with specific CLI commands as the gss.log file is, any of
them can be viewed from the CLI using the type EXEC command.

OL-4327-01 10-25
Viewing Log Files
Note Many GSS subsystem logs output all logged information to your terminal session.
This output may be quite large and exceed the buffer size that you have set. If you
wish to capture all logged information, adjust the size of your screen buffer.
Otherwise, use the tail or follow options to limit the output of the file.
To view your GSS subsystem log files:

2. From privileged EXEC mode, navigate to the directory containing the log file
or files that you wish to view. For example:
gssm1.yourdomain.com> cd ../sysout
gssm1.yourdomain.com>
3. Use the type command to display the contents of the log file. For example:
gssm1.yourdomain.com> type dnsserver.log
dnsserver.log
Starting dnsserver: Mon Jul 1 13:52:50 UTC 2003 [(1221)]
2003-07-10 16:23:08 relog: Booting...
Starting dnsserver: Wed Jul 10 16:23:33 UTC 2003 [(1201)]
End of file dnsserver.log
]
4. Use the tail command to view just the last ten lines of the log file. For
example:
gssm1.yourdomain.com# tail dnsserver.log
Rotating Existing Log Files from the CLI

You can force the GSS to restart its log files and save archive copies of all existing
log files by using the rotate-logs command. This command forces the GSS to save
archive copies of all existing log files in the $STATE directory and subdirectories
and replaces them with fresh log files.

10-26 OL-4327-01
Viewing Log Files
Existing log files are archived locally using the following naming convention:
logfile_name.log.number
where:
• logfile_name.log - Name of the archived log file (for example, gss.log or
kale.log) .
• number - An incremented number representing the number of times the logs
have been rotated (for example, .3). The number of the most recent rotated
log file is .1. The maximum number of log files is 25 for the gss.log file, five
for all other log files.
To rotate existing log files:
3. Use the rotate-logs command to rotate existing log files. For example:
gssm1.yourdomain.com# rotate-logs
If you wish to clear all rotated log files in the $STATE directory and
subdirectories, except for the active log files, include the delete-rotated-logs
option. For example:
gssm1.yourdomain.com# rotate-logs delete-rotated-logs

OL-4327-01 10-27
Viewing Log Files
Viewing System Logs from the Primary GSSM GUI

From the primary GSSM GUI, you can view messages logged in the GSS
system.log file. This log presents the logged information that is most likely of
interest to GSS administrators. However, the system.log file presents only a subset
of all logged information. See the “Viewing Subsystem Log Files from the CLI”
section for information about viewing the entire contents of individual GSS
log files.
• Viewing System Logs from the GUI
• Purging System Log Messages from the GUI
• System Log Messages
Viewing System Logs from the GUI

To view the GSS system logs:
2. Click the System Logs option. The System Log list page appears
(Figure 10-8) displaying the following information:
– Time—Time in Universal Coordinated Time (UTC) at which the logged
event occurred on the GSS device.
– Node type—Type of GSS node (GSS or GSSM) on which the logged
event occurred.
– Node name—Name assigned to the GSS device using the primary
GSSM.
– Module—GSS component logging the message. For example, server or
storeAdmin.
– Severity— Severity of the logged message; system log messages are
rated using one of four severity levels, as follows:
• Fatal—Indicates that the GSS or one of its components failed. Fatal
errors are rare and are usually caused by exceptions from which it is
impossible to recover, or by the failure of a GSS component to
initialize properly.
• Warning—Indicates a noncritical error or unexpected condition.

10-28 OL-4327-01
Viewing Log Files
• Info—Provides information about the normal operation of the GSS

and its components.
• Debug—Provides very detailed information about the internal
operations of the GSS or one of its components. Debug log messages
are intended for use by Cisco support engineers in their efforts to
troubleshoot a problem.
– Description—Text description that explains the event.
– Message—Information about any relevant conditions encountered while
the event was being logged.
Figure 10-8 System Log List Page

OL-4327-01 10-29
Viewing Log Files
3. Click the column header of any of the displayed columns (except for Severity
or Description) to sort the listed domains by a particular property.
Purging System Log Messages from the GUI

You can instruct the GSS to purge system log messages from the GSSM database
by using the gssm database purge-log-records CLI command. This option
removes the system log messages appearing on the primary GSSM GUI, the
System Log list page of the Tools navigation tab. You can instruct the GSS
software to:
• Purge a quantity of system log messages from the database up to the last n
records, where n equals the number of database records back from the last
record to be retained when the database is purged.
• Purge system log messages covering a set time period up to n days before
today, where n equals the number of days back from today to be retained
when the database is purged.
To purge system log messages from the GSSM database:
3. Use the gssm database purge-log-records command to purge system log

messages.
For example, to purge all system log messages except for the last 3, enter:
gssm1.yourdomain.com# gssm database purge-log-records count 3
For example, to purge all system log messages except for those generated
within the last 7 days, enter:
gssm1.yourdomain.com# gssm database purge-log-records days 7
4. From the primary GSSM GUI, click the Tools tab, then click the System Logs
option. The System Log list page appears. Notice that system log message
have been purged based on the criteria specified in the gssm database
purge-log-records CLI command.

