GSS Physical Connectivity

Unanswered Question
Sep 1st, 2008


The data center site receives traffic through the internet on the outside of its firewall. After the firewall is the ACE for load balancing requests. Where does the GSS fit into this topology and how is it physically connected, i.e. via Ethernet0 or Ethernet1? Why do we need two interfaces?

Is there any easy-to-follow configuration example for GSS?


Syed Iftekhar Ahmed Mon, 09/01/2008 - 11:01

GSS is part of the DNS infrastructure.

It doesn't need to be inline with FW/LB or any other device.

Just treat it as an intelligent DNS server. The only requirement is that GSS needs to probe the VIPs configured on LBs (or in some cases servers directly, if needed), which means probe traffic from GSS to VIPs should be allowed by the intermediate security devices.

You can use only one interface if you want. With two interfaces you can dedicate one interface for inter-GSS traffic and the other interface for probe traffic.

Syed Iftekhar Ahmed

new_networker Mon, 09/01/2008 - 11:33


Is there any easy configuration for single site GSS functionality?

In our case, there are two GSS; one at Primary site and other at DR. The GSS at primary site should always send client requests to the primary. Only in case of unavailability of the primary site, the GSS should route the client requests to the DR site.


Syed Iftekhar Ahmed Mon, 09/01/2008 - 13:06

You will need to define a DNS rule on GSS with "ordered list". The ordered list method uses the next VIPs or NS Forwarders when all previous VIPs or NS Forwarders are OFFLINE or overloaded.

A DNS rule on GSS defines the decision logic for GSS.

A typical DNS rule is as follows:

For requests arriving from a "certain D-Proxy"

and asking for a "certain Hosted Domain"

use this "Answer Group"

and use this "Balance Method" to choose the best answer.

I am afraid there is no shortcut; you will need to go through the GSS GSLB guide to understand GSS terms and implement it.

Syed Iftekhar Ahmed

new_networker Mon, 09/01/2008 - 15:10

Is it possible to configure the DNS rules via CLI? The configuration guide talks about DNS Rule Wizard & Builder, both of which I believe are GUI based.

If there is a CLI equivalent, please let me know the commands for:

For requests arriving from a "certain D-Proxy"

and asking for a "certain Hosted Domain"

use this "Answer Group"

and use this "Balance Method" to choose the best answer.


new_networker Mon, 09/01/2008 - 16:42

Ok. After I have created the DNS rule, VIP balance type etc., how can I configure redirection to the DR site in case of primary site failure?

If I were to configure the VIP method as 'ordered', would the DR site VIP group contain a private IP or public IP for the DR? If so, then how would the request be re-routed to the DR from Primary?

The data center setup is that the internet line is directly terminated on the outside of our first/edge device i.e. the firewall. GSS would probably be placed on the DMZ or inside of the firewall.

How can the re-routing be achieved ?


new_networker Mon, 09/01/2008 - 18:37

In addition to the previous request, could you also please clarify the below, taken from another post of yours:


Typical flow is as follows

1. Client will hit their DNS servers (configured on their machines as primary/backup dns server).

2. "Client's DNS server" will query "DNS server authoritative for" for

3. "DNS server authoritative for" will ask "client's DNS server" to query "GSS - Authoritative for"

4. "Client's DNS server" will query GSS for

5. GSS will send the ip add of (which should be configured on ACE as VIP).

6. "Client's DNS server" will handover this VIP to client

7. Client will hit the VIP configured on ACE (for application


Here at point 5, the VIP that GSS shall send is a private IP or public IP? I am assuming it cannot be private since the client will not be able to initiate a request to a VIP on a private IP over the internet.

Lastly, if the client requests two different URLs which translate to two different VIPs, would it require two GSS A records in the primary authoritative DNS or should one GSS suffice? If so, how will it be?

Awaiting your reply.

Kind Regards.

Syed Iftekhar Ahmed Mon, 09/01/2008 - 22:15

Both GSSs at the two data centers will be running the same DNS rule. You will need to create two answer groups.

Answer group1 --> for VIPS in DC1

Answer group2 --> for VIPS in DC2

The DNS rule will state to use ordered list for Answer gp1 & Answer gp2, which means serve answers in AnswerGp1 and, if these answers are not available, then serve from AnswerGp2.

As I said earlier, GSS is a part of the global DNS infrastructure, thus it mostly resolves to public IPs.

I have done installations where there are isolated GSS networks (split DNS) where the global GSS network serves public IPs & the intranet GSS N/W serves private IPs.

In short, if your GSSs are deployed for internet traffic then they should serve public



new_networker Mon, 09/01/2008 - 23:17

I have a query on adding answers to the answer group.


1. Define VIP-Type Answer

2. Define answer-group

3. Add answer to the VIP-Type Answer group

My query is that if I have already configured the VIP-Type Answer (step 1), why do I need to mention the IP addresses again while adding the answer to the VIP-Type Answer Group?


new_networker Tue, 09/02/2008 - 02:57

Oops..I didn't mention I was using CLI. Could you please shed light on CLI part. That's where my concern is.


new_networker Tue, 09/02/2008 - 03:16

As an example,

- To create an answer:

answer vip

- To add an answer to the answer group


Is it correct that the IP address needs to be entered twice?


Syed Iftekhar Ahmed Tue, 09/02/2008 - 12:01

Here you are just assigning Answers to the Answer Group. The Answer group has no IP assigned to it. These IPs are only used to reference/identify the Answer from the available/configured Answers.


sateeshk10 Tue, 09/02/2008 - 19:45


Sorry to interrupt you ...

I have some queries related to this

GSS1 -- DC1

GSS2 --- DC2

VIP DC1 == -

VIP DC2 === (Public) - in my FW

My requirement is if GSS1 is not available then GSS2 should respond. For the same I have created

one answer group (VIP type)

Two VIP answers (public IP I have given in ANSWER and mapped two answers to one answer group..

In answers VIP tab I need to give public IP/private IP (natted IP)??

I have created two KAL-AP with private IP(, and same mapped to answers,

is it right??

In ANS grp I need to give more weight to DC1 like(10) and DC2 is 1.. to achieve the same???

Above config will meet my requirements??

Please help in this regard..right now I am testing, now I need to put it in production at earliest..pls help me out in this regard..

Thanks in advance..

Once again I am sorry to break the conversation..



Syed Iftekhar Ahmed Tue, 09/02/2008 - 21:29


Within a GSS network both GSSs will have the same DNS rule. So if a DNS request hits any of the GSSs it will get the similar result.

When you delegate a subdomain to two GSSs then any of the GSSs can get hit.

What you could achieve is that any of the GSSs should respond with the VIP at DC1 only. Only if the VIP at DC1 is not available (DC1 is down) then both GSSs should serve the A-record of the VIP at DC2.

In order to achieve this you will need to create VIP type Answers for both DCs and group them in an Answer group.

In the DNS rule select this answer group and select ordered list as the load balancing algo.

(Assign a lower order value to the preferred answer)

For example, if you assign 1 to the DC1 Answer & order 2 to the DC2 answer then GSS will serve Answer1 and will only serve Answer2 if Answer1 is offline.

Weight is used for the weighted roundrobin algo.

For example, if you want GSS to reply with Answer1 to the first request & Answer2 to the next two requests then you will assign weight 1 to Answer1 & weight 2 to Answer2. You will also need to select roundrobin as the algo to make it work.

Syed Iftekhar Ahmed
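
The ordered-list failover and weighted round-robin selection described in the reply above, modelled in Python as an added example (not part of the original thread, and not GSS code or CLI). The answer names, the documentation-range addresses and the function names are assumptions, and the round-robin interleaving follows the reply's description rather than the device's exact scheduler.

```python
from dataclasses import dataclass
from itertools import cycle, islice

@dataclass
class Answer:
    name: str            # hypothetical label for a VIP-type answer
    vip: str             # constructed documentation-range address
    order: int = 0       # ordered list: lower value is preferred
    weight: int = 1      # weighted round robin: share of replies
    online: bool = True  # last keepalive/probe result for the VIP

def ordered_list(answers):
    """Pick the online answer with the lowest order value, else None."""
    live = [a for a in answers if a.online]
    return min(live, key=lambda a: a.order, default=None)

def weighted_round_robin(answers, requests):
    """Serve online answers in turn, each repeated `weight` times."""
    schedule = [a for a in answers if a.online for _ in range(a.weight)]
    return list(islice(cycle(schedule), requests)) if schedule else []

def failover_timeline(answers, probe_rounds):
    """Apply each round of probe results, then record the VIP served."""
    by_name = {a.name: a for a in answers}
    served = []
    for states in probe_rounds:
        for name, up in states.items():
            by_name[name].online = up
        pick = ordered_list(answers)
        # None models the case where no answer in the group is usable.
        served.append(pick.vip if pick else None)
    return served

def demo_answers():
    # Constructed sample: DC1 is preferred (order 1), DC2 is the DR site.
    return [Answer("dc1-vip", "203.0.113.10", order=1, weight=1),
            Answer("dc2-vip", "198.51.100.10", order=2, weight=2)]

if __name__ == "__main__":
    # Constructed probe history: all up, DC1 down, both down, both back.
    rounds = [{"dc1-vip": True}, {"dc1-vip": False},
              {"dc1-vip": False, "dc2-vip": False},
              {"dc1-vip": True, "dc2-vip": True}]
    print(failover_timeline(demo_answers(), rounds))
    print([a.name for a in weighted_round_robin(demo_answers(), 6)])
```

Because both GSSs run the same rule, the result is the same whichever one receives the query; what differs in practice is only each device's own view of the probe state.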

sateeshk10 Wed, 09/03/2008 - 05:22


Thanks for info..

For creating answers do I need to give the private IP or public, as I told you that I natted public with private IP??



sateeshk10 Wed, 09/03/2008 - 13:09


Along with the above mentioned setup I would like to enable proximity..?? Does it make sense..

If so, I want to install special router SLA at DC1 and DC2?? How to configure...I have gone through the documents, bit of confusion..pls explain simple and brief...if possible



