AX GSLB Guide v2 7 0-20121010

GlobalServerLoadBalancingGuide
AX Series Advanced Traffic Manager

Document No.: D-030-01-00-0029 Ver. 2.7.0 10/10/2012
A10 Networks, Inc. 10/10/2012 - All Rights Reserved
Information in this document is subject to change without notice. Trademarks

A10 Networks, the A10 logo, aACI, aCloud, ACOS, aDCS, aDNS, aELB, aFleX, aFlow, aGalaxy, aPlatform, aUSG, aVCS, aWAF, aXAPI, IDAccess, IDSENTRIE, IP to ID, SmartFlow, SoftAX, Unified Service Gateway, Virtual Chassis, VirtualADC, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners.
Patents Protection
A10 Networks products including all AX Series products are protected by one or more of the following US patents and patents pending: 8291487, 8266235, 8151322, 8079077, 7979585, 7716378, 7675854, 7647635, 7552126, 20120216266, 20120204236, 20120179770, 20120144015, 20120084419, 20110239289, 20110093522, 20100235880, 20100217819, 20090049537, 20080229418, 20080148357, 20080109887, 20080040789, 20070283429, 20070282855, 20070271598, 20070195792, 20070180101
Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc. This information may contain forward looking statements and therefore is subject to change.
A10 Networks Inc. Software License and End User Agreement

Software for all AX Series products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software as confidential information. Anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not: 1) reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means 2) sublicense, rent or lease the Software.
Disclaimer
The information presented in this document describes the specific products noted and does not imply nor grant a guarantee of any technical performance nor does it provide cause for any eventual claims resulting from the use or misuse of the products described herein or errors and/or omissions. A10 Networks, Inc. reserves the right to make technical and other changes to their products and documents at any time and without prior notification. No warranty is expressed or implied; including and not limited to warranties of non-infringement, regarding programs, circuitry, descriptions and illustrations herein.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks location, which can be found by visiting www.a10networks.com.
AX Series - GSLB Configuration Guide

End User License Agreement

IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. DOWNLOADING, INSTALLING OR USING A10 NETWORKS OR A10 NETWORKS PRODUCTS, OR SUPPLIED SOFTWARE CONSTITUTES ACCEPTANCE OF THIS AGREEMENT. A10 NETWORKS IS WILLING TO LICENSE THE PRODUCT (AX Series) TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. BY DOWNLOADING OR INSTALLING THE SOFTWARE, OR USING THE EQUIPMENT THAT CONTAINS THIS SOFTWARE, YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT (COLLECTIVELY, "CUSTOMER") TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, THEN A10 NETWORKS IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT. The following terms of this End User License Agreement ("Agreement") govern Customer's access and use of the Software, except to the extent there is a separate signed agreement between Customer and A10 Networks governing Customer's use of the Software License. Conditioned upon compliance with the terms and conditions of this Agreement, A10 Networks Inc. or its subsidiary licensing the Software instead of A10 Networks Inc. ("A10 Networks"), grants to Customer a nonexclusive and nontransferable license to use for Customer's business purposes the Software and the Documentation for which Customer has paid all required fees. "Documentation" means written information (whether contained in user or technical manuals, training materials, specifications or otherwise) specifically pertaining to the product or products and made available by A10 Networks in any manner (including on CD-Rom, or on-line). Unless otherwise expressly provided in the Documentation, Customer shall use the Software solely as embedded in or for execution on A10 Networks equipment owned or leased by Customer and used for Customer's business purposes. General Limitations. This is a license, not a transfer of title, to the Software and Documentation, and A10 Networks retains ownership of all copies of the Software and Documentation. Customer acknowledges that the Software and Documentation contain trade secrets of A10 Networks, its suppliers or licensors, including but not limited to the specific internal design and structure of individual programs and associated interface information. Accordingly, except as otherwise expressly provided under this Agreement, Customer shall have no right, and Customer specifically agrees not to: a. transfer, assign or sublicense its license rights to any other person or entity, or use the Software on unauthorized or secondhand A10 Networks equipment make error corrections to or otherwise modify or adapt the Software or create derivative works based upon the Software, or permit third parties to do the same
b.
Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
3 of 260

c. reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to human readable form, except to the extent otherwise expressly permitted under applicable law notwithstanding this restriction disclose, provide, or otherwise make available trade secrets contained within the Software and Documentation in any form to any third party without the prior written consent of A10 Networks. Customer shall implement reasonable security measures to protect such trade secrets.
d.
Software, Upgrades and Additional Products or Copies. For purposes of this Agreement, "Software" and Products shall include (and the terms and conditions of this Agreement shall apply to) computer programs, including firmware and hardware, as provided to Customer by A10 Networks or an authorized A10 Networks reseller, and any upgrades, updates, bug fixes or modified versions thereto (collectively, "Upgrades") or backup copies of the Software licensed or provided to Customer by A10 Networks or an authorized A10 Networks reseller. OTHER PROVISIONS OF THIS AGREEMENT: a. CUSTOMER HAS NO LICENSE OR RIGHT TO USE ANY ADDITIONAL COPIES OR UPGRADES UNLESS CUSTOMER, AT THE TIME OF ACQUIRING SUCH COPY OR UPGRADE, ALREADY HOLDS A VALID LICENSE TO THE ORIGINAL SOFTWARE AND HAS PAID THE APPLICABLE FEE FOR THE UPGRADE OR ADDITIONAL COPIES USE OF UPGRADES IS LIMITED TO A10 NETWORKS EQUIPMENT FOR WHICH CUSTOMER IS THE ORIGINAL END USER PURCHASER OR LEASEE OR WHO OTHERWISE HOLDS A VALID LICENSE TO USE THE SOFTWARE WHICH IS BEING UPGRADED THE MAKING AND USE OF ADDITIONAL COPIES IS LIMITED TO NECESSARY BACKUP PURPOSES ONLY.
b.
c.
Term and Termination. This Agreement and the license granted herein shall remain effective until terminated. All confidentiality obligations of Customer and all limitations of liability and disclaimers and restrictions of warranty shall survive termination of this Agreement. Export. Software and Documentation, including technical data, may be subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such regulations and acknowledges that it has the responsibility to obtain licenses to export, re-export, or import Software and Documentation.
Trademarks
A10 Networks, the A10 logo, aACI, aCloud, ACOS, aDCS, aDNS, aELB, aFleX, aFlow, aGalaxy, aPlatform, aUSG, aVCS, aWAF, aXAPI, IDAccess, IDSENTRIE, IP to ID, SmartFlow, SoftAX, Unified Service Gateway, Virtual Chassis, VirtualADC, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners.
Patents Protection
A10 Networks products including all AX Series products are protected by one or more of the following US patents and patents pending: 8291487, 8266235, 8151322, 8079077, 7979585, 7716378, 7675854, 7647635, 7552126, 20120216266, 20120204236, 20120179770, 20120144015, 20120084419, 20110239289, 20110093522, 20100235880, 20100217819, 20090049537, 20080229418, 20080148357, 20080109887, 20080040789, 20070283429, 20070282855, 20070271598, 20070195792, 20070180101
4 of 260

End User License Agreement Limited Warranty
Disclaimer of Liabilities. REGARDLESS OF ANY REMEDY SET FORTH FAILS OF ITS ESSENTIAL PURPOSE OR OTHERWISE, IN NO EVENT WILL A10 NETWORKS OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, PROFIT, OR LOST OR DAMAGED DATA, BUSINESS INTERRUPTION, LOSS OF CAPITAL, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY OR WHETHER ARISING OUT OF THE USE OF OR INABILITY TO USE PRODUCT OR OTHERWISE AND EVEN IF A10 NETWORKS OR ITS SUPPLIERS OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall A10 Networks or its suppliers' or licensors' liability to Customer, whether in contract, (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim or if the Software is part of another Product, the price paid for such other Product. Customer agrees that the limitations of liability and disclaimers set forth herein will apply regardless of whetherCustomer has accepted the Software or any other product or service delivered by A10 Networks. Customer acknowledges and agrees that A10 Networks has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the parties. The Warranty and the End User License shall be governed by and construed in accordance with the laws of the State of California, without reference to or application of choice of law rules or principles. If any portion hereof is found to be void or unenforceable, the remaining provisions of the Agreement shall remain in full force and effect. This Agreement constitutes the entire and sole agreement between the parties with respect to the license of the use of A10 Networks Products unless otherwise supersedes by a written signed agreement.
5 of 260

6 of 260

Obtaining Technical Assistance
Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid A10 Networks Regular and Technical Support service contracts, the A10 Networks Technical Assistance Center provides support services online and over the phone.
Corporate Headquarters A10 Networks, Inc. 3 West Plumeria Dr San Jose, CA 95134 USA Tel: +1-408-325-8668 (main) Tel: +1-888-822-7210 (support toll-free in USA) Tel: +1-408-325-8676 (support direct dial) Fax: +1-408-325-8666 www.a10networks.com
Collecting System Information

The AX device provides a simple method to collect configuration and status information for Technical Support to use when diagnosing system issues. To collect system information, use either of the following methods.
USING THE GUI (RECOMMENDED)

1. Log into the GUI. 2. On the main page (Monitor Mode > Overview > Summary), click . This option downloads a text log file.
3. Email the file as an attachment to [email protected].
USING THE CLI

1. Log into the CLI. 2. Enable logging in your terminal emulation application, to capture output generated by the CLI. 3. Enter the enable command to access the Privileged EXEC mode of the CLI. Enter your enable password at the Password prompt. Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
7 of 260

Obtaining Technical Assistance 4. Enter the show techsupport command. 5. After the command output finishes, save the output in a text file. 6. Email the file as an attachment to [email protected]. Note: As an alternative to saving the output in a log file captured by your terminal emulation application, you can export the output from the CLI using the following command: show techsupport export [use-mgmt-port] url (For syntax information, see the AX Series CLI Reference.)
8 of 260

About This Document
About This Document

This document describes features of the A10 Networks AX Series / Application Delivery Controller. FIGURE 1 AX 5630 (front panel view)
Information is available for AX Series products in the following documents. These documents are included on the documentation CD shipped with your AX Series product, and also are available on the A10 Networks support site:
AX Series Installation Guides AX Series LOM Reference AX Series System Configuration and Administration Guide AX Series Application Delivery and Server Load Balancing Guide AX Series Global Server Load Balancing Guide AX Series GUI Reference AX Series CLI Reference AX Series aRule Reference AX Series MIB Reference AX Series aXAPI Reference
Make sure to use the basic deployment instructions in the AX Series Installation Guide for your AX model, and in the AX Series System Configuration and Administration Guide. Also make sure to set up your devices Lights Out Management (LOM) interface, if applicable.
9 of 260

About This Document Note: Some guides include GUI configuration examples. In these examples, some GUI pages may have new options that are not shown in the example screen images. In these cases, the new options are not applicable to the examples. For information about any option in the GUI, see the AX Series GUI Reference or the GUI online help.
Audience
This document is intended for use by network architects for determining applicability and planning implementation, and for system administrators for provision and maintenance of A10 Networks AX Series products.
Documentation Updates
Updates to these documents are published periodically to the A10 Networks support site, on an updated documentation CD (posted as a zip archive). To access the latest version, please log onto your A10 support account and navigate to the following page: Support > AX Series > Technical Library. http://www.a10networks.com
A10 Virtual Application Delivery Community

You can use your A10 support login to access the A10 Virtual Application Delivery Community (VirtualADC). The VirtualADC is an interactive forum where you can find detailed information from product specialists. You also can ask questions and leave comments. To access the VirtualADC, navigate here: http://www.a10networks.com/adc/
10 of 260

Contents
End User License Agreement Obtaining Technical Assistance About This Document
3 7 9
Collecting System Information.............................................................................................................. 7
Audience................................................................................................................................................ 10 Documentation Updates ...................................................................................................................... 10 A10 Virtual Application Delivery Community..................................................................................... 10
GSLB Overview
17
GSLB Deployment Modes.................................................................................................................... 18 Zones, Services, and Sites .................................................................................................................. 18 GSLB Policy .......................................................................................................................................... 18 Policy Metrics .................................................................................................................................. 19 Health Checks ............................................................................................................................. 21 Geo-Location ............................................................................................................................... 22 DNS Options ............................................................................................................................... 23 Metrics That Require the GSLB Protocol on Site AX Devices .................................................... 26
GSLB Configuration
27
Overview................................................................................................................................................ 27 Configure Health Monitors................................................................................................................... 28 Configure the DNS Proxy..................................................................................................................... 29 Configure a GSLB Policy ..................................................................................................................... 31 Enabling / Disabling Metrics ........................................................................................................... 32 Changing the Metric Order .................................................................................................................. 34 Configuring Active-Round Delay Time ............................................................................................ 35 Configuring BW-Cost Settings ........................................................................................................ 42 How Bandwidth Cost Is Measured .............................................................................................. 42 Configuration Requirements ........................................................................................................ 42 Configuring Bandwidth Cost ........................................................................................................ 43 Configuring Alias Admin Preference ............................................................................................... 47 Configuring Weighted Alias ............................................................................................................ 48 Loading or Configuring Geo-Location Mappings ............................................................................ 49 Geo-location Overlap .................................................................................................................. 57
11 of 260

Contents
Configure Services................................................................................................................................61 Gateway Health Monitoring ............................................................................................................ 62 CLI ExampleSite with Single Gateway Link ................................................................................ 65 CLI ExampleSite with Multiple Gateway Links ............................................................................ 65 Multiple-Port Health Monitoring ...................................................................................................... 66 Configure Sites......................................................................................................................................67 Configure a Zone...................................................................................................................................69 Enable the GSLB Protocol....................................................................................................................70 Resetting or Clearing GSLB .................................................................................................................70
Auto-mapping Advanced DNS Options
73 77
Configuration ............................................................................................................................... 74
DNS Active-only ....................................................................................................................................78 Support for DNS TXT Records .............................................................................................................80 Append All NS Records in DNS Authority Section ............................................................................82 Hints in DNS Responses ......................................................................................................................83 DNS Sub-zone Delegation ....................................................................................................................85 DNS Proxy Block ...................................................................................................................................91
Partition-specific Group Management GSLB Configuration Examples
97 99
Implementation Details .........................................................................................................................97
CLI Example...........................................................................................................................................99 Configuration on the GSLB AX Device (GSLB Controller) ............................................................. 99 Configuration on Site AX Device AX-A ......................................................................................... 101 Configuration on Site AX Device AX-B ......................................................................................... 101 GUI Example ........................................................................................................................................102 Configuration on the GSLB AX Device (GSLB Controller) ........................................................... 102 Configuration on Site AX Devices ................................................................................................ 112
GSLB Configuration Synchronization
113
Overview ..............................................................................................................................................113 GSLB Group Parameters ....................................................................................................................116 Configuration.......................................................................................................................................117 12 of 260


Contents
Geo-location-based Access Control
121
Using a Class List............................................................................................................................... 121 Using a Black/White List .................................................................................................................... 123 Configuring the Black/White List ................................................................................................... 123 Full-Domain Checking........................................................................................................................ 128 Full-Domain Checking .................................................................................................................. 129 Enabling PBSLB Statistics Counter Sharing ................................................................................. 129
Cloud-based Computing Solution DNSSEC Support
131 133
Overview.............................................................................................................................................. 133 DNS without Security .................................................................................................................... 134 DNSSEC (DNS with Security) ...................................................................................................... 137 Building the Chain of Trust ........................................................................................................... 140 Performing Key Rollovers ............................................................................................................. 142 ZSK Key Rollovers .................................................................................................................... 143 KSK Key Rollovers .................................................................................................................... 144 Importing and Exporting the Delegation Signature Keyset ........................................................... 145 DNSSEC Templates .................................................................................................................. 146 Configuration ...................................................................................................................................... 148 Configuration Examples .................................................................................................................... 151 CLI Example #1 CLI Example #2 CLI Example #3 CLI Example #4 ............................................................................................................................ 151 ............................................................................................................................ 151 ............................................................................................................................ 152 ............................................................................................................................ 152
CLI Command Reference
153
Main Configuration Commands ........................................................................................................ 153

gslb active-rdt ....................................................................................................................................... 153 gslb dns action ..................................................................................................................................... 155 gslb dns logging ................................................................................................................................... 155 gslb geo-location .................................................................................................................................. 156 gslb geo-location delete ....................................................................................................................... 157 gslb geo-location load .......................................................................................................................... 158 gslb group ............................................................................................................................................ 159 gslb ip-list ............................................................................................................................................. 161 gslb ping .............................................................................................................................................. 162 gslb policy ............................................................................................................................................ 163 gslb protocol ........................................................................................................................................ 163 Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
13 of 260

Contents gslb protocol limit ................................................................................................................................. 165 gslb service-ip ...................................................................................................................................... 166 gslb site ............................................................................................................................................... 168 gslb system auto-map module ............................................................................................................. 173 gslb system auto-map ttl ...................................................................................................................... 173 gslb system ip-ttl .................................................................................................................................. 174 gslb system prompt ............................................................................................................................. 174 gslb system reset ................................................................................................................................. 175 gslb system wait .................................................................................................................................. 175 gslb template csv ................................................................................................................................. 175 gslb template snmp ............................................................................................................................. 177 gslb zone ............................................................................................................................................. 180 no gslb all ............................................................................................................................................ 187
Policy Configuration Commands.......................................................................................................188

active-rdt .............................................................................................................................................. 188 active-servers ...................................................................................................................................... 191 admin-ip ............................................................................................................................................... 192 admin-preference ................................................................................................................................ 192 alias-admin-preference ........................................................................................................................ 193 bw-cost ................................................................................................................................................ 193 capacity ............................................................................................................................................... 194 connection-load ................................................................................................................................... 195 dns ....................................................................................................................................................... 197 dnssec key-generate ........................................................................................................................... 207 export dnssec-dnskey .......................................................................................................................... 208 geo-location ......................................................................................................................................... 209 geo-location match-first ....................................................................................................................... 209 geo-location overlap ............................................................................................................................ 210 geographic ........................................................................................................................................... 211 health-check ........................................................................................................................................ 211 import dnssec-dnskey .......................................................................................................................... 212 import dnssec-ds ................................................................................................................................. 213 ip-list .................................................................................................................................................... 214 least-response ..................................................................................................................................... 214 metric-fail-break ................................................................................................................................... 215 metric-force-check ............................................................................................................................... 215 metric-order ......................................................................................................................................... 215 num-session ........................................................................................................................................ 217 round-robin .......................................................................................................................................... 218 weighted-alias ...................................................................................................................................... 218 weighted-ip .......................................................................................................................................... 219 weighted-site ....................................................................................................................................... 220
14 of 260

Contents
Show Commands................................................................................................................................ 222

show gslb cache .................................................................................................................................. 222 show gslb config .................................................................................................................................. 223 show gslb fqdn ..................................................................................................................................... 227 show gslb geo-location ........................................................................................................................ 228 show gslb group ................................................................................................................................... 231 show gslb ip-list .................................................................................................................................... 234 show gslb memory ............................................................................................................................... 234 show gslb policy ................................................................................................................................... 234 show gslb protocol ............................................................................................................................... 236 show gslb rdt ........................................................................................................................................ 237 show gslb samples conn ...................................................................................................................... 239 show gslb samples conn-load .............................................................................................................. 240 show gslb samples rdt ......................................................................................................................... 242 show gslb service ................................................................................................................................. 243 show gslb service-ip ............................................................................................................................. 244 show gslb service-port ......................................................................................................................... 245 show gslb session ................................................................................................................................ 245 show gslb site ...................................................................................................................................... 246 show gslb slb-device ............................................................................................................................ 248 show gslb state .................................................................................................................................... 249 show gslb statistics .............................................................................................................................. 249 show gslb zone .................................................................................................................................... 250
Clear Command .................................................................................................................................. 254

clear ..................................................................................................................................................... 254
DNSSEC Commands .......................................................................................................................... 255

dnssec key-generate ............................................................................................................................ 255 dnssec template ................................................................................................................................... 256 dnssec sign-zone-now ......................................................................................................................... 257 show dnssec template ......................................................................................................................... 258
15 of 260

Contents
16 of 260

GSLB Overview -
GSLB Overview
This chapter provides an overview of Global Server Load Balancing (GSLB). Global Server Load Balancing (GSLB) uses Domain Name Service (DNS) technology and extends load balancing to global geographic scale. AX Series GSLB provides the following key advantages:
Protects businesses from down time due to site failures Ensures business continuity and applications availability Provides faster performance and improved user experience by directing
users to the nearest site

Increases data center efficiency and provides a better return on invest-
ment by distributing load to multiple sites

Provides flexible policies for selecting fairness and distribution to multi-
ple sites
In AX Release 2.7.0, all AX models and software do not have any code for Passive round trip time (RTT) for the time difference between receiving a TCP SYN and a TCP ACK for the TCP connection for GSLB. The code was completely removed starting from 2.7.0 because there was no single customer using this round trip time capability for GSLB.
In AX Release 2.7.0, the AX implementation of GSLB uses an array of fixed active IP addresses and the A10 site selection algorithm illustrated below in the figure, using an innovative method of iterative in-place marking. All AX models and software do not order the multiple network addresses based upon a first set of performance metrics from the stored performance metrics nor do any form of ordering or re-ordering of the network addresses for GSLB. (See GSLB Policy on page 18.)
17 of 260

GSLB Overview - GSLB Deployment Modes
GSLB Deployment Modes

You can deploy GSLB in proxy mode or server mode.
Proxy mode The AX device acts as a proxy for an external DNS
server. In proxy mode, the AX device can update the A and AAAA records in its response to client requests, but it forwards requests for all other record types to the external DNS server.
Server mode The AX device directly responds to queries for specific
service IP addresses in the GSLB zone. (The AX device still forwards other types of queries to the DNS server.) In server mode, the AX device can reply with A, AAAA, MX, NS, PTR, SRV and SOA records. For all other records, the AX device will attempt proxy mode. Note: An AX device becomes a GSLB AX device when you configure GSLB on the device and enable the GSLB protocol, for the controller function. The A10 Networks GSLB protocol uses port 4149. The protocol is registered on this port for both TCP and UDP.
Zones, Services, and Sites

GSLB operates on zones, services, and sites.
Zones A zone is a DNS domain for GSLB and is called a GSLB zone.
An AX device can be configured with one or more GSLB zones. Each zone can contain one or more GSLB sites. For example, mydomain.com is a domain.
Services A service is an application; for example, HTTP or FTP. Each
zone can be configured with one or more services. For example: www.mydomain.com is a service where www is the http service or an application.
Sites A site is a server farm that is locally managed by an AX device
that performs Server Load Balancing (SLB) for the site.
GSLB Policy
GSLB by default is not enabled. Use of the feature requires proper configuration. GSLB deals with multiple sites, and each site has unique IP address or IP addresses. GSLB uses an array of fixed site IP addresses and the new site selection algorithm is illustrated below using an innovative method of interactive in-
18 of 260

GSLB Overview - GSLB Policy place marking for selecting sites. GSLB does not order the multiple IP network addresses based on any set of performance metrics, and does not perform any form of ordering/reordering of the IP network addresses. The following figure illustrates the AX implementation. Each IP address is associated with a set of parameters. A site selection policy is based on the evaluation of the policy parameters. TABLE 1
Site IP Metric Health-check Geo-location Admin-preference Response back in round robin
GSLB site marking sample

Site1-IP Site2-IP M M Site3-IP Site4-IP M M M Site5-IP M Site6-IP M M M
As Site4-IP and Site6-IP are marked at the end of evaluation, these the two addresses will be selected in round robin manner and that means there is no determination of any single best network address.
Each site IP is tagged with Marked (M) or Un-marked for each evaluated parameter. The subsequent evaluation of the parameters is performed only on the previously marked sites and continues until the end of all the parameters in the metric policy regardless of how many sites are remaining as Marked. In other words, the AX device does not stop the evaluation even if there is one single site left, and continues with the evaluation until the end of the user configured metric parameters. At the end of the evaluation, the responses corresponding to the marked sites are sent back in a round-robin manner and there is no determination of any single best network address.
Policy Metrics
A GSLB policy consists of one or more of the following metrics: 1. Health-Check Services that pass health checks are preferred. 2. Weighted-IP Service IP addresses with higher administratively assigned weights are used more often than service IP addresses with lower weights. (See Weighted-IP and Weighted-Site on page 21.) 3. Weighted-Site Sites with higher administratively assigned weights are used more often than sites with lower weights. (See Weighted-IP and Weighted-Site on page 21.) 4. Session-Capacity Sites with more available sessions based on respective maximum Session-Capacity are preferred. Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
19 of 260

GSLB Overview - GSLB Policy 5. Active-Servers Sites with the most currently active servers are preferred. 6. Active-Round Delay Time (aRDT) Sites with faster round-delay-times for DNS queries and replies between a site AX device and the GSLB local DNS are preferred. 7. Geographic Services located within the clients geographic region are preferred. 8. Connection-Load Sites that are not exceeding their thresholds for new connections are preferred. 9. Num-Session Sites that are not exceeding available Session-Capacity threshold compared to other sites are treated as having the same preference. 10. Admin-Preference The site with the highest administratively set preference is selected. 11. BW-Cost Selects sites based on bandwidth utilization on the site AX links. 12. Least-Response Service IP addresses with the fewest hits are preferred. 13. Admin-IP Sites are preferred based on administratively assigned weight. 14. Round-Robin Sites are selected in sequential order. (See TieBreaker on page 21.) 15. Alias-Admin-Preference Selects the DNS CNAME record with the highest administratively set preference. This metric is similar to the Admin-Preference metric, but applies only to DNS CNAME records. 16. Weighted-Alias Prefers CNAME records with higher weight values over CNAME records with lower weight values. This metric is similar to Weighted-IP, but applies only to DNS CNAME records. The Health-Check, Geographic, and Round-Robin metrics are enabled by default. All other metrics are disabled by default. The metric order and the configuration of each metric are specified in a GSLB policy. Policies can be applied to GSLB zones and to individual services. The GSLB AX device has a default GSLB policy, named default, which is automatically applied to a zone or service. Note: Metric order does not apply to the Alias-Admin-Preference and Weighted-Alias metrics. When enabled, Alias-Admin-Preference always has high priority. In AX Release 2.6.0, the ability to configure the passive round-trip time metric (Passive-RTT) was removed. If a configuration were to contain any commands related to this deprecated metric, they would never take effect since there is no way to enable it. In the current release, all referPerformance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
Note:
20 of 260

GSLB Overview - GSLB Policy ences to the deprecated Passive-RTT metric have been removed from the software. Weighted-IP and Weighted-Site The Weighted-IP and Weighted-Site metrics allow you to bias selection toward specific sites or IP addresses. GSLB selects higher-weighted IP addresses or sites more often than lower-weighted IP addresses or sites. For example, if there are two sites (A and B), and A has weight 2 whereas B has weight 4, GSLB will select site B twice as often as site A. Specifically, GSLB will select site B the first 4 times, and will then select site A the next 2 times. This cycle then repeats: B is chosen 4 times, then A is chosen the next 2 times, then B is chosen the next 4 times, and so on. Note: If DNS caching is used, the cycle starts over if the cache aging timer expires. Tie-Breaker The AX device uses Round-Robin as a tie-breaker to select a site. This is true even if the Round-Robin metric is disabled in the GSLB policy. (See Configure a GSLB Policy on page 31.)
Health Checks
The Health-Check metric checks the availability (health) of the real servers and service ports. Sites whose real servers and service ports respond to the health checks are preferred over sites in which servers or service ports are unresponsive to the health checks. GSLB supports health check methods for the following services: ICMP (Layer 3 health check), TCP, UDP, HTTP, HTTPS, FTP, SMTP, POP3, SNMP, DNS, RADIUS, LDAP, RTSP, SIP You can use the default health methods or configure new methods for any of these services. Note: By default, the GSLB protocol generates its own packets when sending a health check to a service. If the GSLB protocol cannot reach the service, then another health check is performed using standard network traffic. Health-Check Precedence Health monitoring for a GSLB service can be performed at the following levels and in the following order: 1. Gateway health check Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
21 of 260

GSLB Overview - GSLB Policy 2. Port health check 3. IP health check (Layer 3 health check of service IP)
Geo-Location
You can configure GSLB to prefer site VIPs for DNS replies that are geographically closer to the clients. For example, if a domain is served by sites in both the USA and Asia, you can configure GSLB to favor the USA site for USA clients while preferring the Asian site for Asian clients. To configure geo-location:
Leave the Geographic GSLB metric enabled; it is enabled by default. Load geo-location data. You can load geo-location data from a file or
manually configure individual geo-location mappings. Loading geo-location data from a file is simpler than manually configuring geo-location mappings, especially if you have more than a few GSLB sites. For more information, see Loading or Configuring Geo-Location Mappings on page 49. The AX software includes an Internet Assigned Numbers Authority (IANA) database. The IANA database contains the geographic locations of the IP address ranges and subnets assigned by the IANA. The IANA database is loaded on the AX device, and it is enabled by default. CNAME Support As an extension to geo-location support, you can configure GSLB to send a Canonical Name (CNAME) record instead of an Address record in DNS replies to clients. A CNAME record maps a domain name to an alias for that domain. For example, you can associate the following aliases with the domain a10.com:
www.a10.co.cn www.1.a10.com ftp.a10.com
Each of the aliases in the list above can be associated with a different geolocation: If a clients IP address is within the geo-location that is associated with www.1.a10.com, then GSLB places a CNAME record for www.1.a10.com in the DNS reply to that client.
22 of 260

GSLB Overview - GSLB Policy To configure CNAME support:
Configure geo-location as described above. In the GSLB policy, enable the following DNS options: dns cname-detect (enabled by default) dns geoloc-alias For individual services in the zone, configure the aliases and associate
them with geo-locations. Alias-Admin-preference and Weighted-alias The Alias Admin Preference metric, which selects the DNS CNAME record with the highest administratively set preference, can be used in DNS Proxy or DNS Server mode. Similarly, the Weighted Alias metric, which expresses a preference for higher-weighted CNAME records, can be used in DNS Proxy or DNS Server mode. Some additional policy options are required in either mode.
DNS proxy Enable the geoloc-alias option. After GSLB retrieves the
DNS response from the DNS answer, GSLB selects a DNS A record using IP metrics, and then tries to insert the DNS CNAME record into the answer based on geo-location settings. While inserting the CNAME record, if the Alias metrics are enabled, GSLB may remove some CNAME records and related service IPs.
DNS server If applicable, enable the backup-alias option. If there is no
DNS A record to return, GSLB tries to insert all backup DNS CNAME records. During insertion, if Alias metrics are enabled, GSLB may remove some CNAME records. No DNS A records are returned. This option also requires the dns-cname-record as-backup option on the service.
DNS Options
DNS options provide additional control over the IP addresses that are listed in DNS replies to clients. The following DNS options can be set in GSLB policies:
dns action Enable GSLB to perform DNS actions specified in the ser-
vice configurations.
dns active-only Removes IP addresses for services that did not pass
their health checks.
23 of 260

GSLB Overview - GSLB Policy
dns addition-mx Appends MX records in the Additional section in
replies for A records, when the device is configured for DNS proxy or cache mode.
dns auto-map Enables creation of A and AAAA records for IP
resources configured on the AX device. For example, this option is useful for auto-mapping VIP addresses to service-IP addresses.
dns backup-alias Returns the alias CNAME record configured for the
service, if GSLB does not receive an answer to a query for the service and no active DNS server exists. This option is valid in server mode or proxy mode.
dns backup-server Designates one or more backup servers that can be
returned to the client if the primaries should fail.

dns cache Caches DNS replies and uses them when replying to clients,
instead of sending a new DNS request for every client query.

dns cname-detect Disabling this option skips the Cname response. If
enabled, the GSLB-AX applies the zone and service policy to the Cname record instead of applying it to the address record.
dns delegation Enables sub-zone delegation. The feature allows you to
delegate authority or responsibility for a portion of the DNS namespace from the parent domain to a separate sub-domain which may reside on one or more remote servers and may be managed by someone other than the network administrator who is responsible for the parent zone.
dns external-ip Returns the external IP address configured for a ser-
vice IP. If this option is disabled, the internal address is returned instead.
dns external-soa Replaces the internal SOA record with an external
SOA record to prevent external clients from gaining information that should only be available to internal clients. If this option is disabled, the internal address is returned instead.
dns geoloc-action Performs the DNS traffic handling action specified
for the clients geo-location. The action is specified as part of service configuration in a zone.
dns geoloc-alias Replaces the IP address with its alias configured on
the GSLB AX Series.

dns geoloc-policy Returns the alias name configured for the clients
geo-location.
dns hint Enables hints, which appear in the Additional Section of the
DNS response. Hints are A or AAAA records that are sent in the response to a clients DNS request. These records provide a mapping between the host names and IP addresses.
24 of 260

GSLB Overview - GSLB Policy
dns ip-replace Replaces the IP addresses with the set of addresses
administratively assigned to the service in the zone configuration.

dns ipv6 Enables support for IPv6 AAAA records. dns logging Configures DNS logging. dns proxy block Blocks DNS t queries from being sent to an internal
DNS server. The AX device must be in GSLB proxy mode for the feature to work.
dns selected-only Returns only the selected IP addresses. dns server Enables the GSLB AX device to act as a DNS server, for
specific service IPs in the GSLB zone.

dns sticky Sends the same service IP address to a client for all requests
from that client for the service address.

dns ttl Overrides the TTL set in the DNS reply. (For more information
about this option, see TTL Override on page 25.) The cname-detect and external-ip options are enabled by default. All the other DNS options are disabled by default. Order in Which Sticky, Server, Cache, and Proxy Options Are Used If more than one of the following options are enabled, GSLB uses them in the order listed, beginning with sticky: 1. 2. 3. 4. Note: sticky server cache proxy GSLB does not have a separately configurable proxy option. The proxy option is automatically enabled when you configure the DNS proxy as part of GSLB configuration. The site address selected by the first option that is applicable to the client and requested service is used. TTL Override GSLB ensures that DNS replies to clients contain the optimal set of IP addresses based on current network conditions. However, if the DNS TTL value assigned to the Address records is long, the local DNS servers used by clients might cache the replies for a long time and send those stale replies to clients. Thus, even though the GSLB AX device has current information, clients might receive outdated information. Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
25 of 260

GSLB Overview - GSLB Policy To ensure that the clients local DNS servers do not cache the DNS replies for too long, you can configure the GSLB AX device to override the TTL values of the Address records in the DNS replies before sending the replies to clients. The TTL of the DNS reply can be overridden in two different places in the GSLB configuration: 1. If a GSLB policy is assigned to the individual service, the TTL set in that policy is used. 2. If no policy is assigned to the individual service, but the TTL is set in the zone, then the zones TTL setting is used. By default, the TTL override is not set in either of these places. Note: In DNS server mode, the DNS response from the AX device includes an IP TTL (maximum number of Layer 3 hops), with a default value equal to 255. This IP TTL can be configured using the following CLI command: gslb system ip-ttl. More Information See Advanced DNS Options on page 77.
Metrics That Require the GSLB Protocol on Site AX Devices

AX devices use the GSLB protocol for GSLB management traffic. The protocol must be enabled on the GSLB controller. GSLB does not need to be enabled on the site AX devices, but enabling it is recommended in order to collect site information that is needed for the following metrics:
Session-capacity aRDT Connection-Load Num-Session
Note:
Enabling the GSLB protocol is also required if you are using the default health-check methods. However, if you modify the default health checks, then the GSLB protocol does not need to be enabled. (See Health Checks on page 21.)
26 of 260

GSLB Configuration - Overview
GSLB Configuration
This chapter describes the configuration of Global Server Load Balancing (GSLB).
Overview
Configuration is required on the GSLB AX device (GSLB controller) and the site AX devices. Note: The AX device provides an optional mechanism to automatically synchronize GSLB configurations and service IP status among multiple GSLB controllers for a GSLB zone. If you plan to use automatic GSLB configuration synchronization among controllers, first see GSLB Configuration Synchronization on page 113. This chapter shows the GUI pages for detailed configuration. The GUI also provides pages for simple GSLB configuration. Navigate to Config Mode > Getting Started > GSLB Easy Config. See the online help or AX Series GUI Reference for information. Configuration on GSLB Controller To configure GSLB on the GSLB AX device: 1. Configure health monitors for the DNS server to be proxied and for the GSLB services to be load balanced. 2. Configure a DNS proxy. 3. Configure a GSLB policy (unless you plan to use the default policy settings, described in GSLB Policy on page 18). 4. Configure services. 5. Configure sites. 6. Configure a zone. 7. Enable the GSLB protocol for the GSLB controller function. Note: If you plan to run GSLB in server mode, the proxy DNS server does not require configuration of a real server or service group. Only the VIP is required. However, if you plan to run GSLB in proxy mode, the real
Note:
27 of 260

