
Cisco Global Site Selector

Cisco Global Site Selector. Vikas Deolaliker. Product Manager, ECBU. September, 2011. Global Site Selector. Product overview. Cisco GSS in a Nutshell. Up to 16 GSS can work in a cluster to meet the needs of large Enterprise and Service Provider. ACE GSS4492R-K9 HW


Presentation Transcript


  1. Cisco Global Site Selector Vikas Deolaliker Product Manager, ECBU September, 2011

  2. Global Site Selector Product overview

  3. Cisco GSS in a Nutshell
  Up to 16 GSS can work in a cluster to meet the needs of large Enterprise and Service Provider.
  Orderable items: ACE GSS4492R-K9 (HW); SF-GSS-V1.3-K9 (SW); SF-GSS-DDOSLIC (DDoS); SF-GSS-GIPLICFX (GeoIP GSLB Support); SF-GSS-V6LICFX (IPv6 Support)
  • License free IPv6 Support
  • DDoS Protection
  • Geographical and Resource Affinity
  • Supports Cisco ACE/CSS/CSM
  http://cio.cisco.com/en/US/products/hw/contnetw/ps4162/products_installation_and_configuration_guides_list.html

  4. More specifically …
  GSS participates in your DNS Infrastructure to enforce BCDR, GSLB and DNS Security policies.
  • Provides Universal DNS-based Disaster Recovery – redirects clients to the back-up data center for any device that supports an SNMP MIB and uses DNS
  • Protects the DNS infrastructure with DNS-based DDoS mitigation software
  • Delivers Advanced Global Traffic Management
    • Global Server Load Balancing (GSLB) for geographically dispersed Server Load Balancers and Caches
    • Connects clients to the best server based on: network topology; server load; availability of content and devices

  5. Release 4.1 Highlights
  Globally route clients based on: Geographical Proximity; RTT Proximity; Site Persistence; Site Health
  Key Benefits of a GSS Network:
  • Route clients based on geographical proximity to application
  • Support for IPv6 addressing for clients and servers
  • Extreme scalability for cloud datacenters
  • Reduce operational costs through enhanced GUI and ANM integration
  Available on CCO: September 22nd, 2011
  [Diagram: User and LDNS querying the GSS Network; SLBs in Datacenter A and Datacenter B, all addressed with IPv6 (2001:0DB8:AC10:FE01::); steps a–d]

  6. Geolocation Based Global Delivery
  Geolocation Highlights:
  • (a) GeoIP based Proximity: proximity calculations using GeoIP distances
  • (b) GeoRegions: GeoIP based Regions. Regions based on GeoIP database entries (add a single country or multiple countries); granularity down to states. Sticky support for GeoRegions
  • (c) GeoSAL: GeoIP based Source Address Lists. SALs can be based on GeoIP based Regions
  • (d) New GUI Design (Kubric Look & Feel): GUI option to configure all GeoIP functionality
  [Diagram: User (2001:0DB8:AC10:FE01::), LDNS, GSS Network, SLBs in Datacenter A and Datacenter B; steps a–d]

  7. GeoProximity
  • Override RTT based Proximity
  • Pick the application based on geographical distance between probing device and client LDNS
  • Licensable Feature
  [Diagram: User (2001:0DB8:AC10:FE01::) and LDNS reaching GSS over the Internet; Data Centers A, B, C and D with ACE and servers]

  8. GeoRegions
  • Define Regions based on logical groups. For example BRIC (Brazil, Russia, India, China).
  • Create geographically grouped resource pools. For example, US-Central-Datacenter. Use the regions to group resources (VIPs, NS, CRA) and clients (source address lists)
  • Define persistence policy based on GeoRegions

  9. Operational Flexibility – Lower the Operation Expense
  • ANM
    • Import GSSM configuration into ANM and monitor VIP status and DNS rules status/hit count statistics from the ANM GUI
    • Suspend/Activate VIPs/Rules/GSS SW RelNum from the ANM GUI
  • HTTPs KAL
    • Add HTTPS-HEAD to existing KAL types: ICMP, TCP, HTTP HEAD, KAL-AP, Scripted KAL, CRA, and Name Server
  • Global Shared KeepAlive Activate/Suspend
  • GUI Logging

  10. Ease of Management
  GSS network is managed as a system – reduces number of touchpoints
  • GSS is a system not a device
    • Self synchronization of up to 16 GSSes
    • Single point of management via GUI
    • Does not sacrifice device level access (SSH to box)
    • Any GSS can run the GUI and a 2nd GSS serves as standby
  • Easy to use interface
    • IOS syntax
    • 100 new CLI commands since v1.3
    • Single interface for monitoring, troubleshooting and configuration
    • Supports import/export of configuration in industry standard formats
    • Role based access control
    • Remote syslog support
  • Management integration with ANM
    • ANM supports the activation and suspension of DNS rules and answers
    • ANM communicates with the primary GSS manager (PGSSM) via CLI, RMI and SSH. The configuration parameters needed to establish this communication are the GSS IP address and SSH credentials
    • Four of the eight administrator logons are consumed by ANM
    • ANM issues commands to the PGSSM, then the PGSSM relays these commands to the rest of the GSSs in the cluster
  [Diagram: ANM → GSS GUI → GSS Network]

  11. IDN Support
  Internationalized Domain Names (IDNs) are domain names that contain non-ASCII characters (for example, Arabic or Chinese). The ASCII form of an IDN label is termed the "A-label"; the Unicode form is the "U-label". GSS can be configured for non-ASCII URLs.

  12. DNSSEC Ready
  DNSSEC requests are automatically forwarded: *matching* non-A DNS queries go to the external name server. For *matching* A queries with the DO (DNSSEC OK) flag set, GSS forwards the request to the external name server; the external NS provides a DNSSEC response, which the GSS forwards to the D-proxy. For all the rest, GSS responds as it currently does with a plain DNS response.
  Configuration is quick and simple:
  gss2-tb1.cisco.com# configure terminal
  gss2-tb1.cisco.com(config)# property set ServerConfig.dnsserver.enableEDNS 1
  gss2-tb1.cisco.com(config)# property set ServerConfig.dnsserver.nsForwardAQueriesWithDOFlag 1
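The forwarding decision on this slide hinges on two things the GSS has to read out of the wire-format query: the query type and the DO bit, which lives in the flags of the EDNS0 OPT pseudo-record rather than in the DNS header. The following Python is an added example (not Cisco code and not taken from the deck): it builds and parses minimal DNS queries, extracts the DO bit from the OPT RR, and applies the slide's rule. The `gss_action` function and its `edns_enabled` / `forward_a_with_do` parameters are my own modelling of the two `property set` flags, and "matching" is assumed to mean the qname is at or under a configured domain.

```python
import struct

QTYPE_A, QTYPE_AAAA, QTYPE_OPT = 1, 28, 41
EDNS_DO_BIT = 0x8000  # DNSSEC OK bit in the OPT RR flags (RFC 3225)


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a wire-format name at offset; returns (name, offset after the name)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, pointer)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(qname, qtype, edns=False, do=False, msg_id=0x1234):
    """Construct a DNS query, optionally carrying an EDNS0 OPT RR with the DO bit set."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns:
        flags = EDNS_DO_BIT if do else 0
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHBBHH", QTYPE_OPT, 4096, 0, 0, flags, 0)
    return msg


def parse_query(msg):
    """Return qname, qtype and whether an OPT RR with the DO bit is present."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    edns = do_flag = False
    for _ in range(an + ns + ar):  # walk the remaining RRs looking for OPT
        _, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE_OPT:
            edns = True
            do_flag = bool((ttl & 0xFFFF) & EDNS_DO_BIT)  # low 16 bits of the OPT TTL are the flags
    return {"qname": qname, "qtype": qtype, "edns": edns, "do": do_flag}


def gss_action(query, matched_domains, edns_enabled=True, forward_a_with_do=True):
    """Slide-12 decision (assumed modelling): 'forward' to the external NS or 'plain-dns' response."""
    qname = query["qname"].lower().rstrip(".")
    matched = any(qname == d or qname.endswith("." + d) for d in matched_domains)
    if not matched:
        return "plain-dns"
    if query["qtype"] != QTYPE_A:
        return "forward"  # matching non-A queries are always forwarded
    if edns_enabled and forward_a_with_do and query["do"]:
        return "forward"  # matching A query with DO set is forwarded for a signed answer
    return "plain-dns"


if __name__ == "__main__":
    q = parse_query(build_query("www.example.com", QTYPE_A, edns=True, do=True))
    print(q, gss_action(q, ["example.com"]))
```

A query without an OPT record (or with the DO bit clear) still gets the GSS's own plain answer for A records, which is why the slide pairs `enableEDNS` with `nsForwardAQueriesWithDOFlag`: without EDNS the DO bit can never be seen.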

  13. Extreme Scalability – Global Application Delivery
  • Thousands of Applications: GSS answers are VIPs declared on ACE. In Rel 4.1, GSS supports 256 ACEs, 8000 VIPs and 2000 domains
  • Vast Pools of Resources: Keepalive is the way GSS monitors resources behind the VIPs that it serves. KAL-AP is the Cisco proprietary keepalive. In Rel 4.1, GSS supports 128 KAL-AP configurations
  • Global Clients and Servers: GSS responds with VIPs that are closest to the requesting client (LDNS). In Rel 4.1, GSS uses GeoIP to determine proximity in addition to the existing probing mechanisms
  • ANM for Cluster Management: ANM can activate/suspend answers on GSS and manage all 16 GSSes in a cluster
  [Diagram: User, LDNS, GSS Network, ACE in Datacenter A and Datacenter B with utilization; steps a–d]

  14. End to End Solutions: GSS, ACE, N7K – ACE+GSS Cloud Solution
  ACE Integration Points:
  • Wide Area Vmotion (OTV/DWS): GSS, upon notification of a vmotion, changes the answer for a query, thereby helping the customer preserve WAN bandwidth
  • ACE Virtualization: GSS treats ACE contexts as separate ACE devices, thereby enabling virtual datacenters for each customer B, C, D, …
  • Virtual GSS: with Rel 5.1 (CY12), vGSS can offer dedicated GSS functionality per VLAN
  [Diagram: User, LDNS, GSS Network; ACE in Primary Datacenter and Secondary Datacenter with VMs B, C, D; steps a–c]

  15. GSS IPv6 Support

  16. GSS 4.1 – Q4CY11
  • GeoIP based GSLB
    • GeoIP based proximity
    • GeoIP based DNS Rules and Sticky
  • (b) IPv6
    • Support for AAAA response
    • Support for persistence
    • IPv6 Management over IPv6 interface
  • (c) New GUI Design (Kubric Look & Feel)
  • (d) Configuration Scalability
    • 8000 answers
  [Diagram: User (2001:0DB8:AC10:FE01::), LDNS, GSS Network, SLBs in Datacenter A and Datacenter B; steps a–d]

  17. GSS Release Map (timeline Jan 2011 – Feb 2012)
  • Release 3.2: HTTPs KAL; Workaround DNSSEC; Bug Fixes
  • Release 3.3 (Private Only): Geo IP Proximity; 8K Answers Support; ANM support for 8K Answers
  • Release 4.1: IPv6 Support; Geo IP GSLB; ANM support for 8K Answers
  • Release 4.1.1: IPv6 dot.ONE release; Bug Fixes

  18. 2012 GSS Direction
  • Release 3.2 (Feb, 2011): HTTPs KAL; DNSSec Forwarding; Critical Bug Fixes
  • Release 4.1 (September, 2011): IPv6 Support (AAAA); GeoIP (Proximity, GeoRegions, GeoSALs)
  • Release 5.0 (CC'ed): DNSSec with FIPS; SOA & NS Record; HW Refresh

  19. GlobalStrike – GSS 5.1 Concept Committed 8/22/2011
  Key Asks in GlobalStrike:
  1. Security and Compliance
    • (a) DNSSEC strengthens the integrity of the DNS Query/Response transaction against threats such as: forged or bogus responses; removal of Records (RRs) in responses; incorrect application of wildcard expansion rules
    • (b) USGv6 and IPv6 Ph 2 Logo certification
    • FIPS compliant or validated encryption with acceleration
    • Common Criteria EAL-2
  2. Platform Refresh
    • (c) UCS server based appliance (San Luis)
    • vGSS
  GeoIP Enhancements
    • (d) Logical Grouping of Geo Regions
  4. KAL-AP
    • Enhancements and scalability
  [Diagram: User (2001:0DB8:AC10:FE01::), LDNS, GSS Network, SLBs in Datacenter A and Datacenter B; steps a–d]

  20. GSS Roadmap
  Rel 4.0 (Q4CY11):
  1. DNS Services: IPv6 – support for AAAA, A6, CNAME DNS Records
  2. Operation Optimization: Audit Logs; Log Source IP; Sync CLI and GUI; View KAL logs through GUI
  3. GSLB Services: Geo IP based Proximity
  4. DCI Services: Automation to support Vmotion over DCI
  5. Hardware Platform: GSS-4492R
  Rel 5.0 (1HCY12):
  1. DNS Services: DNSSEC with FIPS; SOA & NS Record Support
  2. Operational Optimization: Authentication using AD; Automated Backup; Activate/Suspend Answers; Enhanced Reporting; Alerts/Alarms
  3. GSLB Services: Share KAL Status Among Peers; KAL-AP with VIP Capacity/Load
  4. DCI Services: Automation through integration with ANM; Exploring LISP Support
  5. Hardware Platform: Hardware Refresh with FIPS compliance
  [Diagram: User, LDNS, GSS Network, SLBs in Datacenter A and Datacenter B, with call-outs 1–5 mapping the five service areas]

  21. DNS – Ease of Deployment
  GSS participates in the DNS infrastructure – lower latency. GSS becomes the Authoritative Name Server for the entire zone, supporting all applications for the SP.
  [Diagram: Root Name Server; Intermediate Name Server supporting .com; GSS at Data Center #1 and Data Center #2; Client Name Servers (D-proxy) at ISP#1, ISP#2 and ISP#3 running CNR, QIP and BIND; DNS Resolvers (DNSR: IE, Firefox, etc.) on clients requesting web sites over Fixed Wireless, Dedicated/ATM/FR, Mobile, ISDN/Dial, DSL and Cable; DNS Global Control Plane versus IP Control/Forwarding Plane; DNS Requests, DNS Responses and Layer 3 Communications marked; steps 1–5]

  22. DNS Use Case: Policy based GSLB
  GSLB policy enables redirection based on proximity, site health, server load and user preferences.
  Deployment steps shown: 1. Add NS Record for both GSSes; 2. Create Mesh Link; 3. Add DNS Rules + SAL + DDL + Qtype + Add Clauses
  GSLB Can Redirect Traffic Based On:
  • Proximity
    • Selects Answer based on lowest RTT
    • RTT measured between client's d-proxy and a probing device (Cisco Router and/or GSS)
    • GSS uses DRP to communicate with probes
  • Disaster Recovery
  • Site Health Check
  • Datacenter Load (KAL-AP)
  • Ratio based GSLB
  [Diagram: www.fifa.com / nameserver.fifa.com with "NS" Records 10.86.191.150 and 10.86.191.134; GSS Milan 10.86.191.134 and GSS Johannesburg 10.86.191.150 joined by a Mesh Link; P-DNS2 16.1.1.1; DNS Query for www.fifa.com answered with an "A" Record; SLBs with VIP=10.86.191.147 in Datacenter A and VIP=10.86.191.131 in Datacenter B]

  23. Use Case: BCDR
  • Recovering Service Availability after Failure
    • Active-Passive Design
    • Network fail-over can happen within 10s
    • Application/Server recovery time is based on the time it takes to complete data synchronization of the back-end database, application servers and Web servers
  • Supported by Cisco's Solutions: GSS, CSS, CSM, ACE
  [Diagram: DNS Global Control Plane (GSS Cluster, Resolver, DNS Name Servers) over the IP Control/Forwarding Plane; access over Mobile, Fixed Wireless, Cable, DSL, Dedicated/ATM/FR and ISDN/Dial; Chicago Data Center #1, Tokyo Data Center #2, NJ Back-up Data Center #3]

  24. Use Case: Securing DNS Infrastructure
  • Provides a security focused, highly available DNS/DHCP/TFTP infrastructure for one or more data centers
  • Automatically identifies DNS-based DDoS attacks and mitigates the attacks
  • Rate limits the specific DNS requests coming from compromised DNS name servers or DNS bots
  [Diagram: DNS Global Control Plane (Resolver) over the IP Control/Forwarding Plane; compromised DNS Name Servers or DNS bots sending requests over Mobile, Fixed Wireless, Cable, DSL, Dedicated/ATM/FR and ISDN/Dial; Chicago Data Center #1, Tokyo Data Center #2, NJ Back-up Data Center #3]
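The slide only names the control ("rate limits these specific DNS requests"); the Python below is an added example of the kind of per-source sliding-window limiter that detection or mitigation logic of this sort is built on. It is not Cisco code and does not model the GSS's actual DDoS software: the log lines are constructed for the example, the field layout (`src=`, `qname=`, `qtype=`) is my own, and the threshold of 5 queries per second is an arbitrary constructed value.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample query log (not real GSS output), one query per line.
SAMPLE_LOG = [
    "2011-09-22T10:00:00.000 src=198.51.100.7 qname=www.example.com qtype=A",
    "2011-09-22T10:00:00.050 src=203.0.113.9 qname=www.example.com qtype=A",
    "2011-09-22T10:00:00.100 src=203.0.113.9 qname=a1.example.com qtype=A",
    "2011-09-22T10:00:00.150 src=203.0.113.9 qname=a2.example.com qtype=A",
    "2011-09-22T10:00:00.200 src=203.0.113.9 qname=a3.example.com qtype=A",
    "2011-09-22T10:00:00.250 src=203.0.113.9 qname=a4.example.com qtype=A",
    "2011-09-22T10:00:00.300 src=203.0.113.9 qname=a5.example.com qtype=A",
    "2011-09-22T10:00:01.500 src=198.51.100.7 qname=mail.example.com qtype=MX",
    "2011-09-22T10:00:02.000 src=203.0.113.9 qname=a6.example.com qtype=A",
]


def parse_line(line):
    """Return (timestamp_seconds, source_ip, qname, qtype) for one constructed log line."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts).timestamp(), kv["src"], kv["qname"], kv["qtype"]


def rate_limit(lines, max_queries=5, window=1.0):
    """Sliding-window limiter: admit at most max_queries per source within any window seconds.

    Returns {src: {"allowed": n, "dropped": m}}.  Only admitted queries are kept in the
    window, so a source that is being throttled cannot extend its own penalty.
    """
    recent = defaultdict(deque)  # src -> timestamps of admitted queries still inside the window
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for line in lines:
        ts, src, _qname, _qtype = parse_line(line)
        q = recent[src]
        while q and ts - q[0] >= window:  # expire admitted queries that fell out of the window
            q.popleft()
        if len(q) >= max_queries:
            stats[src]["dropped"] += 1
        else:
            q.append(ts)
            stats[src]["allowed"] += 1
    return dict(stats)


def flooding_sources(stats):
    """Sources that hit the limit at least once, worst first: candidates for alerting or mitigation."""
    return sorted((s for s, c in stats.items() if c["dropped"]),
                  key=lambda s: -stats[s]["dropped"])


if __name__ == "__main__":
    result = rate_limit(SAMPLE_LOG)
    for src, counts in result.items():
        print(src, counts)
    print("flooding:", flooding_sources(result))
```

In the constructed sample, 203.0.113.9 sends six queries inside 300 ms, so the sixth is dropped, while its query at 02.000 is admitted again because the earlier ones have aged out of the one-second window; 198.51.100.7 never trips the limit.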

  25. GSS Release 3.1.2 – Before / After
  1. No support for IDNA → IDNA Support
  2. Limited Integration with SLB Management (ANM) → Integration with SLB Management (ANM)
  3. Bug Fixes → Bug Fixes
  4. KALs did not support HTTPs transport → KALs on HTTPs Transport (Tentative)
  [Diagram: User, LDNS, GSS Network, SLBs in Datacenter A and Datacenter B, KAL; call-outs 1–4]

  26. GSS Release 3.2.0 – Before / After
  1. No HTTPs KAL → HTTPs KAL
  2. DNSSec Deployments Break → DNSSec workaround to forward A4 records
  3. GUI based Config Changes not logged → Audit Log for GUI based Config Changes
  4. SSL Vulnerabilities → Secure Communication on SSL
  [Diagram: User, LDNS, GSS Network, SLBs in Datacenter A and Datacenter B, KAL; call-outs 1–4]

  27. GSS Competitive Side by Side

  28. GSS Performance & Configuration Scalability

  29. Questions?

  30. backup

  31. Security Focused Functionality
  • Improves availability and resiliency of DNS infrastructure with high performance and self protecting DDoS software
  • Offloads and optimizes BIND/DNS processing and selects the best site based on:
    • Intelligent load balancing algorithms & "clauses"
    • Proximity to user request
    • Data center and server loads, availability & health
    • Persistence to prevent lost session information
  • Complete and centralized DNS/DHCP/TFTP management for network-enabled applications
  • Security conscious features:
    • DDoS Mitigation Software
    • Client to GSS and GSS to GSS communication encrypted
    • Private DNS code base
  • Supports all DNS-compatible devices
  • Can be deployed with or without content switches

  32. Improving DNS Survivability
  • Detects and mitigates DNS focused Distributed Denial of Service (DDoS) attacks. Multiple defenses including source verification
  • With the granularity and accuracy to provide new levels of business continuity by processing only legitimate DNS requests
  • Delivering the performance and architecture suitable for the largest enterprises and providers
  • Addresses DDoS attacks today, and its network-based behavioral anomaly capability will be extended to additional DNS focused threats

  33. Security Focused GSS deployment
  • Why here? (GSS in the DMZ, alongside the DNS server, receiving un-secure DNS traffic from ISP-1/ISP-2)
    • Public IP and DNS host names
    • Layers of firewalls and NATing between DNS and internal servers
  • Not here? (GSS on the internal network next to the secure web servers)
    • If hacked, private IPs become available
    • DNS traffic tunneled through the firewall
    • Violates recommended "Split DNS" best practices
  [Diagram: ISP-1 and ISP-2 → DMZ with DNS Server, Cisco GSS and Public Web Servers → Datacenter A with Secure Web Servers and others]

  34. Sample configuration
  Rule – goodFellas.com: Source Address List Anywhere; Domain List bxb; Balance Clause 1: AnswerGroup grp-bxb, Balance Method Round Robin; Balance Clauses 2 and 3: (blank)
  Rule – bxb.com: Source Address List Asia; Domain List rest; Balance Clause 1: AnswerGroup grp-bxb, Balance Method Round Robin; Balance Clauses 2 and 3: (blank)
  Domain List bxb: www.bxb.com
  Domain List rest: www.bxb.com, www.sjc.com
  Source Address List Anywhere: 0.0.0.0 – 255.255.255.255
  Source Address List Asia: 124.0.0.0 – 145.0.0.0, 87.0.0.0 – 94.0.0.0
  AnswerGroup grp-bxb: Answer-1 (NY), Answer-1 (Bos)
  AnswerGroup grp-rtp: Answer-2 (NY), Answer-2 (Bos)
  Answer-1 (NY): VIP-A 10.86.191.131
  Answer-1 (Bos): VIP-A 10.86.191.147
  Answer-2 (NY): VIP-B 10.86.191.136
  Answer-2 (Bos): VIP-B 10.86.191.153
  Shared Keepalive: Type kal-ap, 10.86.191.129 | 10.86.191.145

  35. GSS vs F5 GTM

  36. GSLB Core Balance Functions

  37. Keep Alives (KAL)
  • KALs – a back-end process gathers state and load information from devices within the data center such as local server load balancers and origin servers
  • KALs can be grouped and logically "AND"ed together
  • V2.0 added a new KAL type: SNMP based
  [Diagram: Site 1 and Site 2, each with servers behind CSS-A and CSS-B; Keepalives: TCP, ICMP, HTTP-Head, SNMP]
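Slides 22, 34 and 37 together describe how a GSS DNS rule is evaluated: the client's D-proxy address is matched against a source address list, the queried name against a domain list, and the matching rule's balance clauses then pick an answer from an answer group whose members are only eligible when every keepalive attached to them is up. The Python below is an added example that models that evaluation with the objects from slide 34; it is not Cisco code and not the GSS's implementation. Assumptions made for the example: rules are evaluated in configured order and the first match wins; balance clauses are tried in order and a clause is skipped when none of its answers is online; `grp-rtp` is used as a constructed second clause (the slide leaves clauses 2 and 3 blank); the shared KAL-AP probes 10.86.191.129 and 10.86.191.145 guard the NY and Boston Answer-1 VIPs, and the additional ICMP keepalives are constructed to show the "AND" rule from slide 37. Only round robin is modelled.

```python
import ipaddress


class Answer:
    """A VIP answer plus the keepalives attached to it."""

    def __init__(self, name, vip, kals):
        self.name, self.vip, self.kals = name, vip, list(kals)

    def online(self, kal_status):
        # KALs attached to one answer are logically ANDed: every probe must report up.
        return all(kal_status.get(k, False) for k in self.kals)


class AnswerGroup:
    def __init__(self, name, answers):
        self.name, self.answers, self._next = name, list(answers), 0

    def pick(self, method, kal_status):
        """Return the next online answer under the balance method, or None if all are down."""
        live = [a for a in self.answers if a.online(kal_status)]
        if not live:
            return None
        if method != "round-robin":
            raise ValueError("only round-robin is modelled here")
        answer = live[self._next % len(live)]
        self._next += 1
        return answer


class SourceAddressList:
    def __init__(self, name, ranges):
        self.name = name
        self.ranges = [(int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)))
                       for lo, hi in ranges]

    def contains(self, ip):
        n = int(ipaddress.ip_address(ip))
        return any(lo <= n <= hi for lo, hi in self.ranges)


class DnsRule:
    def __init__(self, name, sal, domains, clauses):
        self.name, self.sal = name, sal
        self.domains = {d.lower() for d in domains}
        self.clauses = clauses  # ordered list of (AnswerGroup, balance method)

    def matches(self, client_ip, qname):
        return self.sal.contains(client_ip) and qname.lower().rstrip(".") in self.domains

    def select(self, kal_status):
        for group, method in self.clauses:  # fall through to the next clause when a group is dead
            answer = group.pick(method, kal_status)
            if answer:
                return answer
        return None


# Every keepalive the constructed configuration refers to (status dict keys).
ALL_KALS = ["kal-ap:10.86.191.129", "kal-ap:10.86.191.145",
            "icmp:10.86.191.131", "icmp:10.86.191.147",
            "icmp:10.86.191.136", "icmp:10.86.191.153"]


def build_config():
    """Slide-34 objects; see the lead-in for which parts are constructed assumptions."""
    grp_bxb = AnswerGroup("grp-bxb", [
        Answer("Answer-1 (NY)", "10.86.191.131", ["kal-ap:10.86.191.129", "icmp:10.86.191.131"]),
        Answer("Answer-1 (Bos)", "10.86.191.147", ["kal-ap:10.86.191.145", "icmp:10.86.191.147"]),
    ])
    grp_rtp = AnswerGroup("grp-rtp", [
        Answer("Answer-2 (NY)", "10.86.191.136", ["icmp:10.86.191.136"]),
        Answer("Answer-2 (Bos)", "10.86.191.153", ["icmp:10.86.191.153"]),
    ])
    anywhere = SourceAddressList("Anywhere", [("0.0.0.0", "255.255.255.255")])
    asia = SourceAddressList("Asia", [("124.0.0.0", "145.0.0.0"), ("87.0.0.0", "94.0.0.0")])
    clauses = [(grp_bxb, "round-robin"), (grp_rtp, "round-robin")]  # clause 2 is constructed
    rule_bxb = DnsRule("bxb.com", asia, ["www.bxb.com", "www.sjc.com"], clauses)
    rule_goodfellas = DnsRule("goodFellas.com", anywhere, ["www.bxb.com"], clauses)
    return [rule_bxb, rule_goodfellas]  # assumed evaluation order: Asia-specific rule first


def resolve(rules, client_ip, qname, kal_status):
    """Return the VIP the GSS would hand back, or None when no rule or no online answer applies."""
    for rule in rules:
        if rule.matches(client_ip, qname):
            answer = rule.select(kal_status)
            return answer.vip if answer else None
    return None


if __name__ == "__main__":
    rules = build_config()
    healthy = {k: True for k in ALL_KALS}
    for _ in range(3):
        print("Asia client, www.sjc.com ->", resolve(rules, "130.0.0.1", "www.sjc.com", healthy))
```

Two behaviours worth noticing when running it: a client outside the Asia ranges asking for www.sjc.com gets no answer at all, because the only rule whose domain list contains that name is gated on the Asia source address list; and taking down just the ICMP keepalive on the NY VIP removes that answer from rotation even though its KAL-AP probe is still up, which is the ANDing described on slide 37.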

  38. Types of GSLB Solutions GSS is a DNS based GSLB Solution

  39. GSS 3.2.0 Bug Fixes