10-30 OL-4327-01
Viewing Log Files
System Log Messages

Table 10-9 lists common GSS system messages that may be encountered in the
System Log list page. Error messages are listed alphabetically, and each error
message is accompanied by a brief description. Contact a Cisco technical support
representative if you require more detailed information about the purpose of a
message.
Table 10-9 System Log Messages
System Log Message Description

Deleted a Global Site Selector The named GSS has been deleted from the
primary GSSM
Error occurred while processing An error occurred while the device was
received data processing configuration updates from
the primary GSSM. The affected device
will attempt to recover automatically.
Failed store invalidation The process of marking internally
inconsistent database records has failed.
Errors can be viewed in the validation log.
Failed store validation The GSSM database has failed its internal
consistency checks.
Multiple primary GSSMs detected The system has detected multiple primary
GSSMs operating concurrently.
Passed store invalidation The process of marking internally
inconsistent database records has been
successfully completed.
Passed store validation The GSSM database has passed its
internal consistency checks.
Registered a new Global Site A new GSS is online and identified itself
Selector to the primary GSSM.
Registered a new standby GSSM A new standby GSSM came online and
identified itself to the primary GSSM.
Server is Shutting Down The Cisco GSS software has been stopped
from the CLI.

OL-4327-01 10-31
Viewing Log Files
Table 10-9 System Log Messages (continued)
System Log Message Description

Server Started The Cisco GSS software has been started
from the CLI.
Standby GSSM database error An error has occurred on the standby
GSSM embedded database.
Started store invalidation The process of marking internally
inconsistent database records has begun.
Started store validation An internal consistency check has begun
for the GSSM database.
Store is corrupted The GSS GSSM database has failed
internal consistency checks.
x System Messages Dropped The GSS device has dropped (did not
report) a certain number of messages in
an effort to throttle message traffic to the
GSSM.
Unexpected GSSM activation The primary GSSM has received a report
timestamp warning from a GSS device with a GSSM
activation time stamp that was not
consistent with the primary GSSM’s
current time. The standby and primary
GSSM may have clocks that are not
synchronized.
User HTTP Password Change A user has changed his or her password
using the Change Password details page
from the Tools tab.

10-32 OL-4327-01
G L O S S ARY
A
answer Individual resource (virtual IP address [VIP], name server [NS], or content
routing agent [CRA]) that is used to reply to a content request.
answer group Customer-defined set of virtual IP address (VIP), name server (NS), or content
routing agent (CRA) addresses from which an individual answer is selected and
used to reply to a content request.
B
boomerang Server load-balancing component of the Global Site Selector (GSS) that uses
calculations of network delay to select the site “closest” to the requesting
D-proxy. Closeness is determined by conducting DNS races between content
routing agents (CRAs) on each host server. The CRA that replies first to the
requesting D-proxy is chosen to reply to the request.
C
client Content consumer, typically a web browser or multimedia stream player, that
makes Domain Name System (DNS) requests for domains managed by the
Global Site Selector (GSS).
content provider Customer deploying content on a Content Delivery Network (CDN), or

purchasing hosting services from a service provider or web hosting service.
content router Machine that routes requests for content through Domain Name System
(DNS) records.

OL-4327-01 GL-1
Glossary
content routing Software running on a Content Delivery Network (CDN) or server

agent (CRA) load-balancing device that provides information to a Global Site Selector (GSS)
for making content routing decisions, and handles content routing requests from
the GSS.
Content Switching Server load-balancing component for the Catalyst 6000 Switch product.
Module (CSM)
Content Services Cisco server load-balancing appliance for Layer 4 through Layer 7 content.
Switch (CSS)
customer Cisco customer purchasing Global Site Selector (GSS) hardware, software, or
services. Typically an Internet service provider (ISP), application service
provider (ASP), or enterprise customer.
D
data center Collection of centrally located devices (content servers, transaction servers, or
web caches).
DNS rule Central configuration and routing concept of the Global Site Selector (GSS),
allowing specific request balance resources, methods, and options to be applied
to source address and domain pairs.
domain list One or more hosted domains logically grouped for administrative and routing
purposes.
D-proxy Client’s local name server, which makes iterative DNS queries on behalf of a
client. A single recursive query from a client may result in many iterative
queries from a D-proxy. Also referred to as local domain name server (LDNS).
F
fully qualified Domain name that specifies the named node’s absolute location relative to the
domain name Domain Name System (DNS) root in the DNS hierarchy.
(FQDN)

GL-2 OL-4327-01
Glossary
G
Global Site Selector Cisco content routing device that intelligently responds to Domain Name
(GSS) System (DNS) queries, selecting the “best” content locations to serve those
queries based on DNS rules created by the customer.
GSS network Set of Global Site Selectors (GSSs) in a scaled, redundant GSS deployment.
Global Site Selector Device that administers a Global Site Selector (GSS) network, storing
Manager (GSSM) configuration information and statistics for GSS devices and providing a
graphical user interface that GSS administrators use to reconfigure or monitor
the performance of their GSS network.
global server load System based on the Content Services Switch that directs clients through the
balancing (GSLB) Domain Name System (DNS) to different sites based on load and availability.
Two versions of GSLB currently exist:
• Rule-based GSLB
• Zone-based GSLB
H
hosted domain Any domain managed by the Global Site Selector (GSS). A minimum of two
levels is required for delegation (for example, foo.com). Domain wildcards are
supported.

OL-4327-01 GL-3
Glossary
K
keepalive (KAL) Periodic testing of availability and status of a content service through the
sending of intermittent queries to a specified address using one of a variety of
methods.
The Global Site Selector product uses both primary keepalive and secondary
keepalive IP addresses.
See keepalive method.
keepalive method Protocol or strategy used to determine whether a device is online, for example,
ICMP, TCP, KAL-AP, HTTP-HEAD, and CRA round-trip time.
L
location Grouping for devices with common geographical attributes, used for
administrative purposes only, and similar to data center or content site.
See data center.
N
name server (NS) Publicly or privately addressable Domain Name System (DNS) server that
resolves DNS names to IP addresses. Name servers are used by the Global Site
Selector (GSS) for name server forwarding, in which queries that the GSS
cannot resolve are forwarded to a designated name server that can resolve them.
O
ordered list List of possible answers that are used for routing. List members are ranked and
tried in order. Answers lower on the list are not tried unless all previous
members fail to provide a suitable result.