GSLB Configuration - Configure Health Monitors server and service group are required along with the VIP. (Server and proxy mode are configured as DNS options. See DNS Options on page 23.) Configuration on Site AX Device To configure GSLB on the site AX devices: 1. Configure SLB, if not already configured. 2. Enable the GSLB protocol for the GSLB site device function. Configuration takes place at the following levels: Global (system-wide on the GSLB AX device) Zone Service IP Site SLB device
The following sections describe the GSLB configuration steps in the GUI and in the CLI. Required commands and commonly used options are listed. For advanced commands and options, see CLI Command Reference on page 153. Note: Each of the following sections shows the CLI and GUI configuration. For complete configuration examples, see GSLB Configuration Examples on page 99.
Configure Health Monitors

A10 Networks recommends that you configure health monitors for the local DNS server to be proxied and also for the GSLB services to be load balanced. Use a DNS health monitor for the local DNS server. You also can use a Layer 3 health monitor to check the IP reachability of the server. For the GSLB service, use health monitors for the application types of the services. For example, for an HTTP service, use an HTTP health monitor. If
28 of 260

GSLB Configuration - Configure the DNS Proxy the Health-Check metric is enabled in the GSLB policy, the metric will use the results of service health checks to select sites. To monitor the health of the real servers providing the services, configure health monitors on the site SLB devices. Configure the health monitors for the proxied DNS server and the GSLB services on the GSLB AX device. Configure the health monitors for real servers and their services on the site AX devices. Configuration of health monitors is the same as for standard SLB. There are no special health monitoring options or requirements for GSLB.
Configure the DNS Proxy

The DNS proxy is a DNS virtual service, and its configuration is therefore similar to the configuration of an SLB service. To configure the GSLB DNS proxy, use one of the following procedures.
USING THE GUI

1. Select Config Mode > Service > GSLB. 2. Click DNS Proxy, then click Add. 3. Enter a name for the DNS proxy. 4. Enter the IP address that will be advertised as the authoritative DNS server for the GSLB zone. Note: The GUI will not accept the configuration if the IP address you enter here is the same as the real DNS server IP address you enter when configuring the service group for this proxy (below). 5. (Optional) To add this proxy configuration of the DNS server to a High Availability (HA) group, select the group. 6. In the GSLB Port section, click Add. 7. In the Port field, enter the DNS port number, if not already filled in. 8. In the Service Group field, select create. The Service Group and Server sections appear. 9. In the Name field, enter a name for the service group.
29 of 260

GSLB Configuration - Configure the DNS Proxy 10. In the Type drop-down list, select UDP. 11. In the Server section, in the Server drop-down list, enter the IP address of the DNS server. Enter the real IP address of the DNS server, not the IP address you are assigning to the DNS proxy. 12. Enter the DNS port number in the Port field and click Add. The server information appears. 13. Click OK. The GSLB Port section re-appears. 14. Click OK. The Proxy section re-appears. 15. Click OK. The DNS proxy appears in the DNS proxy table.
USING THE CLI

1. To configure a real server for the DNS server to be proxied, use the following commands: slb server server-name ipaddr Use this command at the global configuration level of the CLI. The command creates the proxy and changes the CLI to the configuration level for it. To configure the DNS port on the server, use the following command to change the CLI to the configuration level for the port: port port-num udp To enable health monitoring of the DNS service, use the following command: health-check monitor-name (Layer 3 health monitoring using the default Layer 3 health monitor is already enabled by default.) 2. To configure a service group and add the DNS proxy (real server) to it, use the following commands: slb service-group group-name udp Use this command at the global configuration level of the CLI. The command creates the service group and changes the CLI to the configuration level for it. To add the DNS server to the service group, use the following command: member server-name:port-num 3. To configure a virtual server for the DNS proxy and bind it to the real server and service group, use the following commands: slb virtual-server name ipaddr
30 of 260

GSLB Configuration - Configure a GSLB Policy Use this command at the global configuration level of the CLI. The command creates the virtual server changes the CLI to the configuration level for it. To add the DNS port, use the following command: port port-number udp This command changes the CLI to the configuration level for the DNS port. To bind the DNS port to the DNS proxy service group and enable GSLB on the port, use the following commands: service-group group-name gslb-enable
Configure a GSLB Policy

The GSLB policy contains the metrics used to evaluate each site. For the evaluation of sites, A10 uses a fixed list of site addresses. This list is constructed based on the original list when a site becomes active. This fixed metric evaluation function does not do ordering or re-ordering of the original list. In the default GSLB policy, the following metrics are enabled by default:
Health-Check Geographic Round-Robin
All other metrics are disabled. (For detailed information about policy parameters and their defaults, see Policy Configuration Commands on page 188 or the AX Series GUI Reference or online help.) Note: Although the Geographic metric is enabled by default, there are no default geo-location mappings. To use the Geographic metric, you must load or manually configure geo-location mappings. (See Loading or Configuring Geo-Location Mappings on page 49 later in this section.)
Also see GSLB Policy on page 18.
Note:
31 of 260

GSLB Configuration - Configure a GSLB Policy
Enabling / Disabling Metrics

To enable or disable a metric, use one of the following procedures.
USING THE GUI

1. Select Config Mode > Service > GSLB. 2. On the menu bar, select Policy. 3. Click on the policy name or click Add to create a new policy. 4. If you are configuring a new policy, enter a name in the Name field in the General section. 5. In the Metrics section, drag-and-drop the metric from one column to the other. For example, to disable the Health-Check metric, drag-and-drop it from the In Use column to the Not In Use column. If you are enabling a metric, drag it to the position you want it to be used in the processing order. For example, if you are enabling the Admin Preference metric and you want this metric to be used first, drag-anddrop the metric to the top of the In Use column. 6. In the DNS Options section, configure the DNS options, if applicable to your deployment. (For descriptions, see DNS Options on page 23.) 7. Click OK.
USING THE CLI

To enable a metric, enter the metric name at the configuration level for the policy. For example, to enable the Admin-Preference metric, enter the following command:
AX(config gslb-policy)#admin-preference
To disable a GSLB metric, use the no form of the command for the metric, at the configuration level for the policy. For example, to disable the Health-Check metric, enter the following command at the configuration level for the policy:
AX(config gslb-policy)#no health-check
32 of 260

GSLB Configuration - Configure a GSLB Policy To set DNS options, use the following command at the configuration level for the policy. (For descriptions, see DNS Options on page 23.) [no] dns { action | active-only [fail-safe] | addition-mx | auto-map | backup-alias | backup-server | cache [aging-time {seconds | ttl}] | cname-detect | delegation | external-ip | external-soa | geoloc-action | geoloc-alias | geoloc-policy | hint | ip-replace | ipv6 options | logging {both | query | response | none} proxy block option | selected-only [num] | server [addition-mx] [any] [authoritative options] [mx] [ns [auto-ns]] [ptr [auto-ptr]] [srv] [txt] | sticky [network-mask | /prefix-length] [aging-time minutes] [ipv6-mask mask-length] | ttl num }
33 of 260

GSLB Configuration - Changing the Metric Order
Changing the Metric Order

To change the metric order, use one of the following procedures.
USING THE GUI

1. Select Config Mode > Service > GSLB. 2. On the menu bar, select Policy. 3. Click on the policy name or click Add to create a new policy. 4. If you are configuring a new policy, enter a name in the Name field in the General section. 5. In the Parameters section, drag-and-drop the metric to the position in which you want it to be used in the processing order. For example, if you want the Admin-Preference metric to be used first, drop the metric to the top of the In Use column. 6. Click OK.
USING THE CLI

To change the positions of metrics in a GSLB policy, use the following command at the configuration level for the policy: [no] metric-order metric [metric ...] The metric option specifies a metric and can be one of the following:
active-rdt active-servers admin-ip admin-preference bw-cost capacity connection-load geographic health-check least-response
34 of 260

num-session weighted-ip weighted-site
Note:
Metric order does not apply to the Alias-Admin-Preference or WeightedAlias metrics.
Configuring Active-Round Delay Time

If you are planning to use the active-Round Delay Time (aRDT) metric, read this section. Otherwise, you can skip the section. This metric is disabled by default. aRDT aRDT measures the round-delay-time for a DNS query and reply between a site AX device and the GSLB local DNS. You can configure aRDT to take a single sample or periodic samples. Global aRDT Parameters The aRDT metric uses the following options, which are configurable on a global basis:
Domain Specifies the query domain. To measure the active round-
delay-time (aRDT) for a client, the site AX device sends queries for the domain name to a clients local DNS. An aRDT sample consists of the time between when the site AX device sends a query and when it receives the response. Only one aRDT domain can be configured. It is recommended to use a domain name that is likely to be in the cache of each clients local DNS. The default domain name is google.com. The AX device averages multiple aRDT samples together to calculate the aRDT measurement for a client. (See the description of Track below.)
Interval Specifies the number of seconds between queries. You can
specify 1-16383 seconds. The default is 1.

Retry Specifies the number of times GSLB will resend a query if there
is no response. You can specify 0-16. The default is 3.

Sleep Specifies the number of seconds GSLB stops tracking aRDT
data for a client after a query fails. You can specify 1-300 seconds. The default is 3. Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
35 of 260

Timeout Specifies the number of milliseconds GSLB will wait for a
reply before resending a query. You can specify 1-16383 milliseconds (ms). The default is 3000 ms.
Track Specifies the number of seconds during which the AX device
collects samples for a client. The samples collected during the track time are averaged together, and the averaged value is used as the aRDT measurement for the client. You can specify 3-16383 seconds. The default is 60 seconds. The averaged aRDT measurement is used until it ages out. The aging time for averaged aRDT measurements is 10 minutes by default and is configurable on individual sites, using the aRDT aging-time command. To configure global aRDT options, use the following command at the global configuration level of the CLI: [no] gslb active-rdt { domain domain-name | interval seconds | retry num | sleep seconds | timeout ms | track seconds } Default Settings When you enable aRDT, a site AX device sends some DNS requests to the GSLB domains local DNS. The GSLB AX device then averages the aRDT times of 5 samples. Single Sample (Single Shot) To take a single sample and use that sample indefinitely, use the single-shot option. This option instructs each site AX device to send a single DNS query to the GSLB local DNS. The single-shot option is useful if you do not want to frequently update the aRDT measurements. For example, if the GSLB domain's clients tend to remain logged on for long periods of time, using the single-shot option ensures that clients are not frequently sent to differing sites based on aRDT measurements.
36 of 260

GSLB Configuration - Changing the Metric Order The single-shot has the following additional options:
timeout Specifies the number of seconds each site AX device should
wait for the DNS reply. If the reply does not arrive within the specified timeout, the site becomes ineligible for selection, in cases where selection is based on the aRDT metric. You can specify 1-255 seconds. The default is 3 seconds.
skip Specifies the number of site AX devices that can exceed their sin-
gle-shot timeouts, without the aRDT metric itself being skipped by the GSLB AX device during site selection. You can skip from 1-31 sites. The default is 3. Multiple Samples To periodically retake aRDT samples, do not use the single-shot option. In this case, the AX device uses the averaged aRDT value based on the number of samples measured for the intervals. For example, if you set aRDT to use 3 samples with an interval of 5 seconds, the aRDT is the average over the last 3 samples, collected in 5-second intervals. If you configure single-shot instead, a single sample is taken. The number of samples can be 1-8. The default is 5 samples. Store-By By default, the GSLB AX device stores one aRDT measurement per site SLB device. Optionally, you can configure the GSLB AX device to store one measurement per geo-location instead. This option is configurable on individual GSLB sites. (See Changing aRDT Settings for a Site on page 39.) Tolerance The default measurement tolerance is 10 percent. If the aRDT measurements for more than one site are within 10 percent, the GSLB AX device considers the sites to be equal in terms of aRDT. You can adjust the tolerance to any value from 0-100 percent.
37 of 260

GSLB Configuration - Changing the Metric Order Enabling aRDT To enable aRDT, use one of the following procedures.
USING THE GUI

1. Select Config Mode > Service > GSLB. 2. On the menu bar, select Policy. 3. Click on the policy name or click Add to create a new one. 4. Drag-and-drop aRDT from the Not In Use column to the In Use column. 5. Click the plus sign to display the aRDT configuration fields. 6. To use single-shot aRDT, select the Single-shot checkbox. To collect multiple samples, do not select the Single-shot checkbox. 7. To change settings for single-shot, edit the values in the Timeout and Skip fields. 8. To change settings for multiple samples, edit the values in the Samples and Tolerance fields. 9. Click OK.
USING THE CLI

Enter the following command at the configuration level for the GSLB policy: [no] active-rdt [difference num] [fail-break] [ignore-id group-id] [keep-tracking] [limit ms] [samples num-samples] [single-shot] [skip count] [timeout seconds] [tolerance num-percentage] If you omit all the options, the site AX device send DNS requests to the GSLB domains local DNS. The GSLB AX device averages the aRDT times of the samples. The aRDT measurements are regularly updated. You can use the samples option to change the number of samples to 1-8. To enable single-shot aRDT instead, use the single-shot option. For singleshot, you also can use the skip and timeout options. (See the descriptions above, in Single Sample (Single Shot) on page 36)
38 of 260

GSLB Configuration - Changing the Metric Order CLI Examples The following commands access the configuration level for GSLB policy gslbp2 and enable the aRDT metric, using all the default settings:
AX(config)#gslb policy gslbp2 AX(config gslb-policy)#active-rdt
The following commands access the configuration level for GSLB policy gslbp3 and enable the aRDT metric, using single-shot settings:
AX(config)#gslb policy gslbp3 AX(config gslb-policy)#active-rdt single-shot AX(config gslb-policy)#active-rdt skip 3
In this example, each site AX device will send a single DNS query to the GSLB domains local DNS, and wait 3 seconds (the default) for a reply. The site AX devices will then send their aRDT measurements to the GSLB AX device. However, if more than 3 site AX devices fail to send their aRDT measurements to the GSLB AX device, the AX device will not use the aRDT metric. Changing aRDT Settings for a Site You can adjust the following aRDT settings on individual sites:
aging-time Specifies the maximum amount of time a stored aRDT
result can be used. You can specify 1-60 minutes. The default is 10 minutes.
bind-geoloc Stores the aRDT measurements on a per geo-location
basis. Without this option, the measurements are stored on a per siteSLB device basis.
ignore-count Specifies the ignore count if aRDT is out of range. You
can specify 1-15. The default is 5.

ipv6-mask Specifies the client IPv6 mask length, 1-128. The default is
128.
limit Specifies the limit. You can specify 1-16383. The default is
16383 milliseconds.
mask Based on the subnet mask or mask length, the entry can be a host
address or a subnet address. The default is 32.

range-factor Specifies the maximum percentage a new aRDT mea-
surement can differ from the previous measurement. If the new measurement differs from the previous measurement by more than the allowed percentage, the new measurement is discarded and the previous measurement is used again.
39 of 260

GSLB Configuration - Changing the Metric Order For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75% to 125% of the previous value can be used. A measurement that is less than 75% or more than 125% of the previous measurement can not be used. You can specify 1-1000. The default is 25.
smooth-factor Blends the new measurement with the previous one, to
smoothen the measurements. For example, if the smooth-factor is set to 10 (the default), 10% of the new measurement is used, along with 90% of the previous measurement. Similarly, if the smooth-factor is set to 50, 50% of the new measurement is used, along with 50% of the previous measurement. You can specify 1-100. The default is 10.
USING THE GUI

Use the Options section of the GUI page for the site.
USING THE CLI

Use the following command at the configuration level for the site: [no] active-rdt aging-time minutes | bind-geoloc | limit num | mask {/mask-length | mask-ipaddr} | range-factor num | smooth-factor num Excluding a Set of IP Addresses from aRDT Polling You can use an IP list to exclude a set of IP addresses from aRDT polling. You can configure an IP list in either of the following ways:
Use a text editor on a PC or use the AX GUI to configure a black/white
list, then load the entries from the black/white list into an IP list.
Use this command to configure individual IP list entries.
40 of 260

USING THE CLI

To configure an IP list using the CLI, use the following command at the global configuration level of the CLI: [no] gslb ip-list list-name The command changes the CLI to the configuration level for the list, where the following IP-list-related commands are available: [no] ip ipaddr {subnet-mask | /mask-length} id group-id This command creates an IP entry in the list. Based on the subnet mask or mask length, the entry can be a host address or a subnet address. The id option adds the entry to a group. The group-id can be 0-31. [no] load bwlist-name This command loads the entries from a black/white list into the IP list. For information on configuring a black/white list, see the Policy-Based SLB (PBSLB) chapter in the AX Series System Configuration and Administration Guide. To use the IP list to specify the IP addresses to exclude from aRDT data collection, use the following command at the configuration level for the GSLB policy: [no] active-rdt ignore-id group-id
USING THE GUI

Note: In the current release, IP lists can not be configured using the GUI.
41 of 260

Configuring BW-Cost Settings

If you are planning to use the BW-Cost metric, read this section. Otherwise, you can skip the section. The BW-Cost metric is disabled by default. The BW-Cost metric selects sites based on bandwidth utilization on the site AX links.
How Bandwidth Cost Is Measured

To compare sites based on bandwidth utilization, the GSLB AX device sends SNMP GET requests for a specified MIB interface object, such as ifInOctets, to each site.
If the SNMP object value is less than or equal to the bandwidth limit
configured for the site, the site is eligible to be selected.

If the SNMP object value is greater than the bandwidth limit configured
for the site, then the site is ineligible. The GSLB AX device sends the SNMP requests at regular intervals. Once a site is ineligible, the site can become eligible again at the next interval if the utilization is below the configured limit minus the threshold percentage. (See below.)
Configuration Requirements
To use the BW-Cost metric, an SNMP template must be configured and bound to each site. The GSLB SNMP template specifies the SNMP version and other information necessary to access the SNMP agent on the site AX device, and the Object Identifier (OID) of the MIB object to request. In addition, the following BW-Cost parameters must be configured on each site:
Bandwidth limit The bandwidth limit specifies the maximum value of
the requested MIB object for the site to be eligible for selection.
Bandwidth threshold For a site to regain eligibility when BW-Cost is
being compared, the SNMP objects value must be below the thresholdpercentage of the limit value. For example, if the limit value is 80,000 and the threshold is 90 (percent), then the limit value must be 72,000 or less, for the site to become eligible again based on bandwidth cost. Once a site again becomes eligible, the SNMP objects value is again allowed to increase up to the bandwidth limit value (80,000 in this example).
42 of 260

Configuring Bandwidth Cost

To use the BW-Cost metric: 1. On the site AX devices, configure and enable SNMP. 2. On the GSLB AX device: a. Configure a GSLB SNMP template. b. Add the template to the GSLB site configuration. c. Optionally, set the bandwidth limit and threshold on the site. By default, the bandwidth limit is not set (unlimited). d. Enable the BW-Cost metric in the GSLB policy. By default, the BW-Cost metric is disabled.
USING THE GUI

Note: SNMP template configuration is not supported in the GUI. Use the CLI to configure the template, then use the following GUI procedures.
USING THE CLI

To Configure a GSLB SNMP Template Use the following commands: [no] gslb template snmp template-name This command adds the template and changes the CLI to the configuration level for the template, where the following template-related commands are available: [no] version {v1 | v2c | v3} The version command specifies the SNMP version running on the site AX device. [no] host ipaddr [no] oid oid-value The host command specifies the IP address of the site AX device. The oid command specifies the interface MIB object to query on the site AX device. Note: If the object is part of a table, make sure to append the table index to the end of the OID. Otherwise, the AX device will return an error.
43 of 260

GSLB Configuration - Changing the Metric Order SNMPv1 / v2c Commands: [no] community community-string The community command specifies the community string required for authentication. SNMPv3 Commands: [no] username name This command specifies the SNMPv3 username required for access to the SNMP agent on the site AX device. [no] security-level {no-auth | auth-no-priv | auth-priv} This command specifies the SNMPv3 security level:
no-auth Authentication is not used and encryption (privacy) is not
used. This is the default.

auth-no-priv Authentication is used but encryption is not used. auth-priv Both authentication and encryption are used.
[no] auth-proto {sha | md5} [no] auth-key string These commands are applicable if the security level is auth-no-priv or auth-priv. The auth-proto command specifies the authentication protocol. The auth-key command specifies the authentication key. The key string can be 1-127 characters long. [no] priv-proto {aes | des} [no] priv-key string These commands are applicable only if the security level is auth-priv. The priv-proto command specifies the privacy protocol used for encryption. The priv-key command specifies the encryption key. The key string can be 1-127 characters long. [no] context-engine-id id [no] context-name id [no] security-engine-id id The context-engine-id command specifies the ID of the SNMPv3 protocol engine running on the site AX device. The context-name command specifies an SNMPv3 collection of management information objects accessible by an SNMP entity. The security-engine-id command specifies the ID of
44 of 260

GSLB Configuration - Changing the Metric Order the SNMPv3 security engine running on the site AX device. For each command, the ID is a string 1-127 characters long. [no] interface id The interface command specifies the SNMP interface ID. Additional Commands: [no] interval seconds [no] port port-num The interval command specifies the amount of time between each SNMP GET to the site AX devices. You can specify 1-999 seconds. The default is 3. The port command specifies the protocol port on which the site AX devices listen for the SNMP requests from the GSLB AX device. You can specify 165535. The default is 161. To Apply a GSLB SNMP Template to a GSLB Site Use the following command at the configuration level for the site: [no] template template-name To Configure the Bandwidth Limit and Threshold on a Site Use the following command at the configuration level for the site: [no] bw-cost limit limit threshold percentage The limit specifies the maximum value of the SNMP object (as queried by the GSLB AX device), in order for the site to remain eligible for selection. You can specify 0-2147483647. There is no default. If a site becomes ineligible due to being over the limit, the percentage parameter is used. In order to become eligible for selection again, the sites limit value must not be more than limit*threshold-percentage. You can specify 0-100 percent. There is no default. To Enable the Bandwidth Cost Metric in a GSLB Policy Use the following command at the configuration level for the policy: [no] bw-cost
45 of 260

GSLB Configuration - Changing the Metric Order To display BW-Cost data for a site Use the following command: show gslb site [site-name] bw-cost CLI Example SNMPv2c The following commands configure a GSLB SNMP template for SNMPv2c:
AX(config)#gslb template snmp snmp-1 AX(config-gslb template snmp)#version v2c AX(config-gslb template snmp)#host 192.168.214.124 AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12 AX(config-gslb template snmp)#community public AX(config-gslb template snmp)#exit
The following commands apply the SNMP template to a site and set the bandwidth limit and threshold:
AX(config)#gslb site usa AX(config gslb-site)#template snmp-1 AX(config gslb-site)#bw-cost limit 100000 threshold 90 AX(config gslb-site)#exit
The following commands enable the BW-Cost metric in the GSLB policy:
AX(config)#gslb policy pol1 AX(config-gslb policy)#bw-cost AX(config-gslb policy)#exit
The following command displays BW-Cost data for the site:

AX-1(config)#show gslb site usa bw-cost U = Usable, TI = Time Interval USGN = Unsigned, SN64 = Unsigned 64 CNTR = Counter, CT64 = Counter 64 Site Template Current Highest Limit U Type Len Value TI -------------------------------------------------------------------------------usa snmp-1 31091 142596 100000 Y CNTR 4 3355957308 3
46 of 260

GSLB Configuration - Changing the Metric Order CLI Example SNMPv3 The following commands configure a GSLB SNMP template for SNMPv3. In this example, authentication and encryption are both used.
AX(config)#gslb template snmp snmp-2 AX(config-gslb template snmp)#security-level auth-priv AX(config-gslb template snmp)#host 192.168.214.124 AX(config-gslb template snmp)#username read AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12 AX(config-gslb template snmp)#priv-proto des AX(config-gslb template snmp)#auth-key 12345678 AX(config-gslb template snmp)#priv-key 12345678
The other commands are the same as those shown in CLI Example SNMPv2c on page 46.
Configuring Alias Admin Preference

To configure the Alias Admin Preference metric: 1. At the configuration level for the GSLB service, assign an administrative preference to the DNS CNAME record for the service. 2. At the configuration level for the GSLB policy:
Enable the Alias Admin Preference metric. Enable one or both of the following DNS options, as applicable to
your deployment: DNS backup-alias DNS geoloc-alias 3. If using the backup-alias option, use the dns-cname-record as-backup option on the service.
USING THE GUI

The current release does not support this feature in the GUI.
USING THE CLI

1. To assign an administrative preference to the DNS CNAME record for a service, use the following command at the configuration level for the service: [no] admin-preference preference
47 of 260

GSLB Configuration - Changing the Metric Order The preference can be 0-255. A higher value is preferred over a lower value. The default is 0 (not set). 2. To enable the Alias Admin Preference metric, use the following command at the configuration level for the policy: [no] alias-admin-preference
Configuring Weighted Alias

To configure the Weighted Alias metric: 1. At the configuration level for the GSLB service, assign a weight to the DNS CNAME record for the service. 2. At the configuration level for the GSLB policy:
Enable the Weighted Alias metric. Enable one or both of the following DNS options, as applicable to
your deployment: DNS backup-alias DNS geoloc-alias 3. If using the backup-alias option, use the dns-cname-record as-backup option on the service.
USING THE GUI

USING THE CLI

1. To assign a weight to the DNS CNAME record for a service, use the following command at the configuration level for the service: [no] weight num The num can be 1-255. A higher value is preferred over a lower value. The default is 1. 2. To enable the Weighted Alias metric, use the following command at the configuration level for the policy: [no] weighted-alias
48 of 260

Loading or Configuring Geo-Location Mappings

You can configure geo-location mappings manually or by loading the mappings from a file. Configuring the geo-location mappings manually might not be practical, unless you have only a few sites. The geo-location configuration options are described in detail below. To skip the descriptions and go directly to configuration instructions, see one of the following sections. Each section provides the procedure for one of the approaches to configuring geo-location mappings.
Loading or Configuring Geo-Location Mappings on page 49 Manually Configuring Geo-Location Mappings on page 54
Geo-Location Database Files You can load the geo-location database (which contains the geo-location mappings) from one of the following types of files:
Internet Assigned Numbers Authority (IANA) database The IANA
database contains the geographic locations of the IP address ranges and subnets assigned by the IANA. Note that this database is loaded by default.
Custom database in CSV format You can load a custom geo-location
database from a file in comma-separated-values (CSV) format. However, before loading the file, you must first configure a CSV template on the AX device because the data in the file is formatted by the template. Note: You can load more than one geo-location database. When you load a new database, if the same IP address or IP address range already exists in a previously loaded database, the address or range is overwritten by the new database. Geo-Location Mappings A geo-location mapping consists of a geo-location name and an IP address or IP range.
If you manually map a geo-location to an GSLB site, GSLB uses the
mapping.
If no geo-location is configured for a GSLB site, GSLB automatically
maps the service-ip to a geo-location in the loaded geo-location database.

If a service-ip cannot be mapped to a geo-location, GSLB maps the site
AX device to a geo-location. Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
49 of 260

GSLB Configuration - Changing the Metric Order If more than one geo-location matches a clients IP address, the most specific match is used. For example, if a client is in the same city as a site AX, that site will be preferred. If the client and site are in the same state but in different cities, the site in that state will be preferred. Only one database can be active. If you load more than one database, the most-recently loaded one becomes the active one, and the older database is no longer used. Data from the older database is not merged into the new database. Example Database File An example of a database file is shown below. Each paragraph is actually a single line in the file, but they are displayed here in multiple lines due to the limited width of the page. (Note that lines in the database file should not have spaces between the paragraphs. This was done to improve readability.)
"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS", "COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482" "1159364096","1159364351","US","UNITED STATES","NA","NORTH AMERICA","","","","ENVIRONMENTAL COMPLIANCE SERVICE","SILVER","","32.0708","-100.682" "1159364352","1159364607","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS", "MLS PROPERTY INFORMATION NETWORK","SHREWSBURY","WORCESTER","42.2959","71.7134"
...
The example above shows how the CSV file appears when displayed in a text editor. If the same data were displayed in a spreadsheet application, it would appear like Figure 1 below. FIGURE 1 CSV File in Spreadsheet Application
The database file can contain more types of information (fields, or columns) than are required for the GSLB database. When you load the CSV file into the geo-location database, the CSV template on the AX device filters the file to extract the required data, while ignoring the rest of the data. In the example below, only the fields shown in bold type will be extracted and placed into the geo-location database:
"1159363840","1159364095","US","UNITED STATES","NA","NORTH AMERICA","EST","MA","MASSACHUSETTS","COMMRAIL INC","MARLBOROUGH","MIDDLESEX","42.3495","-71.5482"
50 of 260

GSLB Configuration - Changing the Metric Order These fields contain the following information:
From IP address (starting IP address in range), To IP address (ending IP address in range, or subnet mask), Continent, Country
The IP addresses in this example are in bin4 format. Dotted decimal format (for example: 69.26.125.0) is also supported. If you use bin4 format, the AX device automatically converts the addresses into dotted decimal format when you load the database into GSLB. Converting IP Addresses into bin4 Format If you want to use bin4 format in the CSV file, here is how to convert an IP address from dotted-decimal format to bin4 format: 1. Convert each node into Hex. 2. Convert the resulting Hex number into decimal. 3. Enter the decimal number into the database file. Here is an example for IP address 69.26.125.0, the first IP address in the example CSV file: Dotted Decimal 69.26.125.0 Hex of Each Node 45.1a.7d.00 Combined Hex Number 451a7d00 Decimal 1159363840
CSV File Field Delimiters The fields in the CSV file must be separated by a delimiter. By default, the AX device interprets commas as delimiters. When you configure the CSV template on the AX device, you can set the delimiter to any valid ASCII character. Creating and Loading a Custom Geo-Location Database To create and load a custom geo-location database: 1. Prepare the database file. (This step requires an application that can save to text for CSV format, and it cannot be performed on the AX device.) 2. Configure a CSV template on the AX device. The CSV template specifies the field positions (or columns) in the database that should be extracted, such as IP address and location information. 3. Import the CSV file onto the AX device. Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
51 of 260

GSLB Configuration - Changing the Metric Order 4. Load the CSV file. 5. Display the geo-location database.
USING THE GUI

Configuring the CSV Template 1. Select Config Mode > Service > GSLB. 2. On the menu bar, select Geo-location > Import. 3. In the Template section, enter a name for the template. 4. If the CSV file uses a character other than a comma to delimit fields, enter the delimiter character in the Delimiter field. You want the CSV template to use the same delimiter that has been used in the database file you will be loading. 5. In each data field, indicate the fields position (or column) in the CSV file. For example, if the destination IP address or subnet is listed in the CSV file in the fourth column, enter 4 in the IP-To field. 6. Click Add. Importing the CSV File 1. Select Config Mode > Service > GSLB, if not already selected. 2. On the menu bar, select Geo-location > Import, if not already selected.. 3. In the File section, select the file transfer protocol. 4. Enter the filename and the access parameters required to copy the file from the remote server. 5. Click Add. Loading the CSV File Data into the Geo-Location Database 1. Select Config Mode > Service > GSLB, if not already selected. 2. On the menu bar, select Geo-location > Import, if not already selected.. 3. In the Load/Unload section, enter the name of the geo-location database in the file field. 4. In the Template field, enter the name of the template to use for formatting the data.
52 of 260

USING THE CLI

Configuring the CSV Template On the AX device, you must configure a CSV template for the database file. When you load the file into GSLB, the AX device uses the template to extract the data and load it into the GSLB database. 1. Use the following command at the global configuration level: [no] gslb template csv template-name This command creates the template and changes the CLI to the configuration level for it. 2. Use the following command to identify the field positions for the geolocation data: [no] field num {ip-from | ip-to-mask | continent | country | state | city} The num option specifies the field position (or column) within the CSV file. You can specify 1-64. The following options specify the type of geo-location data that is located in the field position: ip-from Specifies the beginning IP address in the range or subnet. ip-to-mask Specifies the ending IP address in the range, or the subnet mask. continent Specifies the continent where the IP address range or subnet is located. country Specifies the country where the IP address range or subnet is located. state Specifies the state where the IP address range or subnet is located. city Specifies the city where the IP address range or subnet is located. 3. If the CSV file uses a character other than a comma to delimit fields, use the following command to specify the character used in the file: [no] delimiter {character | ASCII-code} You can type the character or enter its decimal ASCII code (0-255). Importing the CSV File To import the CSV file onto the AX device, use the following command at the Privileged EXEC or global configuration level of the CLI: import geo-location file-name [use-mgmt-port] url
53 of 260

GSLB Configuration - Changing the Metric Order You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
tftp://host/file ftp://[user@]host[:port]/file scp://[user@]host/file rcp://[user@]host/file http://[user@]host/file https://[user@]host/file sftp://[user@]host/file
(For information about the use-mgmt-port option, see the Using the Management Interface as the Source for Management Traffic chapter in the AX Series System Configuration and Administration Guide.) Loading the CSV File Data into the Geo-Location Database To load the CSV file, use the following command at the global configuration level of the CLI: [no] gslb geo-location load file-name csv-template-name Use the file name you specified when you imported the CSV file, and the name of the CSV template to be used for extracting data from the file. Note: The file-name option is available only if you have already imported a geolocation database file. To display information about CSV files as they are being loaded, use the following command: show gslb geo-location file [file-name] Manually Configuring Geo-Location Mappings
USING THE GUI

In the GUI, this is part of site configuration. See Configure Sites on page 67.
54 of 260

USING THE CLI

To manually configure a geo-location mapping: 1. Configure each geographic location (geo-location) as a named range of client IP addresses. You can configure geo-locations globally and within individual GSLB policies. To configure a geo-location, use the following command at the global configuration level or at the configuration level for the GSLB policy: [no] gslb geo-location location-name start-ip-addr [mask ip-mask] [end-ip-addr] 2. Associate a site with a geo-location name, using the following command at the configuration level for the site: [no] geo-location location-name Note: If you configure geo-locations globally and at the configuration level for individual sites, and a client IP address matches both a globally configured geo-location and a geo-location configured on a site, the globally configured geo-location is used by default. To configure the GSLB AX device to use geo-locations configured on individual sites instead, use the geo-location match-first policy command at the configuration level for the policy. Displaying the Geo-Location Database
USING THE GUI

1. Select Config Mode > Service > GSLB. 2. On the menu bar, select Geo-location > Find. The geo-location database appears. You can use the find options to display database entries or statistics for specific geo-locations or IP addresses.
USING THE CLI

To display the geo-location database, use the following command: show gslb geo-location db [geo-location-name] [[statistics] ip-range range-start range-end] [[statistics] depth num] [statistics]] The geo-location-name option displays the database entry for the specified location.
55 of 260

GSLB Configuration - Changing the Metric Order The ip-range option displays entries for the specified IP address range. The depth num option filters the display to show only the location entries at the specified depth or higher. For example, to display continent and country entries while hiding individual state and city entries, specify depth 2. To search for an entry in the geo-location database that is based on client IP address, use the following command: show gslb geo-location ip ipaddr CLI Example The commands in this example load a custom geo-location database from a CSV file called test.csv, and then display the database. The test.csv file is shown in Example Database File on page 50. First, the following commands configure the CSV template:
AX(config)#gslb template csv test1-tmplte AX(config-gslb template csv)#field 1 ip-from AX(config-gslb template csv)#field 2 ip-to-mask AX(config-gslb template csv)#field 5 continent AX(config-gslb template csv)#field 3 country AX(config-gslb template csv)#exit
The following command imports the file onto the AX device:

AX(config)#import geo-location test1.csv ftp: Address or name of remote host []?192.168.1.100 User name []?admin2 Password []?********* File name [/]?test1.csv
The following commands initiate loading the data from the CSV file into the geo-location database, and display the status of the load operation:
AX(config)#gslb geo-location load test1.csv test1-tmplte AX(config)#show gslb geo-location file T = T(Template)/B(Built-in), Per = Percentage of loading Filename T Template Per Lines Success Error -----------------------------------------------------------------------------test1 T t1 98% 11 10 0
56 of 260

GSLB Configuration - Changing the Metric Order The following command displays the geo-location database. The data that was extracted from the CSV file is shown here in bold type.
AX(config)#show gslb geo-location db Last = Last Matched Client, Hits = Count of Client matched T = Type, Sub = Count of Sub Geo-location G(global)/P(policy), S(sub)/R(sub range) M(manually config) Global Name From To Last Hits Sub T -----------------------------------------------------------------------------NA (empty) (empty) (empty) 0 1 G Geo-location: NA, Global Name From To Last Hits Sub T -----------------------------------------------------------------------------US (empty) (empty) (empty) 0 10 GS Geo-location: NA.US, Global Name From To Last Hits Sub T -----------------------------------------------------------------------------69.26.125.0 69.26.125.255 (empty) 0 0 GR 69.26.126.0 69.26.126.255 (empty) 0 0 GR 69.26.127.0 69.26.127.255 (empty) 0 0 GR 69.26.128.0 69.26.136.135 (empty) 0 0 GR 69.26.136.136 69.26.136.143 (empty) 0 0 GR 69.26.136.144 69.26.140.255 (empty) 0 0 GR 69.26.141.0 69.26.141.255 (empty) 0 0 GR 69.26.142.0 69.26.159.255 (empty) 0 0 GR 69.26.160.0 69.26.160.255 (empty) 0 0 GR 69.26.161.0 69.26.161.7 (empty) 0 0 GR
Geo-location Overlap
The geo-location overlap option searches the geo-location database for the match best instead of searching the database using the match first algorithm. This behavior may be helpful if you suspect that more than one host has been mapped to a single public IP address. Geo-location Databases Background When configuring GSLB on the AX device, a geo-location file containing mappings between geographic regions and IP addresses is imported onto the AX device. For example, the IANA database is pre-installed on the AX device prior to shipping, and it contains thousands of entries mapping geographic regions to IP address ranges.
57 of 260

