Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.
During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.
We apologize for the inconvenience while we perform important updates to the Community.
I am planning to use GSS in a web server farm design. There is only one DMZ with web servers on it, but it is multihomed to two ISPs. We would like to acheive redundancy in case one ISP fails.
We are planning to use GSS because we would iike to find another way to do this instead of applying for our own IP address block.
Any one has experience in this?
Solved! Go to Solution.
If your app is configured such that it gets differnet public IPs from two ISPs then GSS can help you out.
Remember GSS is simply an Intelligent DNS server that checks the avaialability of the the A record before handing it out to the requesting DNS server.
So in case if your app exists at x.x.x.x and y.y.y.y for the world (from the two ISPs) then GSS can probe both IPs x.x.x.x & y.y.y.y( via configured probing methods like icmp, Tcp or HTTP head) and will only respond back to the client with A record of the Primary service (If you want it like that, you can also configure GSS to hand over x.x.x.x & y.y.y.y to clients on roundrobin basis).
Our plan is to get differnet IPs from the two ISPs, the incoming packet will get translated back to the private IP on our firewall (one for each ISP connection), which will then send it to the web server.
In this case, where do you place the GSS, and do we need one GSS for each ISP connection?
Also, in our case, the web services we are trying to host is only a sub-domain of our company, so on the GSS, we are going to put subdomain.companyA.com, because the www.companyA.com is hosted elsewhere and is using the corporate DNS. In this case, does the GSS has to talk to the corporate DNS who is responsible for the www.companyA.com? Or the GSS can become authoritative for the subdomain subdomain.companyA.com, and just answer to DNS request from other DNS on the Internet?
Do you know of any cisco scenario or config example for this kind of setup? I can't find any so far.
Thanks a lot.
In order to probe the two public IPs the GSS should be on the public side to check the public IPs of the App.
One GSS will do but it will be single point of failure.
You need to delegate authority to the GSS for the subdomain (in fact that's how GSS works). So the dns query for subdomain.companyA.com will first hit your existing DNS servers (authoritative for companyA.com), Your existing DNS servers will have a NS record pointing to the DNS server authoritative (GSS in this case) for subdomain.company.com.
Requesting DNS server will then ask GSS for subdomain.companyA.com.
Please read one of my old post for more details
Syed Iftekhar Ahmed
Thanks for your reply.
In that case, the only DNS server that the GSS need to talk to is the authoritative DNS in our company for www.companyA.com, and the GSS do not need to talk to any other DNS on the Internet?
Also, if we use 2 GSS for redundancy purpose, one GSS will have the IP from one ISP, whild the second GSS will have the IP from the 2nd ISP. The corporate DNS will have NS record for both GSS for the subdomain, but if one GSS goes down, how would the corporate DNS knows about it, is there keep-alive type of testing between the DNS server and the GSS?
What is the typical location of the GSS, behind our ISP facing firewall or outside of the firewall, or in the DMZ behind our firewall?
All client DNS servers (on Internet) will end up asking GSS's for the A records (of the subdomain GSS is authoritative) through the typical DNS process.
So all Internet DNS servers do need to contact GSS to get the subdomain based A records resolved.
Typically two GSSs are deployed in two datacenters (at two different physical locations). In your case it will make sense to connect two GSSs to two ISPs.
Corporate DNS server will pass on both GSSs information (in form of NS record) to the client DNS Servers. If Client DNS servers couldnt reach one GSS then they will attempt to connect the 2nd GSS and will get their answers.
Inter GSS traffic in a typical GSS network carries hardcoded IP addresses of each other. This makes it impossible to place GSSs behind a firewall (or for that matter behind any NAT device).
If its needed to place them behind Firewall then they can be configured as standalone devices and be place behind firewalls.
The only downside of this approach is that you will have to configure the two GSSs seperately ( vs in typical GSS networkm, you configure on and the other gets the config from the 1st GSS).
Syed Iftekhar Ahmed
But if we put the GSS behind the firewall in the DMZ, we can use the public IP in the DMZ on the GSS, so NATting is required there, in that case, it should work, right? So each GSS will be behind the firewall facing each ISP, and they will talk to each other using the static public IP.
Thanks a lot!