
Difference between GSSM Standby and GSS

cisco_lite

I would like to set up two GSSs in a redundant mode, i.e. with the same DNS rules. If one fails, the other should start servicing the DNS requests.

Both GSSs would be at two different locations, and only one would service the requests at any point in time. So should I configure the two devices as:

1) Primary GSSM and Standby GSSM

OR

2) Primary GSSM and GSS


Definitely Primary GSSM & Standby GSSM.

This will give you access to the GSS GUI (to make changes to the rules, etc.) even when any of the GSSs goes down.

The Standby GSSM performs DNS functions as well as acting as a backup to the Primary GSSM in the event of failure of that device. All changes to the GSS database, made on the Primary GSSM, are synchronized with the Standby GSSM.

With option 2) Primary GSSM and GSS, you won't be able to access the GUI if the primary is down. Also, you won't have any copy of the GSS database if the GSSM is unrecoverable.

Syed Iftekhar Ahmed

Thanks.

If I were to go with option 1, then how will the two GSSs communicate? Is it OK if it is over the internet? Or should it be through site-to-site connectivity, in case it is available? Is this architecture supported over the internet if there is no site-to-site connectivity?

Lastly, can I install the Primary and Standby GSSM both in the same location, on the same LAN? And is that good practice?

Yes, the internet can be used for inter-GSS traffic.

A GSSM-M sends DNS application configuration changes to all GSSs in the network over TCP ports 2001 - 2009 using a secure session (RMI over SSL). These configuration changes only include IP addresses & DNS names, which are in any case open to the world.

You can have both GSSs at the same location, but it kills the purpose. What if that same location faces an internet outage? Both of your GSSs are down and there is no one in the world resolving your domain names :). For this reason the two GSSs should be at two different locations.

Syed Iftekhar Ahmed

Thanks.

Why is it better to use gss-tcp-keepalives on interface eth1? If I were to use eth1 for gss-tcp-keepalives in the same location (just for e.g.), can GSS1 & GSS2 be directly connected to each other on eth1?

You need to understand that there are three types of GSS traffic & two interfaces.

1. TCP keepalive traffic (which can only use one interface -- by default eth0)

2. Inter-GSS traffic (which again can only use one interface -- by default eth0)

3. All other traffic, like DNS requests, HTTPS and telnet requests, is accepted on both physical interfaces.

It's better to use gss-tcp-keepalive on a different interface for two reasons:

1. To segregate the two types of traffic. GSS-to-VIP traffic will use an internal interface, whereas inter-GSS traffic will use the external interface.

2. When there is a firewall performing NAT. Please be aware that the Primary and Secondary GSSMs cannot be separated by a firewall performing NAT.

Along with this, it is recommended to use eth1 for GSS management, by using ACLs to allow HTTP, FTP, SNMP, telnet type traffic only on eth1 and not on eth0, which is public facing (internet-originated DNS requests hit this interface).

Syed Iftekhar Ahmed

So is the following setup OK?

1. eth0 serves DNS requests

2. eth1 serves tcp keepalives and inter-gss traffic.

How can I designate eth1 to be used for inter-GSS traffic? If, for e.g., I set up two GSSs in the same site and the standby GSSM takes over, would the IP of the primary GSS be passed on to the standby GSSM? Because the firewall would only have one public IP NATted to the Primary GSSM IP.

Since your GSSs are in two data centers & inter-GSS traffic will be over the internet, a better idea would be to use:

1. eth0 serves DNS requests and inter-GSS traffic.

2. eth1 serves TCP keepalives.

Within the GSS network, the Secondary doesn't become Primary automatically. You have to do it manually using the "gssm standby-to-primary" command on the standby GSSM. Each GSS has its own IP, and it is not transferred upon failover.

The interface used by keepalives can be changed using the "gss-tcp-keepalives" CLI interface command.

The interface used for inter-GSS communication can be changed using the "gss-communications" CLI interface command.

Syed Iftekhar Ahmed

1. If the switchover is manual, then what is the benefit of TCP keepalives? Aren't keepalives normally used to automate failover?

2. If the ISP had a host A record for the GSS, does it mean that after manually switching over to the standby GSSM I have to call up the ISP to modify/add a host A record pointing to the standby GSSM, since the public IPs of the primary and standby would have to be different?

Keepalives are used to investigate the health status of VIPs configured on CSS/ACE/CSMs or servers. Each GSS polls each resource individually. If any GSS finds any VIP/server unavailable, it never responds with the IP of that particular server. So yes, keepalives are ensuring failover of the application VIP, but not "GSS failover".

As I said earlier, GSS is a little different from other appliances with respect to redundancy.

All the GSSs are active and there is no primary/standby concept with GSS's DNS feature (as all GSSs serve A records all the time). The Primary & Secondary GSSM concept is only limited to which GSS will serve you the GUI to make changes, and that's about it. You make DNS rule changes at the Primary GSSM and it pushes the changes to all other GSSs in the network.

On your authoritative DNS servers you add DNS records for your application:

www.abc.com.   IN NS gss1.abc.com.   <-- NS record for www.abc.com via GSS1

www.abc.com.   IN NS gss2.abc.com.   <-- NS record for www.abc.com via GSS2

gss1.abc.com.  IN A  a.b.c.d         <-- A record for GSS1

gss2.abc.com.  IN A  a.b.c.d         <-- A record for GSS2

Your authoritative DNS server then sends the GSS1/GSS2 IP to the client's DNS server on a round-robin basis (round robin is the default DNS behaviour when multiple records are in the DNS database. This round robin can be changed; for example, on Microsoft DNS servers see http://technet.microsoft.com/en-us/library/cc787484.aspx).

Since both GSSs are active, the request could be served by either GSS.

If one GSS fails, then the client DNS server (after not getting its DNS queries answered by the failed GSS) will try the other available GSS.

HTH

Syed Iftekhar Ahmed
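The delegation and failover behaviour described in the answer above, as an added example that is not part of the original thread and not Cisco's code: a small model of a resolver walking the NS set for www.abc.com, with each GSS answering only the VIPs its own keepalives see as healthy. The zone data, GSS names, IP addresses, site names and VIP health results are all constructed for the example; the "up" flag stands in for a GSS that has gone off the air. It also covers the same-location point made earlier in the thread (both GSSs at one site, one internet outage, nobody left to answer).

```python
"""Model of two always-active GSSs behind an NS delegation (added example).

Constructed assumptions: the PARENT_ZONE records, the 192.0.2.x / 198.51.100.x
/ 203.0.113.x addresses, the site names and the keepalive results are made up.
Gss.answer() stands in for a real UDP/TCP 53 query to the appliance.
"""
from dataclasses import dataclass, field


@dataclass
class Gss:
    """One GSS appliance. Every GSS is active and serves A records."""
    name: str
    ip: str
    site: str
    up: bool = True
    # This GSS's own keepalive view: qname -> {vip: healthy}
    keepalives: dict = field(default_factory=dict)

    def answer(self, qname):
        """Return the VIPs this GSS would hand out, or None if it times out.

        A GSS never returns a VIP its own keepalives consider down, which is
        why keepalives give application-VIP failover rather than GSS failover.
        """
        if not self.up:
            return None
        return [vip for vip, ok in self.keepalives.get(qname, {}).items() if ok]


# Constructed stand-in for the authoritative zone: www.abc.com is delegated
# to both GSSs, each with its own glue A record (distinct IPs, unlike the
# placeholder a.b.c.d used in the post).
PARENT_ZONE = {
    "www.abc.com.": ["gss1.abc.com.", "gss2.abc.com."],   # NS records
    "gss1.abc.com.": "192.0.2.10",                          # A record (glue)
    "gss2.abc.com.": "198.51.100.10",
}


def make_network(site1="dc-east", site2="dc-west"):
    """Two GSSs with identical rules (constructed VIPs), keyed by IP."""
    vips = {"www.abc.com.": {"203.0.113.10": True, "203.0.113.20": True}}
    gss1 = Gss("gss1", "192.0.2.10", site1,
               keepalives={q: dict(v) for q, v in vips.items()})
    gss2 = Gss("gss2", "198.51.100.10", site2,
               keepalives={q: dict(v) for q, v in vips.items()})
    return {g.ip: g for g in (gss1, gss2)}


def site_outage(servers, site):
    """Take every GSS at one site off the network (site loses its internet)."""
    for g in servers.values():
        if g.site == site:
            g.up = False


def resolve(qname, zone, servers, rotation=0):
    """Resolve qname the way a client's DNS server does after delegation.

    The parent hands back the NS set in round-robin order (modelled by
    `rotation`); the resolver tries each server and moves on when one does
    not answer. Returns (answer, tried): the VIP list from the first GSS that
    responded (None if all were silent) and the GSS names tried, in order.
    """
    ns_names = zone[qname]
    r = rotation % len(ns_names)
    order = ns_names[r:] + ns_names[:r]
    tried = []
    for ns in order:
        gss = servers[zone[ns]]          # follow the glue A record
        tried.append(gss.name)
        result = gss.answer(qname)
        if result is not None:
            return result, tried
    return None, tried


if __name__ == "__main__":
    net = make_network()
    print("both up:      ", resolve("www.abc.com.", PARENT_ZONE, net))
    net["192.0.2.10"].up = False
    print("gss1 down:    ", resolve("www.abc.com.", PARENT_ZONE, net))
    net["198.51.100.10"].keepalives["www.abc.com."]["203.0.113.10"] = False
    print("one VIP down: ", resolve("www.abc.com.", PARENT_ZONE, net))
    same_site = make_network(site1="dc-a", site2="dc-a")
    site_outage(same_site, "dc-a")
    print("same site out:", resolve("www.abc.com.", PARENT_ZONE, same_site))
```

The two things worth noticing: no GSS ever takes over another's IP, so nothing at the ISP needs changing when one dies (the resolver simply moves to the next NS), and the VIP filtering happens per GSS from its own keepalives, so the surviving GSS keeps the application VIP failover working on its own.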

Hello Friend,

Your answer was very useful....

I have 1 question here:

How will the database sync between the pri GSS and sec GSS happen? (Every time I make changes on the GUI it needs to sync with the sec GSS.)

If it is through the inter-GSS interface (via the internet), how will we make sure that the data which goes through the internet is encrypted?

Regards,

Naren

1. Synchronization occurs automatically between the two devices whenever the GSS network configuration changes.

2. Client-to-GSS & inter-GSS communication is encrypted.

Syed Iftekhar Ahmed