GSLB Configuration - Changing the Metric Order In addition, third-party companies sell geo-location databases, and some of these databases may contain millions of mappings between geographic regions and ranges of IP addresses. As with the IANA database files, these files can also be imported into the AX devices global database. However, geo-location information can also be manually configured on the AX device at the GSLB policy level. A GSLB policy is typically created for each GSLB zone, so you could, for example, have separate zones for a company that has offices in New York and San Jose. Each of these GSLB zones might have its own geo-location file, with each file containing highly granular information that maps IP addresses and local regions. When configuring geo-location for a GSLB zone, you will need to use the match first command to decide whether to search the Global database (containing the IANA file) or if you would prefer to search the GSLB Policy database. The match first command determines which of the two geo-location databases will be used to parse incoming DNS requests from clients. That is, it allows you to decide whether the Global database or GSLB Policy database will be searched. Once this configuration decision has been made, then the next thing that you need to do is decide if you want to enable the geo-location overlap command. Note: The geo-location overlap command is disabled by default because it tends to be taxing on the AX processors. The default behavior for the AX device is to use the match first algorithm (not to be confused with the match first option described above), is to scan the geo-location database for the first IP address that matches the clients Source IP. In contrast, the geo-location overlap option uses match best algorithm, meaning the entire geo-location file must be scanned in order to locate the optimal response to send back to the client. This is very demanding on the AX CPU. When to Use Geo-Location Overlap The geo-location overlap option is recommended for situations in which the public IP address is not unique and the same IP address may be associated with different hosts. While it is unlikely that the IANA geo-location file would contain such errors, the internet is a dynamic place and information can become stale and/or inaccurate. In particular, this situation might hap-
58 of 260

GSLB Configuration - Changing the Metric Order pen if users are careless about the way they manually add IP addresses to the GSLB policies. A user might have many GSLB zones and each zone might have many geo-location files, so it is possible that some IP address ranges may overlap. For example, if a company has a site in New York and San Jose:
New YorK IP range is 1.1.1.1 1.1.1.9 San Jose IP range is 1.1.1.1 1.1.1.3
In this situation, there exists an overlap in the IP address from 1.1.1.1 to 1.1.1.3. To remedy this confusing situation, one can enable the geo-location overlap option to cause the AX device to search the geo-location database for the match best (or longest matching IP address). However, if the geo-location overlap option is disabled, then the AX device will revert to its default behavior, which is to use the match first algorithm to check the clients IP address against the database and then use the first IP address-region mapping discovered when parsing the database.
USING THE GUI

If you suspect a public IP address in your domain is not unique and the same IP address may be associated with different hosts, you can enable the geolocation overlap option. To do so, follow the procedure below: 1. Select Config Mode > Service > GSLB. 2. Click the Policy tab, and then click the Add button. 3. Enter a name for the GSLB policy in the Name field. 4. Click the Geo-location arrow to expand the menu. The Geo-location menu appears, as shown below: 5. In the Match Best Entry section, select the desired checkboxes. By default, the Global and Policy checkboxes are clear, meaning the overlap feature is disabled (and the match first approach is used).
59 of 260

GSLB Configuration - Changing the Metric Order 6. To enable the overlap behavior, select one or both checkboxes in the Match Best Entry area. Your options are:
Global Enabling this option will search the global database (such
as IANA) for the longest matching and most-specific address. Policy Enabling this option will search the GSLB policy database for the longest matching and most-specific address. 7. When finished, click OK to save your changes.
USING THE CLI

If you believe your manually-configured geo-location databases may have two or more domains tied to the same IP address, you can use the following command at the GSLB policy configuration level of the CLI to enable geolocation overlap: [no] geo-location overlap [global | policy] CLI Example The following command enables geo-location overlap at the GSLB policy level. The overlap option is used to enable match best behavior for the geolocation database within the default GSLB policy. By enabling this behavior, the match first algorithm will not be used, and instead the AX device will attempt to find the best match by searching for the longest string that matches the source IP address in the clients request. AX(config)#gslb policy default AX(config-gslb policy)#geo-location overlap policy AX(config-gslb policy)#exit
60 of 260

GSLB Configuration - Configure Services
Configure Services
A service is an application such as HTTP or FTP. For example: www.mydomain.com is a service where www is the http service or an application. Each zone can be configured with one or more services. To configure services in a GSLB zone, use one of the following procedures.
USING THE GUI

1. Select Config Mode > Service > GSLB. 2. On the menu bar, select Service IP. 3. Click Add. 4. Enter the service name and IP address. 5. If needed, assign an external IP address to the service IP. The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network. 6. Add the service port(s): a. Enter the port number and select the protocol (TCP or UDP). b. Optionally, select a health monitor. c. Click Add. The service port appears in the service port list. 7. Click OK. 8. Repeat for each service IP.
USING THE CLI

To configure service VIPs, use the following command at the global configuration level of the CLI: gslb vip-name ipaddr This command changes the CLI to the configuration level for the service. To assign an external IP address to the service, use the following command. An external IP address is needed if the service IP address is an internal IP address that can not be reached from outside the internal network. external-ip ipaddr
61 of 260

GSLB Configuration - Configure Services To configure a service port on the service, use the following command to change the CLI to the configuration level for the port: port port-num {tcp | udp} To enable health monitoring of the service, use the following command: health-check monitor-name
Gateway Health Monitoring

To simplify health monitoring of a GSLB site, you can use a gateway health check. A gateway health check is a Layer 3 health check (ping) sent to the gateway router for an SLB site. If a sites gateway router fails a health check, it is likely that none of the services at the site can be reached. GSLB stops using the site until it begins to pass gateway health checks again. In most cases, an ICMP health check is sufficient. You can use the default ICMP health check or configure a custom one. For more detailed health analysis, you can use an external health check. For example, you can use a script to get SNMP information from the gateway, and base the gateways health status on the retrieved information. Health-Check Precedence Health checking for a GSLB service can be performed at the following levels. 1. Gateway health check 2. Port health check 3. IP health check (Layer 3 health check of service IP) If the gateway health check is unsuccessful, the service IP is marked Down. If the gateway health check is successful, then the port health check can be used to check the status of the ports (assuming ports have been configured on the service IP). Otherwise, if no service ports are configured on the service IP, then the Layer 3 health check of the service IP is used.
62 of 260

GSLB Configuration - Configure Services Configuring Gateway Health Checking for GSLB Sites To configure gateway health checking for a GSLB site: 1. Configure the health monitor, unless you plan to use the default ICMP health monitor. 2. On the SLB device at the site, create an SLB real server configuration with the gateway routers IP address. If you configured a custom health check, make sure to apply it to the real server. 3. On the GSLB controller, specify the sites gateway IP address in the SLB-device configuration for the site. Sites with Multiple Gateway Links If a site has multiple gateways, create a separate real server for each gateway on the site AX device. On the GSLB controller, create a separate SLBdevice configuration for each gateway (real server). In each SLB-device configuration, specify only the service IPs that can be reached by the gateway specified in that SLB-device configuration. For a service IP that can be reached on any of multiple links, create a separate SLB-device configuration, without using the gateway option. The gateway health status for this SLB-device will be Down only if all the gateway health checks performed for the other SLB-device configurations for the site fail.
USING THE GUI

1. On the site AX deviceTo create the gateway router, navigate to the real server configuration page. Enter a name and the gateway IP address. Do not add any ports. If you plan to use the default Layer 3 health monitor, no further configuration is needed on the site AX device. If you plan to use a custom ICMP monitor, configure the monitor, select create from the Health Monitor drop-down list. 2. On the GSLB controllerTo specify the sites gateway IP address, navigate to the site configuration page. From this page, navigate to the SLB-Device configuration page and enter the gateway IP address in the Gateway field.
63 of 260

USING THE CLI

1. On the site AX deviceTo create the gateway router, use the following command at the global configuration level of the CLI on the site AX device: [no] slb server gateway-name gateway-ipaddr If you plan to use the default Layer 3 health monitor, no further configuration is needed on the site AX device. If you plan to use a custom ICMP monitor, configure the monitor, then use the following command at the configuration level for the real server (gateway): [no] health-check icmp-monitor-name 2. On the GSLB controllerTo specify the sites gateway IP address, use the following command at the configuration level for the SLB device, within the site configuration: [no] gateway gateway-ipaddr Disabling a Gateway Health-Check On the GSLB controller, you can disable gateway health checking at the SLB-device configuration level or the service configuration level; doing so will not affect any health checks configured for the individual virtual servers and service ports at the site. To disable gateway health checking at the SLB-device configuration level, use the following command: no gateway health-check After you enter this command, the SLB device will stop accepting gateway status information. To disable gateway health checking at the service configuration level, use the following command: no health-check gateway After you enter this command, the service will stop using gateway health checks. Displaying the Health Status of a Site Gateway To display the health status for a site gateway, use the following command: show gslb slb-device
64 of 260

CLI ExampleSite with Single Gateway Link

On the site AX device, the following command configures a real server for the gateway. The default ICMP health method is used.
Site-AX(config)#slb server 1.1.1.1
On the GSLB controller, the following commands enable gateway health checking for site device site-ax:
GSLB-AX(config)#gslb site remote GSLB-AX(config-gslb site)#slb-dev site-ax 10.1.1.1 GSLB-AX(config-slb dev)#gateway 1.1.1.1
The following command displays the gateway health status for GSLB sites:
GSLB-AX(config)#show gslb slb-device Attrs = Attributes, APF = Administrative Preference Sesn-Num/Uzn = Number/Utilization of Available Sessions GW = Gateway Status, IPCnt = Count of Service-IPs P = GSLB Protocol, L = Local Protocol Device IP Attrs APF Sesn-Num Uzn GW IPCnt -------------------------------------------------------------------------------local:self 127.0.0.1 100 0 0% 0 local:self2 127.0.0.1 100 0 0% 0 local:self3 127.0.0.1 100 0 0% 2 remote:site-ax 10.1.1.1 100 0 0% UP 0
In this example, the gateway health status for SLB-device configuration site-ax on the remote site is Up.
CLI ExampleSite with Multiple Gateway Links

On the site AX device, the following commands configure real servers for each of two gateway links. The default ICMP health method is used for each link.
Site-AX(config)#slb server 2.2.2.1 Site-AX(config-real server)#exit Site-AX(config)#slb server 3.3.3.1
On the GSLB controller, the following commands enable gateway health checking for each of the sites links. A unique SLB-device name is used for each link, even though both links are for the same SLB device (20.1.1.1).
GSLB-AX(config)#gslb site remote-link1 GSLB-AX(config-gslb site)#slb-dev site-ax-lnk1 20.1.1.1 GSLB-AX(config-slb dev)#gateway 2.2.2.1
65 of 260

GSLB-AX(config-slb dev)#exit GSLB-AX(config-gslb site)#exit GSLB-AX(config)#gslb site remote-link2 GSLB-AX(config-gslb site)#slb-dev site-ax-lnk2 20.1.1.1 GSLB-AX(config-slb dev)#gateway 3.3.3.1
If the same services can be reached through either link, an additional SLBdevice configuration is required:
GSLB-AX(config)#gslb site remote-link-both GSLB-AX(config-gslb site)#slb-dev site-ax-lnkboth 20.1.1.1
No gateway is specified in the SLB-device configuration. The gateway health status will be Up unless the health checks for 2.2.2.1 and 3.3.3.1 both fail.
Multiple-Port Health Monitoring

GSLB supports multiple-port health checking for service IPs. When you use a multiple-port health check for a service IP, the service IP is marked Up if any of the ports passes the health check. It is not required for all ports to pass the health check. Default Health Monitors The default health monitor for a service is the default Layer 3 health monitor (ICMP ping). The default health monitor for a service port is the default TCP or UDP monitor, depending on the transport protocol. By default, if the GSLB protocol is enabled and can reach the service, health checking is performed over the GSLB protocol. Otherwise, health checking is performed using standard network traffic instead. Optionally, you can disable use of the GSLB protocol for health checking, on individual service-IPs.
USING THE GUI

66 of 260

GSLB Configuration - Configure Sites
USING THE CLI

To configure a multiple-port health check, use the following command at the configuration level for the service IP: [no] health-check port port-num port-num [...] You can specify up to 64 ports. CLI Example The following commands apply a custom HTTP health monitor to service IP gslb-srvc2:
AX(config)#gslb service-ip gslb-srvc2 192.168.20.99 AX(config-gslb service-ip)#port 80 AX(config-gslb service-port)#health-check http AX(config-gslb service-ip)#port 8080 AX(config-gslb service-port)#health-check http AX(config-gslb service-ip)#port 8081 AX(config-gslb service-port)#health-check http
Note:
Applying a health monitor is required only if you do not plan to use the default health monitors. (See Default Health Monitors on page 66.) The following commands enable a multi-port health check for the HTTP service www on service IP gslb-srvc2 in GSLB zone abc.com:
AX(config)#gslb zone abc.com AX(config-gslb zone)#service http www AX(config-gslb service)#health-check port 80 8080 8081
Configure Sites
To configure GSLB sites, use one of the following procedures.
USING THE GUI

1. Select Config Mode > Service > GSLB. 2. On the menu bar, select Site. 3. Click Add. 4. Enter the site name.
67 of 260

GSLB Configuration - Configure Sites 5. In the SLB-Device section, enter information about the AX devices that provide SLB for the site: a. Click Add. b. Enter a name for the device. c. Enter the IP address at which the GSLB AX device will be able to reach the site AX device. d. To add a service to this SLB device, select it from the drop-down list in the VIP server section and click Add. Repeat for each service. 6. In the IP-Server section, add services to the site. Select a service from the drop-down list and click Add. Repeat for each service. 7. To manually map a geo-location name to the site, enter the geo-location name in the Geo-location section and click Add. 8. Click OK. The site appears in the Site table.
USING THE CLI

To configure the GSLB sites, use the following commands: gslb site site-name This command changes the CLI to the configuration level for the site. To associate an IP service with this site, use the following command: ip-server {name | service-ip} The name or service-ip is the name or IP address of a real server load balanced by the site. To specify the AX device that provides SLB at the site, use the following command: slb-dev device-name ipaddr To add the GSLB VIP server to the SLB device, use the following command: vip-server {name | ip ipaddr} The service-name is the GSLB service specified by the gslb vip-name ipaddr command in Configure Services on page 61.
68 of 260

GSLB Configuration - Configure a Zone
Configure a Zone
To configure a GSLB zone, use one of the following procedures.
USING THE GUI

1. Select Config Mode > Service > GSLB. 2. On the menu bar, select Zone. 3. Click Add. 4. Enter the zone name in the Name field. 5. In the Service section, click Add. (See Figure 16 on page 110.) The service configuration sections appear. 6. In the Service field, enter the service name. 7. Select the service type from the Port drop-down list. 8. Add the services: a. b. c. d. e. f. In the Service section, click Add. Enter name for the service (for example, www). Select the service type from the Port drop-down list. Configure additional options, if applicable to your deployment. Click OK. Repeat for each service.
9. Click OK. The zone appears in the GSLB zone list.
USING THE CLI

To configure the GSLB zone, use the following commands: gslb zone zone-url The zone-url is the URL that clients will send in DNS queries. This command changes the CLI to the configuration level for the zone. To add a service to the zone, use the following command: service port service-name
69 of 260

GSLB Configuration - Enable the GSLB Protocol The port is the application port for the server and must be the same port name or number specified on the service VIP.
Enable the GSLB Protocol

To enable the GSLB protocol, use one of the following procedures.
USING THE GUI

1. Select Config Mode > Service > GSLB. 2. On the menu bar, select Global. The Global section appears. 3. Select Enabled next to one of the following options, depending on the AX devices function in the GSLB configuration:
Run GSLB as Controller Run GSLB as Site SLB Device
4. Click OK.
USING THE CLI

To enable the GSLB protocol on the GSLB AX device, use the following command at the global configuration level of the CLI: gslb protocol enable controller To enable the GSLB protocol on a site AX device, use the following command at the global configuration level of the CLI: gslb protocol enable device
Resetting or Clearing GSLB

If you need to reset or clear the GSLB configuration, you can use the following commands:
gslb system reset Unloads all geo-location files and reloads the
default iana file.

no gslb all Unloads all geo-location files, including iana, and clears
all GSLB configuration information and statistical data.
70 of 260

GSLB Configuration - Resetting or Clearing GSLB These commands are available at the global configuration level of the CLI. Confirmation Prompt By default, the CLI displays a prompt asking you to confirm whether to perform the reset or deletion. You can reply yes or no. If you do not want the prompt to appear, you can disable it by entering the following command at the global configuration level of the CLI: no gslb system prompt Simplified CLI Syntax for Removing All Configuration Items The all option removes all configuration items of the specified type. In previous releases, the CLI supported removal of GSLB configuration items only one item at a time. Here are the no gslb commands that support the all option:
no gslb geo-location all Removes all manually configured
geo-locations from the AX devices configuration.

no gslb geo-location load all Unloads all geo-location
database files on the AX device. The default database (IANA) is also unloaded.
no gslb ip-list all Removes all IP lists from the AX devices
configuration. no ip all At the configuration level for an IP-list, removes all IP addresses from the list.
no gslb policy all Removes all GSLB policies from the AX
devices configuration.
no gslb service-ip all Removes all service IPs from the AX
devices configuration.
no gslb site all Removes all GSLB sites from the AX
devices configuration. no ip-server all At the site configuration level, removes all IP servers (real servers) from the site. no slb-device all At the site configuration level, removes all SLB devices. no vip-server all At the configuration level for an SLB device, removes all virtual servers from the device.
no gslb template csv all Removes all CSV templates from
the AX devices configuration.
71 of 260

GSLB Configuration - Resetting or Clearing GSLB
no gslb template snmp all Removes all SNMP templates
from the AX devices configuration.

no gslb template all Removes all CSV templates and SNMP
templates from the AX devices configuration.

no gslb zone all Removes all GSLB zones from the AX
devices configuration. To remove all GSLB configuration items at the same time, you can use the following command instead: no gslb all
72 of 260

Auto-mapping -
Auto-mapping
An AX device acting as a GSLB controller can retrieve the data needed to build the DNS system by automatically returning DNS records by name. This GSLB Auto-Mapping feature reduces the required amount of DNS management work when deploying GSLB. In releases prior to 2.7.0, manual configuration is required for each of the services for which an AX device is to respond. This manual configuration typically involves creating a service IP, applying it to a site, adding the zone, and then mapping the service to the service IP. With, GSLB Auto-mapping, however, the AX device allows you to automatically create the service by taking the name of a system resource, or "module", and appending it to the front of a zone to create the service name (DNS name). Once the servers and other network devices have been configured with basic information, auto-mapping enables the GSLB protocol to support DNS queries for the following modules (or system resources):
SLB server SLB virtual server SLB device GSLB site GSLB service-IP GSLB Group Hostname
Details:
This feature only works with GSLB wildcard service. There is no L3V support for SLB server or SLB virtual server. Names exceeding 20 characters must be changed to DNS domain, with
labels separated by the '.' character.
73 of 260

Auto-mapping -
Configuration
Configuring DNS Auto-mapping requires the following steps: 1. Configure DNS Auto-mapping at the zone level or system level. 2. Enable DNS Auto-mapping the zone and/or system level.
USING THE GUI

To configure GSLB Auto-mapping, navigate as follows: 1. Select Config Mode > Service > GSLB. 2. Click the Site tab, and then click the Add button. 3. Scroll down and click the arrow button to expand the Options section. A window similar to the one shown below appears: FIGURE 2 Config Mode > Service > GSLB > Site > Add
4. Select the Auto Map checkbox, if it is not already selected. 5. Click the Policy tab, and then click the Add button. 6. Scroll down and click the arrow button to expand the Auto Map section. A window similar to the one shown below appears: FIGURE 3 Config Mode > Service > GSLB > Policy > Add
7. By default, all modules (resources) are selected. You can select or clear the checkboxes to determine which modules or system resources for which the GSLB protocol will support DNS queries.
74 of 260

Auto-mapping 8. Either accept the default TTL value of 300 seconds, or enter a new time-to-live for the modules. 9. Click OK to store your changes.
USING THE CLI

Configure DNS Auto-mapping at the system level By default, system auto-mapping is disabled until you configure the modules. However, after system auto-mapping has been configured, the query name is the objects name. Use the following CLI commands to configure auto-mapping. gslb system auto-map module {all | slb-server | slb-virtual-server | slb-device | gslb-service-ip | gslb-site | gslb-group | hostname} gslb system auto-map ttl seconds Note: By default, all modules are enabled in the policy. Configure DNS Auto-mapping at the zone level Use the following CLI commands at the GSLB policy level to configure auto-mapping for a zone level: dns auto-map Details: To get the DNS response, the query name is in the following format: <obj-name>.<zone-name> For example, if a real server's name is us-svr1, and the wildcard zone is example.com, then the query name should be us-svr1.example.com
75 of 260

Auto-mapping CLI Example The following example configures a VIP called WWW at IP 192.168.1.100. AX(config)#slb virtual-server WWW 192.168.1.100 AX(config-slb vserver)#ha-group 1 AX(config-slb vserver)#port 80 http AX(config-slb vserver-vport)#source-nat pool Internal-Pool-1 AX(config-slb vserver-vport)#service-group Internal-Service-Group-1 Next, the commands below configure a GSLB policy auto-map, for the zone a10.com. A wildcard service IP is used. If a client sends a query for a host within the a10.com zone (for example, an AX with the name "sjax"), then the full service name is sj-ax.a10.com., and the GSLB protocol will respond to the clients query by providing the management IP address and the IP address for the inbound data interface. AX(config)#gslb policy auto-map AX(config)#dns auto-map AX(config)#gslb zone a10.com AX(config-gslb zone)#service * AX(config-gslb service)#gslb policy auto-map
76 of 260

Advanced DNS Options -
Advanced DNS Options

This chapter describes some of the DNS options you can configure in Global Server Load Balancing (GSLB) policies. Note: This chapter is not intended to be an exhaustive presentation of all DNS options in GSLB policies. For complete syntax information, see dns on page 197.
DNS Active-only on page 78 Support for DNS TXT Records on page 80 Append All NS Records in DNS Authority Section on page 82 Hints in DNS Responses on page 83 DNS Sub-zone Delegation on page 85 DNS Proxy Block on page 91
77 of 260

Advanced DNS Options - DNS Active-only
DNS Active-only
By default, if all of the servers failed to pass the health check, then the GSLB controller would return an empty list to the client, rather than sending the list of IP addresses for the servers that had failed the health check. You can configure the AX device to send the list of IP addresses (associated with servers that failed their health checks) back to the client. The feature can be enabled using the new dns active-only metric option. In association with this feature, you can also designate one or more backup servers, and the IP addresses for these servers will be sent to the client in the event that all of the primary servers have failed. This behavior requires that you enable the dns backup-server feature within the GSLB policy, and that you specify the backup servers within the DNS A-record for the GSLB zone service. To summarize, there are now three options:
active-only (Old) Nothing is returned to the client if all servers fail the
health check.
active-only fail-safe (New) A list of IP addresses for the servers that
failed the health check are sent back to the client.

backup-server Designate one or more backup servers that can be
returned to the client if the primaries should fail.
USING THE GUI

To configure the Active Only Fail Safe feature on a GSLB AX device, follow the procedure below: 1. Select Config Mode > Service > GSLB. 2. Click the Policy tab, and then click the Add button. 3. Enter a name for the GSLB policy in the Name field. 4. Click the DNS Options arrow to expand the menu.
78 of 260

Advanced DNS Options - DNS Active-only 5. From the DNS Options menu that appears, select one of the following:
Active Only checkbox Select this to enable the Active Only fea-
ture. If all servers fail the health check, then nothing is returned to the client. (Selecting this checkbox activates the Fail Safe checkbox.) Fail Safe checkbox Select this sub-option to have the list of IP addresses associated with failed servers returned to the client. 6. (Optional) Select the Backup Server checkbox if you would like one or more backup servers to be returned to the client in the event that all of the primary servers fail. 7. When finished, click OK to save your changes.
USING THE CLI

Enabling fail-safe option To enable the active-only fail-safe option and return a list of server IP addresses for failed servers, use the following command within a GSLB policy: dns active-only fail-safe The no form of the command can be used with the active-only feature to disable the fail-safe option. CLI Example The commands below enable the DNS active-only fail-safe option within a GSLB policy, so a list of IP addresses will be sent to the client for the servers that failed the health check.
AX(config)#gslb policy default AX(config-gslb policy)#dns active-only fail-safe AX(config-gslb policy)#exit
Enabling backup server mode To designate one or more backup servers to be returned to the client if the primary servers fail, do the following: 1. Use the following command to enable the backup server mode within the GSLB policy: dns backup-server
79 of 260

Advanced DNS Options - Support for DNS TXT Records 2. Specify the backup servers in the dns-a-record within the GSLB zone service using the following command: dns-a-record ip-addr as-backup CLI Example The commands below are used within a GSLB policy to specify that a backup server at IP 192.168.123.1 will be returned to the client, should the primary servers fail.
AX(config)#gslb policy default AX(config-gslb policy)#dns backup-server AX(config-gslb policy)#exit AX(config)#gslb zone z1 AX(config-gslb zone)#service 80 http AX(config-gslb zone-gslb service)#dns-a-record 192.168.123.1 as-backup AX(config-gslb zone-gslb service)#exit
Support for DNS TXT Records

The TXT record is a type of DNS resource record, similar to an A record or a CNAME record, but it has typically been used to carry machine-readable data, opportunistic encryption, Sender Policy Framework (SPF), Domain Keys, and DNS-SD. (Please refer to RFC 1464 for further details on uses for TXT resource records.) GSLB supports the ability to use DNS TXT resource records for the following purposes:
Perform Add/Delete/Find operations, based on a DNS TXT record Support multiple DNS TXT records for each service Carry multiple pieces of DNS TXT data within one TXT record Support DNS TXT/ANY query in server mode Support GSLB debug functions
Note:
The maximum length of a DNS TXT record data is 2048 characters.
80 of 260

Advanced DNS Options - Support for DNS TXT Records
USING THE GUI

To configure a DNS TXT record for a GSLB zone using the AX GUI, navigate as follows: 1. Select Config Mode > Service > GSLB. 2. Click the Zone tab, and then click the Add button. 3. Scroll down and click the arrow button to expand the Service section. 4. Click the Add button, and enter the details for this new service. 5. Scroll down and click the arrow button to expand the DNS TXT Record section. A window similar to the one shown below appears: FIGURE 4 DNS TXT Record
6. Enter the desired text string in the blank DNS TXT Record field. Then, click the Add button, as shown in Figure 4. Note: Use quotation marks when entering text strings that contain spaces. If a text string is entered without using quotation marks, this will cause the content to be split into different sections of the record. 7. When finished, scroll to the bottom of the page and click OK to save your changes.
USING THE CLI

To use DNS TXT resource records to carry multiple pieces of DNS TXT data within one TXT record, use the following command at the GSLB policy configuration level: [no] dns server txt Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
81 of 260

Advanced DNS Options - Append All NS Records in DNS Authority Section And then use the following command at the service config level within a GSLB zone: [no] dns-txt-record aaaa bbbb cccc Note: The AX device has a special handler that enables you to enter non-printable characters that the CLI does not support. For details, please contact A10 Support. Displaying Records To display the DNS TXT Records, use the following command: show gslb service dns-txt-record To display the DNS TXT switch, use the following command: show gslb policy [name]
Append All NS Records in DNS Authority Section

GSLB supports name server (NS) records in the Authority Section of the DNS response. When this feature is enabled, the GSLB AX device (running in server mode) will include all NS records in the Authority Section of the DNS response that is sent to the client. By providing additional NS information, this feature can be helpful if one or more of the name servers becomes unavailable.
USING THE GUI

To enable the GSLB AX device to append NS records in the Authority section of a DNS response, follow the procedure below: 1. Select Config Mode > Service > GSLB. 2. Click the Policy tab, and then click the Add button. 3. Enter a name for the GSLB policy in the Name field. 4. Click the DNS Options arrow to expand the menu. The DNS Options menu appears, as shown below:
82 of 260

Advanced DNS Options - Hints in DNS Responses FIGURE 5 NS Records under DNS Options
5. Select the Server Mode checkbox to place the AX device in Server Mode (and to activate the NS List checkbox). Then, select the NS List checkbox, as shown above. 6. When finished, click OK to save your changes.
USING THE CLI

To append all Name Server (NS) Resource Records (RR) in the Authority Section of a DNS reply from a GSLB AX device in server mode, use the following command at the gslb policy configuration level of the CLI: [no] dns server authoritative ns-list You can disable the inclusion of the NS record in the Authority section of DNS responses by using the no form of the command.
Hints in DNS Responses

By default, the AX device places hints in the Additional Section of the DNS response. Hints are A or AAAA records that are sent in the response to a clients DNS request. These records provide a mapping between the host names and IP addresses. You can disable the appearance of hints in a DNS response. In addition, you also can determine where in the DNS response the hints will appear. Hints can appear in the following sections of a DNS response:
83 of 260

Advanced DNS Options - Hints in DNS Responses
None Does not append hints in the DNS response Additional Appends hints in the Additional Section (default) Answer Appends hints in the Answer Section
This new option applies to the following record types:

NS MX SRV
USING THE GUI

To configure hints in the DNS response, follow the procedure below: 1. Select Config Mode > Service > GSLB. 2. Click the Policy tab, and then click the Add button. 3. Enter a name for the GSLB policy in the Name field. 4. Click the DNS Options arrow to expand the menu. 5. In the Hint area, select the desired radio button:
No Disables hints in the DNS response Additional Enables hints in the Additional Section (default) Answer Enables hints in the Answer Section
6. When finished, click OK to save your changes.
USING THE CLI

Use the following command at the GSLB policy configuration level of the CLI to configure the Hint Record, (or Glue Record) that appears in DNS replies sent from the GSLB AX device to a clients DNS request. [no] dns hint { addition | answer | none }
84 of 260

Advanced DNS Options - DNS Sub-zone Delegation CLI Example The following command configures the AX device to include the Hint Record in the Answer Section of the DNS response. This might be helpful if, for example, the local DNS server has trouble parsing the Additional Section that appears in a full DNS reply. AX(config)#gslb policy default AX(config-gslb policy)#dns hint answer AX(config-gslb policy)#exit
DNS Sub-zone Delegation

GSLB sub-zone delegation allows you to delegate authority or responsibility for a portion of the DNS namespace from the parent domain to a separate sub-domain which may reside on one or more remote servers and may be managed by someone other than the network administrator who is responsible for the parent zone. By delegating responsibility for a sub-zone (or sub-domain), you are effectively dividing up the namespace, or the mappings between the hostnames and their associated IP addresses. This division helps to distribute the DNS database more effectively. Sub-zone delegation may be desirable if your organization is growing quickly and you are adding remote branches or offices. If the branches are distributed across a broad geographic area, sub-zone delegation can be done to reduce the response times to the resolvers, thus providing faster performance by placing the requested DNS records closer to the clients. Sub-zone delegation may also be done to distribute the DNS traffic load across a larger number of servers in order to improve fault tolerance. Additionally, you may wish to delegate the responsibility for a sub-zone to an administrator who is more familiar with a particular group of servers, whether due to geographical proximity or due to an administrators familiarity with the content and services offered by those servers. For example, assume a San Jose-based company is expanding rapidly and decides to open an office in New York for its finance division. With the additional traffic generated by client DNS resolvers on the East Coast, the parent domain, (example.com) may no longer suffice. In this case, it might be helpful to add a separate sub-zone (finance.example.com) for the New York office. Such a scenario is shown in Figure 6 on page 86.
85 of 260

Advanced DNS Options - DNS Sub-zone Delegation FIGURE 6 Namespace for finance division is delegated as new sub-zone
Figure 6 shows the root zone at the top of the DNS hierarchy. The figure also illustrates the following important points:
The next level down are the Top Level Domains (TLDs), or the DNS
servers responsible for managing the resource records for the .com, .org and other domains.
The parent zone is located beneath the TLDs. It is at this level within the
DNS structure that the organizations main domain (example.com) is located.

A separate sub-zone (finance.example.com), representing the New
York office, has been delegated from the parent zone. As this hypothetical sub-zone is branched off of the parent domain, it might be helpful to delegate responsibility for managing this new sub-zone to an IT administrator who is also located in New York. Keep in mind that during the process of delegating authority for any subzone, an NS record must be added to the zone file within the authoritative name server for the parent zone. This must be done so that other DNS servers and clients will recognize the new server as being authoritative for the particular delegated sub-zone.
86 of 260

Advanced DNS Options - DNS Sub-zone Delegation Details:
Sub-zone delegation is enabled within a GSLB policy and applied at the
zone level.
When delegating a sub-zone, the GSLB AX device must be in server
mode. The feature will not work with the GSLB AX device in proxy mode.
Once a sub-zone has been delegated from the parent zone, client resolv-
ers will send a query for the NS record, and the response from the GSLB AX device will have the NS record in the Authority section and the IP address in the Additional section of the full DNS response. Note: The AX device supports configuration of glue records. A glue record can be configured to prevent circular dependencies, which can occur if the name server is located in a sub-zone of the parent domain. Such a scenario can make it impossible for the client resolver to locate the IP for the name server, because it is located within a sub-zone of the parent domain. Configuring a glue record eliminates this problem by providing an address record that appears in the Additional section of the full DNS response, and this enables the client to find the name server.
USING THE GUI

This feature is not supported in the GUI for this release.
USING THE CLI

To enable sub zone delegation, use the following command at the GSLB configuration level: [no] dns delegation CLI Example #1 The following command configures the GSLB policy, and places the GSLB AX device in server mode. The delegation command, which is also applied at the DNS level, enables the sub-zone delegation. AX(config)#gslb policy delegat-1 AX(config-gslb policy)#dns server AX(config-gslb policy)#dns delegation AX(config-gslb policy)#exit
87 of 260

Advanced DNS Options - DNS Sub-zone Delegation The following command creates the sub-zone to be delegated. Note that this also requires the configuration of a wildcard service. AX(config)#gslb zone sub.example.com AX(config-gslb zone)#service * Alternatively, you could use the following commands to have the feature support DNSSEC by removing the sub. from the zone config. AX(config)#gslb zone example.com AX(config-gslb zone)#service *.sub
The following command creates the NS record in the GSLB policy: AAX(config-gslb service)#dns-ns-record ns.finance.example.com
The following command applies the delegation policy at the zone level for the service group level:
AX(config-gslb zone)#policy delegation
The following optional command can be used at the GSLB zone level to configure a DNS glue record. This configuration helps prevent circular dependencies: AX(config-gslb zone)#service 53 ns.finance AX(config-gslb zone-gslb service)#dns-a-record <service-ip name> AX(config-gslb zone-gslb service)#exit
88 of 260

Advanced DNS Options - DNS Sub-zone Delegation CLI Example #2 The following command configures the GSLB service IP ns-ip-1 at IP 172.16.11.211 and disables the health check at the service IP level and at port 53 for UDP. AX(config)#gslb service-ip ns-ip-1 172.16.11.211
AX(config-gslb service ip)#no health-check AX(config-gslb service ip)#port 53 udp AX(config-gslb service ip-port)#no health-check
The following command configures the GSLB service IP dc1-vip at IP 10.10.10.10 and disables the health check at the service IP level and at port 80 for TCP. AX(config)#gslb service-ip dc1-vip 10.10.10.10
AX(config-gslb service ip)#no health-check AX(config-gslb service ip)#port 80 tcp AX(config-gslb service ip-port)#no health-check
The following command configures the GSLB service IP ns-ip-1 at IP 172.16.10.203 and disables the health check at the service IP level and at port 80 for TCP. AX(config)#gslb service-ip dc2-vip 172.16.10.203
AX(config-gslb service ip)#no health-check AX(config-gslb service ip)#port 80 tcp AX(config-gslb service ip-port)#no health-check
The following commands configure a GSLB site called dc1. The site has an AX device, dc1-ax at IP 10.10.10.50. AX(config)#gslb site dc1 AX(config-gslb site)#slb-dev dc1-ax 10.10.10.50
AX(config-gslb site-slb dev)#vip-server dc1-vip AX(config-gslb site-slb dev)#exit
The following commands configure a GSLB site called dc2. The site has an AX device, dc2-ax at IP 172.16.10.50. AX(config)#gslb site dc2 AX(config-gslb site)#slb-dev dc1-ax 172.16.10.50
AX(config-gslb site-slb dev)#vip-server dc2-vip AX(config-gslb site-slb dev)#exit
89 of 260

Advanced DNS Options - DNS Sub-zone Delegation The following commands configure a GSLB site called dc5. The site has an AX device, dc5-ax at IP 172.16.11.50. AX(config)#gslb site dc5 AX(config-gslb site)#slb-dev dc5-ax 172.16.11.50
AX(config-gslb site-slb dev)#vip-server ns-ip-1 AX(config-gslb site-slb dev)#exit
The following commands configure three GSLB policies: (1) the default GSLB policy, (2) GSLB policy 5 (for delegation), and (3) GSLB policy dns-server. The AX delegates authority for the sub-domain sub.sub.a10networks.jp to nameserver "ns01.sub.sub.a10networks.jp". AX(config)#gslb policy default
AX(config-gslb policy)#exit
AX(config)#gslb policy 5
AX(config-gslb policy)#dns delegation AX(config-gslb policy)#dns server AX(config-gslb policy)#exit
AX(config)#gslb policy dns-server

AX(config-gslb policy)#dns server AX(config-gslb policy)#exit
The following commands create the GSLB zone sub.sub.a10networks.jp and creates a wildcard service within the zone. The GSLB policy 5, created above, is assigned to the wildcard service, and an NS record is created for the name server, ns01.sub.sub.a10networks.jp. AX(config)#gslb zone sub.sub.a10networks.jp
AX(config-gslb zone)#service * AX(config-gslb zone-gslb service)#policy 5 AX(config-gslb zone-gslb service)#dns-ns-record ns01.sub.sub.a10networks.jp AX(config-gslb zone-gslb service)#exit
90 of 260

Advanced DNS Options - DNS Proxy Block The following commands are used within the same GSLB zone sub.sub.a10networks.jp to creates a service for port 53 called ns01. The GSLB policy dns-server, created above, is assigned to the service, and an A record is created for ns-ip-1 to return the associated Service-IP if the DNS is in server mode.
AX(config-gslb zone)#service 53 ns01 AX(config-gslb zone-gslb service)#policy dns-server AX(config-gslb zone-gslb service)#dns-a-record ns-ip-1 static
The following commands creates the GSLB zone sub.a10networks.jp and enables the http service. Then, the policy dns-server is bound and A records are create for dc1-vip and dc2-vip. AX(config)#gslb zone sub.a10networks.jp
AX(config-gslb zone)#service http www AX(config-gslb zone-gslb service)#policy dns-server AX(config-gslb zone-gslb service)#dns-a-record dc1-vip static AX(config-gslb zone-gslb service)#dns-a-record dc2-vip static
The following command enables the GSLB and makes this AX device the GSLB controller. AX(config)#gslb protocol enable controller
DNS Proxy Block

AX Release 2.7.0 introduces DNS Proxy Block, which enables an AX device to block DNS client queries from being sent to an internal DNS server. The AX device must be in GSLB proxy mode for the feature to work. The DNS Proxy Block feature can be used to block DNS queries based on DNS query type, DNS query number, or by specifying a range of numbers. The feature can be used to block the following well-known DNS types:
A (type 1) AAAA (type 28) CNAME (type 5) MX (type 15) NS (type 2)
91 of 260

Advanced DNS Options - DNS Proxy Block
PTR (type 12) SOA (type 6) SRV (type 33) TXT (type 16)
After specifying the type of DNS query to be blocked, select an action to perform on the selected DNS query type, for example, drop or reject. When selecting an action to perform on a query type, keep in mind the following caveats:
Selecting a DNS query type without specifying the action will cause the
default action to be applied to the selected query type. The default action is drop.
Selecting an action without specifying the query type will cause the fea-
ture to essentially remain disabled. If no query type has been identified, then no action is applied, even if an action has been specified. Benefits Implementing this feature may reduce the amount of traffic sent to back-end DNS servers. This can increase efficiency by reducing the burden on those servers. This feature may also be desirable in situations where resource records reside on a DNS server that is accessible to both internal and external clients. In such situations where the same DNS server is being accessed by both internal and external clients, the DNS Proxy Block feature helps prevent sensitive resource records on an internal DNS server from being leaked to external clients. Note: Prior releases supported a similar DNS Blocking option, which essentially removed the dns-a-record information from DNS responses. By using the no-resp option at the GSLB service level for a zone, dns-arecord information would be stripped from the DNS servers response. This new command, however, simply blocks the clients DNS request before it is received by the back-end DNS server. Details:
The GSLB AX device must be operating in proxy mode to support the
DNS Proxy Block feature.

