Cisco Global Site Selector


Description: Cisco Global Site Selector. Vikas Deolaliker, Product Manager, ECBU. September 2011. Global Site Selector product overview. Cisco GSS in a nutshell: up to 16 GSS can work in a cluster to meet the needs of large Enterprise and Service Provider customers. ACE GSS4492R-K9 HW.

Transcript of Cisco Global Site Selector

Page 1: Cisco Global Site Selector

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cisco Global Site Selector

Vikas Deolaliker

Product Manager, ECBU

September, 2011

Page 2: Cisco Global Site Selector

Product Overview: Global Site Selector

Page 3: Cisco Global Site Selector

Cisco GSS in a Nutshell

DNS Services
- DNS authority for A records and AAAA records (Rel. 4.1)
- Answers of type: A record, AAAA, NS and CRA
- DDoS mitigation for DNS security
- 12K – 28K DNS RPS depending upon configuration complexity

GSS Network Configuration Limits
- Destination: 2000 hosted domains (128 chars with wildcards)
- Source: 60 Source Address Lists
- Resources: 4000 VIPs across 256 SLBs (increasing to 8K in Rel 4.1)
- KALs: MP, ICMP, TCP, HTTP/Head, KAL-AP, SNMP, CRA, NS
- Policy: 4000 DNS rules across the GSS Network

GSLB Services
- Availability: Site Level Failover
- GSLB Methods: Geographical, Topological, Least Loaded, Client Source Resolver Hash, Ordered List, Ratio, RR/WRR
- Resource Affinity: Sticky, Cookies

Management, Monitoring & Logging
- User Interface: GUI (with new Cisco Kubric look & feel) & CLI
- Authorization: RBAC
- Management Station Support: ANM Support

Pricing: $20K plus licenses for DDoS, GeoIP
• License-free IPv6 Support
• DDoS Protection
• Geographical and Resource Affinity
• Supports Cisco ACE/CSS/CSM

http://cio.cisco.com/en/US/products/hw/contnetw/ps4162/products_installation_and_configuration_guides_list.html

Part numbers
- ACE GSS4492R-K9: HW
- SF-GSS-V1.3-K9: SW
- SF-GSS-DDOSLIC: DDoS
- SF-GSS-GIPLICFX: GeoIP GSLB Support
- SF-GSS-V6LICFX: IPv6 Support

Up to 16 GSS can work in a cluster to meet the needs of large Enterprise and Service Provider customers.

Page 4: Cisco Global Site Selector

More specifically …
• Provides universal DNS-based Disaster Recovery – redirects clients to the back-up data center for any device that supports an SNMP MIB and uses DNS
• Protects the DNS infrastructure with DNS-based DDoS mitigation software
• Delivers advanced Global Traffic Management: Global Server Load Balancing (GSLB) for geographically dispersed Server Load Balancers and Caches. Connects clients to the best server based on:
  - Network topology
  - Server load
  - Availability of content and devices

GSS participates in your DNS infrastructure to enforce BCDR, GSLB and DNS security policies.

Page 5: Cisco Global Site Selector

Release 4.1 Highlights

Key Benefits
1. Route clients based on geographical proximity to the application
2. Support for IPv6 addressing for clients and servers
3. Extreme scalability for cloud datacenters
4. Reduce operational costs through enhanced GUI and ANM integration

[Diagram: User (2001:0DB8:AC10:FE01::) -> LDNS -> GSS Network -> SLB (2001:0DB8:AC10:FE01::) at Datacenter A or Datacenter B; steps a–d]

Globally route clients based on
- Geographical Proximity
- RTT Proximity
- Site Persistence
- Site Health

Available on CCO: September 22nd, 2011

Page 6: Cisco Global Site Selector

Geolocation Based Global Delivery

Geolocation Highlights
(a) GeoIP based Proximity
• Proximity calculations using GeoIP distances
(b) GeoRegions: GeoIP based Regions
• Regions based on GeoIP database entries (add a single country or multiple countries). Granularity down to states
• Sticky support for GeoRegions
(c) GeoSAL: GeoIP based Source Address Lists
• SALs can be based on GeoIP based Regions
(d) New GUI Design (Kubric Look & Feel)
• GUI option to configure all GeoIP functionality

[Diagram: User (2001:0DB8:AC10:FE01::) -> LDNS -> GSS Network -> SLB at Datacenter A or Datacenter B; steps a–d]

Page 7: Cisco Global Site Selector

GeoProximity

[Diagram: User (2001:0DB8:AC10:FE01::) -> LDNS -> Internet -> ACE GSS -> Servers in Data Center A, B, C and D]

• Override RTT based Proximity
• Pick the application based on geographical distance between the probing device and the client LDNS
• Licensable Feature

Page 8: Cisco Global Site Selector

GeoRegions

o Define Regions based on logical groups. For example BRIC (Brazil, Russia, India, China).
o Create geographically grouped resource pools, for example US-Central-Datacenter. Use the regions to group resources (VIPs, NS, CRA) and clients (source address lists).
o Define persistence policy based on GeoRegions.

[Diagram: GeoRegions example – US-Central-Datacenter]
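The GeoIP proximity and GeoRegion ideas on slides 6 to 8, modelled as an added example in Python (not Cisco's code and not the GSS implementation). The GeoIP table, the datacenter coordinates and the region definitions are constructed sample data; a real deployment uses the GeoIP database the product ships with. The example goes slightly beyond the slides by showing the fallback (return None) when the LDNS is not in the table, so a caller can drop back to RTT probing:

```python
"""
Added example (not from the Cisco deck): GeoIP-based proximity and GeoRegions.
All tables below are constructed sample data, not product data.
"""
import ipaddress
import math

# Constructed GeoIP table: prefix -> (country, subdivision, latitude, longitude)
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): ("IN", "MH", 19.08, 72.88),    # Mumbai
    ipaddress.ip_network("198.51.100.0/24"): ("BR", "SP", -23.55, -46.63),  # Sao Paulo
    ipaddress.ip_network("192.0.2.0/24"): ("US", "TX", 32.78, -96.80),      # Dallas
}

# Constructed datacenters (GSS answers) with coordinates.
DATACENTERS = {
    "dc-us-central": (41.88, -87.63),   # Chicago
    "dc-eu": (45.46, 9.19),             # Milan
    "dc-asia": (1.35, 103.82),          # Singapore
}

# GeoRegions: logical groups of countries (the slide's BRIC example) plus a
# state-level region, since the slides say granularity goes down to states.
# (country, None) means the whole country; (country, subdivision) one state.
GEOREGIONS = {
    "BRIC": {("BR", None), ("RU", None), ("IN", None), ("CN", None)},
    "US-Central": {("US", "TX"), ("US", "IL")},
}


def lookup(ldns_ip: str):
    """Longest-prefix GeoIP lookup for the client's LDNS address."""
    addr = ipaddress.ip_address(ldns_ip)
    best = None
    for net, info in GEOIP.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return None if best is None else best[1]


def in_region(ldns_ip: str, region: str) -> bool:
    """GeoSAL-style check: does the LDNS fall inside the named GeoRegion?"""
    info = lookup(ldns_ip)
    if info is None:
        return False
    country, subdivision = info[0], info[1]
    members = GEOREGIONS[region]
    return (country, None) in members or (country, subdivision) in members


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km; the proximity metric used in this example."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def closest_datacenter(ldns_ip: str, candidates=None):
    """GeoIP proximity: pick the candidate datacenter nearest to the LDNS.

    Returns None when the LDNS is not in the GeoIP table, so the caller can
    fall back to RTT-based proximity or a default answer."""
    info = lookup(ldns_ip)
    if info is None:
        return None
    lat, lon = info[2], info[3]
    names = list(candidates) if candidates else list(DATACENTERS)
    return min(names, key=lambda n: haversine_km(lat, lon, *DATACENTERS[n]))
```

`closest_datacenter` takes an optional candidate list so it can be applied after a DNS rule has already narrowed the answer group, which is where a GeoIP proximity clause sits in the GSS model.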

Page 9: Cisco Global Site Selector

Operational Flexibility

• ANM
  • Import GSSM configuration into ANM and monitor VIP status and DNS rule status/hit count statistics from the ANM GUI
  • Suspend/Activate VIPs/Rules/GSS SW Rel Num from the ANM GUI
• HTTPS KAL
  • Add HTTPS-HEAD to the existing KAL types: ICMP, TCP, HTTP HEAD, KAL-AP, Scripted KAL, CRA, and Name Server
• Global Shared KeepAlive Activate/Suspend
• GUI Logging

Lower the Operation Expense

Page 10: Cisco Global Site Selector

Ease of Management

• GSS is a system, not a device
  - Self-synchronization of up to 16 GSSes
  - Single point of management via GUI
  - Does not sacrifice device-level access (SSH to box)
  - Any GSS can run the GUI and a 2nd GSS serves as standby
• Easy to use interface
  - IOS syntax; 100 new CLI commands since v1.3
  - Single interface for monitoring, troubleshooting and configuration
  - Supports import/export of configuration in industry standard formats
  - Role based Access Control
  - Remote Syslog support
• Management integration with ANM
  - ANM supports the activation and suspension of DNS rules and answers
  - ANM communicates with the primary GSS manager (PGSSM) via CLI, RMI and SSH. The configuration parameters needed to establish this communication are the GSS IP address and SSH credentials
  - Four of the eight administrator logons are consumed by ANM
  - ANM issues commands to the PGSSM, then the PGSSM relays these commands to the rest of the GSSs in the cluster

[Diagram: ANM -> GSS GUI -> GSS Network]

GSS network is managed as a system – reduces the number of touchpoints

Page 11: Cisco Global Site Selector

IDN Support

1. Internationalized Domain Names (IDNs) are domain names that contain non-ASCII characters (for example, Arabic or Chinese).
2. The ASCII form of an IDN label is termed the "A-label". The non-ASCII form is in Unicode and is termed the "U-label".
3. GSS can be configured for non-ASCII URLs.

Page 12: Cisco Global Site Selector

DNSSEC Ready

1. *Matching* non-A DNS queries are automatically forwarded to the external name server.
2. For *matching* A queries with the DO (DNSSEC OK) flag set, GSS forwards the request to the external name server; the external NS provides a DNSSEC response, which the GSS forwards to the D-proxy.
3. For all the rest, GSS responds as it currently does, with a plain DNS response.

Configuration is quick and simple:

gss2-tb1.cisco.com# configure terminal
gss2-tb1.cisco.com(config)# property set ServerConfig.dnsserver.enableEDNS 1
gss2-tb1.cisco.com(config)# property set ServerConfig.dnsserver.nsForwardAQueriesWithDOFlag 1
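The three-way forwarding decision on this slide, as an added example in Python (not Cisco's code and not the GSS implementation). It parses a DNS query in wire format, looks for the EDNS0 OPT pseudo-record and its DO bit, and returns which branch applies. The hosted-domain list stands in for a GSS domain list and is constructed; the external name server itself is not modelled:

```python
"""
Added example (not from the Cisco deck): decide whether a query is forwarded
to the external name server or answered locally, following the slide's rules.
"""
import struct

QTYPE_A = 1
QTYPE_OPT = 41
EDNS_DO_BIT = 0x8000  # high bit of the OPT record's 16-bit extended flags

# Constructed hosted-domain list; stands in for a GSS domain list.
HOSTED_DOMAINS = {"www.example.com", "api.example.com"}


def _read_name(msg: bytes, offset: int):
    """Decode an uncompressed domain name starting at offset."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def parse_query(msg: bytes):
    """Return (qname, qtype, do_flag) for a single-question DNS query."""
    _id, _flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = _read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    do_flag = False
    # Walk the remaining sections looking for the OPT pseudo-RR (type 41).
    for _ in range(ancount + nscount + arcount):
        _name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE_OPT:
            # For OPT the TTL field carries extended rcode, version and flags.
            do_flag = bool((ttl & 0xFFFF) & EDNS_DO_BIT)
    return qname, qtype, do_flag


def decide(msg: bytes) -> str:
    """Apply the slide's three rules and name the resulting action."""
    qname, qtype, do_flag = parse_query(msg)
    matching = qname in HOSTED_DOMAINS
    if matching and qtype != QTYPE_A:
        return "forward-to-external-ns"   # rule 1: matching non-A query
    if matching and do_flag:
        return "forward-to-external-ns"   # rule 2: matching A query with DO set
    return "plain-dns-response"           # rule 3: everything else


def build_query(qname: str, qtype: int, do_flag: bool = False, edns: bool = False) -> bytes:
    """Construct a query (sample input for this example)."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", qtype, 1)
    opt = b""
    if edns:
        ttl = EDNS_DO_BIT if do_flag else 0
        opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, ttl, 0)  # root name, UDP size 4096
    return header + question + opt
```

A resolver that sends an A query without EDNS, or with EDNS but without DO, lands in rule 3 even for a hosted domain, which is why the `enableEDNS` property on the slide has to be set for rule 2 to ever fire.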

Page 13: Cisco Global Site Selector

Extreme Scalability

(a) Thousands of Applications - GSS answers are VIPs declared on ACE. In Rel 4.1, GSS supports 256 ACEs, 8000 VIPs and 2000 domains.
(b) Vast Pools of Resources - KeepAlive is the way GSS monitors the resources behind the VIPs that it serves. KAL-AP is the Cisco proprietary keepalive. In Rel 4.1, GSS supports 128 KAL-AP configurations.
(c) Global Clients and Servers - GSS responds with the VIPs that are closest to the requesting client (LDNS). In Rel 4.1, GSS uses GeoIP to determine proximity in addition to the existing probing mechanisms.
(d) ANM for Cluster Management - ANM can activate/suspend answers on GSS and manage all 16 GSSes in a cluster.

[Diagram: Global Application Delivery – User -> LDNS -> GSS Network -> ACE at Datacenter A or Datacenter B, each reporting its utilization; steps a–d]

Page 14: Cisco Global Site Selector

End to End Solutions: GSS, ACE, N7K

Integration Points
(a) Wide Area vMotion (OTV/DWS) - Upon notification of a vMotion, GSS changes the answer for a query, thereby helping the customer preserve WAN bandwidth
(b) ACE Virtualization - GSS treats ACE contexts as separate ACE devices, thereby enabling virtual datacenters for each customer B, C, D, …
(c) Virtual GSS - With Rel 5.1 (CY12), vGSS can offer dedicated GSS functionality per VLAN.

[Diagram: ACE+GSS Cloud Solution – User -> LDNS -> GSS Network -> ACE at the Primary Datacenter or the Secondary Datacenter, hosting VMs for customers B, C and D]

Page 15: Cisco Global Site Selector

GSS IPv6 Support

Component | IPv6 is supported on …
Platform & Tools | access-group, access-list, interface ip, ip default-gateway, ip route, ip anycast, setup, ping, dnslookup, show, traceroute, tcpdump, ftp, scp, telnet
KAL | ICMP, TCP, HTTP, HTTPS, KALAP
Resource Grouping | VIP, Name Server, CRA, Locations, Regions, Zones
Traffic Management | Proximity, DNS Rules
GSLB | Response with AAAA for queries from IPv4 or IPv6 LDNS; respond with both A and AAAA records if available; DNS Rules support IPv6 Source Address Lists and AAAA query type filters
SNMP and Monitoring | IPv6 SNMP MIB Support

Page 16: Cisco Global Site Selector

GSS 4.1 – Q4CY11

(a) GeoIP based GSLB
• GeoIP based proximity
• GeoIP based DNS Rules and Sticky
(b) IPv6
• Support for AAAA response
• Support for persistence
• IPv6 management over IPv6 interface
(c) New GUI Design (Kubric Look & Feel)
(d) Configuration Scalability
• 8000 answers

[Diagram: User (2001:0DB8:AC10:FE01::) -> LDNS -> GSS Network -> SLB at Datacenter A or Datacenter B; steps a–d]

Page 17: Cisco Global Site Selector

GSS Release Map (Jan 2011 – Feb 2012)

Release 3.2 - HTTPS KAL - Workaround DNSSEC - Bug Fixes
Release 3.3 (Private Only) - Geo IP Proximity - 8K Answers Support - ANM support for 8K Answers
Release 4.1 - IPv6 Support - Geo IP GSLB - ANM support for 8K Answers
Release 4.1.1 - IPv6 dot.ONE release - Bug Fixes

Page 18: Cisco Global Site Selector

GSS Direction

2011
- Release 3.2 (Feb, 2011): HTTPS KAL, DNSSEC Forwarding, Critical Bug Fixes
- Release 4.1 (September, 2011): IPv6 Support (AAAA), GeoIP (Proximity, GeoRegions, GeoSALs)

2012
- Release 5.0 (CC’ed): DNSSEC with FIPS, SOA & NS Record, HW Refresh

Page 19: Cisco Global Site Selector

GlobalStrike GSS 5.1

Key Asks in GlobalStrike
1. Security and Compliance
   (a) DNSSEC strengthens the integrity of the DNS query/response transaction against threats such as
      • Forged or bogus responses
      • Removal of Resource Records (RRs) in responses
      • Incorrect application of wildcard expansion rules
   (b) USGv6 and IPv6 Ph 2 Logo certification
      • FIPS compliant or validated encryption with acceleration
      • Common Criteria EAL-2
2. Platform Refresh
   (c) UCS server based appliance (San Luis)
      • vGSS
3. GeoIP Enhancements
   (d) Logical grouping of Geo Regions
4. KAL-AP
   • Enhancements and scalability

[Diagram: User (2001:0DB8:AC10:FE01::) -> LDNS -> GSS Network -> SLB at Datacenter A or Datacenter B; steps a–d]

Concept Committed 8/22/2011

Page 20: Cisco Global Site Selector

GSS Roadmap

Rel 4.0 (Q4CY11)
1. DNS Services • IPv6: Support for AAAA, A6, CNAME DNS Records
2. GSLB Services • Geo IP based Proximity
3. DCI Services • Automation to support vMotion over DCI
4. Operation Optimization • Audit Logs • Log Source IP • Sync CLI and GUI User • View KAL logs through GUI
5. Hardware Platform • GSS-4492R

Rel 5.0 (1HCY12)
1. DNS Services • DNSSEC with FIPS • SOA & NS Record Support
2. GSLB Services • Share KAL Status Among Peers • KAL-AP with VIP Capacity/Load
3. DCI Services • Automation through integration with ANM • Exploring LISP Support
4. Operational Optimization • Authentication using AD • Automated Backup • Activate/Suspend Answers • Enhanced Reporting • Alerts/Alarms
5. Hardware Platform • Hardware Refresh with FIPS compliance

[Diagram: User -> LDNS -> GSS Network -> SLB at Datacenter A or Datacenter B]

Page 21: Cisco Global Site Selector

Ease of Deployment

[Diagram: DNS Global Control Plane over the IP Control/Forwarding Plane – clients requesting web sites over Mobile, Fixed Wireless, Cable, DSL, Dedicated/ATM/FR and ISDN/Dial access use DNS resolvers (DNSR: IE, Firefox, etc.); client name servers (D-proxy) at ISP#1, ISP#2 and ISP#3 running BIND, CNR or QIP query the Root Name Server and the intermediate name server supporting .com; Data Center #1 and Data Center #2 handle DNS requests and DNS responses over Layer 3 communications]

GSS becomes the authoritative name server for the entire zone, supporting all applications for the SP.

GSS participates in the DNS infrastructure – lower latency

Page 22: Cisco Global Site Selector

Use Case: Policy based GSLB

[Diagram: www.fifa.com – the user's P-DNS (216.1.1.1) sends a DNS query for www.fifa.com; nameserver.fifa.com holds "NS" records for GSS Johannesburg (10.86.191.150) and GSS Milan (10.86.191.134), which are joined by a mesh link; the GSS replies with an "A" record of 10.86.191.147 (VIP on the SLB at Datacenter B) or 10.86.191.131 (VIP on the SLB at Datacenter A)]

Configuration steps
1. Add NS Record for both GSSes
2. Create Mesh Link
3. Add DNS Rules + SAL + DDL + Qtype + Add Clauses

GSLB can redirect traffic based on
- Proximity: selects the answer based on lowest RTT. RTT is measured between the client’s d-proxy and a probing device (Cisco Router and/or GSS). GSS uses DRP to communicate with the probes.
- Disaster Recovery: site health check
- Datacenter Load: KAL-AP
- Ratio based GSLB

GSLB policy enables redirection based on proximity, site health, server load and user preferences

Page 23: Cisco Global Site Selector

Use Case: BCDR

[Diagram: DNS Global Control Plane (resolver, DNS name servers) over the IP Control/Forwarding Plane – access networks (Mobile, Fixed Wireless, Cable, DSL, Dedicated/ATM/FR, ISDN/Dial) reach the GSS Cluster, which directs traffic to Chicago Data Center #1, Tokyo Data Center #2 or the NJ Back-up Data Center #3]

Recovering Service Availability after Failure
- Active-Passive design
- Network fail-over can happen within 10s
- Application/Server recovery time is based on the time it takes to complete data synchronization of the back-end database, application servers and Web servers

Supported by Cisco’s Solutions: GSS, CSS, CSM, ACE

Page 24: Cisco Global Site Selector

Use Case: Securing DNS Infrastructure

[Diagram: same topology as the BCDR use case – resolver and DNS name servers in the DNS Global Control Plane, access networks reaching Chicago Data Center #1, Tokyo Data Center #2 and the NJ Back-up Data Center #3, with compromised DNS name servers or DNS bots sending requests toward the data centers]

- Provides a security-focused, highly available DNS/DHCP/TFTP infrastructure for one or more data centers
- Automatically identifies DNS-based DDoS attacks and mitigates them
- Rate limits these specific DNS requests

Page 25: Cisco Global Site Selector

GSS Release 3.1.2

Before -> After
1. No support for IDNA -> IDNA Support
2. Limited integration with SLB management (ANM) -> Integration with SLB management (ANM)
3. Bug fixes -> Bug fixes
4. KALs did not support HTTPS transport -> KALs on HTTPS transport (tentative)

[Diagram: User -> LDNS -> GSS Network -> SLB at Datacenter A or Datacenter B, with KAL probes]

Page 26: Cisco Global Site Selector

GSS Release 3.2.0

Before -> After
1. SSL vulnerabilities -> Secure communication on SSL
2. DNSSEC deployments break -> DNSSEC workaround to forward A4 records
3. No HTTPS KAL -> HTTPS KAL
4. GUI based config changes not logged -> Audit log for GUI based config changes

[Diagram: User -> LDNS -> GSS Network -> SLB at Datacenter A or Datacenter B, with KAL probes]

Page 27: Cisco Global Site Selector

GSS Competitive Side by Side

Feature | F5 GTM | NetScaler GSLB | Brocade GSLB | RadWare GSLB | Cisco

DNS Services
DNS Services | Uses BIND | Uses BIND | Uses BIND | Uses BIND | CNR*
DNS Defense | Yes | No | No | Unknown | Yes

GSLB Services
Dedicated Appliance | Yes | Yes | No | Yes | Yes
GSLB Functions | Yes, 7 methods | Yes, 3 methods | Yes, 3 methods | Yes, 3 methods | Yes, 7 methods
Dynamic Ratio | Yes | No | No | Unknown | Yes
Persistence | Yes | Yes | No | Yes | Yes
Topological | Yes | No | No | Yes | Yes (manual load)
Geographical | Yes | Yes | Yes | Yes | Yes (manual load)

Management
GUI, CLI and Wizard | Yes | No | No | Unknown | Yes
Administrative Login Authentication | Local Only | Local Only | Local Only | Local Only | RADIUS and RBAC

Page 28: Cisco Global Site Selector

GSS Performance & Configuration Scalability

Performance
- Single VIP (ans/sec): 30,000
- Complex Configuration (ans/sec): 13,000
- NS Forwarding: 1500

Configuration Limits
- DNS Rules: 4000
- VIP (Standard/Shared): 2000/4000
- # of Active SLBs Probed: 256
- Max active GSSes in Mesh: 16
- HTTP Probes (Standard/Fast): 500/100
- ICMP Probes (Standard/Fast): 750/150
- TCP Probes (Standard/Fast): 1500/150
- Scripted SNMP Probes (Standard/Fast): 384/120
- KALAP Probes (Standard/Fast): 128/40
- Answer Groups (per group max): 2000 (100)
- Name Server addresses for NS Forwarding (max per answer group): 100 (30)
- DNS Race CRA Devices (max per race, max per answer group): 200 (20, 20)
- Source IP Addresses configurable for DNS Rules: 500
- Source Address Groups (max per group): 60 (30)
- Hosted Domains (max per SLB): 2000 (1000)
- Hosted Domain Lists (max per Domain List): 2000 (500)
- Administrative Owners: 500
- Administrative Regions (Locations): 20 (1000)
- Max user ids: 256
- Max GUI (CLI) sessions: 128 (8)

Page 29: Cisco Global Site Selector

Questions?

Page 30: Cisco Global Site Selector

BACKUP

Page 31: Cisco Global Site Selector

Security Focused Functionality

• Improves availability and resiliency of the DNS infrastructure with high-performance, self-protecting DDoS software
• Offloads and optimizes BIND/DNS processing and selects the best site based on:
  – Intelligent load balancing algorithms & “clauses”
  – Proximity to user request
  – Data center and server loads, availability & health
  – Persistence to prevent lost session information
• Complete and centralized DNS/DHCP/TFTP management for network-enabled applications
• Security conscious features:
  • DDoS mitigation software
  • Client to GSS and GSS to GSS communication encrypted
  • Private DNS code base
• Supports all DNS-compatible devices
• Can be deployed with or without content switches

Page 32: Cisco Global Site Selector

Improving DNS Survivability

- Detects and mitigates DNS-focused Distributed Denial of Service (DDoS) attacks, with multiple defenses including source verification
- Provides the granularity and accuracy to deliver new levels of business continuity by processing only legitimate DNS requests
- Delivers the performance and architecture suitable for the largest enterprises and providers
- Addresses DDoS attacks today; its network-based behavioral anomaly capability will be extended to additional DNS-focused threats
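The behaviour described on this slide and in the "Securing DNS Infrastructure" use case (identify a DNS query flood, then rate-limit the offending requests while legitimate resolvers keep being served), as an added example in Python. This is not Cisco's code and not how the GSS DDoS module is implemented; the log format, the sample log lines and the threshold (at most 10 queries per source in any 1-second window) are constructed for the example:

```python
"""
Added example (not from the Cisco deck): a per-source sliding-window DNS
query rate limiter replayed over constructed log lines.
"""
from collections import defaultdict, deque


class SourceRateLimiter:
    """Sliding-window limiter keyed on the querying source address.
    Threshold and window are assumed values, not product defaults."""

    def __init__(self, max_queries: int = 10, window_s: float = 1.0):
        self.max_queries = max_queries
        self.window_s = window_s
        self._recent = defaultdict(deque)   # source -> timestamps of answered queries
        self.dropped = defaultdict(int)     # source -> number of rate-limited queries

    def allow(self, ts: float, source: str) -> bool:
        """Return True if the query may be answered, False if it is rate-limited."""
        q = self._recent[source]
        while q and q[0] <= ts - self.window_s:   # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.max_queries:
            self.dropped[source] += 1
            return False                          # rate-limited queries are not recorded
        q.append(ts)
        return True


def parse_line(line: str):
    """Constructed log format: '<epoch-seconds> <source-ip> <qname> <qtype>'."""
    ts, source, qname, qtype = line.split()
    return float(ts), source, qname, qtype


def replay(lines, limiter=None):
    """Feed log lines through the limiter in timestamp order.
    Returns (answered, rate_limited, flagged_sources)."""
    limiter = limiter or SourceRateLimiter()
    answered = rate_limited = 0
    for line in sorted(lines, key=lambda l: float(l.split()[0])):
        ts, source, _qname, _qtype = parse_line(line)
        if limiter.allow(ts, source):
            answered += 1
        else:
            rate_limited += 1
    flagged = {src for src, n in limiter.dropped.items() if n > 0}
    return answered, rate_limited, flagged


def constructed_log():
    """Constructed sample: one source floods 20 queries within one second while
    a normal resolver sends 3 queries in the same period."""
    lines = [f"{1000 + i * 0.05:.2f} 203.0.113.66 www.example.com A" for i in range(20)]
    lines += [f"{1000 + i * 0.30:.2f} 192.0.2.10 www.example.com A" for i in range(3)]
    return lines


if __name__ == "__main__":
    print(replay(constructed_log()))  # (13, 10, {'203.0.113.66'})
```

Keying on the source address is what makes this a targeted limit rather than a global one: the flooding source is capped after its tenth query in the window while the normal resolver's three queries are all answered. A source that appears in `limiter.dropped` is the candidate for the "flagged" state that an operator would review.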

Page 33: Cisco Global Site Selector

Security Focused GSS Deployment

[Diagram: ISP-1 and ISP-2 -> DMZ containing the Cisco GSS, DNS server and public web servers -> secure web servers in Datacenter A and other internal servers behind layers of firewalls; un-secure DNS traffic terminates in the DMZ]

Why here (in the DMZ)?
- Public IPs and DNS host names
- Layers of firewalls and NATing between DNS and the internal servers

Not here (inside the internal network)?
- If hacked, private IPs become available
- DNS traffic tunneled through the firewall
- Violates the recommended “Split DNS” best practices

Page 34: Cisco Global Site Selector

Shared Keepalive: type kal-ap, 10.86.191.129 | 10.86.191.145

Answers
- Answer-1(NY): VIP-A 10.86.191.131
- Answer-1(Bos): VIP-A 10.86.191.147
- Answer-2(NY): VIP-B 10.86.191.136
- Answer-2(Bos): VIP-B 10.86.191.153

Answer Groups
- grp-bxb: Answer-1 (NY), Answer-1 (Bos)
- grp-rtp: Answer-2 (NY), Answer-2 (Bos)

Domain Lists
- bxb: www.bxb.com
- rest: www.bxb.com, www.sjc.com

Source Address Lists
- Asia: 124.0.0.0 – 145.0.0.0, 87.0.0.0 – 94.0.0.0
- Anywhere: 0.0.0.0 – 255.255.255.255

Rule – bxb.com
- Source Address List: Anywhere
- Domain List: bxb
- Balance Clause 1: AnswerGroup grp-bxb, Balance Method Round Robin
- Balance Clause 2: (empty)
- Balance Clause 3: (empty)

Rule – goodFellas.com
- Source Address List: Asia
- Domain List: rest
- Balance Clause 1: AnswerGroup grp-bxb, Balance Method Round Robin
- Balance Clause 2: (empty)
- Balance Clause 3: (empty)

Page 35: Cisco Global Site Selector

GSS vs F5 GTM

Feature | GSS | F5

Global Traffic Management
- Advanced multi-site traffic management w/ persistence | Yes | Yes
- Integrate DC selection with server load | Yes | Yes
- Universal health checks for traffic management | Yes | Yes
- Leverages Cisco router technology for DC selection | Yes | NO!

Business Continuance
- Provides HA for any type of DNS traffic | Yes | Yes

Manageability
- Dynamic configuration, secure auto-sync | Yes |

Network Server Consolidation
- Appliance based DNS | Yes (but we have retired CNR) | Yes (with BIND)
- Full DHCP/TFTP services | Yes (but we have retired CNR) | NO!

Security Focused DNS Infrastructure
- Integrated DNS-based DDoS protection | Yes | NO!
- Protects BIND infrastructure | Yes | NO!
- Not subject to BIND vulnerabilities | Yes | NO!

Page 36: Cisco Global Site Selector

GSLB Core Balance Functions: Load Balancing Methods

1. Ordered List – Uses the next VIPs when all previous VIPs are overloaded or down
2. Static Based on Client’s DNS Address – Maps the IP address of the client’s DNS to available VIPs
3. Round Robin – Cycles through available VIPs in order
4. Weighted Round Robin – Weighting causes repeat hits (up to 10) to a VIP
5. Least Loaded – Least connections on CSM and least loaded on CSS – Load communicated via CAPP UDP
6. Source Address and Domain Hash – IP address of the client’s DNS proxy and the domain are used – Always sticks the same client to the same VIP
7. DNS Race – Initiates a race of A-record responses to the client – Finds the closest SLB to the client’s d-proxy
8. DRP-based Dynamic Network Proximity – Actively localizes client traffic by probing the client DNS name servers and routing the client to the closest data center based on the lowest RTT measurement – Scales to greater than 400,000
9. Global Sticky DNS Database – Dynamically tracks where clients are sent, then ensures they are sent to the same device for subsequent requests – Entries are based on the IP address of the client name server and the domain name requested – Sticky answers are shared between GSSs
10. Drop – Silently discards the DNS request

Page 37: Cisco Global Site Selector

Keep Alives (KAL)

[Diagram: Site 1 and Site 2, each with CSS-A, CSS-B and servers; keepalives: TCP, ICMP, HTTP-Head, SNMP]

• KALs – a back-end process gathers state and load information from devices within the data center, such as local server load balancers and origin servers
• KALs can be grouped and logically “AND”ed together
• V2.0 added a new KAL type – SNMP based
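The pieces from slides 34, 36 and 37 fit together as one rule-evaluation model, shown here as an added example in Python (not Cisco's code and not the GSS implementation): source address lists and domain lists select a rule, balance clauses are tried in order, and four of the balance methods from slide 36 (ordered list, round robin, source-address-and-domain hash, drop) choose a VIP among the answers whose AND-grouped keepalives all pass. The answers, answer groups, source address lists and the two rules are taken from slide 34; the rule evaluation order, the "rtp" rule, the names www.rtp.example and bücher.example, and the failing http-head keepalive on Answer-2(NY) are constructed for the example. Domain lists are matched on their A-label form so IDN names (slide 11) compare correctly:

```python
"""
Added example (not from the Cisco deck): GSS-style DNS rule evaluation.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field


def a_label(name: str) -> str:
    """Normalize a hostname to its lower-cased ASCII (A-label) form."""
    return name.rstrip(".").lower().encode("idna").decode("ascii")


@dataclass
class Answer:
    name: str
    vip: str
    kals: dict = field(default_factory=dict)  # keepalive name -> passed?

    def online(self) -> bool:
        # Slide 37: grouped KALs are logically ANDed, so any failing probe
        # takes the answer offline. An answer with no KALs counts as online.
        return all(self.kals.values())


@dataclass
class SourceAddressList:
    ranges: list  # (first, last) IP strings, inclusive

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                   for lo, hi in self.ranges)


@dataclass
class Rule:
    name: str
    sal: SourceAddressList
    domains: set    # A-label hostnames
    clauses: list   # [(answers, method)], tried in order


class Gslb:
    def __init__(self, rules):
        self.rules = rules
        self._rr = {}   # round-robin position per (rule name, clause index)

    def resolve(self, ldns_ip: str, qname: str):
        """Return the VIP to answer with, None when no rule or answer applies,
        or "DROP" when the selected method silently discards the query."""
        qname = a_label(qname)
        for rule in self.rules:                 # first matching rule wins
            if rule.sal.contains(ldns_ip) and qname in rule.domains:
                return self._balance(rule, ldns_ip, qname)
        return None

    def _balance(self, rule, ldns_ip, qname):
        for idx, (answers, method) in enumerate(rule.clauses):
            if method == "drop":
                return "DROP"
            live = [a for a in answers if a.online()]
            if not live:
                continue                        # fall through to the next clause
            if method == "ordered-list":
                return live[0].vip              # first online answer in configured order
            if method == "round-robin":
                pos = self._rr.get((rule.name, idx), 0)
                self._rr[(rule.name, idx)] = pos + 1
                return live[pos % len(live)].vip
            if method == "hash":                # same LDNS + domain -> same VIP
                digest = hashlib.sha256(f"{ldns_ip}|{qname}".encode()).digest()
                return live[int.from_bytes(digest[:4], "big") % len(live)].vip
            raise ValueError(f"unknown balance method {method}")
        return None                             # every clause exhausted


# Configuration from slide 34; KAL results are constructed.
ANSWER_1_NY = Answer("Answer-1(NY)", "10.86.191.131", {"kal-ap": True})
ANSWER_1_BOS = Answer("Answer-1(Bos)", "10.86.191.147", {"kal-ap": True})
ANSWER_2_NY = Answer("Answer-2(NY)", "10.86.191.136", {"kal-ap": True, "http-head": False})
ANSWER_2_BOS = Answer("Answer-2(Bos)", "10.86.191.153", {"kal-ap": True})
GRP_BXB = [ANSWER_1_NY, ANSWER_1_BOS]
GRP_RTP = [ANSWER_2_NY, ANSWER_2_BOS]
ASIA = SourceAddressList([("124.0.0.0", "145.0.0.0"), ("87.0.0.0", "94.0.0.0")])
ANYWHERE = SourceAddressList([("0.0.0.0", "255.255.255.255")])

RULES = [
    # Slide 34 rules; the evaluation order is constructed (more specific SAL first).
    Rule("goodFellas.com", ASIA, {a_label("www.bxb.com"), a_label("www.sjc.com")},
         [(GRP_BXB, "round-robin")]),
    Rule("bxb.com", ANYWHERE, {a_label("www.bxb.com")},
         [(GRP_BXB, "round-robin")]),
    # Constructed rule: ordered list into grp-rtp, hash over grp-bxb as fallback, then drop.
    Rule("rtp", ANYWHERE, {a_label("www.rtp.example"), a_label("bücher.example")},
         [(GRP_RTP, "ordered-list"), (GRP_BXB, "hash"), ([], "drop")]),
]
```

The clause fall-through is the point worth noticing: with Answer-2(NY) offline, an ordered-list clause over grp-rtp serves Answer-2(Bos); if that fails too, the query lands on the hash clause over grp-bxb, and only when every group is empty does the final drop clause discard it.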

Page 38: Cisco Global Site Selector

Types of GSLB Solutions

Underlying Platform | Network Insertion | Pros | Cons | Dominant Use Case
DNS Based GSLB | DNS Authority, DNS Proxy, DNS Traffic Intercept | Accurate load info; accurate proximity info | Proximity is between the client's resolver and the site, not the client; caching at client/server/proxy | Disaster Recovery and Business Continuance; Global Traffic Management; DNS Security
Host Route Injection | SLB Add-On, Router Add-On, Server Add-On | No new protocols required; GSLB is a routing problem | Support for multiple ISPs; route flapping; less accurate load/proximity info | No dominant use case
Triangle Data Flow | SLB Add-On | Accurate proximity | Reverse path | Traffic localization to the nearest datacenter

GSS is a DNS based GSLB solution

Page 39: Cisco Global Site Selector

GSS 3.2.0 Bug Fixes

Identifier | Headline | Comments
CSCsz42912 | Request to implement the show mem command in SNMP |
CSCtc38727 | Manual reactivation of answers in OS with secondary circuit specified kalap |
CSCtc39127 | GSS running config is gone, GUI is unavailable but is passing traffic |
CSCtd01467 | IMPORTANT TLS/SSL SECURITY UPDATE |
CSCte64381 | Cisco GSS not functioning as per Internet DNS standards | Fix for Chrystler
CSCtf30643 | getBulkRequest with max repetitions 0 crashes snmp on GSS |
CSCtg60511 | GSS sticky mesh staying in INIT state and not replicating sticky entries |
CSCti20170 | High rate of tcp dns request causing dnsserver to crash | COPART issue
CSCti91605 | GSS running out of inodes, unable to ssh |
CSCti93734 | During initialization GSS returns NXDomain |
CSCtj23186 | Need check to prevent answer-group being added to dns rule w/out answers |
CSCtj24854 | GSS running out of inodes, needs cleanup on /tmp | JPMC issue
CSCtj28476 | ENH: Need to add "core-files verbose" output to gss tech-report | Enh request from escalation
CSCtj55505 | Tech report should be enhanced & add more sticky and selector logs | To get more debugs from cases like stream the world

Page 40: Cisco Global Site Selector

Thank you.