GL-4 OL-4327-01
Glossary
origin server Machine that serves original or replicated content provider content.
owner Internal department or resource or external customer associated with a group of

GSS resources such as domain lists, answer groups, and so on.
R
region Grouping of Global Site Selector (GSS) locations with common geographic
attributes that is used to organize GSS resources.
S
Secure Socket Layer Industry-standard method for protecting and encrypting web communication.
(SSL)
server load balancer Network device that balances content requests to network resources based on
(SLB) content rules and real-time load and availability data collected from those
devices. Server load balancers like the Cisco Content Services Switch (CSS),
Content Switching Module (CSM), and LocalDirector provide publicly routable
virtual IP addresses (VIPs) while front-ending content servers, firewalls, Secure
Socket Layer (SSL) terminators, and caches. Third-party SLBs are supported in
a GSS network through the use of Internet Message Control Protocol (ICMP),
TCP, and HTTP-HEAD keepalives.
service provider Cisco customer providing infrastructure for a Content Delivery Network (CDN).
Also ISP (Internet service provider) and ASP (application service provider).
source address list List of source IPs or source IP blocks that are logically grouped by the
system administrator.
static proximity Type of request routing in which incoming requests from specified D-proxies
are routed to statically defined resources that have been identified as being in
proximity to the source D-proxies.
subscriber Client or set of clients receiving a certain style of DNS routing. Subscribers
often pay for application services from the Cisco GSS customer.

OL-4327-01 GL-5
Glossary
T
Time To Live (TTL) Length of time that a response is to be cached and considered valid by the
requesting D-proxy.
W
Web Network VxWorks-based operating system and software that runs on the Content
Services (WebNS) Services Switch (CSS).

GL-6 OL-4327-01
I N D EX
CRA-type answer, overview 1-16

A
deleting 7-22
accessing error messages 9-56
CLI 2-2, 2-4, 2-5 hit count 10-11
primary GSSM GUI 2-15 keepalive 1-17
remote connection 2-2 keepalive statistics 10-11
serial connection 2-2 modifying all in location 7-21
access lists modifying an answer 7-19
access-group command 9-27 monitoring 10-11
access-list command 9-26 name server-type answer, creating 7-17
adding rules to 9-28 name server-type answer, overview 1-16
associating with an interface 9-27 overview 1-14, 7-1
creating 9-25 reactivating 7-21
disassociating from an interface 9-28 setting all to ICMP 1-46
filtering traffic 9-24 setting all to none 1-46
overview 9-24 status 10-14
removing rules 9-29 suspending 1-45, 7-20
viewing 9-30 suspending all answers in a location 7-21
activating GSS devices 2-18 VIP-type answer, creating 7-2
adding rules to access lists 9-28 VIP-type answer, overview 1-15
administrator account, resetting 9-21 answer group
answer adding answers 7-26
activating 1-45 balance method options 1-27
configuring 7-1 balance methods 7-23
CRA-type answer, creating 7-14 CRA configuration information 8-32

OL-4327-01 IN-1
Index
creating 7-24
B
current members 7-27
deleting 7-35 backup of GSSM
DNS rule 1-12, 1-15 conditions for 9-39
DNS Rule Wizard 8-15 overview 9-37
error messages 9-60 procedure 9-39
general configuration 7-25 backup of GSSM database
load threshold 7-28 conditions for 9-39
modifying 7-29 overview 9-37
order 7-28 procedure 9-40
overview 1-15, 7-23 balance clause 7-23, 8-30
removing answers 7-29 balance method
suspending 7-30 answer group options 1-27
suspending or reactivating all for an answer group pair 7-23
owner 7-32 balance clauses 7-23
VIP DNS configuration information 8-32 boomerang 1-26
weight 7-28 DNS rule 1-12, 1-15
answer hit counts 10-10 DNS Rule Wizard 8-22
answer keepalive statistics 10-11 hash 1-26, 8-23, 8-31
Anywhere source address 1-14, 4-1 hashed balance method 8-31
appliance-based global server load least loaded 1-25, 8-31
balancing 1-6
load threshold option 1-29, 8-19
A record 8-26, 8-30
ordered list 1-24, 8-23, 8-31
associating access list with interface 9-27
order option 1-28, 8-19
audience xx
overview 1-24
round robin 1-25, 8-23, 8-31
weighted round robin 1-25, 8-23, 8-31
weight option 1-28, 8-19
BIND sample zone configuration file 8-44

IN-2 OL-4327-01
Index
boomerang resetting CLI administrator account 9-21

activity, monitoring 10-3 resetting password 9-21
balance method 1-26 saving session 2-3
DNS race 1-26 user account, creating 9-19
server 1-27 closeness (DNS race) 7-15
server, monitoring status 10-3 communication between nodes 1-33
server status 10-3 Content Services Switch
browsers supported 1-36 data center deployment 1-34
definition G-2
global load-balancing 1-2
C
GSS network deployment 1-6
Cancel icon 1-43 VIP answers 1-15
certificate Content Switching Module
accepting 2-16 data center deployment 1-34
trusting 2-16 definition G-2
changing global load-balancing 1-2
GSSM role 9-2 GSS network deployment 1-6
startup and running configuration 9-8 VIP answers 1-15
CIDR block masking 4-1 copy command 9-9
clauses (balance clause) in answer group 7-23 copying startup configuration to or from
disk 9-9
CLI
CRA
accessing 2-2, 2-12
answer, creating 7-14
configuring GSS 2-10
balance method 1-28, 7-23
device management 1-34
closeness 7-15
direct serial connection 2-2
CRA answer overview 1-16
GSS device monitoring 10-2
definition G-2
monitoring GSS network statistics 10-3
DNS race 7-15
private and public key pair 2-5
global keepalive configuration 6-15
remote connection 2-4
keepalive 1-19