The feature is configured within the GSLB policy and is applied at the
zone and service levels.
92 of 260

Multiple query types can be specified, but only one action can be
applied to those query types. Therefore, the first bullet below would be an acceptable configuration, but the second bullet would not: Reject both SRV and CNAME query types (OK) Reject SRV but drop CNAME query types (Not OK)
USING THE GUI

To enable the DNS Proxy Block feature for a GSLB zone using the AX GUI, navigate as follows: 1. Select Config Mode > Service > GSLB. 2. Click the Policy tab, and then click the Add button. 3. Click the DNS Proxy Block arrow to expand the menu. A window similar to the one shown below appears: FIGURE 7 DNS Proxy Block
4. Select the Drop or Reject Action radio button. If desired, you can select the No radio button to disable the DNS Proxy Block feature. 5. Click the Type List drop-down menu and select the desired well-known DNS query type that you would like to block. Then, click the Add button. If you want to remove a query type from the list, select the checkbox next to a query type and then click the Delete button. Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
93 of 260

Advanced DNS Options - DNS Proxy Block Alternatively, to enter a range of DNS query type numbers to be blocked, in the Range List section, enter the beginning number in the From field and the ending number in the To field. 6. When finished, click OK to save your changes. 7. Next, apply the policy to a zone by selecting Config Mode > Service > GSLB, and then click the Zone tab. 8. Apply the GSLB policy you just created to an existing zone by clicking the hyperlinked name of the zone and then selecting the GSLB policy from the drop-down menu. 9. Click OK to save your changes.
USING THE CLI

Enabling GSLB DNS Proxy Block To enable the GSLB DNS Proxy Block feature, use the following command at the GSLB policy configuration level: dns proxy block [ a | aaaa | ns | mx | srv | cname | ptr | soa | txt | num query-type | range {start-query-type end-query-type} | ] action [[drop | reject]
The query-type is the numeric value that corresponds to a well-known DNS query type. Specify any number from 1 to 255. The range option allows you to target less well-known DNS query types. The start-query-type is the numeric value used to define the beginning of the range, while the end-query-type is the numeric value used to define the end of the range of DNS query types that will be blocked. The range can go
94 of 260

Advanced DNS Options - DNS Proxy Block from 1 to 65535. If desired, you can enter the same number for the beginning and end range values to target a specific query type. The available actions are drop and reject. Selecting "drop" drops the specified DNS query type without sending a confirmation message to the client. Selecting "reject" rejects the specified DNS query type and returns the Refused message in replies to the client. Note: To enter the action and query type on a single line, you must enter the query type prior to entering the action. If the action is entered first, then the query type must be entered on a separate line. CLI Example The following example shows the commands used to create a GSLB policy, enable the DNS Proxy Block feature for A records, and then applies the policy to the zone called example.com for the service http.
AX(config)#gslb policy pol-1 AX(config-gslb policy)#dns proxy block a AX(config-gslb policy)#exit AX(config-gslb policy)#gslb zone example.com AX(config-gslb policy)#policy pol-1 AX(config-gslb policy)#service http www AX(config-gslb policy)#exit
95 of 260

96 of 260
AX Series - Global Server Load Balancing Guide

Partition-specific Group Management - Implementation Details
Partition-specific Group Management

Beginning with release 2.6.1-GR1, the AX device allows Global Server Load Balancing (GSLB) to be configured within individual partitions. The shared partition and the private partitions in which Layer 2/3 virtualization is enabled, can each have their own GSLB configuration parameters, which are separate from the other partitions. To configure GSLB parameters for an individual partition, assign them all to the same GSLB configuration group, and then map the group to the partition.
Implementation Details
Partition-specific GSLB configuration is supported only for partitions in
which Layer 2/3 virtualization is enabled.

The following GSLB configuration items can not be configured for indi-
vidual partitions. They can be configured only globally, for all partitions on the AX device: GSLB system-wide settings: gslb system, gslb dns, gslb protocol and gslb active-rdt GSLB geo-locations (gslb geo-location)
Duplicate names are not supported for GSLB items. For example, the
same zone name can not be configured in more than one partition.
For each partition, only one GSLB Group is supported to implement
mapping.
For each partition, you can create one group, the partition group. In the current release, the following synchronization scenario is sup-
ported: from shared partition group to shared partition group

The view and inheritance features are not supported in this release.
aVCS Notes
In an aVCS deployment there is more than one device in the virtual
chassis. Due to real-time configuration synchronization, all devices in the virtual chassis will have the same configuration. In this case, more than one GSLB controller can have the highest priority. The controller with the highest last 4 bytes in its management interface MAC address is elected as the group master. Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
97 of 260

Partition-specific Group Management - Implementation Details
GSLB group will synchronize configuration between AX devices. If the
group is enabled and the GSLB configuration can be handled by the GSLB group, aVCS will not synchronize the GSLB configuration to the vBlade.
If the vMaster is not the same device as the as GSLB group master, con-
figuration of GSLB in a member controller requires the config-anywhere option to be enabled in the GSLB group. Note: For additional information about Role Based Partitions, please see the Role-Based Administration chapter in the AX Series System Configuration and Administration Guide.
98 of 260

GSLB Configuration Examples - CLI Example
GSLB Configuration Examples

This chapter provides configuration examples for Global Server Load Balancing (GSLB). These examples implement a basic GSLB deployment. The examples assume that the default GSLB policy is used, without any changes to the policy settings.
CLI Example
Configuration on the GSLB AX Device (GSLB Controller)
The following commands configure a health monitor for the local DNS server to be proxied:
AX-Controller(config)#health monitor dns-53 AX-Controller(config-health:monitor)#method dns domain example.com AX-Controller(config-real server)#exit
The following commands configure the DNS proxy:

AX-Controller(config)#slb server dns-1 10.10.10.53 AX-Controller(config-real server)#port 53 udp AX-Controller(config-real server-node port)#health-check dns-53 AX-Controller(config-real server-node port)#exit AX-Controller(config-real server)#exit AX-Controller(config)#slb service-group sg-1 udp AX-Controller(config-slb service group)#member dns-1:53 AX-Controller(config-slb service group)#exit AX-Controller(config)#slb virtual-server DNS_SrvA 10.10.10.100 AX-Controller(config-slb virtual-server)#port 53 udp AX-Controller(config-slb virtual server-slb virtua...)#gslb-enable AX-Controller(config-slb virtual server-slb virtua...)#service-group sg-1 AX-Controller(config-slb virtual server-slb virtua...)#exit AX-Controller(config-slb virtual server)#exit
The following commands configure the service IP addresses. The VIP address and virtual port number of the virtual server in the site AX Series devices SLB configuration are used as the service IP address and port number on the GSLB AX Series device.
99 of 260

AX-Controller(config)#gslb service-ip servicevip1 2.1.1.10 AX-Controller(config-gslb service ip)#port 80 tcp AX-Controller(config-gslb service ip)#exit AX-Controller(config)#gslb service-ip servicevip2 3.1.1.10 AX-Controller(config-gslb service ip)#port 80 tcp AX-Controller(config-gslb service ip)#exit
The following command loads the IANA file into the geo-location database:
AX-Controller(config)#gslb geo-location load iana
The following commands configure the sites. For each site SLB device, enter the IP address of the AX Series device that provides SLB at the site. For the VIP server names, enter the service IP name specified above.
AX-Controller(config)#gslb site usa AX-Controller(config-gslb site)#slb-dev ax-a 2.1.1.1 AX-Controller(config-gslb site-slb dev)#vip-server servicevip1 AX-Controller(config-gslb site-slb dev)#exit AX-Controller(config-gslb site)#exit AX-Controller(config)#gslb site asia AX-Controller(config-gslb site)#slb-dev ax-b 3.1.1.1 AX-Controller(config-gslb site-slb dev)#vip-server servicevip2 AX-Controller(config-gslb site-slb dev)#exit AX-Controller(config-gslb site)#exit
The following commands configure the GSLB zone:

AX-Controller(config)#gslb zone a10.com AX-Controller(config-gslb zone)#service http www AX-Controller(config-gslb zone-gslb service)#dns-cname-record www.a10.co.cn AX-Controller(config-gslb zone-gslb service)#geo-location China www.a10.co.cn AX-Controller(config-gslb zone-gslb service)#exit AX-Controller(config-gslb zone)#exit
At the configuration level for the service (www), the CNAME www.a10.co.cn is configured, and the CNAME is associated with geo-location China. If a clients IP address is in the range for the China geo-location, GSLB sends the CNAME www.a10.co.cn in the DNS reply. The following command enables the GSLB protocol:
AX-Controller(config)#gslb protocol enable controller
100 of 260

Configuration on Site AX Device AX-A

The following commands configure SLB on site AX device AX-A:
Site-AX-A(config)#slb server www 2.1.1.2 Site-AX-A(config-real server)#port 80 tcp Site-AX-A(config-real server-node port)#exit Site-AX-A(config-real server)#exit Site-AX-A(config)#slb server www2 2.1.1.3 Site-AX-A(config-real server)#port 80 tcp Site-AX-A(config-real server-node port)#exit Site-AX-A(config-real server)#exit Site-AX-A(config)#slb service-group www tcp Site-AX-A(config-slb service group)#member www:80 Site-AX-A(config-slb service group)#member www2:80 Site-AX-A(config-slb service group)#exit Site-AX-A(config)#slb virtual-server www 2.1.1.10 Site-AX-A(config-slb virtual server)#port 80 http Site-AX-A(config-slb virtual server-slb virtua...)#service-group www Site-AX-A(config-slb virtual server-slb virtua...)#exit Site-AX-A(config-slb virtual server)#exit
Note:
The virtual server IP address must be the same as the GSLB service IP address configured on the GSLB AX device. The following command enables the GSLB protocol:
Site-AX-A(config)#gslb protocol enable device
Configuration on Site AX Device AX-B

The following commands configure SLB and enable the GSLB protocol on site AX device AX-B:
Site-AX-B(config)#slb server www 3.1.1.2 Site-AX-B(config-real server)#port 80 tcp Site-AX-B(config-real server-node port)#exit Site-AX-B(config-real server)#exit Site-AX-B(config)#slb server www2 3.1.1.3 Site-AX-B(config-real server)#port 80 tcp Site-AX-B(config-real server-node port)#exit Site-AX-B(config-real server)#exit Site-AX-B(config)#slb service-group www tcp Site-AX-B(config-slb service group)#member www:80 Site-AX-B(config-slb service group)#member www2:80 Site-AX-B(config-slb service group)#exit Site-AX-B(config)#slb virtual-server www 3.1.1.10 Site-AX-B(config-slb virtual server)#port 80 http Site-AX-B(config-slb virtual server-slb virtua...)#service-group www Site-AX-B(config-slb virtual server-slb virtua...)#exit
101 of 260

GSLB Configuration Examples - GUI Example
Site-AX-B(config-slb virtual server)#exit Site-AX-B(config)#gslb protocol enable device
GUI Example
Configuration on the GSLB AX Device (GSLB Controller)
Configure a Health Monitor for the DNS Proxy 1. Select Config Mode > Service > Health Monitor. 2. On the menu bar, select Health Monitor. 3. Click Add. 4. Enter a name for the monitor in the Name field. 5. In the Method section, select DNS from the Type drop-down list. 6. In the Domain field, enter the domain name. (Generally, this is the same as the GSLB zone name you will configure.) Configure the DNS Proxy 1. Begin configuring the proxy: a. Select Config Mode > Service > GSLB. b. On the menu bar, select DNS Proxy. c. Click Add. d. Enter a name for the proxy in the Name field. e. In the IP Address field, enter the IP address that will be advertised as the authoritative DNS server for GSLB zone. Note: The GUI will not accept the configuration if the IP address you enter here is the same as the real DNS server IP address you enter when configuring the service group for this proxy. (below). f. In the GSLB Port section, click Add. The GSLB Port section appears.
102 of 260

GSLB Configuration Examples - GUI Example 2. Configure the service group: a. In the Service Group drop-down list, select create to create a service group. (See Figure 8 on page 103.) The Service Group section appears. b. Enter the service group information. For this example, enter the following: Name gslb-proxy-sg-1 Port type UDP Load-balancing metric (algorithm) Round-Robin Health Monitor default c. In the Server section, enter the DNS servers real IP address in the Server field, and enter the DNS port number in the port field. d. Click Add. The DNS port appears in the list. (See Figure 9 on page 104.) e. Click OK. The GSLB Port section reappears. In the service dropdown list, the service group you just configured is selected. (See Figure 10 on page 104.) 3. Finish configuration of the proxy: a. Click OK. The Proxy section reappears. (See Figure 11 on page 105.) b. Click OK. The DNS proxy appears in the DNS Proxy table. (See Figure 12 on page 105.) FIGURE 8 Configure > Service > GSLB > DNS Proxy
103 of 260

GSLB Configuration Examples - GUI Example FIGURE 9 Configure > Service > GSLB > DNS Proxy - service group configuration
FIGURE 10 selected
Configure > Service > GSLB > DNS Proxy - service group
104 of 260

GSLB Configuration Examples - GUI Example FIGURE 11 configured Configure > Service > GSLB > DNS Proxy - GSLB port
FIGURE 12 configured
Configure > Service > GSLB > DNS Proxy - DNS proxy
Load the IANA Geo-location Database 1. Select Config Mode > Service > GSLB. 2. On the menu bar. select Geo-location > Import. 3. In the Load/Unload section, enter iana in the File field. Leave the Template field blank. 4. Click Add. Configure Services 1. Select Config Mode > Service > GSLB. 2. On the menu bar, select Service IP. 3. Click Add. Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
105 of 260

GSLB Configuration Examples - GUI Example 4. Enter the service name and IP address. For this example, enter the following:
Name servicevip1 IP Address 2.1.1.10 (This is the VIP address of a site. Configure a
separate GSLB service IP for each SLB VIP.) 5. If needed, assign an external IP address to the service IP. The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network. 6. Add the service port(s): a. Enter the port number and select the protocol (TCP or UDP). b. Optionally, select a health monitor. c. Click Add. The service port appears in the service port list. For this example, add TCP port 80 and leave the health monitor unselected. (See Figure 13 on page 106.) 7. Click OK. 8. Repeat for each service IP. FIGURE 13 Config Mode > Service > GSLB > Service IP
106 of 260

GSLB Configuration Examples - GUI Example Configure Sites 1. Select Config Mode > Service > GSLB. 2. On the menu bar, select Site. 3. Click Add. 4. Enter the site name. 5. In the SLB-Device section, enter information about the AX devices that provide SLB for the site: a. Click Add. b. Enter a name for the device. c. Enter the IP address at which the GSLB AX device will be able to reach the site AX device. d. To add a service to this SLB device, select it from the drop-down list in the VIP server section and click Add. Repeat for each service. For this example, enter the following: Name AX-A IP Address 2.1.1.1 (This is the IP address of the site AX device that provides SLB for the site.) GSLB Service Add a service IP by selecting it from the dropdown list and clicking Add. For this example, add servicevip1 to site usa. 6. In the IP-Server section, add services to the site. Select a service from the drop-down list and click Add. Repeat for each service. 7. To manually map a geo-location name to the site, enter the geo-location name in the Geo-location section and click Add. 8. Click OK. The site appears in the Site table.
107 of 260

GSLB Configuration Examples - GUI Example FIGURE 14 Configure > Service > GSLB > Site - SLB Device
108 of 260

GSLB Configuration Examples - GUI Example FIGURE 15 Configure > Service > GSLB > Site - site parameters selected
Configure a Zone 1. Select Config Mode > Service > GSLB. 2. On the menu bar, select Zone. 3. Click Add. 4. Enter the zone name in the Name field. 5. In the Service section, click Add. (See Figure 16 on page 110.) The service configuration sections appear. 6. In the Service field, enter the service name. Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
109 of 260

GSLB Configuration Examples - GUI Example 7. Select the service type from the Port drop-down list. 8. Add the services: a. b. c. d. e. f. In the Service section, click Add. Enter name for the service (for example, www). Select the service type from the Port drop-down list. Configure additional options, if applicable to your deployment. Click OK. Repeat for each service.
9. Click OK. The zone appears in the GSLB zone list. FIGURE 16 Configure > Service > GSLB > Zone
110 of 260

GSLB Configuration Examples - GUI Example FIGURE 17 Configure > Service > GSLB > Zone
Enable the GSLB Protocol 1. Select Config Mode > Service > GSLB. 2. On the menu bar, select Global. 3. Select Enabled next to Run GSLB as Controller. 4. Click OK.
111 of 260

GSLB Configuration Examples - GUI Example
Configuration on Site AX Devices

SLB configuration is the same with or without GSLB, and is not described here. To enable the AX device to run GSLB as a site AX device, perform the following steps on each site AX device: 1. Select Config Mode > Service > GSLB. 2. On the menu bar, select Global. 3. Select Enabled next to Run GSLB as Site SLB Device. 4. Click OK.
112 of 260

GSLB Configuration Synchronization - Overview
GSLB Configuration Synchronization

This chapter describes GSLB configuration synchronization.
Overview
The AX device provides a mechanism to automatically synchronize GSLB configurations and service IP status among multiple GSLB controllers for a GSLB zone. (A GSLB controller is an AX device on which GSLB is configured and on which the GSLB controller option is enabled.) To use this feature, add the GSLB controllers to a GSLB controller group. The group members (controllers) elect a master controller for the group. The master controller updates the GSLB configurations on each of the other group members. The master controller also checks the service IPs for their status and sends the status information to the other group members. Note: This feature is different from the AX Series Virtual Chassis System (aVCS) feature. aVCS is used for multiple AX devices that serve as mutual backups within the same LAN. GSLB configuration synchronization is used by GSLB controllers, which typically are connected across WAN links. How AX Devices Join a Controller Group On each GSLB controller, the configuration for a GSLB group includes a list of primary group members. After the GSLB process starts on an AX device, the device joins the controller group by connecting to the primary group members to exchange group management traffic. You can specify up to 15 primary group members. By default, no primary group members are defined. You do not need to configure the list of primary group members on each controller. If you configure the list on the AX device you plan to use as the master controller for the group, that device will send the list to the other controllers in the group. The learning option enables an AX device to learn the IP addresses of additional group members from the primary group members. Learning is enabled by default.
113 of 260

GSLB Configuration Synchronization - Overview Election of the Master Controller Each GSLB controller in a controller group has a configurable priority value, 1-255. During master election, the GSLB controller with the highest priority is elected master for the group. If more than one controller has the highest priority value, the controller with the highest last 4 bytes in its management interface MAC address is elected. The master controller and the other controllers periodically send keepalive messages. If the other controllers stop receiving keepalive messages from the master controller, a new master is elected. Note: To designate a master controller for the GSLB group, set the priority of the desired AX device to a higher value than the other members. It is recommended that you make GSLB configuration changes for the groupwide parameters (shown below) on the master. The group synchronization feature will push your configuration to the other group members. GSLB Synchronization The master in a GSLB controller group synchronizes the following GSLB configuration items by updating the configurations on the other controllers:
Service IPs Sites, including SLB-device parameters Zones, including services GSLB policies (only those that are used by services) SLB information for DNS proxy GSLB protocol settings
The following items are not synchronized:

Geo-location files Black/white list files Health monitors
The master controller sends the following status information to the other controllers:
aRDT data Connection load data Virtual port status
114 of 260

GSLB Configuration Synchronization - Overview
Virtual server status Device status
Until the configuration synchronization status reaches FullSync, you can change GSLB configuration information directly on group members even if they are not the master. However, if the same configuration items are changed on the master, the changes on the master overwrite the changes on the other group members. After the configuration synchronization status reaches FullSync, directly changing the configuration on a member device is not supported. In this case, the following error message is displayed: Operation denied by Group Master. Notes
In the current release, if there are two or more controllers in a private
network and they are using the same public NAT address, only one of the controllers will be accepted as a member of the GSLB group. The AX GSLB controller will reject the other connection request if it comes from the same external IP.
In HA or VRRP-A deployments, the GSLB configuration synchroniza-
tion feature synchronizes with the active device, which then pushes the GSLB configuration changes to the standby.
Starting in Release 2.6.1-P3, the AX devices CLI prompt displays the
AX devices role within the GSLB group, which can be either Master or Member, as shown in the examples below: AX2500-Master(config)# AX2500-Member(config)# Display of the group role can be disabled by using the no terminal gslbprompt command at the global config level.
115 of 260

GSLB Configuration Synchronization - GSLB Group Parameters
GSLB Group Parameters

Table 2 lists the GSLB group parameters you can configure. TABLE 2
Parameter Group name
GSLB Group Parameters

Description and Syntax Name of the GSLB controller group. [no] gslb group default Note: The current release does not support this feature in the GUI. State of the group on the AX device. [no] enable Note: The current release does not support this feature in the GUI. Value used during master election for the group. Higher priority values are preferred over lower priority values. For example, priority value 200 is preferred over priority value 100. [no] priority num Note: The current release does not support this feature in the GUI. IP addresses of the other GSLB controllers to connect to within the group. You can specify up to 15 IP addresses. [no] primary ipaddr Note: The current release does not support this feature in the GUI. Allows the device to learn the IP addresses of additional group members from the primary controller(s). [no] learn Note: The current release does not support this feature in the GUI. Automatically saves the configuration on a group member when the configuration is saved on the groups master controller. [no] config-save Note: The current release does not support this feature in the GUI. Supported Values default Default: not set
Group state
Enabled or disabled Default: disabled
Priority
0-255 Default: 100
Primary controller
Valid IP address Default: not set
Learning
Enabled or disabled Default: enabled
Automatic configuration save
Enabled or disabled Default: enabled
116 of 260

GSLB Configuration Synchronization - Configuration
Configuration
At a minimum, to add an AX device to a GSLB controller group: 1. On the controller you plan to use as the master: a. Configure the GSLB parameters that will be synchronized with the other controllers. b. Configure local GSLB parameters as applicable to your deployment. c. Add the device to the GSLB controller group and change the group priority value to 255. d. Enable the devices membership in the group. 2. On each of the other controllers: a. Add the device to the GSLB controller group. Set the priority to a value that is less than the master. b. Enable the AX devices membership in the group. c. Configure local GSLB parameters as applicable to your deployment.
USING THE GUI

The current release does not support configuration of this feature using the GUI.
USING THE CLI

To configure a GSLB group, use the following commands. [no] gslb group default This command changes the CLI to the configuration level for the group, where the following commands are available. [no] enable This command activates the GSLB controllers membership in the group. [no] priority num This command specifies the priority of the controller to become the master for the group. (See Election of the Master Controller on page 114.)
117 of 260

GSLB Configuration Synchronization - Configuration [no] primary ipaddr This command specifies the IP address of another GSLB controller in the group. You can specify up to 15 primary controllers. Enter the command separately for each controller. [no] learn This command enables the AX device to learn the IP addresses of other group members from the primary controllers. [no] config-save This command enables automatic configuration save on a group member when the configuration is saved on the groups master controller. To display GSLB group information, use the following command: show gslb group [group-name] [brief] [statistics] CLI Example The following commands add a GSLB controller to the default GSLB group, enable the devices membership in the group, and display group information:
AX(config)#gslb group default AX(config-gslb group)#enable AX(config-gslb group)#show gslb group brief Pri = Priority, Attrs = Attributes D = Disabled, L = Learn P = Passive, * = Master Name default Pri Attrs Master 100 L 192.168.101.72 Member 2 -----------------------------------------------------------------------------
Table 3 describes the fields in the command output. TABLE 3

Field Name Pri
show gslb group brief fields

Description Name of the GSLB controller group. Priority of the master controller.
118 of 260

GSLB Configuration Synchronization - Configuration TABLE 3
Field Attrs
show gslb group brief fields (Continued)

Description GSLB group attributes of this member: D Member is disabled. L Group learning is enabled on this member. P Members connection with this member (the member on which you enter the show gslb group command) is passive. The group connection between any two controller group members is a client-server connection. The group member that initiates the connection is the client, and has the passive side of the connection. The other member is the server. * Member is the current master for the group. Note: Attributes are displayed only when at least two group members are connected. IP address of the current master for the group. Number of GSLB controllers in the group. This number includes all configured group members and all learned group members.
Master Member
AX(config-gslb group)#show gslb group Pri = Priority, Attrs = Attributes D = Disabled, L = Learn P = Passive, * = Master Group: default, Master: 192.168.101.72 Member local 192.168.1.131 192.168.1.132 ID Pri Attrs Status OK Synced Synced ----------------------------------------------------------------------------22e40d29 255 L* 941a1229 100 ab301229 100 P

Field Member
show gslb group fields

Description GSLB controllers currently in the group. The local member is the GSLB controller on which you entered this show command. Group member ID assigned by the controller group feature.
ID
119 of 260

GSLB Configuration Synchronization - Configuration TABLE 4
Field Pri Attrs
show gslb group fields (Continued)

Description Priority of the GSLB controller. GSLB group attributes of the member: D Member is disabled. L Group learning is enabled on this member. P Members connection with this member (the member on which you enter the show gslb group command) is passive. The group connection between any two controller group members is a client-server connection. The group member that initiates the connection is the client, and has the passive side of the connection. The other member is the server. * Member is the current master for the group. Note: Attributes are displayed only when at least two group members are connected. When the GSLB group is starting up, this column shows the protocol status. After the group is established, this column shows the group status. Protocol status: Idle Active OpenSent OpenConfirm Established Group status of the member: Ready FullSync / MasterSync Synced Note: If the group status of the member is OK, this AX device (the one on which you entered the command) knows of the member, but no connection between this AX device and the member is required.
Status
120 of 260

Geo-location-based Access Control - Using a Class List
Geo-location-based Access Control

You can control access to a VIP based on the geo-location of the client. You can configure the AX device to perform one of the following actions for traffic from a client, depending on the location of the client:
Drop the traffic Reset the connection Send the traffic to a specific service group (if configured using a black/
white list) The AX device determines a clients location by looking up the clients subnet in the geo-location database used by Global Server Load Balancing (GSLB). Note: This feature requires you to load a geo-location database, but does not require any other configuration of GSLB. The AX system image includes the Internet Assigned Numbers Authority (IANA) database. By default, the IANA database is not loaded but you can easily load it, as described in the configuration procedure later in this section.
Using a Class List

This section show how to configure geo-location-based VIP access using a class list. Note: In the current release, geo-location-based VIP access works only if the class list is imported as a file. The CLI does not support configuration of class-list entries for this application. Example The following class list maps client geo-locations to limit IDs (LIDs), which specify the maximum number of concurrent connections allowed for clients in the geo-locations.
L US 1 L US.CA 2 L US.CA.SJ 3
The following commands import the class list onto the AX device, configure a policy template, and bind the template to a virtual port. The connec-
121 of 260

Geo-location-based Access Control - Using a Class List tion limits specified in the policy template apply to clients who send requests to the virtual port. This example assumes the default geo-location database (iana) is already loaded.
AX(config)#import class-list c-share tftp: Address or name of remote host []?192.168.32.162 File name [/]?c-share Importing ... Done. AX(config)#slb template policy pclass AX(config-policy)#class-list name c-share AX(config-policy)#class-list lid 1 AX(config-policy-policy lid)#conn-limit 4 AX(config-policy-policy lid)#exit AX(config-policy-policy lid)#class-list lid 2 AX(config-policy-policy lid)#conn-limit 2 AX(config-policy-policy lid)#exit AX(config-policy-policy lid)#class-list lid 3 AX(config-policy-policy lid)#conn-limit 1 AX(config-policy-policy lid)#exit AX(config-policy)#geo-location overlap AX(config-policy)#exit AX(config)#slb virtual-server vip1 10.1.1.155 AX(config-slb vserver)#port 80 http AX(config-slb vserver-vport)#template policy pclass AX(config-slb vserver-vport)#exit
The following command verifies operation of the policy:

AX(config-policy)#show slb geo-location statistics M = Matched or Level, ID = Group ID Conn = Connection number, Last = Last Matched IP v = Exact Match, x = Fail Virtual Server: vip1/80, c-share -------------------------------------------------------------------------------Max Depth: 3 Success: 3 Geo-location M ID Permit Deny Conn Last -------------------------------------------------------------------------------US.CA.SJ v 3 1 1 1 77.1.1.107 -------------------------------------------------------------------------------Total: 1
122 of 260

Geo-location-based Access Control - Using a Black/White List
Using a Black/White List

To configure geo-location-based access control for a VIP: 1. Configure a black/white list. You can configure the list using a text editor on a PC or enter it directly into the GUI. If you configure the list using a text editor, import the list onto the AX device. 2. Configure an SLB policy (PBSLB) template. In the template, specify the black/white list name, and the actions to perform for the group IDs in the list. 3. Load a geo-location database, if one is not already loaded. 4. Apply the policy template to the virtual port for which you want to control access.
Configuring the Black/White List

You can configure black/white lists in either of the following ways:
Remote option Use a text editor on a PC, then import the list onto the
AX device.
Local option Enter the black/white list directly into a management
GUI window. With either method, the syntax is the same. The black/white list must be a text file that contains entries (rows) in the following format: L "geo-location" group-id #conn-limit The L indicates that the clients location will be determined using information in the geo-location database. The geo-location is the string in the geo-location database that is mapped to the clients IP address; for example, US, US.CA, or US.CA.SanJose. The group-id is a number from 1 to 31 that identifies a group of clients (geolocations) in the list. The default group ID is 0, which means no group is assigned. On the AX device, the group ID specifies the action to perform on client traffic. The #conn-limit specifies the maximum number of concurrent connections allowed from a client. The # is required only if you do not specify a group ID. The connection limit is optional. For simplicity, the examples in this section do not specify a connection limit.
123 of 260

Geo-location-based Access Control - Using a Black/White List Here is a simple example of a black/white list for this feature:
L "US" L "US.CA" L "JP" 1 2 3
USING THE GUI

To configure or import a black/white list using the GUI: 1. Select Config Mode > Service > PBSLB. 2. Click New.
To import the list: Leave Remote selected. Enter a name for the list in the Name field. Enter the hostname or IP address in the Host field. Enter the file path and name in the Location field. To enter the file directly into the GUI: Select Local. Type the list into the Definition field.
3. Click OK. To configure an SLB policy (PBSLB) template: 1. Select Config Mode > Service > Template. 2. On the menu bar, select Application > PBSLB Policy. 3. Click Add. 4. In the Name field, enter a name for the template. 5. From the drop-down list below the Name field, select the black/white list. 6. Select a group ID from the Group ID drop-down list. 7. Select one of the following from the Action drop-down list.
Drop Drops new connections until the number of concurrent con-
nections on the virtual port falls below the ports connection limit. (The connection limit is set in the black/white list.) Reset Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit.
124 of 260

Geo-location-based Access Control - Using a Black/White List
service-group-name Each of the service groups configured on the
AX device is listed. create This option displays the configuration sections for creating a new service group. 8. Optionally, enable logging. (The AX device uses the same log rate limiting and load balancing features for PBSLB logging as those used for ACL logging. See the "Log Rate Limiting section in the "Basic Setup chapter of the AX Series System Configuration and Administration Guide.) 9. Click Add. 10. Repeat step 6 through step 9 for each group ID. 11. Click OK. To load the IANA geo-location database: 1. Select Config Mode > Service > GSLB. 2. On the menu bar, select Geo-location > Import. 3. In the Load/Unload section, enter iana in the File field. Leave the Template field blank. 4. Click Add. Note: If preferred, you can import a custom geo-location database instead. For information, see Loading or Configuring Geo-Location Mappings on page 49. To apply the policy template to a virtual port: 1. Select Config Mode > Service > SLB. 2. On the menu bar, select Virtual Server. 3. Select the virtual server or click Add to configure a new one. 4. If you are configuring a new VIP, enter the name and IP address for the server. 5. In the Port section, select the port and click Edit, or click Add to add a new port. The Virtual Server Port page appears. 6. Select the policy template from the PBSLB Policy Template drop-down list.
125 of 260

Geo-location-based Access Control - Using a Black/White List 7. Click OK. 8. Click OK again to finish the changes and redisplay the virtual server list.
USING THE CLI

1. To import a black/white list onto the AX device, use the following command at the global configuration level of the CLI: bw-list name url [period seconds] [load] The name can be up to 31 alphanumeric characters long. The url specifies the file transfer protocol, directory path, and filename. The following URL format is supported: tftp://host/file 2. To configure a PBSLB template, use the following commands: [no] slb template policy template-name Enter this command at the global configuration level of the CLI. The command creates the template and changes the CLI to the configuration for the template, where the following PBSLB-related commands are available. [no] bw-list name file-name This command binds a black/white list to the virtual ports that use this template. [no] bw-list id id service {service-group-name | drop | reset} [logging [minutes] [fail]] This command specifies the action to take for clients in the black/white list: id Group ID in the black/white list. service-group-name Sends clients to the SLB service group associated with this group ID on the AX device. drop Drops connections for IP addresses that are in the specified group. reset Resets connections for IP addresses that are in the specified group. 3. To load a geo-location database, use the following command at the global configuration level of the CLI: [no] gslb geo-location load {iana | file-name csv-template-name}
126 of 260

