CSS 11501S GSLB DNS

Unanswered Question
Jan 23rd, 2008

Hi

I am in the process of planning for a GSLB failover solution for a web site. I have attached a very basic diagram showing an example of the topology.

The aim is to have two sites. A primary site and a DR site to be used as a failover solution.

The main site has two web servers that will need to be load balanced and the failover DR site will only have 1 web server.

My initial plan was to use 2 Cisco CSS 11501S devices as I believe this would provide the load balancing and GSLB functionality I require.

To achieve this I was going to use the CSS's as the primary and secondary name servers for the domain. This has raised a few question marks….

Both of our sites are connected to a private WAN (with private IP ranges). See attached diagram. Our internet access is provided through a third party “Firewall Port” directly off the WAN. We don't manage the firewall that connects to the internet. This third party firewall provides the NAT for our public facing services (web servers, mail servers, ftp servers etc).

So my questions are…

* Because the CSS's and web servers are located on a private network, will the CSS's be able to respond to the DNS requests with the PUBLIC IP address (as seen from the internet) of the servers as opposed to the private IP address of the servers? If the firewall in front of the CSS's was connected to the internet this could be done via DNS doctoring, but our firewall is on a private subnet!

* Is it possible to get the CSS's to respond to DNS requests for other domain devices that do not reside behind the CSS - e.g. an MX record for a mail server that resides on another 'private' network?

* Is there a better way to achieve this?

Any assistance would be much appreciated!!

Gilles Dufour Thu, 01/31/2008 - 01:21

If the firewall is the one doing the NATing, it should do DNS doctoring.

Does not matter where it is connected.

The firewall inspects the DNS response and applies the NATing to the address inside.

No matter if it is connected to internet or not.

If the firewall does not do this, you will always have problems.

If you configure the CSS to answer with the public IP address, you can't access your VIP from the internal network anymore.

A GSS has a feature to provide different answer depending on the source ip.

So, this could be a better use here.

Also, be aware we do not support GSLB on the CSS anymore.

So, if this is a new install, it is better to start with a solution that we support - GSS.

For the MX record, we can't do it with the CSS, but you can create an NS record that will forward the MX record request to an external server that can then provide an answer.

The GSS again offers more functionality here.

Gilles.
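The two mechanisms Gilles describes (a NAT firewall "doctoring" the A records inside a DNS response, and a GSS handing out a different answer depending on the client's source address) are shown below as an added, self-contained example; it is not code from the thread, from Cisco, or from any CSS/GSS product. The NAT table, VIPs, client addresses and the DNS packet itself are constructed for illustration, and `doctor_response` is a deliberately minimal stand-in for what a NAT firewall's DNS inspection does (it rewrites only IN A records, leaving the packet length unchanged so no checksum or length fields need fixing).

```python
import ipaddress
import struct

# Constructed NAT table (assumed values): private VIP behind the CSS -> public address
NAT_TABLE = {
    "10.1.1.10": "203.0.113.10",   # primary site VIP
    "10.2.1.10": "203.0.113.20",   # DR site VIP
}
# Constructed: address ranges considered "internal" to the private WAN
INTERNAL_NETS = ("10.0.0.0/8",)


def build_a_response(name, addrs, txid=0x1234, ttl=30):
    """Build a minimal DNS response: one question, one IN A record per address (constructed packet)."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)   # QR, RD, RA set; NOERROR
    question = qname + struct.pack("!HH", 1, 1)                           # QTYPE=A, QCLASS=IN
    answers = b""
    for a in addrs:
        # 0xC00C = compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(a).packed
    return header + question + answers


def _skip_name(pkt, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _answer_rdata_offsets(pkt):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each RR in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def doctor_response(pkt, nat_table=NAT_TABLE):
    """Firewall-style DNS doctoring: rewrite IN A rdata that matches a NAT entry.

    Only the 4 rdata bytes change, so offsets stay valid and the packet length is unchanged.
    """
    out = bytearray(pkt)
    for off, rtype, rclass, rdlen in _answer_rdata_offsets(out):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            private = str(ipaddress.IPv4Address(bytes(out[off:off + 4])))
            public = nat_table.get(private)
            if public:
                out[off:off + 4] = ipaddress.IPv4Address(public).packed
    return bytes(out)


def extract_a_records(pkt):
    """Return the A-record addresses in a response, in answer order (used to check results)."""
    return [
        str(ipaddress.IPv4Address(bytes(pkt[off:off + 4])))
        for off, rtype, rclass, rdlen in _answer_rdata_offsets(pkt)
        if rtype == 1 and rclass == 1 and rdlen == 4
    ]


def split_horizon_answer(client_ip, private_vips, nat_table=NAT_TABLE, internal_nets=INTERNAL_NETS):
    """GSS-style answer selection by source address: internal clients get the private VIPs,
    everyone else gets the public NAT addresses. Raises KeyError if a VIP has no NAT entry,
    which is the misconfiguration you want to notice rather than silently leak a private address."""
    client = ipaddress.IPv4Address(client_ip)
    if any(client in ipaddress.IPv4Network(n) for n in internal_nets):
        return list(private_vips)
    return [nat_table[v] for v in private_vips]


if __name__ == "__main__":
    resp = build_a_response("www.example.com", ["10.1.1.10", "10.2.1.10"])
    print("CSS answers:      ", extract_a_records(resp))
    print("after doctoring:  ", extract_a_records(doctor_response(resp)))
    print("GSS, internal:    ", split_horizon_answer("10.5.5.5", ["10.1.1.10"]))
    print("GSS, from internet", split_horizon_answer("198.51.100.7", ["10.1.1.10"]))
```

Running the block shows the point of the thread: with doctoring, the CSS keeps answering with private VIPs (so internal access keeps working) and the firewall rewrites them on the way out; without doctoring, the only way to get a public answer to internet clients is source-based selection at the DNS server, which is the GSS feature Gilles refers to.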

davidbuit Thu, 01/31/2008 - 02:59

Thanks for the response Gilles. When you say

"If you configure the css to answer with the public ip address, you can't access your vip from the internal network anymore."

Do you mean that you will only get the public ip address from a DNS query and therefore this won't work locally?

If I have a host file entry providing the private address resolution for my internal hosts will this work?

"Also, be aware we do not support GSLB on the CSS anymore.

So, if this is a new install, it is better to start with a solution that we support - GSS"

Why is this no longer supported? Are there a lot of problems with GSLB on the CSS? It is pretty hard to justify the cost of a solution including 2 GSS's for GSLB and 1 CSS for server load balancing when compared to the price of 2 CSS's with the enhanced license for both GSLB and server load balancing.

I have one client that wants to use their existing CSS's for a solution like this and another that is starting from scratch.

Thanks