OL-4327-01 IN-3
Index
last gasp address 8-24 delegation

minimum frequency 6-15 definition 1-3
one way delay 7-16 domains to GSS 1-31, 8-43
overview 1-19 GSS devices 8-42
round-trip time 7-16 subdomains to GSS 1-31, 8-43
timing delay 6-15 Delete icon 1-44
Create icon 1-42 deployment
CSM configuring name servers 8-42
See Content Switching Module data center 1-34
CSS GSS devices behind firewall 9-30
See Content Services Switch locations and regions 3-2
overview 1-31
resources 3-2
D
typical GSS deployment 1-31
database details pages 1-40
backing up 9-40 disassociating access list from interface 9-28
monitoring status of 10-7 DNS
restoring GSSM from full backup 9-49 all 8-26, 8-30
synchronized with standby GSSM 1-33 A record 8-26, 8-30
validating records 10-7 balance clause 8-30
validation report 10-8 creating DNS rules 8-5
data center delegation 8-42
definition G-2 DNS queries 8-26, 8-30
deployment 1-34 glue A records 8-43
debug log message 10-29 hosted domain 1-13
default iterative request 1-5
password 2-16 query 1-14
username 2-16 race 1-16, 7-15
recursive request 1-4

IN-4 OL-4327-01
Index
request resolution 1-5 reactivating all by owner 8-36

routing overview 1-3 removing filters 8-42
sample BIND zone configuration 8-44 showing all rules 1-43
server, modifying 8-43 suspending 1-45, 8-34
server, monitoring 10-4 suspending all by owner 8-36
traditional routing 1-3 DNS Rule Builder
unmatched queries 10-21 balance clause 8-30
zone configuration file 8-43 CRA configuration information 8-32
DNS race creating DNS rules 8-27
balance method 1-26 DNS queries 8-30
closeness 7-15 modifying DNS rule 8-33
coordinate start time 7-15 name server balance methods 8-23, 8-31
CRAs 1-16 overview 8-4
DNS rule VIP answer group configuration
information 8-32
activating 1-45
VIP balance methods 8-31
answer 1-12
DNS rule filter
balance clause 7-23
configuring 8-38
components 1-12
parameters 8-39
creating 8-2
removing 8-42
definition G-2
DNS Rules tab 1-38
deleting 8-38
DNS Rule Wizard
error messages 9-61
activating 8-26
filtering 1-43
answer group, configuring 8-15
filters, configuring 8-38
balance method, configuring 8-22
filters, removing 8-42
creating DNS rules 8-5
hit count 10-15
domain list, configuring 8-10
modifying 8-33
icons 1-42, 1-44, 1-45
overview 1-12
modifying DNS rule 8-33
reactivating 8-35
overview 8-2

OL-4327-01 IN-5
Index
source address list, configuring 8-7 domains

summary 8-25 delegating to GSS 1-32, 8-43
suspending 8-26 hit counts 10-17
documentation maximum length 5-6
caution and note overview xxiii maximum name length 5-5
conventions xxi, xxii maximum per domain list 1-13, 5-2
organization xx wildcards example 8-13
related xxi wildcards maximum length 5-6
set xxi downgrading
symbols and conventions xxii GSS device software 9-48
domain lists order of operation 9-48
adding domains to 5-2, 5-5, 8-13 restoring earlier software version 9-49
creating 5-2 D-proxy
current members 5-6 background 1-4
deleting 5-10 definition G-2
DNS Rule Wizard 8-10 iterative requests 1-5
error messages 9-68 name server forwarding 1-16
general configuration 5-4 query GSS 1-14
maximum domains 1-13
maximum nonwildcard domain length 5-6
E
modifying 5-8
overview 1-13, 5-1 error messages 9-56
regular expressions 5-1 answer 9-56
removing domains 5-8 answer group 9-60
wildcards in domains 5-2, 5-6, 8-13 DNS rule 9-61
domain name space 1-3 domain list 9-68
Domain Name System GSSM 9-78
See DNS keepalive 9-74
location 9-76

IN-6 OL-4327-01
Index
owner 9-77
G
region 9-77
shared keepalive 9-72 global keepalives
source address list 9-79 CRA configuration settings 6-15
user 9-81 fast transmission rate 1-20, 6-4, 6-7, 6-10, 6-13
Ethernet interface, segmenting traffic 9-22 HTTP HEAD configuration settings 6-9
exporting ICMP configuration settings 6-3
GSSM data 9-12 KAL-AP configuration settings 6-12
icon 1-42 modifying 6-2
Export to CSV icon 1-42 name server configuration settings 6-16
overview 6-1
properties, modifying 6-2
F standard transmission rate 1-20, 6-4, 6-7, 6-10,
6-13
failure detection time, adjusting 1-20
TCP configuration settings 6-6
fatal error log message 10-28
global server load balancing
filtering GSS traffic 9-24
balance clauses 7-23
filters
data centers 1-34
DNS rules 8-38
definition G-3
parameters 8-39, 8-40
delegation of GSS devices 8-42
removing 8-42
global statistics 10-20
firewall
monitoring 10-9
configuring for GSS 9-33
overview 1-6
deploying GSS devices 1-32, 9-30
summary 2-23
inbound traffic to the GSS 9-31
using the GSS 1-6
outbound traffic from the GSS 9-32
Global Site Selector
permitting traffic to GSS 1-32
accessing the CLI 2-2, 2-4
FTP, enabling 2-3
accessing the CLI with private/public key
full GSSM backup 9-39 pair 2-5
fully qualified domain name G-2 acting as GSSM 1-10, 1-31

