PATENT PROTECTION
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual patent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Networks' products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at:
https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking
TRADEMARKS
A10 Networks trademarks are listed at:
https://www.a10networks.com/company/legal-notices/a10-trademarks
CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc.
Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in this document or available separately. Customer shall not:
1. reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means
2. sublicense, rent or lease the Software.
DISCLAIMER
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and conditions.
ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.
FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks location, which can be found by visiting www.a10networks.com.
Table of Contents
page 3 | ACOS 4.1.1-P6 Global Server Load Balancing Guide - 27 October 2017
A10 Thunder Series and AX Series
BW Cost
Configuring Bandwidth Cost (Process)
Least-Response
Admin-IP
Round-Robin
Alias-Admin-Preference
Configuring Alias Admin Preference
Configuring Alias Admin Preference (CLI)
Weighted-Alias
Configuring Weighted Alias
Configuring Weighted Alias (CLI)
admin-ip
admin-ip-enable
admin-preference
alias-admin-preference
auto-map
bw-cost
bw-cost-enable
capacity
connection-load
dns action
dns active-only
dns addition-mx
dns auto-map
dns backup-alias
dns backup-server
dns cache
dns cname-detect
dns delegation
dns external-ip
dns external-soa
dns geoloc-action
dns geoloc-alias
dns geoloc-policy
dns hint
dns ip-replace
dns ipv6 mapping
dns ipv6 mix
dns ipv6 smart
dns logging
dns proxy block <query>
dns proxy block <type>
dns proxy block action
dns selected-only
dns server
dns sticky
dns ttl
edns client-subnet geographic
geo-location
geo-location-match
geographic
health-check
ip-list
least-response
metric-fail-break
metric-force-check
metric-order
num-session
num-session-enable
round-robin
weighted-alias
weighted-ip
weighted-ip-enable
weighted-site
weighted-site-enable
Show Commands
show gslb cache
show gslb config
show gslb fqdn
show gslb geo-location
show gslb group
show gslb ip-list
show gslb memory
show gslb policy
show gslb protocol
show gslb rdt
show gslb samples conn
show gslb samples conn-load
show gslb samples rdt
show gslb service
show gslb service-group
show gslb service-ip
show gslb service-port
show gslb session
show gslb site
show gslb slb-device
show gslb state
show gslb statistics
show gslb zone
Clear Command
clear gslb
GSLB Introduction
About GSLB
Global Server Load Balancing (GSLB) refers to load balancing applications that direct users to multiple data center sites. Each site consists of server farms that provide users with fast response time and sufficient redundancy to protect against the failure of a complete data center. Each GSLB implementation falls under one of these categories:
• DNS-Based GSLB: Domain Name System technology is utilized to extend load balancing globally.
• IP-Based GSLB: Route health injection advertises VIP availability throughout the network.
The A10 implementation of GSLB extends load balancing to a global geographic scale by offering a choice of
DNS Proxy or DNS Server methods. A10 GSLB adds a layer of availability and performance to applications
with minimal impact to existing DNS architectures while allowing the selection of the most appropriate
method for a network environment:
• Proxy Mode: The ACOS device acts as proxy for an external DNS server. The device can update A and
AAAA records in response to client requests and forwards requests for all other record types to the
external DNS server.
• Server Mode: The ACOS device directly responds to queries for specific service IP addresses in the GSLB zone while forwarding other query types to the DNS server. In server mode, the device can reply with A, AAAA, MX, NS, PTR, SRV, and SOA records. For all other records, the ACOS device attempts proxy mode.
The device can be configured to use only DNS server mode for all replies. If the configuration does not contain the applicable DNS record, the controller responds with a server failure message if it is not managing the FQDN.
The final chapter includes a description of commands available in the ACOS command line interface.
About this Manual
Manual Structure
The GSLB Guide includes the following chapters:
• GSLB Deployment Options – Describes controllers and devices; proxy and server modes; configuration
synchronization; and usage within A10 partitions and aVCS environments.
• GSLB Implementation Examples – Provides several GSLB configuration examples.
• DNS Options – Describes DNS options supported by the device that complement the GSLB implementation.
• Geo Location Mappings – Describes loading geo-locations: manually or by loading from a file.
• Configuring GSLB through the GUI – Provides GUI steps for many of the processes presented in the
guide.
• GSLB CLI Command Reference – Describes CLI commands that configure GSLB.
GSLB Deployment Options
This chapter describes the following GSLB deployment concepts and options:
• “aVCS” on page 21
GSLB Overview
DNS-based GSLB uses Domain Name System (DNS) technology to extend load balancing to a global scale. Global Server Load Balancing (GSLB) adds intelligence to authoritative DNS servers. The GSLB controller evaluates DNS replies and directs traffic to the 'best' site by replacing the IP address in the DNS reply.
• Provide data center failover to minimize downtime and ensure application availability
• Provide faster performance and improved user experience by directing users to the nearest site
• Increase data center efficiency by using flexible policies to distribute traffic to multiple sites
DNS-Based GSLB Protocol
A GSLB controller administers protocol activities. The protocol must be enabled on the GSLB controller.
The GSLB controller collects the following information from the accessible site load balancers:
• Connection load
A GSLB Controller Group consists of multiple controllers, within a GSLB zone, whose service IP status and GSLB configurations are synchronized. GSLB Controller Groups provide redundancy that protects against the failure of an individual device. The ACOS device can automatically synchronize GSLB configurations and VIP-server status among multiple GSLB controllers for a GSLB zone. See “Controller Groups and GSLB Synchronization” on page 17 for more information.
Enabling the protocol on site devices within a GSLB configuration is operational for base configuration. Specific policy options and the default health checks require the protocol to be enabled.
When running GSLB in server mode, proxy DNS servers require only a VIP; the configuration of a real server or
service group is not required. When running GSLB in proxy mode, the real server and service group are
required along with the VIP.
Server mode and proxy mode are configured as DNS options. See “DNS Options” on page 63.
1. Configure health monitors for the DNS server to be proxied and the GSLB services to be load balanced.
2. Configure a DNS proxy.
3. Configure a GSLB policy as described in “Configuring Policies” on page 40.
GSLB Deployment Modes
See “gslb protocol” on page 139 for a description of gslb protocol commands.
Server Mode
An ACOS device in server mode responds directly to queries for specific service IP addresses in the GSLB
zone; the device still forwards other types of queries to the DNS server. In server mode, the ACOS device can
reply with A, AAAA, MX, NS, PTR, SRV, and SOA records. For all other records, the ACOS device attempts proxy
mode.
You can configure GSLB to use only the GSLB DNS server for all replies. When the configuration does not contain the applicable DNS record, the controller responds with a server failure message when it does not manage the FQDN.
An ACOS device becomes a GSLB ACOS device when you configure GSLB on the device and enable the GSLB
protocol, for the controller function. The GSLB protocol uses port 4149. The protocol is registered on this port
for both TCP and UDP.
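A defender's check built on the port stated above, added here as an example (not A10 code): it scans flow records for traffic to port 4149 from sources outside the expected list of GSLB controllers and site devices. The log format, the addresses and the `ALLOWED_PEERS` inventory are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

GSLB_PORT = 4149  # GSLB protocol port from the guide (registered for TCP and UDP)

# Assumed inventory (constructed): controllers and site devices that are
# expected to speak the GSLB protocol to this controller.
ALLOWED_PEERS = ["192.0.2.10", "192.0.2.11", "198.51.100.0/28"]

# Constructed flow records in a hypothetical
# "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <action>" format.
SAMPLE_FLOWS = """\
2017-10-27T10:00:01Z tcp 192.0.2.10:51514 -> 203.0.113.5:4149 allow
2017-10-27T10:00:02Z udp 198.51.100.7:40000 -> 203.0.113.5:4149 allow
2017-10-27T10:00:03Z tcp 203.0.113.77:44321 -> 203.0.113.5:4149 allow
2017-10-27T10:00:04Z udp 203.0.113.77:53000 -> 203.0.113.5:53 allow
2017-10-27T10:00:05Z tcp 203.0.113.99:40100 -> 203.0.113.5:4149 deny
garbage line that does not parse
2017-10-27T10:00:06Z tcp 203.0.113.77:44322 -> 203.0.113.5:4149 allow
"""

# IPv4 "a.b.c.d:port" or bracketed IPv6 "[addr]:port" endpoints.
ENDPOINT = r"(\[[0-9A-Fa-f:]+\]|[0-9.]+):(\d+)"
FLOW_RE = re.compile(
    r"^(\S+)\s+(tcp|udp)\s+" + ENDPOINT + r"\s+->\s+" + ENDPOINT + r"\s+(allow|deny)$"
)


def parse_flow(line):
    """Return a dict for one flow record, or None if the line is malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, _sport, dst, dport, action = m.groups()
    try:
        src_ip = ipaddress.ip_address(src.strip("[]"))
        dst_ip = ipaddress.ip_address(dst.strip("[]"))
    except ValueError:
        return None
    return {"ts": ts, "proto": proto, "src": src_ip, "dst": dst_ip,
            "dport": int(dport), "action": action}


def audit_gslb_flows(log_text, allowed_peers):
    """Summarise port-4149 flows whose source is not an expected GSLB peer."""
    networks = [ipaddress.ip_network(p, strict=False) for p in allowed_peers]
    unexpected = defaultdict(lambda: {"allow": 0, "deny": 0, "protos": set()})
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow is None:
            unparsed += 1          # count, do not silently drop, bad records
            continue
        if flow["dport"] != GSLB_PORT:
            continue               # not GSLB protocol traffic
        if any(flow["src"] in net for net in networks):
            continue               # expected controller or site device
        entry = unexpected[str(flow["src"])]
        entry[flow["action"]] += 1
        entry["protos"].add(flow["proto"])
    return {"unexpected": dict(unexpected), "unparsed": unparsed}


def reached_controller(report):
    """Unexpected sources with at least one permitted flow (review these first)."""
    return sorted(src for src, e in report["unexpected"].items() if e["allow"] > 0)


if __name__ == "__main__":
    result = audit_gslb_flows(SAMPLE_FLOWS, ALLOWED_PEERS)
    for source, stats in sorted(result["unexpected"].items()):
        print(source, stats)
    print("permitted but unexpected:", reached_controller(result))
    print("unparsed lines:", result["unparsed"])
```
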
The dns server command is a GSLB Policy mode command that enables an ACOS device to act as a DNS
server for specific service IPs in the GSLB zone to which the policy is applied. To configure DNS server mode
on a device, apply a policy with a DNS server command to a zone or service on the device.
Example
This command configures a policy to set up a device as a DNS server to use DNS TXT resource records to carry multiple pieces of DNS TXT data within one TXT record, then applies the policy to a service.
Proxy Mode
An ACOS device in proxy mode acts as a proxy for an external DNS server. In proxy mode, the ACOS device updates A and AAAA records in response to client requests and forwards requests for other record types to the external DNS server. DNS proxy is a DNS virtual service; its configuration is similar to that of an SLB service.
By default, a GSLB policy configures the device to act in DNS proxy mode. The no dns server command disables DNS server mode within a policy where DNS server mode was previously enabled.
These steps describe the DNS proxy configuration process. For a description of SLB commands and processes, see the “ADC Command Line Interface Reference Guide” and the “Application Delivery and Server Load Balancing Guide”.
1. Configure a real server for the DNS server to be proxied (slb server command)
Controller Groups and GSLB Synchronization
“Scenario 1: GSLB Proxy Mode” on page 25 contains a DNS proxy configuration example.
Each group consists of member ACOS devices. Among the members, the group has a Master, which manages group synchronization. The Master device synchronizes GSLB configurations and VIP-server status among the GSLB controllers within the group. A group can contain up to 15 members. By default no primary members are defined.
On each GSLB controller, the configuration for a GSLB group includes a list of primary group members. Group member addresses, after they are configured on the Master device, are pushed to the other devices in the group. After the GSLB process starts on an ACOS device, the device joins the controller group by connecting to the primary group members to exchange group management traffic. By default, no primary group members are defined.
Controller groups provide a learning option that enables an ACOS device to learn the IP addresses of members when they are added to the group. Learning is enabled by default.
This feature is different from the ACOS Series Virtual Chassis System (aVCS) feature. aVCS is used for multiple
ACOS devices that serve as mutual backups within the same LAN.
The master controller and the other controllers periodically send keepalive messages. If the other controllers
stop receiving keepalive messages from the master controller, a new master is elected.
To designate a master controller for the GSLB group, set the priority of the desired ACOS device to a higher value than the other members. It is recommended that you make GSLB configuration changes for the group-wide parameters (shown below) on the master. The group synchronization feature will push your configuration to the other group members.
GSLB Synchronization
The master controller synchronizes GSLB configurations and VIP server status among multiple controllers in a GSLB group. The master synchronizes the following GSLB configuration items when updating the configurations on other controllers:
• Service IPs
• Sticky Persistence
• Geo-location files
The master controller sends the following status information to the other controllers:
• aRDT data
• Device status
Until the configuration synchronization status reaches “FullSync”, GSLB configuration information can be
edited directly on group members that are not the master. When multiple devices are configured differently,
changes on the master overwrite changes on other group members when “FullSync” is reached.
After the configuration synchronization status reaches “FullSync”, directly changing the configuration on a
member device is not supported and generates the error message “Operation denied by Group Master”.
• When a L3V network contains two or more controllers that use the same public NAT address, a GSLB
group accepts only one controller as a group member. The ACOS GSLB controller rejects subsequent
connection requests from the same external IP.
• In VRRP-A deployments, the GSLB configuration synchronizes with the active VRRP-A device, which
then pushes the GSLB configuration changes to the VRRP-A standby device.
• The CLI prompt displays the ACOS device’s role within the GSLB group. The status indicator can be either
“Master” or “Member”, as shown in these examples:
ACOS-Master(config)#
ACOS-Member(config)#
The group role indicator is disabled with the no terminal gslb-prompt command.
• DNS auto-mapping: Maps group IP resources to IP addresses on the ACOS device. (auto-map)
• DNS suffix: DNS suffix used for DNS discovery. You can specify the suffix (name) that GSLB appends to
the domain name when sending a dns-discover query. For example, for group name “group” and suffix
“example.com”, strings are sent in the DNS discovery query as “group.example.com”. (suffix)
• Priority: Value used during master election for the group. Higher priority values are preferred over
lower priority values. For example, priority value 200 is preferred over priority value 100. (priority)
• Primary controller: IP addresses of the other GSLB controllers to connect to within the group. You can
specify up to 15 IP addresses. (primary)
• Learning: Allows the device to learn the IP addresses of additional group members from primary
controllers. (learn)
• Automatic configuration save: Automatically saves the configuration on a group member when the
configuration is saved on the group’s master controller. (config-save)
• Automatic configuration merge following master takeover: Automatically merges the previous master’s
configuration to the new master following takeover of the master role. (config-merge)
• Configuration allowed on all group members: Allows GSLB configuration to be performed on any group
member. (config-anywhere)
• Inherit configuration: Allows a GSLB controller to acquire its GSLB configuration from another device.
(inherit)
• Standalone operation: Allows this GSLB controller to operate independently of the group. (standalone)
Partition-specific Group Management
The following GSLB parameters cannot be configured for individual partitions; they are only configured
globally and are effective within all ACOS device partitions:
• GSLB system-wide settings: gslb system, gslb dns, gslb protocol, and gslb active-rdt
GSLB parameter labels do not span partitions; zones in two partitions cannot use the same zone name.
For each partition, you can create one group, the “partition group”. Only one GSLB Group is supported to
implement mapping. The following synchronization scenario is supported: from shared partition group to
shared partition group. View and inheritance features are not supported in this release.
For additional information about L3V Partitions, see the System Configuration and Administration Guide.
aVCS
Typical aVCS deployments support a virtual chassis with multiple devices. Real-time configuration
synchronization results in virtual chassis devices with identical GSLB configurations. This can result in multiple GSLB
controllers tying for highest priority. In this case, the controller with the highest last 4 bytes in its
management interface MAC address is elected group master.
GSLB groups synchronize configuration between ACOS devices. When a group is enabled and the GSLB
configuration can be managed by the GSLB group, aVCS does not synchronize the GSLB configuration to the
vBlade. When the vMaster is not the same device as the GSLB group master, configuring GSLB in a member
controller requires enabling the config-anywhere option in the GSLB group.
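The election rules described above (higher priority preferred, re-election when the master's keepalives stop, and the management-MAC tie-break under aVCS) can be modelled to check which device will actually become master. This is an added example, not A10 code; the device names, MAC addresses and function names are constructed for illustration.

```python
import string
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Controller:
    name: str            # constructed device name
    priority: int        # group priority value; higher is preferred
    mgmt_mac: str        # management interface MAC address
    alive: bool = True   # False once keepalives from this device stop


def mac_last4(mac):
    """Return the last 4 bytes of a MAC address as an integer."""
    octets = mac.replace("-", ":").split(":")
    valid = len(octets) == 6 and all(
        len(o) == 2 and all(ch in string.hexdigits for ch in o) for o in octets
    )
    if not valid:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(octets[2:]), 16)


def elect_master(group):
    """Highest priority wins; a tie goes to the highest last-4-bytes MAC value."""
    live = [c for c in group if c.alive]
    if not live:
        return None
    return max(live, key=lambda c: (c.priority, mac_last4(c.mgmt_mac)))


def top_priority_ties(group):
    """Names of live controllers sharing the top priority.

    A non-empty result means the MAC address, not the administrator's
    priority setting, decides which device becomes master.
    """
    live = [c for c in group if c.alive]
    if not live:
        return []
    top = max(c.priority for c in live)
    tied = [c.name for c in live if c.priority == top]
    return tied if len(tied) > 1 else []


def mark_down(group, name):
    """Return a copy of the group in which `name` no longer sends keepalives."""
    return [replace(c, alive=False) if c.name == name else c for c in group]


# Constructed sample group: one intended master and two equal-priority peers.
GROUP = [
    Controller("ctl-a", 200, "00:1f:a0:00:00:10"),
    Controller("ctl-b", 100, "00:1f:a0:ff:ff:ff"),
    Controller("ctl-c", 100, "00:1f:a0:00:00:01"),
]

if __name__ == "__main__":
    print("master:", elect_master(GROUP).name)
    after_failure = mark_down(GROUP, "ctl-a")
    print("after ctl-a fails:", elect_master(after_failure).name)
    print("decided by MAC among:", top_priority_ties(after_failure))
```

Because the master's configuration overwrites member configuration once “FullSync” is reached, a tie reported by `top_priority_ties` is worth resolving with distinct priority values before relying on failover.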
Cloud-based Computing Solution
The feature supports IPv4 resource records and does not support IPv6 records.
The GSLB Cloud Computing Solution may be appropriate when using multiple web-based service providers
to provide server load balancing services. It can allow you to shift from one web-based service provider to
another to use services that cost less or that have better health metrics. When using a cloud-based SLB
service provider for web-based services, the provider sends a CNAME record to access the cloud servers. The
cloud servers can be dynamically imported into the ACOS device via the CNAME record in order to do GSLB.
The example below shows the generation of dynamic service-ip addresses by hostname via DNS. This can be
accomplished using the following CLI configurations on an ACOS device:
GSLB Implementation Examples
Overview
This chapter lists the GSLB configuration steps (“Basic GSLB Configuration” on page 23) and contains CLI
commands that implement several GSLB scenarios.
These scenarios demonstrate this configuration process. Supplemental steps are added to the basic process
for more complex configurations.
1. Create an FQDN string by configuring a zone and the service that corresponds to that string.
2. If a custom policy is required, create a GSLB policy to specify a set of metrics and DNS options.
3. To implement the custom policy, apply it to the zone or individual services.
4. (Optional) Configure an action to perform on DNS queries for the FQDN:
• Forward Response – Forwards responses to local DNS server; does not forward queries to
Authoritative DNS server.
• Forward Both – Forwards queries to Authoritative DNS server; forwards responses to local DNS
server.
• Forward Query – Forwards queries to Authoritative DNS server; does not forward responses to local
DNS server.
• Drop – Drops DNS queries from local DNS server.
• Reject – Rejects DNS queries from local DNS server; returns “Refused” message in replies.
Basic GSLB Configuration
9. Select a service-IP type. See “Step 1: Select a service-IP type” on page 39.
10. Configure DNS Records. See “Step 2: Configure DNS Records” on page 39.
11. Manually configure Geo-Location entries. See “Step 3: Manually Configure Geo-location Entries (If
Required)” on page 40.
Scenario 1: GSLB Proxy Mode
These commands create and enable the VIP for GSLB client DNS queries.
Service IP Assignment
These commands associate two servers with GSLB labels that can be referenced by GSLB sites.
GSLB Site
These commands create a GSLB site and bind the virtual servers to the site. (See “Configuring Sites” on
page 37.)
GSLB Policy
These commands create a GSLB policy that, when applied, places the device in proxy mode for the specified
zone. (See “Configuring Policies” on page 40.) By default, policies place a zone in proxy mode.
GSLB Zone
These commands create a GSLB zone and implement two services within the zone. DNS address records are
included for each zone. (See “Creating an FQDN String (Zones and Services)” on page 37.)
ACOS-1(config)#
Scenario 2: GSLB Server Mode
These commands create and enable the VIP for GSLB client DNS queries.
These commands associate two servers with GSLB labels that can be referenced by GSLB sites.
These commands create two GSLB sites and bind the virtual servers to the sites. (See “Configuring Sites” on
page 37.)
These commands create a GSLB policy that, when applied, places the device in server mode for the specified
zone. (See “Configuring Policies” on page 40.)
These commands create a GSLB zone and implement two services within the zone. DNS address records are
included for each zone. (See “Creating an FQDN String (Zones and Services)” on page 37.)
Scenario 3: GSLB Controllers and Site Devices
See “GSLB Controllers and Devices (Scenario 3)” on page 118 for the GUI implementation.
These commands create and enable the VIP for GSLB client DNS queries.
For each site SLB device, enter the IP address of the ACOS device that provides SLB at the site. For the VIP
server names, enter the service IP name as previously configured.
These commands create a GSLB policy that, when applied, places the device in server mode for the specified
zone.
These commands create a GSLB zone and implement two services within the zone. DNS address records are
included for each zone. (See “Creating an FQDN String (Zones and Services)” on page 37.)
These commands create and enable the VIP for GSLB client DNS queries on ACOS-31.
These commands create and enable the VIP for GSLB client DNS queries on ACOS-32.
GSLB Elements
This chapter describes the primary structural components of a GSLB Configuration. Sections include:
“GSLB Implementation Examples” on page 23 provides examples demonstrating usage of elements this
chapter describes.
• Zones – A GSLB zone is a DNS domain for GSLB. An ACOS device can be configured with one or more
GSLB zones.
Example: mydomain.com is a zone.
• Services – A service is an application, such as HTTP or FTP. Each service is given an FQDN with a zone
managed by the GSLB. A zone may include the FQDN of multiple services.
Example: www.mydomain.com is an FQDN where www is the HTTP service.
• Sites – A site is a server farm that is locally managed by an ACOS device that performs load balancing
for the site. Each zone can contain one or more GSLB sites.
• Service-IP – A service-ip identifies a virtual server by its IP address and specifies the port that hosts the
service provided by the server. The service-ip definition can also include health checks and an external
IP address that facilitates access from outside of the internal network.
• Policies – A policy is a data structure that defines a set of metric settings and DNS options. After a
policy is configured, it is applied to a zone or a service level within a zone. Zones and services use policies
to manage client requests by selecting the best site and specifying DNS options for the request.
GSLB zones can be configured with the same domain on multiple partitions, facilitating independent
policies for internal and external services for a domain. This also allows the same domain to be configured on
different partitions, regardless of the mode each partition is running.
Policies, service groups, and service-IP names can be duplicated in different partitions, but they must be
configured separately in each partition. The default GSLB policy is used globally and can only be configured in
the shared partition. GSLB site configurations are unique and cannot be duplicated in different partitions.
Example: The zone name “example.com” and service name combine to form the “www.example.com”
FQDN.
You can configure all of a service’s parameters, including its site, service-IP, and zone membership. You can
configure a service and all its required parameters.
An FQDN group combines multiple FQDNs (services) to provide a single point of contact for enabling or
disabling services at multiple levels of granularity.
“Configuring FQDN Service Groups” on page 43 describes the process of configuring FQDN Service Groups.
Configuring GSLB Elements
Configuring a Zone
The gslb zone command places the device in zone configuration mode, which includes a command that
associates a service to the zone. The command creates a zone when it references a zone not yet configured.
See “gslb zone” on page 153.
Example: This command creates a zone named a10-venus.com and places the device in zone
configuration mode.
ACOS(config)# gslb zone a10-venus.com
ACOS(config-zone:a10-venus.com)#
Commands are available in service configuration mode to configure DNS records for the service, specify
DNS traffic actions, enable health check parameters, and configure geo-location settings.
Example: These commands create the www service for the previously created a10-venus.com zone and
configure two DNS Address records for the service. The device remains in a10-venus.com-www service
configuration mode after the commands.
Configuring Sites
The gslb site command places the device in site configuration mode, which includes commands that
associate real servers and a service to the zone. The command creates a new zone when it references a zone
that is not yet configured. See “gslb site” on page 145.
The ip-server command, available from site configuration mode, associates the real server at the specified
IP address to the configuration mode site. See “[no] ip-server service-ip” on page 146.
The slb-dev command specifies an access IP address for the site and places the device in slb-dev
configuration mode. Within this mode, commands are available that map virtual servers to the site and specify access
attributes to the device. See “[no] slb-dev device-name [ip-addr]” on page 147.
The vip-server command adds the GSLB VIP server to the SLB device.
Example 1: This example creates the “oxygen” site and associates the real server at 10.10.1.1 with the site.
The ip-server command references the name of a previously configured service-ip which, in addition to
the IP address of the real server, defines server implementation parameters within the site.
Example 2: This example creates the “nitrogen” site and associates a virtual server at 10.10.1.5 with the site.
This command includes a command that references an SLB that serves as the virtual server. SLB
configuration is beyond the scope of this manual and covered in the ADC Configuration Guide.
The gslb service-ip command places the device in service-ip configuration mode. The command creates a
service IP when it references one that is not yet configured. See “gslb service-ip” on page 143. The service-ip
label is referenced by sites to associate servers to the site.
• To assign an external IP address to the service, use the external-ip command. An external IP address
is needed if the service IP address is an internal IP address that cannot be reached from outside the
internal network.
• To configure a service port on the service, use the port command.
• Health Monitor – Health monitor used to check the reachability and responsiveness of the service.
• Dev Name – Name for the SLB device (this device) in the GSLB configuration.
• Health Monitor – Health monitor for checking the reachability and responsiveness of the service.
SLB device
SLB device – The service is load balanced by another ACOS device. Options include:
• Device Name – Name for the SLB device. (This name does not need to be the same as the hostname
of the SLB device, although this is a handy way to simplify administration.)
• Device IP – IP address of the SLB device.
• Health Monitor – Health monitor for checking the reachability and responsiveness of the service.
Configure DNS records for the service. GSLB returns these records, when applicable, in response to DNS
requests. You can configure the following types of records:
A geo-location maps a range of client IP addresses to a description of the clients’ geographic location. GSLB
includes an IANA geo-location database, which is loaded by default.
• Forward Response – Forwards responses to the local DNS server, but does not forward queries to
the Authoritative DNS server.
• Forward Both – Forwards queries to the Authoritative DNS server, and forwards responses to the
local DNS server.
• Forward Query – Forwards queries to Authoritative DNS server; does not forward responses to
local DNS server.
• Drop – Drops DNS queries from the local DNS server.
• Reject – Rejects DNS queries from the local DNS server and returns the “Refused” message in
replies.
• Policy – Uses the selected GSLB policy instead of the policy used by the zone.
Configuring Policies
A policy is a data structure that defines a set of DNS Options and metric settings that zones and services use
to evaluate each site. For the evaluation of sites, A10 uses a fixed list of site addresses. This list is constructed
based on the original list when a site becomes active. This fixed metric evaluation function does not do
ordering or re-ordering of the original list.
After a policy is configured, it is applied to a zone or a service level within a zone. Zones and services use
policies to manage client requests by selecting the best site and specifying DNS options for the request.
For a description of GSLB Policies and specific implementation details, see “GSLB Metrics” on page 45.
For a description of DNS options and specific implementation details, see “DNS Options” on page 63.
The gslb policy command places the device in policy configuration mode, which includes commands that
associate real servers and a service to the zone. The command creates a zone when it references a zone that
is not yet configured. See “gslb policy” on page 139.
Example: This command creates the kaibab policy and places the device in kaibab policy configuration
mode.
The zone (See “[no] policy policy-name” on page 154.) and zone-service (See “[no] service port
[service-name]” on page 155.) configuration modes include a policy command that applies a specified
policy to the zone or service.
Example: This command applies the kaibab policy on the example.com zone. The policy is referenced by all
services configured on the zone.
Example: This command applies the kaibab policy on the www.example.com service.
Default Policy
In the “default” GSLB policy, the following metrics are enabled by default:
• Health-Check
• Geographic
• Round-Robin
Although the Geographic metric is enabled by default, there are no default geo-location mappings. To use
the Geographic metric, you must load or manually configure geolocation mappings. (See “Loading or
Configuring Geo-Location Mappings”.)
GSLB defines a default policy that is used by zones and policy for which a custom policy is not explicitly
assigned. The default policy has default settings and can be modified from policy configuration mode. The
default policy cannot be deleted.
Example: This command places the device in default policy configuration mode, where subsequent
commands modify the default policy.
Configuring FQDN Service Groups
• Entire FQDN group (all zones in the group, and all their services)
The gslb service-group command places the device in service-group configuration mode. See
“gslb service-group” on page 142.
Example: These commands create an FQDN group called “example-group” and add an FQDN for GSLB
services to it.
GSLB Metrics
GSLB metrics are assigned through policies assigned to GSLB sites. This chapter presents these topics:
• “Metrics That Require the GSLB Protocol on Site ACOS Devices” on page 45
To enable a metric, enter the metric name at the configuration level for the policy. For example, to enable the
Admin-Preference metric, enter the following commands:
To disable a GSLB metric, use the “no” form of the metric at the configuration level for the policy. For example,
to disable the Health-Check metric, enter these commands:
Managing GSLB Metrics
GSLB does not need to be enabled on the site ACOS devices, but enabling it is recommended to collect site
information that GSLB requires to generate the following metrics:
• Session-capacity
• aRDT
• Connection-Load
• Num-Session
Enabling the GSLB protocol is required when using default health-check methods. However, when you
modify default health checks, the GSLB protocol does not need to be enabled. (See “Health-Check” on page 47.)
Metric order does not apply to the Alias-Admin-Preference and Weighted-Alias metrics. When enabled,
Alias-Admin-Preference always has high priority.
The metric-order command configures the precedence order of metrics in a GSLB policy. (See
“metric-order” on page 207.) The following is the default metric order:
1. Health-Check
2. Weighted-IP
3. Weighted-Site
4. Session-Capacity
5. Active-Servers
6. aRDT
7. Geographic
8. Connection-Load
9. Num-Session
10. Admin-Preference
11. BW-Cost
12. Least-Response
13. Admin-IP
Metric Descriptions
A GSLB policy consists of one or more metrics. These sections describe GSLB Metrics that are implemented
through policies that are applied to zones and services.
• “Health-Check” on page 47
• “Weighted-IP” on page 48
• “Weighted-Site” on page 49
• “Geographic” on page 55
• “Least-Response” on page 60
• “Admin-IP” on page 60
• “Round-Robin” on page 60
• “Alias-Admin-Preference” on page 60
• “Weighted-Alias” on page 61
Health-Check
The Health-Check metric checks the availability (health) of the real servers and service ports. Sites whose real
servers and service ports respond to the health checks are preferred over sites in which servers or service
ports are unresponsive to the health checks.
ICMP (Layer 3 health check), TCP, UDP, HTTP, HTTPS, FTP, SMTP, POP3, SNMP, DNS, RADIUS, LDAP, RTSP, SIP
You can use the default health methods or configure new methods for any of these services.
By default, the GSLB protocol generates its own packets when sending a health check to a service. If the GSLB
protocol cannot reach the service, then another health check is performed using standard network traffic.
Health-Check Precedence
Health monitoring for a GSLB service can be performed at the following levels and in the following order:
Using the GSLB Health Monitor option does not affect its precedence. The GSLB Health Monitor
configuration includes health monitors in GSLB group synchronizations. For GSLB configuration synchronization, see
“Controller Groups and GSLB Synchronization” on page 17.
For the GSLB service, use health monitors for the application types of the services. For example, for an HTTP
service, use an HTTP health monitor. If the Health-Check metric is enabled in the GSLB policy, the metric will
use the results of service health checks to select sites.
To monitor the health of the real servers providing the services, configure health monitors on the site SLB
devices. Configure the health monitors for the proxied DNS server and the GSLB services on the GSLB ACOS
device. Configure the health monitors for real servers and their services on the site ACOS devices.
Weighted-IP
Weighted-IP – Service IP addresses with higher administratively assigned weights are used more often than
service IP addresses with lower weights.
The Weighted-IP metric skews selection toward specific IP addresses. GSLB selects higher-weighted IP
addresses more often than lower-weighted IP addresses.
If DNS caching is used, the cycle starts over if the cache aging timer expires.
Weighted-Site
Weighted-Site – Sites with higher administratively assigned weights are used more often than sites with
lower weights. The Weighted-Site metric skews selection toward specific sites. GSLB selects higher-weighted
sites more often than lower-weighted sites.
Example: if there are two sites (A and B), and A has weight 2 whereas B has weight 4, GSLB will select site B
twice as often as site A. Specifically, GSLB will select site B the first 4 times, and will then select site A the next
2 times. This cycle then repeats: B is chosen 4 times, then A is chosen the next 2 times, then B is chosen the
next 4 times, and so on.
If DNS caching is used, the cycle starts over if the cache aging timer expires.
Session Capacity
Session Capacity – Sites with more available sessions based on respective maximum Session-Capacity are
preferred.
Active Servers
Active Servers – Sites with the most currently active servers are preferred.
aRDT measures the round-delay-time for a DNS query and reply between a site ACOS device and the GSLB
local DNS. You can configure aRDT to take a single sample or periodic samples.
The aRDT metric uses the following options, which are configurable on a global basis:
• Domain – Specifies the query domain. To measure the active round-delay-time (aRDT) for a client, the
site ACOS device sends queries for the domain name to a client’s local DNS. An aRDT sample consists
of the time between when the site ACOS device sends a query and when it receives the response.
Only one aRDT domain can be configured. It is recommended to use a domain name that is likely to be
in the cache of each client’s local DNS. The default domain name is “google.com”.
The ACOS device averages multiple aRDT samples together to calculate the aRDT measurement for a
client. (See the description of Track below.)
• Interval – Specifies the number of seconds between queries. You can specify 1-16383 seconds. The
default is 1.
• Retry – Specifies the number of times GSLB will resend a query if there is no response. You can specify
0-16. The default is 3.
• Sleep – Specifies the number of seconds GSLB stops tracking aRDT data for a client after a query fails.
You can specify 1-300 seconds. The default is 3.
• Timeout – Specifies the number of milliseconds GSLB will wait for a reply before resending a query.
You can specify 1-16383 milliseconds (ms). The default is 3000 ms.
• Track – Specifies the number of seconds during which the ACOS device collects samples for a client.
The samples collected during the track time are averaged together, and the averaged value is used as
the aRDT measurement for the client. You can specify 3-16383 seconds. The default is 60 seconds.
The averaged aRDT measurement is used until it ages out. The aging time for averaged aRDT
measurements is 10 minutes by default and is configurable on individual sites, using the aRDT aging-time
command.
To configure global aRDT options, use the gslb active-rdt command (See “gslb active-rdt” on page 132.)
Default Settings
When you enable aRDT, a site ACOS device sends some DNS requests to the GSLB domain’s local DNS. The
GSLB ACOS device then averages the aRDT times of 5 samples.
The single-shot option is useful if you do not want to frequently update the aRDT measurements. For
example, if the GSLB domain's clients tend to remain logged on for long periods of time, using the single-shot
option ensures that clients are not frequently sent to differing sites based on aRDT measurements.
• timeout – Specifies the number of seconds each site ACOS device should wait for the DNS reply. If the
reply does not arrive within the specified timeout, the site becomes ineligible for selection, in cases
where selection is based on the aRDT metric. You can specify 1-255 seconds. The default is 3 seconds.
• skip – Specifies the number of site ACOS devices that can exceed their single-shot timeouts, without
the aRDT metric itself being skipped by the GSLB ACOS device during site selection. You can skip from
1-31 sites. The default is 3.
Multiple Samples
To periodically retake aRDT samples, do not use the single-shot option. In this case, the ACOS device uses the
averaged aRDT value based on the number of samples measured for the intervals.
For example, if you set aRDT to use 3 samples with an interval of 5 seconds, the aRDT is the average over the
last 3 samples, collected in 5-second intervals. If you configure single-shot instead, a single sample is taken.
Store-By
By default, the GSLB ACOS device stores one aRDT measurement per site SLB device. Optionally, you can
configure the GSLB ACOS device to store one measurement per geo-location instead. This option is configurable
on individual GSLB sites. (See “Changing aRDT Settings for a Site” on page 52.)
Tolerance
The default measurement tolerance is 10 percent. If the aRDT measurements for more than one site are within 10
percent, the GSLB ACOS device considers the sites to be equal in terms of aRDT. You can adjust the tolerance to
any value from 0-100 percent.
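The single-shot timeout and skip options, sample averaging, and tolerance described above combine into one selection step, sketched here as an added example that is not A10 code. It assumes that a lower aRDT is preferred and that “within 10 percent” is measured against the lowest measurement; the function names and sample reply times are constructed.

```python
def averaged_ardt(samples_ms, samples=5):
    """Average the most recent `samples` aRDT samples (milliseconds).

    The guide gives 5 samples as the default and 1-8 as the allowed range.
    """
    if not 1 <= samples <= 8:
        raise ValueError("samples must be 1-8")
    recent = list(samples_ms)[-samples:]
    if not recent:
        return None
    return sum(recent) / len(recent)


def single_shot_eligible(replies_ms, timeout_s=3, skip=3):
    """Apply the single-shot timeout and skip options.

    replies_ms maps site name -> reply time in ms, or None when no reply came.
    Returns None when more than `skip` sites exceeded the timeout (the aRDT
    metric is then not used), otherwise the measurements of eligible sites.
    """
    if not 1 <= timeout_s <= 255:
        raise ValueError("timeout must be 1-255 seconds")
    if not 1 <= skip <= 31:
        raise ValueError("skip must be 1-31 sites")
    limit_ms = timeout_s * 1000
    eligible = {
        site: rtt for site, rtt in replies_ms.items()
        if rtt is not None and rtt <= limit_ms
    }
    timed_out = len(replies_ms) - len(eligible)
    if timed_out > skip:
        return None
    return eligible


def equal_best_sites(measurements_ms, tolerance_pct=10):
    """Sites treated as equal-best under the tolerance.

    Assumption: a site ties with the best one when its measurement is no more
    than tolerance_pct percent above the lowest measurement.
    """
    if not 0 <= tolerance_pct <= 100:
        raise ValueError("tolerance must be 0-100 percent")
    if not measurements_ms:
        return []
    best = min(measurements_ms.values())
    limit = best * (1 + tolerance_pct / 100)
    return sorted(s for s, rtt in measurements_ms.items() if rtt <= limit)


def select_by_ardt(replies_ms, timeout_s=3, skip=3, tolerance_pct=10):
    """Return the sites aRDT prefers, or None when the metric is skipped."""
    eligible = single_shot_eligible(replies_ms, timeout_s, skip)
    if eligible is None:
        return None
    return equal_best_sites(eligible, tolerance_pct)


# Constructed single-shot results: site-d never answered.
REPLIES_MS = {"site-a": 40, "site-b": 43, "site-c": 120, "site-d": None}
# Constructed results in which four sites miss the 3-second timeout.
MOSTLY_SILENT_MS = {"s1": 40, "s2": None, "s3": None, "s4": None, "s5": 5000}

if __name__ == "__main__":
    print(select_by_ardt(REPLIES_MS))                   # tie within 10 percent
    print(select_by_ardt(REPLIES_MS, tolerance_pct=0))  # strict comparison
    print(select_by_ardt(MOSTLY_SILENT_MS))             # metric skipped
    print(averaged_ardt([50, 40, 30, 20, 10, 60], samples=3))
```

When several sites are returned, aRDT does not separate them and the next metric in the policy's metric order makes the choice.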
Enabling aRDT
Enter the active-rdt command (See “active-rdt” on page 163.) at the configuration level for the GSLB policy:
If you omit all the options, the site ACOS device sends DNS requests to the GSLB domain’s local DNS. The GSLB
ACOS device averages the aRDT times of the samples. The aRDT measurements are regularly updated. You
can use the samples option to change the number of samples to 1-8.
To enable single-shot aRDT instead, use the single-shot option. You also can use the skip and timeout
options.
These commands access the configuration level for GSLB policy “gslbp2” and enable the aRDT metric, using
default settings:
These commands access the configuration level for GSLB policy “gslbp3” and enable the aRDT metric, using
single-shot.
In this example, each site ACOS device will send a single DNS query to the GSLB domain’s local DNS, and wait
3 seconds (the default) for a reply. The site ACOS devices will then send their aRDT measurements to the
GSLB ACOS device. However, if more than 3 site ACOS devices fail to send their aRDT measurements to the
GSLB ACOS device, the ACOS device will not use the aRDT metric.
• aging-time – Specifies the maximum amount of time a stored aRDT result can be used. You can
specify 1-60 minutes. The default is 10 minutes.
• bind-geoloc – Stores the aRDT measurements on a per geo-location basis. Without this option, the
measurements are stored on a per site-SLB device basis.
• ignore-count – Specifies the ignore count if aRDT is out of range. You can specify 1-15. The default is 5.
• ipv6-mask – Specifies the client IPv6 mask length, 1-128. The default is 128.
• limit – Specifies the limit. You can specify 1-16383. The default is 16383 milliseconds.
• mask – Based on the subnet mask or mask length, the entry can be a host address or a subnet address.
The default is 32.
• range-factor – Specifies the maximum percentage a new aRDT measurement can differ from the
previous measurement. If the new measurement differs from the previous measurement by more than
the allowed percentage, the new measurement is discarded and the previous measurement is used
again.
For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75%
to 125% of the previous value can be used. A measurement that is less than 75% or more than 125% of
the previous measurement cannot be used.
You can specify 1-1000. The default is 25.
• smooth-factor – Blends the new measurement with the previous one, to smooth the measurements.
For example, if the smooth-factor is set to 10 (the default), 10% of the new measurement is used, along
with 90% of the previous measurement. Similarly, if the smooth-factor is set to 50, 50% of the new
measurement is used, along with 50% of the previous measurement.
You can specify 1-100. The default is 10.
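The range-factor and smooth-factor rules above, together with the tolerance comparison described under Tolerance, as an added Python model (example code written for this page, not ACOS code). The class and function names, the millisecond sample values, the handling of the very first measurement, and measuring tolerance against the fastest site are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class ArdtFilter:
    """Per-site model of range-factor and smooth-factor handling (assumed names)."""
    range_factor: int = 25           # percent, default stated in the guide
    smooth_factor: int = 10          # percent, default stated in the guide
    stored: Optional[float] = None   # last stored aRDT value, in milliseconds

    def update(self, sample_ms: float) -> float:
        """Feed one new measurement and return the value that is stored afterwards."""
        if self.stored is None:
            # Assumption: the first measurement has nothing to be compared with.
            self.stored = float(sample_ms)
            return self.stored
        low = self.stored * (100 - self.range_factor) / 100
        high = self.stored * (100 + self.range_factor) / 100
        if not (low <= sample_ms <= high):
            # Out of range: discard the sample and reuse the previous measurement,
            # so one outlier cannot move the stored value.
            return self.stored
        # Blend: smooth_factor percent new, the remainder previous.
        self.stored = (self.smooth_factor * sample_ms
                       + (100 - self.smooth_factor) * self.stored) / 100
        return self.stored


def replay(samples_ms: Iterable[float], **settings: int) -> List[float]:
    """Run a series of measurements through one filter and list each stored value."""
    flt = ArdtFilter(**settings)
    return [flt.update(s) for s in samples_ms]


def sites_equal_on_ardt(ardt_by_site: Dict[str, float], tolerance: int = 10) -> List[str]:
    """Sites treated as equal on aRDT.

    Assumption: a site ties with the fastest site when its value is within
    `tolerance` percent of the fastest value.
    """
    if not ardt_by_site:
        return []
    best = min(ardt_by_site.values())
    cutoff = best * (100 + tolerance) / 100
    return sorted(site for site, value in ardt_by_site.items() if value <= cutoff)


# Constructed sample data: 200 ms is more than 125% of the stored value and is dropped.
SAMPLES_MS = [100, 110, 200, 90]
SITES_MS = {"site-a": 40.0, "site-b": 43.0, "site-c": 60.0}

if __name__ == "__main__":
    print(replay(SAMPLES_MS))
    print(sites_equal_on_ardt(SITES_MS))
```

Sites that tie here are not distinguished by aRDT, so the choice between them falls to whatever is evaluated next in the policy.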
Use the active-rdt command at the configuration level for the site:
Use an IP list to exclude a set of IP addresses from aRDT polling. You can configure an IP list in either of the
following ways:
• Use a text editor on a PC or use the ACOS GUI to configure a black/white list, then load the entries from
the black/white list into an IP list.
• Use this command to configure individual IP list entries.
To configure an IP list using the CLI, use the gslb ip-list command at the global configuration level of the
CLI:
The command changes the CLI to the configuration level for the list, where the ip command is available. This
command creates an IP entry in the list. Based on the subnet mask or mask length, the entry can be a host
address or a subnet address.
This load command loads the entries from a black/white list into the IP list.
To use the IP list to specify the IP addresses to exclude from aRDT data collection, use the active-rdt
ignore-id command at the configuration level for the GSLB policy:
Network topologies often include site devices that either require NAT to access local DNS servers or are
isolated from the servers by firewalls. GSLB controllers cannot obtain valid site-based metrics from site devices
in these topologies.
The GSLB controllers must be members of a GSLB Controller group, which is a data structure that
synchronizes communications and designates a Master Controller among the members. The A10 GLOBAL SERVER
LOAD BALANCING GUIDE describes the function and implementation of GSLB Controller groups.
GSLB Controller based metrics are not supported in IPv6 or L3V partition configurations.
Each location includes a GSLB controller that can access the client LDNS and its local site devices. Each GSLB
Controller only queries its local site device and the originating LDNS server to derive the RDT metrics. The
controllers send the metrics to the GSLB Master Controller. By default, the metric is based on the response
time between the controller and the LDNS server. An option is available that adds the response time
between the controller and site device to the controller-LDNS response time.
These commands implement GSLB Controller-Based metrics. See “Configuring GSLB Controller-Based
Metrics” on page 126 for the GUI implementation.
These commands bind controllers to the GSLB sites (ACOS-1 to ELY and ACOS-2 to RENO).
These commands implement controller-based metrics on the GSLB policy named RHOMBUS:
These commands enable the GSLB controller and configure the GSLB group.
Geographic
Geographic – Services located within the client’s geographic region are preferred.
Geo-Location
You can configure GSLB to prefer site VIPs for DNS replies that are geographically closer to the clients. For
example, if a domain is served by sites in both the USA and Asia, you can configure GSLB to favor the USA site
for USA clients while preferring the Asian site for Asian clients.
To configure geo-location:
• Load geo-location data. You can load geo-location data from a file or manually configure individual
geo-location mappings.
Loading geo-location data from a file is simpler than manually configuring geo-location mappings,
especially if you have more than a few GSLB sites.
The ACOS software includes an Internet Assigned Numbers Authority (IANA) database. The IANA database
contains the geographic locations of the IP address ranges and subnets assigned by the IANA. The IANA
database is loaded on the ACOS device, and it is enabled by default.
CNAME Support
As an extension to geo-location support, you can configure GSLB to send a Canonical Name (CNAME) record
instead of an Address record in DNS replies to clients. A CNAME record maps a domain name to an alias for
that domain. For example, you can associate the following aliases with the domain “example.com”:
• www.example.co.cn
• mail.example.com
• ftp.example.com
Each of the aliases in the list above can be associated with a different geo-location:
If a client’s IP address is within the geo-location that is associated with www.1.example.com, then GSLB places
a CNAME record for www.1.example.com in the DNS reply to that client.
• dns geoloc-alias
• For individual services in the zone, configure the aliases and associate them with geo-locations.
Connection Load
Connection-Load – Sites that are not exceeding their thresholds for new connections are preferred.
Num Session
Num-Session – Sites that are not exceeding the available Session-Capacity threshold compared to other sites are
treated as having the same preference.
Admin Preference
Admin-Preference – The site with the highest administratively set preference is selected.
BW Cost
The BW-Cost metric selects sites based on bandwidth utilization on the site ACOS links.
To compare sites based on bandwidth utilization, the GSLB ACOS device sends SNMP GET requests for a
specified MIB interface object, such as ifInOctets, to each site.
• If the SNMP object value is less than or equal to the site’s configured bandwidth limit, the site is eligible
for selection.
• If the SNMP object value is greater than the bandwidth limit configured for the site, then the site is
ineligible.
The GSLB ACOS device sends the SNMP requests at regular intervals. Once a site is ineligible, the site can
become eligible again at the next interval if the utilization is below the configured limit minus the threshold
percentage.
To use the BW-Cost metric, an SNMP template must be configured and bound to each site. The GSLB SNMP
template specifies the SNMP version and other information necessary to access the SNMP agent on the site
ACOS device, and the Object Identifier (OID) of the MIB object to request.
• Bandwidth limit – The bandwidth limit specifies the maximum value of the requested MIB object for
the site to be eligible for selection.
• Bandwidth threshold – For a site to regain eligibility when BW-Cost is being compared, the SNMP
object’s value must be below the threshold-percentage of the limit value.
For example, if the limit value is 80,000 and the threshold is 90 (percent), then the SNMP object’s value must be
72,000 or less for the site to become eligible again based on bandwidth cost. Once a site again becomes
eligible, the SNMP object’s value is again allowed to increase up to the bandwidth limit value (80,000 in
this example).
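The eligibility rule and its recovery threshold, traced over a series of polls, as an added Python model (example code written for this page, not ACOS code). The class and function names and the polled values are constructed; re-eligibility is taken as value <= limit x threshold / 100, matching the 80,000 / 90 / 72,000 example above.

```python
from typing import Iterable, List


class BwCostSite:
    """Tracks BW-Cost eligibility for one site across SNMP polls (assumed names)."""

    def __init__(self, limit: int, threshold_pct: int) -> None:
        self.limit = limit                  # maximum value of the polled MIB object
        self.threshold_pct = threshold_pct  # percentage of the limit needed to recover
        self.eligible = True                # assumption: a site starts out eligible

    @property
    def recovery_value(self) -> int:
        """Highest polled value at which an ineligible site becomes eligible again."""
        return self.limit * self.threshold_pct // 100

    def poll(self, value: int) -> bool:
        """Apply one polled SNMP object value and return the resulting eligibility."""
        if self.eligible:
            # An eligible site stays eligible up to and including the limit.
            self.eligible = value <= self.limit
        else:
            # An ineligible site must drop to the threshold percentage of the limit.
            # Integer comparison avoids rounding at the boundary.
            self.eligible = value * 100 <= self.limit * self.threshold_pct
        return self.eligible


def eligibility_trace(values: Iterable[int], limit: int, threshold_pct: int) -> List[bool]:
    """Eligibility after each poll interval, in order."""
    site = BwCostSite(limit, threshold_pct)
    return [site.poll(v) for v in values]


# Constructed poll results for a site with limit 80,000 and threshold 90.
CONSTRUCTED_POLLS = [70000, 80000, 80001, 76000, 72001, 72000, 79000, 81000]

if __name__ == "__main__":
    for value, ok in zip(CONSTRUCTED_POLLS,
                         eligibility_trace(CONSTRUCTED_POLLS, 80000, 90)):
        print(f"{value:>6} -> {'eligible' if ok else 'ineligible'}")
```

The 76,000 and 72,001 polls are under the limit but the site stays ineligible, which is the gap between limit and threshold that keeps a site near its limit from flapping in and out of selection.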
Enable the BW-Cost metric in the GSLB policy. By default, the BW-Cost metric is disabled.
The gslb template snmp command configures a GSLB SNMP template. This command adds the template
and changes the CLI to the configuration level for the template, where the following template-related
commands are available:
The version command specifies the SNMP version running on the site ACOS device.
The host command specifies the IP address of the site ACOS device.
The oid command specifies the interface MIB object to query on the site ACOS device. If the object is part of
a table, append the table index to the end of the OID. Otherwise, the ACOS device will return an error.
The community command (SNMPv1 / SNMPv2c) specifies the community string required for authentication.
The username command (SNMPv3) specifies the SNMPv3 username required for access to the SNMP agent
on the site ACOS device.
• no-auth – Authentication is not used and encryption (privacy) is not used. This is the default.
The auth-proto and auth-key commands are applicable in the auth-no-priv or auth-priv security levels.
The auth-proto command specifies the authentication protocol. The auth-key command specifies the authentication key.
The priv-proto and priv-key commands are applicable for the auth-priv security level. The priv-proto
command specifies the privacy protocol used for encryption. The priv-key command specifies the
encryption key.
The context-engine-id command specifies the SNMPv3 protocol engine ID running on the site ACOS
device. The context-name command specifies an SNMPv3 collection of management information objects
accessible by an SNMP entity. The security-engine-id command specifies the ID of the SNMPv3 security
engine running on the site ACOS device.
The interval command specifies the amount of time between each SNMP GET to the site ACOS devices.
The port command specifies the port where site ACOS devices listen for SNMP requests from the GSLB ACOS
device.
To apply a GSLB SNMP template to a GSLB site, use the template command at the configuration level for the
site:
To configure the bandwidth limit and threshold on a site, use the bw-cost limit command at the site’s
configuration level:
To enable the bandwidth cost metric in a GSLB policy, use the bw-cost command at the configuration level
for the policy:
Use the show gslb site command to display BW-Cost data for a site.
The following commands apply the SNMP template to a site and set the bandwidth limit and threshold:
The following commands enable the BW-Cost metric in the GSLB policy:
The following commands configure a GSLB SNMP template for SNMPv3. In this example, authentication and
encryption are both used.
Least-Response
Least-Response – Service IP addresses with the fewest hits are preferred.
Admin-IP
Admin-IP – Sites are preferred based on administratively assigned weight.
Round-Robin
Round-Robin – Sites are selected in sequential order.
The ACOS device uses Round-Robin as a tie-breaker to select a site. This is true even if the Round-Robin
metric is disabled in the GSLB policy.
Alias-Admin-Preference
The Alias-Admin-Preference metric selects the DNS CNAME record with the highest administratively set
preference. This metric is similar to the Admin-Preference metric, but applies only to DNS CNAME records.
The Alias Admin Preference metric, which selects the DNS CNAME record with the highest administratively
set preference, can be used in DNS Proxy or DNS Server mode. Similarly, the Weighted Alias metric, which
expresses a preference for higher-weighted CNAME records, can be used in DNS Proxy or DNS Server mode.
• DNS proxy – Enable the geoloc-alias option. After GSLB retrieves the DNS response from the DNS
answer, GSLB selects a DNS A record using IP metrics, and then tries to insert the DNS CNAME record
into the answer based on geo-location settings. While inserting the CNAME record, if the Alias metrics
are enabled, GSLB may remove some CNAME records and related service IPs.
• DNS server – If applicable, enable the backup-alias option. If there is no DNS A record to return, GSLB
tries to insert all backup DNS CNAME records. During insertion, if Alias metrics are enabled, GSLB may
remove some CNAME records. No DNS A records are returned.
This option also requires the dns-cname-record as-backup option on the service.
1. At the configuration level for the GSLB service, assign an administrative preference to the DNS CNAME
record for the service.
2. At the configuration level for the GSLB policy:
• Enable the Alias Admin Preference metric.
• Enable one or both of the following DNS options, as applicable to your deployment:
• DNS backup-alias
• DNS geoloc-alias
3. If using the backup-alias option, use the dns-cname-record as-backup option on the service.
2. To enable the Alias Admin Preference metric, use the alias-admin-preference command (See
“alias-admin-preference” on page 168.) at the policy configuration level.
Weighted-Alias
The Weighted-Alias metric evaluates CNAME records. CNAME records with higher weight values have
preference over CNAME records with lower weight values. This metric is similar to Weighted-IP, but applies only to
DNS CNAME records.
1. At the configuration level for the GSLB service, assign a weight to the DNS CNAME record for the service.
2. At the configuration level for the GSLB policy:
• Enable one or both of the following DNS options, as applicable to your deployment:
• DNS backup-alias
• DNS geoloc-alias
3. If using the backup-alias option, use the dns-cname-record as-backup option on the service.
DNS Options
This chapter describes available DNS options. These sections describe DNS options and their implementation.
GSLB does not have a separately configurable “proxy” option. The proxy option is automatically enabled
when you configure the DNS proxy as part of GSLB configuration.
The site address selected by the first option that is applicable to the client and requested service is used.
To append all Name Server (NS) Resource Records (RR) in the Authority Section of a DNS reply from a GSLB
ACOS device in server mode, use the fdns server authoritative ns-list command at the gslb policy
configuration level.
Support for DNS TXT Records
GSLB supports the ability to use DNS TXT resource records for the following purposes:
• Carry multiple pieces of DNS TXT data within one TXT record
Then use the dns-txt-record command at the service config level within a GSLB zone:
The ACOS device has a special handler that enables you to enter non-printable characters that the CLI does
not support.
To display the DNS TXT switch, use the show gslb policy command:
The feature is defined on a GSLB policy basis. When the policy is assigned to a GSLB zone, the feature is
implemented for DNS server CNAME records that are managed within the zone.
DNS Option Descriptions
1. This code associates a pre-configured health monitor (HMONITOR-1) with DNS servers accessed from the
GSLB zone. This code does not include the configuration of the HMONITOR-1 health monitor.
ACOS(config)# slb server s1 www1.example.com
ACOS(config-real server)# health-check HMONITOR-1
ACOS(config-real server)# exit
ACOS(config)# slb server s2 www2.example.com
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# health-check HMONITOR-1
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
2. This code configures the policy for replying to CNAME records. The other policy commands filter CNAME
records that are DOWN and enable the return of a single CNAME record.
3. This code implements the CNAME reply policy to the zone that accesses the DNS servers.
The cname-detect and external-ip options are enabled by default. All the other DNS options are disabled by
default.
DNS Action
The DNS action option enables GSLB to perform DNS actions specified in the service configurations.
The dns action command enables the active-only fail-safe option and returns a list of server IP addresses
for failed servers. (See “dns action” on page 173.)
DNS Active-only
By default, if all of the servers fail to pass the health check, the GSLB controller returns an
empty list to the client, rather than sending the list of IP addresses for the servers that failed the health
check.
You can configure the ACOS device to send the list of IP addresses (associated with servers that failed their
health checks) back to the client. The feature can be enabled using the new dns active-only metric option.
In association with this feature, you can also designate one or more backup servers, and the IP addresses for
these servers will be sent to the client in the event that all of the primary servers have failed. This behavior
requires that you enable the dns backup-server feature within the GSLB policy, and that you specify the
backup servers within the DNS A-record for the GSLB zone service.
• active-only fail-safe – A list of IP addresses for the servers that failed the health check is sent back to
the client.
• backup-server – Designate one or more backup servers that can be returned to the client if the
primaries should fail.
These commands enable the DNS active-only fail-safe option within a GSLB policy, so a list of IP addresses
is sent to the client for the servers that fail the health check.
DNS Addition-MX
The DNS Addition-MX option appends MX records in the Additional section in replies for A records, when the
device is configured for DNS proxy or cache mode. (See “dns addition-mx” on page 174.)
DNS Auto-Mapping
An ACOS device acting as a GSLB controller can retrieve the data needed to build the DNS system by
automatically returning DNS records by name. This GSLB Auto-Mapping feature reduces the required amount of
DNS management work when deploying GSLB.
• Names exceeding 20 characters must be changed to DNS domain, with labels separated by the '.'
character.
With GSLB Auto-Mapping, the ACOS device automatically creates the service by taking the name of a system
resource, or "module", and appending it to the front of a zone to create the service name (DNS name).
Once the servers and other network devices have been configured with basic information, auto-mapping
enables the GSLB protocol to support DNS queries for the following modules (or system resources):
• SLB server
• SLB device
• GSLB site
• GSLB service-IP
• GSLB Group
• Hostname
By default, system auto-mapping is disabled until you configure the modules. However, after system
auto-mapping has been configured, the query name is the object’s name.
The gslb system auto-map module command (global configuration level) configures auto-mapping.
The dns auto-map command (See “dns auto-map” on page 175.) configures auto-mapping at the zone level.
This command enables creation of A and AAAA records for IP resources configured on the ACOS device. This
option is useful for auto-mapping VIP addresses to service-IP addresses.
Example: For a real server of us-svr1, and wildcard zone of example.com, the query name should be
us-svr1.example.com.
Next, the commands below configure a GSLB policy “auto-map” for the zone “example.com”. A wildcard
service IP is used. If a client sends a query for a host within the “example.com” zone (for example, an ACOS with
the name "sj-acos"), then the full service name is “sj-acos.example.com”, and the GSLB protocol will respond
to the client’s query by providing the management IP address and the IP address for the inbound data
interface.
The dns backup-alias command (See “dns backup-alias” on page 176.) configures the DNS backup-alias
option.
1. Use the dns backup-server command (See “dns backup-server” on page 177.) to enable the backup
server mode within the GSLB policy:
2. Specify the backup servers in the dns-a-record within the GSLB zone service with the dns-a-record
(See “gslb zone” on page 153.) command.
DNS Cache
The DNS Cache option enables the GSLB ACOS device to cache DNS replies. The ACOS device uses
information in the cached DNS entries to reply to subsequent client requests, as opposed to sending a new DNS
request for every client query.
When this option is enabled, the ACOS device caches a DNS reply for the duration of the TTL in the reply
when the aging time parameter is set to zero. To override the entry TTL, set the cache aging time to a value
greater than zero.
The dns cache command (See “dns cache” on page 178.) configures the DNS cache option.
The dns cname-detect command (See “dns cname-detect” on page 179.) configures the DNS cname-detect option.
By delegating responsibility for a sub-zone (or “sub-domain”), you are effectively dividing up the name
space. This division allows for partitioning the responsibility for the DNS name space management.
For example, assume a San Jose-based company is expanding rapidly and decides to open an office in New
York for its finance division. With the additional traffic generated by client DNS resolvers on the East Coast,
the parent domain (“example.com”) may no longer suffice. In this case, it might be helpful to add a separate
sub-zone (“finance.example.com”) for the New York office. Such a scenario is shown in Figure 4 on page 71.
Figure 4 shows the root zone at the top of the DNS hierarchy. The figure also illustrates the following
important points:
• The next level down are the Top Level Domains (TLDs), or the DNS servers responsible for managing
the resource records for the “.com”, “.org” and other domains.
• The parent zone is located beneath the TLDs. It is at this level within the DNS structure that the
organization’s main domain (“example.com”) is located.
• A separate sub-zone (“finance.example.com”), representing the New York office, has been delegated
from the parent zone.
As this hypothetical sub-zone is branched off of the parent domain, it might be helpful to delegate
responsibility for managing this new sub-zone to an IT administrator who is also located in New York.
Keep in mind that during the process of delegating authority for any sub-zone, an NS record must be added
to the zone file within the authoritative name server for the parent zone. This must be done so that other
DNS servers and clients will recognize the new server as being authoritative for the particular delegated
sub-zone.
Details:
• Sub-zone delegation is enabled within a GSLB policy and applied at the zone level.
• When delegating a sub-zone, the GSLB ACOS device must be in server mode. The feature will not work
with the GSLB ACOS device in proxy mode.
• Once a sub-zone has been delegated from the parent zone, client resolvers will send a query for the NS
record, and the response from the GSLB ACOS device will have the NS record in the Authority section
and the IP address in the Additional section of the full DNS response.
The ACOS device supports configuration of glue records. A glue record can be configured to prevent circular
dependencies, which can occur if the name server is located in a sub-zone of the parent domain. Such a
scenario can make it impossible for the client resolver to locate the IP for the name server, because it is located
within a sub-zone of the parent domain. Configuring a glue record eliminates this problem by providing an
address record that appears in the Additional section of the full DNS response, and this enables the client to
find the name server.
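The circular dependency that a glue record resolves, as an added Python check (example code written for this page, not ACOS code). The zone, name server and address are the ones used in this section's delegation walkthrough; the function names, the record text format and the out-of-zone name ns.example.net are assumptions.

```python
from typing import Dict, List, NamedTuple


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]


def is_within(name: str, zone: str) -> bool:
    """True when `name` equals `zone` or sits below it.

    Compared label by label: a plain string suffix test would wrongly place
    ns01.xsub.sub.example.com.jp inside sub.sub.example.com.jp.
    """
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


class Referral(NamedTuple):
    authority: List[str]      # NS records for the delegated sub-zone
    additional: List[str]     # glue address records
    missing_glue: List[str]   # in-zone name servers that have no address record


def build_referral(subzone: str, ns_names: List[str],
                   addresses: Dict[str, List[str]]) -> Referral:
    """Assemble the Authority and Additional sections for a delegation and
    report every name server that can only be found by asking itself."""
    known = {".".join(_labels(k)): v for k, v in addresses.items()}
    zone = ".".join(_labels(subzone))
    authority: List[str] = []
    additional: List[str] = []
    missing: List[str] = []
    for ns in ns_names:
        host = ".".join(_labels(ns))
        authority.append(f"{zone}. NS {host}.")
        if not is_within(host, zone):
            continue  # resolvable through another zone, so no glue is required
        addrs = known.get(host, [])
        if addrs:
            additional.extend(f"{host}. A {addr}" for addr in addrs)
        else:
            missing.append(host)  # circular: the resolver cannot reach this server
    return Referral(authority, additional, missing)


# Values taken from this section; ns.example.net is a constructed out-of-zone server.
SUBZONE = "sub.sub.example.com.jp"
NS_IN_ZONE = "ns01.sub.sub.example.com.jp"
GLUE = {NS_IN_ZONE: ["172.16.10.203"]}

if __name__ == "__main__":
    print(build_referral(SUBZONE, [NS_IN_ZONE, "ns.example.net"], GLUE))
    print(build_referral(SUBZONE, [NS_IN_ZONE], {}).missing_glue)
```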
The dns delegation command (See “dns delegation” on page 180.) enables DNS subzone delegation.
The following command creates the sub-zone to be delegated. Note that this also requires the configuration
of a wildcard service.
Alternatively, use these commands (instead of the previous gslb zone command block) to have the feature
support DNSSEC by removing the “sub.” from the zone config. See the DDoS Mitigation Guide (for ADC) for
information about DNS Security Extensions (DNSSEC).
This command applies the delegation policy (delegate-1) at the zone level for the service group level:
The following command configures the GSLB service IP “dc1-vip” at IP 10.10.10.10 and disables the health
check at the service IP level and at port 80 for TCP.
The following command configures the GSLB service IP “ns-ip-1” at IP 172.16.10.203 and disables the health
check at the service IP level and at port 80 for TCP.
The following commands configure a GSLB site called “dc1”. The site has an ACOS device, “dc1-acos” at IP
10.10.10.50.
The following commands configure a GSLB site called “dc2”. The site has an ACOS device, “dc2-acos” at IP
172.16.10.50.
The following commands configure a GSLB site called “dc5”. The site has an ACOS device, “dc5-ax” at IP
172.16.11.50.
The following commands configure three GSLB policies: (1) the default GSLB policy, (2) GSLB policy “5” (for
delegation), and (3) GSLB policy “dns-server”. The ACOS delegates authority for the sub-domain
“sub.sub.example.com.jp” to nameserver "ns01.sub.sub.example.com.jp".
The following commands create the GSLB zone “sub.sub.example.com.jp” and create a wildcard service
within the zone. The GSLB policy “5”, created above, is assigned to the wildcard service, and an NS record is
created for the name server, “ns01.sub.sub.example.com.jp”.
The following commands are used within the same GSLB zone “sub.sub.example.com.jp” to create a service
for port 53 called “ns01”. The GSLB policy “dns-server”, created above, is assigned to the service, and an A
record is created for “ns-ip-1” to return the associated Service-IP if the DNS is in server mode.
The following commands create the GSLB zone “sub.example.com.jp” and enable the http service. Then,
the policy “dns-server” is bound and A records are created for “dc1-vip” and “dc2-vip”.
The following command enables the GSLB and makes this ACOS device the GSLB controller.
DNS External-IP
The DNS external-ip option configures the device to return the external IP address configured for a service IP.
If this option is disabled, the internal address is returned instead.
The dns external-ip command (See “dns external-ip” on page 181.) configures the DNS external-ip option.
DNS External-SOA
The DNS external-soa option replaces the internal SOA record with an external SOA record to prevent
external clients from gaining information that should only be available to internal clients. If this option is disabled,
the internal address is returned.
The dns external-soa command (See “dns external-soa” on page 182.) configures the DNS external-soa
option.
DNS Geoloc-Action
The DNS geoloc-action option performs the DNS traffic handling action specified for the client’s
geo-location. The action is specified as part of service configuration in a zone.
The dns geoloc-action command (See “dns geoloc-action” on page 183.) configures the DNS
geoloc-action option.
DNS Geoloc-Alias
The DNS geoloc-alias option replaces the IP address with its alias configured on the GSLB ACOS device.
The dns geoloc-alias command (See “dns geoloc-alias” on page 184.) configures the DNS geoloc-alias
option.
DNS Geoloc-Policy
The DNS geoloc-policy option returns the alias name configured for the client’s geo-location.
The dns geoloc-policy command (See “dns geoloc-policy” on page 185.) configures the DNS geoloc-policy
option.
You can disable the appearance of hints in a DNS response. In addition, you also can determine where in the
DNS response the hints will appear.
• NS
• MX
• SRV
These commands configure the ACOS device to include the Hint Record in the Answer Section of the DNS
response. One possible use is when the local DNS server has trouble parsing the Additional Section that
appears in a full DNS reply.
DNS IP-Replace
The DNS ip-replace option replaces the IP addresses with the set of addresses administratively assigned to
the service in the zone configuration.
The dns ip-replace command (See “dns ip-replace” on page 187.) configures the DNS ip-replace option.
DNS IPv6
The DNS ipv6 options enable support for IPv6 AAAA records.
• The dns ipv6 mapping command (See “dns ipv6 mapping” on page 188.) specifies the ACOS device
response to IPv6 DNS query.
• The dns ipv6 mix command (See “dns ipv6 mix” on page 189.) configures the ACOS device to return
AAAA and A records in the same response.
• The dns ipv6 smart command (See “dns ipv6 smart” on page 190.) enables IPv6 return by query
type.
DNS Logging
The following output options for GSLB logging are supported:
Logging only to remote log servers is useful for deployments that experience high volumes of GSLB DNS traffic. Sending the logs for this activity to a group of remote servers prevents these messages from flooding the ACOS device’s log.
• Logging only to remote log servers applies specifically to GSLB DNS logging, configurable globally and
in individual GSLB policies.
• Logging templates are included in HA or VRRP-A configuration synchronization. They are not included
in GSLB synchronization among GSLB groups.
1. Configure a logging group and logging template, if not already configured. Logging groups also are
supported in previous releases. Beginning in ACOS 2.7.2-P2, you also can use logging groups for GSLB.
You can configure the logging group to receive log traffic over TCP or UDP, depending on which Layer 4
protocol the servers use to receive log traffic.
2. In the GSLB policy, enable DNS logging and specify the SLB logging group to use. By specifying a logging group, you enable remote logging and disable local logging for GSLB DNS events.
The policy in this example is set to run GSLB in DNS server mode. Logging of GSLB DNS events to remote logging servers is also supported for proxy mode. The syntax for the logging portion of the configuration is the same.
These commands configure the logging group, which consists of the logging server, service group, and logging template.
These commands configure the DNS VIP that will intercept UDP DNS requests from clients:
These commands configure the service-IP and the site. This is the site that GSLB helps clients reach. The site
SLB device that is load-balancing the server (192.1.1.190) is a Thunder device (192.1.1.100). The site SLB
device’s configuration is not shown.
The following commands configure the GSLB policy. The dns logging both template log command enables logging of DNS events to remote logging servers and disables logging of the events to the local buffer.
These commands configure the zone, “example.com”, and service, “www”. For this service, a static DNS Address (A) record is configured. Based on this configuration, GSLB responds to client queries for www.example.com with the IP address of service-IP “gs3”.
Query Log
The first message logs the DNS query message intercepted by ACOS and forwarded to the GSLB DNS server.
The message provides the following details:
• May 30 17:22:16 10.1.1.180 – Timestamp indicating the system time on the ACOS device when GSLB
generated the message.
• QUERY – Type of DNS message.
• Fwd 10.1.1.190 – VIP address of the GSLB DNS server to which ACOS forwarded the request.
• If GSLB is running in DNS server mode, this is the GSLB DNS VIP configured on the same device.
• If GSLB is running in DNS proxy mode, this is the IP address of the external DNS server to which the DNS VIP is bound.
• 10.1.1.68 – Client IP address (local DNS).
• www.example.com – The host for which the client is requesting the IP address.
• A – The type of query. In this example, this is a query for an IPv4 address (A).
Response Log
The second message logs the response to the client’s DNS query.
• 10.1.1.190 – VIP address of the GSLB DNS server from which the response is sent.
• www.example.com – The host for which the client is requesting the IP address.
• A – Type of record in the response. In this case, the response includes an IPv4 address record.
• Answer count
• A – Record type
• 1 – Class type
• 10 – TTL
• 4 – Data length
• 192.1.1.190 – DNS VIP address of the GSLB DNS server (or proxy, if proxy mode is used)
DNS Proxy
GSLB does not have a separately configurable “proxy” option. The proxy option is automatically enabled
when you configure the DNS proxy as part of GSLB configuration.
The DNS Proxy Block feature can be used to block DNS queries based on DNS query type, DNS query number,
or by specifying a range of numbers.
The feature can be used to block the following well-known DNS types:
• A (type 1)
• CNAME (type 5)
• MX (type 15)
• NS (type 2)
• SOA (type 6)
After specifying the type of DNS query to be blocked, select an action to perform on the selected DNS query
type, for example, drop or reject.
When selecting an action to perform on a query type, keep in mind the following caveats:
• Selecting a DNS query type without specifying the action will cause the default action to be applied to
the selected query type. The default action is “drop”.
• Selecting an action without specifying the query type leaves the feature effectively disabled. If no query type has been identified, then no action is applied, even if an action has been specified.
Implementing this feature may reduce the amount of traffic sent to back-end DNS servers, which can increase efficiency by reducing the burden on those servers. The feature may also be desirable where resource records reside on a DNS server that is accessible to both internal and external clients. In that situation, the DNS Proxy Block feature helps prevent sensitive resource records on an internal DNS server from being leaked to external clients.
• The GSLB ACOS device must be operating in proxy mode to support the DNS Proxy Block feature.
• The feature is configured within the GSLB policy and is applied at the zone and service levels.
• Multiple query types can be specified, but only one action can be applied to those query types. Therefore, the first bullet below would be an acceptable configuration, but the second bullet would not:
• Reject both SRV and CNAME query types (OK)
The following example shows the commands used to create a GSLB policy, enable the DNS Proxy Block feature for A records, and then apply the policy to the zone called “example.com” for the service http.
ACOS(config-zone:example.com-service:www)# exit
ACOS(config-zone:example.com)#
DNS Selected-only
The DNS selected-only option configures the device to return only the selected IP addresses.
The dns selected-only command (See “dns selected-only” on page 195.) enables return of only selected IP addresses. The command specifies a limit of records that can be returned after a record is selected. When the number of records exceeds the configured value, GSLB ignores this configuration.
DNS Server
The DNS Server option enables the GSLB ACOS device to act as a DNS server for specific service IPs in the
GSLB zone. When this setting is enabled, the ACOS device responds directly to address queries for specific
service IP addresses in the GSLB zone. The ACOS device still forwards other types of queries to the DNS
server.
In DNS Server mode, the dns cname-detect command is not required. When a client requests a configured
alias name, GSLB applies the policy to the CNAME records. The dns server command is not valid with the
dns ip-replace command. They are mutually exclusive.
DNS Server mode requires enabling the static option on the individual service IP. (To configure the service IP addresses, use the service-ip command at the configuration level for the service.)
The dns server command (See “dns server” on page 196.) configures the DNS server option.
DNS Sticky
The DNS Sticky option sends the same service IP address to a client for all requests from that client for the service address.
The dns sticky command (See “dns sticky” on page 198.) programs the device to send the same service IP address to a client for all requests from that client for the service address. Sticky DNS ensures that, during the aging-time, a client is always directed to the same site.
To ensure that the clients’ local DNS servers do not cache the DNS replies for too long, you can configure the
GSLB ACOS device to override the TTL values of the Address records in the DNS replies before sending the
replies to clients.
The TTL of the DNS reply can be overridden in two different places in the GSLB configuration:
1. If a GSLB policy is assigned to the individual service, the TTL set in that policy is used.
2. If no policy is assigned to the individual service, but the TTL is set in the zone, then the zone’s TTL setting
is used.
In DNS server mode, the DNS response from the ACOS device includes an IP TTL (maximum number of Layer
3 hops), with a default value equal to 255. This IP TTL can be configured using the following CLI command:
gslb system ip-ttl.
The dns ttl command (See “dns ttl” on page 200.) programs the ACOS device to change the TTL of each
DNS record contained in DNS replies received from the DNS for which the ACOS device is a proxy.
Geo Location Mappings
You can configure geo-location mappings manually or by loading the mappings from a file. Configuring the
geo-location mappings manually might not be practical, unless you have only a few sites.
The geo-location configuration options are described in detail below. To skip the descriptions and go directly
to configuration instructions, see one of the following sections. Each section provides the procedure for one
of the approaches to configuring geo-location mappings.
• Internet Assigned Numbers Authority (IANA) database – The IANA database contains geographic locations of IP address ranges and subnets assigned by the IANA. This database is loaded by default.
• Custom database in CSV format – You can load a custom geo-location database from a file in comma-separated-values (CSV) format. However, before loading the file, you must first configure a CSV template on the ACOS device because the data in the file is formatted by the template.
Geo-Location Mappings
A geo-location mapping consists of a geo-location name and an IP address or IP range.
• If you manually map a geo-location to a GSLB site, GSLB uses the mapping.
• If no geo-location is configured for a GSLB site, GSLB automatically maps the service-ip to a geo-location in the loaded geo-location database.
• If a service-ip cannot be mapped to a geo-location, GSLB maps the site ACOS device to a geo-location.
Loading or Configuring Geo-Location Mappings
If more than one geo-location matches a client’s IP address, the most specific match is used. For example, if a
client is in the same city as a site ACOS, that site will be preferred. If the client and site are in the same state
but in different cities, the site in that state will be preferred.
Only one database can be active. If you load more than one database, the most-recently loaded one
becomes the active one, and the older database is no longer used. Data from the older database is not
merged into the new database. Using the “load” command to load a new database will synchronize the
start-up configuration among all GSLB group members.
There is full parity in the synchronization, so the process works in reverse also. Unloading a geo-location
database from a configuration, or deleting a geo-location database, will remove that database from all GSLB
group members.
The example above shows how the CSV file appears when displayed in a text editor. If the same data were
displayed in a spreadsheet application, it would appear like Figure 5 below.
The database file can contain more types of information (fields, or columns) than are required for the GSLB
database. When you load the CSV file into the geo-location database, the CSV template on the ACOS device
filters the file to extract the required data, while ignoring the rest of the data. In the example below, only the
fields shown in bold type will be extracted and placed into the geo-location database:
The IP addresses in this example are in bin4 format. Dotted decimal format (for example: 69.26.125.0) is also supported. If you use bin4 format, the ACOS device automatically converts the addresses into dotted decimal format when you load the database into GSLB.
Here is an example for IP address 192.0.2.18, the first IP address in the example CSV file:
1. Prepare the database file. (This step requires an application that can save to text or CSV format, and it cannot be performed on the ACOS device.)
2. Configure a CSV template on the ACOS device. The CSV template specifies the field positions (or columns) in the database that should be extracted, such as IP address and location information.
3. Import the CSV file onto the ACOS device.
4. Load the CSV file.
5. Display the geo-location database.
You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• disk:path
• sftp://[user@]host/file
(For information about the use-mgmt-port option, see the “Using the Management Interface as the Source
for Management Traffic” chapter in the System Configuration and Administration Guide.)
Use the file name you specified when you imported the CSV file, and the name of the CSV template to be
used for extracting data from the file.
To display information about CSV files as they are being loaded, use the show gslb geo-location command:
Manually Configuring Geo-Location Mappings
1. Configure each geographic location (geo-location) as a named range of client IP addresses. You can configure geo-locations globally and within individual GSLB policies.
To configure a geo-location, use the gslb geo-location command at the global configuration
level or at the configuration level for the GSLB policy:
2. Associate a site with a geo-location name, using the geo-location command at the configuration
level for the site:
If you configure geo-locations globally and at the configuration level for individual sites, and a client IP address matches both a globally configured geo-location and a geo-location configured on a site, the globally configured geo-location is used by default. To configure the GSLB ACOS device to use geo-locations configured on individual sites instead, use the geo-location match-first policy command at the configuration level for the policy.
To search for an entry in the geo-location database that is based on client IP address, use the show gslb geo-location command:
The commands in this example load a custom geo-location database from a CSV file called “test.csv”, and
then display the database. The test.csv file is shown in “Example Database File” on page 86.
The following command imports the file onto the ACOS device:
The following commands initiate loading the data from the CSV file into the geo-location database, and display the status of the load operation:
ACOS(config)#
The following command displays the geo-location database extracted from the CSV file.
Geo-location: NA
From To/Mask Last Hits Sub T P-Name
--------------------------------------------------------------------------------
0 1 G
ACOS(config)#
Geo-location Overlap
The geo-location overlap option searches the geo-location database for the “match best” instead of searching the database using the “match first” algorithm. This behavior may be helpful if you suspect that more than one host has been mapped to a single public IP address.
In addition, third-party companies sell geo-location databases, and some of these databases may contain
millions of mappings between geographic regions and ranges of IP addresses. As with the IANA database
files, these files can also be imported into the ACOS device’s global database.
Geo-location information can also be manually configured on the ACOS device at the GSLB policy level.
A GSLB policy is typically created for each GSLB zone, so you could, for example, have separate zones for a company that has offices in New York and San Jose. Each of these GSLB zones might have its own geo-location file, with each file containing highly granular information that maps IP addresses and local regions.
When configuring geo-location for a GSLB zone, use the match first command to decide whether to search the Global database (containing the IANA file) or the GSLB Policy database.
The match first command determines which of the two geo-location databases will be used to parse incoming DNS requests from clients.
Once this configuration decision has been made, decide whether to enable the geo-location overlap command.
The geo-location overlap command is disabled by default because it tends to tax the ACOS processors.
The default behavior for the ACOS device is to use the match first algorithm (not to be confused with the match first option described above), which scans the geo-location database for the first IP address that matches the client’s source IP.
In contrast, the geo-location overlap option uses the match best algorithm, meaning the entire geo-location file must be scanned in order to locate the optimal response to send back to the client. This is very demanding on the ACOS CPU.
For example, if a company has a site in New York and San Jose:
In this situation, there exists an overlap in the IP address from 1.1.1.1 to 1.1.1.3.
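The difference between the two lookup algorithms can be reproduced offline. The following Python sketch is an added example, not A10 code: the two ranges are constructed so that they overlap from 1.1.1.1 to 1.1.1.3, and "match best" is modeled, as an assumption, as the narrowest range that contains the client address. It also lists overlapping entries, which is the check to run on a custom database before relying on match first for access decisions.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class GeoEntry(NamedTuple):
    name: str    # geo-location name
    first: int   # first address of the range, as an integer
    last: int    # last address of the range, as an integer


def entry(name: str, first: str, last: str) -> GeoEntry:
    """Build a database entry from dotted-decimal range bounds."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"{name}: range start {first} is after range end {last}")
    return GeoEntry(name, lo, hi)


# Constructed sample database (not the page's table). Entry order matters
# for match first, so the broader range is deliberately listed first.
DB = [
    entry("NewYork", "1.1.1.1", "1.1.1.10"),
    entry("SanJose", "1.1.1.1", "1.1.1.3"),
]


def match_first(db: List[GeoEntry], ip: str) -> Optional[str]:
    """Return the first entry containing ip; stops at the first hit."""
    addr = int(ipaddress.IPv4Address(ip))
    for e in db:
        if e.first <= addr <= e.last:
            return e.name
    return None


def match_best(db: List[GeoEntry], ip: str) -> Optional[str]:
    """Return the narrowest entry containing ip; always scans the whole database."""
    addr = int(ipaddress.IPv4Address(ip))
    best: Optional[GeoEntry] = None
    for e in db:
        if e.first <= addr <= e.last:
            if best is None or (e.last - e.first) < (best.last - best.first):
                best = e
    return best.name if best else None


def find_overlaps(db: List[GeoEntry]) -> List[Tuple[str, str, str, str]]:
    """Return (entry_a, entry_b, first_ip, last_ip) for every overlapping pair."""
    overlaps = []
    for i, a in enumerate(db):
        for b in db[i + 1:]:
            lo, hi = max(a.first, b.first), min(a.last, b.last)
            if lo <= hi:
                overlaps.append((a.name, b.name,
                                 str(ipaddress.IPv4Address(lo)),
                                 str(ipaddress.IPv4Address(hi))))
    return overlaps


if __name__ == "__main__":
    for client in ("1.1.1.2", "1.1.1.9", "8.8.8.8"):
        print(client, "first:", match_first(DB, client), "best:", match_best(DB, client))
    for a, b, lo, hi in find_overlaps(DB):
        print(f"overlap between {a} and {b}: {lo} to {hi}")
```

Any address reported by `find_overlaps` is one where the answer depends on entry order unless overlap matching is enabled.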
To resolve this ambiguity, you can enable the geo-location overlap option, which causes the ACOS device to search the geo-location database for the match best (or longest matching IP address).
If the geo-location overlap option is disabled, the ACOS device uses its default behavior: the match first algorithm checks the client’s IP address against the database and uses the first IP address-region mapping discovered when parsing the database.
If you believe your manually-configured geo-location databases may have two or more domains tied to the same IP address, you can use the geo-location-match overlap command at the GSLB policy configuration level of the CLI to enable geo-location overlap.
The following command enables geo-location overlap at the GSLB policy level. The overlap option enables match best behavior for the geo-location database within the default GSLB policy. With this behavior enabled, the match first algorithm is not used; instead, the ACOS device attempts to find the best match by searching for the longest string that matches the source IP address in the client’s request.
Geo-location-based Access Control
• Send the traffic to a specific service group (if configured using a black/white list)
The ACOS device determines a client’s location by looking up the client’s subnet in the geo-location database used by Global Server Load Balancing (GSLB).
This feature requires you to load a geo-location database, but does not require any other configuration of GSLB. Instead, SLB features are used along with the IANA database. The ACOS system image includes the Internet Assigned Numbers Authority (IANA) database. By default, the IANA database is not loaded but you can easily load it, as described in the configuration procedure later in this section.
Geo-location-based VIP access works only if the class list is imported as a file. The CLI does not support configuration of class-list entries for this application.
L US 1
L US.CA 2
L US.CA.SJ 3
The following commands import the class list onto the ACOS device, configure a policy template, and bind
the template to a virtual port. The connection limits specified in the policy template apply to clients who
send requests to the virtual port.
• default geo-location database (iana) is already loaded (“gslb system geo-location load” on page 149).
• the c-share class list was previously created
The show slb geo-location statistics command verifies operation of the policy.
1. Configure a black/white list. You can configure the list using a text editor on a PC or enter it directly into
the GUI. If you configure the list using a text editor, import the list onto the ACOS device.
2. Configure an SLB policy (PBSLB) template. In the template, specify the black/white list name, and the
actions to perform for the group IDs in the list.
3. Load a geo-location database, if one is not already loaded.
4. Apply the policy template to the virtual port for which you want to control access.
• Remote option – Use a text editor on a PC, then import the list onto the ACOS device.
• Local option – Enter the black/white list directly into a management GUI window.
With either method, the syntax is the same. The black/white list must be a text file that contains entries
(rows) in the following format:
The “L” indicates that the client’s location will be determined using information in the geo-location database.
The geo-location is the string in the geo-location database that is mapped to the client’s IP address; for example, “US”, “US.CA”, or “US.CA.SanJose”.
The group-id is a number from 1 to 31 that identifies a group of clients (geo-locations) in the list. The default
group ID is 0, which means no group is assigned. On the ACOS device, the group ID specifies the action to
perform on client traffic.
The #conn-limit specifies the maximum number of concurrent connections allowed from a client. The # is
required only if you do not specify a group ID. The connection limit is optional. For simplicity, the examples in
this section do not specify a connection limit.
L "US" 1
L "US.CA" 2
L "JP" 3
1. Import a black/white list onto the ACOS device with the bw-list command.
2. To configure a PBSLB template, use the slb template policy commands:
The command creates the template and changes the CLI to the configuration for the template, where
the bw-list name and bw-list id PBSLB-related commands are available.
3. Load a geo-location database with the gslb system geo-location load command.
4. To apply a policy template to a virtual port, use the template policy command in configuration mode
To clear SLB geo-location statistics, use the clear slb geo-location command.
The black/white list can either be imported or configured by selecting ADC >> BW-Lists in the GUI. Refer to the DDoS Mitigation Guide (DMG) for additional information about black/white lists.
The following commands apply the policy template to port 80 on virtual server “vip1”:
Full-Domain Checking
By default, when a client requests a connection, the ACOS device checks the connection count only for the
specific geo-location level of the client. If the connection limit for that specific geo-location level has not
been reached, then the client’s connection is permitted. Likewise, the permit counter is incremented only for
that specific geo-location level.
Table 1 shows an example set of geo-location connection limits and current connections.
Using the default behavior, the connection request from the client at US.CA.SanJose is allowed even though CA has reached its connection limit. Likewise, a connection request from a client at US.CA is allowed. However, a connection request from a client whose location match is simply “US” is denied.
After these three clients are permitted or denied, connection permit and deny counters are updated.
Based on full-domain checking, all three connection requests from the clients in the example above are
denied. This is because the US domain has reached its connection limit. Likewise, the counters for each
domain are updated as follows:
To enable full-domain checking for geo-location-based connection limiting, use the geo-location full-domain-tree command at the configuration level for the PBSLB template.
It is recommended to enable or disable this option before enabling GSLB. Changing the state of this option
while GSLB is running can cause the related statistics counters to be incorrect.
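The admission decision under the two checking modes can be modeled in a few lines. The following Python sketch is an added example, not A10 code: the limits and connection counts are constructed values in which only the “US” level is at its limit, and the rule that a level without a configured limit is skipped is an assumption of the model.

```python
from typing import Dict, List, NamedTuple, Optional


class Level(NamedTuple):
    limit: int     # configured connection limit for this geo-location level
    current: int   # connections currently counted against this level


class Decision(NamedTuple):
    permitted: bool
    blocked_by: Optional[str]   # level whose limit caused the deny, if any


# Constructed values (not the page's Table 1): only "US" is at its limit.
TABLE: Dict[str, Level] = {
    "US": Level(limit=100, current=100),
    "US.CA": Level(limit=50, current=37),
    "US.CA.SanJose": Level(limit=20, current=19),
}


def domain_chain(location: str) -> List[str]:
    """Return the location followed by each parent, most specific first."""
    parts = location.split(".")
    return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]


def check(location: str, table: Dict[str, Level],
          full_domain: bool = False) -> Decision:
    """Decide whether a new connection from `location` is permitted.

    Default mode checks only the client's own geo-location level.
    Full-domain mode checks that level and every parent level.
    Levels with no configured limit are skipped (model assumption).
    """
    levels = domain_chain(location) if full_domain else [location]
    for name in levels:
        level = table.get(name)
        if level is not None and level.current >= level.limit:
            return Decision(False, name)
    return Decision(True, None)


def headroom(location: str, table: Dict[str, Level]) -> Optional[int]:
    """Connections still available under full-domain checking.

    The tightest level in the chain decides; None means no level in the
    chain has a configured limit.
    """
    remaining = [table[name].limit - table[name].current
                 for name in domain_chain(location) if name in table]
    if not remaining:
        return None
    return max(0, min(remaining))


if __name__ == "__main__":
    for client in ("US.CA.SanJose", "US.CA", "US"):
        print(client,
              "default:", check(client, TABLE),
              "full-domain:", check(client, TABLE, full_domain=True),
              "headroom:", headroom(client, TABLE))
```

With these values the default mode permits the San Jose and California clients and denies the US client, while full-domain mode denies all three and reports “US” as the blocking level.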
• Permit
• Deny
• Connection number
• Connection limit
To enable the share option, use the geo-location share command at the configuration level for the PBSLB
policy template. It is recommended to enable or disable this option before enabling GSLB. Changing the
state of this option while GSLB is running can cause the related statistics counters to be incorrect.
Gateway Health Monitoring
To simplify health monitoring of a GSLB site, you can use a gateway health check. A gateway health check is a
Layer 3 health check (ping) sent to the gateway router for an SLB site. If a site’s gateway router fails a health
check, it is likely that none of the services at the site can be reached. GSLB stops using the site until it begins
to pass gateway health checks again.
In most cases, an ICMP health check is sufficient; use the default ICMP health check or configure a custom
one. For more detailed health analysis, use an external health check. For example, use a script to get SNMP
information from the gateway, and base the gateway’s health status on the retrieved information.
Health-Check Precedence
Health checking for a GSLB service can be performed at the following levels.
Using the GSLB Health Monitor option does not affect its precedence. The GSLB Health Monitor configuration includes health monitors in GSLB group synchronizations. For GSLB configuration synchronization, see “GSLB Synchronization” on page 18.
If the gateway health check is unsuccessful, the service IP is marked Down. If the gateway health check is successful, then the port health check can be used to check the status of the ports (assuming ports have been configured on the service IP). Otherwise, if no service ports are configured on the service IP, then the Layer 3 health check of the service IP is used.
Configuring Gateway Health Checking for GSLB Sites
1. Configure the health monitor, unless you plan to use the default ICMP health monitor.
2. On the SLB device at the site, create an SLB real server configuration with the gateway router’s IP
address. If you configured a custom health check, make sure to apply it to the real server.
3. On the GSLB controller, specify the site’s gateway IP address in the SLB-device configuration for the site.
For a service IP that can be reached on any of multiple links, create a separate SLB-device configuration, without using the gateway option. The gateway health status for this SLB-device will be Down only if all the gateway health checks performed for the other SLB-device configurations for the site fail.
1. On the site ACOS device – To create the gateway router, use the slb server command at the global configuration level of the CLI on the site ACOS device:
To use the default Layer 3 health monitor, no further configuration is needed on the site ACOS device.
When using a custom ICMP monitor, configure the monitor, then use the health-check command at the configuration level for the real server (gateway):
2. On the GSLB controller – To specify the site’s gateway IP address, use the gateway command at the configuration level for the SLB device, within the site configuration:
To disable gateway health checking at the SLB-device configuration level, use the no gateway health-check
command. After entering this command, the SLB device stops accepting gateway status information.
Site with Single Gateway Link
On the GSLB controller, the following commands enable gateway health checking for site device “site-acos”:
The following command displays the gateway health status for GSLB sites:
GSLB-ACOS(config)#
In this example, the gateway health status for SLB-device configuration “site-acos” on the “remote” site is Up.
Site with Multiple Gateway Links
On the GSLB controller, these commands enable gateway health checking for each of the site’s links. A
unique SLB-device name is used for each link, even though both links are for the same SLB device (20.1.1.1).
If the same services can be reached through either link, an additional SLB-device configuration is required:
No gateway is specified in the SLB-device configuration. The gateway health status will be Up unless the
health checks for 2.2.2.1 and 3.3.3.1 both fail.
Multiple-Port Health Monitoring
The default health monitor for a service is the default Layer 3 health monitor (ICMP ping). The default health
monitor for a service port is the default TCP or UDP monitor, depending on the transport protocol.
By default, if the GSLB protocol is enabled and can reach the service, health checking is performed over the
GSLB protocol. Otherwise, health checking is performed using standard network traffic instead. Optionally,
you can disable use of the GSLB protocol for health checking, on individual service-IPs.
To configure a multiple-port health check, use the health-check-port command at the configuration level
for the service IP. You can specify up to 64 ports.
Applying a health monitor is required only if you do not plan to use the default health monitors. (See
“Default Health Monitors” on page 103.)
The following commands apply a custom HTTP health monitor to service IP “gslb-srvc2”. The commands
utilize a health monitor (http) whose configuration is not included in the example.
The following commands enable a multi-port health check for the HTTP service “www” on service IP
“gslb-srvc2” in GSLB zone “abc.com”:
Application Groups
When persistence is enabled, ACOS ensures that requests for different services are sent to the same site. You
configure application groups so that certain services are grouped together. When a client requests those
services, they are always directed to the same site. For example, if a user requests the WWW service, and then
later requests the Secure WWW service, then persistence ensures that both requests go to the same site.
Configuring dependency ensures that when one service is down on a site, ACOS marks all services as
unusable for that site. Client traffic is then redirected to a site where persistence can be maintained for all services.
For example, a service group may consist of email protocols. If POP service is down, then all other
services, such as IMAP and SMTP, are also marked as down.
Persistence and dependency can be configured individually or together. In both cases, a service should be
configured in only one service-group.
1. Configure the virtual servers or services with the appropriate port and protocol.
2. Define the GSLB data centers or sites.
a. Configure the devices in the data centers, as well as the virtual servers or services in the data centers.
3. Configure the applications and logical components in the system, such as the FQDN.
4. Group the defined applications together and then enable persistence and dependency.
To configure GSLB application groups with persistence and failover dependency, enter the following
commands at the GSLB service-group configuration level:
persistent site
dependency site
Site persistence With Per-VIP Failover Granularity
The “persistent site” command can specify an IPv4 mask, IPv6 mask length, or aging-time that determines
the period after which persistence is no longer maintained to a server when there is no traffic from the client
(default aging-time is 5 minutes). Aging time is refreshed when the site receives a request from the client.
This example configures two GSLB sites, one for New York and one for San Francisco. These sites will support
the WWW and Secure WWW applications. Persistence and dependency are configured for these GSLB sites.
1. These commands configure GSLB data centers in New York and San Francisco. The virtual servers are
grouped into data centers. Each data center has four servers with port 80 configured (vip1 - vip4), and
four servers with port 443 configured (vip5 - vip8). The sites reference the servers through GSLB service-
ip assignments that are not included in the example (See “gslb service-ip” on page 143.).
2. These commands define the www.example.com and secure.example.com FQDNs. They assign the
WWW service to virtual servers 1 through 4, and the Secure WWW service to virtual servers 5 through 8.
3. The next commands group the applications (WWW and Secure WWW) together and configure
dependency for failover grouping, as well as persistence with an aging-time of 10 minutes.
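The persistence and dependency behavior described in this chapter can be traced with a simplified Python model. This is an added example, not ACOS code or configuration from the guide. The class and function names, the site identifiers, the client address, and the rule that an unpinned client gets the first usable site in configured order are all assumptions.

```python
import ipaddress


class ServiceGroup:
    """Simplified model of a GSLB service-group with `persistent site` and
    `dependency site`. Names and the first-usable-site fallback are
    assumptions made for this example."""

    def __init__(self, members, sites, persistent=True, dependency=True,
                 aging_minutes=5, v4_mask=32, v6_mask=128):
        self.members = list(members)        # FQDNs in the group
        self.sites = list(sites)            # site names, in configured order
        self.persistent = persistent
        self.dependency = dependency
        self.aging = aging_minutes * 60     # guide default: 5 minutes
        self.v4_mask, self.v6_mask = v4_mask, v6_mask
        self.health = {s: {m: True for m in self.members} for s in self.sites}
        self.table = {}                     # client key -> (site, last_seen)

    def set_health(self, site, member, up):
        self.health[site][member] = up

    def usable(self, site, member):
        # dependency site: one service down makes every grouped service
        # unusable at that site.
        if self.dependency:
            return all(self.health[site].values())
        return self.health[site][member]

    def _client_key(self, client_ip):
        # Persistence is tracked per masked client address.
        ip = ipaddress.ip_address(client_ip)
        bits = self.v4_mask if ip.version == 4 else self.v6_mask
        return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

    def select(self, client_ip, member, now):
        """Return the site for this request, or None if no site is usable.
        `now` is a timestamp in seconds."""
        if member not in self.members:
            raise KeyError(f"{member} is not a member of this group")
        key = self._client_key(client_ip)
        entry = self.table.get(key) if self.persistent else None
        if entry:
            site, last_seen = entry
            if now - last_seen <= self.aging and self.usable(site, member):
                self.table[key] = (site, now)   # a request refreshes aging
                return site
            del self.table[key]                 # aged out or site unusable
        for site in self.sites:                 # assumed fallback policy
            if self.usable(site, member):
                if self.persistent:
                    self.table[key] = (site, now)
                return site
        return None


def demo():
    """Constructed scenario: New York and San Francisco sites, WWW and
    Secure WWW grouped, persistence aging-time of 10 minutes."""
    www, secure = "www.example.com", "secure.example.com"
    grp = ServiceGroup([www, secure], ["new-york", "san-francisco"],
                       aging_minutes=10)
    client = "198.51.100.7"                     # constructed client address
    trace = [grp.select(client, www, now=0)]
    grp.set_health("new-york", secure, False)   # Secure WWW fails in New York
    trace.append(grp.select(client, www, now=60))
    grp.set_health("new-york", secure, True)    # New York recovers
    trace.append(grp.select(client, secure, now=120))
    trace.append(grp.select(client, www, now=721))  # 601 s idle: aged out
    return trace


if __name__ == "__main__":
    print(demo())
```

The trace shows the client leaving New York for WWW as soon as Secure WWW fails there, staying on San Francisco after New York recovers, and returning only once the persistence entry has aged out.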
Configuring GSLB through the GUI
This chapter provides configuration examples for Global Server Load Balancing (GSLB). These examples
implement a basic GSLB deployment. The examples assume that the default GSLB policy is used, without any
changes to the policy settings.
Steps consist of an action and the resulting GUI response. For example, the following line instructs the user
to select ADC >> SLB from the main menu, which opens the SLB Virtual Server Roster panel in the GUI:
1. Select ADC >> SLB (primary menu) Open SLB Virtual Server Roster
1. Select System >> Settings (primary menu) Open Access Control panel
2. Select DNS (secondary menu) Open Configure DNS panel
GSLB Proxy Mode (Scenario 1)
1. ADC >> SLB (primary menu) Open SLB Virtual Server roster
2. Select Servers (secondary menu) Open SLB Servers Roster
3. Click Create button Open Create Server panel
4. Data Entry: Create Server panel
Name: ACOS-11
Host: 10.10.0.53
Port Section: Click Create button Open Update Port panel
5. Data Entry: Update Port panel
Port Number: 53
Protocol: TCP
Click Create button Return to SLB Servers Roster
Virtual Port section: Click Create button Opens SLB Create Virtual Port panel
4. Data Entry: SLB Create Virtual Port panel
Protocol: dns-tcp
Port: 53
Service Group: (Drop Down): DNS-GRP1
5. Expand General Fields section
6. Data Entry: General Fields section
GSLB Enable: (checkbox) select
7. Click Create button Return to SLB Update Virtual Server panel
8. Click Update button Return to SLB Virtual Servers roster
GSLB Server Mode Group (Scenario 2)
1. Select System >> Settings (primary menu) Open Access Control panel
2. Select DNS (secondary menu) Open Configure DNS panel
3. Data Entry: Open Configure DNS panel
Hostname: ACOS-2
Click Update DNS button
4. Click Update DNS button GUI displays success message
SLB Service Group configuration, required in step 4, is not featured in this example. Refer to the ADC
Configuration Guide.
1. Select ADC >> SLB (primary menu) Open SLB Virtual Server Roster
2. Select Virtual-Servers (secondary menu) Open SLB Virtual Servers roster
3. Click Create button Open SLB Create Virtual Server panel
4. Data Entry: SLB Create Virtual Server panel
Name: DNS2
IP Address: 10.20.0.53
Virtual Port section: Click Create button Opens SLB Create Virtual Port panel
5. Data Entry: SLB Create Virtual Port panel
Protocol: dns-tcp
Port: 53
Service Group: (Drop Down): DNS-GROUP
6. Expand General Fields section
7. Data Entry: General Fields section
GSLB Enable: (checkbox) select
8. Click Create button Return to SLB Update Virtual Server panel
9. Click Update button Return to SLB Virtual Servers roster
GSLB Controllers and Devices (Scenario 3)
1. Select System >> Settings (primary menu) Open Access Control panel
2. Select DNS (secondary menu) Open Configure DNS panel
3. Data Entry: Open Configure DNS panel
Hostname: ACOS-3
Click Update DNS button
4. Click Update DNS button GUI displays success message
SLB Service Group configuration, required in step 4, is not featured in this example. Refer to the ADC
Configuration Guide.
1. Select ADC >> SLB (primary menu) Open SLB Virtual Server Roster
2. Select Virtual-Servers (secondary menu) Open SLB Virtual Servers roster
3. Click Create button Open SLB Create Virtual Server panel
4. Data Entry: SLB Create Virtual Server panel
Name: DNS3
IP Address: 10.30.0.53
Virtual Port section: Click Create button Opens SLB Create Virtual Port panel
5. Data Entry: SLB Create Virtual Port panel
Protocol: dns-tcp
Port: 53
Service Group: (Drop Down): DNS-GROUP
6. Expand General Fields section
7. Data Entry: General Fields section
GSLB Enable: (checkbox) select
8. Click Create button Return to SLB Update Virtual Server panel
9. Click Update button Return to SLB Virtual Servers roster
1. Select GSLB >> Global Opens GSLB Update Global (System) Panel
2. Select Protocol Opens GSLB Update Global (Protocol) panel
3. Data Entry: Update GSLB Global (Protocol) panel
Enable as GSLB controller: (checkbox) select
4. Click Update GSLB Global Protocol button
1. Select System >> Settings (primary menu) Open Access Control panel
2. Select DNS (secondary menu) Open Configure DNS panel
3. Data Entry: Open Configure DNS panel
Hostname: ACOS-31
Click Update DNS button
4. Click Update DNS button GUI displays success message
1. ADC >> SLB (primary menu) Open SLB Virtual Server roster
2. Select Servers (secondary menu) Open SLB Servers Roster
3. Click Create button Open Create Server panel
4. Data Entry: Create Server panel
Name: ACOS-31P
Host: 10.1.1.58
Port Section: Click Create button Open Update Port panel
5. Data Entry: Update Port panel
Port Number: 53
Protocol: TCP
Click Create button
1. Select GSLB >> Global Opens GSLB Update Global (System) Panel
2. Select Protocol Opens GSLB Update Global (Protocol) panel
1. Select System >> Settings (primary menu) Open Access Control panel
2. Select DNS (secondary menu) Open Configure DNS panel
3. Data Entry: Open Configure DNS panel
Hostname: ACOS-32
Click Update DNS button
4. Click Update DNS button GUI displays success message
SLB Service Group configuration, required in step 4, is not featured in this example. Refer to the ADC
Configuration Guide.
1. ADC >> SLB (primary menu) Open SLB Virtual Server roster
2. Select Servers (secondary menu) Open SLB Servers Roster
3. Click Create button Open Create Server panel
4. Data Entry: Create Server panel
Name: ACOS-32P
Host: 10.1.2.68
Port Section: Click Create button Open Update Port panel
5. Data Entry: Update Port panel
Port Number: 53
Protocol: TCP
Click Create button
Configuring GSLB Controller-Based Metrics
1. Select GSLB >> Global Opens GSLB Update Global (System) Panel
2. Select Protocol Opens GSLB Update Global (Protocol) panel
3. Data Entry: Update GSLB Global (Protocol) panel
Enable as site device: (checkbox) select
4. Click Update GSLB Global Protocol button
1. Select System >> Settings (primary menu) Open Access Control panel
2. Select DNS (secondary menu) Open Configure DNS panel
3. Data Entry: Open Configure DNS panel
Hostname: ACOS-1
IP Address: 10.10.1.58
Click Update DNS button
4. Click Update DNS button GUI displays success message
1. Select GSLB >> Global Opens GSLB Update Global (System) Panel
2. Select Protocol (secondary menu) Opens GSLB Update Global (Protocol) panel
3. Data Entry: Update GSLB Global (Protocol) panel
Enable as GSLB controller: (checkbox) select
4. Click Update GSLB Global Protocol button
GSLB CLI Command Reference
This chapter lists the CLI commands for Global Server Load Balancing (GSLB). The commands are organized
into the following sections:
• delete geo-location
• gslb active-rdt
• gslb geo-location
• gslb group
• gslb ip-list
• gslb policy
• gslb protocol
• gslb service-group
• gslb service-ip
• gslb site
• gslb zone
• import geo-location
Main Configuration Commands
delete geo-location
Description Delete or replace a custom geo-location database from the ACOS device.
Parameter Description
all Deletes all manually configured geo-locations from the configuration.
file-name Delete the specified geo-location from the configuration.
Default N/A
Usage This command is available only if you have already imported a geo-location
database file.
gslb active-rdt
Description Configure global aRDT settings.
track seconds
}
Parameter Description
domain domain-name Specifies the query domain. To measure the active-Round Delay Time (aRDT) for a client,
the site ACOS device sends queries for the domain name to a client’s local DNS. An aRDT
sample consists of the time between when the site ACOS device sends a query and when it
receives the response.
Only one aRDT domain can be configured. It is recommended to use a domain name that is
likely to be in the cache of each client’s local DNS.
The ACOS device averages multiple aRDT samples together to calculate the aRDT measurement
for a client. (See the description of track below.)
The default domain is google.com.
icmp Programs the device to use ICMP packets, instead of DNS requests, to calculate response
delay time.
interval seconds Specifies the number of seconds between queries. You can specify 1-16383 seconds.
The default interval is 1 second.
port portnum Specifies the port. You can specify ports 0-65535.
The default port is 0.
retry num Specifies the number of times GSLB will resend a query if there is no response. You can
specify 0-16.
The default is 3.
sleep seconds Specifies the number of seconds GSLB stops tracking aRDT data for a client after a query
fails. You can specify 1-300 seconds.
The default is 3 seconds.
timeout ms Specifies the number of milliseconds GSLB will wait for a reply before resending a query.
You can specify 1-16383 ms.
The default is 3000 ms.
track seconds Specifies the number of seconds during which the ACOS device collects samples for a client.
The samples collected during the track time are averaged together, and the averaged
value is used as the aRDT measurement for the client. You can specify 3-16383 seconds.
The default is 60 seconds.
The averaged aRDT measurement is used until it ages out. The aging time for averaged
aRDT measurements is 10 minutes by default and is configurable on individual sites, using
the active-rdt aging-time command in GSLB site configuration mode.
Parameter Description
drop Drops DNS queries that do not match any zone service.
ignore Ignores DNS queries that do not match any zone service.
none No action (default)
reject Rejects DNS queries that do not match any zone service, and returns
the “Refused” message in replies.
Parameter Description
both [template template-name] Log both the DNS query and response.
query [template template-name] Log only the DNS query.
response [template template-name] Log only the DNS response.
none Do not log any DNS messages.
gslb geo-location
Description Configure a global geographic location by assigning a location name to a client
IP address range. GSLB forwards client requests from addresses within the specified
IP address range to the GSLB site that serves the location.
Parameter Description
location-name Name of location. Use a period between string labels (ranges). Each range can contain up
to 15 alphanumeric characters. Entire name can contain up to 127 characters.
Example: Asia.japan.123456789.xyz
ACOS device can perform a partial match on geo-locations. Example: if IP 1.1.1.1 belongs
to “Asia.japan”, but only “Asia” is configured, the ACOS device still selects the proper site.
The command changes the CLI to the configuration level for the location, where
the following location-related commands are available:
Command Description
[no] ip start-ip-addr {mask ip-mask | end-ip-addr} Beginning IPv4 address for the range.
• mask ip-mask - Network mask
• end-ip-addr - Ending IP address of the range
[no] ipv6 start-ipv6-addr {mask ipv6-mask | end-ipv6-addr} Beginning IPv6 address for the range.
• mask ipv6-mask - Network mask
• end-ipv6-addr - Ending IP address of range
Default N/A
Usage Geographic location can be configured in a GSLB policy, which specifies using
either the globally configured geographic location or the policy-configured location.
(See “geo-location” on page 202 and “geo-location-match” on page 203.)
• If you manually map a geo-location to a GSLB site, GSLB uses the mapping.
• If no geo-location is configured for a GSLB site, GSLB automatically maps the
service-ip to a geo-location in the loaded geo-location database.
• If a service-ip cannot be mapped to a geo-location, GSLB maps the site
ACOS device to a geo-location.
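The range-to-location mapping and the partial match on location names described above can be worked through in Python. This is an added example, not ACOS code. The function names, the sample ranges, the site names, the choice of the narrowest containing range, and the label-by-label fallback used for the partial match are assumptions.

```python
import ipaddress
import re

_LABEL = re.compile(r"[A-Za-z0-9]{1,15}")


def validate_location_name(name):
    """Enforce the naming limits the guide states: period-separated labels of
    up to 15 alphanumeric characters, 127 characters for the whole name."""
    if not name or len(name) > 127:
        raise ValueError(f"location name length out of range: {name!r}")
    for label in name.split("."):
        if not _LABEL.fullmatch(label):
            raise ValueError(f"bad label {label!r} in {name!r}")
    return name


def make_range(location, start, mask=None, end=None):
    """Build (first, last, location) from start+mask or start+end, the two
    forms the ip / ipv6 commands accept."""
    validate_location_name(location)
    if (mask is None) == (end is None):
        raise ValueError("give exactly one of mask or end")
    if mask is not None:
        net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        first, last = net[0], net[-1]
    else:
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if first.version != last.version or first > last:
            raise ValueError(f"invalid range {start}-{end}")
    return first, last, location


def locate(ip, ranges):
    """Return the location of the narrowest range containing ip, else None.
    Preferring the narrowest range is an assumption of this example."""
    addr = ipaddress.ip_address(ip)
    hits = [(int(last) - int(first), loc) for first, last, loc in ranges
            if first.version == addr.version and first <= addr <= last]
    return min(hits)[1] if hits else None


def site_for(location, site_locations):
    """Partial match: drop trailing labels until a configured location is
    found, so "Asia.japan" falls back to "Asia"."""
    labels = location.split(".")
    while labels:
        candidate = ".".join(labels)
        if candidate in site_locations:
            return site_locations[candidate]
        labels.pop()
    return None


def conflicts(ranges):
    """Audit helper: overlapping ranges whose location names are unrelated
    (neither is a label-wise prefix of the other)."""
    def related(a, b):
        return a == b or a.startswith(b + ".") or b.startswith(a + ".")
    found = []
    for i, (f1, l1, loc1) in enumerate(ranges):
        for f2, l2, loc2 in ranges[i + 1:]:
            if (f1.version == f2.version and f1 <= l2 and f2 <= l1
                    and not related(loc1, loc2)):
                found.append((loc1, loc2))
    return found


# Constructed sample data; only 1.1.1.1 in "Asia.japan" comes from the guide.
RANGES = [
    make_range("Asia.japan", "1.1.1.0", mask="255.255.255.0"),
    make_range("Asia", "1.1.0.0", end="1.1.255.255"),
    make_range("Europe.de", "2001:db8::", mask=32),
]
SITES = {"Asia": "site-tokyo", "Europe": "site-frankfurt"}  # hypothetical sites


def resolve(ip):
    """Return (location, site) for a client address."""
    loc = locate(ip, RANGES)
    return loc, (site_for(loc, SITES) if loc else None)


if __name__ == "__main__":
    for client in ("1.1.1.1", "1.1.200.9", "2001:db8::53", "203.0.113.5"):
        print(client, resolve(client))
```

The `conflicts` helper is useful when auditing a custom geo-location database: two unrelated locations claiming the same addresses make steering decisions depend on lookup order.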
gslb group
Description Configure GSLB group settings. GSLB controllers within a GSLB group automatically
synchronize GSLB configuration information and data.
The command changes the CLI to the configuration level for the group, where
the following group-related commands are available:
Other available commands are common to all CLI configuration levels. See the
CLI Reference.
Command Description
[no] auto-map [option] Automatically creates IP-to-name mappings for resources within the zone. The option
can be one of the following:
• data-interface
• learn
• mgmt-interface
• primary
• smart
This is disabled by default.
This option is applicable only to GSLB zones that use wildcard service names.
[no] config-anywhere Allows GSLB to be configured on any group member, without restricting the changes
to the master controller.
This is disabled by default.
[no] config-merge If this option is used and the current GSLB controller has the highest priority of all
group members, then this current controller will attempt to retrieve the config file
from the master GSLB controller before assuming control.
This is disabled by default.
[no] config-save Enables automatic configuration save on this GSLB group member when the
configuration is saved on the group master.
This is enabled by default.
[no] dns-discover Discover member via DNS protocol. When this option is used, you do not need to
configure a primary IP address, because GSLB will send a DNS query (based on the
group name) to discover other group members.
For example, if group name is “group.example.com” then GSLB will send the DNS discover
query with domain name “group.example.com”.
This is disabled by default.
Command Description
[no] enable Activates the ACOS device’s membership in the GSLB controller group.
This is disabled by default.
[no] learn Enables the ACOS device to learn the IP addresses of other group members from the
group’s primary controllers.
This is enabled by default.
[no] primary ipaddr Specifies the IP address of another group member, to be a primary member. After the
GSLB process starts on an ACOS device, the device joins the controller group by
connecting to the primary group members to exchange group management traffic.
You can specify up to 15 primary members. Enter the command separately for each
member.
This is not set by default.
[no] priority num Specifies the priority of the ACOS device to become the master for the group. You can
specify 1-255.
The default is 100.
[no] standalone Run GSLB Group in standalone mode.
This is disabled by default.
[no] suffix name This option allows you to configure the DNS suffix that will be used for dns-discovery.
You can specify the suffix (or name) that GSLB will append to the domain name when
sending the dns-discover query. For example, if the group name is “group” and the
suffix is “example.com”, then the concatenated strings are sent in the DNS discovery
query as “group.example.com”.
This is not set by default.
Mode Except for the gslb keyword in front of the command, the syntax is the same as
the health monitor command at the global configuration level for the CLI. For
information about the options, see the CLI Reference.
gslb ip-list
Description Configure a list of IP addresses and group IDs to use as input to other GSLB
commands.
The command changes the CLI to the configuration level for the list, where the
following IP-list-related commands are available:
(The other commands are common to all CLI configuration levels. See the CLI
Reference.)
Parameter Description
[no] ip ipaddr [subnet-mask | /mask-length] id group-id Creates an IP entry in the list. Based on the
subnet mask or mask length, the entry can be a host address or a subnet address. The id option adds
the entry to a group. The group-id can be 0-31.
[no] load bwlist-name Loads the entries from a black/white list into the IP list.
Default None
Example The following commands configure a GSLB IP list and use the list to exclude IP
addresses from aRDT data collection:
gslb policy
Description Configure a GSLB policy.
Parameter Description
default The default GSLB policy included in the software.
policy-name Name of the policy, up to 63 alphanumeric characters.
This command changes the CLI to the configuration level for the specified GSLB
policy. For information about the commands available at the GSLB policy level,
see “Policy Configuration Commands” on page 161.
Default N/A
gslb protocol
Description Enable the GSLB protocol or set protocol options.
Parameter Description
auto-detect Enables auto-detection.
This is disabled by default.
enable {controller | device} Enables the GSLB protocol:
• controller – Use this option on the ACOS device on which GSLB is configured.
• device – Use this option on the ACOS devices that are SLB devices at the GSLB sites.
limit option See “gslb protocol limit” on page 141.
Parameter Description
ping [site | ip-addr] Test GSLB connectivity from the GSLB ACOS device to a site ACOS device.
• site - GSLB site name of the site ACOS device.
• ip-addr - The IP address of the site ACOS device.
status-interval seconds Changes the number of seconds between GSLB status messages. You can specify
1-1800 seconds.
The default is 30 seconds.
use-mgmt-port Use the management route table instead of the data route table.
This is disabled by default.
NOTE: For the limit options, see “gslb protocol limit” on page 141.
Usage The GSLB protocol uses port 4149 and is registered on this port for both TCP and
UDP.
ACOS devices use the GSLB protocol for GSLB management traffic. The protocol
must be enabled on the GSLB controller, and it is recommended (but not
required) that you enable the protocol on the site ACOS devices.
The following GSLB policy metrics require the protocol to be enabled on both
the site ACOS devices as well as the GSLB controller:
• Session-Capacity
• aRDT
• Connection-Load
• Num-Session
The GSLB protocol is also required for the Health-Check metric, if the default
health checks are used. If you modify the health checks, the GSLB protocol is not
required.
Example The following command enables the GSLB protocol on a GSLB device:
Example The following command enables the GSLB protocol on a site device:
Parameter Description
ardt-query Limits the number of aRDT Query messages (0-1000000).
The default is 200 query messages.
ardt-response Limits the number of aRDT Response Messages (0-1000000).
The default is 1000 response messages.
ardt-session Limits the number of aRDT sessions (0-1000000).
The default is 32768 sessions.
conn-response Limits the number of Connection Load Response Messages (0-1000000).
By default no limit is set.
message Limits the number of messages (0-1000000).
The default is 10000 (ten thousand) messages.
response Limits the number of Response Messages (0-1000000).
The default is 3600 response messages.
gslb service-group
Description Configure an FQDN group.
This command creates the group and changes the CLI to the configuration level
for it. At this level, the following commands are available:
Parameter Description
[no] dependency site All services become unavailable on the site when one service
goes down. Facilitates traffic redirection to a site that can maintain
persistence for all services. Default setting is disabled.
Only valid when persistent site is enabled.
[no] disable Disables all FQDN members.
[no] disable-site site-name Disables the given site name in the service-group.
[no] persistent site [AGE][V4][V6] Enables site persistence for the configuration mode service
group. Parameter options include:
• AGE – Specifies enforcement period. Valid options include:
• <no parameter> – default period of five minutes.
• aging-time <1-65535> – specifies period (minutes)
• V4 – Specifies IPv4 mask. Valid formats include:
• <no parameter> – IPv4 mask of /32.
• /nn – specifies IPv4 mask length
• A.B.C.D – must specify valid IPv4 mask
• V6 – Specifies IPv6 mask length. Valid formats include:
• <no parameter> – default IPv6 mask of 128.
• ipv6-mask <1-128> – specifies IPv6 mask length
[no] member service-name.zone-name Adds the specified service, in FQDN format.
Example These commands 1) create an FQDN; 2) create an FQDN group called “example-group”;
and 3) add the FQDN for GSLB services to the group:
gslb service-ip
Description Configure a service IP, which can be a virtual server’s or real server’s IP address.
Parameter Description
service-name Name of the service, up to 63 alphanumeric characters.
ipaddr IP address of the virtual server or real server. You can specify an IPv4 or IPv6 address.
(If you are changing the configuration of a GSLB service that is already configured,
this parameter is not required.)
This command changes the CLI to the configuration level for the specified
service, where the following GSLB-related commands are available:
Command Description
disable Disables GSLB for the service IP address.
enable Enables GSLB for the service IP address.
[no] external-ip ipaddr Assigns an external IP address to the service IP. The external IP
address allows a service IP that has an internal IP address to be
reached from outside the internal network.
[no] health-check monitor-name Configures service IP monitoring. If you enter the command with no
options, the default Layer 3 health monitor (ICMP ping) is used.
• monitor-name – The service is checked using the specified Layer
3, 4 or 7 health monitor.
[no] health-check-disable Disables the health-check monitor.
[no] health-check-protocol-disable Disables the GSLB protocol health monitor.
[no] ipv6 ipv6-addr Maps the specified IPv6 address to an IPv4 service IP. This option
also requires IPv6 DNS AAAA support to be enabled in the GSLB
policy. (See the ipv6-mapping option in “DNS IPv6” on page 77.)
[no] port num {tcp | udp} Adds service port to service IP. Changes CLI to configuration level
for specified service port, where these commands are available:
• disable – Disables GSLB for service port.
• enable – Enables GSLB for service port.
• [no] health-check [monitor-name] – Enables health monitoring
for the service port. If you do not specify a health monitor,
the default health monitor is used. (See “Usage” below.)
• [no] health-check-disable – Enables or disables health
monitoring for service port.
• [no] health-check-follow-port – Specify the port to follow
for health status. The port cannot follow itself or use port 0.
• [no] health-check-protocol-disable – Disable the GSLB
protocol health monitor for the port.
Default No services are configured by default. When you configure a service, the service
is enabled by default, and the default port is 80. The default health monitor for a
service is the default Layer 3 health monitor (ICMP ping). The default health
monitor for a service port is the default TCP or UDP monitor, depending on the
transport protocol. (For more on health checking, see “Usage” below.)
Usage If you leave the health monitor for a service at its default setting (the default
ICMP ping health check), health checks are performed within the GSLB protocol.
If you use a custom health monitor, or explicitly apply the default Layer 3 health
monitor to the service, the GSLB protocol is not used for any of the health checks.
If you use a custom health monitor for a service port, the port number specified
in the service configuration is used instead of the port number specified in the
health monitor configuration.
The following policy metric options are not supported for IPv6 service IPs:
• active-rdt
• ip-list
• dns external-ip
• dns ipv6 mapping
• geo-location
Example The following example creates a GSLB service IP address named “gslb-srvc2” with
IP address 192.160.20.99:
gslb site
Description Configure a GSLB site.
Replace site-name with the name for the site (1-63 characters).
This command changes the CLI to the configuration level for the specified site,
where the following site-related commands are available:
Command Description
[no] active-rdt option Configures options for the aRDT metric:
• aging-time minutes – Specifies the maximum amount of time a stored aRDT
result can be used. You can specify 1-15360 minutes. The default is 10 minutes.
(“No” form of command is not available).
• bind-geoloc – Stores the aRDT measurements on a per geo-location basis. With-
out this option, the measurements are stored on a per site-SLB device basis.
• ignore-count num – Specifies the ignore count if aRDT is out of range. You can
specify 1-15. The default is 5.
• limit num – Specifies the maximum aRDT allowed for the site. If the aRDT mea-
surement for a site exceeds the configured limit, GSLB does not eliminate the site.
Instead, GSLB moves to the next metric in the policy. You can specify 1-16383 milli-
seconds (ms). The default is 16383. (“No” form of command is not available).
• mask {/mask-length | mask-ipaddr} – Specifies the IPv4 client subnet mask
length. The default mask length is 32. (“No” form of command is not available).
• range-factor num – Specifies the maximum percentage a new aRDT measure-
ment can differ from the previous measurement. If the new measurement differs
from the previous measurement by more than the allowed percentage, the new
measurement is discarded and the previous measurement is used again.
For example, if the range-factor is set to 25 (the default), a new measurement that
has a value from 75% to 125% of the previous value can be used. Measurements that are
less than 75% or more than 125% of the previous measurement cannot be used.
You can specify 0-1000. The default is 25.
• smooth-factor num – Blends the new measurement with the previous one, to
smooth the measurements.
For example, if the smooth-factor is set to 10 (the default), 10% of the new mea-
surement is used, along with 90% of the previous measurement. Similarly, if the
smooth-factor is set to 50, 50% of the new measurement is used, along with 50%
of the previous measurement.
You can specify 1-100. The default is 10. (“No” form of command is not available).
(For information about the aRDT metric, see “active-rdt” on page 163.)
[no] auto-map Enables DNS auto-mapping for site resources.
[no] bw-cost options Configures options for the BW-Cost metric:
• limit num – Specifies the maximum amount the SNMP object queried by the
GSLB ACOS device can increase since the previous query, in order for the site to
remain eligible for selection. You can specify 0-2147483647. There is no default.
If a site becomes ineligible due to being over the limit, the percentage parameter is
used. In order to become eligible for selection again, the site’s limit value must not
exceed
limit*threshold-percentage.
[no] slb-dev device-name [ip-addr] Specifies the device that provides SLB for the site. The IP address must be reachable
by the GSLB controller when GSLB protocol is enabled. This command changes the
CLI to the slb-dev configuration level where the following commands are available:
• admin-preference num – Assigns a preference value to the SLB device. If the
Admin-Preference metric is enabled in the policy and all metrics before this one
result in a tie, the SLB device with the highest Admin-Preference value is preferred.
You can specify from 0 – 255. The default is 100.
• auto-detect {ip | port | ip-and-port | disabled} – Enables DNS auto
detect at service IP level, port level, or both. You can also disable auto-detect.
• [no] auto-map – Enables DNS auto-mapping for this site.
• [no] gateway ipaddr – Specifies the gateway the SLB device will use to reach
the GSLB local DNS for collecting aRDT measurements.
• gateway health-check – Enables gateway health checking. A gateway health
check is a Layer 3 health check (ping) sent to the gateway router for an SLB site.
This option is enabled by default.
• gateway health-check-disable – Disables gateway health checking. Gateway
health check is enabled by default.
• max-client num – Specifies the maximum number of clients for which the GSLB
ACOS device (controller) saves data such as aRDT measurements for each of the
clients. You can specify 1-2147483647. The default is 32768.
• [no] proto-aging-fast – This option enables a quick refresh of data sent from
a site ACOS device to the ACOS controller by “aging out” data from a site ACOS
device. This can be used to obtain fresh health status information from a site
ACOS. For example, when a virtual server is deleted from a site-ACOS device, but
this information could not be sent to the ACOS controller, then the status in the
controller will continue to appear as "UP" for a long time until it is aged out. The
"proto-aging-fast" command forces the GSLB controller to start aging the health
status immediately after receiving updated information from a site ACOS.
• proto-aging-time seconds – If communication between a site ACOS device
and the GSLB controller is interrupted, then the data for that site will become stale.
The GSLB controller can continue to rely upon this old information, but after some
time, the old data for the site must be purged. The lifespan of this old data is the
sum of the time set using the gslb protocol status-interval command, plus the
time you set using this proto-aging-time option. The default value is 60 seconds.
You can specify from 1 to 65535 seconds.
• [no] proto-compatible – Enables GSLB protocol compatibility between a con-
troller running 2.6.1 or later and a site ACOS device running 2.4.x. This option is
disabled by default.
• [no] vip-server {name | ipaddr} – Maps this SLB site to a globally config-
ured GSLB service IP address. If you use the name option, the name must be the
name of a configured service IP. (To configure the service IP, use the gslb service-ip
command. See “gslb service-ip” on page 143.)
[no] template template-name Binds a template to the site. To use the BW-Cost metric, use this option to bind a
GSLB SNMP template to the site.
[no] weight num Assigns a weight to the site. If the Weighted-Site metric is enabled in the policy and
all metrics before Weighted-Site result in a tie, the site with the highest weight is pre-
ferred. The weight can be from 1 – 100. The default is 1.
Example The following example creates a site named “NY-site” and adds SLB ACOS device
“site-acos-1” with IP address 10.10.10.10 to the site:
Default 10 seconds
Parameter Description
resource-type Enables DNS auto-mapping for the specified resource type. When auto-mapping is enabled,
ACOS can respond to DNS queries for resources of the specified type that are within the GSLB
zone. The resource-type option can be one of the following:
• gslb-group – Enables auto-mapping for GSLB groups.
• gslb-service-ip – Enables auto-mapping for service-IPs.
• gslb-site – Enables auto-mapping for GSLB sites.
• hostname – Enables auto-mapping for the ACOS device hostname.
• slb-device – Enables auto-mapping for SLB devices.
• slb-server – Enables auto-mapping for real server names.
• slb-virtual-server – Enables auto-mapping for virtual server names.
Default Disabled
Replace seconds with the maximum number of seconds for which an A or AAAA
record created by auto-mapping is valid. You can specify 1-65535 seconds.
Parameter Description
iana Loads the Internet Assigned Numbers Authority (IANA) database. The IANA
database contains the geographic locations of the IP address ranges and
subnets assigned by the IANA. The IANA database is included in the ACOS
system software. The IANA geo-location database is loaded by default.
file-name csv-template-name Loads a custom database. You can load a custom geo-location database
from a file in comma-separated-values (CSV) format. This option requires
configuration of a CSV template on the ACOS device. When you load the
CSV file, the data is formatted based on the template. (To configure a CSV
template, see “gslb template csv” on page 150.)
Usage You can load more than one database. The geo-location match command
determines the IP address used when databases contain overlapping addresses.
Example The following command loads geo-location data from a CSV file:
Default 0
Usage This option applies only to DNS server mode. The option does not apply to DNS
proxy mode.
The TTL value is used in all replies, regardless of the client’s original TTL.
Replace seconds with the desired startup delay interval (0-16384 seconds).
This command changes the CLI to the configuration level for the specified
template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See the CLI
Reference.)
Parameter Description
[no] delimiter {character | ASCII-code} Specifies the character used in the file to delimit fields. You can type the
character or enter its decimal ASCII code (0-255).
[no] field num type-of-data The num option specifies the field position within the CSV file. You can specify
from 1-64. The following options specify the type of geo-location that is
located in the field position:
• ip-from – Specifies beginning IP address in range or subnet.
• ip-to-mask – Specifies ending IP address in range or subnet mask.
• continent – Specifies continent location of IP address range or subnet.
• country – Specifies country location of IP address range or subnet.
• state – Specifies state location of IP address range or subnet.
• city – Specifies city location of IP address range or subnet.
[no] ipv6-enable Supports IPv6 IP ranges.
Default There is no default CSV template. When you configure one, the field locations are
not set. The default delimiter character is a comma ( , ).
Usage To load a geo-location data file and use the CSV template to extract the data, see
“gslb system geo-location load” on page 149.
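How a CSV template of this kind maps field positions to geo-location data, as an added example (not A10 code): the Python sketch below applies a template (delimiter plus field positions) to constructed IPv4 rows, rejects malformed rows, and reports overlapping ranges before a file is loaded. Treating an ip-to-mask value as a subnet mask when its bits form a valid netmask, and as an ending address otherwise, is an assumption of this example, as is requiring both range fields.

```python
import csv
import io
import ipaddress

# Field types listed in the CSV template table above.
FIELD_TYPES = ("ip-from", "ip-to-mask", "continent", "country", "state", "city")


def make_template(fields, delimiter=","):
    """fields maps a 1-based field position (1-64) to one of FIELD_TYPES."""
    for position, kind in fields.items():
        if not 1 <= position <= 64:
            raise ValueError(f"field position {position} is outside 1-64")
        if kind not in FIELD_TYPES:
            raise ValueError(f"unknown field type {kind!r}")
    # Requirement of this example: a row is unusable without both range fields.
    for needed in ("ip-from", "ip-to-mask"):
        if needed not in fields.values():
            raise ValueError(f"template defines no {needed} field")
    return {"delimiter": delimiter, "fields": dict(fields)}


def to_range(ip_from, ip_to_mask):
    """Return (first, last) as integers for one IPv4 row.

    Assumption of this example: a value whose bits are contiguous ones followed
    by zeros is a subnet mask; any other address is the end of the range.
    """
    first = int(ipaddress.IPv4Address(ip_from))
    value = int(ipaddress.IPv4Address(ip_to_mask))
    host_bits = value ^ 0xFFFFFFFF
    if (host_bits & (host_bits + 1)) == 0:      # valid netmask
        first &= value
        return first, first | host_bits
    return first, value


def parse_rows(template, text):
    """Apply the template to CSV text. Returns (entries, errors); rows that
    fail validation are reported by line number and left out of entries."""
    entries, errors = [], []
    reader = csv.reader(io.StringIO(text), delimiter=template["delimiter"])
    for cols in reader:
        if not cols:
            continue
        try:
            row = {kind: cols[pos - 1].strip()
                   for pos, kind in template["fields"].items()}
            first, last = to_range(row["ip-from"], row["ip-to-mask"])
            if last < first:
                raise ValueError("range ends before it starts")
        except (IndexError, ValueError) as exc:
            errors.append((reader.line_num, str(exc)))
            continue
        place = tuple(row[k] for k in FIELD_TYPES[2:] if row.get(k))
        entries.append({"line": reader.line_num, "first": first,
                        "last": last, "location": place})
    return entries, errors


def find_overlaps(entries):
    """Return (line_a, line_b) pairs whose address ranges overlap."""
    overlaps = []
    ordered = sorted(entries, key=lambda e: (e["first"], e["last"]))
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b["first"] > a["last"]:
                break
            overlaps.append((a["line"], b["line"]))
    return overlaps


# Constructed sample: semicolon-delimited, six fields per row.
TEMPLATE = make_template({1: "ip-from", 2: "ip-to-mask", 3: "continent",
                          4: "country", 5: "state", 6: "city"}, delimiter=";")
SAMPLE_CSV = """\
10.0.0.0;255.255.255.0;NA;US;CA;San Jose
10.0.1.0;10.0.1.127;NA;US;NY;New York
10.0.0.128;10.0.0.200;EU;DE;BE;Berlin
10.0.2.0;not-an-ip;AS;JP;13;Tokyo
10.0.3.0;10.0.2.0;AS;JP;13;Tokyo
"""

if __name__ == "__main__":
    good, bad = parse_rows(TEMPLATE, SAMPLE_CSV)
    for line, reason in bad:
        print(f"line {line}: rejected ({reason})")
    for a, b in find_overlaps(good):
        print(f"lines {a} and {b} overlap")
```
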
This command changes the CLI to the configuration level for the specified
template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See the CLI Reference.)
Parameter Description
[no] auth-key string Specifies the authentication key. The key string can be 1-127 characters
long. This command is applicable if the security level is auth-no-priv or
auth-priv.
[no] auth-proto {sha | md5} Specifies the authentication protocol. This command is applicable if the
security level is auth-no-priv or auth-priv.
[no] community community-string For SNMPv1 or v2c, specifies the community string required for authentication.
[no] context-engine-id id Specifies the ID of the SNMPv3 protocol engine running on the site ACOS
device.
[no] context-name id Specifies an SNMPv3 collection of management information objects acces-
sible by an SNMP entity.
[no] host {name | ipaddr} Specifies the IP address of the site ACOS device.
[no] interface id Specifies the SNMP interface ID. You can specify 0-2147483647.
[no] interval seconds Specifies the amount of time between each SNMP GET to the site ACOS
devices. You can specify 1-999 seconds. The default is 3.
[no] oid oid-value Specifies the interface MIB object to query on the site ACOS device.
If the object is part of a table, make sure to append the table index to the
end of the OID. Otherwise, the ACOS device will return an error.
[no] port portnum Specifies the protocol port on which the site ACOS devices listen for the
SNMP requests from the GSLB ACOS device. You can specify 1-65535. The
default is 161.
[no] priv-key string Specifies the encryption key. The key string can be 1-127 characters long.
This command is applicable only if the security level is auth-priv.
[no] priv-proto {aes | des} Specifies the privacy protocol used for encryption. This command is appli-
cable only if the security level is auth-priv.
[no] security-engine-id id Specifies the ID of the SNMPv3 security engine running on the site ACOS
device. For each command, the ID is a string 1-127 characters long.
[no] security-level {no-auth | auth-no-priv | auth-priv} Specifies the SNMPv3 security level:
• no-auth – Authentication is not used and encryption (privacy) is not
used. This is the default.
• auth-no-priv – Authentication is used but encryption is not used.
• auth-priv – Both authentication and encryption are used.
[no] username name Specifies the SNMPv3 username required for access to the SNMP agent on
the site ACOS device.
[no] version {v1 | v2c | v3} Specifies the SNMP version running on the site ACOS device.
Usage The community command applies only to SNMPv1 or v2c. Most of the other commands,
with the exception of the version, interval, port, and interface commands,
apply to SNMPv3.
You cannot delete an SNMP template if the template is in use by a site. To delete
a template, first remove it from all site configurations that are using it.
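One way to check template settings against the applicability rules in the table and Usage text above, as an added example (not A10 code or output). The sample templates are constructed; the severity labels and finding codes are this example's own, and the weak-setting flags reflect general SNMP practice rather than anything this guide states.

```python
# Settings that exist only in SNMPv3 (USM users, engine IDs, contexts).
V3_ONLY = ("auth-key", "auth-proto", "priv-key", "priv-proto", "username",
           "security-level", "context-engine-id", "context-name",
           "security-engine-id")
RANGES = {"interval": (1, 999), "port": (1, 65535)}  # ranges from the table


def parse_template(text):
    """Return {command: argument} for template-level lines; 'no' removes one."""
    settings = {}
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "no" and len(words) > 1:
            settings.pop(words[1], None)
        else:
            settings[words[0]] = " ".join(words[1:])
    return settings


def audit(settings):
    """Return a list of (severity, code, message) findings."""
    findings = []

    def add(severity, code, message):
        findings.append((severity, code, message))

    version = settings.get("version")
    # The table gives no-auth as the default SNMPv3 security level.
    level = settings.get("security-level", "no-auth")

    for name, (low, high) in RANGES.items():
        value = settings.get(name)
        if value is not None and not (value.isdigit() and low <= int(value) <= high):
            add("INFO", f"range:{name}", f"{name} must be {low}-{high}")
    for name in ("auth-key", "priv-key"):
        if name in settings and not 1 <= len(settings[name]) <= 127:
            add("INFO", f"range:{name}", f"{name} must be 1-127 characters")

    if version in ("v1", "v2c"):
        add("HIGH", "cleartext-community",
            f"{version} sends the community string, its only credential, in cleartext")
        if settings.get("community", "").lower() in ("public", "private"):
            add("HIGH", "default-community", "well-known community string")
        for name in V3_ONLY:
            if name in settings:
                add("INFO", f"not-applicable:{name}", f"{name} applies to SNMPv3 only")
    elif version == "v3":
        if "community" in settings:
            add("INFO", "not-applicable:community", "community applies to SNMPv1/v2c only")
        if level == "no-auth":
            add("HIGH", "no-auth", "no-auth: polls are neither authenticated nor encrypted")
        elif level == "auth-no-priv":
            add("MEDIUM", "no-priv", "auth-no-priv: polls are authenticated but not encrypted")
        elif level != "auth-priv":
            add("HIGH", "unknown-level", f"unrecognized security-level {level!r}")
        active = {"auth": level in ("auth-no-priv", "auth-priv"),
                  "priv": level == "auth-priv"}
        for group, in_use in active.items():
            key, proto = f"{group}-key", f"{group}-proto"
            if in_use and key not in settings:
                add("HIGH", f"missing:{key}", f"{level} needs {key}")
            for name in (key, proto):
                if not in_use and name in settings:
                    add("INFO", f"not-applicable:{name}", f"{name} does not apply at {level}")
        if active["auth"] and settings.get("auth-proto") == "md5":
            add("MEDIUM", "weak-auth-proto", "md5 is a legacy algorithm; sha is also offered")
        if active["priv"] and settings.get("priv-proto") == "des":
            add("MEDIUM", "weak-priv-proto", "des is a legacy cipher; aes is also offered")
    else:
        add("INFO", "version-unset", "version is not v1, v2c or v3")
    return findings


def finding_codes(text):
    """Convenience wrapper: parse template text and return only the codes."""
    return [code for _, code, _ in audit(parse_template(text))]


# Constructed sample templates (template-level commands only).
SAMPLE_V2C = "version v2c\nhost 192.168.100.10\ncommunity public\ninterval 5"
SAMPLE_V3_WEAK = ("version v3\nhost 192.168.100.10\nusername gslb-poll\n"
                  "security-level auth-no-priv\nauth-proto md5\n"
                  "auth-key ExampleAuthKey1\npriv-proto des\npriv-key ExamplePrivKey1")
SAMPLE_V3_GOOD = ("version v3\nhost 192.168.100.10\nusername gslb-poll\n"
                  "security-level auth-priv\nauth-proto sha\n"
                  "auth-key ExampleAuthKey1\npriv-proto aes\n"
                  "priv-key ExamplePrivKey1\nport 161")

if __name__ == "__main__":
    for label, text in (("v2c", SAMPLE_V2C), ("v3 weak", SAMPLE_V3_WEAK),
                        ("v3 good", SAMPLE_V3_GOOD)):
        print(label, audit(parse_template(text)) or "no findings")
```
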
Example The following commands configure a GSLB SNMP template for SNMPv2c:
Example The following commands configure a GSLB SNMP template for SNMPv3. In this
example, authentication and encryption are both used.
gslb zone
Description Configure a GSLB zone, which identifies the top-level name for the services load
balanced by GSLB.
You can use lower case characters and upper case characters. However, since
Internet domain names are case-insensitive, the ACOS device internally converts
all upper case characters in GSLB zone names to lower case.
This command changes the CLI to the configuration level for the specified zone,
where the following zone-related commands are available:
Command Description
[no] disable Disables all services in the GSLB zone.
[no] dns-mx-record name priority [ttl num] Configures a DNS Mail Exchange (MX) record for the zone. The name is the
fully-qualified domain name of the mail server for the zone.
If more than one MX record is configured for the same zone, the priority specifies
the order in which the mail server should attempt to deliver mail to the MX hosts.
The MX with the lowest priority value has the highest priority and is tried first. The
priority can be 0-65535. There is no default.
MX records configured on a zone are used only for services on which MX records
are not configured.
NOTES:
If you want the GSLB ACOS device to return the IP address of the mail service in
response to MX requests, you must configure Address records for the mail service.
Optionally, you can configure the Time-to-Live in seconds. The range is from 0-
2147483647 seconds.
[no] dns-ns-record domain-name [ttl num] Configures a DNS name server record for the specified domain.
Optionally, you can configure the Time-to-Live in seconds. The range is from 0-
2147483647 seconds.
[no] dns-soa-record [external] dns-server-name mailbox-name [expire seconds] [refresh seconds]
[retry seconds] [serial num] [ttl seconds] Configures a DNS start of authority (SOA) record for the GSLB zone.
• external - causes the ACOS device to replace the internal SOA record with an
external SOA record when a request is received from an external client. This prevents
external clients from gaining access to internal information. The feature
must also be enabled in the GSLB policy.
• refresh - specifies the number of seconds other DNS servers wait before
requesting updated information for the GSLB zone. The retry option specifies
how many seconds other DNS servers wait before resending a refresh request, if
GSLB does not respond to the previous request. The expire option specifies
how many seconds GSLB can remain unresponsive to a refresh request before
the other DNS server stops responding to queries for the zone.
• serial - specifies the initial serial number of the SOA record. This number is
automatically incremented each time a change occurs to any records in the
zone file. You can specify a serial number from 0-2147483647. The default is
based on the current system time on the GSLB ACOS device when you create
the SOA record.
• ttl - specifies the number of seconds GSLB will cache and reuse negative
replies (NXDOMAIN messages). A negative reply is an error message indicating
that a requested domain does not exist.
NOTES:
The ttl option is equivalent to the “minimum” option in BIND 9.
[no] policy policy-name Applies the specified GSLB policy to the zone. You can specify “default” for the
GSLB policy name, if you have not configured another policy and applied it to the
zone. The GSLB policy applied to the zone is also applied to the services in that
zone.
[no] service port [service-name] Adds a service to the zone. The port option specifies the service port and can be a
port number from 0 to 65534. The service-name can be 1-63 alphanumeric characters
or * (wildcard character matching on all service names).
For the same reason described for zone names, the ACOS device converts all upper
case characters in GSLB service names to lower case.
This command changes the CLI to the configuration level for the service, where
the following GSLB-related commands are available:
• action action-type – Specifies the action to perform for DNS traffic:
• drop – Drops DNS queries from the local DNS server.
• forward {both | query | response} – Forwards requests or queries, as
follows:
  • forward both – Forwards queries to the Authoritative DNS server, and forwards
  responses to the local DNS server.
  • forward query – Forwards queries to the Authoritative DNS server, but
  does not forward responses to the local DNS server.
  • forward response – Forwards responses to the local DNS server, but does
  not forward queries to the Authoritative DNS server.
• ignore – Ignores the request.
• reject – Rejects DNS queries from the local DNS server and returns the
“Refused” message in replies.
NOTE: Use of the actions configured for services also must be enabled in the GSLB
policy, using the dns action command at the configuration level for the policy.
See “DNS Action” on page 66.
• disable – Disables all services in the GSLB zone.
• dns-a-record {service-name | ip service-ipaddr}
{as-backup | as-replace | no-resp | static | ttl num |
weight num} – Configures a DNS Address (A) record for the service, for use
with the DNS replace-ip option in the GSLB policy. (See “DNS IP-Replace” on
page 77.)
  • as-backup – This option is used to specify the backup servers in the
  dns-a-record within the GSLB zone. These are the servers that will be returned to
  the client if the primary servers fail and backup server mode is enabled.
  • as-replace – This option is used with the ip-replace option in the policy.
  When both options are set (as-replace here and ip-replace in the policy),
  the client receives only the IP address set here by service-ip.
  • disable – Disables DNS records for this service in the zone.
  • no-resp – Prevents the IP address for this site from being included in DNS
  replies to clients.
  • static – This option is used with the dns server option in the policy.
  When both options are set (static here and dns server in the policy),
  the GSLB ACOS device acts as the DNS server for the IP address set here by
  service-ip.
  • ttl num – Assigns a TTL to the service, 0-2147483647. By default, the TTL of
  the zone is used. This option can be used with the dns server option in
  the policy, or with DNS proxy mode enabled in the policy. The default TTL is
  0 seconds.
  • weight num – Assigns a weight to the service. If the Weighted-IP metric is
  enabled in the policy and all metrics before Weighted-IP result in a tie, the
  service on the site with the highest weight is selected. The weight can be
  1-100. By default, the weight is not set.
NOTE: The no-resp option is not valid with the static or as-replace option. If
you use no-resp, you cannot use static or as-replace.
• dns-cname-record alias [alias ...] [as-backup]
[admin-preference num] [weight num] – Configures DNS Canonical
Name (CNAME) records for the service.
  • as-backup – Specifies that the record is a backup record.
  • admin-preference num – Specify the administrative preference. If using
  the Alias Admin Preference metric, then the DNS CNAME record with the
  highest administratively set preference is selected. Default is 100.
  • weight num – Specify the weight. If using the Weighted Alias metric, then
  the DNS CNAME record with the highest weight is selected. Default is 1.
• dns-mx-record name priority [ttl num] – Configures a DNS Mail
Exchange (MX) record for the service. The name is the fully-qualified domain
name of the mail server for the service. If more than one MX record is configured
for the same service, the priority specifies the order in which the mail
server should attempt to deliver mail to the MX hosts. The MX record with the
lowest priority number has the highest priority and is tried first. The priority
can be 0-65535. There is no default. The default TTL is 0 seconds.
NOTE: If you want the GSLB ACOS device to return the IP address of the mail service
in response to MX requests, you must configure A records for the mail service.
• dns-ns-record domain-name [ttl num] – Configures a DNS name
server record. To use the as-backup option, you also must use the dns
backup-alias command in the policy. (See “DNS Backup Alias” on page 69.)
The default TTL is 0 seconds.
• dns-ptr-record domain-name [ttl num] – Configures a DNS pointer
record. The default TTL is 0 seconds.
• dns-srv-record domain-name port portnum priority
[weight num] [ttl num] – Configures a DNS service record.
The port portnum specifies the protocol port to return to the client, and can
be 0-65534. There is no default. You must specify a port.
The priority can be 0-65535. There is no default.
The weight num specifies the weight and can be 0-65535. The default is 10.
The ttl specifies the time-to-live for the DNS record in seconds. Typically DNS
records take 24-48 hours to propagate. The default TTL is 0 seconds.
• dns-txt-record obj-name txt-data [ttl num] – Enables use of DNS
TXT resource records to carry multiple pieces of DNS TXT data within one TXT
record.
The obj-name specifies the text data’s object name, in order to avoid long
URLs of aXAPI.
The txt-data is the DNS TXT data that you want to enter in the TXT
record.
The ttl specifies the time-to-live for the DNS record in seconds. Typically DNS
records take 24-48 hours to propagate. The default TTL is 0 seconds.
NOTE: The ACOS device has a special handler that enables you to enter
non-printable characters that the CLI does not support.
NOTE: This option also requires the dns server txt command at the
configuration level for the GSLB policy.
• geo-location location-name - Configures geo-location settings. The location
must already be configured. (See “gslb geo-location” on page 135.) Entering
this command takes you to the GSLB Zone Service Geo-location
configuration level, where the following commands are available:
  • action action – Specifies the action to perform for DNS traffic. The
  action options are the same as those for the action command described
  above. Another action possible is allow, which allows queries from this
  geo-location.
  • alias url – Maps an alias configured with the alias option (see above) to
  the specified location for this service.
  • policy policy-name – Applies the specified GSLB policy to clients from the
  geo-location.
• health-check-gateway enable – Enable service’s health-check gateway.
• health-check-gateway disable – Disable service’s health-check gateway.
• health-check-port portnum – Specify the port for the health check for
the service. Use multiple statements to configure more than one port.
• policy policy-name – Applies the specified GSLB policy to the service. If
the service policy is the default policy, then the service will automatically
inherit the policy configured for the overall GSLB Zone. Any non-default policy
configured for the service specifically will be honored over the GSLB Zone
policy.
[no] template dnssec template-name Binds a DNSSEC template to the zone.
[no] ttl seconds Changes the TTL of each DNS record contained in DNS replies received from the
DNS for which the ACOS Series is a proxy, for this zone. You can specify from 0 to
1000000000 (one billion) seconds. This TTL setting overrides the TTL setting in the
GSLB policy. The default is 10.
The TTL of the DNS reply can be overridden in two different places in the GSLB
configuration: (1) If a GSLB policy is assigned to the individual service, then the TTL
from that policy is used. (2) If no policy is assigned to the individual service, but
the TTL is set in the zone, then the zone’s TTL setting is used. (This is the level set
by the ttl command shown earlier in this section.)
[no] use-server-ttl Use the configured service Time-to-Live.
Example The following example uses the wildcard character at the end of the gslb zone
command. This has the result of identifying all GSLB zones so that the next line of
the configuration creates a positive match on all DNS domains that have the pre-
fix of “www”.
Example The following commands create a default GSLB policy and then specify that a
backup server at IP 10.10.2.1 will be returned to the client if the primary servers
fail.
import geo-location
Description Imports new geo-location database CSV files into an ACOS device.
The overwrite option overwrites the existing geo-location file under that name
with the new geo-location file that is being imported.
Usage This command imports a geo-location database, saved as a CSV file, into an ACOS
device and allows for periodic synchronization of the database across all GSLB
group members. This command only imports a database; it does not load the
database into the ACOS starting configuration. To load the database file, see
“gslb system geo-location load” on page 149.
Example The following command imports a geo-location database CSV file and config-
ures ACOS to periodically check for updates once a day:
Policy Configuration Commands
• active-rdt
• active-servers
• active-servers-enable
• admin-ip
• admin-ip-enable
• admin-preference
• alias-admin-preference
• auto-map
• bw-cost
• bw-cost-enable
• capacity
• connection-load
• dns action
• dns active-only
• dns addition-mx
• dns auto-map
• dns backup-alias
• dns backup-server
• dns cache
• dns cname-detect
• dns delegation
• dns external-ip
• dns external-soa
• dns geoloc-action
• dns geoloc-alias
• dns geoloc-policy
• dns hint
• dns ip-replace
• dns logging
• dns selected-only
• dns server
• dns sticky
• dns ttl
• geo-location
• geo-location-match
• geographic
• health-check
• ip-list
• least-response
• metric-fail-break
• metric-force-check
• metric-order
• num-session
• num-session-enable
• round-robin
• weighted-alias
• weighted-ip
• weighted-ip-enable
• weighted-site
• weighted-site-enable
active-rdt
Description Configure the active-Round Delay Time (aRDT) metric.
aRDT measures the round-delay-time for a DNS query and reply between a site
ACOS device and the GSLB local DNS.
Parameter Description
controller This command enables GSLB Controller-based metrics on the device.
GSLB Controller based metrics are not supported in IPv6 or L3V partition configura-
tions.
This is disabled by default.
difference num Number from 0 to 16383 specifying the round-delay-time difference.
The default is 0.
enable Enable active-Round Delay Time for the given policy.
This is disabled by default.
fail-break Enables GSLB to stop if the configured aRDT limit in a policy is reached. The fail-break
action depends on whether the GSLB controller is running in server mode or proxy
mode:
• Server mode: If a backup-alias is configured, the GSLB controller returns the
backup-alias to the client; otherwise, the controller returns a blank response error
to the client.
• Proxy mode: If a backup-alias is configured, the GSLB controller returns the
backup-alias to the client; otherwise, the controller returns the response from the
back-end DNS server.
Notes:
• To configure the aRDT limit, use the limit option (described below).
• To configure GSLB to return a CNAME record as a backup, enable the backup-alias
option using the dns backup-alias command at the configuration level for the
policy. To configure the backup alias for a service within a zone, use the following
command at the configuration level for the service:
dns-cname-record alias-name as-backup
This is disabled by default.
ignore-id group-id Excludes the IP addresses in the specified IP list from aRDT data collection. Specify an
ID from 0-31. (To configure an IP list, see “gslb ip-list” on page 138.)
This is not set by default.
keep-tracking Continues tracking of aRDT for clients after the track time expires. By default, GSLB
stops collecting aRDT samples for a client (stops tracking the client) after the time
has exceeded the number of seconds specified by the global aRDT track setting.
This is disabled by default.
limit ms Specifies the aRDT limit for the policy. This option is useful for applying site selection
based on aRDT limits and geo-location. This option is required if you plan to use the
DNS geoloc-policy option. You can specify 1-16383 ms.
To configure aRDT limit by geo-location:
1. Enable the active-rdt bind-geoloc option on each GSLB site.
2. Enable the dns geoloc-policy option in the default GSLB policy, and enable the
active-rdt option in the policies for geo-locations. If applicable, configure the
aRDT limit.
3. On the service within the zone, enable the geo-location option and specify the
GSLB policy to use for that location.
The default limit is 16383 ms.
proto-rdt-enable This command configures GSLB controller-based metrics to include both response
times between 1) the controller and the originating LDNS server; and 2) the controller
and the site device. When this option is disabled, the metric includes only the
response time between the controller and the originating LDNS server.
This is disabled by default.
samples num-samples Number from 1 to 8 specifying the number of samples to collect.
The default is 5.
single-shot Collects a single sample only.
skip count When single-shot is configured, this option determines the number of site ACOS
devices that can exceed their single-shot timeouts, without the aRDT metric itself
being skipped by the GSLB ACOS device during site selection. You can skip from 1-31
sites.
This is disabled by default; multiple samples are taken at regular intervals. When
enabled, the default skip is 3.
timeout seconds When single-shot is configured, this option determines the number of seconds each
site ACOS device should wait for the DNS reply. If the reply does not arrive within the
specified timeout, the site becomes ineligible for selection, in cases where selection
is based on the aRDT metric. You can specify 1-255 seconds.
The default timeout is 3 seconds.
tolerance percentage Specifies how much the aRDT values must differ in order for GSLB to prefer one
geo-location or site over another based on aRDT.
The default is 10 percent.
Default Disabled. When you enable the aRDT metric, it has the default settings described
in the table above.
Usage This metric requires the GSLB protocol to be enabled both on the GSLB controller
and on the site ACOS devices.
active-servers
Description Configure the Active-Servers metric, which prefers the VIP with the highest
number of active servers.
Parameter Description
fail-break Enables GSLB to stop if the number of active servers for all services
is 0. The fail-break action depends on whether the GSLB controller
is running in proxy mode or server mode:
• Server mode: If a backup-alias is configured, the GSLB controller
returns the backup-alias to the client; otherwise, the controller
returns a SERVFAIL error to the client.
• Proxy mode: If a backup-alias is configured, the GSLB controller
returns the backup-alias to the client; otherwise, the controller
returns the response from the back-end DNS server.
Default Disabled
Usage Use this command to eliminate inactive real servers from being eligible for
selection.
active-servers-enable
Description Enable or disable selecting the service-IP with the highest number of active
servers:
admin-ip
Description Allows you to assign administrative weights to IP addresses.
NOTE: To configure GSLB to return only the top prioritized IP address in query
responses, also enable the dns selected-only option.
Default Disabled
Usage The prioritized list is sent to the next metric for further evaluation. If admin-ip is
the last metric, the prioritized list is sent to the client. To configure the list of
admin-preferred addresses for a service, use the admin-ip command at the service
configuration level for the GSLB zone. See “gslb zone” on page 153.
admin-ip-enable
Description Enable or disable admin IP prioritization.
Default Disabled.
admin-preference
Description Enable or disable the Admin-Preference metric, which prefers the site whose SLB
device has the highest administratively set weight.
Default Disabled
Usage To set the GSLB Admin-Preference value for a site, use the admin-preference
command at the configuration level for the SLB device within the site. (See “gslb
site” on page 145.)
alias-admin-preference
Description Enable or disable the Alias Admin Preference metric, which selects the DNS
CNAME record with the highest administratively set preference. This metric is
similar to the Admin Preference metric, but applies only to DNS CNAME records.
Default Disabled
Usage Metric order does not apply to this metric. When enabled, this metric always has
high priority.
1. At the configuration level for the GSLB service, use the admin-preference
preference command to assign an administrative preference to the DNS
CNAME record for the service. (See “gslb service-ip” on page 143.)
2. At the configuration level for the GSLB policy:
• Use the alias-admin-preference command to enable the Alias Admin
Preference metric.
• Enable one or both of the following DNS options, as applicable to your
deployment (See “Alias-Admin-Preference” on page 60):
•DNS backup-alias
•DNS geoloc-alias
3. If using the backup-alias option, use the dns-cname-record as-backup
option on the service. (See “gslb service-ip” on page 143.)
auto-map
Description Enable auto-mapping of the specified resource type within the policy.
Parameter Description
module-disable resource-type Specify what resource-types you want to disable auto-mapping
for. For more information, see “gslb system auto-map
module” on page 148.
By default, all modules have Auto Map M.
ttl num Specify a Time-to-Live for auto-mapping. The default is 300
seconds. You can specify from 1-65535 seconds. For more
information, see “gslb system auto-map ttl” on page 149.
The default TTL is 300 seconds.
bw-cost
Description Configure the BW-Cost metric. This mechanism queries the bandwidth utilization
of each site, and selects the site(s) whose bandwidth utilization has not
exceeded a configured threshold during the most recent query interval.
[no] bw-cost fail-break
The bandwidth cost fail-break enables GSLB to stop if the current BW-Cost value
is over the limit. The fail-break action depends on whether the GSLB controller is
running in proxy mode or server mode:
NOTE: Use the bw-cost-enable command to enable selection of the site with
the smallest bandwidth cost.
Default Disabled
bw-cost-enable
Description Enable selection of the site with the smallest bandwidth cost.
Default Disabled.
capacity
Description Configure the TCP/UDP Session-Capacity metric. This mechanism provides a way
to shift load away from a site before the site becomes congested.
Example:
Site A’s maximum session capacity is 800,000 and Site B’s maximum session
capacity is 500,000. If the Session-Capacity threshold is set to 90, then for Site A
the capacity threshold is 90% of 800,000, which is 720,000. Likewise, the capacity
threshold for Site B is 90% of 500,000, which is 450,000.
Parameter Description
enable Enables selection of the service-IP with the highest
available connection capacity.
fail-break Enables GSLB to stop if the session utilization on all
site SLB devices is over the threshold. The fail-break
action depends on whether the GSLB controller is running
in proxy mode or server mode:
• Server mode: If a backup-alias is configured, the
GSLB controller returns the backup-alias to the client;
otherwise, the controller returns a SERVFAIL
error to the client.
• Proxy mode: If a backup-alias is configured, the
GSLB controller returns the backup-alias to the client;
otherwise, the controller returns the response
from the back-end DNS server.
threshold percentage Number from 0 to 100 specifying the maximum percentage
of a site ACOS device session table that can
be used. If the session table utilization is greater than
the specified percentage, the GSLB controller prefers
other sites over this site.
The default threshold is 90 percent.
Default Disabled. See descriptions for default values when the capacity metric is
enabled.
Usage This metric requires the GSLB protocol to be enabled both on the GSLB controller
and on the site ACOS devices.
Example The following command enables the capacity metric at the default value of 90%
utilization of TCP/UDP session capacity:
connection-load
Description Configure the Connection-Load metric, which prefers sites that have not
exceeded their thresholds for new connections.
Parameter Description
enable Enables the Connection-Load metric.
fail-break Enables GSLB to stop if the connection load for all sites is over the limit. Fail-break
action depends on whether the GSLB controller runs in proxy mode or server mode:
• Server mode: If a backup-alias is configured, the GSLB controller returns the
backup-alias to the client; otherwise, the controller returns a SERVFAIL error.
• Proxy mode: If a backup-alias is configured, the GSLB controller returns the
backup-alias to the client; otherwise, the controller returns the response from the
back-end DNS server.
limit number-of-connections Number that specifies the maximum average number of new connections per
second the site ACOS device can have. You can specify from 1 to 999999999
(999,999,999).
The default limit is not set (unlimited).
samples number-of-samples interval seconds Number of samples for the SLB device (the site ACOS device) to collect, and the
number of seconds between each sample. You can specify 1-8 samples and an interval of
1-60 seconds.
The default number of samples is 5, and the default interval is 5 seconds.
Default Disabled. See descriptions for default values when the Connection-Load metric
is enabled.
Usage This command applies only to GSLB selection of a site. The command does not
affect the number of connections the site ACOS device itself allows.
This metric requires the GSLB protocol to be enabled both on the GSLB controller
and on the site ACOS devices.
Example The following command sets the connection load limit to 1000 new connections:
dns action
Description The dns action command enables GSLB to perform the DNS actions specified in
the service configurations.
To configure the DNS action for a service, use the action action-type
command at the configuration level for the service. See “gslb zone” on page 153.
Default Disabled
Example This command enables GSLB to perform the DNS actions specified in service
configurations.
dns active-only
Description The dns active-only command removes IP addresses from DNS replies when
those addresses fail health checks. If none of the IP addresses in the DNS reply
pass the health check, the ACOS device does not use this metric, because it
results in an empty address list.
The fail-safe option returns a list of server IP addresses for failed servers to the
client. Without this option, IP addresses of failed servers are omitted from the
reply.
The no dns active-only command restores the default mode of disabling the
removal of IP addresses that fail health checks from DNS replies.
Parameter Description
MODE Specifies the information returned to the client. Valid options include:
• <no parameter> omits IP addresses of failed servers from reply
• fail-safe includes IP addresses of failed servers in client reply.
Default Disabled.
Example This command programs the ACOS device to remove from DNS replies the IP addresses
of devices that fail health checks. The addresses of failed devices are not returned to the
client.
Example This command programs the ACOS device to remove from DNS replies the IP addresses
of devices that fail health checks and returns the address list of failed devices to the
client.
Example This command sets the ACOS device to ignore health check failures in its DNS
replies.
dns addition-mx
Description The dns addition-mx command programs the ACOS device to append MX
records in the additional section of replies for A records when the device is
configured for DNS proxy or cache mode.
Default Disabled
Example This command programs the ACOS device to append MX records to the
additional section of replies for A records.
Example This command restores the ACOS device default of not appending MX records.
dns auto-map
Description The dns auto-map command enables the automatic creation of A and AAAA
records for IP resources configured on the ACOS device.
Default Disabled
Example The following command enables the automatic creation of A and AAAA records
for IP resources configured on the ACOS device.
dns auto-map
ACOS(config-policy:OXYGEN)#
Example The command disables the automatic creation of A and AAAA records.
dns backup-alias
Description The dns backup-alias command returns the alias CNAME record configured for
the service, if GSLB does not receive an answer to a query for the service and no
active DNS server exists. This option is valid in server mode or proxy mode.
To configure the backup alias for a service within a zone, use the dns-cname-record
command at the configuration level for the service.
The no dns backup-alias command restores the default of not returning the
alias CNAME record.
Default Disabled.
Example This command configures the ACOS device to return the alias CNAME record
configured for the service when GSLB does not receive an answer to a query for
the service when no active DNS server exists.
Example This command configures the ACOS device to not return the alias CNAME record
configured for the service when GSLB does not receive an answer to a query for
the service when no active DNS server exists.
dns backup-server
Description The dns backup-server command designates one or more backup servers that
can be returned to the client if the primaries should fail.
Default Disabled.
Example This command designates the ACOS device as a backup server that can be
returned to the client if the primaries should fail.
dns cache
Description The dns cache command enables the GSLB ACOS device to cache DNS replies.
The ACOS device uses information in the cached DNS entries to reply to subsequent
client requests, as opposed to sending a new DNS request for every client
query.
When this option is enabled, the ACOS device caches a DNS reply for the
duration of the TTL in the reply when the aging time parameter is set to zero. To
override the entry TTL, set the cache aging time to a value greater than zero.
The no dns cache command disables the GSLB ACOS device from caching DNS
replies.
Parameter Description
DURATION Specifies site location mode. Valid options include
• <no parameter> cache period is specified in DNS reply
• aging-time 0 cache period is specified in DNS reply
• aging-time period cache period (seconds)
Value ranges from 1 to 1000000000 (one billion)
Default Disabled.
Example The following command enables the caching of DNS replies and sets the TTL to
the period specified in the reply.
Example This command resets the TTL to the period specified in the
reply.
Example The command disables the GSLB ACOS device from caching DNS replies.
dns cname-detect
Description The dns cname-detect command enables CNAME response mode. When the
ACOS device is in CNAME response mode, it applies the zone and service policy
to the CNAME record instead of applying it to the address record. When CNAME
response mode is disabled, the zone and service policy is applied to the address
record. Executing this command restores the CNAME response mode setting of
enabled.
Default Enabled
dns delegation
Description The dns delegation command enables sub-zone delegation mode. When in
sub-zone delegation mode, the device delegates authority or responsibility for a
portion of the DNS name space from the parent domain to a separate sub-domain
which may reside on one or more remote servers and may be managed
by someone other than the network administrator who is responsible for the
parent zone. (see “DNS Sub-zone Delegation” on page 70.)
Default Disabled.
dns external-ip
Description The dns external-ip command returns the external IP address configured for a
service IP. If this option is disabled, the internal address is returned instead.
The external IP address must be configured on the service IP. Use the external-ip
command at the configuration level for the service IP.
The no dns external-ip command disables the option of returning the external
IP address configured for a service IP.
Default Enabled.
Example These commands disable the option of returning the external IP address
configured for a service IP address.
Example These commands enable the option of returning the external IP address
configured for a service IP address.
dns external-soa
Description The dns external-soa command programs the ACOS device to replace the
internal SOA record with an external SOA record, preventing external clients from
gaining access to internal information.
The external SOA record must be configured in the GSLB zone. (Use the
external-soa record command at the GSLB zone configuration level.)
The no dns external-soa command disables this option. When this option is
disabled, the internal address is returned.
Default Disabled.
Example These commands program the ACOS device to replace the internal SOA record
with an external SOA record.
Example This command programs the ACOS device to return the internal address.
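One way to check from outside the network that dns external-ip and dns external-soa are taking effect is to parse a captured DNS reply and flag internal addresses and internal SOA names. This is an added example, not code from the A10 guide; the `.corp.internal.` suffix, the function names and the sample replies are constructed for illustration.

```python
import ipaddress
import struct

# RFC 1918 and IPv6 unique-local ranges that should not appear in external replies.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
TYPE_A, TYPE_SOA, TYPE_AAAA = 1, 6, 28


def read_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, after, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if after is None:
                after = off + 2                   # parsing resumes after the first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (after if after is not None else off)
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length


def records(msg):
    """Yield (section, owner, rtype, rdata_offset, rdlength) for every RR in a reply."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            yield section, owner, rtype, off, rdlen
            off += rdlen


def audit_reply(msg, internal_suffixes):
    """Return findings for internal addresses and internal SOA MNAME/RNAME values."""
    findings = []
    for section, owner, rtype, off, rdlen in records(msg):
        if rtype in (TYPE_A, TYPE_AAAA):
            addr = ipaddress.ip_address(msg[off:off + rdlen])
            if any(addr in net for net in INTERNAL_NETS):
                findings.append(f"{section}: {owner} -> internal address {addr}")
        elif rtype == TYPE_SOA:
            mname, nxt = read_name(msg, off)
            rname, _ = read_name(msg, nxt)
            for field, value in (("MNAME", mname), ("RNAME", rname)):
                if any(value.endswith(s) for s in internal_suffixes):
                    findings.append(f"{section}: SOA {field} {value} is an internal name")
    return findings


def _enc(name):
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\0"


def _rr(owner, rtype, rdata):
    return owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata


def sample_reply(a_addr, mname, rname):
    """Constructed reply for www.example.com: one A answer, one SOA in authority."""
    header = struct.pack("!6H", 0x1234, 0x8400, 1, 1, 1, 0)
    question = _enc("www.example.com") + struct.pack("!HH", TYPE_A, 1)
    answer = _rr(b"\xc0\x0c", TYPE_A, ipaddress.ip_address(a_addr).packed)
    soa = _enc(mname) + _enc(rname) + struct.pack("!5I", 2017102701, 3600, 600, 86400, 300)
    return header + question + answer + _rr(_enc("example.com"), TYPE_SOA, soa)


if __name__ == "__main__":
    leaky = sample_reply("10.1.2.3", "ns1.corp.internal", "hostmaster.corp.internal")
    for line in audit_reply(leaky, [".corp.internal."]):
        print(line)
```

Feed it the raw UDP payload of a reply captured on the external side; an empty result means the reply carried neither internal addresses nor the listed internal names.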
dns geoloc-action
Description The dns geoloc-action command programs the ACOS device to perform the
DNS traffic handling action specified for the client’s geo-location. The action is
specified as part of service configuration in a zone.
To configure the DNS action for a service, use the geo-location location-name
action-type command at the configuration level for the service. See “gslb zone”
on page 153.
The no dns geoloc-action command restores the default value, where the ACOS
device does not perform the DNS traffic handling action.
Default Default.
Example These commands program the ACOS device to perform the DNS traffic handling
action specified for the client’s geo-location.
Example This command programs the ACOS device to not perform the DNS traffic
handling action specified for the client’s geo-location.
dns geoloc-alias
Description The dns geoloc-alias command configures the ACOS device to return the alias
name configured for the client’s geo-location.
The no dns geoloc-alias command configures the ACOS device to not return
the alias name configured for the client’s geo-location.
Default Disabled.
Example These commands configure the ACOS device to return the alias name configured
for the client’s geo-location.
Example This command programs the ACOS device to not return the alias name configured
for the client’s geo-location.
dns geoloc-policy
Description The dns geoloc-policy command configures the ACOS device to use the GSLB
policy assigned to the client’s geo-location.
The no dns geoloc-policy command configures the ACOS device to not use the
GSLB policy assigned to the client’s geo-location.
Default Disabled.
Description These commands configure the ACOS device to use the GSLB policy assigned to
the client’s geo-location.
Example The no dns geoloc-policy command configures the ACOS device to not use the
GSLB policy assigned to the client’s geo-location.
Example This command configures the ACOS device to not use the GSLB policy assigned
to the client’s geo-location.
dns hint
Description The dns hint command manages the appearance of hints that appear in the
Additional Section of DNS responses. Hints are A or AAAA records that are sent in
the response to a client’s DNS request. These records provide a mapping
between the host names and IP addresses.
The hint option applies to the following record types: NS, MX, and SRV.
The no dns action command restores the default value of appending hints in
the Additional section, which is equivalent to the addition option.
Parameter Description
LOCATION Specifies the section where hints are appended. Options include:
• addition Appends hints in the Additional Section (default).
• answer Appends hints in the Answer Section.
• none Does not append hints in the DNS response.
Example These commands configure the ACOS device to append hints in the Answer
section of the DNS response.
Example This command configures the ACOS device to not append hints to the DNS
response.
Example This command configures the ACOS device to append hints in the Answer
section of the DNS response.
dns ip-replace
Description The dns ip-replace command configures the ACOS device to replace the IP
addresses in DNS replies with the service IP addresses configured for the service.
The no dns ip-replace command restores the ACOS default behavior of not
replacing the IP addresses in DNS replies with the service IP addresses
configured for the service.
Default Disabled.
Example These commands configure the ACOS device to replace the IP addresses in DNS
replies with the service IP addresses configured for the service.
Example This command restores the ACOS default behavior of not replacing the IP
addresses in DNS replies with the service IP addresses configured for the service.
The dns ipv6 mapping command restores the default behavior of not using
AAAA records to respond to IPv6 DNS queries.
Parameter Description
ACTION Specifies response actions to IPv6 DNS queries. Valid options include:
• addition – Append AAAA records in DNS Addition section of
replies.
• answer – Append AAAA records in the DNS Answer section of
replies.
• exclusive – Replace A records (IPv4 address) with AAAA records.
• replace – Reply with AAAA records only.
Default Disabled.
Example These commands program the ACOS device to append AAAA records in the DNS
Addition section of replies to IPv6 DNS queries.
Example This command programs the ACOS device to append AAAA records in the DNS
Answer section of replies to IPv6 DNS queries.
ACOS(config-policy:OXYGEN)#
Example This command programs the ACOS device to replace A record with AAAA records
in response to IPv6 DNS queries.
Example This command programs the ACOS device to use AAAA records only in response
to IPv6 DNS queries.
Example This command programs the ACOS device to not use AAAA records to respond to
IPv6 DNS queries.
The no dns ipv6 mix command disables the ability to return AAAA and A records
in the same response.
Default Disabled
Example These commands configure the ACOS device to return AAAA and A records in
the same response.
Example This command disables the ability to return AAAA and A records in the same
response.
Default Default.
dns logging
Description The dns logging command enables DNS logging and specifies the messages
that are logged.
Parameter Description
MESSAGE Specifies the information returned to the client. Valid options include:
• query Query messages are logged.
• response Response messages are logged
• both Query and response messages are logged
• none Neither messages are logged
Example These commands enable DNS logging of neither query nor response messages.
Example This command enables DNS logging of response and query messages.
The no dns proxy block <query> command removes the ACOS device’s DNS
query block. The command requires a record list identical to the list of records
currently blocked.
Parameter Description
ATTRIBUTE_X Specifies information returned to the client. The command must list
at least one attribute and may include more than one. Options
include:
• a
• aaaa
• mx
• ns
• srv
• cname
• ptr
• soa
• txt
Default Disabled.
Example These commands program the ACOS device to block DNS queries with A and
AAAA records.
Example This command attempts to remove A records from the list of DNS queries the
ACOS device is programmed to block.
Example This command removes the DNS query capacity of the ACOS device.
The no dns proxy block <type> command restores the delivery of the specified
DNS queries.
Parameter Description
TYPE-LIST Specifies the information returned to the client. Valid options
include:
• <1-255> Specifies a single type
• range <1-255> Specifies a single element range of types
• range <1-255> to <1-255> Specifies a range of types
Example These commands block DNS queries of type 56, 58, and 60-69.
Example This command removes the types 63 to 67 from the DNS query block.
The no dns proxy block action command restores the default value.
Parameter Description
DISPOSITION Specifies the information returned to the client. Valid options
include:
• drop
• reject
• ignore
dns selected-only
Description The dns selected-only command enables return of only selected IP addresses.
The command specifies a limit of records that can be returned after a record is
selected. When the number of records exceeds the configured value, GSLB
ignores this configuration.
Parameter Description
num-record Specifies the limit of records that are returned. Valid options include:
• <no parameter> – enables return of all selected records
• <1-128> – specifies number of records
Default Disabled.
Example These commands enable the return of 32 records after receiving a query from a
selected IP address.
dns server
Description The dns server command enables a GSLB ACOS device to act as a DNS server for
specific service IPs in the GSLB zone. When this setting is enabled, the device
responds directly to address queries for specific service IP addresses in the GSLB
zone. The ACOS device still forwards other types of queries to the DNS server.
When using this command, the dns cname-detect command is not required.
When a client requests a configured alias name, GSLB applies the policy to the
CNAME records. The server option is not valid with the ip-replace option. They
are mutually exclusive.
When using this command, you also must enable the static option on the
individual service IP. (To configure the service IP addresses, use the service-ip
command at the configuration level for the service. See “gslb zone” on page 153.)
The no dns server command disables the GSLB ACOS device from acting as a
DNS server for specific service IPs in the GSLB zone.
Parameter Description
RECORD_X Specifies the limit of records that are returned. Valid options include:
• addition-mx – Enables ACOS device to provide the A record containing the
mail server’s IP address in the Additional section, when the device is
configured for DNS server mode.
• any – Enables ACOS device to provide all resource records that are available,
when the ACOS device is configured for DNS server mode. When a client
issues a type “ANY” request (which is actually a pseudo resource record that is
expressed by the wildcard code “*”), then the ACOS device includes all RR
information it has available.
• authoritative – Makes the ACOS device the authoritative DNS server for
the GSLB zone, for service IPs in which static is enabled. If omitted, the ACOS
device is a non-authoritative DNS server for the zone domain.
• cname – Allows ACOS device to respond to inbound GSLB DNS requests that
have load-balanced CNAME records.
• ns [auto-ns] – Provides name server record. The auto-ns option causes
the policy to provide A records for NS records automatically.
• ptr [auto-ptr] – Provides the pointer record. The auto-ptr option
causes the policy to provide pointer records automatically.
• full-list – Appends all A records in the Authoritative section.
• mx – Provides MX record in Answer section, and A record for mail server in
Additional section, when device is configured for DNS server mode.
• ns-list – This option appends all Name Server (NS) Resource Records (RR)
in the Authority section of DNS replies.
• sec – Provides DNSSEC support.
• srv – Provides the service record.
• txt – Provides the service record. TXT resource records can be used to carry
multiple pieces of DNS TXT data within a single record.
Default Disabled
Example The following command modifies the policy to program the ACOS device to act
as a DNS server for mail server and name server records.
Example These commands disable the DNS server function on devices upon which the
policy is applied.
dns sticky
Description The dns sticky command programs the device to send the same service IP address
to a client for all requests from that client for the service address. Sticky DNS
ensures that, during the aging-time, a client is always directed to the same site.
The prefix length options adjust the granularity of the feature. The default prefix
length (32 for IPv4, 128 for IPv6) causes the ACOS device to maintain separate
stickiness information for each local DNS server. For example, if two clients use
DNS 10.10.10.25 as their local DNS server, and two other clients use DNS
10.20.20.99 as their local DNS server, the ACOS device maintains separate stickiness
information for each set of clients, by maintaining separate stickiness
information for each of the local DNS servers.
When the sticky option is enabled, the sticky time must be at least as long as
the zone TTL as defined by the ttl command at the zone configuration level.
(See “gslb zone” on page 153.)
Parameter Description
MASK-V4 Specifies the IPv4 mask size. Valid options include:
• <no parameter> IPv4 mask size of 32
• /<1-32> Specifies IPv4 mask size
• dotted decimal notation Must be valid mask value.
MASK-V6 Specifies the IPv6 mask size. Valid options include:
• <no parameter> equivalent to ipv6-mask 128
• ipv6-mask <1-128>
DURATION Specifies duration limit for returning record. Valid options include:
• <no parameter> equivalent to aging-time 5
• aging-time <1-65535>
Default Disabled.
When the option is enabled, the default prefix is /32, the default aging time is 5
minutes, and the default IPv6 mask length is 128.
Usage If more than one of the following options are enabled, GSLB uses them in the
order listed:
1. sticky
2. server
3. cache
4. proxy (The command does not have a separately configurable “proxy”
option. The proxy option is automatically enabled when you configure the
DNS proxy.)
The site address selected by the first option that is applicable to the client and
requested service is used.
Example These commands enable DNS sticky and establish default values for aging
time and the masks.
Example This command configures non-default values for the aging time and masks.
Example This command modifies IPv4 mask size without changing the other parameters.
Example This command explicitly changes the parameter values to their defaults.
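The mask granularity and aging behaviour described for dns sticky, modelled in Python as an added example (not ACOS code or output). The StickyTable class, the rotating selector, the service IPs and the 10-second zone TTL are assumptions made for illustration; the two resolver addresses are the ones used in the description above.

```python
import ipaddress


class StickyTable:
    """Sticky DNS state keyed by the masked address of the querying local DNS server."""

    def __init__(self, zone_ttl_seconds, v4_prefix=32, v6_prefix=128, aging_minutes=5):
        if not 1 <= v4_prefix <= 32 or not 1 <= v6_prefix <= 128:
            raise ValueError("mask length out of range")
        if not 1 <= aging_minutes <= 65535:
            raise ValueError("aging-time out of range")
        # The page requires the sticky time to be at least as long as the zone TTL.
        if aging_minutes * 60 < zone_ttl_seconds:
            raise ValueError("aging-time is shorter than the zone TTL")
        self.prefix = {4: v4_prefix, 6: v6_prefix}
        self.aging_seconds = aging_minutes * 60
        self.entries = {}   # masked network -> (service IP, expiry time)

    def key(self, ldns_ip):
        """Mask the resolver address to the configured prefix length."""
        ip = ipaddress.ip_address(ldns_ip)
        return ipaddress.ip_network(f"{ip}/{self.prefix[ip.version]}", strict=False)

    def resolve(self, ldns_ip, choose, now):
        """Return the sticky service IP, or call choose() and remember its answer."""
        key = self.key(ldns_ip)
        entry = self.entries.get(key)
        if entry and now < entry[1]:
            return entry[0]
        service_ip = choose()
        # Assumption: an entry ages out a fixed time after creation (no refresh on hit).
        self.entries[key] = (service_ip, now + self.aging_seconds)
        return service_ip


def rotating_selector(service_ips):
    """Stand-in for the rest of the policy: hands out service IPs in turn."""
    state = {"next": 0}

    def choose():
        ip = service_ips[state["next"] % len(service_ips)]
        state["next"] += 1
        return ip

    return choose


def demo(v4_prefix):
    """Answers given to the two resolvers at t = 0 s, 60 s and 301 s."""
    table = StickyTable(zone_ttl_seconds=10, v4_prefix=v4_prefix)
    choose = rotating_selector(["192.0.2.10", "198.51.100.10"])  # constructed service IPs
    return [(t, ldns, table.resolve(ldns, choose, now=t))
            for t in (0, 60, 301)
            for ldns in ("10.10.10.25", "10.20.20.99")]


if __name__ == "__main__":
    for prefix in (32, 8):
        print(f"IPv4 mask /{prefix}")
        for t, ldns, answer in demo(prefix):
            print(f"  t={t:>3}s  ldns={ldns:<12} -> {answer}")
```

With the default /32 mask each resolver keeps its own answer; with a /8 mask both resolvers fall under 10.0.0.0/8 and share one entry until it ages out.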
dns ttl
Description The dns ttl command programs the ACOS device to change the TTL of each DNS
record in DNS replies received from the DNS for which the device is a proxy.
The dns use-server-ttl command programs the device to use the time-to-live
value in the DNS server response instead of replacing it with a specified value.
The no dns ttl and no dns use-server-ttl commands restore the default value of
10 seconds. The latter command is available only when dns use-server-ttl is
configured.
Parameter Description
DURATION Specifies the new TTL value (seconds). Value ranges from 0 to 1000000000 (one billion).
Default 10 seconds.
Example These commands program the device to change TTL for DNS replies to 30 secs.
Example This command programs the device to use TTL from DNS records in DNS replies.
Example This command programs the device to change TTL for DNS replies to 10 seconds.
For DNS queries, not all requests use a third-party resolver that is in close
topographical proximity to themselves. Some recursive resolvers use an extra
EDNS field in DNS messages to forward details about where a network query is
coming from. ACOS can read the extra EDNS-Client-Subnet field and provide
more specific topological geo-location features for DNS queries in GSLB.
Default Disabled.
Usage This command allows ACOS to read the extra field in DNS messages, and to
provide more specific topological geo-location features for DNS queries, based on
the client’s subnet. The information in the EDNS field is checked against
configured geo-location databases first.
Example This example configures a device to read EDNS-Client-Subnet field in DNS
queries. In the example, if client traffic comes in with a source IP 11.11.11.11, but the
EDNS-Client-Subnet is 10.10.10.10, the DNS A record vs1 is selected because the
client’s EDNS-Client-Subnet corresponds to the geo-location of site1. The EDNS-
Client-Subnet 10.10.10.10 will be used for all geo-location metric features.
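An added example, not taken from the A10 guide, of what reading the EDNS-Client-Subnet field involves: it parses the option (code 8, RFC 7871) out of a constructed DNS query and uses it in place of the source address for the geo-location lookup. The geo-location ranges, the vs2 record and the fallback to the source address when the option is malformed are assumptions of this example.

```python
import ipaddress
import struct

OPT_RR_TYPE = 41      # EDNS(0) pseudo-RR
ECS_OPTION_CODE = 8   # EDNS-Client-Subnet option (RFC 7871)

# Constructed geo-location ranges (assumptions; the page does not list them).
GEO_TO_RECORD = [
    (ipaddress.ip_network("10.10.10.0/24"), "vs1"),   # geo-location of site1
    (ipaddress.ip_network("11.11.11.0/24"), "vs2"),   # geo-location of site2
]


def build_query(qname, ecs=None):
    """Build a constructed DNS A query, optionally carrying an ECS option."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if ecs else 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    msg = header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    if ecs:
        net = ipaddress.ip_network(ecs)
        family = 1 if net.version == 4 else 2
        addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
        data = struct.pack("!HBB", family, net.prefixlen, 0) + addr
        option = struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data
        msg += b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 4096, 0, len(option)) + option
    return msg


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # a compression pointer ends the name
            return off + 2
        off += 1 + length


def _ecs_from_options(rdata):
    """Walk the OPT RDATA and decode the first ECS option, if any."""
    pos = 0
    while pos < len(rdata):
        code, olen = struct.unpack_from("!HH", rdata, pos)
        data = rdata[pos + 4:pos + 4 + olen]
        pos += 4 + olen
        if code != ECS_OPTION_CODE:
            continue
        family, source_len, _scope = struct.unpack_from("!HBB", data, 0)
        addr = data[4:]
        if family not in (1, 2):
            raise ValueError("unknown ECS address family")
        size = 4 if family == 1 else 16
        if source_len > size * 8 or len(addr) != (source_len + 7) // 8:
            raise ValueError("malformed ECS option")
        net_cls = ipaddress.IPv4Network if family == 1 else ipaddress.IPv6Network
        # Strict construction: bits beyond the source prefix must be zero.
        return net_cls((addr.ljust(size, b"\x00"), source_len))
    return None


def parse_ecs(msg):
    """Return the ECS subnet of a DNS query, or None when no ECS option is present.

    Raises ValueError for a truncated message or a malformed option.
    """
    try:
        _id, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4            # QTYPE + QCLASS
        for index in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rdata = msg[off:off + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("truncated RDATA")
            off += rdlen
            if rtype == OPT_RR_TYPE and index >= an + ns:   # OPT lives in Additional
                return _ecs_from_options(rdata)
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated DNS message") from exc
    return None


def select_record(msg, source_ip, use_ecs):
    """Pick the A record by geo-location of the ECS subnet, else of the source IP."""
    lookup = ipaddress.ip_address(source_ip)
    if use_ecs:
        try:
            subnet = parse_ecs(msg)
        except ValueError:
            subnet = None     # assumption: a malformed option falls back to the source
        if subnet is not None:
            lookup = subnet.network_address
    for net, record in GEO_TO_RECORD:
        if lookup.version == net.version and lookup in net:
            return record
    return None
```

The subnet in the option is supplied by whoever sent the query, so the same source address 11.11.11.11 maps to vs1 or vs2 depending only on that field.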
The following commands configure example GSLB sites and their respective
geo-locations and SLB servers with virtual servers.
geo-location
Description Configure a geographic location. GSLB forwards client requests from IP
addresses within the location’s range to the GSLB site that serves the location.
This command takes you to the geo-location configuration level within a GSLB
policy, where the following options are available:
Command Description
ip start-ipv4-addr {mask ipv4-mask | end-ipv4-addr} Specify the beginning IP address and subnet mask or ending IP
address for an IPv4 address range.
ipv6 start-ipv6-addr {mask ipv6-mask | end-ipv6-addr} Specify the beginning IP address and subnet mask or ending IP
address for an IPv6 address range.
Default None.
Usage To prefer the location configured with this command over a globally configured
location, use the gslb policy geo-location match-first policy command.
(See “geo-location-match” on page 203.)
geo-location-match
Description Configure the policy to prefer either the globally configured geo-location or the
one configured in this policy. If a client IP address matches the IP ranges in a
globally configured location and in a location configured in this policy, the geo-
location match-first command specifies which matching geo-location to use.
Parameter Description
match-first {global | policy} Configure policy to prefer either the globally configured geo-location or
the one configured in the policy. If a client IP address matches IP ranges
in a globally configured location and in a location configured in the
policy, the command specifies the geo-location that is used.
• global - GSLB prefers globally configured locations.
• policy - GSLB prefers locations configured in this policy.
The default is global.
overlap [global | policy] Enables overlap matching mode. If there are overlapping addresses in
the geo-location database, use this option to enable the ACOS device to
find the most precise match.
• global - GSLB prefers globally configured locations.
• policy - GSLB prefers locations configured in this policy.
The default is global.
Usage If you suspect a public IP address in your domain is not unique and the same IP
address may be associated with different hosts, you can enable the geo-location
overlap option. This causes the ACOS device to search the geo-location database
for the best match (or longest matching IP address). Otherwise, the ACOS device
will use its default behavior, which is to scan the specified geo-location database
using the “match first” algorithm, which uses the first IP address-region mapping
discovered. (See “Geo-location Overlap” on page 90.)
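The difference between the "match first" scan and overlap matching, as an added Python example (not ACOS code). It assumes that the preferred scope (global or policy) is scanned first in match-first mode and breaks ties in overlap mode, and that "most precise" means the narrowest range; the branch and dmz entries are constructed, and only IPv4 is handled.

```python
import ipaddress
from typing import NamedTuple


class GeoEntry(NamedTuple):
    name: str
    scope: str    # "global" or "policy"
    first: int    # first address of the range, as an integer
    last: int     # last address of the range, as an integer


def entry(name, scope, start, mask=None, end=None):
    """Build an entry from either form of the ip command: start + mask, or start + end."""
    if mask is not None:
        net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        return GeoEntry(name, scope, int(net[0]), int(net[-1]))
    return GeoEntry(name, scope,
                    int(ipaddress.ip_address(start)),
                    int(ipaddress.ip_address(end)))


# Overlapping ranges, in database order.
GEO_DB = [
    entry("pc", "global", "10.1.0.0", mask=16),
    entry("pc.office", "global", "10.1.1.0", mask=24),
    entry("pc.lab", "global", "10.1.2.0", mask=24),
    entry("branch", "policy", "10.1.1.128", mask=25),        # constructed
    entry("dmz", "global", "10.1.2.10", end="10.1.2.20"),    # constructed
]


def lookup(db, client_ip, mode="match-first", prefer="global"):
    """Return the geo-location name for client_ip, or None if nothing matches."""
    if mode not in ("match-first", "overlap") or prefer not in ("global", "policy"):
        raise ValueError("unknown mode or preference")
    ip = int(ipaddress.ip_address(client_ip))
    matches = [e for e in db if e.first <= ip <= e.last]
    if not matches:
        return None
    # Stable sort: preferred scope first, database order kept within each scope.
    ordered = sorted(matches, key=lambda e: e.scope != prefer)
    if mode == "match-first":
        return ordered[0].name
    # Overlap mode: narrowest range wins; min() keeps the preferred scope on ties.
    return min(ordered, key=lambda e: e.last - e.first).name


if __name__ == "__main__":
    for ip in ("10.1.1.200", "10.1.1.5", "10.1.2.15", "192.0.2.1"):
        print(ip,
              "match-first:", lookup(GEO_DB, ip),
              "| overlap:", lookup(GEO_DB, ip, mode="overlap"))
```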
Example The following command configures the GSLB controller to prefer locations
configured in this policy:
geographic
Description Enable or disable the Geographic metric. The Geographic metric prefers sites
that are within the geographic location of the client.
Default Enabled
health-check
Description Enable or disable the Health-Check metric. The Health-Check metric prefers sites
that pass their health checks.
Default Enabled
Usage This metric requires the GSLB protocol to be enabled both on the GSLB controller
and site ACOS devices, if the default health checks are used on the service IPs.
If you use a custom health monitor, or you explicitly apply the default Layer 3
health monitor to the service, the GSLB protocol is not used for any of the health
checks. In this case, the GSLB protocol is not required to be enabled on the site
ACOS devices, although use of the protocol is still recommended.
ip-list
Description Use an IP list to exclude a set of IP addresses from aRDT polling.
Default None
Example The following commands configure a GSLB IP list and use the list to exclude IP
addresses from aRDT data collection:
least-response
Description Enable or disable the Least-Response metric, which prefers VIPs that have the
fewest hits.
Default Disabled
metric-fail-break
Description Enable GSLB to stop if there are no valid service IPs.
Default Disabled
metric-force-check
Description Force the GSLB controller to always check all metrics in the policy.
Default By default, the GSLB controller stops evaluating metrics for a site once a metric
comparison definitively selects or rejects a site.
metric-order
Description Configure the order in which the GSLB metrics in this policy are used.
Parameter Description
metric [metric ...] One or more of the following metrics:
active-rdt
active-servers
admin-ip
admin-preference
bw-cost
capacity
connection-load
geographic
health-check
least-response
num-session
weighted-ip
weighted-site
Usage The first metric you specify with this command becomes the primary metric. If
you specify additional parameters, they are used in the priority you specify. All
remaining metrics are prioritized to follow the metrics you specify.
The GSLB Controller uses each metric, in the order specified, to compare the IP
addresses returned in DNS replies to clients. If a metric is disabled, the metric
order does not change. The GSLB Controller skips the metric and continues to
the next enabled metric.
To display the metric order used in a policy, see “show gslb policy” on page 225.
num-session
Description Configure the Num-Session metric, which evaluates a site based on available
session capacity and tolerance threshold compared to another site. Sites that are at
or below their thresholds of current available sessions are preferred over sites
that are above their thresholds.
When dealing with smaller base numbers, a small fluctuation in the number of
available sessions can cause flapping from one site to another. Thus, when
configuring sites with smaller capacities, it is recommended to use a larger
tolerance number to prevent frequent flapping between preferred sites.
Example Site A has 800,000 sessions available and Site B has 600,000 sessions available. If
Num-Session is enabled, then Site A is preferred because it has a larger number
of available sessions than site B.
If the tolerance option is enabled (with a default value of 10 percent), and if Site
A has 800,000 sessions available and Site B has 600,000 sessions available, then
Site A will continue to be preferred until Site B’s available sessions exceed Site A’s
available sessions by more than 10 percent. In this case, Site A will remain the
preferred site until Site B’s available sessions exceed 800,000 by more than ten
percent (or 80,000 sessions). If Site A’s available sessions remain constant, and
Site B’s available sessions increase to the point that they exceed 880,000
sessions, then Site B would become the preferred site.
The num-session tolerance command has no negative form. To reset the Num-
Session tolerance back to default, enter the following command, which changes
the Num-Session tolerance back to the default percentage:
num-session tolerance 10
Default Disabled.
Usage The GSLB ACOS device considers site SLB devices to be equal if the difference in
the number of available sessions on each device does not exceed the tolerance
percentage. The tolerance percentage ensures that minor differences in available
sessions do not cause frequent, unnecessary changes in site preference.
This metric requires the GSLB protocol to be enabled both on the GSLB controller
and on the site ACOS devices.
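The Num-Session tolerance rule from the Site A / Site B example, run over a series of samples to show the flapping that the tolerance prevents; this is an added Python example, not ACOS code. The function names and the small-site sample series are constructed, and a tolerance of 0 is used here only as a "no tolerance" baseline for comparison.

```python
def preferred_site(current, available, tolerance_pct):
    """Return the preferred site given available sessions per site.

    The current site keeps its preference until another site's available
    sessions exceed its own by more than tolerance_pct percent.
    """
    best = max(available, key=available.get)
    if current is None or current not in available:
        return best
    # Integer comparison of best > current * (1 + tolerance/100).
    if available[best] * 100 > available[current] * (100 + tolerance_pct):
        return best
    return current


def run(samples, tolerance_pct):
    """Replay samples; return (number of preference changes, preferred site per sample)."""
    current, flaps, history = None, 0, []
    for available in samples:
        chosen = preferred_site(current, available, tolerance_pct)
        if current is not None and chosen != current:
            flaps += 1
        current = chosen
        history.append(chosen)
    return flaps, history


# The page's numbers: Site A holds the preference up to and including 880,000 on Site B.
LARGE_SITES = [
    {"A": 800_000, "B": 600_000},
    {"A": 800_000, "B": 880_000},
    {"A": 800_000, "B": 880_001},
]

# Constructed small sites whose available sessions fluctuate by a few sessions.
SMALL_SITES = [
    {"A": 100, "B": 95},
    {"A": 96, "B": 101},
    {"A": 102, "B": 98},
    {"A": 97, "B": 103},
]

if __name__ == "__main__":
    print("large sites, tolerance 10:", run(LARGE_SITES, 10))
    print("small sites, no tolerance:", run(SMALL_SITES, 0))
    print("small sites, tolerance 10:", run(SMALL_SITES, 10))
```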
num-session-enable
Description Enable or disable the Num-Session metric.
Default Disabled
round-robin
Description Configure the Round-Robin metric, which selects sites in sequential order.
Default Enabled
Usage The ACOS device uses Round-Robin to select a site at the end of the policy
parameters evaluation. This is true even if the Round-Robin metric is disabled in
the GSLB policy.
weighted-alias
Description Enable the Weighted Alias metric, which prefers CNAME records with higher
weight values over CNAME records with lower weight values. This metric is
similar to Weighted-IP, but applies only to DNS CNAME records.
Default Disabled
1. At the configuration level for the GSLB service, use the weight command to
assign a weight to the DNS CNAME record for the service. (See “gslb service-
ip” on page 143.)
2. At the configuration level for the GSLB policy: (See “Weighted-Alias” on
page 61.)
• Enable the Weighted Alias metric.
• Enable one or both of the following DNS options, as applicable to your
deployment:
• DNS backup-alias
• DNS geoloc-alias
3. If using the backup-alias option, use the dns-cname-record as-backup
option on the service. (See “gslb service-ip” on page 143.)
weighted-ip
Description Configure the Weighted-IP metric, which uses service IP addresses with higher
weight values more often than addresses with lower weight values.
The total-hits option will send requests to the service IP addresses that have
fewer hits first. After all service IP addresses have the same number of hits, GSLB
sends requests based on weight. This option is disabled by default.
Default Disabled
Usage As a simple example, assume that the Weighted-IP metric is the only enabled
metric, or at least always ends up being used as the tie breaker. The total-hits
option is disabled. IP address 10.10.10.1 has weight 4 and IP address 10.10.10.2
has weight 2. During a given session aging period, the first 4 requests go to
10.10.10.1, the next 2 requests go to 10.10.10.2, and so on, (4 to 10.10.10.1, then
2 to 10.10.10.2).
Here is an example using the same two servers and weights, with the total-
hits option enabled. IP address 10.10.10.1 has weight 4 and total hits 8, and IP
address 10.10.10.2 has weight 2 and total hits 0. In this case, the first 4 requests
go to 10.10.10.2, then the requests are distributed according to weight. Four
requests go to 10.10.10.1, then two requests go to 10.10.10.2, and so on. To
display the total hits for a service IP address, use the show gslb service-ip
command. (See “gslb service-ip” on page 143.)
weighted-ip-enable
Description Enable selection of the Service-IP by weighted preference.
Default Disabled
weighted-site
Description Configure the Weighted-Site metric, which uses sites with higher weight values
more often than sites with lower weight values.
The total-hits option will send requests to the service IP addresses that have
fewer hits first. After all service IP addresses have the same number of hits, GSLB
sends requests based on weight. This option is disabled by default.
Default Disabled. When Weighted-Site metric is enabled, default weight of each site is 1.
Usage As a simple example, assume that the Weighted-Site metric is the only enabled
metric, or at least always ends up being the tie breaker. Site A has weight 4 and
site B has weight 2. During a given session aging period, the first 4 requests go to
site A, the next 2 requests go to site B, and so on, (4 to A, then 2 to B).
This example uses the same two sites and weights, with the total-hits option
enabled: Site A has weight 4 with total hits 8; site B has weight 2 with total hits 0.
In this case, the first 4 requests go to site B, then requests are sent as described
above. Four requests go to site A, then 2 requests go to site B, and so on.
weighted-site-enable
Description Enable selection of the Service-IP by weighted preference.
Default Disabled
Show Commands
This section describes the GSLB show commands.
Parameter Description
match domain-name Displays cached DNS messages for the matched
domain.
service-name Displays cached DNS messages for the specified service.
zone zone-name Displays cached DNS messages for the specified zone.
Mode All
Example The following command displays cached DNS messages for service
“www.testme.com:http”:
Field Description
Zone GSLB zone name.
Service GSLB service.
Alias Alias, if configured, that maps to the DNS Canonical Name (CNAME) for
the service.
Len Length of the DNS message, in bytes.
TTL Number of seconds for which the cached message is still valid.
Mode All
Usage The show gslb config command can be used in shared partitions, L3V partitions,
and GSLB view.
When used within a shared partition, the show gslb config command can
include the following:
When used within a L3V partition, the show gslb config command can include
the following:
NOTE: When the show gslb config command is used within a L3V partition,
the following command completions are not supported: active-rdt, dns,
geo-location, protocol, system, and view.
When used in gslb-view, the show gslb config command can include the
following:
NOTE: When the show gslb config command is used in gslb-view, the following
command completions are not supported: active-rdt, dns, geo-location,
protocol, service-ip, system, and view.
When using the new show gslb config command filters in L3V partitions, only
the following command completions are supported: group, ip-list, policy,
service-ip, site, template, and zone.
The following show gslb config command options are not supported in L3V
deployments, and by extension, not supported by the new gslb show command
enhancements: active-rdt, dns, geo-location, protocol, system and view.
CLI Example
Mode All
[file [file-name]]
[rdt
[active [geo-location-name ...]
[site site-name] [depth num]]
Parameter Description
db [options] Displays the geo-location database. If you specify a geo-location name, only the
entries for that geo-location are shown. Otherwise, entries for all geo-locations are
shown.
• ip-range – Displays entries for the specified IP address range.
• depth num – Specifies how many nodes within the geo-location data tree to
display. For example, to display only continent and country entries and hide
individual state and city entries, specify depth 2. By default, the full tree (all nodes) is
displayed.
• directory num – Displays entries for the specific geo-location database
directory.
• top num [percent [global]] – Display the top statistics for the selected geo-
location database.
• statistics – Displays client statistics for the specified geo-location.
file [file-name] Displays the geo-location database files on the ACOS device, and their load status.
(Data from a geo-location database file does not enter the geo-location database
until you load the file. See “gslb system geo-location load” on page 149.)
ip ipaddr Displays geo-location database entries for the specified IP address.
• statistics – Displays client statistics for the specified geo-location.
• policy policy-name – Filter output by policy.
ipv6 ipv6addr Displays geo-location database entries for the specified IPv6 address.
• statistics – Displays client statistics for the specified geo-location.
• policy policy-name – Filter output by policy.
rdt [options] Displays aRDT data for geo-locations. You can use the following options:
• active – Displays data for aRDT.
• geo-location-name – Displays aRDT data only for the specified GSLB geo-
location.
• site site-name – Displays aRDT data only for the specified GSLB site.
• depth num – Specifies how many nodes within the geo-location data tree to
display. For example, to display only continent and country entries and hide
individual state and city entries, specify depth 2.
By default, the full tree (all nodes) is displayed.
Mode All
Usage The matched client IP address and the hits counter indicate the working status of
the geo-location configuration.
Example The following command shows the status of a geo-location db named “pc”:
Geo-location: arin
From To/Mask Last Hits Sub T P-Name
--------------------------------------------------------------------------------
0 21 G
ACOS#
Field Description
Geo-location Name of the geo-location.
From Beginning address in the address range assigned to the geo-location.
To Ending address in the address range assigned to the geo-location.
Last Client IP address that most recently matched the geo-location. If the
value is “empty”, no client addresses have matched.
Hits Total number of client IP addresses that have matched the geo-location.
Sub Number of sublocations within the geo-location. For example, if you
configure the following geo-locations, geo-location “pc” has two
sublocations, “pc.office” and “pc.lab”.
geo-location pc 10.1.0.0 mask /16
geo-location pc.office 10.1.1.0 mask /24
geo-location pc.lab 10.1.2.0 mask /24
T Type of geo-location:
• G – The geo-location is configured at the global level in the ACOS
device configuration.
• P – The geo-location is configured within a GSLB policy.
P-Name Name of the GSLB policy where the geo-location is configured.
Example The following command shows the load status information for a geo-location
database file:
Global
Name From To/Mask Last Hits Sub T
------------------------------------------------------------------------------
NA (empty) (empty) (empty) 0 1 G
Mode All
Example The following commands add a GSLB controller to the default GSLB group,
enable the device’s membership in the group, and display group information:
Field Description
Name Name of the GSLB controller group.
Pri Priority of the master controller.
Attrs GSLB group attributes of this member:
• D – Member is disabled.
• L – Group learning is enabled on this member.
• P – Member’s connection with this member (the member on
which you enter the show gslb group command) is passive.
Field Description
Member GSLB controllers currently in the group.
The “local” member is the GSLB controller on which you entered this show command.
ID Group member ID assigned by the controller group feature.
Pri Priority of the GSLB controller.
Attrs GSLB group attributes of the member:
• D – Member is disabled.
• L – Group learning is enabled on this member.
• P – Member’s connection with this member (the member on which you enter the show gslb
group command) is passive.
The group connection between any two controller group members is a client-server connection.
The group member that initiates the connection is the client, and has the passive side of the
connection. The other member is the server.
• * – Member is the current master for the group.
Note: Attributes are displayed only when at least two group members are connected.
Status When the GSLB group is starting up, this column shows the protocol status. After the group is
established, this column shows the group status.
Protocol status:
• Idle
• Active
• OpenSent
• OpenConfirm
• Established
Note: If the group status of the member is OK, this ACOS device (the one on which you entered the
command) knows of the member, but no connection between this ACOS device and the member is
required.
Mode All
Mode All
Mode All
Field Description
Policy name Name of the GSLB policy.
Type Name of the GSLB metric.
MO For GSLB metrics, indicates the order in which the metrics are used.
Option Metric or option name.
En-Value For metric, indicates whether they are enabled (yes or no). For
options, indicates the value.
Description Description of the metric or option.
Mode All
Example The following command shows GSLB protocol status information on an ACOS
device acting as a GSLB controller:
[geo-location
[active [geo-location-name ...]
[site site-name] [depth num]]
[slb-device
[active [geo-location-name ...]
[ip ipaddr [...]]] |
Parameter Description
geo-location Displays aRDT data based on geo-location. Optional parameter includes:
• active – Displays data for aRDT. Optional parameter modifiers include:
• geo-location-name – Displays aRDT data only for the specified GSLB geo-location.
• site site-name – Displays aRDT data only for the specified GSLB site.
• depth num – Specifies how many nodes within the geo-location data tree to display.
For example, to display only continent and country entries and hide individual state
and city entries, specify depth 2.
By default, the full tree (all nodes) is displayed.
slb-device Displays aRDT data based on SLB device. Optional parameter includes:
• active – Displays data for aRDT. Optional parameter modifiers include:
• device-name – Displays aRDT data only for the specified device.
• ip ipaddr [...] – Displays aRDT data only for the specified clients.
By default, the full tree (all nodes) is displayed.
Mode All
Usage All of the options except local-info are applicable when you enter the
command on a GSLB ACOS device. To display local aRDT data on a site ACOS device,
enter the command on the site ACOS device and use the local-info option.
Example Here is an example of the output for this command when entered on the GSLB
ACOS device:
Device: site2/local
IP TTL T| 1 2 3 4 5 6 7 8
------------------------------------------------------------------------------
10.10.10.2 10 A| 35 52 35 40 54 56 44 48
20.20.20.21 10 A| 20 20 16 16 20 16 20 18
192.168.217.1 10 A| 16 44 20 16 20 18
192.168.217.11 10 A| 20 20 16 16 20 16 20 18
This example shows the default display (with no additional options). The TTL
results are organized by site ACOS device, then by geo-location.
Field Description
Device Site ACOS device.
IP IP address at the other end of the aRDT exchange.
TTL Time-to-live for the Active-TT entry.
T RDT type, which can be A (aRDT).
1-8 Individual aRDT measurements (in units of seconds).
Geo-location Geo-location name for which aRDT measurements have been
taken.
Site GSLB site name within the geo-location.
T RDT type. (See descriptions above.)
RDT Individual aRDT measurements (in units of seconds).
TS System time stamp of the aRDT measurement.
Parameter Description
service-name | vipaddr Specifies the service name or service IP.
port-num Specifies the virtual port.
range-start Specifies the range start.
range range-start range-end Collects samples only for the specified range of service
port numbers.
Mode All
Usage The number of connections on the site is sampled based on the GSLB status
interval. (This is configurable using the gslb protocol command. See “gslb protocol”
on page 139.) Samples are listed row by row. The first 7 samples appear on
row 1, the second 7 samples appear on row 2, and so on.
Example The following example shows connection activity for virtual port 80 on virtual
server “china”.
Parameter Description
num-samples Number of connection-load samples to collect and display.
num-samples Number of seconds to wait between collection of each sample.
service-name | vipaddr Collects samples only for the specified service IP.
port-num Collects samples only for the specified service port number.
Mode All
----------------------------------------------------------------------------
1 | 120 0 0 0 180
In this example, five samples, taken at 5-second intervals, are shown for each of
four services (ip1:80 to ip4:80). Services are listed by service IP and service port.
In each section, the numbers across the top are column numbers. The numbers
along the leftmost column are row numbers. The other numbers are the actual
connection load data. For example, for ip1:80 (service port 80 on service IP “ip1”),
there were no connections during the first or second data samples, and 11
connections during the third sample.
[geo-location
[active [geo-location-name ...]
[site site-name] [depth num]]
[slb-device
[active [geo-location-name ...]
[device-name] [ip A.B.C.D ...]]
[controller
[active [geo-location-name ...]
[device-name] [ip A.B.C.D ...]]
Parameter Description
geo-location Displays aRDT data based on geo-location. Optional parameter includes:
• active – Displays data for aRDT. Optional parameter modifiers include:
• geo-location-name – Displays aRDT data only for the specified GSLB geo-location.
• site site-name – Displays aRDT data only for the specified GSLB site.
• depth num – Specifies how many nodes within the geo-location data tree to display.
For example, to display only continent and country entries and hide individual state
and city entries, specify depth 2.
By default, the full tree (all nodes) is displayed.
slb-device Displays aRDT data based on SLB device. Optional parameter includes:
• active – Displays data for aRDT. Optional parameter modifiers include:
• device-name – Displays aRDT data only for the specified device.
• ip ipaddr [...] – Displays aRDT data only for the specified clients.
By default, the full tree (all nodes) is displayed.
Mode All
Usage Eight aRDT samples are displayed for each device. Times are shown in
10-millisecond (ms) increments. In the example below, the first aRDT time for
Device1 is 50 ms.
Parameter Description
cache Displays service information in the GSLB DNS cache.
dns-a-record Displays Address records for GSLB services.
dns-cname-record Displays CNAME records for GSLB services.
dns-mx-record Displays MX records for GSLB services.
dns-ns-record Displays name server records for GSLB services.
dns-ptr-record Displays pointer records for GSLB services.
dns-srv-record Displays service records for GSLB services.
dns-txt-record Displays service records for GSLB services.
session Displays current GSLB sessions for services.
service-name Specifies a service name.
zone zone-name Specifies a zone name.
ip ipaddr {subnet-mask | /mask-length} Specifies a client host or subnet address. (This option
applies only to the session option.)
Mode All
Example The following example shows CNAME information for zone “example.com”:
dns-ns-record |
dns-ptr-record |
dns-srv-record |
dns-txt-record |
session [ip ipaddr | ipv6 ipv6addr] |
site-stat
]
Mode All
Parameter Description
service-name | vipaddr Specifies the service name or VIP address.
local-info Shows local SLB virtual-server information.
statistics Shows GSLB statistics for the service-IP.
Example The following command shows information for the “beijing” service:
Field Description
Service-IP Device name and service IP name.
IP IP address of the service.
V Indicates whether the service IP is a virtual server IP address (Y) or
a real server IP address (N).
E Indicates whether the service IP is enabled.
State Indicates the service IP state: UP or DOWN.
P-Cnt Number of service ports on the service IP.
Hits Number of times the service IP has been selected.
Mode All
Example The following command shows information about all the configured GSLB
service ports.
Field Description
Service-Port Service IP address and service port number.
Attrs Indicates whether the service port is reached using the GSLB
protocol or the local (SLB) protocol.
State Indicates the service state: UP or DOWN.
Act-Svrs Number of active real servers for the service.
Curr-Conn Current number of connections to the service.
Parameter Description
service-name Specifies a service name.
ip ipaddr {subnet-mask | /mask-length} Specifies a client host or subnet address.
match Specifies a domain name to match to when displaying
session information.
zone zone-name Specifies a zone name.
Mode All
Parameter Description
site-name Displays information only for the specified site.
bw-cost Displays BW-Cost information.
statistics Displays statistics.
Mode All
Example The following command shows information for GSLB site “Site1”:
23 Up
80 Up
serverB (server) Up 0
3.1.1.10 80 Up
Field Description
Site GSLB site name.
Device/server Device name and device IP address or real server name and real
server IP address.
VIP Virtual IP address for the service.
Vport Virtual port number.
State Virtual port state.
Hits Number of times the service IP was selected.
The following table describes the fields in the command output when the
bw-cost option is used.
Field Description
Site GSLB site name.
Template SNMP template name.
Current Current value of the SNMP object used for measurement.
Highest Highest value of the SNMP object used for measurement.
Limit Limit configured for the BW-Cost metric.
U Indicates whether the site is usable, based on the BW-Cost
measurement.
Type Data type of the SNMP object.
Len Data length of the SNMP object.
Value Value of the SNMP object.
TI Time interval between measurements.
site3 0 (empty)
site4 0 (empty)
The following table describes the fields in the command output when the
statistics option is used.
Field Description
Site GSLB site name.
Hits Number of times the site was selected.
Last Site that was most recently selected.
Parameter Description
device-name Displays information only for the specified SLB device.
local-info Displays local SLB device information on a site SLB device.
rdt options Displays aRDT data based on SLB device. Optional parameter includes:
• active – Displays data for aRDT. Optional parameter modifiers include:
• device-name – Displays aRDT data only for the specified device.
• ip ipaddr [...] – Displays aRDT data only for the specified clients.
By default, the full tree (all nodes) is displayed.
Mode All
Example The following command shows information about SLB device “Device1”:
-------------------------------------------------------------------
-----------
site1:Device1 1.2.2.2 200 0% 0 3
Field Description
Device Site name and device name.
IP SLB device’s IP address.
APF Administrative preference for the device.
Sesn-Uzn Current session utilization on the device.
Sesn-Num Number of sessions available on the device.
Sub-Cnt Number of service IPs on the device.
Mode All
Usage To collect state information, enable GSLB debugging and use the state option.
(See the example below.)
Example The following commands enable GSLB debugging with retention of state
information, and initiate display of the state information:
Mode All
Usage The show gslb statistics message command shows the same output as the
show gslb protocol command. Similarly, the show gslb statistics site
command shows the same output as the show gslb site statistics command,
and the show gslb statistics zone command shows the same output
as the show gslb zone statistics command.
Example The following command shows statistics for the GSLB protocol:
[site]
[statistics]
Parameter Description
zone-name Displays information only for the specified zone.
dns-info Displays the DNS information for the zone.
dns-mx-record Displays the MX records for the zone(s).
dns-ns-record Displays the name server records for the zone(s).
dns-soa-record Displays the start-of-authority records for the zone(s).
site Displays statistics for the zone(s) by related site.
statistics Displays statistics for the zone(s).
Mode All
Field Description
Zone Zone name.
Service Service type and service name.
Policy GSLB policy name.
TTL DNS TTL value set by GSLB in DNS replies to queries for the zone
address.
Field Description
Owner Zone and service name to which the MX record belongs.
MX-Record Name of the MX record.
Pri Priority (preference) set for the MX record.
Hits Number of times the record has been used.
Last Most recent time the record was used.
Field Description
GSLB Zone Zone name.
Total Number of Services configured Number of GSLB services configured for the zone.
Service Service type and service name.
Rcv-query Number of DNS queries received for the service.
Sent-resp Number of DNS replies sent to clients for the service.
M-Proxy Number of DNS replies sent to clients by the ACOS device as a DNS proxy
for the service.
M-Cache Number of cached DNS replies sent to clients by the ACOS device for the
service. (This statistic applies only if the DNS cache option is enabled in the policy.)
M-Svr Number of DNS replies sent to clients by the ACOS device as a DNS server
for the service. (This statistic applies only if the DNS server option is
enabled in the policy.)
M-Sticky Number of DNS replies sent to clients by the ACOS device to keep the
clients on the same site. (This statistic applies only if the DNS sticky option is
enabled in the policy.)
M-Backup Number of DNS replies sent to clients by the ACOS device using a backup
record.
Clear Command
The following GSLB clear command is available:
• clear gslb
clear gslb
Description Clear statistics or reset functions. Sub-command parameters are required for
specific sub-commands.
Options Description
all Clears all GSLB statistics.
cache Clears the GSLB DNS cache.
debug Clears debug statistics.
fqdn Clears FQDN statistics.
geo-location Clears geo-location statistics.
group Clears GSLB group statistics.
ip-list Clears IP-list statistics.
memory Clears memory statistics.
protocol Clears GSLB protocol statistics.
rdt Clears RDT samples.
samples Clears aRDT samples.
server Clears server statistics.
service Clears service statistics.
service-group Clears service group statistics.
service-group-session Clears service-group-session statistics.
session Clears GSLB sessions.
site Clears site statistics.
slb-device Clears SLB device samples.
statistics options Clears message, site, or zone statistics.
zone Clears zone statistics.
2