Geo-location-based Access Control - Using a Black/White List 4. To apply the policy template to a virtual port, use the following command at the configuration level for the virtual port: [no] template policy template-name Displaying SLB Geo-Location Information To display SLB geo-location information, use the following command: show slb geo-location [ virtual-server-name | virtual-port-num | bad-only | [depth num] [id num] [location string] [statistics] ] The bad-only option displays only invalid or mismatched geo-location content. The depth option specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed. The id option displays only the geo-locations mapped to the specified black/ white list group ID. The location option displays information only for the specified geo-location; for example US.CA. Clearing SLB Geo-Location Statistics To clear SLB geo-location statistics, use the following command at the Privileged EXEC level of the CLI: clear slb geo-location [ virtual-server name [...] virtual-port-num | location {all | string} ]
127 of 260

Geo-location-based Access Control - Full-Domain Checking CLI Example The following command imports black/white list geolist onto the AX device.
AX(config)#import bw-list geolist scp://192.168.1.2/root/geolist
The following commands configure a policy template named geoloc and add the black/white list to it. The template is configured to drop traffic from clients in the geo-location mapped to group 1 in the list.
AX(config)#slb template policy geoloc AX(config-policy)#bw-list name geolist AX(config-policy)#bw-list id 1 drop AX(config-policy)#exit
The following commands apply the policy template to port 80 on virtual server vip1:
AX(config)#slb virtual-server vip1 AX(config-slb virtual server)#port 80 http AX(config-slb vserver-vport)#template policy geoloc AX(config-slb vserver-vport)#show slb geo-location
Full-Domain Checking
By default, when a client requests a connection, the AX device checks the connection count only for the specific geo-location level of the client. If the connection limit for that specific geo-location level has not been reached, then the clients connection is permitted. Likewise, the permit counter is incremented only for that specific geo-location level. Table 5 shows an example set of geo-location connection limits and current connections. TABLE 5 Geo-location connection limit example
Connection Limit 100 50 20 Current Connections 100 37 19
Geo-location US US.CA US.CA.SanJose
Using the default behavior, the connection request from the client at US.CA.SanJose ia allowed even though CA has reached its connection limit. Likewise, a connection request from a client at US.CA is allowed. However, a connection request from a client whose location match is simply US is denied.
128 of 260

Geo-location-based Access Control - Full-Domain Checking After these three clients are permitted or denied, the connection permit and deny counters are incremented as follows:
US Deny counter is incremented by 1. US.CA Permit counter is incremented by 1. US.CA.SanJose Permit counter is incremented by 1.
Full-Domain Checking
When full-domain checking is enabled, the AX device checks the current connection count not only for the clients specific geo-location, but for all geo-locations higher up in the domain tree. Based on full-domain checking, all three connection requests from the clients in the example above are denied. This is because the US domain has reached its connection limit. Likewise, the counters for each domain are updated as follows:
US Deny counter is incremented by 1. US.CA Deny counter is incremented by 1.
USING THE GUI

USING THE CLI

To enable full-domain checking for geo-location-based connection limiting, use the following command at the configuration level for the PBSLB template: geo-location full-domain-tree Note: It is recommended to enable or disable this option before enabling GSLB. Changing the state of this option while GSLB is running can cause the related statistics counters to be incorrect.
Enabling PBSLB Statistics Counter Sharing

You can enable sharing of statistics counters for all virtual servers and virtual ports that use a PBSLB template. This option causes the following counters to be shared by the virtual servers and virtual ports that use the template:
129 of 260

Geo-location-based Access Control - Full-Domain Checking
Permit Deny Connection number Connection limit
USING THE GUI

USING THE CLI

To enable the share option, use the following command at the configuration level for the PBSLB policy template: geo-location share Note: It is recommended to enable or disable this option before enabling GSLB. Changing the state of this option while GSLB is running can cause the related statistics counters to be incorrect.
130 of 260

Cloud-based Computing Solution -
Cloud-based Computing Solution

GSLB supports the ability to dynamically generate a service-ip, based on the hostname assigned to an AX device. If you have an FQDN for the SLB but you are lacking the associated IP address, then the GSLB protocol can query the DNS server for an A record or CNAME record in order to learn the IP address for that device. The GSLB AX device, or GSLB controller, can acquire the IP address of the device and apply it to the service-ip. This information can then be used to configure the SLB server (with hostname) as an ip-server or vip-server of a GSLB site. The IP address that appears in the A record or CNAME record will become the dynamically assigned service-ip for that SLB. Benefits The GSLB Cloud Computing Solution may work well if you are using multiple web-based service providers to provide server load balancing services. It can allow you to shift from one web-based service provider to another in order to use the services that cost less or that have better health metrics. If you are using a cloud-based SLB service provider for web-based services, then the provider will send a CNAME record to access the cloud servers, and the cloud servers can be dynamically imported into the AX device via the CNAME record in order to do GSLB. Note: For this release, the feature supports IPv4 resource records and does not support IPv6 records.
USING THE GUI

This feature is not supported in the GUI for this release.
USING THE CLI

No new CLI commands are required to use this feature. The ability to shift from one cloud-based SLB provider to another can be enabled by using existing CLI commands, as shown in the CLI example below. CLI Example The example below shows the generation of dynamic service-ip addresses by hostname via DNS. This can be accomplished using the following CLI configurations on an AX device: Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
131 of 260

Cloud-based Computing Solution To configure the cloud-based service provider number 1:
AX(config)#slb server www www.example2.com
To configure the cloud-based service provider number 2:

AX(config)#slb server mail mail.example2.com
To configure the cloud-based service provider number 3:

AX(config)#slb server www1 www1.example2.com
The following commands configure three sites for each web-based service provider:
AX(config)#gslb site sanjose AX(config-gslb site)#slb-dev AX5200 192.168.1.2 AX(config-gslb site-slb dev)#ip-server ip-server1 AX(config-gslb site-slb dev)#ip-server ip-server2 AX(config-gslb site-slb dev)#ip-server www AX(config-gslb site-slb dev)#ip-server mail
132 of 260

DNSSEC Support - Overview
DNSSEC Support
This chapter describes the AX devices DNSSEC support.
Overview
An AX device configured as a Global Server Load Balancer (GSLB) controller can act as an authoritative DNS server for a domain zone. As the authoritative DNS server for the zone, the AX device sends records in response to requests from DNS clients. The AX device supports the ability to respond to client requests for the following types of well-known resource records:
A AAAA CNAME NS MX PTR SRV TXT
Placing the AX device within the DNS infrastructure exposes it to potential online attacks. When DNS was originally designed, there were no mechanisms to ensure the DNS infrastructure would remain secure. In an unsecured DNS environment, the clients DNS resolver has no way to assess the validity of the address it receives for a particular domain name, so the clients DNS resolver cannot tell whether an address received for a particular domain is from the legitimate owner of that domain. This potential security hole opens the door for possible forgeries, thus making DNS vulnerable to so-called man-in-the-middle attacks, DNS cache poisoning attacks, and other types of online attacks that could be used to forge DNS data, hijack traffic, and to potentially steal sensitive information from the user.
133 of 260

DNSSEC Support - Overview To close this security hole, the IETF introduced a set of standards in the mid-1990s called Domain Name System Security Extensions (DNSSEC). These additional standards add authentication to DNS and help ensure the integrity of the data transferred between the client resolvers and DNS servers. DNSSEC offers authentication through the use of cryptographic keys and digital signatures, which ensure that entries within DNS tables are correct and that connections are made to legitimate servers. The AX devices implementation of DNSSEC is based on RFCs 4033, 4034, and 4035. Note: DNSSEC for GSLB is not supported in proxy mode for this release.
DNS without Security

Figure 18 on page 135 provides a visual introduction to basic DNS without DNSSEC. The figure shows the recursive lookup process that occurs when a client resolver requests the IP address for a particular URL. Note that this
134 of 260

DNSSEC Support - Overview illustration shows how a client request works in a simple DNS environment that does not have DNSSEC. FIGURE 18 DNS Packet Flow without DNSSEC
A client (shown at upper left) requires access to a server in the domain zone1.example.org (at lower left). The AX device, which is acting as the GSLB controller, is the authoritative DNS server for the zone. In order to access this server, the client requires the IP address for this zone, or domain. The user enters the domain name in the web browsers URL, and from there, the process of obtaining the IP address associated with this domain unfolds as follows: 1. The DNS resolver embedded in the clients web browser sends an address request (A ?) to the Caching DNS server to see if the Caching DNS server already has the required IP address cached in its memory for the requested example.org domain. 2. The Caching DNS server has a list of IP address-to-domain mappings, but the list is not comprehensive, and unfortunately, the Caching DNS Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
135 of 260

DNSSEC Support - Overview server does not have the required IP address. It acts as a proxy for the client and makes a recursive query to the Root DNS Server, which is located at the top of the DNS hierarchy. 3. The Root DNS Server does not have the requested IP address, but in an attempt to point the Caching DNS server in the right direction, it responds to the request with a Name Server (NS) record, which contains the IP of the Top Level Domain (TLD) server for the .org domain. 4. The Caching DNS server now has the IP address for the name server that manages the .org domain, so it sends an address request (on behalf of the client) to the TLD DNS server for the .org domain. 5. It turns out that the TLD Server does not have the requested IP address, but once again, it points the Caching DNS server in the right direction by providing an NS record containing the IP address for the next name server within the DNS hierarchy, which is the authoritative DNS server for the example.org subdomain. 6. Now that it has the IP address needed to reach the authoritative DNS server for the example.org domain, the Caching DNS server sends a request for zone1.example.org to this authoritative DNS server. 7. The authoritative DNS server does not have the requested information, but it can get the Caching DNS server one step closer to its destination by providing the NS record for the authoritative DNS server for the zone1.example.org domain. 8. The Caching DNS Server sends a request to the authoritative DNS server for the zone1.example.org domain. 9. The AX device, which is the authoritative DNS server for zone1.example.org, has the IP address that the client needs. It sends the requested IP address to the Caching DNS server. 10. The Caching DNS server sends the IP address, provided by the AX device, to the DNS resolver in the clients browser. The client now has the IP address needed to reach the server in the zone1 subdomain.
136 of 260

DNSSEC (DNS with Security)

Figure 19 on page 138 illustrates how the DNS query process works when the security extensions are used with DNS to provide security (DNSSEC). The process is similar to that depicted in Figure 18 on page 135, but with the notable exception that DNSSEC uses the following additional resource record types to provide security:
DNS Key (DNSKEY) Public key used by an Authoritative DNS
server to sign resource records for its zone.

Delegation Signer (DS) Hash (message digest) of a public key. A DNS
server uses the DS for a zone directly beneath it in the DNS hierarchy to verify that signed resource records from the Authoritative DNS server for that zone are legitimate.
Resource Record Signature (RRSIG) Digitally signs another resource
record, such as an A record. The digital signature is created by applying a hash function to the DNS record to reduce its file size, an encryption algorithm is applied to the hash value (using the private key), and this encrypted hash value appears as the digital signature at the bottom of the resource record. The RRSIG record, which contains the private key used to encrypt the hash value, appears at the bottom of the record being signed.
While Figure 18 on page 135 shows how basic DNS works without DNSSEC, Figure 19 on page 138 provides an updated version of this illustration showing how the DNS lookup process works with DNSSEC. The recursive lookup process remains largely unchanged, with the higher level DNS servers pointing to lower level servers within the DNS hierarchy in order to move the request closer to the authoritative server for the desired domain. However, when DNSSEC is added to this scenario, the additional records (such as DS, RRSIG, and DNSKEY) are used to sign and authenticate the communications from the DNS servers, thus proving to the client that each of the name servers in the chain of trust are authoritative for their respective domains. For more details, See Building the Chain of Trust on page 140.
137 of 260

DNSSEC Support - Overview FIGURE 19 DNS Packet Flow with DNSSEC
Figure 19 shows the resolution process for an address query from the DNS resolver on a client for the IP address of zone1.example.org. 1. The DNS resolver on the client sends an address query for the IP address of a host under zone1.example.org. 2. The Caching DNS server, which does not have the address, forwards the request to the root server. 3. The root server redirects the Caching DNS server to the TLD DNS server for the .org domain. This is accomplished by sending an NS record with the IP address of that TLD server. The root server uses an RRSIG record (used to store the private key) to sign the NS record, and
138 of 260

DNSSEC Support - Overview the root server sends a copy of the DS record to the Caching DNS server, which points to the TLD server. 4. The Caching DNS server sends the address query to the TLD server for the .org domain. 5. The TLD server does not have the requested address, so it points the Caching DNS server to the Authoritative DNS server for example.org It sends an NS record with the IP address of the authoritative server for example.org, and the TLD server signs the NS record with the private key in the RRSIG record. 6. The Caching DNS server sends the address query to the Authoritative DNS server for example.org. 7. The Authoritative DNS server for example.org does not have the requested address, so it responds to the caching servers request by sending the NS record (signed with the RRSIG record). This NS record contains the IP address of the Authoritative DNS server for zone1.example.org. The server sends the DS record for the zone1.example.org server to the Caching DNS server. 8. The Caching DNS server sends the address query to the Authoritative DNS server for zone1.example.org, which happens to be the AX device. 9. Finally, the Caching DNS server has reached the Authoritative DNS server for zone1.example.org. The Authoritative DNS server (which is the AX device) replies with an SOA record, the requested A record, and RRSIG records containing the private key, which is used to sign the SOA and A records. 10. The Caching DNS server asks the AX device for its DNSKEY record, which is where the public key for the zone is advertised. (This public key is needed to unlock the resource records and check the hash values back up the chain.) 11. The AX device sends its DNSKEY record, along with an RRSIG record that was used to sign the DNSKEY record. (The RRSIG record contains the private key.) 12. To continue assembling the chain of trust, the Caching DNS server asks the Authoritative DNS server for example.org for its DNSKEY record. 13. The Authoritative DNS server for example.org sends its DNSKEY record, along with an RRSIG record (with the private key) that was used to sign the DNSKEY record.
139 of 260

DNSSEC Support - Overview 14. The Caching DNS server then asks the TLD server for .org for its DNSKEY record. 15. The TLD server sends its DNSKEY record, along with an RRSIG record that was used to sign the DNSKEY record. The Caching DNS server now has all the private/public key pairs and has therefore validated all of the links in the chain of trust. It can now send the trusted response to the DNS resolver on the client.
Building the Chain of Trust

Figure 20 illustrates how the Chain of Trust is built within the DNSSEC infrastructure. A Chain of Trust is built like a series of links, with each node authenticating the one below. The presence of a Chain of Trust allows the clients DNS resolver to know that all DNS servers within the chain have vouched for one another, starting from the Root DNS Server and continuing down to the lowest-level DNS server.
140 of 260

DNSSEC Support - Overview FIGURE 20 DNSSEC Chain of Trust
Figure 20 above shows the Authoritative DNS Server for the zone1.example.org domain at the bottom left, and the Root DNS Server is located at the upper right. Starting from the lower left, the Authoritative DNS Server for the zone1.example.org domain, has a DNS key record (DNSKEY). This DNSKEY record contains the public Zone Signing Key (ZSK) for zone1. The ZSK is used to sign other record types, such as A records, for the zone. The DNSKEY record is signed by another key, the Key Signing Key (KSK), which also belongs to this zone.
141 of 260

DNSSEC Support - Overview The Start of Authority (SOA) record indicates that this server is the Authoritative DNS Server for zone1. The A record provides the IP address for zone1.example.org. The next level up within the DNS hierarchy corresponds to the next "label" in the example.org domain, and it has a record called the Delegation Signer (DS). The DS record contains a hash, or message digest, of the public Key Signing Key (KSK), which belongs to the Authoritative DNS Server for the node below, zone1.example.org. The DNS resolver (or the Caching DNS Server) can compare the hash value for any of the nodes within the Chain of Trust, and the values should match. If the hash values in a DS record cannot be recreated from the DNSKEY record, then this indicates the packet containing the key record may have been tampered with, cannot be trusted, and should be discarded. However, if the hash value is correct, this indicates that the Chain of Trust is unbroken and that the DNSKEY record (for the Authoritative DNS Server associated with the zone1.example.org domain) is properly linked to the DS record above. In turn, the DNSKEY record (for the Authoritative DNS Server associated with the example.org domain) is properly linked to the DS record above. This process of DNSKEY records being linked with the DS record of the node above continues all the way to the Root DNS Server. The clients DNS resolver knows that the Root DNS Server is legitimate due to the presence of a trust anchor. This trust anchor, which consists of information for the Root DNS Server, is included in the resolver software that is installed on the client. This minimizes the chance that a client could access a corrupt root DNS server. Due to this anchor, the client knows the Root DNS Server can be trusted, in it can infer that the other nodes within the Chain of Trust can also be trusted. Because the hash values match all the way down the line, this is an indication that the Chain of Trust is intact, and that the clients DNS resolver can trust the Authoritative DNS Server for zone1.example.org, located at the bottom of the Chain of Trust within the DNS hierarchy.
Performing Key Rollovers

New DNSSEC keys should be generated periodically to replace the old keyset. While it may not be necessary to perform the key rollover process every time you sign your zone, it is a good idea to change keys on a regular schedule if you suspect your keys may have been compromised.
142 of 260

DNSSEC Support - Overview As a rule of thumb, longer keys are more secure and do not need to be replaced as often as shorter keys. However, if your zone contains highly valuable information that could attract unwanted attention from potential miscreants, then it is recommended that you perform the key rollover process at more frequent intervals. Key rollovers must be performed manually. The key rollover process differs slightly for the ZSK and KSK keys. Instructions for performing both types of key rollovers are provided below.
ZSK Key Rollovers

ZSK rollovers use a pre-publishing scheme. This approach can be helpful because if the old key expires or is compromised in some way, the new key has already been distributed throughout the DNS. This makes performing the rollover relatively easy since you can easily switch to the new key that has already been distributed while removing the old key from the zone. This way, the name servers will still be able to find the zone-signing DNSKEY record by using the new pre-published but inactive ZSK key, thus preventing them from becoming isolated with the old information.1 To help illustrate the ZSK rollover process, consider the following example in which there is DNSSEC-enabled zone, example.com, which uses the DNSSEC template temp-test. In this example, the old key called, ZSKOLD is replaced with a new key, ZSK-NEW. The key rollover process unfolds as follows: 1. The new key ZSK-NEW is added to the DNSSEC template temptest. When the new key is added to the template, the status of the new key is set with the publish command in order to distribute the new key across the network of DNS servers. 2. The DNSSEC template has a dnskey-ttl option. Wait for the amount of time configured for this parameter; the default is 4 hours. Once the time has elapsed, the old ZSK key expires and is removed from the cache. 3. The status of the old key ZSK-OLD is changed within the DNSSEC template using the deprecate command. At the same time, the status of the new key ZSK-NEW is elevated using the active command. 4. It is recommended to wait for the duration specified for the Maximum Zone TTL for any data in the zone to expire from the caches. This is just
1.
For additional details on pre-publishing, refer to RFC 4641.
143 of 260

DNSSEC Support - Overview a precaution to ensure that any old data in the zone expires and is removed. 5. Remove the old key ZSK-OLD from the DNSSEC template using the no zsk keyname command.
KSK Key Rollovers

A double-signature scheme is used for KSK key rollovers. This scheme is simpler than the ZSK pre-publishing scheme and does not use the publish, active, and deprecate command options. The drawback to using the double-signature approach for KSK rollovers is that the number of signatures is multiplied by a factor of two. This increases the size of your zone during the key rollover process, which can present problems for larger zones. However, the benefit of the double-signature scheme, when compared with the pre-publishing scheme used for ZSK rollovers, is that the double-signature scheme requires only three steps: Initial, new DNSKEY, and DNSKEY removal.1 To help illustrate the KSK rollover process, consider the following example in which there is DNSSEC-enabled zone, example.edu, which uses the DNSSEC template temp-2, and has the KSK key called KSK-OLD. In this example, the old key is replaced with a new key, KSK-NEW. The KSK key rollover process unfolds as follows: 1. The new key KSK-NEW is added to the DNSSEC template temp-2 to sign the zone. 2. The DNSSEC template has a dnskey-ttl option. Wait for the amount of time configured for this parameter; the default is 4 hours. After this time period has passed, the old KSK key will expire from the cache. 3. Transfer the new KSK key to the parent zone. In this example, the parent zone is .edu. For details on transferring the key to the parent zone, see Importing and Exporting the Delegation Signature Keyset on page 145. 4. The parent zone has a TTL value configured for the DS record. Wait for this amount of time to pass. This will cause the old DS record (which
1.
For additional details, refer to RFC 4641.
144 of 260

DNSSEC Support - Overview points to the authoritative DNSKEY record for the example.edu child zone) to expire from the cache of the parent zone. 5. Remove the old key KSK-OLD from the DNSSEC template temp-2 using the no ksk keyname command. Once the old key is removed, the new KSK will be used to sign the zone.
Importing and Exporting the Delegation Signature Keyset

The Delegation Signer (DS) resource record (RR) and the corresponding DNSKEY RR are stored in the different locations. The AX device offers import and export CLI commands to move these records to the appropriate nodes within the DNS hierarchy. Figure 20 on page 141 shows that the DS RR always appears one level higher within the DNS hierarchy than its DNSKEY record. The DS record is on the parent side and the DNSKEY record is on the child side. To help understand this principle, consider the example earlier in this section. The DS record for the zone example.org is stored in the .org zone. This zone is the parent zone relative to the example.org zone, which is the child zone. While the DS record is stored in the parent zone, the DNSKEY record is stored in the child zone. To ensure that these records are in the appropriate relative locations, the AX supports two kinds of keyset formats that can be used to import the DS record from the child zone to the parent zone:
DS RR This is a hashed version of the DNSKEY. DNSKEY RR The AX converts this record using a hash function,
in order to create the resulting DS record. The import dnssec-ds/dnssec-dnskey child-zone-name command imports the DS keyset of the child zone. Note that the parent zone must be set up before the record is imported. The export dnssec-ds/dnssec-dnskey authoritative-zone-name command exports the DS keyset from the child zone to the parent zone. Note: Communication between the parent and child zones is performed out-ofband.
145 of 260

DNSSEC Templates
To configure DNSSEC on the AX device, templates are used to define information required by the security standard. The following information is required when configuring DNSSEC templates:
Combinations limits (on signatures)1 The parameter is used to spec-
ify the maximum number of combinations per Resource Record Set (RRset), where RRset is defined as all the records of a particular type for a particular domain, such as all the quad-A (IPv6) records for www.example.com. A static signature is included in the response to DNS queries. This static signature is generated in advance of future requests. For example, suppose there are five A type DNS resource records that correspond to a hypothetical domain name, www.example.net: 1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 A static signature is generated for all of the possible combinations, such as [1.1.1.1], [1.1.1.1 1.1.1.2], [1.1.1.1 1.1.1.2 1.1.1.3]... [1.1.1.5]. By setting the combinations-limit parameter, this places a limit on the number of combinations of resource records that could be returned, preventing an excessive burden on the system memory. Values for this combination limit range from 1-65535, with a default value of 31 possible combinations per resource record set.
DNSKEY Time to Live The dnskey-ttl parameter is used to set the
lifetime for DNSSEC key resource records. The TTL can range from 1864,000 seconds, with a default of 14,400 seconds (or 4 hours).
Key Signing Key The key signing key (KSK) is needed to establish
the chain of trust and is the private counterpart to the public zone signing key used to sign authentication keys for the zone. At least one KSK is needed to sign successfully, but no more than two KSKs can be configured. There is no default.
Return NSEC/NSEC3 This parameter is used to enable or disable the
return of an NSEC or NSEC3 record in response to a client request for an invalid domain. As originally designed, DNSSEC would expose the list of device names within a zone, allowing an attacker to gain a list of network devices that could be used to create a map of the network.
1.
For more details, please refer to RFC 4033, 4034, 4035 and 4641.
146 of 260

DNSSEC Support - Overview However, when NSEC/NSEC3 is used, the DNS server responds to invalid client requests by providing an NSEC/NSEC3 record, which contains an authenticated denial of existence for the invalid domain. NSEC records include the invalid name in the response to the client. It was found that this information could be used for zone walking or zone enumeration using dictionary attacks. To address this vulnerability, NSEC3 was introduced to thwart zone walking by including a hashed value of the invalid requested name in the response record. By default, the AX device returns an NSEC/NSEC3 record to client queries for invalid domain names. To disable the return of an NSEC/ NSEC3 record, use the no return-nsec-on-failure command.
Signature validity period The signature-validity-period parameter is
used to set the period for which a signature will remain valid. The time can range from 5-30 days, and the parameter has a default of 10 days.
Zone Signing Key The zone signing key (ZSK) is used to sign the
domain names zone. At least one ZSK is needed to sign successfully, but no more than two ZSKs can be configured. There is no default. The ZSK allows that you specify one of the following sub-options, which are used during the key rollover process: Active Selecting this option sets the status of the ZSK to active, and only the active ZSK can be used to sign the zone. The active option is enabled by default. Only one active ZSK is allowed per zone. Published This option is used to publish a newer ZSK just before deprecating the older key and activating the newer ZSK. This offers a way to push the newer key into the DNS infrastructure, but without activating it. The published ZSK can become active at the expiration of the DNSKEY TTL period. Deprecated This option is used to deprecate an older ZSK prior to activating a new ZSK. This must be done before the new key can become active. FIGURE 21 Life cycle of a ZSK
147 of 260

DNSSEC Support - Configuration
Configuration
To configure DNSSEC for GSLB: 1. Generate the DNS keys (or import them) to the AX device. 2. Configure the DNSSEC template. 3. Verify the DNSSEC template. 4. Apply the DNSSEC template to GSLB policy.
USING THE GUI

The current release does not support configuration of this feature using the GUI.
USING THE CLI

Configure the DNSSEC template Note: You must generate the keys before using them in a DNSSEC template. To configure the DNSSEC template, use the following command at the GSLB config level: dnssec template name Please refer to DNSSEC Templates on page 146 for details on configuring DNSSEC template sub-options. Verify DNSSEC template using show command After configuring a DNSSEC template, use the following command at the GSLB config level to display information for the configured template: show dnssec template name Apply the DNSSEC template to GSLB policy To apply the DNSSEC template and provide DNSSEC support for GSLB, and to enable DNSSEC within the zone policy, use the following command at the GSLB policy level: dns server authoritative sec
148 of 260

DNSSEC Support - Configuration Specify the DNSSEC template To specify the DNSSEC template, use the following command at the GSLB zone config level. If no template is specified, then the default template will be used. template dnssec template-name Import the DS Keyset from a Child Zone To import the DS keyset from the child zone to the parent zone, use the following command at the config level: import dnssec-ds child-zone-name Export the DS Keyset from a Child Zone To export the DNSKEY keyset from the child zone to the parent zone, use the following command at the config level: export dnssec-dnskey authoritative-zone-name Note: When using the CLI commands to import/export a DS/DNSKEY record to/from a parent/child zone, it is not necessary to list the AX devices internal file name for the resource record. Instead, you can simply include the name of the DNS zone from which you will be importing or exporting the file. Generate the DNSSEC Key To generate the DNSSEC keyset, use the following command at the config level: dnssec key-generate name algorithm [RSASHA1 | RSASHA256 | RSASHA512 | NSEC3RSASHA1] keysize num
Algorithm Specify which RSA SHA algorithm is used to generate
the DNSSEC key pair (ZSK and KSK). You can specify any of the following algorithms: RSASHA1 (default) RSASHA256 RSASHA512 NSEC3RSASHA1 Selecting one of the first three algorithms (RSASHA1, RSASHA256, or RSASHA512) will cause the standard NSEC resource record to be generated for the zone. However, selecting the fourth algorithm option (NSEC3RSASHA1) causes the NSEC3/NSEC3PARAM record to be generated for the zone, which is helpful in mitigating the threat posed by zone walking.
149 of 260

DNSSEC Support - Configuration Note: Different zones can use different DNSSEC templates and thus have different algorithms.
Keysize Specify the number of bits in the DNSSEC key, which can
range from 512-4096 bits. Values must be specified in multiples of 64 bits, and the default value is 1024 bits. Deleting the DNSSEC Key To remove a DNSSEC key from the AX device, use the following CLI command at the config level: no dnssec key-generate name Exporting the DNSSEC Key To export the DNSSEC key from the AX device, use the following CLI command at the config level: export dnssec-key filename Importing the DNSSEC Key To import the DNSSEC key to the AX device, use the following CLI command at the config level: import dnssec-key filename Note: The imported dnssec-key file is a compressed file with the .tar suffix. This tar file includes both the private and public keys, with the respective suffixes of .private and .key. When an example tar file with the name key01 is un-compressed, it includes the public key ("key01.key") and the private key ("key01.private"). Zone Signing Commands After the zone or DNSSEC template configuration is changed, the zone signing will automatically begin 30 seconds later. However, you can use the following command at the global config level to immediately trigger zonesigning: dnssec sign-zone-now name Specify the name for the DNS zone. Note that if a name is not specified, then all zones will be checked for configuration changes and signed (if any changes are found). Details:
DNSSEC Signature timeout All zones will be checked every two
days to guarantee that the dnssec-enabled zones have valid signatures. If the signature has timed-out, then this will cause the zone to be re-signed.
150 of 260

DNSSEC Support - Configuration Examples
Import the DNSSEC DS RR for the child zone Every time the DS
record of the child zone is imported, the parent of that child zone will be re-signed.
Configuration Examples
The following sections show DNSSEC configuration examples.
CLI Example #1
The following commands enable the DNSSEC option for GSLB, so that the AX device can handle DNSSEC queries while in DNS server mode.
AX(config)#gslb policy default AX(config-gslb policy)#dns server authoritative sec AX(config-gslb policy)#exit
Note: Note:
DNSSEC for GSLB is not supported in proxy mode for this release. The AX device supports the following standard DNS records: SOA, A, AAAA, ANY, CNAME, MX, NS, PTR and SRV. The AX device supports the following DNSSEC records: DNSKEY, NSEC, NSEC3, DS and RRSIG
CLI Example #2
When configuring GSLB on the AX device, the default DNSSEC template is used for each zone unless you specify another template. The commands below generate an encryption key called keygen1, using the NSEC3RSASHA1 encryption algorithm. Then, commands are used to create the DNSSEC template called dnssec1, which has a combinations-limit of 10 and uses the key just created. The template is applied to a zone called example.com:
AX(config)#dnssec key-generate keygen1 algorithm NSEC3RSASHA1 keysize 1024 AX(config)#dnssec template dnssec1 AX(config-dnssec)#combinations-limit 10 AX(config-dnssec)#ksk keygen1 AX(config-dnssec)#exit AX(config)#gslb zone example.com AX(config-gslb zone)#template dnssec dnssec1 AX(config-gslb zone)#exit
151 of 260

DNSSEC Support - Configuration Examples
CLI Example #3
The following command is used to display information for the DNSSEC template created above:
AX(config)#show dnssec template dnssec1 dnssec template dnssec1 ksk keygen1 combinations-limit 10
CLI Example #4
The following command imports the DS record from the delegated child zone (zone1.example.org) to the parent zone (example.org), for which the AX device is the authoritative DNS server:
AX(config)#import dnssec-ds zone1.example.org scp://[email protected]/root/ dsset-zone1.example.org Password []?****** Importing ... ...0 minutes 3 seconds Done.
152 of 260

CLI Command Reference - Main Configuration Commands
CLI Command Reference

This chapter lists the CLI commands for Global Server Load Balancing (GSLB). The commands are organized into the following sections:
Main Configuration Commands on page 153 Policy Configuration Commands on page 188 Show Commands on page 222 Clear Command on page 254
Main Configuration Commands

The commands in this section configure GSLB parameters. In some cases, the commands create a GSLB configuration item and change the CLI to the configuration level for that item.
gslb active-rdt
Description Syntax Configure global aRDT settings. [no] gslb active-rdt { domain domain-name | interval seconds | port portnum | retry num | sleep seconds | timeout ms | track seconds } Parameter domain domain-name Description Specifies the query domain. To measure the active-Round Delay Time (aRDT) for a client, the site AX device sends queries for the domain name to a clients local DNS. An aRDT sample consists of the time between when the site AX device sends a query and when it receives the response.
153 of 260

CLI Command Reference - Main Configuration Commands Only one aRDT domain can be configured. It is recommended to use a domain name that is likely to be in the cache of each clients local DNS. The AX device averages multiple aRDT samples together to calculate the aRDT measurement for a client. (See the description of track below.) interval seconds port portnum Specifies the number of seconds between queries. You can specify 1-16383 seconds. Specifies the port. You can specify ports 1-65535. (For more information, please contact A10 Networks.) Specifies the number of times GSLB will resend a query if there is no response. You can specify 0-16. Specifies the number of seconds GSLB stops tracking aRDT data for a client after a query fails. You can specify 1-300 seconds. Specifies the number of milliseconds GSLB will wait for a reply before resending a query. You can specify 1-16383 ms. Specifies the number of seconds during which the AX device collects samples for a client. The samples collected during the track time are averaged together, and the averaged value is used as the aRDT measurement for the client. You can specify 3-16383 seconds. The averaged aRDT measurement is used until it ages out. The aging time for averaged aRDT measurements is 10 minutes by default and is configurable on individual sites, using the active-rdt aging-time command. Default This command has the following default settings:
domain google.com interval 1 second port Please contact A10 Networks for information. retry 3 sleep 3 seconds
retry num
sleep seconds
timeout ms
track seconds
154 of 260

timeout 3000 ms track 60 seconds
Mode
Global configuration mode
gslb dns action

Description Syntax Globally drop or reject DNS queries from the local DNS server. [no] gslb dns action {drop | reject} Parameter drop reject Description Drops DNS queries that do not match any zone service. Rejects DNS queries that do not match any zone service, and returns the Refused message in replies.
Default Mode
Not set Global configuration mode
gslb dns logging

Description Globally set DNS logging parameters. When this option is enabled, the GSLB DNS log messages appear in the AX log. [no] gslb dns logging { both | query | response | none | } Parameter both query response none Default Disabled Description Specifies that both query and response messages are logged. Specifies that query messages are logged. Specifies that response messages are logged. Logs nothing.
Syntax
155 of 260

CLI Command Reference - Main Configuration Commands Mode Global configuration mode
gslb geo-location
Description Configure a global geographic location by assigning a location name to a client IP address range. GSLB forwards client requests from addresses within the specified IP address range to the GSLB site that serves the location. [no] gslb geo-location location-name [start-ip-addr {mask ip-mask | end-ip-addr}] no gslb geo-location all Parameter location-name Description Name of the location. Use a period between each string label (range). Each range can contain up to 15 alphanumeric characters. The entire name can contain up to 127 alphanumeric characters. Example: Asia.japan.123456789.xyz The AX device can perform a partial match for a geo-location. For example, if IP 1.1.1.1 belongs to Asia.japan, but only Asia is configured, the AX device still knows which site to select. start-ip-addr mask ip-mask end-ip-addr all Beginning IP address for the range. Network mask. Ending IP address for the range. Removes all manually configured geo-locations from the configuration. The all option is valid only with the no form of the command shown above.
Syntax
If you enter the gslb geo-location location-name command without any additional options, the CLI changes to the configuration level for the geo-location, where you can assign multiple IP address ranges to it. Use the following command for each range: [no] ip start-ip-addr {mask ip-mask | end-ip-addr} Default Mode N/A Global configuration mode
156 of 260

CLI Command Reference - Main Configuration Commands Usage Geographic location also can be configured in a GSLB policy. In this case, the policy specifies whether to use the globally configured geographic location or the location configured in the policy. (See geo-location on page 209 and geo-location match-first on page 209.) You can use manually configured geo-location mappings or load a database of mappings. To load a geo-location databases, see gslb geo-location load on page 158.
If you manually map a geo-location to an GSLB site, GSLB uses the
mapping.
If no geo-location is configured for a GSLB site, GSLB automatically
maps the service-ip to a geo-location in the loaded geo-location database.