OL-4327-01 IN-7
Index
activating 2-18 MIBs 9-36

authoritative DNS server 1-7 modifying device configuration 2-21
balancing data centers 1-34 monitoring through CLI 10-2
boomerang server 10-3 monitoring through GUI 10-6
CLI-based management 1-34 network configuration settings 9-7
communication 1-33 network deployment 2-6
configured as GSSM (primary or network management 1-34
standby) 2-12
online status and resource usage 10-2
configuring 2-14
overview 1-2, 1-10
configuring from CLI 2-10
packet filtering 1-32
console port, physical access to 2-4
ports and protocols 9-25, 9-31
delegation of devices 8-42
purging system log messages 10-30
deleting devices 2-22
remote access, enabling 2-3
deployment 1-31, 1-32, 1-34, 8-42
remote connection 2-4
direct serial connection 2-2
removing or replacing 9-2
DNS server, monitoring 10-4
reporting interval 9-12
downgrading software 9-48
resources, grouping 3-16
enable remote connect 2-3, 2-5
restoring earlier software version 9-49
factors in responding to a request 1-7
running configuration 9-8
firewalls 9-30, 9-33
setup configuration decisions 2-6
global server load balancing 1-6
setup script, configuring with 2-8
GSLB configuration 2-23
software architecture 1-9
GUI-based management 1-35
startup configuration 9-8
hardware 1-10, 1-11
synchronized with GSSM 1-10, 1-33
initial setup 2-8
upgrading software 9-41
interact with SLBs 1-6
user account, creating 9-19
inter-GSS communications 1-33, 9-22
user account, deleting 9-20
keepalives overview 1-17, 6-1
user account, modifying 9-20
locating 1-31
login accounts 9-19

IN-8 OL-4327-01
Index
Global Site Selector Manager login accounts 9-13

activating 2-18 modifying user account (GUI) 9-16
backing up 9-37 monitoring device status from GUI 10-6
changing role in GSS network 9-4 online help 1-47
changing the GUI password 9-17 overview 1-10
communication 1-33 password 9-17
configuring, primary 2-13 platform information 9-50
configuring, standby 2-13 primary 1-10
configuring the GUI 9-10 primary GSSM GUI overview 1-36
creating user account (GUI) 9-14 printing data 9-12
database 1-10, 1-33 redundancy 1-33
database, monitoring 10-7 removing user account (GUI) 9-17
database, restoring from backup 9-52 resetting the GUI password 9-17
default username and password 2-16 resources, grouping 3-16
definition G-3 restoring earlier software version 9-49
deployment 1-31 restoring full backup 9-49
DNS rule configuration interface 2-24, 8-2 role change 9-4
DNS rules 1-12 security 9-13
downgrading software 9-48 setup configuration decisions 2-6
error messages 9-78 standby 1-11
exporting data 9-12 standby, as backup 1-31
GSLB configuration 2-23 standby acting as primary 1-33
GUI overview 1-36 switching primary and standby role 9-2
icons 1-41 upgrading software 9-41
initial setup 2-8 viewing system logs 10-28
inter-GSS communication 1-33 global statistics 10-20
keepalives overview 6-1 glossary of terms G-1
locating 1-31 glue A records 8-43
logging on 2-15

OL-4327-01 IN-9
Index
GSLB setup configuration decisions 2-6

See global server load balancing standby GSSM, removing 9-2
GSS URL 2-15
See Global Site Selector GSS-related ports and protocols 9-25
gss.log file 10-24 GUI
GSSM browsers supported 1-36
See Global Site Selector Manager configuration 9-10, 9-11
gssm standby-to-primary command 9-5 details pages 1-40
GSS network device management 1-34
changing GSSM role 9-4 icons 1-41
configuration 1-10, 1-33 list pages 1-38
configuration overview 2-6 logging on 1-36, 2-15
definition G-3 monitoring GSS device status 10-6
deployment 1-31 navigation 1-41
global statistics 10-20 organization 1-38
GSLB status 10-9 overview 1-36
GSS, removing 9-2 password 9-17
GSSM connectivity 2-12 refreshing 1-42, 9-10, 9-12
limiting network traffic 9-22 security 9-13
logically removing a GSS 9-2 session inactivity timeout 9-10, 9-11
logically removing a standby GSSM 9-2 tabs 1-38
management 1-34 timeout 9-11
monitoring through CLI 10-3 understanding 1-36
monitoring through GUI 10-6 user account, creating 9-14
organizing 3-2 user account, modifying 9-16
primary GSSM 1-10 user account, removing 9-17
primary GSSM, removing 9-2
resource grouping 3-16
segmenting network traffic 9-22

IN-10 OL-4327-01
Index
H I
hashed balance method 1-26, 8-23, 8-31 ICMP keepalive

help global keepalive configuration 6-3
navigation link 1-47 overview 1-18
obtaining 1-47 shared keepalive configuration 6-21
primary GSSM Online help overview 1-47 VIP answer 7-7
hosted domain icons 1-41
definition G-3 Info log message 10-29
domain names 1-13 inter-GSS communication 1-33
name examples 1-13 inter-GSS communications 9-22
overview 1-13, 5-1 iterative requests 1-5
regular expressions 1-13
requested 1-12
K
statistics 10-17
HTTP HEAD keepalive KAL
default path 6-11, 6-25, 7-12 See keepalive
destination port 6-11, 7-11 KAL-AP keepalive
global keepalive configuration 6-9 by tag 7-14
host tag 6-25, 7-12 by VIP 7-14
overview 1-18 CAPP hash secret 6-14, 6-27
shared keepalive configuration 6-24 global keepalive configuration 6-12
termination method 6-11, 6-25, 7-12 overview 1-19
VIP answer 7-11 primary and secondary IP addresses 6-27
HyperTerminal shared keepalive configuration 6-26
launching 2-2 VIP answer 7-13
saving session 2-3 keepalive
CRA overview 1-19
CRA type 1-19

