Presentation Transcript: Cisco Global Site Selector (Vikas Deolaliker, Product Manager, ECBU, September 2011)



Cisco Global Site Selector

Vikas Deolaliker

Product Manager, ECBU

September, 2011


Global Site Selector: Product Overview



Cisco GSS in a Nutshell

Up to 16 GSSes can work in a cluster to meet the needs of large enterprises and service providers.

Orderable parts (hardware, software and feature licenses):

  • ACE GSS4492R-K9: GSS appliance (hardware)

  • SF-GSS-V1.3-K9: GSS software

  • SF-GSS-DDOSLIC: DDoS mitigation license

  • SF-GSS-GIPLICFX: GeoIP GSLB support license

  • SF-GSS-V6LICFX: IPv6 support license

  • License free IPv6 Support

  • DDoS Protection

  • Geographical and Resource Affinity

  • Supports Cisco ACE/CSS/CSM

http://cio.cisco.com/en/US/products/hw/contnetw/ps4162/products_installation_and_configuration_guides_list.html



More specifically …

GSS participates in your DNS infrastructure to enforce BCDR, GSLB and DNS security policies.

  • Provides universal DNS-based disaster recovery: redirects clients to the back-up data center for any device that supports an SNMP MIB and uses DNS

  • Protects the DNS infrastructure with DNS-based DDoS mitigation software

  • Delivers advanced global traffic management

    • Global Server Load Balancing (GSLB) for geographically dispersed Server Load Balancers and Caches

    • Connect clients to the best server based on:

      • Network topology

      • Server load

      • Availability of content and devices



Release 4.1 Highlights

Globally route clients based on:

- Geographical proximity

- RTT proximity

- Site persistence

- Site health

Key benefits:

  • Route clients based on geographical proximity to the application

  • Support for IPv6 addressing for clients and servers

  • Extreme scalability for cloud data centers

  • Reduce operational costs through the enhanced GUI and ANM integration

[Diagram: user, LDNS, GSS network and SLBs in Datacenter A and Datacenter B, all IPv6-addressed (2001:0DB8:AC10:FE01::), with the request flow labelled a to d]

Available on CCO: September 22nd, 2011



Geolocation Based Global Delivery

Geolocation Highlights

  • (a) GeoIP based proximity

    • Proximity calculations using GeoIP distances

  • (b) GeoRegions: GeoIP based regions

    • Regions based on GeoIP database entries (add a single country or multiple countries); granularity down to states

    • Sticky support for GeoRegions

  • (c) GeoSAL: GeoIP based source address lists

    • SALs can be based on GeoIP based regions

  • (d) New GUI design (Kubric look and feel)

    • GUI option to configure all GeoIP functionality

[Diagram: user (2001:0DB8:AC10:FE01::), LDNS, GSS network and SLBs in Datacenter A and Datacenter B, with the steps labelled a to d]



GeoProximity

  • Overrides RTT based proximity

  • Picks the application based on the geographical distance between the probing device and the client LDNS

  • Licensable feature

[Diagram: a user's LDNS reaching the GSS over the Internet; the GSS selects among ACE-fronted servers in Data Centers A, B, C and D by geographical distance]


GeoRegions

  • Define regions based on logical groups, for example BRIC (Brazil, Russia, India, China).

  • Create geographically grouped resource pools, for example US-Central-Datacenter. Use the regions to group resources (VIPs, NS, CRA) and clients (source address lists).

  • Define persistence policy based on GeoRegions
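As an added example (not code from the presentation or from Cisco), the Python below models the three GeoIP mechanisms on these slides: a GeoIP lookup, GeoRegion membership down to state granularity (the basis of a GeoSAL), and GeoIP-distance proximity selection that skips answers whose keepalive failed and reports when it cannot decide so the caller can fall back to RTT probing or the next balance clause. The GeoIP table, the data-center coordinates and the client LDNS addresses are constructed; GSS uses a licensed GeoIP database and does not document its distance formula, so the great-circle calculation is an assumption.

```python
import ipaddress
import math

# Constructed GeoIP table (stand-in for the licensed database GSS uses):
# prefix -> (country, state/region, latitude, longitude)
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): ("IN", "MH", 19.08, 72.88),     # Mumbai
    ipaddress.ip_network("198.51.100.0/24"): ("BR", "SP", -23.55, -46.63),  # Sao Paulo
    ipaddress.ip_network("192.0.2.0/24"): ("US", "IL", 41.88, -87.63),      # Chicago
    ipaddress.ip_network("2001:db8::/32"): ("US", "TX", 32.78, -96.80),     # Dallas
}

# GeoRegions: logical groups of GeoIP entries. BRIC is the slide's example;
# US-Central (assumed) shows state-level granularity as (country, state).
GEOREGIONS = {
    "BRIC": {("BR", None), ("RU", None), ("IN", None), ("CN", None)},
    "US-Central": {("US", "IL"), ("US", "TX")},
}

# Answers: data-center VIPs with assumed coordinates and a keepalive result.
# (name, vip, lat, lon, healthy)
ANSWERS = [
    ("Datacenter A (New York)", "10.86.191.131", 40.71, -74.01, True),
    ("Datacenter B (Sao Paulo)", "10.86.191.147", -23.55, -46.63, True),
    ("Datacenter C (Singapore)", "10.86.191.136", 1.35, 103.82, True),
]


def geoip_lookup(addr):
    """Longest-prefix lookup in the constructed table; None if unknown."""
    ip = ipaddress.ip_address(addr)
    hits = [net for net in GEOIP_TABLE if ip in net]  # version mismatch is simply False
    if not hits:
        return None
    return GEOIP_TABLE[max(hits, key=lambda n: n.prefixlen)]


def in_georegion(addr, region):
    """GeoSAL membership test: an entry (country, None) matches the whole
    country, (country, state) matches only that state."""
    rec = geoip_lookup(addr)
    if rec is None:
        return False
    country, state = rec[0], rec[1]
    return any(c == country and (s is None or s == state)
               for c, s in GEOREGIONS[region])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (assumed stand-in for GSS's GeoIP distance)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def geo_proximity_vip(ldns_addr, answers=ANSWERS):
    """VIP of the healthy answer geographically closest to the client's LDNS.

    Returns None when the LDNS address has no GeoIP entry or every answer is
    down, so the caller can fall back to RTT probing, round robin, or the next
    balance clause, as the slides describe."""
    rec = geoip_lookup(ldns_addr)
    if rec is None:
        return None
    lat, lon = rec[2], rec[3]
    healthy = [a for a in answers if a[4]]
    if not healthy:
        return None
    best = min(healthy, key=lambda a: haversine_km(lat, lon, a[2], a[3]))
    return best[1]


if __name__ == "__main__":
    for ldns in ("203.0.113.9", "198.51.100.7", "192.0.2.1", "2001:db8::1", "10.0.0.1"):
        print(ldns, "BRIC" if in_georegion(ldns, "BRIC") else "-", geo_proximity_vip(ldns))
```

The None returns are the important part of the design: an LDNS the GeoIP database does not know about must not be silently sent to an arbitrary site, and a region whose only data center is down must fall through to the next clause rather than returning a dead VIP.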



Operational Flexibility

Lower the operational expense

  • ANM

    • Import the GSSM configuration into ANM and monitor VIP status and DNS rule status/hit-count statistics from the ANM GUI

    • Suspend/activate VIPs/rules/GSS SW release number from the ANM GUI

  • HTTPS KAL

    • Adds HTTPS-HEAD to the existing KAL types: ICMP, TCP, HTTP HEAD, KAL-AP, scripted KAL, CRA and name server

  • Global shared keepalive activate/suspend

  • GUI logging



Ease of Management

GSS network is managed as a system – reduces number of touchpoints


  • GSS is a system, not a device

    • Self-synchronization of up to 16 GSSes

    • Single point of management via the GUI

    • Does not sacrifice device-level access (SSH to the box)

    • Any GSS can run the GUI, and a second GSS serves as standby

  • Easy-to-use interface

    • IOS-style syntax

    • 100 new CLI commands since v1.3

    • Single interface for monitoring, troubleshooting and configuration

    • Supports import/export of configuration in industry-standard formats

    • Role-based access control

    • Remote syslog support

  • Management integration with ANM

    • ANM supports the activation and suspension of DNS rules and answers

    • ANM communicates with the primary GSS manager (PGSSM) via CLI, RMI and SSH. The configuration parameters needed to establish this communication are the GSS IP address and SSH credentials, so the ANM host holds an administrative credential for the GSS cluster and needs to be protected accordingly

    • Four of the eight administrator logins are consumed by ANM

    • ANM issues commands to the PGSSM, and the PGSSM relays these commands to the rest of the GSSs in the cluster

[Diagram: ANM and the GUI managing the GSS network]



IDN Support

Internationalized Domain Names (IDNs) are domain names that contain non-ASCII characters (for example, Arabic or Chinese).

The ASCII form of an IDN label is termed the "A-label" (the Punycode form with the xn-- prefix, which is what appears in DNS queries); the Unicode form is termed the "U-label".

GSS can be configured with non-ASCII domain names.
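The A-label/U-label distinction matters when populating a domain list, because the qname in a DNS query is always in A-label form. As an added example (not Cisco code), the following Python uses the standard library's "idna" codec (IDNA 2003 rules) to convert between the two forms and to normalise a domain list before matching it against a wire qname; the domain names are constructed.

```python
def to_a_label(name):
    """U-label (or plain ASCII) domain name -> A-label form as carried in DNS.
    The codec applies nameprep (including case folding) to non-ASCII labels
    and passes ASCII labels through untouched."""
    return name.rstrip(".").encode("idna").decode("ascii")


def to_u_label(name):
    """A-label domain name -> Unicode (U-label) form for display and logs."""
    return name.rstrip(".").encode("ascii").decode("idna")


def normalise_domain_list(entries):
    """A domain list entered in Unicode would never match a wire qname, so
    store every entry as a lower-cased A-label (ASCII labels are not case
    folded by the codec, hence the explicit lower())."""
    return {to_a_label(e).lower() for e in entries}


def domain_matches(qname_on_wire, domain_list):
    """Match the qname exactly as extracted from the query (ASCII, any case)."""
    return qname_on_wire.rstrip(".").lower() in domain_list


if __name__ == "__main__":
    dl = normalise_domain_list({"bücher.example", "www.example.com"})
    print(sorted(dl))
    print(domain_matches("XN--BCHER-KVA.example.", dl), to_u_label("xn--bcher-kva.example"))
```

The last assertion in the test below is the pitfall: the Unicode spelling never matches a wire qname, so a domain list left in U-label form silently matches nothing.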



DNSSEC Ready

With DNSSEC forwarding enabled, *matching* non-A DNS queries are automatically forwarded to the external name server.

For *matching* A queries with the DO (DNSSEC OK) flag set, GSS forwards the request to the external name server; the external NS provides the DNSSEC response, which GSS forwards on to the D-proxy.

For all the rest, GSS responds as it does today with a plain DNS response. GSS does not sign anything itself in this release (signing is the "DNSSEC with FIPS" item on the Release 5.0 roadmap), so the answers it generates locally are plain, unsigned responses.

Configuration is quick and simple:

gss2-tb1.cisco.com# configure terminal
gss2-tb1.cisco.com(config)# property set ServerConfig.dnsserver.enableEDNS 1
gss2-tb1.cisco.com(config)# property set ServerConfig.dnsserver.nsForwardAQueriesWithDOFlag 1
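The slide's three cases reduce to a decision on (qname matched, qtype, DO bit). As an added example, not GSS code, the Python below builds and parses DNS queries at the wire level, including the EDNS0 OPT record whose TTL field carries the DO bit (RFC 6891), and applies the forwarding decision. The two property names are the ones on the slide; how they gate the decision (enableEDNS off means the OPT record is ignored and DO is never seen) is an assumption of the model, and the domain names are constructed.

```python
import struct

QTYPE_A, QTYPE_AAAA, QTYPE_DNSKEY, QTYPE_OPT = 1, 28, 48, 41
DO_BIT = 0x8000  # "DNSSEC OK": high bit of the OPT record's TTL field (RFC 6891 6.1.3)


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, edns=False, do=False, txid=0x1234):
    """Standard recursion-desired query; optionally with an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if edns:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode | version | flags (DO), RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, DO_BIT if do else 0, 0)
    return msg


def decode_name(msg, off):
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if (ln & 0xC0) == 0xC0:  # compression pointer: follow it, name ends here
            ptr = ((ln & 0x3F) << 8) | msg[off]
            off += 1
            labels.append(decode_name(msg, ptr)[0])
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def parse_query(msg):
    """Return (qname, qtype, do_flag) for a query with one question and no
    answer/authority records (the shape a resolver sends)."""
    _txid, _flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    do = False
    for _ in range(ar):
        _name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE_OPT and ttl & DO_BIT:
            do = True
    return qname, qtype, do


def gss_dispatch(msg, matched_domains, enable_edns=True, forward_a_with_do=True):
    """Where a query goes, following the slide:
      matching non-A query          -> "forward" to the external NS
      matching A query with DO set  -> "forward" (nsForwardAQueriesWithDOFlag=1)
      everything else               -> "local" plain DNS answer from GSS
    enable_edns models ServerConfig.dnsserver.enableEDNS (0 => OPT ignored, DO never seen);
    forward_a_with_do models ServerConfig.dnsserver.nsForwardAQueriesWithDOFlag (assumed)."""
    qname, qtype, do = parse_query(msg)
    matched = qname.lower() in {d.lower().rstrip(".") for d in matched_domains}
    if not matched:
        return "local"
    if qtype != QTYPE_A:
        return "forward"
    if enable_edns and forward_a_with_do and do:
        return "forward"
    return "local"


if __name__ == "__main__":
    for qtype, do in ((QTYPE_A, False), (QTYPE_A, True), (QTYPE_AAAA, False), (QTYPE_DNSKEY, True)):
        q = build_query("www.example.com", qtype, edns=True, do=do)
        print(parse_query(q), "->", gss_dispatch(q, ["www.example.com"]))
```

The check a practitioner wants is the fourth case in the test: with enableEDNS left at 0, a validating resolver's A query with DO set is answered locally and unsigned, which the resolver will treat as an insecure (or, under a signed parent, bogus) response.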



Extreme Scalability

  • Thousands of applications

    • GSS answers are VIPs declared on ACE. In Rel 4.1, GSS supports 256 ACEs, 8000 VIPs and 2000 domains

  • Vast pools of resources

    • Keepalive is the way GSS monitors the resources behind the VIPs it serves. KAL-AP is Cisco's proprietary keepalive. In Rel 4.1, GSS supports 128 KAL-AP configurations

  • Global clients and servers

    • GSS responds with the VIPs closest to the requesting client (LDNS). In Rel 4.1, GSS uses GeoIP to determine proximity in addition to the existing probing mechanisms

  • ANM for cluster management

    • ANM can activate/suspend answers on GSS and manage all 16 GSSes in a cluster

[Diagram "Global Application Delivery": user, LDNS, GSS network and ACEs in Datacenter A and Datacenter B, with utilization reported per data center]



End to End Solutions: GSS, ACE, N7K

ACE+GSS cloud solution: integration points

  • Wide-area vMotion (OTV/DWS)

    • GSS, upon notification of a vMotion, changes the answer for a query, thereby helping the customer preserve WAN bandwidth

  • ACE virtualization

    • GSS treats ACE contexts as separate ACE devices, thereby enabling virtual data centers for each customer B, C, D, …

  • Virtual GSS

    • With Rel 5.1 (CY12), vGSS can offer dedicated GSS functionality per VLAN

[Diagram: user and LDNS reaching the GSS network; ACE contexts B, C, D in the primary data center and a VM moved to the secondary data center]


GSS IPv6 Support



GSS 4.1 – Q4CY11

  • (a) GeoIP based GSLB

    • GeoIP based proximity

    • GeoIP based DNS rules and sticky

  • (b) IPv6

    • Support for AAAA responses

    • Support for persistence

    • IPv6 management over the IPv6 interface

  • (c) New GUI design (Kubric look and feel)

  • (d) Configuration scalability

    • 8000 answers

[Diagram: user (2001:0DB8:AC10:FE01::), LDNS, GSS network and SLBs in Datacenter A and Datacenter B, steps a to d]



GSS Release Map

Timeline, 2011 to early 2012:

Release 3.2

- HTTPS KAL

- Workaround DNSSEC

- Bug fixes

Release 3.3 (private only)

- GeoIP proximity

- 8K answers support

- ANM support for 8K answers

Release 4.1

- IPv6 support

- GeoIP GSLB

- ANM support for 8K answers

Release 4.1.1

- IPv6 dot.ONE release

- Bug fixes


GSS Direction

2011

  • Release 3.2 (Feb, 2011)

    • HTTPS KAL

    • DNSSec forwarding

    • Critical bug fixes

  • Release 4.1 (September, 2011)

    • IPv6 support (AAAA)

    • GeoIP (proximity, GeoRegions, GeoSALs)

2012

  • Release 5.0 (CC'ed)

    • DNSSec with FIPS

    • SOA and NS records

    • HW refresh


GlobalStrike: GSS 5.1

Concept committed 8/22/2011

Key asks in GlobalStrike

1. Security and compliance

  • (a) DNSSEC strengthens the integrity of the DNS query/response transaction against threats such as

    • Forged or bogus responses

    • Removal of records (RRs) from responses

    • Incorrect application of wildcard expansion rules

  • (b) USGv6 and IPv6 Phase 2 Logo certification

  • FIPS compliant or validated encryption with acceleration

  • Common Criteria EAL-2

2. Platform refresh

  • (c) UCS server based appliance (San Luis)

  • vGSS

3. GeoIP enhancements

  • (d) Logical grouping of GeoRegions

4. KAL-AP

  • Enhancements and scalability

[Diagram: user (2001:0DB8:AC10:FE01::), LDNS, GSS network and SLBs in Datacenter A and Datacenter B, steps a to d]



    GSS Roadmap

Rel 4.0 (Q4CY11)

  1. DNS Services

    • IPv6: support for AAAA, A6, CNAME DNS records

  2. Operational Optimization

    • Audit logs

    • Log source IP

    • Sync CLI and GUI users

    • View KAL logs through the GUI

  3. GSLB Services

    • GeoIP based proximity

  4. DCI Services

    • Automation to support vMotion over DCI

  5. Hardware Platform

    • GSS-4492R

Rel 5.0 (1HCY12)

  1. DNS Services

    • DNSSEC with FIPS

    • SOA and NS record support

  2. Operational Optimization

    • Authentication using AD

    • Automated backup

    • Activate/suspend answers

    • Enhanced reporting

    • Alerts/alarms

  3. GSLB Services

    • Share KAL status among peers

    • KAL-AP with VIP capacity/load

  4. DCI Services

    • Automation through integration with ANM

    • Exploring LISP support

  5. Hardware Platform

    • Hardware refresh with FIPS compliance

[Diagram: the numbered items placed on a GSS network with user, LDNS and SLBs in Datacenter A and Datacenter B]


Ease of Deployment

GSS participates in the DNS infrastructure – lower latency

GSS becomes the authoritative name server for the entire zone supporting all applications for the SP

[Diagram: DNS global control plane above the IP control/forwarding plane. Client DNS resolvers (IE, Firefox, etc.) on fixed, wireless, mobile, dedicated/ATM/FR, ISDN/dial, DSL and cable access send DNS requests to their client name servers (D-proxy: BIND, CNR, QIP) at ISP#1, ISP#2 and ISP#3; those resolve via the root name server and the intermediate name server supporting .com to the GSS at Data Center #1 and Data Center #2, which returns the DNS response; the requested web sites are then reached over Layer 3 communications. Steps numbered 1 to 5]



Use Case: Policy based GSLB

GSLB policy enables redirection based on proximity, site health, server load and user preferences

Setup steps:

  1. Add an NS record for both GSSes (www.fifa.com is delegated from nameserver.fifa.com to GSS Milan at 10.86.191.134 and GSS Johannesburg at 10.86.191.150)

  2. Create the mesh link between the GSSes

  3. Add DNS rules: source address list (SAL) + domain list (DDL) + query type (Qtype) + balance clauses

GSLB can redirect traffic based on:

  • Proximity

    • Selects the answer with the lowest RTT

    • RTT is measured between the client's D-proxy and a probing device (Cisco router and/or GSS)

    • GSS uses DRP to communicate with the probes

  • Disaster recovery

    • Site health check

  • Datacenter load

    • KAL-AP

  • Ratio based GSLB

[Diagram: a user's DNS query for www.fifa.com reaches P-DNS2 (16.1.1.1), which follows the NS records to GSS Milan (10.86.191.134) or GSS Johannesburg (10.86.191.150) over the mesh link; the GSS returns an A record pointing at the SLB VIP in Datacenter A (10.86.191.131) or Datacenter B (10.86.191.147)]



    Use Case: BCDR

  • Recovering service availability after failure

    • Active-passive design

    • Network fail-over can happen within 10 s

    • Application/server recovery time is based on the time it takes to complete data synchronization of the back-end database, application servers and web servers

  • Supported by Cisco's solutions

    • GSS, CSS, CSM, ACE

[Diagram: resolvers on fixed, wireless, mobile, dedicated/ATM/FR, ISDN/dial, DSL and cable access reach the DNS name servers and the GSS cluster (DNS global control plane) over the IP control/forwarding plane; Chicago Data Center #1, Tokyo Data Center #2 and the NJ back-up Data Center #3]



    Use Case: Securing DNS Infrastructure

Provides a security-focused, highly available DNS/DHCP/TFTP infrastructure for one or more data centers.

Automatically identifies DNS-based DDoS attacks and mitigates them: the GSS rate limits the specific DNS requests coming from compromised DNS name servers or DNS bots.

[Diagram: resolvers on fixed, wireless, mobile, dedicated/ATM/FR, ISDN/dial, DSL and cable access, plus compromised DNS name servers or DNS bots, sending queries over the IP control/forwarding plane to the DNS global control plane; Chicago Data Center #1, Tokyo Data Center #2 and the NJ back-up Data Center #3]



    GSS Release 3.1.2

Before → After:

  1. No support for IDNA → IDNA support

  2. Limited integration with SLB management (ANM) → Integration with SLB management (ANM)

  3. Bug fixes → Bug fixes

  4. KALs did not support HTTPS transport → KALs on HTTPS transport (tentative)

[Diagram: user, LDNS, GSS network and SLBs in Datacenter A and Datacenter B with the four items marked]



    GSS Release 3.2.0

Before → After:

  1. No HTTPS KAL → HTTPS KAL

  2. DNSSec deployments break → DNSSec workaround to forward A4 records

  3. GUI based config changes not logged → Audit log for GUI based config changes

  4. SSL vulnerabilities → Secure communication on SSL

[Diagram: user, LDNS, GSS network and SLBs in Datacenter A and Datacenter B with the four items marked]



    GSS Competitive Side by Side



    GSS Performance & Configuration Scalability



    Questions?


Backup



    Security Focused Functionality

  • Improves availability and resiliency of the DNS infrastructure with high-performance, self-protecting DDoS mitigation software

  • Offloads and optimizes BIND/DNS processing and selects the best site based on:

    • Intelligent load balancing algorithms and "clauses"

    • Proximity to the user request

    • Data center and server loads, availability and health

    • Persistence to prevent lost session information

  • Complete and centralized DNS/DHCP/TFTP management for network-enabled applications

  • Security-conscious features:

    • DDoS mitigation software

    • Client-to-GSS and GSS-to-GSS communication encrypted

    • Private DNS code base

  • Supports all DNS-compatible devices

  • Can be deployed with or without content switches



    Improving DNS Survivability

  • Detects and mitigates DNS-focused Distributed Denial of Service (DDoS) attacks, with multiple defenses including source verification

  • Provides the granularity and accuracy to deliver new levels of business continuity by processing only legitimate DNS requests

  • Delivers the performance and architecture suitable for the largest enterprises and providers

  • Addresses DDoS attacks today; its network-based behavioral anomaly capability will be extended to additional DNS-focused threats
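As an added example (not Cisco code), the Python below implements a per-source DNS query-rate limiter with a source-verification step and runs it over constructed log lines. This slide and the "Securing DNS Infrastructure" use case say that GSS rate-limits attack queries and uses source verification as one of its defenses, but they do not describe the mechanism; the approach here (aggregate UDP queries per /24 or /64, answer over-limit queries with the TC bit so that only a genuine resolver retries over TCP, drop once that budget is spent, always serve TCP because the handshake proves the source address) is a common technique assumed for illustration, and the thresholds and log are made up.

```python
import collections
import ipaddress

WINDOW_SECONDS = 1.0    # constructed policy
QPS_LIMIT = 5           # UDP queries per source prefix per window before reacting
TRUNCATE_BUDGET = 2     # over-limit queries answered with TC=1 before dropping

# Constructed log: "<seconds> <source> <proto> <qname> <qtype>".
# 203.0.113.0/24 is a spoofed/bot flood of ANY queries (a classic amplification
# query type); 192.0.2.10 is a legitimate resolver that retries over TCP.
SAMPLE_LOG = """\
0.00 192.0.2.10 udp www.example.com A
0.10 203.0.113.5 udp www.example.com ANY
0.11 203.0.113.6 udp www.example.com ANY
0.12 203.0.113.7 udp www.example.com ANY
0.13 203.0.113.8 udp www.example.com ANY
0.14 203.0.113.9 udp www.example.com ANY
0.15 203.0.113.10 udp www.example.com ANY
0.16 203.0.113.11 udp www.example.com ANY
0.17 203.0.113.12 udp www.example.com ANY
0.18 203.0.113.13 udp www.example.com ANY
0.20 192.0.2.10 udp www.example.com AAAA
0.30 192.0.2.10 tcp www.example.com AAAA
1.50 203.0.113.5 udp www.example.com ANY
"""


class DnsRateLimiter:
    def __init__(self, qps_limit=QPS_LIMIT, window=WINDOW_SECONDS, truncate_budget=TRUNCATE_BUDGET):
        self.qps_limit, self.window, self.truncate_budget = qps_limit, window, truncate_budget
        self.recent = collections.defaultdict(collections.deque)  # prefix -> query timestamps
        self.truncated = collections.Counter()                     # prefix -> TC replies sent

    @staticmethod
    def key(src):
        """Aggregate per /24 (IPv4) or /64 (IPv6): a spoofing flood rarely
        repeats one address, but it usually repeats a prefix."""
        ip = ipaddress.ip_address(src)
        return str(ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False))

    def decide(self, ts, src, proto):
        """Action for one query: 'answer', 'truncate' (reply with TC=1 and no
        answer data, forcing a real resolver to retry over TCP) or 'drop'."""
        if proto == "tcp":
            return "answer"  # the TCP handshake already verified the source address
        k = self.key(src)
        q = self.recent[k]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) <= self.qps_limit:
            self.truncated[k] = 0  # back under the limit: replenish the TC budget
            return "answer"
        if self.truncated[k] < self.truncate_budget:
            self.truncated[k] += 1
            return "truncate"
        return "drop"


def process_log(log_text, limiter=None):
    """Return [(source, qtype, action)] for each log line, in order."""
    limiter = limiter or DnsRateLimiter()
    out = []
    for line in log_text.strip().splitlines():
        ts, src, proto, _qname, qtype = line.split()
        out.append((src, qtype, limiter.decide(float(ts), src, proto)))
    return out


def summarize(log_text):
    return collections.Counter(action for _, _, action in process_log(log_text))


if __name__ == "__main__":
    for src, qtype, action in process_log(SAMPLE_LOG):
        print(f"{src:15} {qtype:5} {action}")
    print(dict(summarize(SAMPLE_LOG)))
```

The TC reply costs a real resolver one extra round trip but costs a spoofed source nothing, which is why the budget is small and followed by drops; a compromised name server that genuinely owns its address passes verification and is held back by the rate threshold alone.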



    Security Focused GSS deployment

Where to place the GSS relative to the firewall:

  • Why here (in the DMZ, next to the external DNS server)?

    • It handles un-secure DNS traffic from the Internet and exposes only public IPs and DNS host names

    • Layers of firewalls and NATing sit between the DNS tier and the internal servers

  • Not here (inside, next to the secure web servers)?

    • If the GSS is hacked, private IP addresses become available to the attacker

    • DNS traffic would have to be tunneled through the firewall

    • Violates the recommended "split DNS" best practice

[Diagram: ISP-1 and ISP-2 feeding a DMZ in Datacenter A that holds the DNS server, the Cisco GSS and the public web servers; the secure web servers and others sit behind further firewalls]



Sample configuration: DNS rules and the objects they reference

Rule goodFellas.com
  Source Address List: Anywhere
  Domain List: bxb
  Balance Clause 1: Answer Group grp-bxb, Balance Method Round Robin
  Balance Clause 2: (empty)
  Balance Clause 3: (empty)

Rule bxb.com
  Source Address List: Asia
  Domain List: rest
  Balance Clause 1: Answer Group grp-bxb, Balance Method Round Robin
  Balance Clause 2: (empty)
  Balance Clause 3: (empty)

Domain List bxb
  www.bxb.com

Domain List rest
  www.bxb.com
  www.sjc.com

Answer Group grp-bxb
  Answer-1 (NY):  VIP-A 10.86.191.131
  Answer-1 (Bos): VIP-A 10.86.191.147

Answer Group grp-rtp
  Answer-2 (NY):  VIP-B 10.86.191.136
  Answer-2 (Bos): VIP-B 10.86.191.153

Shared Keepalive
  Type: kal-ap
  10.86.191.129 | 10.86.191.145

Source Address List Anywhere
  0.0.0.0 – 255.255.255.255

Source Address List Asia
  124.0.0.0 – 145.0.0.0
  87.0.0.0 – 94.0.0.0
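As an added example (not Cisco code), the Python below models the objects on this slide and resolves queries the way the "Policy based GSLB" use case describes: rules are evaluated in the order listed and the first rule whose source address list and domain list both match is used, then its balance clauses are tried in order until one has an answer with a passing keepalive. It also serves the "Keep Alives (KAL)" backup slide, since an answer's keepalives are ANDed. Assumptions of the model, not statements from the slide: first-match rule ordering; the pairing of rule names with lists follows the order they appear above; keepalive results are constructed rather than probed; a second balance clause (grp-rtp) is attached to the bxb.com rule, where the slide leaves clauses 2 and 3 empty, to show fallback; and the Answer-2 keepalives are invented per-answer HTTP-HEAD probes.

```python
import ipaddress
import itertools


class Answer:
    """A VIP plus the keepalives that must all pass (KALs are ANDed)."""

    def __init__(self, name, vip, keepalives):
        self.name, self.vip, self.keepalives = name, vip, keepalives  # dict: probe -> bool

    def online(self):
        return bool(self.keepalives) and all(self.keepalives.values())


class AnswerGroup:
    def __init__(self, name, answers):
        self.name, self.answers = name, answers
        self._rr = itertools.cycle(range(len(answers)))

    def round_robin(self):
        """Next answer in rotation that is online; None if the whole group is down."""
        for _ in range(len(self.answers)):
            candidate = self.answers[next(self._rr)]
            if candidate.online():
                return candidate
        return None


class SourceAddressList:
    def __init__(self, name, ranges):
        self.name = name
        self.ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi)) for lo, hi in ranges]

    def matches(self, addr):
        ip = ipaddress.ip_address(addr)
        # version check first: comparing v4 and v6 addresses raises TypeError
        return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in self.ranges)


class DnsRule:
    def __init__(self, name, sal, domain_list, clauses):
        self.name, self.sal, self.domain_list, self.clauses = name, sal, set(domain_list), clauses


def resolve(rules, ldns_addr, qname):
    """(rule name, VIP); (rule, None) if the matching rule has no live answer;
    (None, None) if no rule matches at all."""
    q = qname.lower().rstrip(".")
    for rule in rules:
        if q in rule.domain_list and rule.sal.matches(ldns_addr):
            for group, method in rule.clauses:
                if method != "round-robin":
                    raise NotImplementedError(method)
                answer = group.round_robin()
                if answer is not None:
                    return rule.name, answer.vip
            return rule.name, None
    return None, None


def build_config():
    """The slide's objects. Returns (rules, shared keepalive status dicts)."""
    # Shared keepalive of type kal-ap (10.86.191.129 | 10.86.191.145): the
    # probe results are shared dicts, so one change is seen by every answer
    # that references them.
    kal_ny = {"kal-ap 10.86.191.129": True}
    kal_bos = {"kal-ap 10.86.191.145": True}
    grp_bxb = AnswerGroup("grp-bxb", [
        Answer("Answer-1 (NY)", "10.86.191.131", kal_ny),
        Answer("Answer-1 (Bos)", "10.86.191.147", kal_bos),
    ])
    grp_rtp = AnswerGroup("grp-rtp", [
        Answer("Answer-2 (NY)", "10.86.191.136", {"http-head 10.86.191.136": True}),   # constructed
        Answer("Answer-2 (Bos)", "10.86.191.153", {"http-head 10.86.191.153": True}),  # constructed
    ])
    sal_anywhere = SourceAddressList("Anywhere", [("0.0.0.0", "255.255.255.255")])
    sal_asia = SourceAddressList("Asia", [("124.0.0.0", "145.0.0.0"), ("87.0.0.0", "94.0.0.0")])
    rules = [
        DnsRule("goodFellas.com", sal_anywhere, {"www.bxb.com"}, [(grp_bxb, "round-robin")]),
        DnsRule("bxb.com", sal_asia, {"www.bxb.com", "www.sjc.com"},
                [(grp_bxb, "round-robin"), (grp_rtp, "round-robin")]),  # clause 2 assumed
    ]
    return rules, {"ny": kal_ny, "bos": kal_bos}


if __name__ == "__main__":
    rules, kals = build_config()
    print(resolve(rules, "1.2.3.4", "www.bxb.com"), resolve(rules, "1.2.3.4", "www.bxb.com"))
    print(resolve(rules, "130.1.1.1", "www.bxb.com"))   # shadowed by the Anywhere rule
    kals["ny"]["kal-ap 10.86.191.129"] = kals["bos"]["kal-ap 10.86.191.145"] = False
    print(resolve(rules, "130.1.1.1", "www.sjc.com"), resolve(rules, "1.2.3.4", "www.bxb.com"))
```

Two things to check in your own rule set fall out of the model. Because goodFellas.com uses the Anywhere list and is listed first, a www.bxb.com query from an Asia address never reaches the bxb.com rule (only www.sjc.com does): put catch-all rules after the specific ones. And the Anywhere list on the slide is IPv4-only, so an IPv6 LDNS matches no rule at all; with IPv6 clients in play, the source address lists need IPv6 ranges too.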



    GSS vs F5 GTM



    GSLB Core Balance Functions


Keep Alives (KAL)

Keepalive types: TCP, ICMP, HTTP-HEAD, SNMP

[Diagram: GSS probing CSS-A and CSS-B and the servers behind them at Site 1 and Site 2]

  • KALs: a back-end process gathers state and load information from devices within the data center such as local server load balancers and origin servers

  • KALs can be grouped and logically ANDed together

  • V2.0 added a new KAL type: SNMP based



    Types of GSLB Solutions

    GSS is a DNS based GSLB Solution



    GSS 3.2.0 Bug Fixes