If a service-ip cannot be mapped to a geo-location, GSLB maps the site
AX device to a geo-location. Example The following example configures geographic location US.CA.SanJose for IP address range 100.1.1.1 through 100.1.1.125:
AX(config)#gslb geo-location US.CA.SanJose 100.1.1.1 100.1.1.125
gslb geo-location delete

Description Syntax Delete or replace a custom geo-location database from the AX device. gslb geo-location delete {all | file-name} Parameter all Description Deletes all manually configured geo-locations from the configuration.
Default Usage
N/A This command is available only if you have already imported a geo-location database file. This command can replace a loaded geo-location database file but does not unload one without replacing it. To unload a geo-location database file without replacing it, see gslb geo-location load on page 158. Global configuration mode
Mode
157 of 260

gslb geo-location load

Description Load a geo-location database into GSLB. Loading a pre-configured geolocation database provides a convenient alternative to manually configuring each geo-location separately. [no] gslb geo-location load {iana | file-name csv-template-name} no gslb geo-location load all Parameter iana Description Loads the Internet Assigned Numbers Authority (IANA) database. The IANA database contains the geographic locations of the IP address ranges and subnets assigned by the IANA. The IANA database is included in the AX system software. However, it is unloaded (not used) by default.
Syntax
file-name csv-templatename
Loads a custom database. You can load a custom geo-location database from a file in comma-separated-values (CSV) format. This option requires configuration of a CSV template on the AX device. When you load the CSV file, the data is formatted based on the template. (To configure a CSV template, see gslb template csv on page 175.)
Note:
The file-name option is available only if you have already imported a geolocation database file. To display a list of filenames, enter the following: gslb geo-location load ? all Unloads all geo-location database files, including the default database (IANA). The all option is valid only with the no form of the command shown above.
Default Mode Usage
The IANA geo-location database is loaded by default. Global configuration mode You can load more than one geo-location database. When you load a new database, if the same IP address or IP address range already exists in a previously loaded database, the address or range is overwritten by the new database. Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
158 of 260

CLI Command Reference - Main Configuration Commands Example The following command loads the IANA database:
AX(config)#gslb geo-location load iana
Example
The following command loads geo-location data from a CSV file:
AX(config)#gslb geo-location load test1.csv test1-tmplte
gslb group
Description Configure GSLB group settings. GSLB controllers within a GSLB group automatically synchronize GSLB configuration information and data. [no] gslb group default The command changes the CLI to the configuration level for the group, where the following group-related commands are available: (The other commands are common to all CLI configuration levels. See the AX Series CLI Reference.) Command [no] configanywhere Description Allows GSLB to be configured on any group member, without restricting the changes to the master controller. If this option is used and the current GSLB controller has the highest priority of all group members, then this current controller will attempt to retrieve the config file from the master GSLB controller before assuming control. Enables automatic configuration save on this GSLB group member when the configuration is saved on the group master. Discover member via DNS protocol. When this option is used, you do not need to configure a primary IP address, because GSLB will send a DNS query (based on the group name) to discover other group members. For example, if group name is group.a10.com then GSLB will send the DNS discover query with domain name group.a10.com. Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
Syntax
[no] configmerge
[no] config-save
[no] dnsdiscover
159 of 260

CLI Command Reference - Main Configuration Commands [no] enable [no] inherit [no] learn Activates the AX devices membership in the GSLB controller group. Inherit main GSLB configuration. Enables the AX device to learn the IP addresses of other group members from the groups primary controllers. Specifies the IP address of another group member, to be a primary member. After the GSLB process starts on an AX device, the device joins the controller group by connecting to the primary group members to exchange group management traffic. You can specify up to 15 primary members. Enter the command separately for each member. [no] priority num Specifies the priority of the AX device to become the master for the group. You can specify 1-255.
[no] primary ipaddr
[no] standalone Run GSLB Group in standalone mode. [no] suffix name This option allows you to configure the DNS suffix that will be used for dns-discovery. You can specify the suffix (or name) that GSLB will append to the domain name when sending the dns-discover query. For example, if the group name is group and the suffix is a10.com, then the concatenated strings are sent in the DNS discovery query as group.a10.com.
Default
The group parameters have the following default values:

config-anywhere disabled config-merge disabled config-save disabled dns-discover disabled enable disabled inherit disabled learn enabled primary not set
160 of 260

priority 100 standalone disabled suffix not set
Mode
gslb ip-list
Description Configure a list of IP addresses and group IDs to use as input to other GSLB commands. [no] gslb ip-list list-name no gslb ip-list all The command changes the CLI to the configuration level for the list, where the following IP-list-related commands are available: (The other commands are common to all CLI configuration levels. See the AX Series CLI Reference.) Command [no] ip ipaddr [subnet-mask | /mask-length] id group-id Description
Syntax
Creates an IP entry in the list. Based on the subnet mask or mask length, the entry can be a host address or a subnet address. The id option adds the entry to a group. The group-id can be 0-31. Removes all manually configured IP addresses from the IP list. Loads the entries from a black/white list into the IP list. For information on configuring a black/ white list, see the Policy-Based SLB (PBSLB) section in the Traffic Security Features chapter of the AX Series System Configuration and Administration Guide. Removes all GSLB IP lists from the configuration. The all option is valid only with the no form of the command shown above.
no ip all [no] load bwlist-name
all
Default
None
161 of 260

CLI Command Reference - Main Configuration Commands Mode Usage Global configuration mode You can configure an IP list in either of the following ways:
Use a text editor on a PC or use the AX GUI to configure a black/white
list, then load the entries from the black/white list into an IP list.
Use this command to configure individual IP list entries.
Example
The following commands configure a GSLB IP list and use the list to exclude IP addresses from aRDT data collection:
AX(config)#gslb ip-list iplist1 AX(config-gslb ip-list)#ip 192.168.1.0 /24 id 3 AX(config-gslb ip-list)#ip 10.10.10.10 /32 id 3 AX(config-gslb ip-list)#ip 10.10.10.20 /32 id 3 AX(config-gslb ip-list)#ip 10.10.10.30 /32 id 3 AX(config-gslb ip-list)#exit AX(config)#gslb policy pol1 AX(config-gslb policy)#ip-list iplist1 AX(config-gslb policy)#active-rdt ignore-id 3
gslb ping
Description Syntax Test GSLB connectivity from the GSLB AX device to a site AX device. ping {site-name | ipaddr} site-name | ipaddr GSLB site name or the IP address of the site AX device. Description GSLB site name of the site AX device. The IP address of the site AX device.
Command site-name ipaddr Mode
162 of 260

gslb policy
Description Syntax Configure a GSLB policy. [no] gslb policy {default | policy-name} no gslb policy all Parameter default policy-name all Description The default GSLB policy included in the software. Name of the policy, up to 63 alphanumeric characters. Removes all GSLB policies from the configuration. The all option is valid only with the no form of the command shown above.
This command changes the CLI to the configuration level for the specified GSLB policy. For information about the commands available at the GSLB policy level, see Policy Configuration Commands on page 188. Default Mode Example N/A Global configuration mode The following example creates a GSLB policy called gslb-policy2:
AX(config)#gslb policy gslb-policy2 AX(config gslb-policy)#
gslb protocol
Description Syntax Enable the GSLB protocol or set protocol options. [no] gslb protocol { enable {controller | device} | status-interval seconds | use-mgmt-port } Note: For the limit options, see gslb protocol limit on page 165.
163 of 260

CLI Command Reference - Main Configuration Commands Parameter enable {controller | device} Description
Enables the GSLB protocol: controller Use this option on the AX device on which GSLB is configured. device Use this option on the AX devices that are SLB devices at the GSLB sites.
status-interval seconds Changes the number of seconds between GSLB status messages. You can specify 1-300 seconds. use-mgmt-port Use the management route table instead of the data route table.
Default
The GSLB protocol options have the following defaults:

enable Disabled. status-interval 30 seconds use-mgmt-port disabled
Mode Usage
Global configuration mode The A10 Networks GSLB protocol uses port 4149. The protocol is registered on this port for both TCP and UDP. AX devices use the GSLB protocol for GSLB management traffic. The protocol must be enabled on the GSLB controller, and it is recommended (but not required) that you enable the protocol on the site AX devices. The following GSLB policy metrics require the protocol to be enabled on both the site AX devices as well as the GSLB controller:
Session-Capacity aRDT Connection-Load Num-Session
The GSLB protocol is also required for the Health-Check metric, if the default health checks are used. If you modify the health checks, the GSLB protocol is not required.
164 of 260

CLI Command Reference - Main Configuration Commands Example The following command enables the GSLB protocol on a GSLB AX Series device:
AX(config)#gslb protocol enable controller
Example
The following command enables the GSLB protocol on a site AX Series device:
AX(config)#gslb protocol enable device
gslb protocol limit

Description Syntax Change aRDT message limits. [no] gslb protocol limit { ardt-query num-msgs | ardt-response num-msgs | ardt-session num-sessions | conn-response num-msgs | response num-msgs | message num-msgs } Parameter ardt-query ardt-response ardt-session conn-response response message Default Description Limits the number of aRDT Query messages. Limits the number of aRDT Response Messages. Limits the number of aRDT sessions. Limits the number Connection Load Response Messages. Limits the number of Response Messages. Limits the number of messages.
The GSLB protocol limit options have the following defaults:

ardt-query 200 messages ardt-response 1000 response messages ardt-session 32768 sessions conn-response no limit
165 of 260

response 3600 messages message 10000 messages
Mode
gslb service-ip
Description Configure a service IP, which can be a virtual servers or real servers IP address. [no] gslb service-ip service-name [ipaddr] no gslb service-ip all Parameter service-name ipaddr Description Name of the service, up to 63 alphanumeric characters. IP address of the virtual server or real server. You can specify an IPv4 or IPv6 address. (If you are changing the configuration of a GSLB service that is already configured, this parameter is not required.) all Removes all GSLB service IPs from the configuration. The all option is valid only with the no form of the command shown above.
Syntax
This command changes the CLI to the configuration level for the specified service, where the following GSLB-related commands are available: Command disable enable [no] external-ip ipaddr Description Disables GSLB for the service IP address. Enables GSLB for the service IP address. Assigns an external IP address to the service IP. The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network. Configures monitoring of the service IP address. If you enter the command without any options,
[no] healthcheck [option]
166 of 260

CLI Command Reference - Main Configuration Commands the default Layer 3 health monitor (ICMP ping) is used. monitor-name The service is checked using the specified Layer 3, 4 or 7 health monitor. follow-port portnum The health of the service port is based on the health of another port. Specify the other port number. protocol Enables or disables use of the GSLB protocol for health checking of the service. By default, the protocol option is enabled. If the GSLB protocol is enabled and can reach the service, health checking is performed over the GSLB protocol. Otherwise, health checking is performed using standard network traffic instead. [no] ipv6 ipv6-addr Maps the specified IPv6 address to an IPv4 service IP. This option also requires IPv6 DNS AAAA support to be enabled in the GSLB policy. (See the ipv6-mapping option in dns on page 197.) Adds a service port to the service IP address. The command also changes the CLI to the configuration level for the specified service port, where the following service port-related commands are available: disable Disables GSLB for the service port on this service IP address. enable Enables GSLB for the service port on this service IP address. [no] health-check [monitor-name] Enables or disables health monitoring for the service port. If you do not specify a health monitor, the default health monitor is used. (See Usage below.) Default No services are configured by default. When you configure a service, the service is enabled by default, and the default port is 80. The default health monitor for a service is the default Layer 3 health monitor (ICMP ping). The default health monitor for a service port is the default TCP or UDP monitor, depending on the transport protocol. (For more on health checking, see Usage below.)
[no] port num
{tcp | udp}
167 of 260

CLI Command Reference - Main Configuration Commands Mode Usage Global configuration mode If you leave the health monitor for a service left at its default setting (the default ICMP ping health check), the health checks are performed within the GSLB protocol. If you use a custom health monitor, or you explicitly apply the default Layer 3 health monitor to the service, the GSLB protocol is not used for any of the health checks. If you use a custom health monitor for a service port, the port number specified in the service configuration is used instead of the port number specified in the health monitor configuration. The following policy metric options are not supported for IPv6 service IPs:
active-rdt ip-list dns external-ip dns ipv6 mapping geo-location
Example
The following example creates a GSLB service IP address named gslbsrvc2 with IP address 192.160.20.99:
AX(config)#gslb service-ip gslb-srvc2 192.168.20.99 AX(config-gslb service-ip)#
gslb site
Description Syntax Configure a GSLB site. [no] gslb site site-name no gslb site all Parameter site-name all Description Name for the site, up to 63 alphanumeric characters. Removes all GSLB sites from the configuration. The all option is valid only with the no form of the command shown above.
168 of 260

CLI Command Reference - Main Configuration Commands This command changes the CLI to the configuration level for the specified site, where the following site-related commands are available: Command [no] active-rdt option Description Configures options for the aRDT metric: aging-time minutes Specifies the maximum amount of time a stored aRDT result can be used. You can specify 1-15360 minutes. The default is 10 minutes. bind-geoloc Stores the aRDT measurements on a per geo-location basis. Without this option, the measurements are stored on a per siteSLB device basis. ignore-count num Specifies the ignore count if aRDT is out of range. You can specify 115. The default is 5. limit num Specifies the maximum aRDT allowed for the site. If the aRDT measurement for a site exceeds the configured limit, GSLB does not eliminate the site. Instead, GSLB moves to the next metric in the policy. You can specify 0-16383 milliseconds (ms). The default is 16383. mask {/mask-length | mask-ipaddr} Specifies the IPv4 client subnet mask length. The default mask length is 32. range-factor num Specifies the maximum percentage a new aRDT measurement can differ from the previous measurement. If the new measurement differs from the previous measurement by more than the allowed percentage, the new measurement is discarded and the previous measurement is used again. For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75% to 125% of the previous value can be used. A measurement that is less than 75% or more than 125% of the previous measurement can not be used. You can specify 1-1000. The default is 25. smooth-factor num Blends the new measurement with the previous one, to smoothen the measurements. Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
169 of 260

CLI Command Reference - Main Configuration Commands For example, if the smooth-factor is set to 10 (the default), 10% of the new measurement is used, along with 90% of the previous measurement. Similarly, if the smooth-factor is set to 50, 50% of the new measurement is used, along with 50% of the previous measurement. You can specify 1-100. The default is 10. (For information about the aRDT metric, see active-rdt on page 188.) [no] auto-map [no] bw-cost options Enables auto-mapping feature at the site level. Configures options for the BW-Cost metric: limit num Specifies the maximum amount the SNMP object queried by the GSLB AX device can increase since the previous query, in order for the site to remain eligible for selection. You can specify 0-2147483647. There is no default. If a site becomes ineligible due to being over the limit, the percentage parameter is used. In order to become eligible for selection again, the sites limit value must not exceed limit*threshold-percentage. You can specify 0-100. There is no default. threshold percentage For a site to regain eligibility when BW-Cost is being compared, the SNMP objects value must be below the threshold-percentage of the limit value. For example, if the limit value is 80,000 and the threshold is 90 percent, then the limit value must be 72,000 or less, in order for the site to become eligible again based. Once a site again becomes eligible, the SNMP objects value is again allowed to increase up to the bandwidth limit (80,000 in this example). (For information about the BW-Cost metric, see bw-cost on page 193.) [no] disable Disables all servers in the GSLB site.
170 of 260

CLI Command Reference - Main Configuration Commands [no] geolocation location-name
Associates this site with a specific geographic location. (To configure a location, use the gslb geo-location command.) Associates a real server with this site. Note: Generally, virtual servers rather than real servers are associated with a site. To associate a virtual server with a site, use the vip-server option of the slb-dev command.
[no] ip-server service-ip
no ip-server all [no] slb-dev device-name ip-addr
Removes all real servers from the site.
Specifies the device that provides SLB for the site. The IP address must be reachable by the GSLB AX Series when the GSLB protocol is enabled. This command changes the CLI to the configuration level for the SLB device. At this CLI level, the following optional GSLB-related commands are available: [no] admin-preference num Assigns a preference value to the SLB device. If the Admin-Preference metric is enabled in the policy and all metrics before this one result in a tie, the SLB device with the highest Admin-Preference value is preferred. You can specify from 0 255. The default is 100. [no] auto-detect [ip | port] Enables DNS auto mapping at the service IP level or the port level. [no] auto-map Enables auto mapping for this site. [no] gateway ipaddr Specifies the gateway the SLB device will use to reach the GSLB local DNS for collecting aRDT measurements. [no] gateway health-check Enables gateway health checking. A gateway health check is a Layer 3 health check (ping) sent to the gateway router for an SLB site. This option is enabled by default.
171 of 260

CLI Command Reference - Main Configuration Commands [no] max-client num Specifies the maximum number of clients for which the GSLB AX device (controller) saves data such as aRDT measurements for each of the clients. You can specify 1-2147483647. The default is 32768. [no] proto-aging-fast This option enables a quick refresh of data sent from a site AX device to the AX controller by aging out data from a site AX device. This can be useful to obtain fresh health status information from a site AX. For example, if a virtual server has been deleted from a site-AX device, but this information could not be sent to the AX controller, then the status in the controller will continue to appear as "UP" for a long time until it is aged out. The "proto-aging-fast" command forces the GSLB controller to start aging the health status immediately after receiving updated information from a site AX. [no] proto-aging-time seconds If communication between a site AX device and the GSLB controller is interrupted, then the data for that site will become stale. The GSLB controller can continue to rely upon this old information, but after some time, the old data for the site must be purged. The lifespan of this old data is the sum of the time set using the gslb protocol status-interval command, plus the time you set using this proto-aging-time option. The default value is 60 seconds. [no] proto-compatible Enables GSLB protocol compatibility between a controller running 2.6.1 or later and a site AX device running 2.4.x. This option is disabled by default. [no] vip-server {name | ip ipaddr} Maps this SLB site to a globally configured GSLB service IP address. If you use the name option, the name must be the name of a configured service IP. (To configure the service IP, use the gslb service-ip command. See gslb serviceip on page 166.) no vip-server all Removes all VIP mappings (configured by the vip-server command) from the SLB device.
172 of 260

CLI Command Reference - Main Configuration Commands no slb-dev all [no] template template-name Removes all SLB devices from the site. Binds a template to the site. To use the BW-Cost metric, use this option to bind a GSLB SNMP template to the site.
[no] weight num Assigns a weight to the site. If the Weighted-Site metric is enabled in the policy and all metrics before Weighted-Site result in a tie, the site with the highest weight is preferred. The weight can be from 1 100. The default is 1. Default Mode Example See above. Global configuration mode The following example creates a site named NY-site and adds SLB AX Series site-ax-1 with IP address 10.10.10.10 to the site:
AX(config)#gslb site NY-site AX(config gslb-site)#slb-dev site-ax-1 10.10.10.10
gslb system auto-map module

Description Syntax Enable auto-mapping of IP address to resource name. [no] gslb system auto-map module {all | slb-server | slb-virtual-server | slb-device | gslb-service-ip | gslb-site | gslb-group | hostname} Disabled Global configuration mode See Auto-mapping on page 73.
Default Mode Usage
gslb system auto-map ttl

Description Configure the TTL for DNS A or AAAA records created by the auto-mapping feature. [no] gslb system auto-map ttl seconds
Syntax
173 of 260

CLI Command Reference - Main Configuration Commands Parameter seconds Description Maximum number of seconds for which an A or AAAA record created by auto-mapping is valid. You can specify 1-65535 seconds.
Default
300
gslb system ip-ttl

Description Syntax Change the IP Time-to-Live (TTL) in DNS replies to clients. [no] gslb system ip-ttl num Parameter num Default Mode Usage 255 Global configuration mode This option applies only to DNS server mode. The option does not apply to DNS proxy mode. The TTL value is used in all replies, regardless of the clients original TTL. Description TTL, 1-255.
gslb system prompt

Description Disable or re-enable display of the confirmation prompt for gslb system reset and no gslb [option] all commands. [no] gslb system prompt The prompt is enabled. Global configuration mode
Syntax Default Mode
174 of 260

gslb system reset

Description Syntax Default Mode Usage Reset the entire GSLB configuration. gslb system reset N/A Global configuration mode This command unloads all geo-location files, and reloads the default iana file. This command does not remove the GSLB configuration. If you want to entirely remove the GSLB configuration, see no gslb all on page 187.
gslb system wait

Description Syntax Delay startup of GSLB following startup of the AX device. [no] gslb system wait seconds Parameter seconds Default Mode 0 seconds (no delay) Global configuration mode Description Length of the delay, 0-16384 seconds.
gslb template csv

Description Configure a template for extracting geo-location data from an imported CSV file. [no] gslb template csv template-name no gslb template csv all
Syntax
175 of 260

CLI Command Reference - Main Configuration Commands Parameter template-name all Description Name of the template, 1-63 characters. Removes all CSV templates from the configuration. The all option is valid only with the no form of the command shown above.
Note:
To remove all CSV templates and SNMP templates, use the following command: no gslb template all This command changes the CLI to the configuration level for the specified template, where the following commands are available. (The other commands are common to all CLI configuration levels. See the AX Series CLI Reference.) Command [no] delimiter {character | ASCII-code} Description
Specifies the character used in the file to delimit fields. You can type the character or enter its decimal ASCII code (0-255). The num option specifies the field position within the CSV file. You can specify from 1-64. The following options specify the type of geolocation that is located in the field position: ip-from Specifies the beginning IP address in the range or subnet. ip-to-mask Specifies the ending IP address in the range, or the subnet mask. continent Specifies the continent where the IP address range or subnet is located. country Specifies the country where the IP address range or subnet is located. state Specifies the state where the IP address range or subnet is located. city Specifies the city where the IP address range or subnet is located.
[no] field num type-of-data
Default
There is no default CSV template. When you configure one, the field locations are not set. The default delimiter character is a comma ( , ).
176 of 260

CLI Command Reference - Main Configuration Commands Mode Usage Global configuration mode To load a geo-location data file and use the CSV template to extract the data, see gslb geo-location load on page 158. The following commands configure a CSV template called test1-tmplte:
Example
AX(config)#gslb template csv test1-tmplte AX(config-gslb template csv)#field 1 ip-from AX(config-gslb template csv)#field 2 ip-to-mask AX(config-gslb template csv)#field 5 continent AX(config-gslb template csv)#field 3 country
gslb template snmp

Description Syntax Configure an SNMP template to query data for use by the BW-Cost metric. [no] gslb template snmp template-name no gslb template snmp all Parameter template-name all Description Name of the template, 1-63 characters. Removes all SNMP templates from the configuration. The all option is valid only with the no form of the command shown above.
Note:
To remove all CSV templates and SNMP templates, use the following command: no gslb template all This command changes the CLI to the configuration level for the specified template, where the following commands are available. (The other commands are common to all CLI configuration levels. See the AX Series CLI Reference.) Command [no] auth-key string Description Specifies the authentication key. The key string can be 1-127 characters long. This command is applicable if the security level is auth-no-priv or auth-priv.
177 of 260

CLI Command Reference - Main Configuration Commands [no] auth-proto {sha | md5} Specifies the authentication protocol. This command is applicable if the security level is authno-priv or auth-priv.
[no] community communitystring [no] contextengine-id id [no] contextname id
For SNMPv1 or v2c, specifies the community string required for authentication. Specifies the ID of the SNMPv3 protocol engine running on the site AX device. Specifies an SNMPv3 collection of management information objects accessible by an SNMP entity. Specifies the IP address of the site AX device. Specifies the SNMP interface ID. Specifies the amount of time between each SNMP GET to the site AX devices. You can specify 1-999 seconds. The default is 3. Specifies the interface MIB object to query on the site AX device.
[no] host ipaddr [no] interface id [no] interval seconds
[no] oid oid-value
Note:
If the object is part of a table, make sure to append the table index to the end of the OID. Otherwise, the AX device will return an error. [no] port portnum Specifies the protocol port on which the site AX devices listen for the SNMP requests from the GSLB AX device. You can specify 1-65535. The default is 161. Specifies the encryption key. The key string can be 1-127 characters long. This command is applicable only if the security level is auth-priv. Specifies the privacy protocol used for encryption. This command is applicable only if the security level is auth-priv.
[no] priv-key string
[no] priv-proto {aes | des}
178 of 260

CLI Command Reference - Main Configuration Commands [no] securityengine-id id Specifies the ID of the SNMPv3 security engine running on the site AX device. For each command, the ID is a string 1-127 characters long.
[no] securitylevel {no-auth | auth-no-priv | auth-priv}
Specifies the SNMPv3 security level: no-auth Authentication is not used and encryption (privacy) is not used. This is the default. auth-no-priv Authentication is used but encryption is not used. auth-priv Both authentication and encryption are used.
[no] username name [no] version {v1 | v2c | v3}
Specifies the SNMPv3 username required for access to the SNMP agent on the site AX device. Specifies the SNMP version running on the site AX device.
Default Mode Usage
See above. Global configuration mode The community command applies only to SNMPv1 or v2c. Most of the other commands, with the exception of the version, interval, port, and interface commands, apply to SNMPv3. You can not delete an SNMP template if the template is in use by a site. To delete a template, first remove it from all site configurations that are using it.
Example
The following commands configure a GSLB SNMP template for SNMPv2c:
AX(config)#gslb template snmp snmp-1 AX(config-gslb template snmp)#version v2c AX(config-gslb template snmp)#host 192.168.214.124 AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12 AX(config-gslb template snmp)#community public AX(config-gslb template snmp)#exit
179 of 260

CLI Command Reference - Main Configuration Commands Example The following commands configure a GSLB SNMP template for SNMPv3. In this example, authentication and encryption are both used.
AX(config)#gslb template snmp snmp-2 AX(config-gslb template snmp)#security-level auth-priv AX(config-gslb template snmp)#host 192.168.214.124 AX(config-gslb template snmp)#username read AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12 AX(config-gslb template snmp)#priv-proto des AX(config-gslb template snmp)#auth-key 12345678 AX(config-gslb template snmp)#priv-key 12345678
gslb zone
Description Configure a GSLB zone, which identifies the top-level name for the services load balanced by GSLB. [no] gslb zone zone-name no gslb zone all Note: DNSSEC is not supported for GSLB wildcard zones. Parameter zone-name Description Name of the zone, up to 127 alphanumeric characters, or * (wildcard character matching on all zone names). You can use lower case characters and upper case characters. However, since Internet domain names are case-insensitive, the AX device internally converts all upper case characters in GSLB zone names to lower case. all Removes all GSLB zones from the configuration. The all option is valid only with the no form of the command shown above.
Syntax
This command changes the CLI to the configuration level for the specified zone, where the following zone-related commands are available:
180 of 260

CLI Command Reference - Main Configuration Commands Command [no] disable [no] dns-mxrecord name priority Description Disables all services in the GSLB zone.
Configures a DNS Mail Exchange (MX) record for the zone. The name is the fully-qualified domain name of the mail server for the zone. If more than one MX record is configured for the same zone, the priority specifies the order in which the mail server should attempt to deliver mail to the MX hosts. The MX with the lowest priority value has the highest priority and is tried first. The priority can be 0-65535. There is no default. MX records configured on a zone are used only for services on which MX records are not configured.
Note:
If you want the GSLB AX device to return the IP address of the mail service in response to MX requests, you must configure Address records for the mail service. [no] dns-nsrecord domain-name
Configures a DNS name server record for the specified domain.
[no] dns-soarecord [external] dns-server-name mailbox-name [expire seconds] [refresh seconds] [retry seconds] [serial num] [ttl seconds] Configures a DNS start of authority (SOA) record for the GSLB zone. The external option causes the AX device to replace the internal SOA record with an external SOA record when a request is received from an external client. This prevents external clients from gaining access to internal information. The feature must also be enabled in the GSLB policy. Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
181 of 260

CLI Command Reference - Main Configuration Commands The refresh option specifies the number of seconds other DNS servers wait before requesting updated information for the GSLB zone. The retry option specifies how many seconds other DNS servers wait before resending a refresh request, if GSLB does not respond to the previous request. The expire option specifies how many seconds GSLB can remain unresponsive to a refresh request before the other DNS server drops responding to queries for the zone. The serial option specifies the initial serial number of the SOA record. This number is automatically incremented each time a change occurs to any records in the zone file. You can specify a serial number from 0-2147483647. The default is based on the current system time on the GSLB AX device when you create the SOA record. The ttl option specifies the number of seconds GSLB will cache and reuse negative replies (NXDOMAIN messages). A negative reply is an error message indicating that a requested domain does not exist. Note: The ttl option is equivalent to the minimum option in BIND 9. [no] policy policy-name Applies the specified GSLB policy to the zone. You can specify default for the GSLB policy name, if you have not configured another policy and applied it to the zone. The GSLB policy applied to the zone is also applied to the services in that zone.
[no] service port [service-name]
Adds a service to the zone. The port option specifies the service port and can be a well-known name recognized by the CLI or a port number from 1 to 65535. The service-name can be 1-31 alphanumeric characters or * (wildcard character matching on all service names). For the same reason described for zone names, the AX device converts all upper case characters in GSLB service names to lower case. This command changes the CLI to the configuration level for the service, where the following GSLB-related commands are available:
182 of 260

CLI Command Reference - Main Configuration Commands action action-type Specifies the action to perform for DNS traffic: drop Drops DNS queries from the local DNS server. reject Rejects DNS queries from the local DNS server and returns the Refused message in replies. forward {both | query | response} Forwards requests or queries, as follows: forward both Forwards queries to the Authoritative DNS server, and forwards responses to the local DNS server. forward query Forwards queries to the Authoritative DNS server, but does not forward responses to the local DNS server. forward response Forwards responses to the local DNS server, but does not forward queries to the Authoritative DNS server. Note: Use of the actions configured for services also must be enabled in the GSLB policy, using the dns action command at the configuration level for the policy. See dns on page 197. disable Disables all services in the GSLB zone. dns-a-record {service-name | ip service-ipaddr} {as-backup | as-replace | no-resp | static | ttl num | weight num} Configures a DNS Address (A) record for the service, for use with the DNS replace-ip option in the GSLB policy. (See dns on page 197.) as-backup This option is used to specify the backup servers in the dns-a-record within the GSLB zone. These are the servers that will be returned to the client if the primary servers fail and backup server mode is enabled. as-replace This option is used with the ip-replace option in the policy. When both options are set (as-replace here and ipPerformance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
183 of 260

CLI Command Reference - Main Configuration Commands replace in the policy), the client receives only the IP address set here by service-ip. no-resp Prevents the IP address for this site from being included in DNS replies to clients. static This option is used with the dns server option in the policy. When both options are set (static here and dns server in the policy), the GSLB AX device acts as the DNS server for the IP address set here by service-ip. ttl num Assigns a TTL to the service, 0-2147483647. By default, the TTL of the zone is used. This option can be used with the dns server option in the policy, or with DNS proxy mode enabled in the policy. weight num Assigns a weight to the service. If the Weighted-IP metric is enabled in the policy and all metrics before WeightedIP result in a tie, the service on the site with the highest weight is selected. The weight can be 1-100. By default, the weight is not set. Note: The no-resp option is not valid with the static or as-replace option. If you use no-resp, you cannot use static or as-replace. dns-cname-record alias [alias ...] [as-backup] [admin-preference num] [weight num] Configures DNS Canonical Name (CNAME) records for the service. as-backup Specifies that the record is a backup record. admin-preference num Default is 100. Please contact A10 Networks for information. weight num Please contact A10 Networks for information. dns-mx-record name priority Configures a DNS Mail Exchange (MX) record for the service. The name is the fully-qualified domain name of the mail server for the service.
184 of 260

CLI Command Reference - Main Configuration Commands If more than MX record is configured for the same service, the priority specifies the order in which the mail server should attempt to deliver mail to the MX hosts. The MX record with the lowest priority number has the highest priority and is tried first. The priority can be 0-65535. There is no default. Note: If you want the GSLB AX device to return the IP address of the mail service in response to MX requests, you must configure A records for the mail service. dns-ns-record domain-name [as-backup] Configures a DNS name server record. The as-backup option specifies that the record is a backup record. To use the asbackup option, you also must use the dns backup-alias command in the policy. (See dns on page 197.) dns-ptr-record domain-name Configures a DNS pointer record. dns-srv-record domain-name priority [port portnum] [weight num] Configures a DNS service record. The priority can be 0-65535. There is no default. The port portnum specifies the protocol port to return to the client, and can be 0-65534. There is no default. If you do not specify the port, GSLB finds the port for the SRV record and sends it to the client. If you do specify the port, GSLB sends the specified port to the client. The weight num specifies the weight and can be 0-65535. The default is 10. dns-txt-record aaaa bbbb cccc Enables use of DNS TXT resource records to carry multiple pieces of DNS TXT data within one TXT record. Note: The AX device has a special handler that enables you to enter non-printable characters that the CLI does not support. For details, please contact A10 Support.
185 of 260

CLI Command Reference - Main Configuration Commands Note: This option also requires the dns server txt command at the configuration level for the GSLB policy. geo-location location-name [...] {action action | alias url | policy policy-name} Configures geolocation settings. The location must already be configured. (See gslb geo-location on page 156.) action action Specifies the action to perform for DNS traffic. The action options are the same as those for the action command described above. alias url Maps an alias configured with the alias option (see above) to the specified location for this service. policy policy-name Applies the specified GSLB to clients from the geo-location. health-check {gateway | port portnum [...]} Please contact A10 Networks for information. admin-ip {service-name | service-ipaddr} [...] Specifies the list of service IP addresses in the DNS reply. policy policy-name Applies the specified GSLB policy to the service. no gslb service all [no] template dnssec template-name [no] ttl seconds Removes all services from the zone.
Binds a DNSSEC template to the zone. (See DNSSEC Support on page 133.) Changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy, for this zone. You can specify from 0 to 1000000000 (one billion) seconds. This TTL setting overrides the TTL setting in the GSLB policy. The default is 10. The TTL of the DNS reply can be overridden in two different places in the GSLB configuration: (1) If a GSLB policy is assigned to the individual
186 of 260

CLI Command Reference - Main Configuration Commands service, then the TTL from that policy is used. (2) If no policy is assigned to the individual service, but the TTL is set in the zone, then the zones TTL setting is used. (This is the level set by the ttl command shown earlier this section.) Default Mode Example Default settings are described above, where applicable. Global configuration mode The following example creates a zone named ax-gslb-zone:
AX(config)#gslb zone ax-gslb-zone AX(config gslb-zone)#
Example
The following example uses the wildcard character at the end of the gslb zone command. This has the result of identifying all GSLB zones so that the next line of the configuration creates a positive match on all DNS domains that have the prefix of www.
AX#configure AX(config)#gslb zone * AX(config-gslb zone)#service http www
Example
The following commands create a default GSLB policy and then specify that a backup server at IP 192.168.123.1 will be returned to the client if the primary servers fail.
AX(config)#gslb policy default AX(config-gslb policy)#dns backup-server AX(config-gslb policy)#exit AX(config)#gslb zone z1 AX(config-gslb zone)#service 80 http AX(config-gslb zone-gslb service)#dns-a-record 192.168.123.1 as-backup AX(config-gslb zone-gslb service)#exit
no gslb all
Description Syntax Default Mode Delete all GSLB configuration commands. no gslb all N/A Global configuration mode
187 of 260

CLI Command Reference - Policy Configuration Commands Usage If you only want to reset GSLB instead of removing the GSLB configuration, see gslb system reset on page 175. The all option is also supported with the no forms of the GSLB configuration commands described in the other sections in this chapter. For syntax information, see the sections for the individual commands.
Policy Configuration Commands

The commands in this section configure GSLB policies. The CLI changes to this level when you enter the gslb policy policy-name command from the global Config level.
active-rdt
Description Configure the active-Round Delay Time (aRDT) metric. aRDT measures the round-delay-time for a DNS query and reply between a site AX device and the GSLB local DNS. Syntax [no] active-rdt [difference num] [fail-break] [ignore-id group-id] [keep-tracking] [limit ms] [samples num-samples] [single-shot] [skip count] [timeout seconds] [tolerance num-percentage] Parameter difference num fail-break Description Number from 0 to 16383 specifying the rounddelay-time difference. Enables GSLB to stop if the configured aRDT limit in a policy is reached. The fail-break action depends on whether the GSLB controller is running in server mode or proxy mode: Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to
188 of 260

CLI Command Reference - Policy Configuration Commands the client; otherwise, the controller returns a SERVFAIL error to the client. Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server. Note: To configure the aRDT limit, use the limit option (describe below). To configure GSLB to return a CNAME record as a backup, enable the backup-alias option using the dns backup-alias command at the configuration level for the policy. To configure the backup alias for a service within a zone, use the following command at the configuration level for the service: dns-cname-record alias-name as-backup ignore-id group-id Excludes the IP addresses in the specified IP list from aRDT data collection. Specify an ID from 0-31. (To configure an IP list, see gslb ip-list on page 161.) Continues tracking of aRDT for clients after the track time expires. By default, GSLB stops collecting aRDT samples for a client (stops tracking the client) after the time has exceeded the number of seconds specified by the global aRDT track setting. Specifies the aRDT limit for the policy. This option is useful for applying site selection based on aRDT limits and geo-location. This option is required if you plan to use the DNS geoloc-policy option. You can specify 1-16383 ms. To configure aRDT limit by geo-location: 1. Enable the active-rdt bind-geoloc option on each GSLB site. 2. Enable the dns geoloc-policy option in the default GSLB policy, and enable the active-rdt option in the policies for geo-locations. If applicable, configure the aRDT limit. 3. On the service within the zone, enable the geolocation option and specify the GSLB policy to use for that location. samples num-samples Number from 1 to 8 specifying the number of samples to collect.
keep-tracking
limit ms
189 of 260

CLI Command Reference - Policy Configuration Commands single-shot skip count Collects a single sample only. When single-shot is configured, this option determines the number of site AX devices that can exceed their single-shot timeouts, without the aRDT metric itself being skipped by the GSLB AX device during site selection. You can skip from 1-31 sites. When single-shot is configured, this option determines the number of seconds each site AX device should wait for the DNS reply. If the reply does not arrive within the specified timeout, the site becomes ineligible for selection, in cases where selection is based on the aRDT metric. You can specify 1-255 seconds. Specifies how much the aRDT values must differ in order for GSLB to prefer one geo-location or site over another based on aRDT.
timeout seconds
tolerance num-percentage
Default
Disabled. When you enable the aRDT metric, it has the following default settings:
difference 0 fail-break disabled ignore-id not set keep-tracking disabled limit 16383 ms samples 5 single-shot Disabled. Multiple samples are taken at regular intervals. skip 3 timeout 3 seconds tolerance 10 percent.
Mode Usage
GSLB Policy This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices.
190 of 260