OL-4327-01 IN-11
Index
definition G-4 TCP connection termination method 6-8, 6-23,

7-10
deleting a shared keepalive 6-29
error messages 9-72, 9-74 TCP overview 1-18
transmission interval formula 1-21
failure detection time, adjusting 1-20
fast transmission rate 1-20, 6-4, 6-7, 6-10, 6-13 VIP 1-18, 1-19, 6-17
global properties, modifying 6-2

global properties, overview 6-1 L
HTTP HEAD connection termination
method 6-11, 6-25, 7-12 last gasp address 8-24
HTTP HEAD overview 1-18 least loaded 8-31
ICMP type 1-18 balance method 1-25, 8-23, 8-31
KAL-AP overview 1-19 overview 1-25, 8-23, 8-31
keepalive attempts 1-23, 6-5, 6-8, 6-11, 6-14, 6-22, weight option 1-29
6-23, 6-25, 6-27, 7-8, 7-10, 7-12
list pages
monitoring status 10-5
overview 1-38
name server 1-20
sorting items 1-38
name server overview 1-20
loading startup configuration from external
none 1-20 file 9-9
number of retries 1-22, 6-5, 6-8, 6-11, 6-14, 6-23, load threshold, balance method option 1-29,
6-25, 6-27, 7-8, 7-10, 7-12 8-19
overview 1-17 location
probes 1-23, 6-5, 6-8, 6-11, 6-14, 6-22, 6-23, 6-25, creating 3-6
6-27, 7-8, 7-10, 7-12
definition G-4
probes per second 10-21
deleting 3-10
shared keepalive, creating 6-17
error messages 9-76
shared keepalive, modifying 6-28
modify all answers in 7-21
shared keepalive overview 6-17
modifying 3-9
shared VIP keepalives, overview 6-17
organizing resources 3-16
standard transmission rate 1-20, 6-4, 6-7, 6-10,
overview 3-2
6-13
suspending all answers 7-21
supported types 1-17

IN-12 OL-4327-01
Index
location overview 1-30

M
log files
logging levels 10-22 messages
rotating 10-26 error 9-56
subsystem 10-25 purging 10-30
viewing 10-22 system log 10-31
logging levels 10-22 viewing 10-28
logging on to GSSM GUI 2-15 MIBs 9-33, 9-36
logically removing Modify icon 1-42
standby GSSM from a network 9-2 monitoring
logically removing a GSS from a network 9-2 answer hit counts 10-10
login answer keepalive statistics 10-11
accounts 9-13 answer status 10-14
certificate 2-15 boomerang server status 10-3
default 2-16 database status 10-7
GUI 1-36 DNS rule statistics 10-15
security 9-13 DNS server 10-4
login accounts global load-balancing status 10-9
creating on GSS 9-19 global statistics 10-20
creating on GSSM 9-14 GSS network status 10-3
deleting 9-20 hosted domain statistics 10-17
GSSM 9-13 keepalives 10-5
managing 9-19 online status 10-2
modifying 9-16, 9-20 resource usage 10-2
removing 9-17 source address statistics 10-18
status of GSS devices by CLI 10-2
status of GSS devices from the GUI 10-6
Monitoring tab 1-38

OL-4327-01 IN-13
Index
configuration for GSS devices 9-8

N
deployment 1-31
name server locating GSS on 1-31
answer type, creating 7-17 running configuration, changing 9-8
authoritative 1-6 startup configuration, changing 9-8
authoritative name server (ANS) 1-4 network management 1-34
balance method 7-23 CLI-based 1-34
balance method options 1-28 GUI-based 1-35
balance methods 8-23, 8-31 node communication 1-33
client name server (CNS) 1-4 number of retries for keepalive types 1-22, 6-5,
definition G-4 6-8, 6-11, 6-14, 6-23, 6-25, 6-27, 7-8, 7-10, 7-12
DNS resolvers (DNSR) 1-4

forwarding 1-16
O
intermediate name server (INS) 1-4
keepalive 1-20 one-way delay 7-16
name server answer overview 1-16 Online help overview 1-47
overview 1-4 ordered list 8-31
query 7-19 balance method 1-24, 8-23, 8-31
records, adding to zone configuration definition G-4
file 8-43 overview 1-24
root name servers (RNS) 1-4 order option, balance method 1-28, 8-19
name server keepalive origin server G-5
global keepalive configuration 6-16 owner
minimum frequency 6-16 creating 3-11
overview 1-20 deleting 3-15
query domain 6-16 error messages 9-77
navigation through the GUI 1-41 modifying 3-14
network organizing resources 3-16
configuration, erasing 9-7 overview 1-30, 3-2
configuration, modifying 9-7 reactivating all DNS rules 8-36

IN-14 OL-4327-01
Index
suspending all answer groups for 7-32 Print icon 1-42

suspending all DNS rules 8-36 private and public key pairs 2-5
protocols and ports for GSS devices 9-25
proximity DNS race 7-15
P
purging system log messages 10-30
Partner Initiated Customer Access
See PICA
Q
password
CLI, resetting 9-21 query
default 2-16 answers 7-2
GSSM GUI, changing 9-17 balance methods 1-24
GSSM GUI, resetting 9-17 CRA answer 7-14
logging in 2-16 DNS request 1-6
resetting CLI administrator account 9-21 DNS rules 1-12
user account, creating 9-15 KAL-AP 1-19, 7-14
PICA 9-44 match DNS query type 8-26
platform information name server 1-20, 6-16
restoring 9-50 name server answer 7-17
summary 9-50 not matched to D-proxy 1-14
ports and protocols 9-25, 9-31 query domain 6-16
primary GSSM source addresses 1-13
changing to standby 9-4 VIP answer 7-2
configuring the GUI 9-10
overview 1-10
R
security 9-13
viewing system logs 10-28 reactivating
Print icon 1-42 all answer groups for an owner 7-32
printing all answers in an answer group 7-32
GSSM data 9-12 all answers in location 7-21

