Cisco Support Community

Green

11500 GSLB Newbie - help needed

I'm new to this equipment so bear with me. I am hoping to get a "plain English" explanation about the following doc. Here is my situation. I have 2 sites, a main and a backup, different networks, geographically remote with a point to point connection between the two. I also have a l2l tunnel between the two if it is needed. I have a web application I need to establish some redundancy for. If site A or webserver A goes down I need traffic to be directed to Site B Webserver B. Easy enough probably. According to the doc, it sounds like this is what I need to do, but I must be missing something. Any further explanation would be helpful and appreciated.

Basic Global Load Balancing Site Redundancy Using the CSS with DNS

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00801dcd75.shtml

18 REPLIES
Bronze

Re: 11500 GSLB Newbie - help needed

Hi,

Have you already configured the CSS? If so, what are you missing, or what is not working for you?

What parts of this setup are giving you a hard time? Thanks!

Regards,

Jose.

Green

Re: 11500 GSLB Newbie - help needed

I have not yet set this up. It is a little difficult because the diagram shown does not display all the ip addresses.

I'm really just trying to understand how it works.

Green

Re: 11500 GSLB Newbie - help needed

Ok, I have a specific question now. In the document referenced above "Basic Global Server Load Balancing Site Redundancy Using the CSS with DNS", I have a few questions.

Are the CSS's becoming the authoritative DNS servers for the domain www.yourdomain.com? If so, that means I have to create 2 NS records at my authoritative DNS, 1 primary to VIP 1, and 1 secondary to VIP 2? I know it says this in the document, but if they mean A records instead of NS records, then the CSS's are not authoritative for www.yourdomain.com.

So I guess my question is do I create 2 NS records pointing to the VIP's or do I create 2 A records on my authoritative DNS to the VIP's? Hope that makes sense. Thanks in advance.

Green

Re: 11500 GSLB Newbie - help needed

Also, is this all possible behind NAT (ASA5510) with 1 to 1 statics?

Bronze

Re: 11500 GSLB Newbie - help needed

Hi,

In regards to your questions:

- I've set GSLB in the past following this link step by step and I've had no issues. In regards to the configuration of the CSS, no commands are missing. What do you mean when you say that some IPs are missing?

- Regarding your DNS questions, yes, the CSS' would be the authoritative DNS servers for the domains configured on the CSS', as long as you configure the NS records (not A records) on your DNS servers. So, you need to configure NS records and not A records on your DNS servers, pointing to the VIPs of the CSS, if you want the CSS to become the authoritative DNS servers for those domains.

- NAT shouldn't be a problem as long as it is properly configured. Remember that you need to configure NAT for DNS, also for the requests that come to the VIPs and don't forget the APP session between the Master and the Backup site.

I hope this helps. Thanks!

Regards,

Jose.

Green

Re: 11500 GSLB Newbie - help needed

Thanks, Jose.

The comment I made about missing IP's just refers to the diagram in the document. Only the VIP's are listed in the image, that's all. So far I have...

Type   Domain               Answer
NS     ftp.mydomain.com     css1.mydomain.com
NS     ftp.mydomain.com     css2.mydomain.com
A      css1.mydomain.com    1.1.1.1
A      css1.mydomain.com    2.2.2.2

Hopefully it will work this way without making CSS authoritative for mydomain.com, only ftp.mydomain.com? Thanks again for the help, this is my first experience with CSS.
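
The delegation described in the post above (NS records for ftp.mydomain.com pointing at the two CSS names, each name needing its own A record) can be linted before cutover. This is an added example, not part of the thread or of Cisco's documentation; `parse`, `check_delegation` and the `VARIANT` record set are assumptions made for illustration, and the rows are constructed from the table as typed in the post.

```python
from collections import defaultdict

# Constructed sample input: the rows as typed in the post above, then the same
# set with the fourth row owned by css2 (the variant is an assumption).
AS_TYPED = """\
NS ftp.mydomain.com  css1.mydomain.com
NS ftp.mydomain.com  css2.mydomain.com
A  css1.mydomain.com 1.1.1.1
A  css1.mydomain.com 2.2.2.2
"""
VARIANT = AS_TYPED.replace("A  css1.mydomain.com 2.2.2.2",
                           "A  css2.mydomain.com 2.2.2.2")


def parse(text):
    """Return {rtype: {owner: [answers]}} from 'TYPE owner answer' rows."""
    table = defaultdict(lambda: defaultdict(list))
    for row in text.splitlines():
        fields = row.split()
        if len(fields) == 3:
            rtype, owner, answer = fields
            owner, answer = owner.lower().rstrip("."), answer.lower().rstrip(".")
            table[rtype.upper()][owner].append(answer)
    return table


def check_delegation(text, name):
    """List problems with delegating `name` from the parent zone."""
    table = parse(text)
    servers = table["NS"].get(name, [])
    findings = []
    if name in table["A"]:
        # The parent should hold only NS records for a delegated name.
        findings.append(f"{name}: A record at the delegated name in the parent zone")
    if len(servers) < 2:
        findings.append(f"{name}: {len(servers)} NS record(s), no second site to fail over to")
    seen = {}  # address -> name server that first used it
    for server in servers:
        addresses = table["A"].get(server, [])
        if not addresses:
            findings.append(f"{server}: NS target has no A record")
        for address in addresses:
            if address in seen and seen[address] != server:
                findings.append(f"{server}: shares {address} with {seen[address]}")
            seen[address] = server
    return findings
```
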

Green

Re: 11500 GSLB Newbie - help needed

Update: The above seems to work. I only have 1 CSS up at the moment, but I am able to resolve ftp.mydomain.com! I had to add the command "dns-server" to the CSS for it to resolve the name. Will I need this command once I bring up the other CSS and establish the APP session? The command was not in the doc. Thanks.

Bronze

Re: 11500 GSLB Newbie - help needed

Hi,

I just noticed that. You are right, you need to add the dns-server command to the CSS in order to get DNS resolutions. It is good to know that things are moving forward for you. Thanks!

Regards,

Jose.

Green

Re: 11500 GSLB Newbie - help needed

Thanks again. Just stumbled upon that.

In this scenario, would there be anything that would prevent me from having the CSS monitor services/servers on separate networks?

I have several servers on a DMZ and one server on the inside I would like to do this with. Should I have to move all the servers to the same network? For some reason, I was told we would have to purchase a second pair in that scenario.

Bronze

Re: 11500 GSLB Newbie - help needed

Hi,

It shouldn't be a problem for the CSS to have more VLANS and servers configured, besides the portion that is used for the GSLB setup. Thanks!

Regards,

Jose.

Green

Re: 11500 GSLB Newbie - help needed

So the servers don't have to be on the interfaces of the CSS? Would there be an advantage to having the servers on the physical interfaces of the CSS as opposed to somewhere else on the network?

Bronze

Re: 11500 GSLB Newbie - help needed

Hi,

The only advantage of having the servers directly connected to the interfaces of the CSS is that you don't need to worry about the routing on your network. If you are going to have the server somewhere else in your network, you must make sure that routing is properly configured, so the responses from the servers are indeed sent back to the CSS. Thanks!

Regards,

Jose.

Green

Re: 11500 GSLB Newbie - help needed

You mention "the responses from the servers"...are you just talking about the responses from ICMP keepalives for example?

Bronze

Re: 11500 GSLB Newbie - help needed

Hi,

Yes, it could be the response to the keepalives and also, the response to the load balanced traffic. Thanks!

Regards,

Jose.

Green

Re: 11500 GSLB Newbie - help needed

Ok, I think I have one more issue before I move forward with this. I have read somewhere that the CSS needs to be inline with all client/server traffic.

For the above GSLB scenario, does the CSS need to be inline with all the traffic from client to server?

Can the CSS reside on the "DMZ" and be the authoritative DNS for a server on the "inside"?

In this case a 5510 would contain static 1 to 1 nat's for the CSS in the DMZ, the 2 servers in the DMZ (directly attached to CSS) and 1 server on the inside (not inline with CSS). Possible?

I think what I'm looking at is a one armed config?

Bronze

Re: 11500 GSLB Newbie - help needed

Hi,

Your network setup doesn't need to be inline for this to work; but you need to control the flows and make sure that the servers go through the CSS when answering back, otherwise the sessions of your clients would be broken. All this means that you need to control the routing on your network and avoid asymmetric flows from occurring.

Regarding the DNS question, yes, the CSS can be on the DMZ and be the authoritative DNS for the servers inside, as long as the final response to the queries made for the domains running on the CSS is made to the CSS.

Regarding NAT, you can have static 1 to 1 NAT and it shouldn't be a problem, it all depends on a good configuration and the proper control of the routing within the network.

Thanks & Regards,

Jose.

Green

Re: 11500 GSLB Newbie - help needed

Thanks again, Jose!

Green

Re: 11500 GSLB Newbie - help needed

Another thing missing in the documentation, which may help another CSS beginner, is

acl enable

on the secondary CSS. The secondary CSS was not preferring the main site and I was not getting any hits on the ACL. I added the command and now all is working.