CLI Command Reference - Policy Configuration Commands Example The following command enables the aRDT metric:
AX(config gslb-policy)#active-rdt
active-servers
Description Configure the Active-Servers metric, which prefers the VIP with the highest number of active servers. Active-servers is a measure of the number of active real servers bound to a virtual port residing on a GSLB site. Syntax [no] active-servers [fail-break] Parameter fail-break Description Enables GSLB to stop if the number of active servers for all services is 0. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode: Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client. Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server. Default Mode Usage Disabled GSLB Policy Use this command to eliminate inactive real servers from being eligible for selection. The following command enables the Active-Servers metric:
Example
AX(config gslb-policy)#active-servers
191 of 260

CLI Command Reference - Policy Configuration Commands
admin-ip
Description Syntax Allows you to assign administrative weights to IP addresses. [no] admin-ip [top-only] Parameter top-only Description Returns only the first (top) IP address in the IP list. This option overrides the default behavior, in which GSLB sends all IP addresses to the requesting client after those addresses have been vetted according to the metrics in the policy.
Default Mode Usage
Disabled GSLB Policy The prioritized list is sent to the next metric for further evaluation. If admin-ip is the last metric, the prioritized list is sent to the client. To configure the ordered list of IP addresses for a service, use the ip-order command at the service configuration level for the GSLB zone. See gslb zone on page 180.
admin-preference
Description Enable or disable the Admin-Preference metric, which prefers the site whose SLB device has the highest administratively set weight. [no] admin-preference Disabled GSLB Policy To set the GSLB Admin-Preference value for a site, use the admin-preference command at the configuration level for the SLB device within the site. (See gslb site on page 168.) The following command enables the Admin-Preference metric:
Syntax Default Mode Usage
Example
AX(config gslb-policy)#admin-preference
192 of 260

alias-admin-preference
Description Enable or disable the Alias Admin Preference metric, which selects the DNS CNAME record with the highest administratively set preference. This metric is similar to the Admin Preference metric, but applies only to DNS CNAME records. [no] alias-admin-preference Disabled GSLB Policy Metric order does not apply to this metric. When enabled, this metric always has high priority. To configure the Alias Admin Preference metric: 1. At the configuration level for the GSLB service, use the admin-preference preference command to assign an administrative preference to the DNS CNAME record for the service. (See gslb service-ip on page 166.) 2. At the configuration level for the GSLB policy:
Use the alias-admin-preference command to enable the Alias
Admin Preference metric. Enable one or both of the following DNS options, as applicable to your deployment: DNS backup-alias DNS geoloc-alias (See dns on page 197.) 3. If using the backup-alias option, use the dns-cname-record as-backup option on the service. (See gslb service-ip on page 166.)
bw-cost
Description Configure the BW-Cost metric. This mechanism queries the bandwidth utilization of each site, and selects the site(s) whose bandwidth utilization has not exceeded a configured threshold during the most recent query interval. [no] bw-cost [fail-break]
Syntax
193 of 260

CLI Command Reference - Policy Configuration Commands Parameter fail-break Description Enables GSLB to stop if the current BW-Cost value is over the limit. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode: Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client. Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server. Default Mode Example Disabled GSLB Policy The following command enables the BW-Cost metric:
AX(config gslb-policy)#bw-cost
capacity
Description Configure the TCP/UDP Session-Capacity metric. This mechanism provides a way to shift load away from a site before the site becomes congested. Example: Site As maximum session capacity is 800,000 and Site Bs maximum session capacity is 500,000. If the Session-Capacity threshold is set to 90, then for Site A the capacity threshold is 90% of 800,000, which is 720,000. Likewise, the capacity threshold for Site B is 90% of 500,000, which is 450,000. Syntax [no] capacity [threshold num-percentage] [fail-break] Parameter threshold num-percentage Description Number from 0 to 100 specifying the maximum percentage of a site AX Series session table that can be used. If the session table utilization is greater than the specified percentage, the GSLB AX Series prefers other sites over this site.
194 of 260

CLI Command Reference - Policy Configuration Commands fail-break Enables GSLB to stop if the session utilization on all site SLB devices is over the threshold. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode: Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client. Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server. Default Disabled. When you enable the capacity metric, the default threshold is 90 percent. GSLB Policy This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices. The following command enables the capacity metric at the default value of 90% utilization of TCP/UDP session capacity:
Mode Usage
Example
AX(config gslb-policy)#capacity
connection-load
Description Configure the Connection-Load metric, which prefers sites that have not exceeded their thresholds for new connections. [no] connection-load [limit number-of-connections] | [samples number-of-samples interval seconds] [fail-break] Parameter limit numberof-connections Description Number that specifies the maximum average number of new connections per second the site AX Series can have. You can specify from 1 to 999999999 (999,999,999).
Syntax
195 of 260

CLI Command Reference - Policy Configuration Commands samples numberof-samples interval seconds Number of samples for the SLB device (the site AX Series) to collect, and the number of seconds between each sample. You can specify 1-8 samples and an interval of 1-60 seconds. fail-break Enables GSLB to stop if the connection load for all sites is over the limit. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode: Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client. Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server. Default Disabled. When you enable the Connection-Load metric, the default limit is not set (unlimited). The default number of samples is 5, and the default interval is 5 seconds. GSLB Policy This command applies only to GSLB selection of a site. The command does not affect the number of connections the site AX Series itself allows. This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices. Example The following command sets the connection load limit to 1000 new connections:
Mode Usage
AX(config gslb-policy)#connection-load limit 1000
196 of 260

dns
Description Syntax Configure DNS parameters for the policy. [no] dns { action | active-only [fail-safe] | addition-mx | auto-map | backup-alias | backup-server | cache [aging-time {seconds | ttl}] | cname-detect | delegation | external-ip | external-soa | geoloc-action | geoloc-alias | geoloc-policy | hint | ip-replace | ipv6 options | logging {both | query | response | none} proxy block option | selected-only [num] | server [addition-mx] [any] [authoritative options] [mx] [ns [auto-ns]] [ptr [auto-ptr]] [srv] [txt] | sticky [network-mask | /prefix-length] [aging-time minutes] [ipv6-mask mask-length] | ttl num }
197 of 260

CLI Command Reference - Policy Configuration Commands Parameter action Description Enable GSLB to perform the DNS actions specified in the service configurations.
Note:
To configure the DNS action for a service, use the action action-type command at the configuration level for the service. See gslb zone on page 180. active-only [fail-safe] Removes IP addresses from DNS replies when those addresses fail health checks. Note: If none of the IP addresses in the DNS reply pass the health check, the GSLB AX Series does not use this metric, since it would result in an empty IP address list. The fail-safe option returns a list of server IP addresses for failed servers to the client. Without this option, IP addresses of failed servers are omitted from the reply. addition-mx Appends MX records in the Additional section in replies for A records, when the device is configured for DNS proxy or cache mode. Enables creation of A and AAAA records for IP resources configured on the AX device. For example, this option is useful for auto-mapping VIP addresses to service-IP addresses. (See Auto-mapping on page 73.) Returns the alias CNAME record configured for the service, if GSLB does not receive an answer to a query for the service and no active DNS server exists. This option is valid in server mode or proxy mode. To configure the backup alias for a service within a zone, use the following command at the configuration level for the service: dns-cname-record alias-name as-backup backup-server Designates one or more backup servers that can be returned to the client if the primaries should fail.
auto-map
backup-alias
cache [aging-time seconds| ttl]
Enables the GSLB AX device to cache DNS replies. The AX device uses information in the cached DNS entries to reply to subsequent client
198 of 260

CLI Command Reference - Policy Configuration Commands requests, as opposed to sending a new DNS request for every client query. By default, the AX device caches a DNS reply for the duration of the TTL in the reply. You can override the entry TTL by setting the cache aging time. You can specify 1-1,000,000,000 seconds (nearly 32 years). Do not type commas when you enter the number. If you change the aging time but later decide to restore it to its default value, use the ttl option instead of seconds. cname-detect Disabling this option skips the Cname response. If enabled, the GSLB-AX applies the zone and service policy to the Cname record instead of applying it to the address record. Enables sub-zone delegation. The feature allows you to delegate authority or responsibility for a portion of the DNS namespace from the parent domain to a separate sub-domain which may reside on one or more remote servers and may be managed by someone other than the network administrator who is responsible for the parent zone. (For more information, see DNS Subzone Delegation on page 85.) Returns the external IP address configured for a service IP. If this option is disabled, the internal address is returned instead. The external IP address must be configured on the service IP. (Use the external-ip command at the configuration level for the service IP.) external-soa Replaces the internal SOA record with an external SOA record to prevent external clients from gaining information that should only be available to internal clients. If this option is disabled, the internal address is returned instead. The external SOA record must be configured in the GSLB zone. (Use the external-soa record command at the gslb zone configuration level.) geoloc-action Performs the DNS traffic handling action specified for the clients geo-location. The action is specified as part of service configuration in a zone.
delegation
external-ip
199 of 260

CLI Command Reference - Policy Configuration Commands Note: To configure the DNS action for a service, use the geo-location locationname action-type command at the configuration level for the service. See gslb zone on page 180. geoloc-alias Returns the alias name configured for the clients geo-location. (This option does the same thing as the alias-geoloc option, which is deprecated in AX Release 2.0.) Uses the GSLB policy assigned to the clients geo-location.
geoloc-policy hint {addition | answer | none}
Enables hints, which appear in the Additional Section of the DNS response. Hints are A or AAAA records that are sent in the response to a clients DNS request. These records provide a mapping between the host names and IP addresses. addition Appends hints in the Additional Section (default). answer Appends hints in the Answer Section. none Does not append hints in the DNS response. The hint option applies to the following record types: NS, MX, and SRV.
ip-replace
Replaces the IP addresses in the DNS reply with the service IP addresses configured for the service. (To configure the service IP addresses, use the service-ip command at the configuration level for the service. See gslb zone on page 180.) Enables support for IPv6 AAAA records. The following options are supported: mapping {addition | answer | exclusive | replace} Specifies the actions in response to an
ipv6 options
200 of 260

CLI Command Reference - Policy Configuration Commands IPv6 DNS query. You can enable one or more of these options. addition Append AAAA records in the DNS Addition section of replies. answer Append AAAA records in the DNS Answer section of replies. exclusive Replace A records (IPv4 address records) with AAAA records. replace Reply with AAAA records only. Note: The current release has the following limitations:
Health checks and the GSLB protocol use IPv4 only. IP address-related metrics such as aRDT are always based on IPv4. Virtual servers for GSLB service IPs are required to have both an IPv4
and an IPv6 address. mix Enables GSLB to return both AAAA and A records in the same answer. smart Enables IPv6 return by query type. For the ipv4-ipv6 mapping records, an A query (IPv4) will return an A record and an AAAA query (IPv6) will return an AAAA record. logging options Configures DNS logging. The both | none | query | response option specifies the types of messages to log. To restrict logging to a specific geo-location or IP address, use one of the following options: proxy block options Blocks DNS t queries from being sent to an internal DNS server. The AX device must be in GSLB proxy mode for the feature to work. The options can be one or more of the following: a aaaa ns mx srv cname
201 of 260

CLI Command Reference - Policy Configuration Commands ptr soa txt num query-type range {start-query-type end-query-type} action [drop | reject] (For more information, see DNS Proxy Block on page 91.) selected-only [num] Enables return of only the selected IP addresses. You can specify 1-128 records can be returned after selection occurs. If the number is greater than the selected number, then GSLB ignores this configuration. Enables the GSLB AX device to act as a DNS server, for specific service IPs in the GSLB zone. When you enable the server option, the GSLB AX directly responds to Address queries for specific service IP addresses in the GSLB zone. The AX device still forwards other types of queries to the DNS server. If you use the server option, you do not need to use the cname-detect option. When a client requests a configured alias name, GSLB applies the policy to the CNAME records. To place the server option into effect, you also must enable the static option on the individual service IP. (To configure the service IP addresses, use the service-ip command at the configuration level for the service. See gslb zone on page 180.) addition-mx Enables the GSLB AX device to provide the A record containing the mail servers IP address in the Additional section, when the device is configured for DNS server mode. any Enables the GSLB AX device to provide all resource records that are available, when the AX device is configured for DNS server mode. When a client issues a type ANY request (which is actually a pseudo
server [options]
202 of 260

CLI Command Reference - Policy Configuration Commands resource record that is expressed by the wildcard code *), then the AX device includes all RR information it has available. authoritative [options] Makes the AX device the authoritative DNS server for the GSLB zone, for the service IPs in which you enable the static option. (See below.) If you omit the authoritative option, the AX device is a non-authoritative DNS server for the zone domain. addition-mx This option appends the MX record in the Addition section, when the device is configured for DNS server mode. any Provides all records. full-list The full-list option appends all A records in the Authoritative section of DNS replies. ns-list This option appends all Name Server (NS) Resource Records (RR) in the Authority section of DNS replies. mx Provides the MX record in the Answer section, and the A record for the mail server in the Additional section, when the device is configured for DNS server mode. ns [auto-ns] Provides the name server record. The auto-ns option causes the policy to provide A records for NS records automatically. ptr [auto-ptr] Provides the pointer record. The auto-ptr option causes the policy to provide pointer records automatically. srv Provides the service record. txt Provides the service record. TXT resource records can be used to carry multiple pieces of DNS TXT data within a single record. Note: The server option is not valid with the ip-replace option. They are mutually exclusive.
203 of 260

CLI Command Reference - Policy Configuration Commands sticky [network-mask | /prefix-length] [aging-time minutes] [ipv6-mask mask-length] Sends the same service IP address to a client for all requests from that client for the service address. Sticky DNS ensures that, during the aging-time, a client is always directed to the same site. /prefix-length Adjusts the granularity of the feature. The default prefix length is 32, which causes the AX device to maintain separate stickiness information for each local DNS server. For example, if two clients use DNS 10.10.10.25 as their local DNS server, and two other clients use DNS 10.20.20.99 as their local DNS server, the AX maintains separate stickiness information for each set of clients, by maintaining separate stickiness information for each of the local DNS servers. aging-time minutes Specifies how many minutes a DNS reply remains sticky. You can specify 1-65535 minutes. ipv6-mask mask-length Adjusts the granularity of the feature for IPv6. The default mask length is 128. Note: If you enable the sticky option, the sticky time must be as long or longer than the zone TTL. (Use the ttl command at the configuration level for the zone. See gslb zone on page 180.) ttl num Changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy. You can specify 01000000 (1,000,000) seconds.
Default
This command has the following defaults:

action disabled active-only disabled; when you enable this option, fail-safe is
disabled by default
addition-mx disabled auto-map disabled
204 of 260

backup-alias disabled backup-server disabled cache disabled; when you enable this option, the default aging time
for a cached DNS reply is the TTL set by the DNS server in the reply
cname-detect enabled delegation disabled external-ip enabled geoloc-action disabled geoloc-alias disabled geoloc-policy disabled hint enabled for addition option ip-replace disabled ipv6 all options disabled logging disabled proxy disabled selected-only disabled server disabled sticky disabled; when you enable this option, the default prefix is /
32, the default aging time is 5 minutes, and the default IPv6 mask length is 128.
ttl 10 seconds
Mode Usage
GSLB Policy If more than one of the following options are enabled, GSLB uses them in the order listed, beginning with sticky: 1. 2. 3. 4. sticky server cache proxy (The command does not have a separately configurable proxy option. The proxy option is automatically enabled when you configure the DNS proxy.)
205 of 260

CLI Command Reference - Policy Configuration Commands The site address selected by the first option that is applicable to the client and requested service is used. Example The following command enables CNAME detection:
AX(config gslb-policy)#dns cname-detect
Example
The following configuration excerpt uses the ipv6 mix option to enable mixing of IPv4 and IPv6 service-ip addresses in DNS answers. Both A and AAAA records will be included in replies to either A or AAAA requests from clients.
gslb service-ip ip1 20.20.20.100 port 80 tcp gslb service-ip ip2 20.20.20.102 port 80 tcp gslb service-ip ipv61 fe80::1 port 80 tcp gslb service-ip ipv62 fe80::2 port 80 tcp gslb service-ip ipv63 fe80::3 port 80 tcp gslb policy p8 dns ipv6 mix dns server gslb zone a8.com policy p8 service http www dns-a-record ip2 static dns-a-record ip1 static dns-a-record ipv61 static dns-a-record ipv62 static dns-a-record ipv63 static
Example
The following configuration excerpt uses the ipv6 smart option. For IPv4IPv6 mapping records, an A query will be answered by an A record and an AAAA query will be answered by an AAAA record. More specifically, if a client sends an A query, GSLB returns A records in the answer section, and AAAA records in the additional section. If a client sends an AAAA query,
206 of 260

CLI Command Reference - Policy Configuration Commands GSLB returns AAAA records in the answer section, and A records in the additional section.
gslb service-ip ip1 20.20.20.100 ipv6 ffff::1 port 80 tcp gslb service-ip ip2 20.20.20.102 ipv6 ffff::2 port 80 tcp gslb policy p8 dns ipv6 mapping addition dns ipv6 smart dns server gslb zone a8.com policy p8 service http www dns-a-record ip2 static dns-a-record ip1 static
dnssec key-generate
Description Syntax Generate the DNSSEC keyset. [no] dnssec key-generate name algorithm [RSASHA1 | RSASHA256 | RSASHA512 | NSEC3RSASHA1] keysize num Parameter name algorithm Description Name of the DNSSEC keyset. Specify which RSA SHA algorithm is used to generate the DNSSEC key pair (ZSK and KSK): RSASHA1 RSASHA256 RSASHA512 NSEC3RSASHA1 Note: Selecting one of the first three algorithms (RSASHA1, RSASHA256, or RSASHA512) will cause the standard NSEC resource record to be generated for the zone. However, selecting the fourth algorithm option (NSEC3RSASHA1) causes the NSEC3/NSEC3PARAM record to be gen-
207 of 260

CLI Command Reference - Policy Configuration Commands erated for the zone, which is helpful in mitigating the threat posed by zone walking. keysize num Number of bits in the DNSSEC key. You can specify 512-4096 bits, in multiples of 64 bits. The default value is 1024 bits.
Default Mode
N/A Global config
export dnssec-dnskey
Description Syntax Export the DS keyset from the child zone to the parent zone. [no] import dnssec-dnskey authoritative-zone-name [use-mgmt-port] url Parameter zone-name use-mgmt-port url Description Authoritative zone name of the dnskey. Uses the management interface as the source interface for the connection to the remote device. File transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. The password can be up to 255 characters long. To enter the entire URL: tftp://host/file ftp://[user@]host[:port]/file scp://[user@]host/file rcp://[user@]host/file http://[user@]host/file https://[user@]host/file sftp://[user@]host/file Default N/A
208 of 260

CLI Command Reference - Policy Configuration Commands Mode Usage Global config When using the CLI commands to import/export a DS/DNSKEY record to/ from a parent/child zone, it is not necessary to list the AX devices internal file name for the resource record. Instead, you can simply include the name of the DNS zone from which you will be importing or exporting the file.
geo-location
Description Configure a geographic location. GSLB forwards client requests from IP addresses within the locations range to the GSLB site that serves the location. [no] geo-location location-name start-ip-addr [mask ip-mask | end-ip-addr] Parameter location-name start-ip-addr mask ip-mask end-ip-addr Default Mode Usage None. GSLB Policy To prefer the location configured with this command over a globally configured location, use the gslb policy geo-location match-first policy command. (See geo-location match-first on page 209.) The following example configures geographic location CN.BeiJing for IP address range 200.1.1.1 through 200.1.1.253: Description Name of the location, up to 127 alphanumeric characters. Beginning IP address for the range. Network mask. Ending IP address for the range.
Syntax
Example
AX(config gslb-policy)#geo-location CN.BeiJing 200.1.1.1 200.1.1.253
geo-location match-first
Description Configure the policy to prefer either the globally configured geo-location or the one configured in this policy. If a client IP address matches the IP ranges in a globally configured location and in a location configured in this policy, the geo-location match-first command specifies which matching geo-location to use.
209 of 260

CLI Command Reference - Policy Configuration Commands Syntax [no] geo-location match-first {global | policy} Parameter global policy Description GSLB prefers globally configured locations over locations configured in this policy. GSLB prefers locations configured in this policy over globally configured locations.
Default Mode Example
global GSLB Policy The following command configures the GSLB AX Series to prefer locations configured in this policy:
AX(config gslb-policy)#geo-location match-first policy
geo-location overlap
Description Enable overlap matching mode. If there are overlapping addresses in the geo-location database, use this option to enable the AX device to find the most precise match. [no] geo-location overlap [global | policy] Parameter global policy Description GSLB prefers globally configured locations over locations configured in this policy. GSLB prefers locations configured in this policy over globally configured locations.
Syntax
Default Mode Usage
Disabled GSLB Policy If you suspect a public IP address in your domain is not unique and the same IP address may be associated with different hosts, you can enable the geolocation overlap option. This causes the AX device to search the geo-location database for the match best (or longest matching IP address). Otherwise, the AX device will use its default behavior, which is to scan the specified geo-location database using the match first algorithm, which uses the first IP address-region mapping discovered. (See Geo-location Overlap on page 57.)
210 of 260

geographic
Description Enable or disable the Geographic metric. The Geographic metric prefers sites that are within the geographic location of the client. [no] geographic Enabled GSLB Policy You must configure the geographic location, by configuring a geo-location name, then assigning the geo-location to a GSLB site. To configure a geolocation, assign a client IP address range to a location name. (See gslb geolocation on page 156 and geo-location on page 209.) To assign the geolocation to a site, use the geo-location command at the site configuration level. (See gslb site on page 168.) The following command disables the Geographic metric:
Example
AX(config gslb-policy)#no geographic
health-check
Description Enable or disable the Health-Check metric. The Health-Check metric prefers sites that pass their health checks. [no] health-check Enabled GSLB Policy This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices, if the default health checks are used on the service IPs. If you use a custom health monitor, or you explicitly apply the default Layer 3 health monitor to the service, the GSLB protocol is not used for any of the health checks. In this case, the GSLB protocol is not required to be enabled on the site AX devices, although use of the protocol is still recommended. Example The following command disables the Health-Check metric:
AX(config gslb-policy)#no health-check
211 of 260

import dnssec-dnskey
Description Syntax Import the DNSKEY keyset from the child zone to the parent zone. [no] import dnssec-dnskey authoritative-zone-name [use-mgmt-port] url Parameter authoritativezone-name use-mgmt-port url Description Authoritative zone name of the dnskey. Uses the management interface as the source interface for the connection to the remote device. File transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. The password can be up to 255 characters long. To enter the entire URL: tftp://host/file ftp://[user@]host[:port]/file scp://[user@]host/file rcp://[user@]host/file http://[user@]host/file https://[user@]host/file sftp://[user@]host/file Default Mode Usage N/A Global config When using the CLI commands to import/export a DS/DNSKEY record to/ from a parent/child zone, it is not necessary to list the AX devices internal file name for the resource record. Instead, you can simply include the name of the DNS zone from which you will be importing or exporting the file.
212 of 260

import dnssec-ds
Description Syntax Import the DS keyset from the child zone to the parent zone. [no] import dnssec-ds child-zone-name [use-mgmtport] url Parameter Description
child-zone-name Child zone name of the ds keyset. use-mgmt-port url Uses the management interface as the source interface for the connection to the remote device. File transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. The password can be up to 255 characters long. To enter the entire URL: tftp://host/file ftp://[user@]host[:port]/file scp://[user@]host/file rcp://[user@]host/file http://[user@]host/file https://[user@]host/file sftp://[user@]host/file Default Mode Usage N/A Global config When using the CLI commands to import/export a DS/DNSKEY record to/ from a parent/child zone, it is not necessary to list the AX devices internal file name for the resource record. Instead, you can simply include the name of the DNS zone from which you will be importing or exporting the file.
213 of 260

ip-list
Description Syntax Default Usage Example Use an IP list to exclude a set of IP addresses from aRDT polling. [no] ip-list list-name None To configure an IP list, see gslb ip-list on page 161. The following commands configure a GSLB IP list and use the list to exclude IP addresses from aRDT data collection:
AX(config)#gslb ip-list iplist1 AX(config-gslb ip-list)#ip 192.168.1.0 /24 id 3 AX(config-gslb ip-list)#ip 10.10.10.10 /32 id 3 AX(config-gslb ip-list)#ip 10.10.10.20 /32 id 3 AX(config-gslb ip-list)#ip 10.10.10.30 /32 id 3 AX(config-gslb ip-list)#exit AX(config)#gslb policy pol1 AX(config-gslb policy)#ip-list iplist1 AX(config-gslb policy)#active-rdt ignore-id 3
least-response
Description Enable or disable the Least-Response metric, which prefers VIPs that have the fewest hits. [no] least-response Disabled GSLB Policy The following command enables the Least-Response metric:
Syntax Default Mode Example
AX(config gslb-policy)#least-response
214 of 260

metric-fail-break
Description Syntax Default Mode Enable GSLB to stop if there are no valid service IPs. [no] metric-fail-break Disabled GSLB Policy
metric-force-check
Description Syntax Default Force the GSLB controller to always check all metrics in the policy. [no] metric-force-check By default, the GSLB controller stops evaluating metrics for a site once a metric comparison definitively selects or rejects a site. GSLB Policy
Mode
metric-order
Description Syntax Configure the order in which the GSLB metrics in this policy are used. [no] metric-order metric [metric ...] Parameter metric [metric ...] Description One or more of the following metrics: active-rdt active-servers admin-preference bw-cost capacity connection-load geographic health-check least-response Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012
215 of 260

CLI Command Reference - Policy Configuration Commands num-session weighted-ip weighted-site Default By default, metrics are used in the following order: 1. Health-Check 2. Weighted-IP 3. Weighted-Site 4. Session-Capacity 5. Active-Servers 6. aRDT 7. Geographic 8. Connection-Load 9. Num-Session 10. Admin-Preference 11. BW-Cost 12. Least-Response The Health-Check, Geographic and Round-Robin metrics are enabled by default. The Round-Robin metric does not appear in the list above because this is the metric of last resort. Mode Usage GSLB Policy The first metric you specify with this command becomes the primary metric. If you specify additional parameters, they are used in the priority you specify. All remaining metrics are prioritized to follow the metrics you specify. The GSLB AX Series uses each metric, in the order specified, to compare the IP addresses returned in DNS replies to clients. If a metric is disabled, the metric order does not change. The GSLB AX Series skips the metric and continues to the next enabled metric. The Round-Robin metric can not be re-ordered. To display the metric order used in a policy, see show gslb policy on page 234.
216 of 260

num-session
Description Configure the Num-Session metric, which evaluates a site based on available session capacity and tolerance threshold compared to another site. Sites that are at or below their thresholds of current available sessions are preferred over sites that are above their thresholds. Example: Site A has 800,000 sessions available and Site B has 600,000 sessions available. If Num-Session is enabled, then Site A is preferred because it has a larger number of available sessions than site B. If the tolerance option is enabled (with a default value of 10 percent), and if Site A has 800,000 sessions available and Site B has 600,000 sessions available, then Site A will continue to be preferred until Site Bs available sessions exceed Site As available sessions by more than 10 percent. In this case, Site A will remain the preferred site until Site Bs available sessions exceed 800,000 by more than ten percent (or 80,000 sessions). If Site As available sessions remain constant, and Site Bs available sessions increase to the point that they exceed 880,000 sessions, the Site B would become the preferred site. Note: When dealing with smaller base numbers, a small fluctuation in the number of available sessions can cause flapping from one site to another. Thus, when configuring sites with smaller capacities, it is recommended to use a larger tolerance number to prevent frequent flapping between preferred sites. [no] num-session [tolerance num] Parameter num-percentage Description Number from 0 to 100 specifying the percentage by which the number of available sessions on site SLB devices can differ without causing the NumSession metric to select one site device over another. (See the Usage description.)
Syntax
Default
Disabled. When you enable the Num-Session metric, the default tolerance is 10 percent. GSLB Policy The GSLB AX Series considers site SLB devices to be equal if the difference in the number of available sessions on each device does not exceed the tolerance percentage. The tolerance percentage ensures that minor differ-
Mode Usage
217 of 260

CLI Command Reference - Policy Configuration Commands ences in available sessions do not cause frequent, unnecessary, changes in site preference. This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices. Example The following command changes the available-session tolerance threshold to 70 percent:
AX(config gslb-policy)#num-session tolerance 70
round-robin
Description Syntax Default Mode Usage Configure the Round-Robin metric, which selects sites in sequential order. [no] round-robin Enabled GSLB Policy The AX device uses Round-Robin to select a site at the end of the policy parameters evaluation. This is true even if the Round-Robin metric is disabled in the GSLB policy. The following command disables the Round-Robin metric:
Example
AX(config gslb-policy)#no round-robin
weighted-alias
Description Enable the Weighted Alias metric, which prefers CNAME records with higher weight values over CNAME records with lower weight values. This metric is similar to Weighted-IP, but applies only to DNS CNAME records. [no] weighted-alias Disabled GSLB Policy
Syntax Default Mode
218 of 260

CLI Command Reference - Policy Configuration Commands Usage Metric order does not apply to this metric. To configure the Weighted Alias metric: 1. At the configuration level for the GSLB service, use the weight command to assign a weight to the DNS CNAME record for the service. (See gslb service-ip on page 166.) 2. At the configuration level for the GSLB policy:
Enable the Weighted Alias metric. Enable one or both of the following DNS options, as applicable to
your deployment: DNS backup-alias DNS geoloc-alias (See dns on page 197.) 3. If using the backup-alias option, use the dns-cname-record as-backup option on the service. (See gslb service-ip on page 166.)
weighted-ip
Description Configure the Weighted-IP metric, which uses service IP addresses with higher weight values more often than addresses with lower weight values. [no] weighted-ip [total-hits] Parameter total-hits Description First sends requests to the service IP addresses that have fewer hits. After all service IP addresses have the same number of hits, GSLB sends requests based on weight. This option is disabled by default.
Syntax
Default Mode Usage
Disabled GSLB Policy As a simple example, assume that the Weighted-IP metric is the only enabled metric, or at least always ends up being used as the tie breaker. The total-hits option is disabled. IP address 10.10.10.1 has weight 4 and IP address 10.10.10.2 has weight 2. During a given session aging period, the first 4 requests go to 10.10.10.1, the next 2 requests go to 10.10.10.2, and so on, (4 to 10.10.10.1, then 2 to 10.10.10.2).
219 of 260

CLI Command Reference - Policy Configuration Commands Here is an example using the same two servers and weights, with the totalhits option enabled. IP address 10.10.10.1 has weight 4 and total hits 8, and IP address 10.10.10.2 has weight 2 and total hits 0. In this case, the first 4 requests go to 10.10.10.2, then the requests are distributed according to weight. Four requests go to 10.10.10.1, then two requests go to 10.10.10.2, and so on. To display the total hits for a service IP address, use the show gslb service-ip command. (See gslb service-ip on page 166.) To assign a weight to a service IP address, use the following command at the configuration level for the zone service: dns-a-record name weight num Example The following command disables the Weighted-IP metric:
AX(config gslb-policy)#no weighted-ip
weighted-site
Description Configure the Weighted-Site metric, which uses sites with higher weight values more often than sites with lower weight values. [no] weighted-site [total-hits] Parameter total-hits Description First sends requests to the sites that have fewer hits. After all service sites have the same number of hits, GSLB sends requests based on weight. This option is disabled by default.
Syntax
Default
Disabled. When you enable the Weighted-Site metric, the default weight of each site is 1. GSLB Policy As a simple example, assume that the Weighted-Site metric is the only enabled metric, or at least always ends up being the tie breaker. Site A has weight 4 and site B has weight 2. During a given session aging period, the first 4 requests go to site A, the next 2 requests go to site B, and so on, (4 to A, then 2 to B). Here is an example using the same two sites and weights, with the total-hits option enabled. Site A has weight 4 with total hits 8, and site B has weight 2 with total hits 0. In this case, the first 4 requests go to site B, then requests are sent as described above. Four requests go to site A, then 2 requests go to site B, and so on.
Mode Usage
220 of 260

CLI Command Reference - Policy Configuration Commands To assign a weight to a site, use the following command at the configuration level for the site: weight num Example The following command disables the Weighted-Site metric:
AX(config gslb-policy)#no weighted-site
221 of 260

CLI Command Reference - Show Commands
Show Commands
This section describes the GSLB show commands.
show gslb cache

Description Show the DNS messages cached on the GSLB AX device. The GSLB AX device caches DNS replies if either of the following GSLB policy options are enabled:
DNS caching aRDT metric (if the single-shot option is used)
Syntax
show gslb cache [service-name ...] [zone zone-name] Option zone-name service-name Description Displays cached DNS messages for the specified zone. Displays cached DNS messages for the specified service.
Mode Example
All The following command displays cached DNS messages for service www.testme.com:http:
AX#show gslb cache www.testme.com:http QD = Question Records, AN = Answer Records NS = Authority Records, AR = Additional Records Flag = DNS Flag, Len = Cache Length A = Authoritative Answer, D = Recursion Desired R = Recursion Available Zone: testme.com Service Alias Len TTL Flag QD AN NS AR --------------------------------------------------------------------------www.testme.com:http 96 3055 DR 1 4 0 0

Field Zone
show gslb cache fields

Description GSLB zone name.
222 of 260

CLI Command Reference - Show Commands TABLE 6
Field Service Alias Len TTL
show gslb cache fields (Continued)

Description GSLB service. Alias, if configured, that maps to the DNS Canonical Name (CNAME) for the service. Length of the DNS message, in bytes. Number of seconds for which the cached message is still valid.
show gslb config

Description Syntax Show the GSLB configuration commands that are in the running-config. show gslb config [ active-rdt | dns | geo-location | group | ip-list | policy | protocol | service-ip | site | system template | view | zone | common-filters (| include string) ] All The show gslb config command can be used in shared partitions, private partitions, and gslb-view. When used in shared partitions When used within a shared partition, the show gslb config command can include the following:
active-rdt: Show GSLB aRDT configuration dns: Show GSLB global DNS configuration geo-location: Show GSLB global geo-location configuration
Mode Usage
223 of 260

group: Show GSLB group configuration ip-list: Show GSLB IP list configuration policy: Show GSLB policy configuration protocol: Show GSLB protocol configuration service-ip: Show GSLB service-ip configuration site: Show GSLB site configuration system: Show GSLB system options template: Show GSLB template configuration view: Show GSLB view zone: Show GSLB zone configuration
When used in private partitions When used within a private partition, the show gslb config command can include the following:
group: Show GSLB Group configuration ip-list: Show GSLB IP list configuration policy: Show GSLB policy configuration service-ip: Show GSLB service-IP configuration site: Show GSLB site configuration template: Show GSLB template configuration zone: Show GSLB zone configuration
Note:
When the show gslb config command is used within a private partition, the following command completions are not supported: active-rdt, dns, geo-location, protocol, system, and view. When used in gslb-view When used in gslb-view, the show gslb config command can include the following:
group: Show GSLB Group configuration ip-list: Show GSLB IP list configuration policy: Show GSLB policy configuration site: Show GSLB site configuration
224 of 260

template: Show GSLB template configuration zone: Show GSLB zone configuration
Note:
When the show gslb config command is used in gslb-view, the following command completions are not supported: active-rdt, dns, geo-location, protocol, service-ip, system, and view. Details about L3V Deployments When using the new show gslb config command filters in L3V partitions, only the following command completions are supported: group, ip-list, policy, service-ip, site, template, and zone. The following show gslb config command options are not supported in L3V deployments, and by extension, not supported by the new gslb show command enhancements: active-rdt, dns, geo-location, protocol, system and view.
Show gslb config XXX for shared partitions

The command syntax when used within a shared partition is as follows: show gslb config [ active-rdt | dns | geo-location | group | ip-list | policy | protocol | service-ip | site | system template | view | zone | [common-filters (| include string) ] CLI Example
Show gslb config zone Show gslb config site zone Show gslb config service-ip zone | include aaa
225 of 260