OL-4327-01 IN-15
Index
all DNS rules by owner 8-36 answer status 10-14

answer 7-21 database validation 10-8
DNS rule 8-35 DNS rule hit count 10-15
record domain hit count 10-17
database records, validating 10-7 keepalive statistics 10-11
request 8-26, 8-30 source address hit count 10-18
redundancy synchronization 1-33 reporting interval 9-12
Refresh icon 1-42 requests
refreshing the GUI 1-42, 9-10, 9-12 iterative 1-5
region resolution 1-4, 1-7
creating 3-3 resetting
definition G-5 CLI administrator account 9-21
deleting 3-10 CLI password 9-21
error messages 9-77 GUI password 9-17
modifying 3-8 password 9-21
organizing resources 3-16 resources
overview 1-30, 3-2 configuring 3-1
regular expressions 1-13, 5-1 grouping 3-16
remote access organizing 3-2
enabling 2-3 Resources tab 1-38
FTP 2-3 restoring
SSH 2-3 earlier software version 9-49
Telnet 2-3 GSSM database from a backup 9-52
remote connection GSSM from full backup 9-49
accessing CLI 2-4 GSSM platform information 9-50
SSH 2-4 rotating log files 10-26
Telnet 2-4 round robin 8-31
report balance method 1-25, 8-23, 8-31
answer hit counts 10-10 overview 1-25

IN-16 OL-4327-01
Index
round-trip time 7-16 shared keepalives

running configuration HTTP HEAD configuration settings 6-24
changing 9-8 ICMP configuration settings 6-21
saving 9-8 KAL-AP configuration settings 6-26
TCP configuration settings 6-22
show access-list command 9-30
S
show logs command 10-24
sample BIND zone configuration 8-44 show statistics command 10-3
secure HTTP address 2-16 boomerang 10-3
security dns 10-4
configuration 9-13 keepalive 10-5
GUI 9-13 Simple Network Management Protocol
(SNMP)
segmenting GSS traffic by interface 9-22
community-string 9-34
server load balancer 1-2, G-5
configuring 9-34
service provider G-5
contact information 9-34
session inactivity timeout 9-10, 9-11
enabling 9-34
setup script 2-8
location 9-35
bypassing 2-8
MIB files, viewing 9-36
configuring GSS 2-8
overview 9-33
configuring GSSM 2-8
port, changing 9-36
severity log message 10-28
viewing status 9-35
shared keepalive
software, restoring earlier version 9-49
creating 6-17
software downgrade
deleting 6-29
procedure 9-48
error messages 9-72
restoring earlier software version 9-49
modifying 6-28
software update
overview 6-17
new update file 9-43
obtaining update file 9-43
procedure 9-41

OL-4327-01 IN-17
Index
sort SSL
DNS rules 8-38 See Secure Socket Layer
removing 8-42 standby GSSM
Sort icon 1-42 changing to primary 9-4
source address definition 1-33
Anywhere 1-14, 4-1 overview 1-11
blocks 1-14, 4-1 startup configuration
hit counts 10-18 changing 9-8, 9-9
maximum per source address list 4-1 loading from external file 9-9
overview 1-14 saving from external file 9-9
source address and domain hash balance static proximity G-5
method 1-26, 8-23, 8-31
statistics
source address list
answer hit counts 10-10
adding addresses 4-3
answer keepalive 10-11
address blocks 4-4
answer status 10-14
anywhere 1-14
DNS rule hit count 10-15
Anywhere (default) 4-1
global 10-20
creating 4-1, 4-2
hosted domains 10-17
current members 4-4
source address 10-18
definition G-5
subdomains, delegation 1-31, 8-43
deleting 4-7
Submit icon 1-43
DNS Rule Wizard 8-7
subscriber G-5
error messages 9-79
subsystem log files
general configuration 4-3
rotating 10-26
maximum addresses 4-1
viewing 10-25
modifying 4-5
suspending
overview 1-13
all answer groups for an owner 7-32
removing addresses 4-6
all answers in a location 7-21
SSH, enabling 2-3
all answers in an answer group 7-32

IN-18 OL-4327-01
Index
all DNS rules by owner 8-36 troubleshooting 9-56

answer 7-20 TTL
answer group 7-30 See Time To Live
DNS rule 8-34
switching primary and standby GSSM role 9-2
U
synchronization of primary and standby
GSSM 1-33
update file, obtaining 9-43
system log
upgrading
messages 10-31
GSS device software 9-41
purging 10-30
obtaining update file 9-43
severity 10-28
order of operation 9-41
viewing 10-28
URL, secure HTTP 2-16
user
T account, creating 9-14

account, modifying 9-16
tail command option 10-24
account, removing 9-17
TCP keepalive error messages 9-81
destination port 6-8, 7-9
user account
global keepalive configuration 6-6 creating 9-14
overview 1-18
creating for GUI 9-14
shared keepalive configuration 6-22 creating with CLI 9-19
termination method 6-8, 6-23, 7-10
deleting 9-20
VIP answer 7-9 modifying 9-16, 9-20
Telnet, enabling 2-3, 2-5
removing 9-17
third-party software, viewing information 9-54 user interface
Time To Live G-6
details windows 1-40
Tools tab 1-38 icons 1-41
traffic
list windows 1-38
limiting 9-22 log on to 2-15
segmenting by interface 9-22

