I have reason to believe that the Cisco GSS 4400 Series behaves differently from Cisco ACE NLBs with regard to the way they pass name references. I would like to know the details of how they differ, specifically the way the GSS deals with hostnames.

Essentially, I am trying to set up Kerberos authentication with the GSS.

With the ACE load balancer, I'm successful in setting up Kerberos - I have the various services use the FQDN of the ACE load balancer and authenticate based on that FQDN. Clients point to this FQDN, which eventually reaches a service after the ACE load balancer, and they authenticate with this service, still using that same FQDN.

However, with the GSS, the above configuration fails. I'm unable to authenticate based on Kerberos. It seems that the GSS does not merely forward traffic to the servers.

My ACTUAL network setup is: GSS -> 2 ACE NLBs -> 4 HTTP services, but I cannot even get the GSS -> 2 HTTP services to work.

Any information regarding GSS would be helpful. Thank you!

lululoo

1 Answer

I think your primary misconception is that the GSS is somehow in the flow of traffic. It is not.

The GSS is simply an intelligent DNS-resolution box. It monitors the status of a number of IP addresses and returns answers to DNS queries in a rough effort to balance traffic across multiple geographies.

The traffic flow itself (between the client and the server) never traverses the GSS - the GSS simply tells the client which server to target by resolving a name to an IP address.

So the GSS does not pass name references, or have anything to do with Kerberos. It simply receives a DNS request (UDP port 53), does a bit of analysis, and answers it with an IP address based on how the GSS rule is defined. No HTTP traffic ever hits the GSS.

I'm not sure if that helps address your question?

Jason Seemann
  • TBH I'm even more confused now about the specific environment / why this isn't working, but the bit about the GSS being an intelligent DNS-resolution box is very helpful. – lululoo Sep 20 '13 at 20:49
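
The answer's point, that the only thing a GSS-style box ever hands the client is a DNS answer mapping the name to an IP address, can be seen by decoding such an answer. This is an added example, not code from the original post or from Cisco; the name `app.example.com`, the addresses and the TTL are constructed, and the response is built locally rather than captured from a GSS.

```python
import socket
import struct

def build_sample_response(name, ips, ttl=5):
    # Constructed stand-in for a GSS-style answer on UDP/53 (not a capture).
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(ips), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
        for ip in ips)  # 0xc00c: compression pointer back to the question name
    return header + question + answers

def read_name(msg, off):
    # Decode a possibly compressed name; return (name, offset after it).
    labels, resume, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # pointer: jump, remember where to resume
            resume = off + 2 if resume is None else resume
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif n == 0:
            return ".".join(labels), resume if resume is not None else off + 1
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def parse_answers(msg):
    # Return [(owner, type, ttl, value)] for the answer section of a response.
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = read_name(msg, off)[1] + 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata_at, off = off + 10, off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntoa(msg[rdata_at:off])
        elif rtype == 5:
            value = read_name(msg, rdata_at)[0]
        else:
            value = msg[rdata_at:off].hex()
        records.append((owner, {1: "A", 5: "CNAME"}.get(rtype, str(rtype)), ttl, value))
    return records
```

Everything after this answer (the TCP connection, the HTTP request, the Kerberos exchange) happens between the client and the returned address; `parse_answers` can equally be fed the bytes of a real UDP/53 reply to see exactly which record types and addresses come back for the name.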