CLI Command Reference - Show Commands Show gslb config for gslb-view The command syntax when used within gslb-view is as follows: show gslb config [ group | ip-list | policy | service-ip | site | template | zone | common filters(| include xxx) ] CLI Example:
Show gslb config zone Show gslb config site template Show gslb config zone | include aaa
Show gslb config for private partition The command syntax when used within a private partition is as follows: show gslb config [ group | ip-list | policy | service-ip | site | template | zone | common filters(| include xxx) ] CLI Example:
Show gslb config zone Show gslb config site template Show gslb config service-ip zone | include aaa
226 of 260

show gslb fqdn

Description Syntax Show GSLB statistics using a Fully Qualified Domain Name (FQDN). show gslb fqdn domain-name [domain-name ... ] [ dns-a-record | dns-cname-record | dns-mx-record | dns-ns-record | dns-ptr-record | dns-srv-record | dns-txt-record | session | cache ] All 2.7.0 This command allows you to show various parameters for an FQDN, such as:
DNS cache information DNS A Record Service-IP statistics Statistics for MX, PTR, SRV, CNAME and other record types DNS session information
Mode Introduced in Release Usage
227 of 260

show gslb geo-location

Description Syntax Show the status of GSLB geo-location mappings. show gslb geo-location { [db [geo-location-name] [[statistics] ip-range range-start range-end] [[statistics] depth num] [[statistics] directory num] [[statistics] top num [percent [global]]] [statistics]] [file [file-name]] [ip ipaddr] [rdt [active [geo-location-name ...] [site site-name] [depth num]] Option db [options] Description Displays the geo-location database. If you specify a geo-location name, only the entries for that geo-location are shown. Otherwise, entries for all geo-locations are shown. ip-range Displays entries for the specified IP address range. depth num Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed. directory num Please contact A10 Networks for information. top num [percent [global]] Please contact A10 Networks for information. statistics Displays client statistics for the specified geo-location. file [file-name] Displays the geo-location database files on the AX device, and their load status. (Data from a
228 of 260

CLI Command Reference - Show Commands geo-location database file does not enter the geolocation database until you load the file. See gslb geo-location load on page 158.) ip ipaddr rdt [options] Displays geo-location database entries for the specified IP address. Displays aRDT data for geo-locations. You can use the following options: active Displays data for aRDT. geo-location-name Displays aRDT data only for the specified GSLB geo-location. site site-name Displays aRDT data only for the specified GSLB site. depth num Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed. Mode Usage All The matched client IP address and the hits counter indicate the working status of the geo-location configuration. The following command shows the status of a geo-location named pc:
Example
AX#show gslb geo-location pc Last = Last Matched Client, Hits = Count of Client matched Sub = Count of Sub Geo-location T = Type, G(global)/P(policy), P-Name = Policy name Geo-location: pc From To Last Hits Sub T P-Name ----------------------------------------------------------------------------1.2.2.0 1.2.2.255 (empty) 0 0 P default
Table 7 describes the fields in the command output. TABLE 7 show gslb geo-location fields
Description Name of the geo-location. Beginning address in the address range assigned to the geolocation.
Field Geo-location From
229 of 260

Field To Last
show gslb geo-location fields (Continued)

Description Ending address in the address range assigned to the geo-location. Client IP address that most recently matched the geo-location. If the value is empty, no client addresses have matched. Total number of client IP addresses that have matched the geo-location. Number of sublocations within the geo-location. For example, if you configure the following geo-locations, geo-location pc has two sublocations, pc.office and pc.lab. geo-location pc 10.1.0.0 mask /16 geo-location pc.office 10.1.1.0 mask /24 geo-location pc.lab 10.1.2.0 mask /24 Type of geo-location: G The geo-location is configured at the global level in the AX Series configuration.
Hits Sub
P-Name
P The geo-location is configured within a GSLB policy. Name of the GSLB policy where the geo-location is configured.
Example
The following command shows the load status information for a geo-location database file:
AX(config)#show gslb geo-location file test1 T = T(Template)/B(Built-in), Per = Percentage of loading Filename T Template Per Lines Success Error -----------------------------------------------------------------------------test1 T t1 98% 11 10 0
Example
The following command displays entries in the geo-location database:
AX(config)#show gslb geo-location db Last = Last Matched Client, Hits = Count of Client matched T = Type, Sub = Count of Sub Geo-location G(global)/P(policy), S(sub)/R(sub range) M(manually config) Global Name From To Last Hits Sub T -----------------------------------------------------------------------------NA (empty) (empty) (empty) 0 1 G Geo-location: NA, Global
230 of 260

Name From To Last Hits Sub T -----------------------------------------------------------------------------US (empty) (empty) (empty) 0 10 GS Geo-location: NA.US, Global Name From To Last Hits Sub T -----------------------------------------------------------------------------69.26.125.0 69.26.125.255 (empty) 0 0 GR 69.26.126.0 69.26.126.255 (empty) 0 0 GR 69.26.127.0 69.26.127.255 (empty) 0 0 GR ...
show gslb group

Description Syntax Show information for GSLB controller groups. show gslb group [ brief | group-name [...] [statistics] | statistics ] All The following commands add a GSLB controller to the default GSLB group, enable the devices membership in the group, and display group information:
Mode Example
AX(config)#gslb group default AX(config-gslb group)#enable AX(config-gslb group)#show gslb group brief Pri = Priority, Attrs = Attributes D = Disabled, L = Learn P = Passive, * = Master Name default Pri Attrs Master 255 L* local Member 2 ------------------------------------------------------------------------------

Field Name
show gslb group brief fields

Description Name of the GSLB controller group.
231 of 260

Field Pri Attrs
show gslb group brief fields (Continued)

Description Priority of the master controller. GSLB group attributes of this member: D Member is disabled. L Group learning is enabled on this member. P Members connection with this member (the member on which you enter the show gslb group command) is passive. The group connection between any two controller group members is a client-server connection. The group member that initiates the connection is the client, and has the passive side of the connection. The other member is the server. * Member is the current master for the group. Note: Attributes are displayed only when at least two group members are connected. IP address of the current master for the group. Number of GSLB controllers in the group. This number includes all configured group members and all learned group members.
Master Member
AX(config-gslb group)#show gslb group Pri = Priority, Attrs = Attributes D = Disabled, L = Learn P = Passive, * = Master Group: default, Master: 192.168.101.72 Member local 192.168.1.131 192.168.1.132 ID Pri Attrs Status OK Synced Synced ----------------------------------------------------------------------------22e40d29 255 L* 941a1229 100 ab301229 100 P

Field Member
show gslb group fields

Description GSLB controllers currently in the group. The local member is the GSLB controller on which you entered this show command. Group member ID assigned by the controller group feature.
ID
232 of 260

Field Pri Attrs
show gslb group fields (Continued)

Description Priority of the GSLB controller. GSLB group attributes of the member: D Member is disabled. L Group learning is enabled on this member. P Members connection with this member (the member on which you enter the show gslb group command) is passive. The group connection between any two controller group members is a client-server connection. The group member that initiates the connection is the client, and has the passive side of the connection. The other member is the server. * Member is the current master for the group. Note: Attributes are displayed only when at least two group members are connected. When the GSLB group is starting up, this column shows the protocol status. After the group is established, this column shows the group status. Protocol status: Idle Active OpenSent OpenConfirm Established Group status of the member: Ready FullSync/MasterSync Synced Note: If the group status of the member is OK, this AX device (the one on which you entered the command) knows of the member, but no connection between this AX device and the member is required.
Status
233 of 260

show gslb ip-list

Description Syntax Display information for GSLB IP lists. show gslb ip-list [ brief | list-name | id num | ip ipaddr | statistics ] All
Mode
show gslb memory

Description Syntax Display memory allocation information for GSLB. show gslb memory [mem-loc-id [...]] [interval seconds] All
Mode
show gslb policy

Description Syntax Mode Example Show GSLB metric settings for GSLB policies. show gslb policy [policy-name] All The following command shows the configuration of GSLB policy www:
AX#show gslb policy www Policy name: www MO = Metric Order, En-Value = Enabled or Value Type | MO| Option | En-Value | Description ================================================================================ DNS | | action | no | Action | | active-only | no | Only return active service-IP(s) | | selected-only| no | Only return selected service-IP(s) | | cname-detect| yes | Apply policy on CNAME records | | external-ip | yes | Return external IP | | external-soa| no | Return external SOA
234 of 260

| | IPv6 Mapping| no | A/AAAA Mapping | | IPv6 Mix | no | Both IPv4 and IPv6 Server | | IPv6 Smart | no | Return IPv6 Server by Query Type | | ip-replace | no | Replace DNS server's service-IPs | | GL-alias | no | Return CNAME Records by Geo-loc | | GL-action | no | Action by Geo-location | | GL-policy | no | Policy by Geo-location | | Bak-alias | no | Return Alias when fail | | Bak-server | no | Return fallback server when fail | | cache | no | Cache DNS proxy response | | addition-mx | no | Addition MX Records | | delegation | no | Sub Zone Delegation | | pxy-block | no | Block DNS Queries in proxy mode | | server | no | Run GSLB in DNS server mode | | sticky | no | Stick to DNS Record | | ttl | 10 | TTL value, unit: sec | | Log | global | DNS Logging | | IP List | no | Filter by IP List | | AutoMap | no | Auto build DNS Infrastructure | | Hint | addition | Append Hint Records -------------------------------------------------------------------------------Metric | | Force-Check | no | Check Service-IP for all metrics | | Fail-Break | no | Break if no valid service-IP -------------------------------------------------------------------------------health-check | 1 | | yes | Service-IP's health | | Preference | no | Check Health Preference geographic | 7 | | yes | Geographic round-robin | 15| | yes | Round robin selection -------------------------------------------------------------------------------weighted-ip | 2 | | no | Service-IP's weight | | total-hits | no | Weighed IP by total hits weighted-site | 3 | | no | Site's weight | | total-hits | no | Weighed Site by total hits capacity | 4 | | no | Session capacity of SLB device | | threshold | 90 | Threshold of session capacity | | fail-break | no | Break when exceed threshold active-servers | 5 | | no | Active servers of SLB device | | fail-break | no | Break when no active server active-rdt | 6 | | no | Active Round delay time | | tolerance | 10 | RDT tolerance | | difference | 0 | RDT Difference | | samples | 5 | Count of RDT samples | | limit | 16383 | Limit of usable RDT | | fail-break | no | Break when no valid RDT | | single-shot | no | Wait for A-RDT Samples | | timeout | 3 | Timeout of single-shot | | skip | 3 | Skip query if no samples | | keep-track | no | Keep tracking clients | | ignore-id | no | Ignore IP Address by group ID connection-load | 8 | | no | Service-IP's connection load | | limit | unlimited | Limit of connection load | | fail-break | no | Break when exceed limit | | number | 5 | Number of conn-load samples | | interval | 5 | Interval between two samples num-session | 9 | | no | Session number of SLB device | | tolerance | 10 | Tolerance of session number
235 of 260

active-weight | 10| | no | Weight based on active servers admin-preference| 11| | no | Admin preference of SLB device bw-cost | 12| | no | Cost of Bandwidth | | fail-break | no | Break when exceed limit least-response | 13| | no | Least response service-IP admin-ip | 14| | no | Admin preference of Service-IP | | top-only | no | Highest priority server only -------------------------------------------------------------------------------alias-admin-pf | | | no | Admin preference of alias name weighted-alias | | | no | Weight of alias name -------------------------------------------------------------------------------auto-map | | module | all | DNS Auto Mapping Modules | | ttl | 300 | DNS Auto Mapping TTL -------------------------------------------------------------------------------geo-location | | match-first | global | Geo-location table to use first | | overlap | no | Geo-location overlap matching
Table 10 describes the fields in the command output. TABLE 10 show gslb policy fields
Field Policy name Type MO Option En-Value Description Description Name of the GSLB policy. Name of the GSLB metric. For GSLB metrics, indicates the order in which the metrics are used. Metric or option name. For metric, indicates whether they are enabled (yes or no). For options, indicates the value. Description of the metric or option.
show gslb protocol

Description Show the status of the GSLB protocol on the GSLB AX Series and the SLB devices (site AX Series). show gslb protocol [[geo-location-name] port portnum] All
Syntax
Mode
236 of 260

CLI Command Reference - Show Commands Example
AX#show gslb protocol GSLB site: aapg slb-dev: ax (127.0.0.1) Established Session ID: 26702 Connection succeeded: 1 |Connection failed: Open packet sent: 1 |Open packet received: Open session succeeded: 1 |Open session failed: Sessions Dropped: 0 |Update packet received: Keepalive packet sent: 1408 |Keepalive packet received: Notify packet sent: 0 |Notify packet received: Message Header Error: 0 GSLB site: abc slb-dev: ax1 (127.0.0.2) Established Session ID: 65410 Connection succeeded: 1 |Connection failed: Open packet sent: 1 |Open packet received: Open session succeeded: 1 |Open session failed: Sessions Dropped: 0 |Update packet received: Keepalive packet sent: 1408 |Keepalive packet received: ...
The following command shows GSLB protocol status information on an AX device acting as a GSLB controller:
0 1 0 34411 1407 0
0 1 0 34411 1407
show gslb rdt

Description Syntax Show aRDT data. show gslb rdt [geo-location [active [geo-location-name ...] [site site-name] [depth num]] [slb-device [active [geo-location-name ...] [ip ipaddr [...]]] | [local-info] Option geo-location slb-device local-info active Description Displays aRDT data based on geo-location. Displays aRDT data based on SLB device. Displays local aRDT data on a site AX device. Displays data for aRDT.
237 of 260

CLI Command Reference - Show Commands site site-name depth num Displays aRDT data only for the specified GSLB site. Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed.
ip ipaddr [...] Displays aRDT data only for the specified clients. Mode Usage All All of the options except local-info are applicable when you enter the command on a GSLB AX device. To display local aRDT data on a site AX device, enter the command on the site AX device and use the local-info option. Here is an example of the output for this command when entered on the GSLB AX device:
Example
AX#show gslb rdt
TTL = Time to live(Unit: min), T = Type, A(active) Device: site1/remote IP 10.10.10.2 20.20.20.21 192.168.217.1 192.168.217.11 TTL 10 10 10 10 T| A| A| A| A| 1 0 41 38 41 2 0 40 54 40 3 0 29 46 29 4 0 46 50 46 5 0 38 43 38 6 0 42 38 42 34 30 7 0 34 8 0 30 ------------------------------------------------------------------------------
Device: site2/local IP 10.10.10.2 20.20.20.21 192.168.217.1 192.168.217.11 TTL 10 10 10 10 T| A| A| A| A| 1 35 20 16 20 2 52 20 44 20 3 35 16 20 16 4 40 16 16 16 5 54 20 20 20 6 56 16 18 16 20 18 7 44 20 8 48 18 ------------------------------------------------------------------------------
T = Type: A(active), TS = Time Stamp(unit: min)
238 of 260

Geo-location cn.sh cn.bj jp us Site site1 site2 site1 site2 site1 site2 site1 site2 T RDT TS A 38 A 18 A 30 A 18 A 30 A 18 A 0 A 48 10 10 10 10 10 10 10 10 ------------------------------------------------------------------------------
This example shows the default display (with no additional options). The TTL results are organized by site AX device, then by geo-location. Table 11 describes the fields in the command output. TABLE 11 show gslb rdt fields
Field Device IP TTL T 1-8 Geo-location Site T RDT TS Description Site AX device. IP address at the other end of the aRDT exchange. Time-to-live for the Active-TT entry. RDT type, which can be A (aRDT). Individual aRDT measurements (in units of seconds). Geo-location name for which aRDT measurements have been taken. GSLB site name within the geo-location. RDT type. (See descriptions above.) Individual aRDT measurements (in units of seconds). System time stamp of the aRDT measurement.
show gslb samples conn

Description Syntax Show the number of connections that are currently on a virtual port. show gslb samples conn {service-name | vipaddr} port-num [range-start] [range range-start range-end]
239 of 260

CLI Command Reference - Show Commands Option service-name | vipaddr port-num range-start range range-start range-end Description Specifies the service name or service IP. Specifies the virtual port. Specifies the range start.
Collects samples only for the specified range of service port numbers.
Mode Usage
All The number of connections on the site is sampled based on the GSLB status interval. (This is configurable using the gslb protocol command. See gslb protocol on page 163.) Samples are listed row by row. The first 7 samples appear on row 1, the second 7 samples appear on row 2, and so on. If you disable the GSLB protocol, the data is cleared.
Example
The following example shows connection activity for virtual port 80 on virtual server china.
AX#show gslb samples conn china 80 0 | 1 2 3 4 5 6 7 ---------------------------------------------------------------------------1 | 15000 25000 35000 45000 55000 65000 75000 2 | 85000 95000 105000
show gslb samples conn-load

Description Syntax Show the number of connections on each virtual server. show gslb samples conn-load num-samples interval [service-name | vipaddr] [port-num] Option num-samples num-samples service-name | vipaddr Description Number of connection-load samples to collect and display. Number of seconds to wait between collection of each sample. Collects samples only for the specified service IP.
240 of 260

CLI Command Reference - Show Commands port-num Collects samples only for the specified service port number.
Mode Example
All The following command shows 5 connection-load samples, collected at 5second intervals:
AX#show gslb samples conn-load 5 5 ip1:80, average is: 36 | 1 2 3 4 5 6 7 ---------------------------------------------------------------------------1 | 0 0 11 1 168 ip2:80, average is: 38 | 1 2 3 4 5 6 7 ---------------------------------------------------------------------------1 | 0 0 22 2 168 ip3:80, average is: 60 | 1 2 3 4 5 6 7 ---------------------------------------------------------------------------1 | 120 0 0 0 180 ip4:80, average is: 86 | 1 2 3 4 5 6 7 ---------------------------------------------------------------------------1 | 240 0 0 0 192
In this example, five samples, taken at 5-second intervals, are shown for each of four services (ip1:80 to ip4:80). The services are listed by service IP and service port. In each section, the numbers across the top are column numbers. The numbers along the leftmost column are row numbers. The other numbers are the actual connection load data. For example, for ip1:80 (service port 80 on service IP ip1), there were no connections during the first or second data samples, and 11 connections during the third sample.
241 of 260

show gslb samples rdt

Description Syntax Show the aRDT between the GSLB AX Series and a client. show gslb samples rdt [geo-location-name [active [geo-location-name ...] [site site-name] [depth num]] [slb-device [active [geo-location-name ...] [site site-name] [depth num]] [local-info] Option geo-locationname slb-device local-info active site site-name depth num Description Displays aRDT data only for the specified GSLB geo-location. Displays aRDT data only for the specified SLB device. Displays local aRDT data on a site AX device. Displays data for aRDT. Displays aRDT data only for the specified GSLB site. Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed.
Mode Usage
All Eight aRDT samples are displayed for each device. Times are shown in 10millisecond (ms) increments. In the example below, the first aRDT time for Device1 is 50 ms. If you disable the GSLB protocol, the data is cleared.
242 of 260

show gslb service

Description Syntax Show the configuration information for services. show gslb service {cache | dns-a-record | dns-cname-record | dns-mx-record | dns-ns-record | dns-ptr-record | dns-srv-record | session} [service-name ...] [zone zone-name] [ip ipaddr {subnet-mask | /mask-length}] Option cache dns-a-record dns-cnamerecord dns-mx-record dns-ns-record dns-ptr-record dns-srv-record dns-txt-record session service-name zone zone-name ip ipaddr {subnet-mask | /mask-length} Description Displays service information in the GSLB DNS cache. Displays Address records for GSLB services. Displays CNAME records for GSLB services. Displays MX records for GSLB services. Displays name server records for GSLB services. Displays pointer records for GSLB services. Displays service records for GSLB services. Displays DNS TXT records for GSLB services. Displays current GSLB sessions for services. Specifies a service name. Specifies a zone name.
Specifies a client host or subnet address. (This option applies only to the session option.)
Mode
All
243 of 260

CLI Command Reference - Show Commands Example The following example shows CNAME information for zone a10.com:
AX#show gslb service dns-cname-record a10.com Zone: a10.com Alias = Alias Name, Geoloc = Geo-location G-Geoloc = Matched Global Geo-location P-Geoloc = Matched Policy Geo-location Service Alias Geoloc G-Geoloc P-Geoloc -----------------------------------------------------------------------------http:www http.a10.com pc1 (empty) (empty) ftp:ftp ftpp.a10.com pc1 (empty) pc1
show gslb service-ip

Description Shows information for a GSLB service. show gslb service-ip {service-name | vipaddr | local-info} Option service-name | vipaddr local-info Example Description Specifies the service name or VIP address. Shows local SLB virtual-server information.
The following command shows information for the beijing service:
AX#show gslb service-ip beijing V = Is Virtual server, E = Enabled P-Cnt = Count of Service Ports Service-IP IP V E State P-Cnt Hits -----------------------------------------------------------------------------:Device1:beijing 2.1.1.10 Y Y UP 3 0
Table 12 describes the fields in the command output. TABLE 12 show gslb service-ip fields
Field Service-IP IP V E State P-Cnt Hits Description Device name and service IP name. IP address of the service. Indicates whether the service IP is a virtual server IP address (Y) or a real server IP address (N). Indicates whether the service IP is enabled. Indicates the service IP state: UP or DOWN. Number of service ports on the service IP. Number of times the service IP has been selected.
244 of 260

show gslb service-port

Description Syntax Show information about the GSLB service ports configured on the sites. show gslb service-port [local-info] Option local-info Mode Example All The following command shows information about all the configured GSLB service ports. Description Shows local SLB virtual-port information.
AX#show gslb service-port Attrs = Attributes, Act-Svrs = Active Real Servers Curr-Conn = Current Connections D = Disabled, P = GSLB Protocol, L = Local Protocol Service-Port Attrs State Act-Svrs Curr-Conn -----------------------------------------------------------------------------10.77.27.222:80 L DOWN 0 0 10.10.10.1:80 DOWN 0 0 67.67.6.84:80 UP 1 0 67.67.6.82:21 UP 1 0 192.168.100.6:80 DOWN 0 0
Table 13 describes the fields in the command output. TABLE 13 show gslb service-port fields
Field Service-Port Attrs State Act-Svrs Curr-Conn Description Service IP address and service port number. Indicates whether the service port is reached using the GSLB protocol or the local (SLB) protocol. Indicates the service state: IP or DOWN. Number of active real servers for the service. Current number of connections to the service.
show gslb session

Description Show cached GSLB policy selections. Selections are cached on a zone:service basis. While a cached GSLB policy selection is valid (that is, before it ages out), the cached selection is used for subsequent requests from the same client for the same zone and service.
245 of 260

CLI Command Reference - Show Commands Syntax show gslb session [service-name ...] [zone zone-name] [ip ipaddr {subnet-mask | /mask-length}] Option service-name zone zone-name ip ipaddr {subnet-mask | /mask-length} Mode All Description Specifies a service name. Specifies a zone name.
Specifies a client host or subnet address.
show gslb site

Description Syntax Show GSLB site information. show gslb site [site-name ...] [bw-cost] [statistics] Option site-name bw-cost statistics Mode Example All The following command shows information for GSLB site Site1: Description Displays information only for the specified site. Displays BW-Cost information. Displays statistics.
AX#show gslb site Site1 Site Device/server VIP Vport State Hits ------------------------------------------------------------------Site1 Device1 (device) 2.1.1.10 Up 0 1.2.2.2 21 Up 23 Up 80 Up 2.1.1.11 Up 0 21 Up 80 Up 2.1.1.12 Up 0 21 Up 23 Up 80 Up serverB (server) Up 0 3.1.1.10 80 Up
246 of 260

CLI Command Reference - Show Commands Table 14 describes the fields in the command output. TABLE 14 show gslb site fields
Field Site Device/server VIP Vport State Hits Description GSLB site name. Device name and device IP address or real server name and real server IP address. Virtual IP address for the service. Virtual port number. Virtual port state. Number of times the service IP was selected.
Table 15 describes the fields in the command output when the bw-cost option is used. TABLE 15 show gslb site bw-cost fields
Field Site Template Current Highest Limit U Type Len Value TI Description GSLB site name. SNMP template name. Current value of the SNMP object used for measurement. Highest value of the SNMP object used for measurement. Limit configured for the BW-Cost metric. Indicates whether the site is usable, based on the BW-Cost measurement. Data type of the SNMP object. Data length of the SNMP object. Value of the SNMP object. Time interval between measurements.
Example
The following command shows GSLB site statistics:
AX#show gslb site statistics Site Hits Last ----------------------------------------------------------------------------site1 14 2.1.1.10 site2 0 (empty) site3 0 (empty) site4 0 (empty)
247 of 260

CLI Command Reference - Show Commands Table 16 describes the fields in the command output when the statistics option is used. TABLE 16 show gslb site statistics fields
Field Site Hits Last Description GSLB site name. Number of times the site was selected. Site that was most recently selected.
show gslb slb-device

Description Syntax Show information about an SLB device used by GSLB. show gslb slb-device [ device-name | local-info | rdt active [device-name ... | ip ipaddr ...] ] Option device-name local-info rdt options Description Displays information only for the specified SLB device. Displays local SLB device information on a site SLB device. Displays aRDT data. You can use the following options: active Displays data for aRDT. device-name Displays aRDT data only for the specified SLB device. ip ipaddr Displays aRDT data only for the specified client IP address(es). Mode All
248 of 260

CLI Command Reference - Show Commands Example The following command shows information about SLB device Device1:
AX#show gslb slb-device Device1 APF = Administrative Preference, Sub-Cnt = Count of Service-IPs Sesn-Uzn = Session Utilization Sesn-Num = Number of Available Sessions Device IP APF Sesn-Uzn Sesn-Num Sub-Cnt -----------------------------------------------------------------------------site1:Device1 1.2.2.2 200 0% 0 3
Table 17 describes the fields in the command output. TABLE 17 show gslb site fields
Field Device IP APF Sesn-Uzn Sesn-Num Sub-Cnt Description Site name and device name. SLB devices IP address. Administrative preference for the device. Current session utilization on the device. Number of sessions available on the device. Number of service IPs on the device.
show gslb state

Description Syntax Mode Usage Show GSLB state information collected by GSLB debugging. show gslb state All To collect state information, enable GSLB debugging and use the state option. (See the example below.) The following commands enable GSBL debugging with retention of state information, and initiate display of the state information:
Example
site-ax-1(config)#debug gslb state site-ax-1(config)#show gslb state
show gslb statistics

Description Syntax Show statistics for the GSLB protocol, for sites, or for zones. show gslb statistics {message | site | zone}
249 of 260

CLI Command Reference - Show Commands Mode Usage All The show gslb statistics message command shows the same output as the show gslb protocol command. Similarly, the show gslb statistics site command shows the same output as the show gslb site statistics command, and the show gslb statistics zone command shows the same output as the show gslb zone statistics command. The following command shows statistics for the GSLB protocol:
Example
AX#show gslb statistics message GSLB site: site1 slb-dev: remote (20.20.20.2) Established Session ID: 40576 Connection success: 4 |Connection failure: Open packet sent: 4 |Open packet received: Open session success: 1 |Open session failure: Dropped sessions: 0 |Update packet received: Keepalive packet sent: 1219 |Keepalive packet received: Notify packet sent: 0 |Notify packet received: Message Header Error: 0 | GSLB site: site2 slb-dev: local (192.168.217.2) Established Session ID: 104 Connection success: 1 |Connection failure: Open packet sent: 1 |Open packet received: Open session success: 1 |Open session failure: Dropped sessions: 0 |Update packet received: Keepalive packet sent: 2 |Keepalive packet received: Notify packet sent: 0 |Notify packet received: Message Header Error: 0 | GSLB controller: 192.168.217.2 Established Session ID: 104 Connection success: 0 |Connection failure: Open packet sent: 1 |Open packet received: Open Sent 1 |Open session failure: Dropped sessions: 0 |Update packet sent: Keepalive packet sent: 2 |Keepalive packet received: Notify packet sent: 0 |Notify packet received: Message Header Error: 0 |
0 1 3 5101 1218 0 0
1 1 0 22 1 0 0
0 1 0 22 1 0 0
show gslb zone

Description Syntax Show GSLB zone information. show gslb zone [zone-name] [dns-mx-record] [dns-ns-record] [dns-soa-record] [statistics]
250 of 260

CLI Command Reference - Show Commands Option zone-name dns-mx-record dns-ns-record dns-soa-record statistics Mode Example All The following example shows information for zone a10.com: Description Displays information only for the specified zone. Displays the MX records for the zone(s). Displays the name server records for the zone(s). Displays the start-of-authority records for the zone(s). Displays statistics for the zone(s).
AX#show gslb zone a10.com Zone Service Policy TTL -----------------------------------------------------------------------------a10.com www 20 http:www www 20 ftp:ftp ftp 30
Table 18 describes the fields in the command output. TABLE 18 show gslb zone fields
Field Zone Service Policy TTL Description Zone name. Service type and service name. GSLB policy name. DNS TTL value set by GSLB in DNS replies to queries for the zone address.
Example
The following command shows MX records for zones:
AX#show gslb zone dns-mx-record Pri = Priority, Last = Last Server Owner MX-Record Pri Hits Last -----------------------------------------------------------------------------mail.abc.com:smtp mail1.abc.com 0 0 mail2.xyz.com 10
251 of 260

CLI Command Reference - Show Commands Table 19 describes the fields in the command output. TABLE 19 show gslb zone dns-mx-record fields
Field Owner MX-Record Pri Hits Last Description Zone and service name to which the MX record belongs. Name of the MX record. Priority (preference) set for the MX record. Number of times the record has been used. Most recent time the record was used.
Example
The following command shows GSLB zone statistics:
AX(config-gslb zone-gslb service)#show gslb zone example.com statistics GSLB Zone example.com: Total Number of Services configured: 1 Rcv-query = Received Query, Sent-resp = Sent Response M-Proxy = Proxy Mode, M-Cache = Cache Mode M-Svr = Server Mode, M-Sticky = Sticky Mode Service Rcv-query Sent-resp M-Proxy M-Cache M-Svr M-Sticky ----------------------------------------------------------------------------http:www 16 15 3 0 0 12 Total 16 15 3 0 0 12
Table 20 describes the fields in the command output. TABLE 20 show gslb zone statistics fields
Field GSLB Zone Total Number of Services configured Service Rcv-query Sent-resp M-Proxy M-Cache Description Zone name. Number of GSLB services configured for the zone.
M-Svr
Service type and service name. Number of DNS queries received for the service. Number of DNS replies sent to clients for the service. Number of DNS replies sent to clients by the AX device as a DNS proxy for the service. Number of cached DNS replies sent to clients by the AX device for the service. (This statistic applies only if the DNS cache option is enabled in the policy.) Number of DNS replies sent to clients by the AX device as a DNS server for the service. (This statistic applies only if the DNS server option is enabled in the policy.)
252 of 260

CLI Command Reference - Show Commands TABLE 20 show gslb zone statistics fields (Continued)
Field M-Sticky Description Number of DNS replies sent to clients by the AX device to keep the clients on the same site. (This statistic applies only if the DNS sticky option is enabled in the policy.)
253 of 260

CLI Command Reference - Clear Command
Clear Command
clear
Description Clear statistics or reset functions. Sub-command parameters are required for specific sub-commands. clear gslb {options} Sub-Command all cache debug fqdn geo-location group ip-list memory protocol rdt samples server service session site slb-device statistics options zone Description Clears all GSLB statistics. Clears the GSLB DNS cache. Clears debug statistics. Clears FQDN statistics. Clears geo-location statistics. Clears GSLB group statistics. Clears IP-list statistics. Clears memory statistics. Clears GSLB protocol statistics. Clears RDT samples. Clears aRDT samples. Clears server statistics. Clears service statistics. Clears GSLB sessions. Clears site statistics. Clears SLB device samples. Clears message, site, or zone statistics. Clears zone statistics.
Syntax
254 of 260

CLI Command Reference - DNSSEC Commands
DNSSEC Commands
This section describes the commands for DNSSEC. (For more on this feature, see DNSSEC Support on page 133.)
dnssec key-generate
Description Syntax Generate a key for DNSSEC. dnssec key-generate name algorithm [RSASHA1 | RSASHA256 | RSASHA512 | NSEC3RSASHA1] keysize num Parameter name algorithm [RSASHA1 | RSASHA256 | RSASHA512 | NSEC3RSASHA1] Description Key filename.
RSA SHA algorithm to use to generate the DNSSEC key pair (ZSK and KSK). You can specify any of the following algorithms: RSASHA1 (default) RSASHA256 RSASHA512 NSEC3RSASHA1 Selecting one of the first three algorithms (RSASHA1, RSASHA256, or RSASHA512) will cause the standard NSEC resource record to be generated for the zone. However, selecting the fourth algorithm option (NSEC3RSASHA1) causes the NSEC3/NSEC3PARAM record to be generated for the zone, which is helpful in mitigating the threat posed by zone walking. Different zones can use different DNSSEC templates and thus have different algorithms.
keysize num
number of bits in the DNSSEC key, which can range from 512-4096 bits. Values must be specified in multiples of 64 bits, and the default value is 1024 bits.
255 of 260

CLI Command Reference - DNSSEC Commands Default Mode See above. Global configuration mode
dnssec template
Description Syntax Configure a DNSSEC template. [no] dnssec template template-name This command changes the CLI to the configuration level for the specified DNSSEC template, where the following commands are available. Command [no] combinationslimit num Description
Maximum number of combinations per Resource Record Set (RRset), where RRset is defined as all the records of a particular type for a particular domain, such as all the quad-A (IPv6) records for www.example.com. You can specify 165535. Lifetime for DNSSEC key resource records. The TTL can range from 1-864,000 seconds. Key signing key (KSK) for establishing the chain of trust and is the private counterpart to the public zone signing key used to sign authentication keys for the zone. At least one KSK is needed to sign successfully, but no more than two KSKs can be configured.
[no] dnskey-ttl seconds [no] ksk name
[no] returnnsec-on-failure Returns an NSEC or NSEC3 record in response to a client request for an invalid domain. As originally designed, DNSSEC would expose the list of device names within a zone, allowing an attacker to gain a list of network devices that could be used to create a map of the network. [no] signaturevalidity-period days Period for which a signature will remain valid. The time can range from 5 to 30 days.
256 of 260

CLI Command Reference - DNSSEC Commands [no] zsk name [active | published | deprecated]
Zone signing key (ZSK) for signing the domain names zone. At least one ZSK is needed to sign successfully, but no more than two ZSKs can be configured. active Sets key status to active. published Sets key status to published. deprecated Sets key status to deprecated.
Default
The default DNSSEC template has the following defaults:

combinations-limit 31 dnskey-ttl 14,400 seconds (4 hours) ksk Not set return-nsec-on-failure enabled signature-validity-period 10 zsk Not set
Mode
dnssec sign-zone-now
Description Syntax Immediately trigger zone-signing. dnssec sign-zone-now name Parameter name Default Description Name of the DNS zone.
Signing begins 30 seconds after the zone or DNSSEC template configuration is changed. Global configuration mode
Mode
257 of 260

CLI Command Reference - DNSSEC Commands
show dnssec template

Description Syntax Mode Display information for a DNSSEC template. show dnssec template name All
258 of 260
259 of 260
Performance by Design
Corporate Headquarters A10 Networks, Inc. 3 West Plumeria Dr San Jose, CA 95134 USA Tel: +1-408-325-8668 (main) Tel: +1-888-822-7210 (support toll-free in USA) Tel: +1-408-325-8676 (support direct dial) Fax: +1-408-325-8666 www.a10networks.com
2012 A10 Networks Corporation. All rights reserved.
260

AX GSLB Guide v2 7 0-20121010

Uploaded by

Copyright:

Available Formats

AX GSLB Guide v2 7 0-20121010

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AX GSLB Guide v2 7 0-20121010

Uploaded by

Copyright:

Available Formats

GlobalServerLoadBalancingGuide

AX Series Advanced Traffic Manager

A10 Networks, Inc. 10/10/2012 - All Rights Reserved

Information in this document is subject to change without notice. Trademarks

A10 Networks Inc. Software License and End User Agreement

AX Series - GSLB Configuration Guide

End User License Agreement

Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

AX Series - GSLB Configuration Guide

Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

AX Series - GSLB Configuration Guide

Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

AX Series - GSLB Configuration Guide

Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

AX Series - GSLB Configuration Guide

Obtaining Technical Assistance

Collecting System Information

USING THE GUI (RECOMMENDED)

3. Email the file as an attachment to [email protected].

USING THE CLI

AX Series - GSLB Configuration Guide

Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

AX Series - GSLB Configuration Guide

About This Document

Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

AX Series - GSLB Configuration Guide

A10 Virtual Application Delivery Community

Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

AX Series - GSLB Configuration Guide

Collecting System Information.............................................................................................................. 7

Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

AX Series - GSLB Configuration Guide

Auto-mapping Advanced DNS Options

Partition-specific Group Management GSLB Configuration Examples

Implementation Details .........................................................................................................................97

GSLB Configuration Synchronization

AX Series - GSLB Configuration Guide

Geo-location-based Access Control

Cloud-based Computing Solution DNSSEC Support

CLI Command Reference

Main Configuration Commands ........................................................................................................ 153

AX Series - GSLB Configuration Guide

Policy Configuration Commands.......................................................................................................188

Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

AX Series - GSLB Configuration Guide

Show Commands................................................................................................................................ 222

Clear Command .................................................................................................................................. 254

DNSSEC Commands .......................................................................................................................... 255

Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

AX Series - GSLB Configuration Guide

Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

AX Series - GSLB Configuration Guide

users to the nearest site

ment by distributing load to multiple sites

Performance by Design Document No.: D-030-01-00-0029 - Ver. 2.7.0 10/10/2012

AX Series - GSLB Configuration Guide

GSLB Deployment Modes

Zones, Services, and Sites

that performs Server Load Balancing (SLB) for the site.