OL-4327-01 IN-19
Index
navigation 1-41 creating 7-2

organization 1-38 HTTP HEAD keepalive 7-11
understanding 1-36 ICMP keepalive 7-7
username KAL-AP keepalive 7-13
default 2-16 TCP keepalive 7-9
logging in 2-16 VIP keepalive type
user account, creating 9-15 HTTP HEAD 1-18
ICMP 1-18
KAL-AP 1-19
V
TCP 1-18
validating database records 10-7
viewing
W
access lists 9-30
gss.log file 10-24 warning log message 10-28
log files 10-22 weight
MIB files 9-36 balance method overview 1-28, 8-19
SNMP status 9-35 least loaded 1-29
subsystem log files 10-25 round-robin 1-29
system log 10-28 weighted round robin
third-party software information 9-54 balance method 1-25, 8-23, 8-31
VIP overview 1-25
answer groups 7-23 wildcards
answers 7-2 example 8-13
balance method options 1-28 in domains 5-2, 5-6, 8-13
balance methods 7-23, 8-23, 8-31 maximum length in domain names 5-6
keepalive type 1-18 wizard
VIP answer overview 1-15 creating DNS rules 8-5
VIP answer DNS Rule Wizard 8-2
answer types 7-5 overview 8-2

IN-20 OL-4327-01
Index
write memory command 9-8
zone configuration file

modifying 8-43
sample 8-44

OL-4327-01 IN-21
Index

IN-22 OL-4327-01

Cisco Global Site Selector Configuration Guide Book-Length PDF v1.1

Diunggah oleh

Informasi Dokumen

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Cisco Global Site Selector Configuration Guide Book-Length PDF v1.1

Diunggah oleh

Hak Cipta:

Format Tersedia

Cisco Global Site Selector

Text Part Number: OL-4327-01

Cisco Global Site Selector Configuration Guide

CHAPTER 1 Introducing the Global Site Selector 1-1

Cisco Global Site Selector Configuration Guide

GSS Architecture 1-9

Cisco Global Site Selector Configuration Guide

CHAPTER 2 Setting Up Your GSS 2-1

Cisco Global Site Selector Configuration Guide

Logging Into the Primary GSSM Graphical User Interface 2-15

CHAPTER 3 Configuring Resources 3-1

CHAPTER 4 Configuring Source Address Lists 4-1

Cisco Global Site Selector Configuration Guide

CHAPTER 5 Configuring Domain Lists 5-1

CHAPTER 6 Configuring KeepAlives 6-1

Cisco Global Site Selector Configuration Guide

CHAPTER 7 Configuring Answers and Answer Groups 7-1

CHAPTER 8 Building and Modifying DNS Rules 8-1

Cisco Global Site Selector Configuration Guide

Building DNS Rules Using the Wizard 8-5

CHAPTER 9 GSS Administration and Troubleshooting 9-1

Cisco Global Site Selector Configuration Guide

Modifying Network Configuration Settings of a GSS 9-7

Cisco Global Site Selector Configuration Guide

Backing Up the GSSM 9-37

Cisco Global Site Selector Configuration Guide

CHAPTER 10 Monitoring GSS Performance 10-1

Cisco Global Site Selector Configuration Guide

Cisco Global Site Selector Configuration Guide

Cisco Global Site Selector Configuration Guide

Figure 1-1 Domain Name Space 1-3

Figure 1-2 DNS Request Resolution 1-5

Figure 1-5 Primary GSSM Welcome Window 1-37

Figure 1-6 Answers List Page 1-39

Figure 1-7 Modifying Answer Details Page 1-40

Figure 1-8 GSSM Online Help 1-47

Figure 2-1 Primary GSSM Welcome Window 2-17

Figure 2-3 Modifying GSS Details Page 2-20

Figure 3-1 Regions List Page 3-4

Figure 3-2 Creating New Region Details Page 3-5

Figure 3-3 Locations List Page 3-6

Figure 3-4 Creating New Location Details Page 3-7

Figure 3-5 Modifying Region Details Page 3-8

Figure 3-6 Modifying Location Details Page 3-9

Figure 3-7 Owners List Page 3-12

Figure 3-8 Creating New Owner Details Page 3-13

Figure 3-9 Modifying Owner Details Page 3-14

Figure 4-1 Source Address Lists List Page 4-2

Cisco Global Site Selector Configuration Guide

Figure 4-5 Modifying Source Address List - Remove Addresses 4-6

Figure 4-6 Modifying Source Address List - Delete Icon 4-8

Figure 5-1 Domain Lists Page 5-3

Figure 5-3 Creating New Domain List - Add Domains 5-5

Figure 5-4 Creating Domain List - Current Members List 5-7

Figure 5-5 Modifying Domain List - Remove Domains 5-9

Figure 5-6 Modifying Domain List - Delete Icon 5-11

Figure 6-1 Configure Global KeepAlive Properties Details Page 6-2

Figure 6-2 ICMP Global KeepAlive—Standard KAL Type 6-3

Figure 6-3 ICMP Global KeepAlive—Fast KAL Type 6-4

Figure 6-4 TCP Global KeepAlive—Standard KAL Type 6-6

Figure 6-5 TCP Global KeepAlive—Fast KAL Type 6-7

Figure 6-6 HTTP HEAD Global KeepAlive—Standard KAL Type 6-9

Figure 6-7 HTTP HEAD Global KeepAlive—Fast KAL Type 6-10

Figure 6-8 KAL-AP Global KeepAlive—Standard KAL Type 6-12