
BIG-IP® Global Traffic Manager™: Implementations

Version 11.3

Table of Contents

Legal Notices...................................................................................................11

Acknowledgments...........................................................................................13

Chapter 1:  Upgrading BIG-IP GTM to Version 11.x...............................................................17

Converting a statistics collection server to a Prober pool automatically..........................18

Chapter 2:  Sending Traffic Through BIG-IP GTM...................................................................19

Overview: Configuring GTM to screen traffic to an existing DNS server..........................20

About listeners.......................................................................................................20

About wildcard listeners........................................................................................20

Task summary..................................................................................................................21

Placing GTM on your network to forward traffic....................................................21

Creating a listener to forward traffic to a DNS server ...........................................21

Creating a wide IP.................................................................................................21

Implementation result.......................................................................................................22

Chapter 3:  Replacing a DNS Server with BIG-IP GTM..........................................................23

Overview: Replacing a DNS server with BIG-IP GTM......................................................24

About listeners.......................................................................................................24

Task summary..................................................................................................................24

Configuring a back-end DNS server to allow zone file transfers...........................25

Acquiring zone files from the legacy DNS server..................................................25

Creating a self IP address using the IP address of the legacy DNS server..........25

Designating GTM as the primary server for the zone............................................26

Creating listeners to alert GTM to DNS traffic destined for the system.................26

Creating a wide IP.................................................................................................27

Implementation result.......................................................................................................27

Chapter 4:  Load Balancing Non-Wide IP DNS Traffic to a Pool of DNS Servers................29

Overview: Screening and forwarding non-wide IP traffic to a pool of DNS servers..........30

About listeners.......................................................................................................30

Task summary..................................................................................................................30

Creating a pool of local DNS servers....................................................................31

Creating a listener that alerts GTM to DNS queries for a pool of DNS servers.............31

Implementation result.......................................................................................................31

Chapter 5:  Delegating DNS Traffic to Wide IPs......................................................................33

Overview: Delegating DNS traffic to wide IPs..................................................................34


About listeners.......................................................................................................34

Task summary..................................................................................................................34

Creating a delegated zone on a local DNS server................................................35

Creating a listener to handle traffic for wide IPs....................................................35

Implementation result.......................................................................................................35

Chapter 6:  Integrating BIG-IP GTM with Other BIG-IP Systems..........................................37

Overview: Integrating GTM with older BIG-IP systems on a network..............................38

About iQuery and communications between BIG-IP systems...............................38

Task summary..................................................................................................................38

Defining a data center...........................................................................................38

Defining BIG-IP GTM systems..............................................................................39

Defining BIG-IP LTM systems...............................................................................40

Running the big3d_install script............................................................................41

Implementation result.......................................................................................................42

Chapter 7:  Integrating BIG-IP LTM with BIG-IP GTM Systems.............................................43

Overview: Integrating LTM systems with GTM systems on a network.............................44

Task summary..................................................................................................................44

Defining a data center...........................................................................................44

Defining BIG-IP GTM systems..............................................................................45

Defining BIG-IP LTM systems...............................................................................46

Running the bigip_add utility.................................................................................47

Implementation result.......................................................................................................47

Chapter 8:  Ensuring Correct Synchronization When Adding GTM to a Network...............49

Overview: Ensuring correct synchronization when adding GTM to a network.................50

About configuration synchronization.....................................................................50

About adding an additional BIG-IP GTM to your network.....................................50

Task summary..................................................................................................................50

Defining an NTP server on the existing GTM........................................................51

Enabling synchronization on the existing GTM.....................................................51

Creating a data center on the existing GTM..........................................................51

Defining a server on the existing GTM..................................................................52

Running the gtm_add script on the new GTM.......................................................53

Implementation result.......................................................................................................53

Chapter 9:  Configuring BIG-IP GTM VIPRION Systems........................................................55

Overview: Configuring BIG-IP GTM VIPRION systems...................................................56

Configuring virtual server status for clusters.........................................................56

Chapter 10:  Setting Up a BIG-IP GTM Redundant System Configuration..........................57

Overview: Configuring a BIG-IP GTM redundant system.................................................58


Task summary..................................................................................................................58

Defining an NTP server.........................................................................................58

Creating listeners to identify DNS traffic................................................................59

Defining a data center...........................................................................................59

Defining a server ..................................................................................................60

Enabling global traffic configuration synchronization............................................60

Running the gtm_add script .................................................................................61

Chapter 11:  Configuring GTM on a Network with One Route Domain................................63

Overview: How do I deploy BIG-IP GTM on a network with one route domain?..............64

Task summary..................................................................................................................64

Creating VLANs for a route domain on BIG-IP LTM..............................................65

Creating a route domain on the BIG-IP system.....................................................65

Creating a self IP address for a route domain on BIG-IP LTM..............................66

Defining a server for a route domain on BIG-IP GTM...........................................67

Implementation result.......................................................................................................67

Chapter 12:  Configuring GTM on a Network with Multiple Route Domains.......................69

Overview: How do I deploy BIG-IP GTM on a network with multiple route domains?......70

Task summary..................................................................................................................71

Creating VLANs for a route domain on BIG-IP LTM..............................................72

Creating a route domain on BIG-IP LTM...............................................................72

Creating a self IP address for a route domain on BIG-IP LTM..............................73

Disabling auto-discovery at the global-level on BIG-IP GTM................................73

Defining a server for a route domain on BIG-IP GTM...........................................73

Implementation result.......................................................................................................74

Chapter 13:  Authenticating with SSL Certificates Signed by a Third Party........................75

Overview: Authenticating with SSL certificates signed by a third party............................76

About SSL authentication levels............................................................................76

Configuring Level 1 SSL authentication...........................................................................76

Importing the device certificate.............................................................................76

Importing the root certificate for the gtmd agent...................................................77

Importing the root certificate for the big3d agent...................................................77

Verifying the certificate exchange..........................................................................77

Implementation Results....................................................................................................78

Configuring certificate chain SSL authentication.............................................................78

Creating a certificate chain file .............................................................................78

Importing the device certificate from the last CA server in the chain....................78

Importing a certificate chain file for the gtmd agent..............................................79

Importing a certificate chain for the big3d agent...................................................79

Verifying the certificate chain exchange................................................................79

Implementation result.......................................................................................................80


Chapter 14:  Configuring the Save Interval for GTM Configuration Changes.....................81

Overview: Configuring the interval at which GTM saves configuration changes..............82

Task summary..................................................................................................................82

Configuring the GTM save interval........................................................................82

Implementation result.......................................................................................................82

Chapter 15:  Configuring a TTL in a DNS NoError Response...............................................83

Overview: Configuring a TTL in an IPv6 DNS NoError Response...................................84

About SOA records and negative caching.......................................................................84

Task summary..................................................................................................................84

Creating a pool......................................................................................................84

Creating a wide IP that provides for negative caching .........................................85

Implementation result.......................................................................................................85

Chapter 16:  Configuring DNS64.............................................................................................87

Overview: Configuring DNS64.........................................................................................88

Task summary..................................................................................................................88

Creating a custom DNS profile .............................................................................88

Assigning a DNS profile to a virtual server............................................................89

Implementation result.......................................................................................................90

Chapter 17:  Configuring DNSSEC..........................................................................................91

Overview: Configuring DNSSEC......................................................................................92

How do I prepare for a manual rollover of a DNSSEC key?..................................92

About enhancing DNSSEC key security...............................................................92

Task summary..................................................................................................................93

Creating listeners to identify DNS traffic................................................................93

Creating DNSSEC key-signing keys.....................................................................94

Creating DNSSEC zone-signing keys...................................................................95

Creating DNSSEC zones......................................................................................96

Confirming that GTM is signing DNSSEC records ...............................................97

Viewing DNSSEC records in ZoneRunner............................................................97

Implementation result.......................................................................................................97

Chapter 18:  Configuring DNS Express..................................................................................99

How do I configure DNS Express?.................................................................................100

What is DNS Express?........................................................................................100

Task summary................................................................................................................100

Configuring a back-end DNS server to allow zone file transfers.........................100

Creating a DNS Express TSIG key.....................................................................100

Creating a DNS Express zone............................................................................101

Enabling DNS Express .......................................................................................102


Assigning a DNS profile to a listener...................................................................103

Viewing information about DNS Express zones..................................................103

Implementation result.....................................................................................................103

Chapter 19:  Caching DNS Responses from External Resolvers.......................................105

Overview: Improving DNS performance by caching responses from external resolvers....................106

Task summary................................................................................................................106

Creating a transparent DNS cache.....................................................................107

Creating a custom DNS profile for transparent DNS caching.............................107

Assigning a custom DNS profile to a GTM listener.............................................108

Creating a custom DNS monitor..........................................................................108

Creating a pool of local DNS servers..................................................................108

Determining DNS cache performance................................................................109

Clearing a DNS cache.........................................................................................110

Implementation result.....................................................................................................111

Chapter 20:  Resolving DNS Queries and Caching Responses.........................................113

Overview: Improving DNS performance by resolving queries and caching responses.................114

Task summary................................................................................................................115

Creating a resolver DNS cache...........................................................................115

Creating a custom DNS profile for DNS resolving and caching..........................115

Assigning a custom DNS profile to a GTM listener.............................................116

Determining DNS cache performance................................................................116

Clearing a DNS cache.........................................................................................118

Implementation result.....................................................................................................118

Chapter 21:  Resolving DNS Queries and Caching Validated Responses.........................119

Overview: Resolving queries and caching validated responses....................................120

Task summary................................................................................................................121

Creating a validating resolver DNS cache...........................................................121

Creating a custom DNS profile for validating resolver DNS caching...................122

Assigning a custom DNS profile to a GTM listener.............................................123

Determining DNS cache performance................................................................123

Clearing a DNS cache.........................................................................................125

Implementation result.....................................................................................................126

Chapter 22:  Customizing a DNS Cache...............................................................................127

Overview: Customizing a DNS cache............................................................................128

Configuring a DNS cache to answer queries for local zones..............................128

Configuring a DNS cache to use specific root nameservers...............................128

Configuring a DNS cache alert for cache poisoning...........................................128


Chapter 23:  Configuring IP Anycast (Route Health Injection)...........................................131

Overview: Configuring IP Anycast (Route Health Injection)...........................................132

Task summary................................................................................................................132

Enabling the ZebOS dynamic routing protocol....................................................132

Creating a custom DNS profile............................................................................132

Configuring a listener for route advertisement....................................................133

Verifying advertisement of the route ...................................................................134

Implementation result.....................................................................................................134

Chapter 24:  Redirecting a DNS Query Using a Wide IP with a CNAME Pool....................135

Overview: Redirecting DNS queries using a wide IP with a CNAME pool ....................136

About CNAME records...................................................................................................136

Task summary................................................................................................................136

Creating a pool using a CNAME.........................................................................136

Creating a wide IP with a CNAME pool ..............................................................137

Implementation result.....................................................................................................137

Chapter 25:  Monitoring Third-Party Servers with SNMP....................................................139

Overview: SNMP monitoring of third-party servers........................................................140

Task summary................................................................................................................140

Creating an SNMP monitor.................................................................................140

Defining a third-party host server that is running SNMP.....................................140

Implementation result.....................................................................................................141

Chapter 26:  Configuring Remote High-Speed DNS Logging.............................................143

Overview: Configuring remote high-speed DNS logging................................................144

Task summary................................................................................................................145

Creating a pool of remote logging servers..........................................................146

Creating a remote high-speed log destination.....................................................146

Creating a formatted remote high-speed log destination....................................147

Creating a publisher ...........................................................................................147

Creating a custom DNS Logging profile for logging DNS queries ......................147

Creating a custom DNS Logging profile for logging DNS responses..................148

Creating a custom DNS Logging profile for logging DNS queries and responses.......148

Creating a custom DNS profile to enable DNS logging ......................................149

Configuring a GTM listener for DNS logging.......................................................149

Disabling DNS logging .......................................................................................149

Implementation result.....................................................................................................150

Chapter 27:  Configuring Device-Specific Probing and Statistics Collection...................151

Overview: Configuring device-specific probing and statistics collection.........................152


About Prober pools..............................................................................................152

About Prober pool status.....................................................................................153

About Prober pool statistics.................................................................................153

Task summary................................................................................................................154

Creating a Prober pool........................................................................................154

Assigning a Prober pool to a data center............................................................154

Assigning a Prober pool to a server....................................................................155

Viewing Prober pool statistics and status............................................................155

Determining which Prober pool member marked a resource down....................156

Implementation result.....................................................................................................156

Chapter 28:  Setting Up and Viewing DNS Statistics...........................................................157

Overview: Setting up and viewing DNS statistics...........................................................158

Task summary................................................................................................................158

Creating a DNS profile for DNS AVR statistics collection....................................159

Configuring a GTM listener for DNS AVR statistics collection.............................159

Viewing DNS AVR statistics................................................................................159

Viewing DNS AVR statistics in tmsh....................................................................160

Viewing DNS global statistics..............................................................................161

Viewing DNS statistics for a specific virtual server..............................................161

Implementation result.....................................................................................................161

Chapter 29:  Diagnosing Network Connection Issues.........................................................163

Diagnosing network connection issues..........................................................................164

Viewing iQuery statistics ....................................................................................164

iQuery statistics descriptions...............................................................................164


Legal Notices

Publication Date

This document was published on January 31, 2014.

Publication Number

MAN-0388-02

Copyright

Copyright © 2012-2014, F5 Networks, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks

Access Policy Manager, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, BIG-IQ, Cloud Extender, CloudFucious, Cloud Manager, Clustered Multiprocessing, CMP, COHESION, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, ELEVATE, EM, Enterprise Manager, ENGAGE, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, GUARDIAN, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iApps, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Manager, MSM, OneConnect, OpenBloX, OpenBloX [DESIGN], Packet Velocity, Policy Enforcement Manager, PEM, Protocol Security Manager, PSM, Real Traffic Policy Builder, Rosetta Diameter Gateway, ScaleN, Signaling Delivery Controller, SDC, SSL Acceleration, StrongBox, SuperVIP, SYNCheck, TCP Express, TDR, TMOS, Traffic Management Operating System, Traffix Diameter Load Balancer, Traffix Systems, Traffix Systems (DESIGN), Transparent Data Reduction, UNITY, VAULT, VIPRION, vCMP, virtual Clustered Multiprocessing, WA, WAN Optimization Manager, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent.

All other product and company names herein may be trademarks of their respective owners.

Patents

This product may be protected by U.S. Patents 6,374,300; 6,473,802; 6,970,733; 7,047,301; 7,707,289. This list is believed to be current as of January 31, 2014.

Export Regulation Notice

This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

RF Interference Warning

This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

FCC Compliance

This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.

Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance

This Class A digital apparatus complies with Canadian ICES-003.

Standards Compliance

This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable toInformation Technology products at the time of manufacture.


Legal Notices

Acknowledgments

This product includes software developed by Gabriel Forté.

This product includes software developed by Bill Paul.

This product includes software developed by Jonathan Stone.

This product includes software developed by Manuel Bouyer.

This product includes software developed by Paul Richards.

This product includes software developed by the NetBSD Foundation, Inc. and its contributors.

This product includes software developed by the Politecnico di Torino, and its contributors.

This product includes software developed by the Swedish Institute of Computer Science and its contributors.

This product includes software developed by the University of California, Berkeley and its contributors.

This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory.

This product includes software developed by Christopher G. Demetriou for the NetBSD Project.

This product includes software developed by Adam Glass.

This product includes software developed by Christian E. Hopps.

This product includes software developed by Dean Huxley.

This product includes software developed by John Kohl.

This product includes software developed by Paul Kranenburg.

This product includes software developed by Terrence R. Lambert.

This product includes software developed by Philip A. Nelson.

This product includes software developed by Herb Peyerl.

This product includes software developed by Jochen Pohl for the NetBSD Project.

This product includes software developed by Chris Provenzano.

This product includes software developed by Theo de Raadt.

This product includes software developed by David Muir Sharnoff.

This product includes software developed by SigmaSoft, Th. Lockert.

This product includes software developed for the NetBSD Project by Jason R. Thorpe.

This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com.

This product includes software developed for the NetBSD Project by Frank Van der Linden.

This product includes software developed for the NetBSD Project by John M. Vinopal.

This product includes software developed by Christos Zoulas.

This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman.

This product includes software developed by Balazs Scheidler ([email protected]), which is protected under the GNU Public License.

This product includes software developed by Niels Mueller ([email protected]), which is protected under the GNU Public License.

In the following statement, This software refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with 386BSD and similar operating systems. Similar operating systems includes mainly non-profit oriented systems for research and education, including but not restricted to NetBSD, FreeBSD, Mach (by CMU).

This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).

This product includes software licensed from Richard H. Porter under the GNU Library General Public License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.

This product includes the standard version of Perl software licensed under the Perl Artistic License (© 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at http://www.perl.com.

This product includes software developed by Jared Minch.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young ([email protected]).

This product contains software based on oprofile, which is protected under the GNU Public License.

This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html) and licensed under the GNU General Public License.

This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL).

This product includes software developed by the Apache Software Foundation (http://www.apache.org/).

This product includes Hypersonic SQL.

This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others.

This product includes software developed by the Internet Software Consortium.

This product includes software developed by Nominum, Inc. (http://www.nominum.com).

This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License.

This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation.

This product includes Intel QuickAssist kernel module, library, and headers software licensed under the GNU General Public License (GPL).

This product includes software licensed from Gerald Combs ([email protected]) under the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or any later version. Copyright ©1998 Gerald Combs.

This product includes software developed by Thomas Williams and Colin Kelley. Copyright ©1986 - 1993, 1998, 2004, 2007

Permission to use, copy, and distribute this software and its documentation for any purpose with or without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Permission to modify the software is granted, but not the right to distribute the complete modified source code. Modifications are to be distributed as patches to the released version. Permission to distribute binaries produced by compiling modified sources is granted, provided you


1. distribute the corresponding source modifications from the released version in the form of a patch file along with the binaries,

2. add special version identification to distinguish your version in addition to the base release version number,

3. provide your name and address as the primary contact for the support of your modified version, and

4. retain our contact information in regard to use of the base software.

Permission to distribute the released version of the source code along with corresponding source modifications in the form of a patch file is granted with same provisions 2 through 4 for binary distributions. This software is provided "as is" without express or implied warranty to the extent permitted by applicable law.

This product contains software developed by Google, Inc. Copyright ©2011 Google, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

This product includes software developed by Digital Envoy, Inc.


BIG-IP® Global Traffic Manager™: Implementations

Chapter 1: Upgrading BIG-IP GTM to Version 11.x

• Converting a statistics collection server to a Prober pool automatically

Converting a statistics collection server to a Prober pool automatically

In version 10.2 of BIG-IP® Global Traffic Manager™ (GTM™), you could assign a single BIG-IP® system to probe a server to gather health and performance data. You did this by specifying the IP address of the BIG-IP system (which you chose to perform probes of the server) in the Statistics Collection Server field of the server. In version 11.0, this feature was replaced by the Prober pool feature.

When you upgrade from version 10.2.x to version 11.x, if a single BIG-IP system was assigned to probe a server, BIG-IP GTM converts the single server to a Prober pool with one member, and then assigns the Prober pool to the server to which the Statistics Collection server was originally assigned. The name of the new Prober pool is based on the IP address of the original Statistics Collection server. If the original Statistics Collection server had an IP address of 10.10.2.3, the name of the automatically created Prober pool is prober_pool_10_10_2_3.


Chapter 2: Sending Traffic Through BIG-IP GTM

• Overview: Configuring GTM to screen traffic to an existing DNS server

• Task summary

• Implementation result

Overview: Configuring GTM to screen traffic to an existing DNS server

You can use BIG-IP® Global Traffic Manager™ (GTM™) as a traffic screener in front of an existing DNS server. With this setup, all DNS traffic flows through BIG-IP GTM. Listeners that you configure on BIG-IP GTM verify incoming DNS queries. If the query is for a wide IP, BIG-IP GTM resolves the request. If the query is for a destination that does not match a wide IP or for an IP address that is not configured on BIG-IP GTM, the system forwards the query to the specified DNS server for resolution. When forwarding a query, BIG-IP GTM transforms the source address to a self IP address on BIG-IP GTM.

Figure 1: Traffic flow when BIG-IP GTM screens traffic to a DNS server

About listeners

A listener is a specialized virtual server that uses port 53 and to which you assign a specific IP address. When a DNS name resolution request is sent to the IP address of a listener, BIG-IP GTM either handles the request locally or forwards the request to the appropriate resource.

About wildcard listeners

A wildcard listener is a special listener that is assigned an IP address of 0.0.0.0 and the DNS query port (port 53). When you want BIG-IP GTM to respond to DNS name resolution requests coming into your network, regardless of the destination IP address of the given request, you create a wildcard listener. BIG-IP GTM responds not only to wide IP requests, but also forwards other DNS name resolution requests to other DNS servers.


Task summary

Perform these tasks to send traffic through BIG-IP® GTM™.

Placing GTM on your network to forward traffic
Creating a listener to forward traffic to a DNS server
Creating a wide IP

Placing GTM on your network to forward traffic

Determine to which DNS server you want BIG-IP® GTM™ to forward traffic.

Place GTM on your network between LDNS servers and clients making DNS name resolution requests.

1. Physically connect GTM to your Internet connection.

2. Connect the LDNS to an Ethernet port on GTM (optional).

3. Connect the LDNS to a switch.

Creating a listener to forward traffic to a DNS server

Determine to which DNS server you want this listener to forward traffic.

Create a listener that alerts the BIG-IP system to traffic destined for a DNS server.

1. On the Main tab, click Global Traffic > Listeners.
   The Listeners List screen opens.

2. Click Create.
   The New Listeners screen opens.

3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic.
   The destination is the IP address of a DNS server to which you want the listener to route traffic.

Important: The destination must not match a self IP address on BIG-IP GTM.

4. From the VLAN Traffic list, select All VLANs.

5. Click Finished.

Creating a wide IP

Ensure that at least one load balancing pool exists in the configuration before you start creating a wide IP.

Create a wide IP to map a FQDN to one or more pools of virtual servers that host the content of the domain.

1. On the Main tab, click Global Traffic > Wide IPs.
   The Wide IPs List screen opens.

2. Click Create.
   The New Wide IP screen opens.

3. In the Name field, type a name for the wide IP.


Tip: You can use two different wildcard characters in the wide IP name: asterisk (*) to represent several characters and question mark (?) to represent a single character. This reduces the number of aliases you have to add to the configuration.

4. From the Pool list, select the pools that this wide IP uses for load balancing.
   The system evaluates the pools based on the wide IP load balancing method configured.

   a) From the Pool list, select a pool.

A pool can belong to more than one wide IP.

b) Click Add.

5. Click Finished.

Implementation result

You now have an implementation in which BIG-IP® GTM™ receives all DNS queries. If the query is for a wide IP, BIG-IP GTM load balances the request to the appropriate resource. If the query is for an IP address of a DNS server, BIG-IP GTM either routes or forwards the query to the DNS server for resolution.


Chapter 3: Replacing a DNS Server with BIG-IP GTM

• Overview: Replacing a DNS server with BIG-IP GTM

• Task summary

• Implementation result

Overview: Replacing a DNS server with BIG-IP GTM

BIG-IP® Global Traffic Manager™ (GTM™) load balances incoming wide IP traffic to your network resources. BIG-IP GTM can also replace a local DNS server as the authoritative nameserver for wide IPs, zones, and all other DNS-related traffic. You can configure BIG-IP GTM to replace the DNS server that currently manages www.siterequest.com. BIG-IP GTM becomes the authoritative nameserver for www.siterequest.com and load balances traffic across the web-based applications store.siterequest.com and checkout.siterequest.com.

Figure 2: Traffic flow when BIG-IP GTM replaces DNS server

About listeners

A listener is a specialized virtual server that uses port 53 and to which you assign a specific IP address. When a DNS name resolution request is sent to the IP address of a listener, BIG-IP GTM either handles the request locally or forwards the request to the appropriate resource.

Task summary

Perform these tasks to replace a DNS server with BIG-IP GTM.

Configuring a back-end DNS server to allow zone file transfers
Acquiring zone files from the legacy DNS server
Creating a self IP address using the IP address of the legacy DNS server
Designating GTM as the primary server for the zone
Creating listeners to alert GTM to DNS traffic destined for the system
Creating a wide IP


Configuring a back-end DNS server to allow zone file transfers

If you are unfamiliar with how to modify DNS server files, review the fifth edition of DNS and BIND, available from O’Reilly Media.

To configure a back-end DNS server to allow zone file transfers to the BIG-IP® system, add to the DNS server an allow-transfer statement that specifies a self IP address on the BIG-IP system.

You can modify the following allow-transfer statement to use a self IP address on the BIG-IP system:

allow-transfer { localhost; <self IP address of BIG-IP system>; };

Acquiring zone files from the legacy DNS server

Ensure that you have configured the legacy DNS server with an allow-transfer statement that authorizes zone transfers to BIG-IP® GTM™.

For BIG-IP GTM to acquire zone files from the legacy DNS server, create a new zone.

1. On the Main tab, click Global Traffic > ZoneRunner > Zone List.
   The Zone List screen opens.

2. Click Create.
   The New Zone screen opens.

3. From the View Name list, select the view that you want this zone to be a member of.
   The default view is external.

4. In the Zone Name field, type a name for the zone file in this format, including the trailing dot: db.[viewname].[zonename].
   For example, db.external.siterequest.com.

5. From the Zone Type list, select Master.

6. From the Records Creation Method list, select Transfer from Server.

7. In the Source Server field, type the IP address of the DNS server (the server from which you want BIG-IP GTM to acquire zone files).

8. Click Finished.

Creating a self IP address using the IP address of the legacy DNS server

To avoid a conflict on your network, unplug BIG-IP® GTM™ from the network.

When you want BIG-IP GTM to handle DNS traffic previously handled by a DNS server, create a self IP address on BIG-IP GTM using the IP address of the legacy DNS server.

1. On the Main tab, click Network > Self IPs.
   The Self IPs screen opens.

2. Click Create.
   The New Self IP screen opens.

3. In the Name field, type a unique name for the self IP.

4. In the IP Address field, type the IP address of the legacy DNS server.
   The system accepts IPv4 and IPv6 addresses.

5. In the Netmask field, type the network mask for the specified IP address.

6. Click Finished.

The screen refreshes, and displays the new self IP address in the list.

Designating GTM as the primary server for the zone

Ensure that you have created a self IP address on BIG-IP® GTM™ using the IP address of the legacy DNS server.

Add this self IP address to the BIG-IP GTM server object. Then modify the DNS server based on your network configuration.

1. Log on to BIG-IP GTM.

2. On the Main tab, click Global Traffic > Servers.
   The Server List screen opens.

3. Click the name of the BIG-IP GTM system that you want to modify.
   The server settings and values display.

4. In the Address List area, add the new self IP address.

5. Click Update.

6. Do one of the following based on your network configuration:

• Modify the IP address of the legacy DNS server so that it becomes a secondary DNS server to BIG-IP GTM. Ensure that the IP address of the DNS server does not conflict with the self IP address that you added to the BIG-IP GTM server object.

Note: If you are using BIND servers, and you are unfamiliar with how to change a DNS server from a primary to a secondary, refer to the fifth edition of DNS and BIND, available from O’Reilly Media.

• Remove the legacy DNS server from your network.

BIG-IP GTM is now the primary authoritative name server for the zone. The servers for the zone do not need to be updated, because the IP address of the legacy DNS server was assigned to BIG-IP GTM.
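As an added example that is not part of the F5 guide, here are the two states of the siterequest.com zone stanza in the legacy BIND server's named.conf: first while it is still the primary and must permit transfers to BIG-IP GTM (the allow-transfer statement from "Configuring a back-end DNS server to allow zone file transfers"), then after GTM has taken over the legacy address and the BIND server has been re-addressed as a secondary (the first option in step 6 above). The addresses 192.0.2.20, 192.0.2.53 and 192.0.2.54 and the file names are assumed placeholders.

```bind
// State 1: the legacy BIND server is still primary. This is the stanza that
// must be in place before "Acquiring zone files from the legacy DNS server".
// allow-transfer names only localhost and the GTM self IP that performs the
// transfer; a permissive list such as { any; } would let any host pull the
// entire zone, so the ACL is the control worth checking here.
zone "siterequest.com" {
    type master;
    file "db.siterequest.com";
    allow-transfer { localhost; 192.0.2.20; };   // 192.0.2.20 = GTM self IP (assumed)
};

// State 2: GTM now owns the legacy address 192.0.2.53 as a self IP and is the
// primary. This server has been moved to 192.0.2.54 and becomes a secondary
// that pulls the zone from GTM. Only one of the two stanzas exists at a time;
// they are shown together to make the before/after change visible.
zone "siterequest.com" {
    type slave;
    file "slaves/db.siterequest.com";
    masters { 192.0.2.53; };       // GTM self IP = former legacy DNS address (assumed)
    allow-transfer { localhost; }; // the secondary does not hand the zone out further
};
```

GTM's own BIND instance must in turn permit transfers to 192.0.2.54; that setting lives in ZoneRunner on GTM, not in this file.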

Creating listeners to alert GTM to DNS traffic destined for the system

To alert the BIG-IP® GTM™ system to DNS traffic (previously handled by the DNS server), create two listeners: one that uses the UDP protocol, and one that uses the TCP protocol.

Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP, the client might receive the error "connection refused" or TCP RSTs.

1. On the Main tab, click Global Traffic > Listeners.
   The Listeners List screen opens.

2. Click Create.
   The New Listeners screen opens.

3. In the Destination field, type the IP address previously used by the legacy DNS server.

4. From the VLAN Traffic list, select All VLANs.

5. From the Protocol list, select UDP.

6. Click Finished.

Create another listener with the same IP address, but select TCP from the Protocol list.

Creating a wide IP

Ensure that at least one load balancing pool exists in the configuration before you start creating a wide IP.

Create a wide IP to map a FQDN to one or more pools of virtual servers that host the content of the domain.

1. On the Main tab, click Global Traffic > Wide IPs.
   The Wide IPs List screen opens.

2. Click Create.
   The New Wide IP screen opens.

3. In the Name field, type a name for the wide IP.

Tip: You can use two different wildcard characters in the wide IP name: asterisk (*) to represent several characters and question mark (?) to represent a single character. This reduces the number of aliases you have to add to the configuration.

4. From the Pool list, select the pools that this wide IP uses for load balancing.
   The system evaluates the pools based on the wide IP load balancing method configured.

   a) From the Pool list, select a pool.

A pool can belong to more than one wide IP.

b) Click Add.

5. Click Finished.

Implementation result

BIG-IP® GTM™ replaces the legacy DNS server as the primary authoritative nameserver for the zone. BIG-IP GTM handles all incoming DNS traffic, whether destined for a wide IP or handled by the BIND instance on the system.


Chapter 4: Load Balancing Non-Wide IP DNS Traffic to a Pool of DNS Servers

• Overview: Screening and forwarding non-wide IP traffic to a pool of DNS servers

• Task summary

• Implementation result

Overview: Screening and forwarding non-wide IP traffic to a pool of DNS servers

BIG-IP® Global Traffic Manager™ (GTM™) can function as a traffic screener in front of a pool of DNS servers. In this situation, BIG-IP GTM checks incoming DNS queries and, if the query is for a wide IP, resolves the query. Otherwise, BIG-IP GTM forwards the DNS query to one of the servers in a pool of DNS servers, and that server handles the query.

Figure 3: Traffic flow when BIG-IP GTM screens traffic to a pool of DNS servers

About listeners

A listener is a specialized virtual server that uses port 53 and to which you assign a specific IP address. When a DNS name resolution request is sent to the IP address of a listener, BIG-IP GTM either handles the request locally or forwards the request to the appropriate resource.

Task summary

Perform these tasks to screen non-wide IP traffic and forward the traffic to a pool of DNS servers.

Creating a pool of local DNS servers
Creating a listener that alerts GTM to DNS queries for a pool of DNS servers


Creating a pool of local DNS servers

Ensure that at least one custom DNS monitor exists on the BIG-IP® system. Gather the IP addresses of the DNS servers that you want to include in a pool to which the BIG-IP® system load balances DNS traffic.

Create a pool of local DNS servers when you want to load balance DNS requests to back-end DNS servers.

1. On the Main tab, click Local Traffic > Pools.
   The Pool List screen opens.

2. Click Create.
   The New Pool screen opens.

3. In the Name field, type a unique name for the pool.

4. For the Health Monitors setting, from the Available list, select the custom DNS monitor you created, and click << to move the monitor to the Active list.

5. Using the New Members setting, add each resource that you want to include in the pool:

   a) Either type an IP address in the Address field, or select a node address from the Node List.

   b) Type a port number in the Service Port field, or select a service name from the list.

   c) To specify a priority group, type a priority number in the Priority field.

   d) Click Add.

6. Click Finished.

Creating a listener that alerts GTM to DNS queries for a pool of DNS servers

Configure a listener that alerts BIG-IP® GTM™ to DNS queries destined for DNS servers that are members of a pool.

1. Log on to the command-line interface of BIG-IP GTM.

2. Type tmsh to access the Traffic Management Shell.

3. Run this command sequence to create a listener:

   create /gtm listener <name of listener> address <IP address on which you want the listener to alert GTM to DNS traffic> ip-protocol udp pool <name of pool> translate-address enabled

   The system creates a listener with the specified name and IP address that alerts BIG-IP GTM to queries destined for the members of the specified pool.

4. Run this command sequence to save the listener:

   save /sys config

5. Run this command sequence to display the listener:

   list /gtm listener

   The system displays the new listener configuration.

Implementation result

You now have an implementation in which BIG-IP® GTM™ receives DNS queries, handles wide IP requests, and forwards all other DNS queries to members of the pool of DNS servers.


Chapter 5: Delegating DNS Traffic to Wide IPs

• Overview: Delegating DNS traffic to wide IPs

• Task summary

• Implementation result

Overview: Delegating DNS traffic to wide IPs

BIG-IP® Global Traffic Manager™ (GTM™) resolves DNS queries that match a wide IP name. BIG-IP GTM can work in conjunction with an existing DNS server on your network. In this situation, you configure the DNS server to delegate wide IP-related requests to BIG-IP GTM for name resolution.

Figure 4: Traffic flow when DNS server delegates traffic to BIG-IP GTM

This implementation focuses on the fictional company SiteRequest that recently purchased BIG-IP GTM to help resolve queries for two web-based applications: store.siterequest.com and checkout.siterequest.com. These applications are delegated zones of www.siterequest.com. Currently, a DNS server manages www.siterequest.com.

SiteRequest administrators have already configured BIG-IP GTM with two wide IPs, www.store.siterequest.com and www.checkout.siterequest.com. These wide IPs correspond to the two web applications.

About listeners

A listener is a specialized virtual server that uses port 53 and to which you assign a specific IP address. When a DNS name resolution request is sent to the IP address of a listener, BIG-IP GTM either handles the request locally or forwards the request to the appropriate resource.

Task summary

Perform these tasks to delegate DNS traffic to wide IPs.

Creating a delegated zone on a local DNS server
Creating a listener to handle traffic for wide IPs


Creating a delegated zone on a local DNS server

Determine which DNS servers will delegate wide IP-related requests to BIG-IP® GTM™.

If you are using BIND servers and you are unfamiliar with how to modify the files on these servers, consider reviewing the fifth edition of DNS and BIND, available from O’Reilly Media.

In order for BIG-IP GTM to manage the web applications of store.siterequest.com and checkout.siterequest.com, you must create a delegated zone on the DNS server that manages www.wip.siterequest.com. Perform the following steps on the selected DNS server.

1. Create an address record (A record) that defines the domain name and IP address of each BIG-IP GTM in your network.

2. Create a nameserver record (NS record) that defines the delegated zone for which BIG-IP GTM is responsible.

3. Create canonical name records (CNAME records) to forward requests for store.siterequest.com and checkout.siterequest.com to the wide IPs store.siterequest.com and checkout.siterequest.com, respectively.

A delegated zone for store.siterequest.com and checkout.siterequest.com exists on each DNS server on which you performed this procedure.
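As an added example that is not part of the F5 guide, the three record types from the steps above as they would appear in the siterequest.com zone file on the legacy BIND server. The delegated subdomain wip.siterequest.com, the host names gtm1 and gtm2, the addresses 192.0.2.10 and 192.0.2.11 and the wide IP names inside the delegated zone are assumed; the CNAME targets must lie inside the delegated zone, otherwise the legacy server answers them itself and GTM is never consulted.

```zone
$ORIGIN siterequest.com.
$TTL 300

; Step 1: A records naming each BIG-IP GTM (assumed host names and addresses).
; Because these names are in the parent zone, they are ordinary authoritative
; records here and no separate glue is needed in the delegated zone.
gtm1            IN  A      192.0.2.10
gtm2            IN  A      192.0.2.11

; Step 2: NS records delegating wip.siterequest.com (assumed) to the GTMs.
; From this point the legacy server only refers resolvers to GTM for any
; name under wip.siterequest.com; it does not answer those names itself.
wip             IN  NS     gtm1.siterequest.com.
wip             IN  NS     gtm2.siterequest.com.

; Step 3: CNAME records sending the application names into the delegated
; zone, where the matching wide IPs on GTM answer them. A target outside
; wip.siterequest.com would be resolved locally and bypass the delegation.
store           IN  CNAME  store.wip.siterequest.com.
checkout        IN  CNAME  checkout.wip.siterequest.com.
```

With this layout the wide IPs on GTM must be named store.wip.siterequest.com and checkout.wip.siterequest.com (assumed) so that they match the CNAME targets.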

Creating a listener to handle traffic for wide IPs

Determine the self IP address of BIG-IP GTM.

Create a listener on BIG-IP® GTM™ that identifies the wide IP traffic for which BIG-IP® GTM™ is responsible.

1. On the Main tab, click Global Traffic > Listeners.
   The Listeners List screen opens.

2. Click Create.
   The New Listeners screen opens.

3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic.
   The destination is a self IP address on BIG-IP GTM.

4. From the VLAN Traffic list, select All VLANs.

5. From the Protocol list, select either UDP or TCP.

6. Click Finished.

Implementation result

You now have an implementation of BIG-IP® GTM™ in which the DNS server manages DNS traffic unless the query is for store.siterequest.com or checkout.siterequest.com. When the DNS server receives these queries, it delegates them to BIG-IP GTM, which then load balances the queries to the appropriate wide IPs.


Chapter 6: Integrating BIG-IP GTM with Other BIG-IP Systems

• Overview: Integrating GTM with older BIG-IP systems on a network

• Task summary

• Implementation result

Overview: Integrating GTM with older BIG-IP systems on a network

You can add BIG-IP® Global Traffic Manager™ (GTM™) systems to a network in which BIG-IP® Local Traffic Manager™ (LTM®) systems are already present. This expands your load balancing and traffic management capabilities beyond the local area network. For this implementation to be successful, you must authorize communications between the systems.

Note: The BIG-IP GTM systems in a synchronization group, and the BIG-IP LTM and BIG-IP Link Controller™ systems that are configured to communicate with the systems in the synchronization group, must have TCP port 4353 open through the firewall between the systems. The BIG-IP systems connect and communicate through this port.

About iQuery and communications between BIG-IP systems

The gtmd agent on BIG-IP® Global Traffic Manager™ (GTM™) uses the iQuery® protocol to communicate with the local big3d agent, and the big3d agents installed on other BIG-IP systems. The gtmd agent monitors both the availability of the BIG-IP systems, and the integrity of the network paths between the systems that host a domain and the local DNS servers that attempt to connect to that domain.

Figure 5: Communications between big3d and gtmd agents using iQuery

Task summary

To authorize communications between BIG-IP® systems, perform the following tasks on the BIG-IP GTM™ that you are adding to the network.

Defining a data center
Defining BIG-IP GTM systems
Defining BIG-IP LTM systems
Running the big3d_install script

Defining a data center

Create a data center to contain the servers that reside on a subnet of your network.

1. On the Main tab, click Global Traffic > Data Centers.
   The Data Center List screen opens.

2. Click Create.
   The New Data Center screen opens.

3. Type a name for the data center.

   Important: The data center name is limited to 63 characters.

4. In the Location field, type the geographic location of the data center.

5. In the Contact field, type the name of either the administrator or the department that manages the data center.

6. From the State list, select Enabled.

7. Click Finished.

You can now create server objects and assign them to this data center.

Repeat this procedure to create additional data centers.

Defining BIG-IP GTM systems

Ensure that at least one data center exists in the configuration before you start creating a server.

Create a server object for BIG-IP® GTM™.

1. On the Main tab, click Global Traffic > Servers.
   The Server List screen opens.

2. Click Create.
   The New Server screen opens.

3. In the Name field, type a name for the server.

Important: Server names are limited to 63 characters.

4. From the Product list, select BIG-IP System (Single).
   The server type determines the metrics that the system can collect from the server.

5. In the Address List area, add the IP addresses of the server.
   You can add more than one IP address, depending on how the server interacts with the rest of your network.

Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address.

6. From the Data Center list, select the data center where the server resides.

7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.

8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system.

   Option               Description
   Disabled             The system does not use the discovery feature to automatically add virtual servers. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add virtual servers to the system.
   Enabled              The system uses the discovery feature to automatically add virtual servers. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.
   Enabled (No Delete)  The system uses the discovery feature to automatically add virtual servers and does not delete any virtual servers that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.

9. From the Link Discovery list, select how you want links to be added to the system.DescriptionOption

The system does not use the discovery feature to automatically add links. Thisis the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IPGTM/LTM combo system when you plan to manually add links to the system.

Disabled

The system uses the discovery feature to automatically add links. Use this optionfor a BIG-IPGTM/LTM combo systemwhen youwant BIG-IPGTM to discoverlinks.

Enabled

The system uses the discovery feature to automatically add links and does notdelete any links that already exist. Use this option for a BIG-IP GTM/LTMcombo system when you want BIG-IP GTM to discover links.

Enabled (NoDelete)

10. Click Create.The Server List screen opens displaying the new server in the list.

Defining BIG-IP LTM systems

On BIG-IP® GTM™, define servers that represent the BIG-IP LTM® systems in your network.

1. On the Main tab, click Global Traffic > Servers. The Server List screen opens.

2. Click Create. The New Server screen opens.

3. In the Name field, type a name for the server.

Important: Server names are limited to 63 characters.

4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant). The server type determines the metrics that the system can collect from the server.

5. In the Address List area, add the IP addresses of the server. You can add more than one IP address, depending on how the server interacts with the rest of your network.

Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address.

6. From the Data Center list, select the data center where the server resides.

7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.

8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system.

Option: Description

Disabled: The system does not use the discovery feature to automatically add virtual servers. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add virtual servers to the system.

Enabled: The system uses the discovery feature to automatically add virtual servers. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.

Enabled (No Delete): The system uses the discovery feature to automatically add virtual servers and does not delete any virtual servers that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.

9. From the Link Discovery list, select how you want links to be added to the system.

Option: Description

Disabled: The system does not use the discovery feature to automatically add links. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add links to the system.

Enabled: The system uses the discovery feature to automatically add links. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links.

Enabled (No Delete): The system uses the discovery feature to automatically add links and does not delete any links that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links.

10. Click Create. The Server List screen opens displaying the new server in the list.

Running the big3d_install script

Determine the self IP addresses for the existing BIG-IP® systems that you want to upgrade with the latest big3d agent.

Ensure that port 22 is open.

Run the big3d_install script to upgrade the big3d agents on the BIG-IP systems and to instruct these systems to authenticate with the other systems through the exchange of SSL certificates. For additional information about running the script, see SOL8195 on AskF5.com (www.askf5.com).

You must perform this task from the command-line interface.

Important: Run the big3d_install script on BIG-IP GTM™ only for target systems that are running the same or an older version of BIG-IP software.

1. Log on to the command-line interface of the new BIG-IP GTM.

2. At the BASH prompt, type tmsh.

3. At the tmsh prompt, type run gtm big3d_install <IP_addresses_of_target_BIG-IP_systems>, and press Enter. The script instructs BIG-IP GTM to connect to each specified BIG-IP system.

4. If prompted, supply the root password for each system.

The SSL certificates are exchanged, authorizing communications between the systems. The big3d agent on each system is upgraded to the same version as is installed on the BIG-IP GTM from which you ran the script.

Implementation result

You now have an implementation in which the BIG-IP® systems can communicate with each other. BIG-IP GTM™ can now use the other BIG-IP systems when load balancing DNS requests, and can acquire statistics and status information for the virtual servers these systems manage.


Chapter 7: Integrating BIG-IP LTM with BIG-IP GTM Systems

• Overview: Integrating LTM systems with GTM systems on a network

• Task summary

• Implementation result

Overview: Integrating LTM systems with GTM systems on a network

You can add BIG-IP® Local Traffic Manager™ (LTM™) systems to a network in which BIG-IP® Global Traffic Manager™ (GTM®) systems are already present. This expands your load balancing and traffic management capabilities to include the local area network. For this implementation to be successful, you must authorize communications between the LTM and GTM systems. When the LTM and GTM systems use the same version of the big3d agent, you run the bigip_add utility to authorize communications between the systems.

Note: The BIG-IP GTM and BIG-IP LTM systems must have TCP port 4353 open through the firewall between the systems. The BIG-IP systems connect and communicate through this port.

Task summary

To authorize communications between BIG-IP® GTM and BIG-IP LTM systems, perform the following tasks on the BIG-IP GTM™.

• Defining a data center

• Defining BIG-IP GTM systems

• Defining BIG-IP LTM systems

• Running the bigip_add utility

Defining a data center

Create a data center to contain the servers that reside on a subnet of your network.

1. On the Main tab, click Global Traffic > Data Centers. The Data Center List screen opens.

2. Click Create. The New Data Center screen opens.

3. Type a name for the data center.

Important: The data center name is limited to 63 characters.

4. In the Location field, type the geographic location of the data center.

5. In the Contact field, type the name of either the administrator or the department that manages the data center.

6. From the State list, select Enabled.

7. Click Finished.

You can now create server objects and assign them to this data center.

Repeat this procedure to create additional data centers.


Defining BIG-IP GTM systems

Ensure that at least one data center exists in the configuration before you start creating a server.

Create a server object for BIG-IP® GTM™.

1. On the Main tab, click Global Traffic > Servers. The Server List screen opens.

2. Click Create. The New Server screen opens.

3. In the Name field, type a name for the server.

Important: Server names are limited to 63 characters.

4. From the Product list, select BIG-IP System (Single). The server type determines the metrics that the system can collect from the server.

5. In the Address List area, add the IP addresses of the server. You can add more than one IP address, depending on how the server interacts with the rest of your network.

Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address.

6. From the Data Center list, select the data center where the server resides.

7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.

8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system.

Option: Description

Disabled: The system does not use the discovery feature to automatically add virtual servers. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add virtual servers to the system.

Enabled: The system uses the discovery feature to automatically add virtual servers. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.

Enabled (No Delete): The system uses the discovery feature to automatically add virtual servers and does not delete any virtual servers that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.

9. From the Link Discovery list, select how you want links to be added to the system.

Option: Description

Disabled: The system does not use the discovery feature to automatically add links. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add links to the system.

Enabled: The system uses the discovery feature to automatically add links. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links.

Enabled (No Delete): The system uses the discovery feature to automatically add links and does not delete any links that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links.

10. Click Create. The Server List screen opens displaying the new server in the list.

Defining BIG-IP LTM systems

On BIG-IP® GTM™, define servers that represent the BIG-IP LTM® systems in your network.

1. On the Main tab, click Global Traffic > Servers. The Server List screen opens.

2. Click Create. The New Server screen opens.

3. In the Name field, type a name for the server.

Important: Server names are limited to 63 characters.

4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant). The server type determines the metrics that the system can collect from the server.

5. In the Address List area, add the IP addresses of the server. You can add more than one IP address, depending on how the server interacts with the rest of your network.

Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address.

6. From the Data Center list, select the data center where the server resides.

7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.

8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system.

Option: Description

Disabled: The system does not use the discovery feature to automatically add virtual servers. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add virtual servers to the system.

Enabled: The system uses the discovery feature to automatically add virtual servers. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.

Enabled (No Delete): The system uses the discovery feature to automatically add virtual servers and does not delete any virtual servers that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.

9. From the Link Discovery list, select how you want links to be added to the system.

Option: Description

Disabled: The system does not use the discovery feature to automatically add links. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add links to the system.

Enabled: The system uses the discovery feature to automatically add links. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links.

Enabled (No Delete): The system uses the discovery feature to automatically add links and does not delete any links that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links.

10. Click Create. The Server List screen opens displaying the new server in the list.

Running the bigip_add utility

Determine the self IP addresses of the BIG-IP LTM® systems that you want to communicate with BIG-IP GTM™.

Run the bigip_add utility on BIG-IP GTM. This utility exchanges SSL certificates so that each system is authorized to communicate with the other.

You must perform this task from the command-line interface.

1. On BIG-IP GTM, log on to the command-line interface.

2. At the command prompt, type: bigip_add <IP_addresses_of_BIG-IP_LTM_systems>, and press Enter. The utility exchanges SSL certificates so that each system is authorized to communicate with the other.

The specified BIG-IP® systems can now communicate with BIG-IP GTM.
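The data center and server definitions that both this chapter and the previous one (Integrating BIG-IP GTM with Other BIG-IP Systems) describe through the Configuration utility, followed by the big3d_install step of the previous chapter and the bigip_add step of this one, as an added tmsh example. This is editor-supplied, not text or code from the F5 manual: the object names (dc_east, gtm_east, ltm_east) and the 10.10.x.x addresses are constructed, and the property keywords are the v11-era tmsh syntax as recalled by the editor, so confirm them with `help gtm server` on your own system before use.

```tmsh
# Added example (not from the F5 manual). Run on the BIG-IP GTM.
# Names (dc_east, gtm_east, ltm_east) and addresses (10.10.x.x) are constructed.
# All addresses are self IP addresses; the management address must not be used.

# 1. Data center that contains the servers.
create gtm datacenter dc_east location "Data center East" contact "netops" enabled

# 2. The GTM itself: BIG-IP System (Single), bigip monitor, discovery disabled
#    (standalone GTM: virtual servers and links are added manually).
create gtm server gtm_east datacenter dc_east product single-bigip addresses add { 10.10.1.5 } monitor bigip virtual-server-discovery disabled link-discovery disabled

# 3. An LTM in the same data center: let GTM discover its virtual servers but
#    keep any that already exist (Enabled (No Delete)); links stay manual.
create gtm server ltm_east datacenter dc_east product single-bigip addresses add { 10.10.2.5 } monitor bigip virtual-server-discovery enabled-no-delete link-discovery disabled

save sys config

# 4a. Previous chapter: the target runs the same or an older software version,
#     so upgrade its big3d agent and exchange SSL certificates in one step.
#     Needs TCP port 22 open to the target; prompts for the target's root password.
run gtm big3d_install 10.10.2.5

# 4b. This chapter: the target already runs the same big3d version, so only
#     exchange certificates. bigip_add is a bash utility, so run it from the
#     bash prompt, not from tmsh (needs TCP port 4353 open between the systems):
#         bigip_add 10.10.2.5

# 5. Verify: once iQuery is established the server should no longer be Unknown.
show gtm server ltm_east
```

The two certificate-exchange paths are alternatives, not a sequence: use big3d_install when the agent versions may differ and bigip_add when they already match.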

Implementation result

You now have an implementation in which the BIG-IP® systems can communicate with each other. BIG-IP GTM™ can now use the other BIG-IP systems when load balancing DNS requests, and can acquire statistics and status information for the virtual servers these systems manage.


Chapter 8: Ensuring Correct Synchronization When Adding GTM to a Network

• Overview: Ensuring correct synchronization when adding GTM to a network

• Task summary

• Implementation result

Overview: Ensuring correct synchronization when adding GTM to a network

You can configure BIG-IP® Global Traffic Manager™ (GTM™) systems in collections called synchronization groups. All BIG-IP GTM systems in the same synchronization group have the same rank, exchange heartbeat messages, and share probing responsibility.

Figure 6: BIG-IP GTM systems in a synchronization group

About configuration synchronization

Configuration synchronization ensures the rapid distribution of BIG-IP® Global Traffic Manager™ (GTM) settings to other BIG-IP systems that belong to the same synchronization group. A synchronization group might contain both BIG-IP GTM and BIG-IP® Link Controller™ systems.

Configuration synchronization occurs in the following manner:

• When a change is made to a BIG-IP GTM configuration, the system broadcasts the change to the other systems in the configuration synchronization group.

• When a configuration synchronization is in progress, the process must either complete or time out before another configuration synchronization can occur.

About adding an additional BIG-IP GTM to your network

BIG-IP GTM systems exchange heartbeat messages when different software versions are installed on the systems. However, configuration synchronization cannot occur when different software versions are installed on the systems. Therefore, when you upgrade BIG-IP GTM, the configuration of the upgraded system does not automatically synchronize with the configuration of the systems in the synchronization group that have an older software version.

Task summary

When adding an additional BIG-IP® GTM™ system to your network, perform the following tasks.

• Defining an NTP server on the existing GTM

• Enabling synchronization on the existing GTM

• Creating a data center on the existing GTM

• Defining a server on the existing GTM

• Running the gtm_add script on the new GTM

Defining an NTP server on the existing GTM

Define a Network Time Protocol (NTP) server on the existing BIG-IP® GTM™ to ensure that each system in the synchronization group is referencing the same time when verifying configuration file timestamps.

1. On the Main tab, click System > Configuration > Device > NTP. The NTP Device configuration screen opens.

2. In the Time Server Lookup List area, in the Address field, type the IP address of the NTP server that you want to add. Then, click Add.

Note: If you did not disable DHCP before the first boot of the BIG-IP system, and if the DHCP server provides the information about your NTP server, then this field is automatically populated.

3. Click Update.

The NTP server is defined.

Enabling synchronization on the existing GTM

To ensure that this system can share configuration changes with other systems that you add to the configuration synchronization group, enable synchronization on the existing BIG-IP® GTM™.

1. On the Main tab, click System > Configuration > Global Traffic > General. The General configuration screen opens.

2. Select the Synchronization check box.

3. In the Synchronization Time Tolerance field, type the maximum number of seconds allowed between the time settings on this system and the other systems in the synchronization group. The lower the value, the more often this system makes a log entry indicating that there is a difference.

Tip: If you are using NTP, leave this setting at the default value of 10. In the event that NTP fails, the system uses the time_tolerance variable to maintain synchronization.

4. In the Synchronization Group Name field, type the name of the synchronization group to which you want this system to belong.

5. Click Update.

Synchronization is enabled on the existing BIG-IP GTM.

Creating a data center on the existing GTM

Create a data center on the existing BIG-IP® GTM™ system to represent the location where the new BIG-IP GTM system resides.

1. On the Main tab, click Global Traffic > Data Centers. The Data Center List screen opens.

2. Click Create. The New Data Center screen opens.

3. Type a name for the data center.

Important: The data center name is limited to 63 characters.

4. In the Location field, type the geographic location of the data center.

5. In the Contact field, type the name of either the administrator or the department that manages the data center.

6. Click Finished.

Defining a server on the existing GTM

Ensure that a data center where the new BIG-IP® GTM™ system resides exists in the configuration of the existing BIG-IP GTM system.

Define a new server, on the existing BIG-IP GTM, to represent the new BIG-IP GTM system.

1. On the Main tab, click Global Traffic > Servers. The Server List screen opens.

2. Click Create. The New Server screen opens.

3. In the Name field, type a name for the server.

Important: Server names are limited to 63 characters.

4. From the Product list, select BIG-IP System (Single). The server type determines the metrics that the system can collect from the server.

5. In the Address List area, add the IP address of the server.

Important: You must use a self IP address for a BIG-IP® system; you cannot use the management IP address.

6. From the Data Center list, select the data center where the server resides.

7. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system.

Option: Description

Disabled: The system does not use the discovery feature to automatically add virtual servers. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add virtual servers to the system.

Enabled: The system uses the discovery feature to automatically add virtual servers. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.

Enabled (No Delete): The system uses the discovery feature to automatically add virtual servers and does not delete any virtual servers that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.

8. Click Create. The Server List screen opens displaying the new server in the list.

The status of the newly defined BIG-IP GTM system is Unknown, because you have not yet run the gtm_add script.

Running the gtm_add script on the new GTM

Determine the self IP address of the existing BIG-IP® GTM™.

Run the gtm_add script on the new BIG-IP GTM to acquire the configuration settings on the existing BIG-IP GTM.

Note: You must perform this task from the command-line interface.

1. On the new BIG-IP GTM, log in to the command-line interface.

2. At the BASH prompt, type tmsh, and press Enter.

3. At the tmsh prompt, type run gtm gtm_add, and press Enter.

4. Press the y key to start the gtm_add script.

5. Type the IP address of the existing BIG-IP GTM, and press Enter.

6. If prompted, type the root password, and then press Enter.
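The five tasks of this chapter (NTP server, synchronization settings, data center, server object, gtm_add) as an added tmsh example. It is editor-supplied, not code from the F5 manual: the names (dc_west, gtm_west, gtm-sync-1), the NTP address 192.0.2.123 and the self IP addresses are constructed, and the tmsh property keywords are the v11-era syntax as recalled by the editor, so check them with `help gtm global-settings general` on your own system.

```tmsh
# Added example (not from the F5 manual). Part 1 runs on the EXISTING GTM.
# Names (dc_west, gtm_west, gtm-sync-1) and all addresses are constructed.

# Task 1: NTP server, so that both systems compare configuration file
# timestamps against the same clock (192.0.2.123 is a constructed address).
modify sys ntp servers add { 192.0.2.123 }

# Task 2: enable synchronization, name the group, and keep the default
# 10-second time tolerance (the fallback the system uses if NTP fails).
modify gtm global-settings general synchronization yes synchronization-group-name gtm-sync-1 synchronization-time-tolerance 10

# Tasks 3 and 4: data center for the new GTM and a server object for it.
# The address is the new GTM's self IP, never its management address.
# This procedure assigns no monitor and leaves discovery disabled.
create gtm datacenter dc_west location "Data center West" contact "netops"
create gtm server gtm_west datacenter dc_west product single-bigip addresses add { 10.20.1.5 } virtual-server-discovery disabled

save sys config

# Part 2 runs on the NEW GTM. gtm_add is interactive: press y to start, enter
# the existing GTM's self IP (10.10.1.5 here, constructed), and give the root
# password if prompted. Its configuration is then pulled from the existing GTM.
run gtm gtm_add

# Afterwards, on either system, the peer should have left the Unknown state:
show gtm server
```

The server object is created before gtm_add deliberately: the new GTM shows Unknown until the script has run, so an Unknown status right after task 4 is expected, not a fault.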

Implementation result

The new BIG-IP® GTM™ that you added to the network is a part of a synchronization group. Changes you make to any system in the synchronization group are automatically propagated to all other systems in the group.

Chapter 9: Configuring BIG-IP GTM VIPRION Systems

• Overview: Configuring BIG-IP GTM VIPRION systems

Overview: Configuring BIG-IP GTM VIPRION systems

You configure BIG-IP® Global Traffic Manager™ (GTM™) on VIPRION® systems in the same manner that you configure BIG-IP GTM on an appliance, with two notable exceptions.

• You can access BIG-IP® Local Traffic Manager™ (LTM®) iRules® from within BIG-IP GTM iRules. You can also access BIG-IP GTM iRules® from within BIG-IP LTM iRules.

• It is important to change the general system configuration for virtual server status.

Configuring virtual server status for clusters

You can configure virtual server status to be dependent only on the timeout value of the monitor associated with the virtual server. This ensures that when the primary blade in a cluster becomes unavailable, the gtmd agent on the new primary blade has time to establish new iQuery® connections with and receive updated status from other BIG-IP® systems.

Tip: The big3d agent on the new primary blade must be up and functioning within 90 seconds (the timeout value of the BIG-IP monitor).

1. On the Main tab, click System > Configuration > Global Traffic > General. The General configuration screen opens.

2. Select Depends on Monitors Only from the Virtual Server Status list.

3. Click Update.

Chapter 10: Setting Up a BIG-IP GTM Redundant System Configuration

• Overview: Configuring a BIG-IP GTM redundant system

• Task summary

Overview: Configuring a BIG-IP GTM redundant system

You can configure BIG-IP® Global Traffic Manager™ (GTM) in a redundant system configuration, which is a set of two BIG-IP GTM systems: one operating as the active unit, the other operating as the standby unit. If the active unit goes offline, the standby unit immediately assumes responsibility for managing DNS traffic. The new active unit remains active until another event occurs that would cause the unit to go offline, or you manually reset the status of each unit.

Task summary

Perform the following tasks to configure a BIG-IP® GTM™ redundant system configuration.

Before you begin, ensure that the Setup utility was run on both devices. During the Setup process, you create VLANs internal and external and the associated floating and non-floating IP addresses, and VLAN HA and the associated non-floating self IP address. You also configure the devices to be in an active-standby redundant system configuration.

• Defining an NTP server

• Creating listeners to identify DNS traffic

• Defining a data center

• Defining a server

• Enabling global traffic configuration synchronization

• Running the gtm_add script

Defining an NTP server

Define a Network Time Protocol (NTP) server that both BIG-IP GTM systems use during configuration synchronization.

Important: Perform the following procedure on both the active and standby systems.

1. On the Main tab, click System > Configuration > Device > NTP. The NTP Device configuration screen opens.

2. In the Time Server Lookup List area, in the Address field, type the IP address of the NTP server that you want to add. Then, click Add.

Note: If you did not disable DHCP before the first boot of the BIG-IP system, and if the DHCP server provides the information about your NTP server, then this field is automatically populated.

3. Click Update.

During configuration synchronization, the systems use this time value to see if any newer configuration files exist.


Creating listeners to identify DNS traffic

Create two listeners to identify DNS traffic for which BIG-IP GTM is responsible. Create one listener that uses the UDP protocol and one that uses the TCP protocol.

Important: Perform the following procedure on only the active system.

Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP, the client might receive the error connection refused or TCP RSTs.

1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.

2. Click Create. The new Listeners screen opens.

3. In the Destination field, type the floating IP address of VLAN external. This is the IP address on which BIG-IP GTM listens for network traffic.

4. From the VLAN Traffic list, select All VLANs.

5. From the Protocol list, select UDP.

6. Click Finished.

Create another listener with the same IP address, but select TCP from the Protocol list.

Defining a data center

Create a data center to contain the servers that reside on a subnet of your network.

Important: Perform the following procedure on only the active system.

1. On the Main tab, click Global Traffic > Data Centers. The Data Center List screen opens.

2. Click Create. The New Data Center screen opens.

3. Type a name for the data center.

Important: The data center name is limited to 63 characters.

4. In the Location field, type the geographic location of the data center.

5. In the Contact field, type the name of either the administrator or the department that manages the data center.

6. From the State list, select Enabled.

7. Click Finished.

You can now create server objects and assign them to this data center.

Repeat this procedure to create additional data centers.


Defining a server

Ensure that the data centers where the BIG-IP GTM systems reside exist in the configuration.

Using this procedure, create two servers on the active system, one that represents the active system and one that represents the standby system.

Important: Perform this procedure on only the active system.

1. On the Main tab, click Global Traffic > Servers. The Server List screen opens.

2. Click Create. The New Server screen opens.

3. In the Name field, type a name for the server.

Important: Server names are limited to 63 characters.

4. From the Product list, select BIG-IP System (Redundant). The server type determines the metrics that the system can collect from the server.

5. In the Address List area, add the IP address of the server.

Important: You must use a self IP address for a BIG-IP® system; you cannot use the management IP address.

6. In the Address List area, add the IP addresses of the backup system using the Peer Address List setting.

a) Type an external (public) IP address in the Address field, and then click Add.

b) Type an internal (private) IP address in the Translation field, and then click Add.

You can add more than one IP address, depending on how the server interacts with the rest of your network.

7. From the Data Center list, select the data center where the server resides.

8. From the Virtual Server Discovery list, select Disabled.

9. From the Link Discovery list, select Disabled.

10. Click Create.

The Server List screen opens displaying the new server in the list.

Enabling global traffic configuration synchronization

Enable global traffic configuration synchronization options and assign a name to the global traffic synchronization group.

Important: Perform the following procedure on only the active system.

1. On the Main tab, click System > Configuration > Global Traffic > General. The General configuration screen opens.

2. Select the Synchronization check box.

3. Select the Synchronize DNS Files check box.

4. In the Synchronization Group Name field, type the name of the synchronization group.

5. Click Update.

The settings you selected will be transferred to the standby system during configuration synchronization.

Running the gtm_add script

You must run the gtm_add script from the standby system.

Note: You must perform this task from the command-line interface.

1. On the new BIG-IP GTM, log in to the command-line interface.

2. Type gtm_add, and press Enter.

3. Press the y key to start the gtm_add script.

4. Type the IP address of the existing BIG-IP GTM, and press Enter.

The gtm_add script acquires configuration data from the active system. Once this process completes, you have successfully created a redundant system consisting of two BIG-IP GTM systems.
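The active-unit tasks of this chapter (listeners for UDP and TCP, data center, the two redundant server objects with a peer address and its translation, synchronization with DNS files) as an added tmsh example, followed by the standby-unit gtm_add step. It is editor-supplied, not code from the F5 manual: 203.0.113.53 stands for the floating self IP of VLAN external, 198.51.100.x for the external (public) peer addresses, 10.30.1.x for the internal self IP addresses, and all names are constructed; the property keywords are the v11-era tmsh syntax as recalled by the editor, so confirm them with `help gtm listener` and `help gtm server` on your own system.

```tmsh
# Added example (not from the F5 manual). Run on the ACTIVE unit only,
# except the final gtm_add, which runs on the STANDBY unit.
# Constructed addresses: 203.0.113.53 = floating self IP of VLAN external,
# 198.51.100.1/.2 = external (public) addresses, 10.30.1.1/.2 = internal
# self IP addresses of the active and standby units.

# NTP (perform on both units, as the manual says).
modify sys ntp servers add { 192.0.2.123 }

# Two listeners on the floating address, all VLANs. TCP is not optional:
# zone transfers use TCP port 53, and without it clients see connection
# refused or TCP RSTs.
create gtm listener dns_udp address 203.0.113.53 port 53 ip-protocol udp
create gtm listener dns_tcp address 203.0.113.53 port 53 ip-protocol tcp

# Data center, then one server object per unit, product BIG-IP System
# (Redundant). Each address entry carries the external address with the
# internal (private) address as its translation; discovery stays Disabled.
create gtm datacenter dc_ha location "Data center HA" contact "netops" enabled
create gtm server gtm_active datacenter dc_ha product redundant-bigip addresses add { 198.51.100.1 { translation 10.30.1.1 } } virtual-server-discovery disabled link-discovery disabled
create gtm server gtm_standby datacenter dc_ha product redundant-bigip addresses add { 198.51.100.2 { translation 10.30.1.2 } } virtual-server-discovery disabled link-discovery disabled

# Synchronization, this time including the DNS zone files.
modify gtm global-settings general synchronization yes synchronize-zone-files yes synchronization-group-name gtm-ha

save sys config

# On the STANDBY unit, from the bash prompt (this chapter runs gtm_add
# directly, not through tmsh): press y, then enter the active unit's
# self IP (10.30.1.1 here). The standby then pulls the active configuration.
#     gtm_add
```

Listeners, data center, servers and synchronization settings are created on the active unit only because gtm_add copies them to the standby; creating them on both would leave two independently edited configurations to reconcile.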

Chapter 11: Configuring GTM on a Network with One Route Domain

• Overview: How do I deploy BIG-IP GTM on a network with one route domain?

• Task summary

• Implementation result

Overview: How do I deploy BIG-IP GTM on a network with one route domain?

You can deploy BIG-IP® Global Traffic Manager™ (GTM™) on a network where BIG-IP Local Traffic Manager™ (LTM®) is configured with one route domain and no overlapping IP addresses.

Caution: For BIG-IP systems that include both LTM and GTM, you can configure route domains on internal interfaces only. F5 Networks does not support the configuration of route domains on a standalone BIG-IP GTM.

Figure 7: BIG-IP GTM deployed on a network in front of a BIG-IP LTM configured with a route domain

Task summary

BIG-IP® GTM™ can gather status and statistics for the virtual servers hosted on BIG-IP Local Traffic Manager™ (LTM) systems on your network that are configured on a route domain. The BIG-IP LTM systems must contain:

• VLANs through which traffic for the route domain passes.

• A self IP address that represents the address space of the route domain.

Additionally, BIG-IP GTM must contain a server object for each route domain. The server objects must be configured with a self IP address that represents the address space of the route domain.

Perform the specified tasks to configure BIG-IP LTM systems with a route domain, and then to configure BIG-IP GTM to be able to monitor these systems.

• Creating VLANs for a route domain on BIG-IP LTM

• Creating a route domain on the BIG-IP system

• Creating a self IP address for a route domain on BIG-IP LTM

• Defining a server for a route domain on BIG-IP GTM

Creating VLANs for a route domain on BIG-IP LTM

You need to create two VLANs on BIG-IP® Local Traffic Manager™(LTM®) through which traffic can passto a route domain.

1. On the Main tab, click Network > VLANs.The VLAN List screen opens.

2. Click Create.The New VLAN screen opens.

3. In the Name field, type external.4. In the Tag field, type a numeric tag, from 1 - 4094 , for the VLAN, or leave the field blank if you want

the BIG-IP system to automatically assign a VLAN tag.The VLAN tag identifies the traffic from hosts in the associated VLAN.

5. For the Interfaces setting, from the Available list, click an interface number or trunk name and add theselected interface or trunk to the Untagged list. Repeat this step as necessary.

6. Select the Source Check check box if you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated.

7. Click Finished.
The screen refreshes, and displays the new VLAN in the list.

Repeat this procedure, but in Step 3, name the VLAN internal.

Creating a route domain on the BIG-IP system

Before you create a route domain:

• Ensure that an external and an internal VLAN exist on the BIG-IP® system.
• If you intend to assign a static bandwidth controller policy to the route domain, you must first create the policy. You can do this using the BIG-IP Configuration utility.
• Verify that you have set the current partition on the system to the partition in which you want the route domain to reside.

You can create a route domain on a BIG-IP system to segment (isolate) traffic on your network. Route domains are useful for multi-tenant configurations.

1. On the Main tab, click Network > Route Domains.
The Route Domain List screen opens.

2. Click Create.
The New Route Domain screen opens.

3. In the Name field, type a name for the route domain.
This name must be unique within the administrative partition in which the route domain resides.

4. In the ID field, type an ID number for the route domain.
This ID must be unique on the BIG-IP system; that is, no other route domain on the system can have this ID.

5. In the Description field, type a description of the route domain.
For example: This route domain applies to traffic for application MyApp.

6. For the Strict Isolation setting, select the Enabled check box to restrict traffic in this route domain from crossing into another route domain.

7. For the Parent Name setting, retain the default value.
8. For the VLANs setting, from the Available list, select a VLAN name and move it to the Members list.
Select the VLAN that processes the application traffic relevant to this route domain. Configuring this setting ensures that the BIG-IP system immediately associates any self IP addresses pertaining to the selected VLANs with this route domain.

9. For the Dynamic Routing Protocols setting, from the Available list, select one or more protocol names and move them to the Enabled list.
You can enable any number of listed protocols for this route domain. This setting is optional.

10. From the Bandwidth Controller list, select a static bandwidth control policy to enforce a throughput limit on traffic for this route domain.

11. From the Partition Default Route Domain list, select either Another route domain (0) is the Partition Default Route Domain or Make this route domain the Partition Default Route Domain.
This setting does not appear if the current administrative partition is partition Common. When you configure this setting, either route domain 0 or this route domain becomes the default route domain for the current administrative partition.

12. Click Finished.
The system displays a list of route domains on the BIG-IP system.

You now have another route domain on the BIG-IP system.

Creating a self IP address for a route domain on BIG-IP LTM

Ensure that external and internal VLANs exist on BIG-IP® LTM, before you begin creating a self IP address for a route domain.

Create a self IP address on BIG-IP LTM that resides in the address space of the route domain.

1. On the Main tab, click Network > Self IPs.
The Self IPs screen opens.

2. Click Create.
The New Self IP screen opens.

3. In the IP Address field, type an IP address.
This IP address must represent a self IP address in a route domain. Use the format x.x.x.x%n, where n is the route domain ID, for example, 10.1.1.1%1. The system accepts IPv4 and IPv6 addresses.

4. In the Netmask field, type the network mask for the specified IP address.
5. From the VLAN/Tunnel list, select external.
6. From the Port Lockdown list, select Allow Default.
7. Click Finished.
The screen refreshes, and displays the new self IP address in the list.

Repeat this procedure, but in Step 5, select VLAN internal.

Defining a server for a route domain on BIG-IP GTM

Ensure that at least one data center exists in the configuration.

On a BIG-IP GTM system, define a server that represents the route domain.

1. On the Main tab, click Global Traffic > Servers.
The Server List screen opens.

2. Click Create.
The New Server screen opens.

3. In the Name field, type a name for the server.

Important: Server names are limited to 63 characters.

4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant).
The server type determines the metrics that the system can collect from the server.

5. In the Address List area, add the self IP address that you assigned to the VLAN that you assigned to the route domain.

Important: Do not include the route domain ID in this IP address. Use the format x.x.x.x, for example, 10.10.10.1.

6. From the Data Center list, select the data center where the server resides.
7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system.
Virtual server discovery is supported when you have only one route domain.

Option               Description
Disabled             Use this option when you plan to manually add virtual servers to the system.
Enabled              The system automatically adds virtual servers using the discovery feature.
Enabled (No Delete)  The system uses the discovery feature and does not delete any virtual servers that already exist.

9. Click Create.
The Server List screen opens displaying the new server in the list.

Implementation result

You now have an implementation in which BIG-IP® GTM™ can monitor virtual servers on BIG-IP LTM® systems configured with one route domain.

Chapter 12: Configuring GTM on a Network with Multiple Route Domains

• Overview: How do I deploy BIG-IP GTM on a network with multiple route domains?
• Task summary
• Implementation result

Overview: How do I deploy BIG-IP GTM on a network with multiple route domains?

You can deploy BIG-IP® Global Traffic Manager™ (GTM) on a network where BIG-IP Local Traffic Manager™ (LTM®) systems are configured with multiple route domains and overlapping IP addresses.

Important: On a network with route domains, you must ensure that virtual server discovery (autoconf) is disabled, because virtual server discovery does not discover translation IP addresses.

Caution: For BIG-IP systems that include both LTM and GTM, you can configure route domains on internal interfaces only. F5 Networks does not support the configuration of route domains on a standalone BIG-IP GTM.

The following figure shows BIG-IP GTM deployed in a network with multiple BIG-IP Local Traffic Manager™ (LTM®) systems configured with the default route domain (zero), and two additional route domains. BIG-IP GTM can monitor the Application1 and Application2 servers that have overlapping IP addresses and reside in different route domains. The firewalls perform the required address translation between the BIG-IP GTM and BIG-IP LTM addresses; you must configure the firewalls to segment traffic and avoid improperly routing packets between route domain 1 and route domain 2.


Figure 8: BIG-IP GTM deployed on a network with multiple route domains

Task summary

Before BIG-IP® GTM™ can gather status and statistics for the virtual servers hosted on BIG-IP LTM® systems on your network that are configured with route domains, you must configure the following on each BIG-IP LTM that handles traffic for route domains:

• VLANs through which traffic for your route domains passes
• Route domains that represent each network segment
• Self IP addresses that represent the address spaces of the route domains

Additionally, on BIG-IP GTM you must:

• Configure, for each route domain, a server object with virtual server discovery disabled
• Disable virtual server discovery globally


Perform the following tasks to configure BIG-IP GTM to monitor BIG-IP LTM systems with route domains.

Creating VLANs for a route domain on BIG-IP LTM
Creating a route domain on BIG-IP LTM
Creating a self IP address for a route domain on BIG-IP LTM
Disabling auto-discovery at the global-level on BIG-IP GTM
Defining a server for a route domain on BIG-IP GTM

Creating VLANs for a route domain on BIG-IP LTM

Create two VLANs on BIG-IP LTM through which traffic can pass to a route domain.

1. On the Main tab, click Network > VLANs.
The VLAN List screen opens.

2. Click Create.
The New VLAN screen opens.

3. In the Name field, type external.
4. In the Tag field, type a numeric tag, from 1 - 4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
The VLAN tag identifies the traffic from hosts in the associated VLAN.

5. For the Interfaces setting, from the Available list, click an interface number or trunk name and add the selected interface or trunk to the Untagged list. Repeat this step as necessary.

6. Select the Source Check check box if you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated.

7. Click Finished.
The screen refreshes, and displays the new VLAN in the list.

Repeat this procedure, but in Step 3, name the second VLAN internal.

Creating a route domain on BIG-IP LTM

Ensure that VLANs exist on BIG-IP LTM, before you create a route domain.

You can create a route domain on a BIG-IP system to segment (isolate) network traffic on your network.

1. On the Main tab, click Network > Route Domains.
The Route Domain List screen opens.

2. Click Create.
The New Route Domain screen opens.

3. In the ID field, type an ID number for the route domain.
This ID must be unique on the BIG-IP system; that is, no other route domain on the system can have this ID.

4. In the Description field, type a description of the route domain.
For example: This route domain applies to traffic for application MyApp.

5. For the Strict Isolation setting, select the Enabled check box to restrict traffic in this route domain from crossing into another route domain.

6. For the Parent Name setting, retain the default value.
7. For the VLANs setting, move the external and internal VLANs from the Available list, to the Members list.
Configuring this setting ensures that the BIG-IP system immediately associates any self IP addresses pertaining to the selected VLANs with this route domain.

8. Click Finished.
The system displays a list of route domains on the BIG-IP system.

Create additional route domains based on your network configuration.

Creating a self IP address for a route domain on BIG-IP LTM

Ensure that VLANs exist on BIG-IP LTM, before you begin creating a self IP address for a route domain.

Create a self IP address on the BIG-IP system that resides in the address space of the route domain.

1. On the Main tab, click Network > Self IPs.
The Self IPs screen opens.

2. Click Create.
The New Self IP screen opens.

3. In the IP Address field, type an IP address.
This IP address must represent a self IP address in a route domain. Use the format x.x.x.x%n, where n is the route domain ID, for example, 10.1.1.1%1. The system accepts IPv4 and IPv6 addresses.

4. In the Netmask field, type the network mask for the specified IP address.
5. From the VLAN/Tunnel list, select the VLAN that you assigned to the route domain that contains this self IP address.
6. From the Port Lockdown list, select Allow Default.
7. Click Finished.

The screen refreshes, and displays the new self IP address in the list.

Create additional self IP addresses based on your network configuration.

Disabling auto-discovery at the global-level on BIG-IP GTM

On BIG-IP GTM, disable auto-discovery at the global-level.

1. On the Main tab, click System > Configuration > Global Traffic > General.
The general Configuration screen opens.

2. Clear the Auto-Discovery check box.
3. Click Update.

Defining a server for a route domain on BIG-IP GTM

Ensure that at least one data center exists in the configuration.

On BIG-IP GTM, define a server that represents the route domain.

1. On the Main tab, click Global Traffic > Servers.
The Server List screen opens.

2. Click Create.
The New Server screen opens.
3. In the Name field, type a name for the server.

Important: Server names are limited to 63 characters.

4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant).
The server type determines the metrics that the system can collect from the server.

5. In the Address List area, add the self IP address that you assigned to the VLAN that you assigned to the route domain.

Important: Do not include the route domain ID in this IP address. Use the format x.x.x.x, for example, 10.10.10.1.

6. From the Data Center list, select the data center where the server resides.
7. From the Prober Pool list, select one of the following.

Option                    Description
Inherit from Data Center  By default, a server inherits the Prober pool assigned to the data center in which the server resides.
Prober pool name          Select the Prober pool that contains the BIG-IP systems that you want to perform monitor probes of this server.

Note: The selected Prober pool must reside in the same route domain as the servers you want the pool members to probe.

8. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.

9. From the Virtual Server Discovery list, select Disabled.
10. Click Create.
The New Server screen opens.

Implementation result

You now have an implementation in which BIG-IP GTM monitors BIG-IP LTM virtual servers on the various route domains in your network.
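Added example, written for this guide and not F5 code: a small Python helper that models the two address formats the route-domain procedures above depend on. On BIG-IP LTM a self IP carries the route domain suffix (x.x.x.x%n); the GTM server object for that route domain uses the same address with the suffix removed. The last function shows why the multiple-route-domain chapter requires address translation at the firewalls and disabled virtual server discovery: once the suffix is stripped, overlapping addresses from different route domains (Application1 and Application2 in Figure 8) collapse to the same GTM address. All addresses below are constructed sample values.

```python
"""Route-domain address handling modelled on the self IP (x.x.x.x%n) and
GTM server address (x.x.x.x) formats described in the procedures above.

Added example for this guide; not F5 code. Sample addresses are constructed.
"""
import ipaddress
from collections import defaultdict
from typing import NamedTuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class RdAddress(NamedTuple):
    ip: IPAddress   # the IPv4 or IPv6 address without any route domain suffix
    rd: int         # route domain ID; 0 is the default route domain


def parse_rd_address(text: str) -> RdAddress:
    """Parse an address written in BIG-IP route-domain notation.

    '10.1.1.1%1' -> (10.1.1.1, 1); '10.1.1.1' -> (10.1.1.1, 0).
    The '%' is split off before ipaddress sees the string, so an IPv6 address
    such as '2001:db8::1%2' is not misread as a scoped (zone-id) address.
    """
    host, sep, rd_part = text.partition("%")
    if sep and not rd_part.isdigit():
        raise ValueError(f"route domain ID must be a non-negative integer: {text!r}")
    rd = int(rd_part) if sep else 0
    return RdAddress(ipaddress.ip_address(host), rd)


def gtm_server_address(self_ip: str) -> str:
    """Address to enter in the GTM server object's Address List.

    The Important notes in the procedures above require the route domain ID
    to be left out, so '10.10.10.1%1' becomes '10.10.10.1'.
    """
    return str(parse_rd_address(self_ip).ip)


def check_ltm_self_ip(self_ip: str, route_domain_id: int) -> bool:
    """True when a self IP carries the %n suffix of the route domain it serves.

    A self IP without a suffix lands in route domain 0, so a missing suffix
    is a common reason a route-domain server shows no status in GTM.
    """
    return parse_rd_address(self_ip).rd == route_domain_id


def find_overlaps(self_ips: list) -> dict:
    """Group self IPs that become identical once the route domain ID is stripped.

    Returns {gtm_address: [route domain IDs]} for every address that occurs in
    more than one route domain. These are exactly the cases for which the
    multiple-route-domain chapter requires firewall address translation and
    disabled virtual server discovery: GTM would otherwise see one address
    for two distinct back ends.
    """
    seen = defaultdict(list)
    for self_ip in self_ips:
        parsed = parse_rd_address(self_ip)
        seen[str(parsed.ip)].append(parsed.rd)
    return {ip: sorted(rds) for ip, rds in seen.items() if len(rds) > 1}


if __name__ == "__main__":
    # Constructed sample: Application1 and Application2 reuse 10.10.10.1 in
    # route domains 1 and 2, as in Figure 8.
    sample = ["10.10.10.1%1", "10.10.10.1%2", "10.10.10.2%1", "2001:db8::1%2"]
    for s in sample:
        print(f"{s:>16} -> GTM address {gtm_server_address(s)}")
    print("overlapping after stripping the route domain ID:", find_overlaps(sample))
```

Run the block as a script to see the mapping; the overlap report is the list of addresses for which the firewalls in Figure 8 must translate, since GTM has no route-domain notion of its own.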

Chapter 13: Authenticating with SSL Certificates Signed by a Third Party

• Overview: Authenticating with SSL certificates signed by a third party
• Configuring Level 1 SSL authentication
• Implementation Results
• Configuring certificate chain SSL authentication
• Implementation result

Overview: Authenticating with SSL certificates signed by a third party

BIG-IP® systems use Secure Sockets Layer (SSL) authentication to verify the authenticity of the credentials of systems with which data exchange is necessary.

BIG-IP software includes a self-signed SSL certificate. If your network includes one or more certificate authority (CA) servers, you can also install SSL certificates that are signed by a third party. The BIG-IP systems exchange SSL certificates, and use a CA server to verify the authenticity of the certificates.

The big3d agent on all BIG-IP systems and the gtmd agent on BIG-IP Global Traffic Manager™ (GTM™) systems use the certificates to authenticate communication between the systems.

About SSL authentication levels

SSL supports ten levels of authentication (also known as certificate depth):

• Level 0 certificates (self-signed certificates) are verified by the system to which they belong.
• Level 1 certificates are authenticated by a CA server that is separate from the system.
• Levels 2 - 9 certificates are authenticated by additional CA servers that verify the authenticity of other servers. These multiple levels of authentication (referred to as certificate chains) allow for a tiered verification system that ensures that only authorized communications occur between servers.

Configuring Level 1 SSL authentication

You can configure BIG-IP® systems for Level 1 SSL authentication. Before you begin, ensure that the systems you are configuring include the following:

• A signed certificate/key pair.
• The root certificate from the CA server.

Task Summary

Importing the device certificate
Importing the root certificate for the gtmd agent
Importing the root certificate for the big3d agent
Verifying the certificate exchange

Importing the device certificate

To configure the BIG-IP® system for Level 1 SSL authentication, import the device certificate signed by the CA server.

Note: Perform this procedure on all BIG-IP® systems that you want to handle Level 1 SSL authentication.

1. On the Main tab, click System > Device Certificates.
The Device Certificate screen opens.

2. Click Import.
3. From the Import Type list, select Certificate and Key.
4. For the Certificate Source setting, select Upload File and browse to select the certificate signed by the CA server.
5. For the Key Source setting, select Upload File and browse to select the device key file.
6. Click Import.

Importing the root certificate for the gtmd agent

Before you start this procedure, ensure that you have the root certificate from your CA server available.

To set up the system to use a third-party certificate signed by a CA server, replace the existing certificate file for the gtmd agent with the root certificate of your CA server.

Note: Perform this procedure on only one BIG-IP® GTM™ system in the synchronization group. The system automatically synchronizes the setting with the other systems in the group.

1. On the Main tab, click Global Traffic > Servers > Trusted Server Certificates.
The Trusted Server Certificates screen opens.

2. Click Import.
3. From the Import Method list, select Replace.
4. For the Certificate Source setting, select Upload File and browse to select the root certificate file.
5. Click Import.

Importing the root certificate for the big3d agent

Before you start this procedure, ensure that the root certificate from your CA server is available.

Note: Perform this procedure on all BIG-IP® systems that you want to configure for Level 1 SSL authentication.

1. On the Main tab, click System > Device Certificates > Trusted Device Certificates.
The Trusted Device Certificates screen opens.

2. Click Import.
3. From the Import Method list, select Replace.
4. For the Certificate Source setting, select Upload File and browse to select the certificate signed by the CA server.
5. Click Import.

Verifying the certificate exchange

You can verify that you installed the certificate correctly, by running the following commands on all BIG-IP® systems that you configured for Level 1 SSL authentication.

iqdump <IP address of BIG-IP you are testing>
iqdump <IP address of BIG-IP peer system, if testing a redundant system configuration>

If the certificate was installed correctly, these commands display a continuous stream of information.

Implementation Results

The BIG-IP® systems are now configured for Level 1 SSL authentication.

Configuring certificate chain SSL authentication

You can configure BIG-IP® systems for certificate chain SSL authentication.

Task Summary

Creating a certificate chain file
Importing the device certificate from the last CA server in the chain
Importing a certificate chain file for the gtmd agent
Importing a certificate chain for the big3d agent
Verifying the certificate chain exchange

Creating a certificate chain file

Before you start this procedure, ensure that you have the certificate files from your CA servers available.

Create a certificate chain file that you can use to replace the existing certificate file.

1. Using a text editor, create an empty file for the certificate chain.
2. Still using a text editor, copy an individual certificate from its own certificate file and paste the certificate into the file you created in step 1.
3. Repeat step 2 for each certificate that you want to include in the certificate chain.

You now have a certificate chain file.
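Added example, written for this guide and not F5 code: a Python helper that performs the copy-and-paste procedure above programmatically and checks the result before it is imported as a trusted certificate file. Each pasted block is verified to be a complete, correctly framed PEM certificate whose base64 body decodes to exactly one DER SEQUENCE (which catches truncated or stray-character paste errors), and input containing private key material is refused, because the chain file is imported as a trusted certificate list and must never carry a key. The PEM blocks in the sample are constructed from a minimal DER SEQUENCE, not real certificates, so the example runs offline.

```python
"""Build and sanity-check a PEM certificate chain file, as in the
'Creating a certificate chain file' procedure above.

Added example for this guide; not F5 code. The sample PEM blocks are
constructed (a minimal DER SEQUENCE, not real certificates).
"""
import base64
import re

_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _der_total_length(der: bytes) -> int:
    """Length of the outermost DER element (tag + length octets + content)."""
    if len(der) < 2:
        raise ValueError("DER data too short")
    first = der[1]
    if first < 0x80:                     # short-form length
        return 2 + first
    num = first & 0x7F                   # long form: number of length octets
    if num == 0 or len(der) < 2 + num:
        raise ValueError("malformed DER length")
    return 2 + num + int.from_bytes(der[2:2 + num], "big")


def extract_certificates(pem_text: str) -> list:
    """Return every CERTIFICATE block in pem_text, re-wrapped to 64 columns.

    Each block is base64-decoded and checked to be exactly one DER SEQUENCE
    (tag 0x30) whose encoded length matches the decoded size.
    """
    blocks = []
    for body in _PEM_CERT.findall(pem_text):
        b64 = "".join(body.split())
        der = base64.b64decode(b64, validate=True)
        if not der or der[0] != 0x30 or _der_total_length(der) != len(der):
            raise ValueError("PEM block is not a single DER SEQUENCE")
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return blocks


def build_chain_file(cert_texts: list) -> str:
    """Concatenate the certificates from each input text, in the order given.

    Refuses input that carries private key material: the chain file is
    imported as a trusted certificate list and must never contain a key.
    """
    chain = []
    for text in cert_texts:
        if "PRIVATE KEY-----" in text:
            raise ValueError("private key material must not be pasted into the chain file")
        certs = extract_certificates(text)
        if not certs:
            raise ValueError("input contains no CERTIFICATE block")
        chain.extend(certs)
    return "".join(chain)


def chain_depth(chain_text: str) -> int:
    """Number of certificates in the chain file (the certificate depth, in the
    sense of the authentication levels described at the start of the chapter)."""
    return len(extract_certificates(chain_text))


def _fake_cert_pem(payload: bytes) -> str:
    """Constructed PEM wrapper around a tiny DER SEQUENCE; not a real certificate."""
    der = b"\x30" + bytes([len(payload)]) + payload
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


INTERMEDIATE_PEM = _fake_cert_pem(b"\x02\x01\x01")   # constructed sample
ROOT_PEM = _fake_cert_pem(b"\x02\x01\x02")           # constructed sample

if __name__ == "__main__":
    chain = build_chain_file([INTERMEDIATE_PEM, ROOT_PEM])
    print(chain)
    print("certificates in chain:", chain_depth(chain))
```

Pass the certificate files to build_chain_file in the order the procedure describes (one certificate per paste, from the CA closest to the device up to the root); the function keeps that order and only rejects malformed or unsafe input.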

Importing the device certificate from the last CA server in the chain

Import the device certificate signed by the last CA in the certificate chain.

Note: Perform this procedure on all BIG-IP systems that you want to configure for certificate chain SSL authentication.

1. On the Main tab, click System > Device Certificates.
The Device Certificate screen opens.

2. Click Import.
3. From the Import Type list, select Certificate and Key.
4. For the Certificate Source setting, select Upload File and browse to select the certificate signed by the CA server.
5. For the Key Source setting, select Upload File and browse to select the device key file.
6. Click Import.

Importing a certificate chain file for the gtmd agent

Before you start this procedure, ensure that you have the certificate chain file available.

Replace the existing certificate file on the system with a certificate chain file.

Note: Perform this procedure on only one BIG-IP® GTM™ in a synchronization group. The system automatically synchronizes the setting with the other systems in the group.

1. On the Main tab, click Global Traffic > Servers > Trusted Server Certificates.
The Trusted Server Certificates screen opens.

2. Click Import.
3. From the Import Method list, select Replace.
4. For the Certificate Source setting, select Upload File and browse to select the device certificate for the last CA in the certificate chain.
5. Click Import.

Importing a certificate chain for the big3d agent

Before you start this procedure, ensure that the certificate chain file is available.

Note: Perform this procedure on all BIG-IP® systems that you want to configure for certificate chain SSL authentication.

1. On the Main tab, click System > Device Certificates > Trusted Device Certificates.
The Trusted Device Certificates screen opens.

2. Click Import.
3. From the Import Method list, select Replace.
4. For the Certificate Source setting, select Upload File and browse to select the certificate chain file.
5. Click Import.

Verifying the certificate chain exchange

You can verify that you installed the certificate chain correctly, by running the following commands on all the systems you configure for certificate chain SSL authentication.

iqdump <IP address of BIG-IP you are testing>
iqdump <IP address of BIG-IP peer system, if testing a redundant system configuration>

If the certificate chain was installed correctly, these commands display a continuous stream of information.


Implementation result

The BIG-IP® systems are now configured for certificate chain SSL authentication. For information about troubleshooting BIG-IP device certificates, see SOL8187 on AskF5.com (www.askf5.com).

Chapter 14: Configuring the Save Interval for GTM Configuration Changes

• Overview: Configuring the interval at which GTM saves configuration changes
• Task summary
• Implementation result

Overview: Configuring the interval at which GTM saves configuration changes

By default, configuration changes to the BIG-IP® Global Traffic Manager™ (GTM™) are saved every 15 seconds. The changes are saved in the bigip_gtm.conf file. You can change how often GTM saves configuration changes.

Task summary

Perform this task to configure the interval at which GTM automatically saves configuration changes.

Configuring the GTM save interval

Configuring the GTM save interval

Ensure that GTM is provisioned, and that your user role provides access to tmsh.

Configure the BIG-IP® GTM system to automatically save configuration changes made in the Configuration utility and tmsh at a user-specified interval.

1. Log on to the command-line interface of the BIG-IP system.
2. At the BASH prompt, type tmsh.
3. At the tmsh prompt, type modify gtm global-settings general automatic-configuration-save-timeout <desired automatic save interval in seconds>, and then press Enter.
The following options are worth noting:

• 0 (zero) = immediately save changes
• -1 = never save changes
• 86400 = maximum interval between automatic saves
• 15 = default interval between automatic saves

Warning: Setting automatic-configuration-save-timeout to less than 10 seconds can impact system performance.

Implementation result

You now have an implementation in which the BIG-IP® system automatically saves GTM configuration changes at an interval you specified.

Chapter 15: Configuring a TTL in a DNS NoError Response

• Overview: Configuring a TTL in an IPv6 DNS NoError Response
• About SOA records and negative caching
• Task summary
• Implementation result

Overview: Configuring a TTL in an IPv6 DNS NoError Response

You can configure BIG-IP® GTM™ to return IPv6 DNS NoError responses that include a TTL. This allows local DNS servers to cache the negative response. Negative caching reduces both the response time for negative DNS responses and the number of messages that must be sent between resolvers and local DNS servers.

About SOA records and negative caching

A start of authority (SOA) record contains a TTL that allows a local DNS server to cache a DNS NoError response to an IPv6 query.

Task summary

You can configure GTM™ to provide a negative caching TTL for a domain name by performing these specific tasks.

Creating a pool
Creating a wide IP that provides for negative caching

Creating a pool

Ensure that at least one virtual server exists in the configuration before you start to create a load balancing pool.

Create a pool to which the system can load balance global traffic.

1. On the Main tab, click Global Traffic > Pools.
The Pools list screen opens.

2. Click Create.
3. Type a name for the pool.

Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.

Important: The pool name is limited to 63 characters.

4. Add virtual servers as members of this load balancing pool.
The system evaluates the virtual servers (pool members) in the order in which they are listed. A virtual server can belong to more than one pool.
a) Select a virtual server from the Virtual Server list.
b) Click Add.

5. Click Finished.


Creating a wide IP that provides for negative caching

Ensure that at least one global load balancing pool exists in the configuration before you create a wide IP.

Create a wide IP configured in a manner where GTM™ returns an SOA record, containing a TTL, with an IPv6 DNS NoError response. This allows the local DNS servers to cache the negative response, and thus provide faster responses to DNS queries.

1. On the Main tab, click Global Traffic > Wide IPs.
The Wide IPs List screen opens.

2. Click Create.
The New Wide IP screen opens.

3. From the General Properties list, select Advanced.
This selection allows you to modify additional default settings.

4. In the Name field, type a name for the wide IP.

Tip: You can use two different wildcard characters in the wide IP name: asterisk (*) to represent several characters and question mark (?) to represent a single character. This reduces the number of aliases you have to add to the configuration.

5. From the IPv6 NoError Response list, select Enabled.
With this option enabled, the system responds faster to IPv6 requests for which it does not have AAAA records configured.

6. In the IPv6 NoError TTL field, type the number of seconds that the local DNS servers consider the IPv6 NoError response to be valid.
When you set this value, you must enable the IPv6 NoError Response setting as well.

7. From the Pool list, select the pools that this wide IP uses for load balancing.
The system evaluates the pools based on the wide IP load balancing method configured.
a) From the Pool list, select a pool.

A pool can belong to more than one wide IP.

b) Click Add.

8. Click Finished.

Implementation result

You now have an implementation in which GTM™ returns a TTL in an IPv6 DNS NoError response for a web site represented by a wide IP in the GTM configuration.
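Added example, written for this guide and not BIG-IP GTM code: a simplified Python model of what the IPv6 NoError Response and IPv6 NoError TTL settings above change on the wire, and of how a local DNS server's negative cache uses the result. It serves both the "About SOA records and negative caching" overview and the wide IP procedure: the GTM side answers an AAAA query for an IPv4-only wide IP with NOERROR and an SOA record in the authority section carrying the configured TTL; the resolver side derives its negative-caching time from that SOA as RFC 2308 section 3 specifies (the lesser of the SOA TTL and the SOA MINIMUM field), and the simulation counts how many queries reach GTM with and without the TTL. Names, addresses, timings and the SOA MINIMUM value are constructed.

```python
"""Model of an IPv6 DNS NoError (NODATA) response with and without the SOA
TTL that the wide IP settings above provide, and of a local DNS server's
negative cache consuming it.

Added example for this guide; a simplified model, not BIG-IP GTM code.
Names, addresses and timings are constructed.
"""
from dataclasses import dataclass


@dataclass
class WideIP:
    name: str
    a_records: list                       # IPv4 answers the wide IP can return
    ipv6_noerror_response: bool = False   # wide IP setting "IPv6 NoError Response"
    ipv6_noerror_ttl: int = 0             # wide IP setting "IPv6 NoError TTL" (seconds)


def answer_aaaa(wip: WideIP, soa_minimum: int = 3600) -> dict:
    """Answer an AAAA query for a wide IP that only has A records.

    With IPv6 NoError Response enabled, the reply carries an SOA record in the
    authority section whose TTL is the configured IPv6 NoError TTL; without
    it, the reply is a bare NOERROR with no SOA, which gives a local DNS
    server nothing to cache. soa_minimum is a constructed zone value.
    """
    response = {"rcode": "NOERROR", "answer": [], "authority": []}
    if wip.ipv6_noerror_response:
        response["authority"].append(
            {"type": "SOA", "ttl": wip.ipv6_noerror_ttl, "minimum": soa_minimum})
    return response


def negative_cache_ttl(response: dict) -> int:
    """Seconds a resolver may cache a NODATA reply: per RFC 2308 section 3 the
    minimum of the SOA TTL and the SOA MINIMUM field. 0 means not cacheable."""
    for rr in response["authority"]:
        if rr["type"] == "SOA":
            return min(rr["ttl"], rr["minimum"])
    return 0


class LocalDNS:
    """A local DNS server with a negative cache, forwarding AAAA queries to GTM."""

    def __init__(self, wip: WideIP):
        self.wip = wip
        self.cache = {}            # (qname, qtype) -> expiry time in seconds
        self.upstream_queries = 0  # how many queries actually reached GTM

    def resolve_aaaa(self, qname: str, now: int) -> dict:
        key = (qname, "AAAA")
        if key in self.cache and now < self.cache[key]:
            return {"rcode": "NOERROR", "answer": [], "authority": [], "cached": True}
        self.upstream_queries += 1
        response = answer_aaaa(self.wip)
        ttl = negative_cache_ttl(response)
        if ttl > 0:
            self.cache[key] = now + ttl
        return response


def upstream_queries_over(wip: WideIP, seconds: int, every: int = 5) -> int:
    """Queries a local DNS server sends to GTM when a client asks for the
    wide IP's AAAA record every `every` seconds for `seconds` seconds."""
    server = LocalDNS(wip)
    for now in range(0, seconds, every):
        server.resolve_aaaa(wip.name, now)
    return server.upstream_queries


if __name__ == "__main__":
    # Constructed sample: an IPv4-only web site behind wide IP www.example.com.
    without = WideIP("www.example.com", ["192.0.2.10"])
    with_ttl = WideIP("www.example.com", ["192.0.2.10"], True, 60)
    print("no TTL: ", upstream_queries_over(without, 300), "queries reach GTM in 5 min")
    print("TTL 60s:", upstream_queries_over(with_ttl, 300), "queries reach GTM in 5 min")
```

The gap between the two counts is the "number of messages" saving the overview describes; the configured TTL is also the longest a client will be told NODATA after AAAA records are added to the wide IP, which is the trade-off to weigh when choosing the value.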

Chapter 16: Configuring DNS64

• Overview: Configuring DNS64
• Task summary
• Implementation result

Overview: Configuring DNS64

You can configure BIG-IP® Local Traffic Manager™ (LTM) and BIG-IP® Global Traffic Manager™ (GTM) systems to handle IPv6-only client connection requests to IPv4-only servers on your network by returning an AAAA record response to the client.

Figure 9: Mapping IPv6 addresses to IPv4 addresses

Task summary

Perform these tasks to configure DNS64 on a BIG-IP system.

Creating a custom DNS profile
Assigning a DNS profile to a virtual server

Creating a custom DNS profile

You can create a custom DNS profile to configure how the BIG-IP® system handles DNS connection requests.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS.
The DNS profile list screen opens.

2. Click Create.
The New DNS profile screen opens.

3. In the Name field, type a unique name for the profile.
4. In the Parent Profile list, accept the default dns profile.
5. Select the Custom check box.
6. In the Global Traffic Management list, accept the default value Enabled.
7. From the DNS IPv6 to IPv4 list, select how you want the system to handle IPv6 to IPv4 address mapping in DNS queries and responses.

Option     Description
Disabled   The BIG-IP system does not map IPv4 addresses to IPv6 addresses.
Immediate  The BIG-IP system receives an AAAA query and forwards the query to a DNS server. The BIG-IP system then forwards the first good response from the DNS server to the client. If the system receives an A response first, it appends a 96-bit prefix to the record and forwards it to the client. If the system receives an AAAA response first, it simply forwards the response to the client. The system disregards the second response from the DNS server.
Secondary  The BIG-IP system receives an AAAA query and forwards the query to a DNS server. Only if the server fails to return a response does the BIG-IP system send an A query. If the BIG-IP system receives an A response, it appends a 96-bit user-configured prefix to the record and forwards it to the client.
v4 Only    The BIG-IP system receives an AAAA query, but forwards an A query to a DNS server. After receiving an A response from the server, the BIG-IP system appends a 96-bit user-configured prefix to the record and forwards it to the client. Important: Select this option only if you know that all your DNS servers are IPv4 only servers.

If you selected Immediate, Secondary, or V4 Only, two new fields display.
8. In the IPv6 to IPv4 Prefix field, specify the prefix the BIG-IP system appends to all A query responses to an IPv6 request.
9. From the IPv6 to IPv4 Additional Section Rewrite list, select an option to allow improved network efficiency for both Unicast and Multicast DNS-SD responses.

Option    Description
Disabled  The BIG-IP system does not perform additional rewrite.
v4 Only   The BIG-IP system accepts only A records. The system appends the 96-bit user-configured prefix to a record and returns an IPv6 response to the client.
v6 Only   The BIG-IP system accepts only AAAA records and returns an IPv6 response to the client.
Any       The BIG-IP system accepts and returns both A and AAAA records. If the DNS server returns an A record in the Additional section of a DNS message, the BIG-IP system appends the 96-bit user-configured prefix to the record and returns an IPv6 response to the client.

10. From the Use BIND Server on BIG-IP list, select Enabled.

Note: Enable this setting only when you want the system to forward non-wide IP queries to the local BIND server on BIG-IP GTM.

11. Click Finished.
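Added example, written for this guide and not BIG-IP code: a Python model of the address synthesis that step 8 configures and of the three DNS IPv6 to IPv4 modes in step 7, run against a scripted upstream DNS server so that the queries each mode sends are visible. The prefix is the RFC 6052 well-known prefix 64:ff9b::/96, used here as a constructed value for the IPv6 to IPv4 Prefix field; the zone data is constructed. For "Immediate" the model assumes the upstream's AAAA answer arrives first when it has AAAA records, otherwise the A answer is the first good response; the real ordering depends on the server. The reverse mapping is included because it is what you need when reading NAT64 or firewall logs that show synthesized addresses.

```python
"""DNS64 synthesis and the DNS IPv6 to IPv4 profile modes described above,
modelled against a scripted upstream DNS server.

Added example for this guide; a simplified model, not BIG-IP code. The
upstream records are constructed; 64:ff9b::/96 is the RFC 6052 well-known
prefix, used here as the "IPv6 to IPv4 Prefix".
"""
import ipaddress

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(a_addr: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("the DNS64 prefix must be a /96")
    v4 = int(ipaddress.IPv4Address(a_addr))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract_ipv4(aaaa_addr: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX):
    """Reverse mapping for reading NAT64/firewall logs: the embedded IPv4
    address, or None if the address is not inside the prefix."""
    v6 = ipaddress.IPv6Address(aaaa_addr)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


class UpstreamDNS:
    """Scripted authoritative data; records every query it receives."""

    def __init__(self, records: dict):
        self.records = records   # (name, qtype) -> list of addresses
        self.queries = []        # (name, qtype) in the order they arrived

    def query(self, name: str, qtype: str) -> list:
        self.queries.append((name, qtype))
        return list(self.records.get((name, qtype), []))


def resolve_aaaa(name: str, mode: str, upstream: UpstreamDNS,
                 prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> list:
    """Handle a client's AAAA query under one DNS IPv6 to IPv4 mode.

    Modelling assumption for "Immediate": the AAAA answer is the first good
    response when the upstream holds AAAA records, otherwise the A answer is.
    """
    if mode == "Disabled":
        return upstream.query(name, "AAAA")
    if mode == "Immediate":
        aaaa = upstream.query(name, "AAAA")
        a = upstream.query(name, "A")           # both queries go out
        if aaaa:
            return aaaa                         # AAAA arrived first; A is discarded
        return [synthesize_aaaa(x, prefix) for x in a]
    if mode == "Secondary":
        aaaa = upstream.query(name, "AAAA")
        if aaaa:
            return aaaa                         # A query is never sent
        return [synthesize_aaaa(x, prefix) for x in upstream.query(name, "A")]
    if mode == "v4 Only":
        return [synthesize_aaaa(x, prefix) for x in upstream.query(name, "A")]
    raise ValueError(f"unknown DNS IPv6 to IPv4 mode {mode!r}")


def make_upstream() -> UpstreamDNS:
    """Constructed sample zone: an IPv4-only host and a dual-stack host."""
    return UpstreamDNS({
        ("v4only.example.com", "A"): ["192.0.2.33"],
        ("dual.example.com", "A"): ["198.51.100.7"],
        ("dual.example.com", "AAAA"): ["2001:db8::7"],
    })


if __name__ == "__main__":
    for mode in ("Disabled", "Immediate", "Secondary", "v4 Only"):
        up = make_upstream()
        answer = resolve_aaaa("v4only.example.com", mode, up)
        print(f"{mode:<10} answer={answer} upstream queries={up.queries}")
```

The query log printed for each mode is the practical difference between them: "v4 Only" never asks for AAAA, which is why the table warns to select it only when every upstream server is IPv4 only, while "Secondary" costs a second round trip only for names without AAAA records.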

Assigning a DNS profile to a virtual server

1. On the Main tab, click Local Traffic > Virtual Servers.
The Virtual Server List screen opens.

2. Click the name of the virtual server you want to modify.

89

BIG-IP® Global Traffic Manager™: Implementations

3. From the DNS Profile list, select the profile you created to manage IPv6 to IPv4 address mapping.

4. Click Update.

This virtual server can now pass traffic between an IPv6-only client and an IPv4-only DNS server.

Implementation result

You now have an implementation of DNS64 on the BIG-IP® system.


Chapter 17: Configuring DNSSEC

• Overview: Configuring DNSSEC
• Task summary
• Implementation result

Overview: Configuring DNSSEC

You can use BIG-IP® Global Traffic Manager™ (GTM™) to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol. To configure DNSSEC compliance, you create DNSSEC key-signing and zone-signing keys and a DNSSEC zone. Then you assign at least one enabled key-signing key and one enabled zone-signing key to the zone.

Figure 10: Traffic flow when BIG-IP GTM is DNSSEC authoritative nameserver

How do I prepare for a manual rollover of a DNSSEC key?

When you create DNSSEC key-signing keys and DNSSEC zone-signing keys, it is important to create a disabled standby version of each key that has a similar name. To do so, associate both pairs of keys with the same zone. This prepares you to easily perform a manual rollover of the keys should an enabled key become compromised.

About enhancing DNSSEC key security

To enhance DNSSEC key security, BIG-IP® Global Traffic Manager™ (GTM™) uses an automatic key rollover process that uses overlapping generations of a key to ensure that BIG-IP GTM can always respond to queries with DNSSEC-compliant responses. BIG-IP GTM dynamically creates new generations of each key based on the values of the Rollover Period and Expiration Period of the key.

The first generation of a key has an ID of 0 (zero). Each time BIG-IP GTM dynamically creates a new generation of a key, the ID increments by one. Over time, each generation of a key overlaps the previous generation of the key. When a generation of a key expires, BIG-IP GTM automatically removes that generation of the key from the configuration. The value of the TTL (time-to-live) of a key specifies how long a client resolver can cache the key.


Figure 11: Overlapping generations of a key

Task summary

Perform these tasks on BIG-IP® GTM™ to secure your DNS infrastructure.

Creating listeners to identify DNS traffic
Creating DNSSEC key-signing keys
Creating DNSSEC zone-signing keys
Creating DNSSEC zones
Confirming that GTM is signing DNSSEC records
Viewing DNSSEC records in ZoneRunner

Creating listeners to identify DNS traffic

Create two listeners to identify DNS traffic for which BIG-IP GTM is responsible. Create one listener that uses the UDP protocol and one that uses the TCP protocol.

Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP, the client might receive the error: connection refused or TCP RSTs.

1. On the Main tab, click Global Traffic > Listeners.
The Listeners List screen opens.

2. Click Create.
The new Listeners screen opens.


3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic.
The destination is a self IP address on BIG-IP GTM.

4. Click Finished.

Create another listener with the same IP address, but select TCP from the Protocol list.

Creating DNSSEC key-signing keys

Ensure that the time setting on GTM™ is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria:

• The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.

• The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.

• The difference between the values of the rollover and expiration periods must be more than the value of the TTL.

Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.

Create key-signing keys for BIG-IP® GTM™ to use in the DNSSEC authentication process.

1. On the Main tab, click Global Traffic > DNSSEC Key List.
The DNSSEC Key List screen opens.

2. Click Create.
The New DNSSEC Key screen opens.

3. In the Name field, type a name for the key.
Zone names are limited to 63 characters.

4. From the Algorithm list, select the algorithm the system uses to create the key. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.

5. In the Bit Width field, type 2048.

6. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.

7. From the Type list, select Key Signing Key.

8. From the State list, select Enabled.

9. In the TTL field, accept the default value of 86400 (the number of seconds in one day).
This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.

10. For the Rollover Period setting, in the Days field, type 340.

11. For the Expiration Period setting, in the Days field, type 365.
Zero seconds indicates not set, and thus the key does not expire.

Tip: The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.

12. For the Signature Validity Period setting, accept the default value of seven days.


This value must be greater than the value of the signature publication period.
Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.

13. For the Signature Publication Period setting, accept the default value of four days and 16 hours.
This value must be less than the value of the signature validity period.
Zero seconds indicates not set, and thus the signature is not cached.

14. Click Finished.

15. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating DNSSEC zone-signing keys

Ensure that the time setting on GTM™ is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria:

• The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.

• The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.

• The difference between the values of the rollover and expiration periods must be more than the value of the TTL.

Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.

Create zone-signing keys for BIG-IP® GTM™ to use in the DNSSEC authentication process.

1. On the Main tab, click Global Traffic > DNSSEC Key List.
The DNSSEC Key List screen opens.

2. Click Create.
The New DNSSEC Key screen opens.

3. In the Name field, type a name for the key.
Zone names are limited to 63 characters.

4. In the Bit Width field, type 1024.

5. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.

6. From the Type list, select Zone Signing Key.

7. From the State list, select Enabled.

8. In the TTL field, accept the default value of 86400 (the number of seconds in one day).
This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.

9. For the Rollover Period setting, in the Days field, type 21.

10. For the Expiration Period setting, in the Days field, type 30.
Zero seconds indicates not set, and thus the key does not expire.

11. For the Signature Validity Period setting, accept the default value of seven days.


This value must be greater than the value of the signature publication period.
Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.

12. For the Signature Publication Period setting, accept the default value of four days and 16 hours.
This value must be less than the value of the signature validity period.
Zero seconds indicates not set, and thus the signature is not cached.

13. Click Finished.

14. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.
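The rollover, expiration and TTL criteria shared by the key-signing and zone-signing key procedures, checked against the values those procedures use, together with a model of the overlapping key generations described under "About enhancing DNSSEC key security". This is an added example, not F5 code: the KeyTiming class and the schedule it assumes (generation n created at n times the rollover period and removed one expiration period after its creation) follow the text, not BIG-IP internals.

```python
"""DNSSEC key timing checks and generation-overlap model (constructed example)."""
from dataclasses import dataclass
from typing import List, Tuple

DAY = 86400  # seconds; the default key TTL in the procedures


@dataclass(frozen=True)
class KeyTiming:
    name: str
    rollover_days: int
    expiration_days: int        # 0 means "not set": the key never expires
    ttl_seconds: int = DAY

    def problems(self) -> List[str]:
        """Return the criteria from the procedure that this timing violates."""
        rollover = self.rollover_days * DAY
        expiration = self.expiration_days * DAY
        found: List[str] = []
        if expiration == 0:
            return found  # no expiration, so nothing to roll over against
        if not rollover > expiration / 2:
            found.append("rollover period must be greater than half the expiration period")
        if not rollover < expiration:
            found.append("rollover period must be less than the expiration period")
        if not (expiration - rollover) > self.ttl_seconds:
            # Otherwise a resolver may still cache a generation the server has removed.
            found.append("expiration minus rollover must be greater than the TTL")
        return found


def overlap_days(timing: KeyTiming) -> int:
    """Days during which two consecutive generations are both published."""
    return timing.expiration_days - timing.rollover_days


def generations(timing: KeyTiming, horizon_days: int) -> List[Tuple[int, int, int]]:
    """(generation id, created day, removed day) for every generation created
    before the horizon. The first generation has ID 0 and each new one adds 1."""
    if timing.expiration_days == 0:
        raise ValueError("a key with no expiration has a single generation")
    out: List[Tuple[int, int, int]] = []
    gen_id = 0
    while gen_id * timing.rollover_days < horizon_days:
        created = gen_id * timing.rollover_days
        out.append((gen_id, created, created + timing.expiration_days))
        gen_id += 1
    return out


def active_generations(timing: KeyTiming, day: int) -> List[int]:
    """IDs of the generations still in the configuration on a given day."""
    return [g for g, created, removed in generations(timing, day + 1)
            if created <= day < removed]


# Values used in the two procedures above.
KSK = KeyTiming("ksk", rollover_days=340, expiration_days=365)
ZSK = KeyTiming("zsk", rollover_days=21, expiration_days=30)

if __name__ == "__main__":
    for key in (KSK, ZSK):
        print(key.name, key.problems() or "ok", "overlap", overlap_days(key), "days")
    print("ZSK generations active on day 25:", active_generations(ZSK, 25))
```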

Creating DNSSEC zones

Before BIG-IP® GTM™ can sign zone requests, you must assign at least one enabled zone-signing and one enabled key-signing key to the zone.

1. On the Main tab, click Global Traffic > DNSSEC Zone List.
The DNSSEC Zone List screen opens.

2. Click Create.
The New DNSSEC Zone screen opens.

3. In the Name field, type a domain name.
For example, use a zone name of siterequest.com to handle DNSSEC requests for www.siterequest.com and *.www.siterequest.com.

4. From the State list, select Enabled.

5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone.
You can associate the same zone-signing key with multiple zones.

6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone.
You can associate the same key-signing key with multiple zones.

7. Click Finished.
Even if you selected Enabled from the State list, if there are not at least one zone-signing and one key-signing key in the Active column, the status of the zone changes to offline.

8. Upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone.
You can find the DS records in the file /config/gtm/dsset-[dnssec.zone.name] (where zone is the name of the zone you are configuring).



Confirming that GTM is signing DNSSEC records

After you create DNSSEC zones and zone-signing keys, you can confirm that GTM™ is signing the DNSSEC records.

1. Log on to the command-line interface of a client.

2. At the prompt, type: dig @<IP address of GTM listener> +dnssec siterequest.com

GTM returns the signed RRSIG records for the zone.

Viewing DNSSEC records in ZoneRunner

Ensure that all DNSSEC records are added to the BIND configuration.

View the DNSSEC records using ZoneRunner™.

1. On the Main tab, click Global Traffic > ZoneRunner > Resource Record List.
The Resource Record List screen opens.

2. From the View Name list, select the name of the view that contains the resource records you want to view.

3. From the Zone Name list, select the zone for which you want to view resource records.

4. From the Type list, select the type of resource records you want to view.

5. Click Search.

View the resource records that display.

Implementation result

BIG-IP® GTM™ is now configured to respond to DNS queries with DNSSEC-compliant responses.


Chapter 18: Configuring DNS Express

• How do I configure DNS Express?
• Task summary
• Implementation result

How do I configure DNS Express?

You can configure DNS Express™ on BIG-IP® systems to mitigate distributed denial-of-service attacks (DDoS) and increase the volume of DNS request resolutions on both the local BIND server on the BIG-IP system and any back-end DNS servers.

What is DNS Express?

DNS Express™ provides the ability for a BIG-IP® system to act as a high-speed, authoritative secondary DNS server. This makes it possible for the system to:

• Perform zone transfers from multiple primary DNS servers that are responsible for different zones.

• Perform a zone transfer from the local BIND server on the BIG-IP system.

• Serve DNS records faster than the primary DNS servers.

Task summary

Perform these tasks to configure DNS Express™ on your BIG-IP® system.

Configuring a back-end DNS server to allow zone file transfers
Creating a DNS Express TSIG key
Creating a DNS Express zone
Enabling DNS Express
Assigning a DNS profile to a listener
Viewing information about DNS Express zones

Configuring a back-end DNS server to allow zone file transfers

If you are unfamiliar with how to modify DNS server files, review the fifth edition of DNS and BIND, available from O’Reilly Media.

To configure a back-end DNS server to allow zone file transfers to the BIG-IP® system, add to the DNS server an allow-transfer statement that specifies a self IP address on the BIG-IP system.

You can modify the following allow-transfer statement to use a self IP address on the BIG-IP system:

allow-transfer { localhost; <self IP address of BIG-IP system>; };

Creating a DNS Express TSIG key

Ensure that your back-end DNS servers are configured for zone file transfers using TSIG keys.


When you want to verify the identity of the authoritative server that is sending information about the zone, create a DNS Express™ TSIG key.

Note: This step is optional.

1. On the Main tab, click Local Traffic > DNS Express Zones > DNS Express TSIG Key List.
The DNS Express TSIG Key List screen opens.

2. Click Create.
The New DNS Express TSIG Key screen opens.

3. In the Name field, type a name for the key.

4. From the Algorithm list, select one of the following.
The system uses the algorithm that you select to authenticate updates from an approved client and responses from an approved recursive nameserver. The algorithm is a hash function in combination with the secret key.

Algorithm Name    Description

HMAC MD5          Produces a 128-bit hash sequence

HMAC SHA-1        Produces a 160-bit hash sequence

HMAC SHA-256      Produces a 256-bit hash sequence

5. In the Secret field, type the phrase required for authentication of the key.

Note: The secret key is created by a third party tool such as BIND’s keygen utility.

6. Click Finished.
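What the selected algorithm and secret are used for: computing and verifying the TSIG MAC on a message such as a NOTIFY from the authoritative server. This is an added example, not F5 code; it follows the RFC 2845 digest layout, and the key name, secret, sample NOTIFY message and timestamps are constructed.

```python
"""TSIG MAC computation and verification for HMAC-MD5, HMAC-SHA1 and HMAC-SHA256
(constructed example)."""
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# TSIG algorithm names (as carried in the TSIG RR) -> hash function.
ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int.": hashlib.md5,     # 128-bit MAC
    "hmac-sha1.": hashlib.sha1,                    # 160-bit MAC
    "hmac-sha256.": hashlib.sha256,                # 256-bit MAC
}


def encode_name(name: str) -> bytes:
    """Wire form of a domain name in canonical (lower-case) form."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.lower().rstrip(".").split(".") if label)
    return out + b"\x00"


def tsig_variables(key_name: str, algorithm: str, time_signed: int,
                   fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """The TSIG RR fields covered by the MAC: NAME, CLASS=ANY(255), TTL=0,
    algorithm name, 48-bit time signed, fudge, error, other data."""
    return (encode_name(key_name)
            + struct.pack("!HI", 255, 0)
            + encode_name(algorithm)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_mac(secret: bytes, algorithm: str, key_name: str, message: bytes,
             time_signed: int, fudge: int, request_mac: bytes = b"") -> bytes:
    """MAC over the DNS message (with the TSIG RR removed and ARCOUNT
    decremented) followed by the TSIG variables. A response is additionally
    prefixed with the length and MAC of the request it answers."""
    data = b""
    if request_mac:
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(secret, data, ALGORITHMS[algorithm]).digest()


def verify_tsig(secret: bytes, algorithm: str, key_name: str, message: bytes,
                time_signed: int, fudge: int, mac: bytes,
                now: Optional[int] = None, request_mac: bytes = b"") -> Tuple[bool, str]:
    """Receiver-side check: constant-time MAC comparison first, then the
    time window, returning the TSIG error name a server would report."""
    expected = tsig_mac(secret, algorithm, key_name, message,
                        time_signed, fudge, request_mac)
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG"
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


# Constructed sample: a NOTIFY for example.com (opcode 4, AA set, one question
# of type SOA, class IN) and a throwaway secret.
SAMPLE_NOTIFY = (struct.pack("!HHHHHH", 0x1234, 0x2400, 1, 0, 0, 0)
                 + encode_name("example.com.") + struct.pack("!HH", 6, 1))
SAMPLE_SECRET = b"constructed-secret-do-not-deploy"
SAMPLE_KEY = "bigip-xfer-key."
SAMPLE_TIME = 1700000000

if __name__ == "__main__":
    for alg in ALGORITHMS:
        mac = tsig_mac(SAMPLE_SECRET, alg, SAMPLE_KEY, SAMPLE_NOTIFY, SAMPLE_TIME, 300)
        print(alg, len(mac) * 8, "bits",
              verify_tsig(SAMPLE_SECRET, alg, SAMPLE_KEY, SAMPLE_NOTIFY,
                          SAMPLE_TIME, 300, mac, now=SAMPLE_TIME + 100))
```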

Creating a DNS Express zone

If you are using back-end DNS servers, ensure that those servers are configured for zone transfers.

To implement DNS Express™ on a BIG-IP® system, create a DNS Express zone.

1. On the Main tab, click Local Traffic > DNS Express Zones > DNS Express Zone List.
The DNS Express Zone List screen opens.

2. Click Create.
The New DNS Express Zone screen opens.

3. In the Name field, type a name for the DNS Express zone.

4. In the Target IP Address field, type the IP address of the current master DNS server for the zone from which you want to transfer records.
The default value 127.0.0.1 is for the BIND server on the BIG-IP system.

5. To configure the system to verify the identity of the authoritative server that is sending information about the zone, from the TSIG Key list, select a key.

6. To specify an action for the BIG-IP system to take when it receives a NOTIFY message from a DNS server on which a zone has been updated, from the Notify Action list, select one of the following.

Action     Description

Consume    The BIG-IP system processes the NOTIFY message and does not pass the NOTIFY message to the back end DNS server.


Bypass     The BIG-IP system does not process the NOTIFY message, but instead sends the NOTIFY message to a back end DNS server (subject to DNS profile unhandled-query-action).

Repeat     The BIG-IP system processes the NOTIFY message and sends the NOTIFY message to a back end DNS server.

Tip: If a TSIG Key is configured, the signature is only validated for Consume and Repeat actions. NOTIFY responses are assumed to be sent by a backend DNS resource, except when the action is Consume and DNS Express generates a response.

7. Click Finished.

Enabling DNS Express

Create a custom DNS profile that enables DNS Express™, only if you want to use a back-end DNS server for name resolution while the BIG-IP system handles queries for wide IPs and DNS Express zones.

Note: If you plan to use the BIND server on BIG-IP GTM™, you can use the default dns profile.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS.
The DNS profile list screen opens.

2. Click Create.
The New DNS profile screen opens.

3. Name the profile dns_express.

4. In the Parent Profile list, accept the default dns profile.

5. Select the Custom check box.

6. In the Global Traffic Management list, accept the default value Enabled.

7. From the DNS Express list, select Enabled.

8. From the Unhandled Query Actions list, select how you want the BIG-IP system to handle a query that is not for a wide IP or DNS Express zone.

Option      Description

Allow       The BIG-IP system forwards the connection request to another DNS server or DNS server pool. Note that if a DNS server pool is not associated with a listener and the Use BIND Server on BIG-IP option is set to enabled, connection requests are forwarded to the local BIND server. (Allow is the default value.)

Drop        The BIG-IP system does not respond to the query.

Reject      The BIG-IP system returns the query with the REFUSED return code.

Hint        The BIG-IP system returns the query with a list of root name servers.

No Error    The BIG-IP system returns the query with the NOERROR return code.

9. From the Use BIND Server on BIG-IP list, select Disabled.

10. Click Finished.

Assign the profile to virtual servers or listeners.


Assigning a DNS profile to a listener

If you plan to use the BIND server on the BIG-IP® system, you can assign the default DNS profile (dns) to the listener. If you plan to use a back-end DNS server and you created a custom DNS Express™ profile, you can assign it to the listener.

1. On the Main tab, click Global Traffic > Listeners.
The Listeners List screen opens.

2. Click the name of the listener you want to modify.

3. From the DNS Profile list, select either dns or a custom DNS profile configured for DNS Express.

4. Click Finished.

Viewing information about DNS Express zones

You can view information about the zones that are protected by DNS Express™.

1. On the Main tab, click Statistics > Module Statistics > Local Traffic.
The Local Traffic statistics screen opens.

2. From the Statistics Type list, select DNS Express Zones.
Information displays about the DNS Express zones.

Record type         Description

SOA Records         Displays start of authority record information.

Resource Records    Displays the number of resource records for the zone.

Implementation result

You now have an implementation in which the BIG-IP® system helps to mitigate DDoS attacks on your network and to resolve more DNS queries faster.


Chapter 19: Caching DNS Responses from External Resolvers

• Overview: Improving DNS performance by caching responses from external resolvers
• Task summary
• Implementation result

Overview: Improving DNS performance by caching responses from external resolvers

You can configure a transparent cache on the BIG-IP® system to use external DNS resolvers to resolve queries, and then cache the responses from the resolvers. The next time the system receives a query for a response that exists in the cache, the system immediately returns the response from the cache. The transparent cache contains messages and resource records.

A transparent cache in the BIG-IP system consolidates content that would otherwise be cached across multiple external resolvers. When a consolidated cache is in front of external resolvers (each with their own cache), it can produce a much higher cache hit percentage.

F5 Networks recommends that you configure the BIG-IP system to forward queries, which cannot be answered from the cache, to a pool of local DNS servers rather than the local BIND instance because BIND performance is slower than using multiple external resolvers.

Note: For systems using the DNS Express™ feature, the BIG-IP system first processes the requests through DNS Express, and then caches the responses.

Important: The DNS Cache feature is available only when the BIG-IP system is licensed for DNS Services.

Figure 12: BIG-IP system using transparent cache

Task summary

Perform these tasks to configure a transparent cache on the BIG-IP® system.


Creating a transparent DNS cache
Creating a custom DNS profile for transparent DNS caching
Assigning a custom DNS profile to a GTM listener
Creating a custom DNS monitor
Creating a pool of local DNS servers
Determining DNS cache performance
Clearing a DNS cache

Creating a transparent DNS cache

Ensure that the BIG-IP system is licensed for DNS Services.

Create a transparent cache on the BIG-IP® system when you want the system to cache DNS responses from external DNS resolvers.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List.
The DNS Cache List screen opens.

2. Click Create.
The New DNS Cache screen opens.

3. In the Name field, type a name for the cache.

4. From the Resolver Type list, select Transparent.

5. Click Finished.

Associate the DNS cache with a custom DNS profile.

Creating a custom DNS profile for transparent DNS caching

Ensure that at least one transparent cache exists on the BIG-IP® system.

You can create a custom DNS profile to configure the BIG-IP system to cache responses to DNS queries.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS.
The DNS profile list screen opens.

2. Click Create.
The New DNS profile screen opens.

3. In the Name field, type a unique name for the profile.

4. In the Parent Profile list, accept the default dns profile.

5. Select the Custom check box.

6. From the Use BIND Server on BIG-IP list, select Disabled.

7. From the DNS Cache list, select Enabled.
When you enable the DNS Cache option, you must also select a DNS cache from the DNS Cache Name list.

8. From the DNS Cache Name list, select the DNS cache that you want to associate with this profile.
You can associate a DNS cache with a profile, even when the DNS Cache option is Disabled. Use this option to enable and disable the cache for debugging purposes.

9. Click Finished.


Assign the custom DNS profile to the virtual server that handles the DNS traffic from which you want to cache responses.

Assigning a custom DNS profile to a GTM listener

Ensure that at least one custom DNS profile that is configured for DNS caching exists on the BIG-IP® system.

Assign a custom DNS profile to a listener when you want the BIG-IP system to perform DNS caching on traffic that the listener handles.

Note: This task applies only to GTM™-provisioned systems.

1. On the Main tab, click Global Traffic > Listeners.
The Listeners List screen opens.

2. Click the name of the listener you want to modify.

3. From the DNS Profile list, select a custom DNS profile configured for DNS caching.

4. Click Update.

Creating a custom DNS monitor

Create a custom DNS monitor to send DNS requests, generated using the settings you specify, to a pool of DNS servers and validate the DNS responses.

Important: When defining values for custom monitors, make sure you avoid using any values that are on the list of reserved keywords. For more information, see solution number 3653 (for version 9.0 systems and later) on the AskF5™ technical support web site.

1. On the Main tab, click Local Traffic > Monitors.
The Monitor List screen opens.

2. Click Create.
The New Monitor screen opens.

3. Type a name for the monitor in the Name field.

4. From the Type list, select DNS.

5. In the Query Name field, type the domain name that you want the monitor to query.

6. From the Configuration list, select Advanced.
This selection makes it possible for you to modify additional default settings.

7. Configure settings based on your network requirements.

8. Click Finished.

Creating a pool of local DNS servers

Ensure that at least one custom DNS monitor exists on the BIG-IP® system. Gather the IP addresses of the DNS servers that you want to include in a pool to which the BIG-IP® system load balances DNS traffic.

Create a pool of local DNS servers when you want to load balance DNS requests to back end DNS servers.


1. On the Main tab, click Local Traffic > Pools.
The Pool List screen opens.

2. Click Create.
The New Pool screen opens.

3. In the Name field, type a unique name for the pool.

4. For the Health Monitors setting, from the Available list, select the custom DNS monitor you created, and click << to move the monitor to the Active list.

5. Using the New Members setting, add each resource that you want to include in the pool:
a) Either type an IP address in the Address field, or select a node address from the Node List.
b) Type a port number in the Service Port field, or select a service name from the list.
c) To specify a priority group, type a priority number in the Priority field.
d) Click Add.

6. Click Finished.

Determining DNS cache performance

You can view statistics to determine how well a DNS cache on the BIG-IP® system is performing.

1. On the Main tab, click Statistics > Module Statistics > Local Traffic.
The Local Traffic statistics screen opens.

2. From the Statistics Type list, select DNS Cache.

3. In the Details column for a cache, click View, to display detailed information about the cache.

4. To return to the Local Traffic Statistics screen, click Back.

Viewing records in a DNS cache

You can view records in a DNS cache to determine how well a specific cache on the BIG-IP® system is performing.

1. Log in to the command-line interface of the BIG-IP system.

2. At the BASH prompt, type: tmsh.

3. At the tmsh prompt, type: show ltm dns cache records rrset cache <cache name>, and press Enter.
For example, the command sequence: show ltm dns cache records rrset cache my_transparent_cache, displays the resource records in the cache named my_transparent_cache.

Viewing DNS cache statistics using tmsh

You can view DNS cache statistics using tmsh to determine how well a specific cache on the BIG-IP® system is performing.

1. Log in to the command-line interface of the BIG-IP system.

2. At the BASH prompt, type tmsh.

3. At the tmsh prompt, type show ltm dns cache, and press Enter.
Statistics for all of the DNS caches on the BIG-IP system display.

4. At the tmsh prompt, type show ltm dns cache <cache-type>, and press Enter.


For example, the command sequence show ltm dns cache transparent, displays statistics for each of the transparent caches on the system.

5. At the tmsh prompt, type show ltm dns cache <cache type> <cache name>, and press Enter.
For example, the command sequence, show ltm dns cache transparent my_t1, displays statistics for the transparent cache on the system named my_t1.

Managing transparent cache size

Determine the amount of memory the BIG-IP® system has and how much of that memory you want to commit to DNS caching. View the statistics for a cache to determine how well the cache is working.

You can change the size of a DNS cache to fix cache performance issues.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List.
The DNS Cache List screen opens.

2. Click the name of the cache you want to modify.
The Properties screen opens.

3. In the Message Cache Size field, type the maximum size in bytes for the DNS message cache.
The BIG-IP system caches the messages in a DNS response in the message cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage.

Important: The message cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field.

4. In the Resource Record Cache Size field, type the maximum size in bytes for the DNS resource record cache.
The BIG-IP system caches the supporting records in a DNS response in the Resource Record cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage.

Important: The resource record cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field.

5. Click Finished.

Clearing a DNS cache

You can clear all records from a specific DNS cache on the BIG-IP® system.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List.
The DNS Cache List screen opens.

2. On the menu bar, click Statistics.
The Local Traffic Statistics screen opens.

3. Select the check box next to the cache you want to clear, and then click Clear Cache.


Clearing specific records from a DNS cache

You can clear specific records from a DNS cache using tmsh. For example, you can delete all RRSET records or only the A records in the specified cache.

Tip: In tmsh, you can use the command completion feature to discover the types of records that are available for deletion.

1. Log in to the command-line interface of the BIG-IP® system.

2. At the BASH prompt, type tmsh.

3. At the tmsh prompt, type ltm dns cache records, and press Enter to navigate to the dns cache records module.

4. Type delete <cache-type> type <record-type> cache <cache-name>, and press Enter.
For example, the command sequence delete rrset type a cache my_resolver_cache, deletes the A records from the resource record cache of the resolver cache named my_resolver_cache.

Implementation result

You now have an implementation in which the BIG-IP® system caches DNS responses from external DNS resolvers, and answers queries for a cached response. Additionally, the system forwards DNS queries that cannot be answered from the cache to a pool of local DNS servers.


Chapter 20: Resolving DNS Queries and Caching Responses

• Overview: Improving DNS performance by resolving queries and caching responses
• Task summary
• Implementation result

Overview: Improving DNS performance by resolving queries and caching responses

You can configure a resolver cache on the BIG-IP® system to resolve DNS queries and cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the response from the cache. The resolver cache contains messages, resource records, and the nameservers the system queries to resolve DNS queries.

Important: The DNS Cache feature is available only when the BIG-IP system is licensed for DNS Services.

Figure 13: BIG-IP system using resolver cache


Task summary

Perform these tasks to configure a resolver cache on the BIG-IP® system.

Creating a resolver DNS cache
Creating a custom DNS profile for DNS resolving and caching
Assigning a custom DNS profile to a GTM listener
Determining DNS cache performance
Clearing a DNS cache

Creating a resolver DNS cache

Ensure that the BIG-IP system is licensed for DNS Services.

Create a resolver cache on the BIG-IP® system when you want the system to resolve DNS queries and cache responses.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens.
2. Click Create. The New DNS Cache screen opens.
3. In the Name field, type a name for the cache.
4. From the Resolver Type list, select Resolver.
5. Click Finished.

Associate the DNS cache with a custom DNS profile.

Creating a custom DNS profile for DNS resolving and caching

Ensure that at least one DNS cache exists on the BIG-IP® system.

You can create a custom DNS profile to configure the BIG-IP® system to cache responses to DNS connection requests.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens.
2. Click Create. The New DNS profile screen opens.
3. In the Name field, type a unique name for the profile.
4. Select the Custom check box.
5. From the Use BIND Server on BIG-IP list, select Disabled.
6. From the DNS Cache list, select Enabled.
   When you enable the DNS Cache option, you must also select a DNS cache from the DNS Cache Name list.
7. From the DNS Cache Name list, select the DNS cache that you want to associate with this profile.
   You can associate a DNS cache with a profile even when the DNS Cache option is Disabled; this lets you turn the cache on and off for debugging without removing the association.


8. Click Finished.

Assign the custom DNS profile to the virtual server handling the DNS traffic, which includes the responses to queries that you want to cache.

Assigning a custom DNS profile to a GTM listener

Ensure that at least one custom DNS profile that is configured for DNS caching exists on the BIG-IP® system.

Assign a custom DNS profile to a listener when you want the BIG-IP system to perform DNS caching on traffic that the listener handles.

Note: This task applies only to GTM™-provisioned systems.

1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click the name of the listener you want to modify.
3. From the DNS Profile list, select a custom DNS profile configured for DNS caching.
4. Click Update.

Determining DNS cache performance

You can view statistics to determine how well a DNS cache on the BIG-IP® system is performing.

1. On the Main tab, click Statistics > Module Statistics > Local Traffic. The Local Traffic statistics screen opens.
2. From the Statistics Type list, select DNS Cache.
3. In the Details column for a cache, click View to display detailed information about the cache.
4. To return to the Local Traffic Statistics screen, click Back.

Viewing records in a DNS cache

You can view records in a DNS cache to determine how well a specific cache on the BIG-IP® system is performing.

1. Log in to the command-line interface of the BIG-IP system.
2. At the BASH prompt, type tmsh.
3. At the tmsh prompt, type show ltm dns cache records rrset cache <cache name>, and press Enter.
   For example, the command show ltm dns cache records rrset cache my_transparent_cache displays the resource records in the cache named my_transparent_cache.

Viewing DNS cache statistics using tmsh

You can view DNS cache statistics using tmsh to determine how well a specific cache on the BIG-IP® system is performing.


1. Log in to the command-line interface of the BIG-IP system.
2. At the BASH prompt, type tmsh.
3. At the tmsh prompt, type show ltm dns cache, and press Enter. Statistics for all of the DNS caches on the BIG-IP system display.
4. At the tmsh prompt, type show ltm dns cache <cache-type>, and press Enter.
   For example, the command show ltm dns cache transparent displays statistics for each of the transparent caches on the system.
5. At the tmsh prompt, type show ltm dns cache <cache-type> <cache-name>, and press Enter.
   For example, the command show ltm dns cache transparent my_t1 displays statistics for the transparent cache on the system named my_t1.

Managing cache size

Determine the amount of memory the BIG-IP® system has and how much you want to commit to DNS caching. View the statistics for a cache to determine how well the cache is working.

You can change the size of a DNS cache to fix cache performance issues.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens.
2. Click the name of the cache you want to modify. The Properties screen opens.
3. In the Message Cache Size field, type the maximum size in bytes for the DNS message cache.
   The BIG-IP system caches the messages in a DNS response in the message cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, which can lower the cache hit percentage.

Important: The message cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field.

4. In the Resource Record Cache Size field, type the maximum size in bytes for the DNS resource record cache.
   The BIG-IP system caches the supporting records in a DNS response in the Resource Record cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, which can lower the cache hit percentage.

Important: The resource record cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field.

5. In the Nameserver Cache Count field, type the maximum number of DNS nameservers for which the BIG-IP® system caches connection and capability data.

Important: The nameserver cache count includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the count by eight and put that value in this field.

6. In the Unsolicited Reply Threshold field, change the default value if you are using the BIG-IP® system to monitor for unsolicited replies using SNMP.
   The system always rejects unsolicited replies. The default value of 0 (off) means the system does not generate SNMP traps or log messages when it rejects them. A nonzero value makes the system generate an SNMP trap and a log message each time it has rejected that many unsolicited replies, which can alert you to a potential attack such as cache poisoning or DoS. For example, if you specify 1,000,000, the system generates a trap and a log message for every 1,000,000 unsolicited replies it rejects.

7. Click Update.

Clearing a DNS cache

You can clear all records from a specific DNS cache on the BIG-IP® system.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens.
2. On the menu bar, click Statistics. The Local Traffic Statistics screen opens.
3. Select the check box next to the cache you want to clear, and then click Clear Cache.

Clearing specific records from a DNS cache

You can clear specific records from a DNS cache using tmsh. For example, you can delete all RRSET records or only the A records in the specified cache.

Tip: In tmsh, you can use the command completion feature to discover the types of records that are available for deletion.

1. Log in to the command-line interface of the BIG-IP® system.
2. At the BASH prompt, type tmsh.
3. At the tmsh prompt, type ltm dns cache records, and press Enter to navigate to the dns cache records module.
4. Type delete <cache-type> type <record-type> cache <cache-name>, and press Enter.
   For example, the command delete rrset type a cache my_resolver_cache deletes the A records from the resource record cache of the resolver cache named my_resolver_cache.

Implementation result

You now have an implementation in which the BIG-IP® system acts as a DNS resolver, caches DNS responses, and answers queries for a cached response from the cache.


Chapter 21: Resolving DNS Queries and Caching Validated Responses

• Overview: Resolving queries and caching validated responses
• Task summary
• Implementation result

Overview: Resolving queries and caching validated responses

You can configure a validating resolver cache on the BIG-IP® system to recursively query public DNS servers, use DNSSEC to validate the responses, and then cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the DNSSEC-validated response from the cache. The validating resolver cache contains messages, resource records, the nameservers the system queries to resolve DNS queries, and DNSSEC keys.

Using the validating resolver cache, the BIG-IP system mitigates cache poisoning by validating DNS responses using DNSSEC. This is important, because attackers can attempt to populate a DNS cache with erroneous data that redirects clients to fake web sites, or downloads malware and viruses to client computers. DNSSEC validation proves that the records were signed by the zone's key and were not altered in transit; it does not authenticate the server that sent the response. When an authoritative server signs a DNS response, the validating resolver verifies the signatures against its configured trust anchors before entering the data into the cache. Additionally, the validating resolver cache includes a built-in filter and detection mechanism that rejects unsolicited DNS responses.

Important: The DNS Cache feature is available only when the BIG-IP system is licensed for DNS Services.

Figure 14: BIG-IP system using validating resolver cache


Task summary

Perform these tasks to configure a validating resolver cache on the BIG-IP® system.
Creating a validating resolver DNS cache
Creating a custom DNS profile for validating resolver DNS caching
Assigning a custom DNS profile to a GTM listener
Determining DNS cache performance
Clearing a DNS cache

Creating a validating resolver DNS cache

Ensure that the BIG-IP system is licensed for DNS Services.

Create a validating resolver cache on the BIG-IP® system when you want the system to resolve DNS queries, use DNSSEC to validate the responses, and cache the responses.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens.
2. Click Create. The New DNS Cache screen opens.
3. In the Name field, type a name for the cache.
4. From the Resolver Type list, select Validating Resolver.
5. Click Finished.

Associate the DNS cache with a custom DNS profile.

Obtaining a trust or DLV anchor

Gather the IP addresses of the authoritative name servers for the signed zones from which you want to obtain trust or DLV anchors.

Obtain a trust or DLV anchor for each signed zone for which you want the BIG-IP® system to cache a validated response.

1. From the BASH prompt of a BIG-IP system, type dig @<IP address of an authoritative server for the zone> . DNSKEY and press Enter (the single period is the root zone; substitute the name of another signed zone to fetch its keys). The server returns the zone's DNSKEY records; the key-signing key (flags value 257) is the one to use as the trust anchor.
2. Copy the anchor.

Because this query is itself unauthenticated, confirm that the key you copied matches the DS record or key tag that the zone operator publishes out of band (for the root zone, the trust anchor published by IANA) before you add it to the validating resolver.
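A check worth running before pasting the copied key into the Trust Anchors screen, as an added example (not part of the original document and not F5 code): parse the DNSKEY line that dig printed, compute its key tag and SHA-256 DS digest as RFC 4034 defines them, and compare both with the values the zone operator publishes out of band. The two DNSKEY lines below are constructed samples with a deliberately tiny key so the arithmetic can be followed by hand; they are not real keys, and the anchor format the BIG-IP system requires is not reproduced here.

```python
import base64
import hashlib
import struct

# Constructed sample (not a real key): a DNSKEY RR for the root zone in the
# presentation format that `dig @<server> . DNSKEY` prints. Flags 257 marks a
# key-signing key, protocol is always 3, algorithm 8 is RSA/SHA-256.
SAMPLE_KSK_LINE = ".\t172800\tIN\tDNSKEY\t257 3 8 AQIDBA=="
# Same key material with flags 256: a zone-signing key, not usable as an anchor.
SAMPLE_ZSK_LINE = ".\t172800\tIN\tDNSKEY\t256 3 8 AQIDBA=="


def parse_dnskey(line):
    """Split a DNSKEY RR in presentation format into (owner, flags, protocol, algorithm, key_bytes)."""
    fields = line.split()
    if "DNSKEY" not in fields:
        raise ValueError("not a DNSKEY record: %r" % line)
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))  # dig may wrap the key across fields
    return fields[0], flags, protocol, algorithm, key


def dnskey_rdata(flags, protocol, algorithm, key):
    """Wire-format RDATA of a DNSKEY RR (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """Key tag from RFC 4034 appendix B (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Owner name in uncompressed, lower-cased wire format, as the DS computation requires."""
    labels = name.rstrip(".").lower()
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels.split(".")) if labels else b""
    return out + b"\x00"


def ds_digest(owner, rdata, algo="sha256"):
    """DS digest = hash(owner name in wire format || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return hashlib.new(algo, owner_wire(owner) + rdata).hexdigest().upper()


def anchor_summary(line):
    """Describe a fetched DNSKEY: owner, whether it is a KSK, its key tag and SHA-256 DS digest."""
    owner, flags, protocol, algorithm, key = parse_dnskey(line)
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    zone_key, sep = bool(flags & 0x0100), bool(flags & 0x0001)  # RFC 4034 s2.1.1 / RFC 3757
    return {
        "owner": owner,
        "is_ksk": protocol == 3 and zone_key and sep,
        "algorithm": algorithm,
        "key_tag": key_tag(rdata),
        "ds_sha256": ds_digest(owner, rdata),
    }


def check_anchor(line, expected_key_tag, expected_ds_sha256):
    """True only if the fetched key is a KSK and both its tag and DS match the published values."""
    s = anchor_summary(line)
    return (s["is_ksk"]
            and s["key_tag"] == expected_key_tag
            and s["ds_sha256"] == expected_ds_sha256.upper())


if __name__ == "__main__":
    s = anchor_summary(SAMPLE_KSK_LINE)
    print("owner=%s ksk=%s tag=%d ds=%s" % (s["owner"], s["is_ksk"], s["key_tag"], s["ds_sha256"]))
```

For the real root zone, run anchor_summary over the line dig returned and compare key_tag and ds_sha256 with the root trust anchor that IANA publishes; a mismatch means either the copied line is damaged or the server that answered is not serving the genuine key, and in neither case should the key be added.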

Adding a trust anchor to a validating resolver DNS cache

Ensure that you have copied trust anchors in the format required by the BIG-IP® system, for any signed zones that you want to add to a validating resolver.

A validating resolver uses at least one trust anchor to validate DNS responses.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List.The DNS Cache List screen opens.


2. Click the name of the cache you want to modify. The Properties screen opens.
3. On the menu bar, click Trust Anchors. The Trust Anchors screen opens.
4. Click Add.
5. In the Trust Anchor field, paste the trust anchor that you copied from the signed zone.

Important: The trust anchor must be in the format required by the BIG-IP system.

6. Click Finished.
7. For each additional trust anchor that you want to add to the validating resolver, repeat steps 4-6.

The validating resolver can now validate the content of DNS responses from the zones for which you added trust anchors.

Adding a DLV anchor to a validating resolver DNS cache

A validating resolver needs a DLV anchor to validate DNS responses from a signed zone that has no chain of trust from one of its configured trust anchors. DNSSEC Lookaside Validation (DLV, RFC 5074) lets the resolver look up that zone's DS data in a separate DLV registry zone instead of in the zone's parent. DLV was a transitional mechanism: the public ISC DLV registry was retired after the root and most top-level domains were signed, so in current deployments a root trust anchor normally suffices.

Note: Ensure that you have copied DLV anchors in the format required by the BIG-IP® system, for any DLV registry zone that you add to a validating resolver.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens.
2. Click the name of the cache you want to modify. The Properties screen opens.
3. On the menu bar, click DLV Anchors. The DLV Anchors screen opens.
4. Click Add.
5. In the DLV Anchor field, paste the DLV anchor that you want to add to the validating resolver.

Important: The DLV anchor must be in the format required by the BIG-IP system.

6. Click Finished.
7. For each additional DLV anchor that you want to add to the validating resolver, repeat steps 4-6.

The validating resolver can now validate the content of DNS responses from the zones for which you added DLV anchors.

Creating a custom DNS profile for validating resolver DNS caching

Ensure that at least one DNS cache exists on the BIG-IP® system.

You can create a custom DNS profile to configure the BIG-IP® system to cache responses to DNS connection requests.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens.
2. Click Create. The New DNS profile screen opens.


3. In the Name field, type a unique name for the profile.
4. In the Parent Profile list, accept the default dns profile.
5. Select the Custom check box.
6. From the Use BIND Server on BIG-IP list, select Disabled.
7. From the DNS Cache list, select Enabled.
   When you enable the DNS Cache option, you must also select a DNS cache from the DNS Cache Name list.
8. From the DNS Cache Name list, select the DNS cache that you want to associate with this profile.
   You can associate a DNS cache with a profile even when the DNS Cache option is Disabled; this lets you turn the cache on and off for debugging without removing the association.

9. Click Finished.

Assign the custom DNS profile to the virtual server that handles the DNS traffic that includes the responses to queries that you want to cache.

Assigning a custom DNS profile to a GTM listener

Ensure that at least one custom DNS profile that is configured for DNS caching exists on the BIG-IP® system.

Assign a custom DNS profile to a listener when you want the BIG-IP system to perform DNS caching on traffic that the listener handles.

Note: This task applies only to GTM™-provisioned systems.

1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click the name of the listener you want to modify.
3. From the DNS Profile list, select a custom DNS profile configured for DNS caching.
4. Click Update.

Determining DNS cache performance

You can view statistics to determine how well a DNS cache on the BIG-IP® system is performing.

1. On the Main tab, click Statistics > Module Statistics > Local Traffic. The Local Traffic statistics screen opens.
2. From the Statistics Type list, select DNS Cache.
3. In the Details column for a cache, click View to display detailed information about the cache.
4. To return to the Local Traffic Statistics screen, click Back.

Viewing records in a DNS cache

You can view records in a DNS cache to determine how well a specific cache on the BIG-IP® system is performing.

1. Log in to the command-line interface of the BIG-IP system.
2. At the BASH prompt, type tmsh.
3. At the tmsh prompt, type show ltm dns cache records rrset cache <cache name>, and press Enter.
   For example, the command show ltm dns cache records rrset cache my_transparent_cache displays the resource records in the cache named my_transparent_cache.

Viewing DNS cache statistics using tmsh

You can view DNS cache statistics using tmsh to determine how well a specific cache on the BIG-IP® system is performing.

1. Log in to the command-line interface of the BIG-IP system.
2. At the BASH prompt, type tmsh.
3. At the tmsh prompt, type show ltm dns cache, and press Enter. Statistics for all of the DNS caches on the BIG-IP system display.
4. At the tmsh prompt, type show ltm dns cache <cache-type>, and press Enter.
   For example, the command show ltm dns cache transparent displays statistics for each of the transparent caches on the system.
5. At the tmsh prompt, type show ltm dns cache <cache-type> <cache-name>, and press Enter.
   For example, the command show ltm dns cache transparent my_t1 displays statistics for the transparent cache on the system named my_t1.

Viewing DNS cache statistics in the Configuration utility

Ensure that you have created a DNS cache and a DNS profile and have assigned the profile to either an LTM virtual server or a GTM listener.

You can view DNS cache statistics to determine how well a specific cache on the BIG-IP® system is performing.

1. On the Main tab, click Statistics > Module Statistics > Local Traffic. The Local Traffic statistics screen opens.
2. From the Statistics Type list, select DNS Cache.
3. In the Details column for a cache, click View to display detailed information about the cache.
4. To determine if the cache is too small, view the number in the Evictions column.
5. To return to the Local Traffic Statistics screen, click Back.

Managing cache size

Determine the amount of memory the BIG-IP® system has and how much you want to commit to DNS caching. View the statistics for a cache to determine how well the cache is working.

You can change the size of a DNS cache to fix cache performance issues.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens.
2. Click the name of the cache you want to modify. The Properties screen opens.
3. In the Message Cache Size field, type the maximum size in bytes for the DNS message cache.
   The BIG-IP system caches the messages in a DNS response in the message cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, which can lower the cache hit percentage.

Important: The message cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field.

4. In the Resource Record Cache Size field, type the maximum size in bytes for the DNS resource record cache.
   The BIG-IP system caches the supporting records in a DNS response in the Resource Record cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, which can lower the cache hit percentage.

Important: The resource record cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field.

5. In the Nameserver Cache Count field, type the maximum number of DNS nameservers for which the BIG-IP® system caches connection and capability data.

Important: The nameserver cache count includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the count by eight and put that value in this field.

6. In the Unsolicited Reply Threshold field, change the default value if you are using the BIG-IP® system to monitor for unsolicited replies using SNMP.
   The system always rejects unsolicited replies. The default value of 0 (off) means the system does not generate SNMP traps or log messages when it rejects them. A nonzero value makes the system generate an SNMP trap and a log message each time it has rejected that many unsolicited replies, which can alert you to a potential attack such as cache poisoning or DoS. For example, if you specify 1,000,000, the system generates a trap and a log message for every 1,000,000 unsolicited replies it rejects.

7. Click Update.

Clearing a DNS cache

You can clear all records from a specific DNS cache on the BIG-IP® system.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens.
2. On the menu bar, click Statistics. The Local Traffic Statistics screen opens.
3. Select the check box next to the cache you want to clear, and then click Clear Cache.

Clearing specific records from a DNS cache

You can clear specific records from a DNS cache using tmsh. For example, you can delete all RRSET records or only the A records in the specified cache.

Tip: In tmsh, you can use the command completion feature to discover the types of records that are available for deletion.

1. Log in to the command-line interface of the BIG-IP® system.
2. At the BASH prompt, type tmsh.
3. At the tmsh prompt, type ltm dns cache records, and press Enter to navigate to the dns cache records module.
4. Type delete <cache-type> type <record-type> cache <cache-name>, and press Enter.
   For example, the command delete rrset type a cache my_resolver_cache deletes the A records from the resource record cache of the resolver cache named my_resolver_cache.

Implementation result

You now have an implementation in which the BIG-IP® system acts as a DNS resolver, verifies the validity of the responses, caches DNSSEC-validated responses, and answers queries for a cached response with a DNSSEC-validated response from the cache.


Chapter 22: Customizing a DNS Cache

• Overview: Customizing a DNS cache

Overview: Customizing a DNS cache

You can customize a DNS cache on the BIG-IP® system to meet specific network needs by changing the default values on the DNS cache settings.

Configuring a DNS cache to answer queries for local zones

You can configure a DNS cache on the BIG-IP® system to answer client requests for local zones.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens.
2. Click the name of the cache you want to modify. The Properties screen opens.
3. Select the Enabled check box for the Answer Default Zones setting when you want the BIG-IP® system to answer queries for the default zones: localhost, the reverse zones for 127.0.0.1 and ::1, and the AS112 zones.
4. Click Update.

Configuring a DNS cache to use specific root nameservers

You can configure a resolver or validating resolver DNS cache on the BIG-IP® system to use a specific server as an authoritative nameserver for the DNS root nameservers.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens.
2. Click the name of the cache you want to modify. The Properties screen opens.
3. In the Root Hints area, in the IP address field, type the IP address of a DNS server that the system considers authoritative for the DNS root nameservers, and then click Add.

Caution: By default, the system uses the DNS root nameservers published by InterNIC. When you add DNS root nameservers, the BIG-IP system no longer uses the default nameservers published by InterNIC, but uses the nameservers you add as authoritative for the DNS root nameservers.

   Based on your network configuration, add IPv4 or IPv6 addresses or both.

4. Click Update.

Configuring a DNS cache alert for cache poisoning

You can configure a resolver or validating resolver DNS cache on the BIG-IP® system to generate SNMP alerts and log messages when the cache receives unsolicited replies. This is helpful as an alert to a potential security attack, such as cache poisoning or DDoS.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens.
2. Click the name of the cache you want to modify. The Properties screen opens.
3. In the Unsolicited Reply Threshold field, change the default value if you are using the BIG-IP® system to monitor for unsolicited replies using SNMP.
   The system always rejects unsolicited replies. The default value of 0 (off) means the system does not generate SNMP traps or log messages when it rejects them. A nonzero value makes the system generate an SNMP trap and a log message each time it has rejected that many unsolicited replies, which can alert you to a potential attack such as cache poisoning or DoS. For example, if you specify 1,000,000, the system generates a trap and a log message for every 1,000,000 unsolicited replies it rejects.

4. Click Update.
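The filter and threshold behaviour described here (and in the Unsolicited Reply Threshold step of the Managing cache size procedures above), modelled as an added Python example that is not part of the original document and not F5's implementation. A reply is "unsolicited" when it matches no query the resolver currently has outstanding; the fields compared (transaction ID, question name and type, upstream server address, source port) are an assumption taken from standard resolver practice in RFC 5452, since the BIG-IP's internal matching is not documented here. The SNMP trap and log message are replaced by an in-memory alert list, and the queries and replies are constructed.

```python
from collections import namedtuple

# One outstanding upstream query and one reply, reduced to the fields a
# resolver compares (assumption following RFC 5452 section 9.1): transaction ID,
# question name and type, the upstream server address and the source port.
Query = namedtuple("Query", "txid qname qtype server port")
Reply = namedtuple("Reply", "txid qname qtype server port")


class UnsolicitedReplyMonitor:
    """Models the resolver cache's unsolicited-reply filter and its alert threshold.

    Every reply that does not match an outstanding query is rejected and never
    cached. With threshold == 0 nothing else happens; with threshold == N an
    alert is raised each time the rejection counter reaches a multiple of N.
    The real system sends an SNMP trap and writes a log message; here the alert
    text is appended to self.alerts so the behaviour can be checked offline.
    """

    def __init__(self, threshold=0):
        self.threshold = threshold
        self.outstanding = set()
        self.rejected = 0
        self.alerts = []

    @staticmethod
    def _key(msg):
        # DNS names are case-insensitive, so compare them lower-cased (assumption:
        # a resolver using 0x20 case randomization would compare case exactly).
        return (msg.txid, msg.qname.lower().rstrip("."), msg.qtype, msg.server, msg.port)

    def send_query(self, q):
        """Record a query sent to an upstream nameserver so its reply can be recognised."""
        self.outstanding.add(self._key(q))

    def receive_reply(self, r):
        """Return True if the reply is accepted into the cache, False if rejected as unsolicited."""
        key = self._key(r)
        if key in self.outstanding:
            self.outstanding.discard(key)  # a second copy of the same reply is unsolicited too
            return True
        self.rejected += 1
        if self.threshold and self.rejected % self.threshold == 0:
            self.alerts.append("%d unsolicited DNS replies rejected; possible cache poisoning "
                               "or DoS attempt" % self.rejected)
        return False


def simulate_poisoning_attempt(threshold=1000, forged=2500):
    """Constructed scenario: one legitimate exchange, then a flood of forged replies.

    Returns (legitimate_reply_accepted, replies_rejected, alerts_raised).
    """
    mon = UnsolicitedReplyMonitor(threshold)
    q = Query(txid=0x1234, qname="www.example.com.", qtype="A", server="192.0.2.53", port=40001)
    mon.send_query(q)
    accepted = mon.receive_reply(Reply(0x1234, "WWW.example.com.", "A", "192.0.2.53", 40001))
    # An attacker guesses transaction IDs for the same name. None match an outstanding
    # query, including a guess with the right ID, because that query was already answered.
    for i in range(forged):
        mon.receive_reply(Reply(i & 0xFFFF, "www.example.com.", "A", "192.0.2.53", 40001))
    return accepted, mon.rejected, len(mon.alerts)


if __name__ == "__main__":
    print(simulate_poisoning_attempt())
```

Pick the threshold relative to the cache's query rate: a value a busy resolver reaches only during a flood is useful, while one it reaches in normal operation produces a stream of traps, and one a small resolver never reaches produces no signal at all.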


Chapter 23: Configuring IP Anycast (Route Health Injection)

• Overview: Configuring IP Anycast (Route Health Injection)
• Task summary
• Implementation result

Overview: Configuring IP Anycast (Route Health Injection)

You can configure IP Anycast for DNS services on the BIG-IP® system to help mitigate distributed denial-of-service (DDoS) attacks, reduce DNS latency, improve the scalability of your network, and assist with traffic management. This configuration adds routes to and removes routes from the routing table based on availability. Advertising routes to virtual addresses based on the status of attached listeners is known as Route Health Injection (RHI).

Task summary

Perform these tasks to configure the BIG-IP® system for IP Anycast.
Enabling the ZebOS dynamic routing protocol
Creating a custom DNS profile
Configuring a listener for route advertisement
Verifying advertisement of the route

Enabling the ZebOS dynamic routing protocol

Before you enable ZebOS® dynamic routing on the BIG-IP® system:

• Ensure that the system license includes the Routing Bundle add-on.
• Ensure that ZebOS is configured correctly. If you need help, refer to the following resources on AskF5®:
  • TMOS® Management Guide for BIG-IP® Systems
  • Configuration Guide for the VIPRION® System
  • ZebOS® Advanced Routing Suite Configuration Guide

Enable ZebOS protocols to allow the BIG-IP system to dynamically learn routes.

1. Log on to the command-line interface of the BIG-IP system.
2. At the command prompt, type zebos enable <protocol_type> and press Enter. The system returns an enabled response.
3. To verify that the ZebOS dynamic routing protocol is enabled, at the command prompt, type zebos check and press Enter. The system returns a list of all enabled protocols.

Creating a custom DNS profile

Create a custom DNS profile based on your network configuration, to specify how you want the BIG-IP® system to handle non-wide IP DNS queries.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens.
2. Click Create. The New DNS profile screen opens.


3. In the Name field, type a unique name for the profile.
4. In the Parent Profile list, accept the default dns profile.
5. Select the Custom check box.
6. In the Global Traffic Management list, accept the default value Enabled.
7. From the Unhandled Query Actions list, select how you want the BIG-IP system to handle a query that is not for a wide IP or DNS Express zone.
   Allow: The BIG-IP system forwards the connection request to another DNS server or DNS server pool. Note that if a DNS server pool is not associated with a listener and the Use BIND Server on BIG-IP option is set to Enabled, connection requests are forwarded to the local BIND server. (Allow is the default value.)
   Drop: The BIG-IP system does not respond to the query.
   Reject: The BIG-IP system returns the query with the REFUSED return code.
   Hint: The BIG-IP system returns the query with a list of root name servers.
   No Error: The BIG-IP system returns the query with the NOERROR return code.

8. From the Use BIND Server on BIG-IP list, select Enabled.

Note: Enable this setting only when you want the system to forward non-wide IP queries to the local BIND server on BIG-IP GTM.

9. Click Finished.

Configuring a listener for route advertisement

Ensure that ZebOS® dynamic routing is enabled on BIG-IP® Global Traffic Manager™ (GTM).

To allow BIG-IP GTM to advertise the virtual address of a listener to the routers on your network, configure the listener for route advertisement.

1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click Create. The New Listeners screen opens.
3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic.

Caution: The destination cannot be a self IP address on the system, because a listener with the same IP address as a self IP address cannot be advertised.

4. From the VLAN/Tunnel Traffic list, select one of the following options:
   All VLANs: When you want this listener to handle traffic from VLANs within the network segment. Use this option if BIG-IP GTM is handling traffic for the destination IP address locally. This option also applies when the system resides on a network segment that does not use VLANs.
   Enabled on: When you want this listener to handle traffic from only the VLANs that you move from the Available list to the Selected list.
   Disabled on: When you want this listener to exclude the traffic from the VLANs that you move from the Available list to the Selected list.
5. From the Protocol list, select either UDP or TCP.
6. From the DNS Profile list, select:
   dns: This is the default DNS profile. With the default dns profile, BIG-IP GTM forwards non-wide IP queries to the BIND server on the BIG-IP GTM system itself.
   <custom profile>: If you have created a custom DNS profile to handle non-wide IP queries in a way that works for your network configuration, select it.
7. For Route Advertisement, select the Enabled check box.
8. Click Finished.

Configure other listeners for route advertisement.

Verifying advertisement of the route

Ensure that ZebOS® dynamic routing is enabled on the BIG-IP® system.

Run a command to verify that the BIG-IP system is advertising the virtual address.

1. Log on to the command-line interface of the BIG-IP system.
2. At the command prompt, type zebos cmd sh ip route | grep <listener IP address> and press Enter.
   An advertised listener address appears as a kernel route (code K) with a /32 host prefix, for example: K 127.0.0.1/32. This confirms that the route is present in the ZebOS routing table on the BIG-IP system; to confirm that it reached your routers, check the route table on a neighboring router as well.

Implementation result

You now have an implementation in which the BIG-IP® system advertises, through the enabled ZebOS routing protocol, the virtual addresses of the listeners that you configured for route advertisement, and withdraws a route when its listener becomes unavailable.


Chapter 24: Redirecting a DNS Query Using a Wide IP with a CNAME Pool

• Overview: Redirecting DNS queries using a wide IP with a CNAME pool
• About CNAME records
• Task summary
• Implementation result

Overview: Redirecting DNS queries using a wide IP with a CNAME pool

When you want to redirect DNS queries for a web site to a different web site, create a wide IP that represents the original web site and add a CNAME pool to the wide IP to redirect the queries to the new destination.

The executives at siterequest.com recently purchased a competitor. Site Request's administrator wants to redirect DNS queries for competitor.com to a rebranded web site named competitor.siterequest.com.

About CNAME records

A CNAME record specifies that a domain name is an alias of another domain name. When you create a pool with a canonical name, BIG-IP® GTM™ responds to DNS queries for the wide IP with a CNAME record whose target is that canonical name, the real fully qualified domain name (FQDN); the querying resolver then looks up the target name itself.

Task summary

Perform these tasks to redirect a DNS query using a wide IP with a CNAME pool.
Creating a pool using a CNAME
Creating a wide IP with a CNAME pool

Creating a pool using a CNAME

Create a pool to which the system can load balance DNS queries using a CNAME record, rather than pool members. For our example, name the pool competitor_redirect and use a CNAME of competitor.siterequest.com.

1. On the Main tab, click Global Traffic > Pools. The Pools list screen opens.
2. Click Create.
3. Type a name for the pool.
   Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.

Important: The pool name is limited to 63 characters.

4. From the Configuration list, select Advanced.
5. In the CNAME field, type the canonical name, that is, the FQDN to which you want BIG-IP GTM to redirect DNS queries.


Tip: When you provide a canonical name, you do not add members to the pool, because the CNAME record always takes precedence over pool members. Additionally, a pool with a CNAME is not monitored for availability.

6. Click Finished.

Creating a wide IP with a CNAME pool

Create a wide IP with a CNAME pool to redirect DNS queries for a web site to a different web site. For our example, create a wide IP named www.competitor.siterequest.com and add the CNAME pool competitor_redirect.

1. On the Main tab, click Global Traffic > Wide IPs.
The Wide IPs List screen opens.

2. Click Create.
The New Wide IP screen opens.

3. In the Name field, type a name for the wide IP.

Tip: You can use two different wildcard characters in the wide IP name: asterisk (*) to represent several characters and question mark (?) to represent a single character. This reduces the number of aliases you have to add to the configuration.

4. From the Pool list, select the CNAME pool, and then click Add.

5. Click Finished.

Implementation result

You now have an implementation in which when a client sends a DNS query for www.siterequest_competitor.com, the CNAME record redirects the LDNS to siterequest2.com. The LDNS performs an IP address lookup for siterequest2.com, and the BIG-IP GTM returns the correct IP address, which is forwarded to the client.
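To make the two rules in this chapter concrete (a wide IP name may use * and ? wildcards, and a pool that carries a canonical name answers with the CNAME rather than with members), here is an added example of a small resolver model. It is illustrative code written for this page, not BIG-IP GTM's implementation; the wide IP www.competitor.siterequest.com and pool competitor_redirect come from the chapter, while the *.siterequest.com wide IP, the siterequest_web pool and the 192.0.2.x addresses are constructed. The rule that an exact wide IP name is tried before wildcard names is this example's own choice.

```python
"""Model of how a wide IP with a CNAME pool answers a DNS query.

Added example, not BIG-IP GTM code. It encodes what the chapter states: '*'
matches several characters, '?' matches one, and a CNAME pool answers with the
canonical name instead of pool members.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Pool:
    name: str
    cname: Optional[str] = None                        # set for a CNAME pool
    members: List[str] = field(default_factory=list)   # A-record addresses otherwise


@dataclass
class WideIP:
    name: str          # may contain '*' and '?'
    pools: List[Pool]


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a wide IP name with '*' / '?' into an anchored, lowercase regex."""
    parts = []
    for ch in pattern.rstrip(".").lower():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def match_wide_ip(wide_ips: List[WideIP], qname: str) -> Optional[WideIP]:
    """Return the wide IP whose name matches qname; exact names win over wildcards."""
    q = qname.rstrip(".").lower()
    exact = [w for w in wide_ips if "*" not in w.name and "?" not in w.name]
    wild = [w for w in wide_ips if w not in exact]
    for w in exact + wild:
        if wildcard_to_regex(w.name).match(q):
            return w
    return None


def answer(wide_ips: List[WideIP], qname: str) -> Dict[str, object]:
    """Produce what a resolver would receive: a CNAME, A records, or NXDOMAIN."""
    w = match_wide_ip(wide_ips, qname)
    if w is None:
        return {"rcode": "NXDOMAIN"}
    for pool in w.pools:
        if pool.cname:
            # The CNAME takes precedence over any members; the LDNS must then
            # look up the canonical name itself (the second hop in the chapter).
            return {"rcode": "NOERROR", "type": "CNAME", "target": pool.cname}
    for pool in w.pools:
        if pool.members:
            return {"rcode": "NOERROR", "type": "A", "addresses": list(pool.members)}
    return {"rcode": "NOERROR", "type": "A", "addresses": []}


# Constructed configuration mirroring the chapter's scenario.
CONFIG = [
    WideIP("www.competitor.siterequest.com",
           [Pool("competitor_redirect", cname="competitor.siterequest.com")]),
    WideIP("*.siterequest.com",
           [Pool("siterequest_web", members=["192.0.2.10", "192.0.2.11"])]),
]

if __name__ == "__main__":
    for name in ("www.competitor.siterequest.com", "shop.siterequest.com", "example.org"):
        print(name, "->", answer(CONFIG, name))
```

Note that www.competitor.siterequest.com also matches the *.siterequest.com wildcard; the example resolves that overlap by preferring the exact entry, which is why ordering matters when you rely on wildcards to cut down the number of aliases.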


Chapter 25: Monitoring Third-Party Servers with SNMP

• Overview: SNMP monitoring of third-party servers
• Task summary
• Implementation result

Overview: SNMP monitoring of third-party servers

You can configure the BIG-IP® Global Traffic Manager™ (GTM™) to acquire information about the health of a third-party server using SNMP. The server must be running an SNMP agent.

Task summary

To configure BIG-IP® GTM™ to acquire information about the health of a third-party server using SNMP, perform the following tasks.
• Creating an SNMP monitor
• Defining a third-party host server that is running SNMP

Creating an SNMP monitor

Create an SNMP monitor that BIG-IP® Global Traffic Manager™ can use to monitor a third-party server running SNMP.

1. On the Main tab, click Global Traffic > Monitors.
The Monitor List screen opens.

2. Click Create.
The New Monitor screen opens.

3. Type a name for the monitor.

Important: Monitor names are limited to 63 characters.

4. From the Type list, select one of the following:
SNMP DCA: Use this monitor to specify new values for CPU, memory, and disk metrics.
SNMP DCA Base: Use this monitor to specify values for metrics other than CPU, memory, and disk usage.

5. Click Finished.

Defining a third-party host server that is running SNMP

Ensure that the third-party host server is running SNMP. During this procedure, you assign a virtual server to the server; therefore, determine the IP address that you want to assign to the virtual server.

Define the third-party host server.

1. On the Main tab, click Global Traffic > Servers.
The Server List screen opens.


2. Click Create.
The New Server screen opens.

3. In the Name field, type a name for the server.

Important: Server names are limited to 63 characters.

4. From the Product list, select a third-party host server or select Generic Host.
The server type determines the metrics that the system can collect from the server.

5. In the Address List area, add the IP addresses of the server.
a) Type an external (public) IP address in the Address field, and then click Add.
b) If you use NAT, type an internal (private) IP address in the Translation field, and then click Add.
You can add more than one IP address, depending on how the server interacts with the rest of your network.

6. From the Data Center list, select the data center where the server resides.

7. From the Prober Pool list, select one of the following.
Inherit from Data Center: By default, a server inherits the Prober pool assigned to the data center in which the server resides.
Prober pool name: Select the Prober pool that contains the BIG-IP systems that you want to perform monitor probes of this server.

8. In the Health Monitors area, assign an SNMP monitor to the server by moving it from the Available list to the Selected list.

9. From the Virtual Server Discovery list, select Disabled.

10. Click Create.

11. In the Server List, click a server name.
The server settings and values display.

12. On the menu bar, click Virtual Servers.
A list of the virtual servers configured on the server displays.

13. Click Add.
The IP addresses display in the list.

14. In the Virtual Server List area, specify the virtual servers that are resources on this server.
a) In the Name field, type the name of the virtual server.
b) In the Address field, type the IP address of the virtual server.

15. Click Create.
The Server List screen opens displaying the new server in the list.

Implementation result

BIG-IP® GTM™ can now use the SNMP monitor to verify the availability of and to collect statistics about the generic host.


Chapter 26: Configuring Remote High-Speed DNS Logging

• Overview: Configuring remote high-speed DNS logging
• Task summary
• Implementation result

Overview: Configuring remote high-speed DNS logging

You can configure the BIG-IP® system to log information about DNS traffic and send the log messages to remote high-speed log servers. You can choose to log either DNS queries or DNS responses, or both. In addition, you can configure the system to perform logging on DNS traffic differently for specific resources. For example, you can configure logging for a specific resource, and then disable and re-enable logging for the resource based on your network administration needs.

When configuring remote high-speed DNS logging, it is helpful to understand the objects you need to create and why, as described here:

Pool of remote log servers: Create a pool of remote log servers to which the BIG-IP system can send log messages.

Destination (unformatted): Create a log destination of Remote High-Speed Log type that specifies a pool of remote log servers.

Destination (formatted): If your remote log servers are the ArcSight, Splunk, or Remote Syslog type, create an additional log destination to format the logs in the required format and forward the logs to a remote high-speed log destination.

Publisher: Create a log publisher to send logs to a set of specified log destinations.

DNS Logging profile: Create a custom DNS Logging profile to define the data you want the BIG-IP system to include in the DNS logs and associate a log publisher with the profile.

DNS profile: Create a custom DNS profile to enable DNS logging, and associate a DNS Logging profile with the DNS profile.

LTM® virtual server: Associate a custom DNS profile with a virtual server to define how the BIG-IP system logs the DNS traffic that the virtual server processes.

GTM™ listener: Associate a custom DNS profile with a listener to define how the BIG-IP system logs the DNS traffic that the listener processes.


Figure 15: Association of remote high-speed logging configuration objects

Task summary

Perform these tasks to configure DNS logging on the BIG-IP® system.

Note: Enabling either DNS query logging or DNS response logging, or both, impacts BIG-IP system performance.

• Creating a pool of remote logging servers
• Creating a remote high-speed log destination
• Creating a formatted remote high-speed log destination
• Creating a publisher
• Creating a custom DNS Logging profile for logging DNS queries
• Creating a custom DNS Logging profile for logging DNS responses
• Creating a custom DNS Logging profile for logging DNS queries and responses
• Creating a custom DNS profile to enable DNS logging
• Configuring a GTM listener for DNS logging
• Disabling DNS logging


Creating a pool of remote logging servers

Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen to and receive log messages from the BIG-IP® system.

Create a pool of remote log servers to which the BIG-IP system can send log messages.

1. On the Main tab, click Local Traffic > Pools.
The Pool List screen opens.

2. Click Create.
The New Pool screen opens.

3. In the Name field, type a unique name for the pool.

4. Using the New Members setting, add the IP address for each remote logging server that you want to include in the pool:
a) Type an IP address in the Address field, or select a node address from the Node List.
b) Type a service number in the Service Port field, or select a service name from the list.

Note: Typical remote logging servers require port 514.

c) Click Add.

5. Click Finished.

Creating a remote high-speed log destination

Before creating a remote high-speed log destination, ensure that at least one pool of remote log servers exists on the BIG-IP® system.

Create a log destination of the Remote High-Speed Log type to specify that log messages are sent to a pool of remote log servers.

1. On the Main tab, click System > Logs > Configuration > Log Destinations.
The Log Destinations screen opens.

2. Click Create.

3. In the Name field, type a unique, identifiable name for this destination.

4. From the Type list, select Remote High-Speed Log.

Important: If you use log servers such as Remote Syslog, Splunk, or ArcSight, which require data be sent to the servers in a specific format, you must create an additional log destination of the required type, and associate it with a log destination of the Remote High-Speed Log type. This allows the BIG-IP system to send data to the servers in the required format.

The BIG-IP system is configured to send an unformatted string of text to the log servers.

5. From the Pool Name list, select the pool of remote log servers to which you want the BIG-IP system to send log messages.

6. From the Protocol list, select the protocol used by the high-speed logging pool members.

7. Click Finished.


Creating a formatted remote high-speed log destination

Ensure that at least one remote high-speed log destination exists on the BIG-IP® system.

Create a formatted logging destination to specify that log messages are sent to a pool of remote log servers, such as Remote Syslog, Splunk, or ArcSight servers.

1. On the Main tab, click System > Logs > Configuration > Log Destinations.
The Log Destinations screen opens.

2. Click Create.

3. In the Name field, type a unique, identifiable name for this destination.

4. From the Type list, select a formatted logging destination, such as Remote Syslog, Splunk, or ArcSight.

Important: ArcSight formatting is only available for logs coming from the network Application Firewall Module (AFM) and the Application Security Manager (ASM™).

The BIG-IP system is configured to send a formatted string of text to the log servers.

5. From the Forward To list:
• For ArcSight or Splunk, from the Forward To list, select the destination that points to a pool of high-speed log servers to which you want the BIG-IP system to send log messages.
• For Remote Syslog, from the Syslog Format list, select a format for the logs, and then from the High-Speed Log Destination list, select the destination that points to a pool of remote Syslog servers to which you want the BIG-IP system to send log messages.

6. Click Finished.

Creating a publisher

Ensure that at least one destination associated with a pool of remote log servers exists on the BIG-IP® system.

Create a publisher to specify where the BIG-IP system sends log messages for specific resources.

1. On the Main tab, click System > Logs > Configuration > Log Publishers.
The Log Publishers screen opens.

2. Click Create.

3. In the Name field, type a unique, identifiable name for this publisher.

4. For the Destinations setting, in the Available list, select a destination, and click << to move the destination to the Selected list.

Note: If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.

5. Click Finished.

Creating a custom DNS Logging profile for logging DNS queries

Create a custom DNS logging profile to log DNS queries, when you want to log only DNS queries.


1. On the Main tab, click Local Traffic > Profiles > Other > DNS Logging.
The DNS Logging profile list screen opens.

2. Click Create.
The New DNS Logging profile screen opens.

3. In the Name field, type a unique name for the profile.

4. From the Log Publisher list, select a destination to which the BIG-IP system sends DNS log entries.

5. For the Log Queries setting, ensure that the Enabled check box is selected, if you want the BIG-IP system to log all DNS queries.

6. For the Include Query ID setting, select the Enabled check box, if you want the BIG-IP system to include the query ID sent by the client in the log messages.

7. Click Finished.

Assign this custom DNS Logging profile to a custom DNS profile.

Creating a custom DNS Logging profile for logging DNS responses

Create a custom DNS logging profile to log DNS responses when you want to determine how the BIG-IP system is responding to a given query.

1. On the Main tab, click Local Traffic > Profiles > Other > DNS Logging.
The DNS Logging profile list screen opens.

2. Click Create.
The New DNS Logging profile screen opens.

3. In the Name field, type a unique name for the profile.

4. From the Log Publisher list, select a destination to which the BIG-IP system sends DNS log entries.

5. For the Log Responses setting, select the Enabled check box, if you want the BIG-IP system to log all DNS responses.

6. For the Include Query ID setting, select the Enabled check box, if you want the BIG-IP system to include the query ID sent by the client in the log messages.

7. Click Finished.

Assign this custom DNS Logging profile to a custom DNS profile.

Creating a custom DNS Logging profile for logging DNS queries and responses

Create a custom DNS logging profile to log both DNS queries and responses when troubleshooting a DDoS attack.

Note: Logging both DNS queries and responses has an impact on the BIG-IP system performance.

1. On the Main tab, click Local Traffic > Profiles > Other > DNS Logging.
The DNS Logging profile list screen opens.

2. Click Create.
The New DNS Logging profile screen opens.

3. In the Name field, type a unique name for the profile.

4. From the Log Publisher list, select a destination to which the BIG-IP system sends DNS log entries.

5. For the Log Queries setting, ensure that the Enabled check box is selected, if you want the BIG-IP system to log all DNS queries.


6. For the Log Responses setting, select the Enabled check box, if you want the BIG-IP system to log all DNS responses.

7. For the Include Query ID setting, select the Enabled check box, if you want the BIG-IP system to include the query ID sent by the client in the log messages.

8. Click Finished.

Assign this custom DNS Logging profile to a custom DNS profile.
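Logging both queries and responses with Include Query ID enabled is what makes the two halves of a DNS transaction joinable on the log server. The following is an added example, not part of the manual and not the BIG-IP DNS Logging output format: the line layout is constructed for the example (kind, query ID, client, name, type, and an rcode on responses), and the sample lines are made up. It pairs each response with the query that caused it, keyed by client address and query ID, lists queries that never got a response, and counts queries per client, which is the view you want when working through the kind of DNS flood the procedure above mentions.

```python
"""Correlate DNS query and response log lines by client and query ID.

Added example, not F5 code. The line format below is constructed for the
example; it is not the BIG-IP DNS Logging format. The query ID is the
client's own transaction ID, so it is unique only per client and only briefly,
which is why the pairing key is (client, qid) and why an entry is dropped as
soon as its response is seen.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed format: <kind> id=<qid> client=<ip> name=<qname> type=<qtype> [rcode=<rcode>]
LINE_RE = re.compile(
    r"^(?P<kind>query|response) id=(?P<qid>\d+) client=(?P<client>\S+) "
    r"name=(?P<name>\S+) type=(?P<qtype>\S+)(?: rcode=(?P<rcode>\S+))?$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its fields; reject anything that does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return {k: v for k, v in m.groupdict().items() if v is not None}


def correlate(lines: List[str]) -> Tuple[List[Dict[str, str]], Counter]:
    """Return (queries that never received a response, query count per client)."""
    pending: Dict[Tuple[str, str], Dict[str, str]] = {}
    per_client: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        key = (rec["client"], rec["qid"])
        if rec["kind"] == "query":
            pending[key] = rec
            per_client[rec["client"]] += 1
        else:
            # A response closes the matching query; an unmatched response
            # (no query logged) is simply ignored here.
            pending.pop(key, None)
    return list(pending.values()), per_client


def top_talkers(per_client: Counter, n: int = 3) -> List[Tuple[str, int]]:
    """Clients that sent the most queries in the window covered by the lines."""
    return per_client.most_common(n)


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "query id=4112 client=203.0.113.7 name=www.siterequest.com type=A",
    "response id=4112 client=203.0.113.7 name=www.siterequest.com type=A rcode=NOERROR",
    "query id=9 client=198.51.100.2 name=www.siterequest.com type=AAAA",
    "query id=10 client=198.51.100.2 name=mail.siterequest.com type=MX",
    "response id=10 client=198.51.100.2 name=mail.siterequest.com type=MX rcode=NOERROR",
    "query id=77 client=198.51.100.2 name=ftp.siterequest.com type=A",
]

if __name__ == "__main__":
    unanswered, counts = correlate(SAMPLE_LOG)
    print("unanswered:", [(u["client"], u["qid"], u["name"]) for u in unanswered])
    print("top talkers:", top_talkers(counts))
```

Without the query ID in the log, the only join key left is the client address plus name and type, which cannot tell two identical back-to-back queries apart; that is the practical reason to leave Include Query ID enabled when both directions are logged.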

Creating a custom DNS profile to enable DNS logging

Ensure that at least one custom DNS Logging profile exists on the BIG-IP system.

Create a custom DNS profile to log specific information about DNS traffic processed by the resources to which the DNS profile is assigned. Depending upon what information you want the BIG-IP system to log, attach a custom DNS Logging profile configured to log DNS queries, to log DNS responses, or to log both.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS.
The DNS profile list screen opens.

2. Click Create.
The New DNS profile screen opens.

3. In the Name field, type a unique name for the profile.

4. Select the Custom check box.

5. From the Logging list, select Enabled.

6. From the Logging Profile list, select a custom DNS Logging profile.

7. Click Finished.

You must assign this custom DNS profile to a resource before the BIG-IP system can log information about the DNS traffic handled by the resource.

Configuring a GTM listener for DNS logging

Ensure that at least one custom DNS profile with logging configured exists on the BIG-IP® system.

Assign a custom DNS profile to a listener when you want the BIG-IP system to log the DNS traffic the listener handles.

Note: This task applies only to GTM™-provisioned systems.

1. On the Main tab, click Global Traffic > Listeners.
The Listeners List screen opens.

2. Click the name of the listener you want to modify.

3. From the DNS Profile list, select a custom DNS profile that is associated with a DNS Logging profile.

4. Click Update.

Disabling DNS logging

Disable DNS logging on a custom DNS profile when you no longer want the BIG-IP system to log information about the DNS traffic handled by the resources to which the profile is assigned.


Note: You can disable and re-enable DNS logging for a specific resource based on your network administration needs.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS.
The DNS profile list screen opens.

2. Click the name of a profile.

3. Select the Custom check box.

4. From the Logging list, select Disabled.

5. Click Update.

The BIG-IP system does not perform DNS logging on the DNS traffic handled by the resources to which this profile is assigned.

Implementation result

You now have an implementation in which the BIG-IP® system performs DNS logging on specific DNS traffic and sends the log messages to a pool of remote log servers.


Chapter 27: Configuring Device-Specific Probing and Statistics Collection

• Overview: Configuring device-specific probing and statistics collection
• Task summary
• Implementation result

Overview: Configuring device-specific probing and statistics collection

BIG-IP® Global Traffic Manager™ (GTM) performs intelligent probing of your network resources to determine whether the resources are up or down. In some circumstances, for example, if your network contains firewalls, you might want to set up device-specific probing to specify which BIG-IP® systems probe specific servers for health and performance data.

About Prober pools

A Prober pool is an ordered collection of one or more BIG-IP® systems. BIG-IP Global Traffic Manager™ (GTM™) can be a member of more than one Prober pool, and a Prober pool can be assigned to an individual server or a data center. When you assign a Prober pool to a data center, by default, the servers in that data center inherit that Prober pool.

The members of a Prober pool perform monitor probes of servers to gather data about the health and performance of the resources on the servers. BIG-IP GTM makes load balancing decisions based on the gathered data. If all of the members of a Prober pool are marked down, or if a server has no Prober pool assigned, BIG-IP GTM reverts to a default intelligent probing algorithm to gather data about the resources on the server.

This figure illustrates how Prober pools work. BIG-IP GTM contains two BIG-IP Local Traffic Manager™ (LTM™) systems that are assigned Prober pools and one BIG-IP LTM system that is not assigned a Prober pool:

Figure 16: BIG-IP systems with prober pools

Prober Pool 1 is assigned to a generic host server
BIG-IP LTM3 is the only member of Prober Pool 1, and performs all HTTPS monitor probes of the server.

Prober Pool 2 is assigned to generic load balancers
BIG-IP LTM1 and BIG-IP LTM2 are members of Prober Pool 2. These two systems perform HTTP monitor probes of generic load balancers based on the load balancing method assigned to Prober Pool 2.

The generic load balancers on the left side of the graphic are not assigned a Prober pool
BIG-IP GTM can solicit any BIG-IP system to perform FTP monitor probes of these load balancers, including systems that are Prober pool members.


About Prober pool status

The status of a Prober pool also indicates the status of the members of the pool. If at least one member of a Prober pool has green status (Available), the Prober pool has green status.

The status of a Prober pool member indicates whether the BIG-IP GTM system, on which you are viewing status, can establish an iQuery connection with the member.

Note: If a Prober pool member has red status (Offline), no iQuery connection exists between the member and the BIG-IP GTM system on which you are viewing status. Therefore, that BIG-IP GTM system cannot request that member to perform probes, and the Prober pool will not select the member for load balancing.

About Prober pool statistics

You can view the number of successful and failed probe requests that the BIG-IP® GTM™ system (on which you are viewing statistics) made to the Prober pools. These statistics reflect only the number of Prober requests and their success or failure. These statistics do not reflect the actual probes that the pool members made to servers on your network.

Prober pool statistics are not aggregated among the BIG-IP GTM systems in a synchronization group. The statistics on one BIG-IP GTM include only the requests made from that BIG-IP GTM system.

In this figure, the Prober pool statistics that display on BIG-IP GTM1 are the probe requests made only by that system.

Figure 17: Prober pool statistics displayed per system


Task summary

Perform these tasks to configure device-specific probing and statistics collection.
• Creating a Prober pool
• Assigning a Prober pool to a data center
• Assigning a Prober pool to a server
• Viewing Prober pool statistics and status
• Determining which Prober pool member marked a resource down

Creating a Prober pool

Obtain a list of the BIG-IP® systems in your network and ensure that a server object is configured on the BIG-IP GTM™ for each system.

Create a Prober pool that contains the BIG-IP systems that you want to perform monitor probes of a specific server or the servers in a data center.

1. On the Main tab, click Global Traffic > Prober Pools.
The Prober Pool List screen opens.

2. Click Create.
The New Prober Pool screen opens.

3. In the Name field, type a name for the Prober pool.

Important: Prober pool names are limited to 63 characters.

4. Select a method from the Load Balancing Method list.
Round Robin: BIG-IP GTM load balances monitor probes among the members of a Prober pool in a circular and sequential pattern.
Global Availability: BIG-IP GTM selects the first available Prober pool member to perform a monitor probe.

5. Assign members to the pool by moving servers from the Available list to the Selected list.

6. To reorder the members in the Selected list, choose a server and use the Up and Down buttons to move the server to a different location in the list.
The order of the servers in the list is important in relation to the load balancing method you selected.

7. Click Finished.

Assign the Prober pool to a data center or a server.
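The two load balancing methods, the member ordering that step 6 says matters, the rule that a red (Offline) member is never selected, and the fallback when every member is down are easier to reason about in code. The following is an added example written for this page, not BIG-IP GTM's implementation: a model Prober pool whose select() method returns the member that should perform the next probe, or None to stand for the manual's fallback to the default intelligent probing algorithm. Member names ltm1, ltm2 and ltm3 follow the figure in the overview; the method strings and status values are this example's own.

```python
"""Prober pool member selection: Round Robin versus Global Availability.

Added example, not F5 code. Models the behaviour the chapter describes:
- a Prober pool is an ordered list of BIG-IP systems;
- Round Robin cycles through the members in sequence;
- Global Availability always picks the first available member;
- a member with no iQuery connection (red status) is never chosen;
- when no member is available the request falls back to default probing,
  represented here by returning None.
"""
from typing import Dict, List, Optional

METHODS = ("round-robin", "global-availability")


class ProberPool:
    def __init__(self, name: str, members: List[str], method: str) -> None:
        if method not in METHODS:
            raise ValueError(f"unknown load balancing method: {method}")
        if not members:
            raise ValueError("a Prober pool needs at least one member")
        self.name = name
        self.members = list(members)              # order is significant
        self.method = method
        self.status: Dict[str, str] = {m: "available" for m in self.members}
        self._rr_index = 0                        # next Round Robin position

    def set_status(self, member: str, status: str) -> None:
        """Mark a member 'available' (green) or 'offline' (red, no iQuery)."""
        if member not in self.status:
            raise KeyError(member)
        if status not in ("available", "offline"):
            raise ValueError(status)
        self.status[member] = status

    def is_available(self) -> bool:
        """The pool is green as soon as at least one member is green."""
        return any(s == "available" for s in self.status.values())

    def select(self) -> Optional[str]:
        """Member that should perform the next probe, or None to fall back."""
        if not self.is_available():
            return None
        if self.method == "global-availability":
            # First available member in list order, every time.
            return next(m for m in self.members if self.status[m] == "available")
        # Round Robin: advance through the ordered list, skipping offline members.
        n = len(self.members)
        for _ in range(n):
            candidate = self.members[self._rr_index]
            self._rr_index = (self._rr_index + 1) % n
            if self.status[candidate] == "available":
                return candidate
        return None  # unreachable: is_available() guaranteed a green member


if __name__ == "__main__":
    pool2 = ProberPool("Prober Pool 2", ["ltm1", "ltm2"], "round-robin")
    print([pool2.select() for _ in range(4)])
    pool2.set_status("ltm1", "offline")
    print([pool2.select() for _ in range(2)])
```

Reordering the Selected list changes which member Global Availability lands on and where Round Robin starts, which is the point the manual makes in step 6; the model makes that visible by keeping members as a plain ordered list.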

Assigning a Prober pool to a data center

Ensure that a Prober pool is available on the system.

To make a specific collection of BIG-IP® systems available to probe the servers in a data center, assign a Prober pool to the data center.


1. On the Main tab, click Global Traffic > Data Centers.
The Data Center List screen opens.

2. Click a data center name in the list.
The data center settings and values display.

3. From the Prober Pool list, select the Prober pool that contains the BIG-IP® systems that you want to perform monitor probes of the servers in this data center.
By default, all of the servers in the data center inherit this Prober pool.

4. Click Update.

Assigning a Prober pool to a server

Ensure that a Prober pool is available on the system.

To specify which BIG-IP® systems perform monitor probes of a server, assign a Prober pool to the server.

1. On the Main tab, click Global Traffic > Servers.
The Server List screen opens.

2. In the Server List, click a server name.
The server settings and values display.

3. From the Prober Pool list, select one of the following.
Inherit from Data Center: By default, a server inherits the Prober pool assigned to the data center in which the server resides.
Prober pool name: Select the Prober pool that contains the BIG-IP systems that you want to perform monitor probes of this server.

4. Click Update.

Viewing Prober pool statistics and status

You can view status and statistics for Prober pools and the members of the pools.

1. On the Main tab, click Global Traffic > Prober Pools.
The Prober Pool List screen opens.

2. On the menu bar, click Statistics.
The Global Traffic Statistics screen opens.

3. Click the Refresh button.
The statistics are updated.

4. To view additional information about the status of a Prober pool, place your cursor over the icon in the Status column.

5. To view additional information about the status of a Prober pool member, click View in the Members column, and then place your cursor over the icon in the Status column of a specific member.


Determining which Prober pool member marked a resource down

When a resource is marked down, you can open the BIG-IP GTM log to view the SNMP trap and determine which member of a Prober pool marked the resource down.

1. On the Main tab, click System > Logs.
The System logs screen opens.

2. On the menu bar, click Local Traffic.
The Local Traffic logs screen opens.

3. You can either scroll through the log or search for a log entry about a specific event.

Implementation result

You now have an implementation in which a specific BIG-IP® system probes the resources on a specific server, or the servers in a specific data center.


Chapter 28: Setting Up and Viewing DNS Statistics

• Overview: Setting up and viewing DNS statistics
• Task summary
• Implementation result

Overview: Setting up and viewing DNS statistics

You can view DNS AVR and DNS global statistics on the BIG-IP® system to help you manage and report on the DNS traffic on your network.

DNS AVR Statistics
You must configure an AVR sampling rate on a DNS profile and assign it to a virtual server before the BIG-IP system can gather DNS AVR statistics. An AVR Analytics profile is not required for the BIG-IP system to gather and display DNS AVR statistics.

Important: When the Protocol Security module is licensed and provisioned, the DNS AVR statistics that display include Protocol Security statistics.

The DNS AVR statistics include DNS requests per:
• Virtual server
• Query name
• Query type
• Client IP address
(You can also filter the statistics by time period.)

DNS Global Statistics
The BIG-IP system automatically collects DNS global statistics about the DNS traffic the system processes. The DNS global statistics include:
• Total DNS requests and responses
• Details about the DNS queries and responses
• The number of wide IP requests
• The number of DNS Express™ requests and NOTIFY announcements and messages
• The number of DNS cache requests
• The number of DNS IPv6 to IPv4 requests, rewrites, and failures
• The number of unhandled query actions per specific actions

Task summary

Perform these tasks to set up DNS AVR statistics and to view DNS AVR and DNS global statistics on the BIG-IP® system.
• Creating a DNS profile for DNS AVR statistics collection
• Configuring a GTM listener for DNS AVR statistics collection
• Viewing DNS AVR statistics
• Viewing DNS AVR statistics in tmsh
• Viewing DNS global statistics
• Viewing DNS statistics for a specific virtual server


Creating a DNS profile for DNS AVR statistics collection

Ensure that Application Visibility and Reporting (AVR) is provisioned.

Configure the BIG-IP® system to collect DNS statistics on a sampling of the DNS traffic that the BIG-IP system handles. You must use tmsh to configure the AVR sampling rate for DNS statistics collection.

1. Log on to the command-line interface of the BIG-IP system.

2. At the BASH prompt, type: tmsh.

3. At the tmsh prompt, to create a DNS profile that enables DNS AVR statistics collection, type: create ltm profile dns [my_dns_profile_name] avr-dnsstat-sample-rate [sampling rate], and then press Enter.
my_dns_profile_name: A unique name for this profile.
sampling_rate: Specifies the number of DNS queries the BIG-IP system stores in the Analytics database. The default value of zero (0) indicates that no DNS queries are stored. A value of one (1) indicates that all DNS queries are stored. A value of N, where N>1, indicates that every Nth query is stored.

Important: The BIG-IP system samples one query out of the number you set for the sampling rate, and then records that the number of queries that have passed through the BIG-IP system is the sampling rate times one.
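The sampling rule in the Important note is compact enough to state as code, which also makes its side effect visible: because each stored sample stands for N queries, the reported count lags the true count by up to N-1 queries at any moment. The following is an added example, not F5 code, that encodes the three cases the table gives (0 stores nothing, 1 stores everything, N stores every Nth query) and the "sampling rate times one" accounting; the function names are this example's own.

```python
"""Semantics of the DNS profile avr-dnsstat-sample-rate value.

Added example, not F5 code. Encodes the rule stated in the manual: 0 stores no
queries, 1 stores every query, N > 1 stores every Nth query, and each stored
sample is counted as N queries having passed through the system.
"""
from typing import Iterable, List, Tuple


def validate_rate(rate: int) -> int:
    """The rate is a non-negative integer; anything else is rejected early."""
    if isinstance(rate, bool) or not isinstance(rate, int) or rate < 0:
        raise ValueError("sampling rate must be a non-negative integer")
    return rate


def sample_queries(queries: Iterable[str], rate: int) -> List[str]:
    """Return the queries that would be stored in the Analytics database."""
    rate = validate_rate(rate)
    if rate == 0:
        return []                       # sampling disabled: nothing stored
    stored = []
    for index, query in enumerate(queries, start=1):
        if index % rate == 0:           # rate == 1 keeps every query
            stored.append(query)
    return stored


def estimated_query_count(stored_count: int, rate: int) -> int:
    """Number of queries the system records as having passed through."""
    return stored_count * validate_rate(rate)


def sampling_error(total_queries: int, rate: int) -> Tuple[int, int]:
    """(estimate, undercount) after total_queries have passed at the given rate.

    Queries that arrive after the last full group of N are not yet represented
    by a sample, so the estimate can trail the true count by up to N-1. With a
    rate of 0 nothing is sampled and the whole total is unaccounted for.
    """
    rate = validate_rate(rate)
    if rate == 0:
        return 0, total_queries
    stored = total_queries // rate
    estimate = stored * rate
    return estimate, total_queries - estimate


if __name__ == "__main__":
    # Constructed input: ten query names.
    queries = [f"host{i}.example.test" for i in range(1, 11)]
    for rate in (0, 1, 3):
        kept = sample_queries(queries, rate)
        print(rate, len(kept), estimated_query_count(len(kept), rate), sampling_error(10, rate))
```

When choosing a rate for a busy listener, the undercount from sampling_error() is the precision you give up in exchange for the lower storage cost; a rate of 1 is exact but stores every query.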

Configuring a GTM listener for DNS AVR statistics collection

Ensure that at least one custom DNS profile configured with an AVR sampling rate exists on the BIG-IP® system.

Assign a custom DNS profile to a listener when you want the BIG-IP system to collect AVR statistics on a sampling of the DNS traffic the listener handles.

Note: This task applies only to GTM™-provisioned systems.

1. On the Main tab, click Global Traffic > Listeners.
The Listeners List screen opens.

2. Click the name of the listener you want to modify.

3. From the DNS Profile list, select a custom DNS profile configured with an AVR sampling rate.

4. Click Update.

Viewing DNS AVR statistics

Ensure that Application Visibility and Reporting (AVR) is provisioned. Ensure that the BIG-IP® system is configured to collect DNS statistics on a sampling of the DNS traffic that the BIG-IP system handles.

View DNS AVR statistics to help you manage the DNS traffic on your network.

1. On the Main tab, click Statistics > Analytics > DNS.
The DNS Analytics screen opens.

Important: When the Protocol Security Module is licensed and provisioned, the DNS AVR statistics that display include Protocol Security statistics.

2. From the View By list, select the specific network object type for which you want to display statistics.
You can also click Expand Advanced Filters to filter the information that displays.

3. From the Time Period list, select the amount of time for which you want to view statistics.

Tip: To display reports for a specific time period, select Custom and specify beginning and end dates.

4. Click Export to create a report of this information.

Note: The timestamp on the report reflects a publishing interval of five minutes; therefore, a time period request of 12:40-13:40 actually displays data between 12:35-13:35. By default, the BIG-IP system displays one hour of data.

Viewing DNS AVR statistics in tmsh

Ensure that Application Visibility and Reporting (AVR) is provisioned. Ensure that the BIG-IP® system isconfigured to collect DNS statistics on a sampling of the DNS traffic that the BIG-IP system handles.

View DNS analytics statistics to help you manage the DNS traffic on your network.

Important: When the Protocol Security module is licensed and provisioned, the DNS AVR statistics thatdisplay include Protocol Security statistics.

1. Log on to the command-line interface of the BIG-IP system.

2. At the BASH prompt, type tmsh.

3. At the tmsh prompt, type one of these commands and then press Enter.

Option, followed by its description:

show analytics dns report view-by query-name limit 3
    Displays the three most common query names.

show analytics dns report view-by query-type limit 3
    Displays the three most common query types.

show analytics dns report view-by client-ip limit 3
    Displays the three client IP addresses from which the most DNS queries originate.

show analytics dns report view-by query-name drilldown { { entity query-type values {A}}} limit 3
    Displays the three most common query names for query type A records.

show analytics dns report view-by query-type drilldown { { entity query-name values {www.f5.com}}} limit 3
    Displays the three most common query types for query name www.f5.com.

show analytics dns report view-by client-ip drilldown { { entity query-type values {A}}} limit 3
    Displays the three most common client IP addresses requesting query type A records.
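Each of these commands summarizes the sampled traffic by one entity (query name, query type or client IP), optionally narrowed with a drilldown on another entity, and cuts the result off at a limit. The following Python script, added here as an illustration and not F5 code, applies the same view-by, drilldown and limit semantics to a constructed sample of query records so that the six reports in the table can be compared side by side; it also adds a heavy-hitter check, the kind of skew a practitioner looks for in these reports during a flood. The record field names, the sample names and addresses, and the heavy-hitter threshold are assumptions, and the script does not reproduce tmsh's actual output format.

```python
from collections import Counter

# Constructed sample of sampled DNS queries (hypothetical client addresses and
# names; www.f5.com is the query name used in the tmsh examples on this page).
SAMPLE_QUERIES = [
    {"query-name": "www.f5.com",       "query-type": "A",    "client-ip": "203.0.113.10"},
    {"query-name": "www.f5.com",       "query-type": "A",    "client-ip": "203.0.113.10"},
    {"query-name": "www.f5.com",       "query-type": "A",    "client-ip": "203.0.113.10"},
    {"query-name": "www.f5.com",       "query-type": "A",    "client-ip": "203.0.113.10"},
    {"query-name": "www.f5.com",       "query-type": "AAAA", "client-ip": "203.0.113.10"},
    {"query-name": "www.example.com",  "query-type": "A",    "client-ip": "198.51.100.7"},
    {"query-name": "www.example.com",  "query-type": "A",    "client-ip": "198.51.100.7"},
    {"query-name": "mail.example.com", "query-type": "MX",   "client-ip": "198.51.100.7"},
    {"query-name": "ns1.example.com",  "query-type": "A",    "client-ip": "192.0.2.3"},
    {"query-name": "example.com",      "query-type": "TXT",  "client-ip": "192.0.2.3"},
]

# The entities the commands on this page can view by or drill down on.
ENTITIES = ("query-name", "query-type", "client-ip")


def dns_report(queries, view_by, limit=3, drilldown=None):
    """Mirror `show analytics dns report view-by <view_by> [drilldown { { entity
    <entity> values {...} } }] limit <limit>`: keep only the records whose
    `drilldown` entity is one of the given values (if a drilldown is given),
    count them by the `view_by` entity, and return the `limit` most common
    (value, count) pairs in descending order of count."""
    if view_by not in ENTITIES:
        raise ValueError(f"unknown view-by entity: {view_by}")
    if drilldown is not None:
        entity, values = drilldown
        if entity not in ENTITIES:
            raise ValueError(f"unknown drilldown entity: {entity}")
        queries = [q for q in queries if q[entity] in values]
    counts = Counter(q[view_by] for q in queries)
    return counts.most_common(limit)


def heavy_hitters(queries, view_by, min_share):
    """Values of `view_by` that account for at least `min_share` of the sample,
    as (value, share) pairs. One client or name dominating the sample is the
    skew these reports surface during a flood; the threshold is an assumption
    for this example, not an F5 default."""
    total = len(queries)
    if total == 0:
        return []
    counts = Counter(q[view_by] for q in queries)
    return [(value, count / total) for value, count in counts.most_common()
            if count / total >= min_share]


if __name__ == "__main__":
    # The six reports from the table on this page, run over the sample.
    print(dns_report(SAMPLE_QUERIES, "query-name"))
    print(dns_report(SAMPLE_QUERIES, "query-type"))
    print(dns_report(SAMPLE_QUERIES, "client-ip"))
    print(dns_report(SAMPLE_QUERIES, "query-name", drilldown=("query-type", {"A"})))
    print(dns_report(SAMPLE_QUERIES, "query-type", drilldown=("query-name", {"www.f5.com"})))
    print(dns_report(SAMPLE_QUERIES, "client-ip", drilldown=("query-type", {"A"})))
    print(heavy_hitters(SAMPLE_QUERIES, "client-ip", min_share=0.4))
```

Because the report is computed from a sample, the counts are estimates of the real traffic; the share returned by `heavy_hitters` is the more robust figure to act on, since it does not depend on the sampling rate configured in the DNS profile.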


Viewing DNS global statistics

Ensure that at least one DNS profile exists on the BIG-IP system and that this profile is assigned to an LTM virtual server or a GTM listener that is configured to use the TCP protocol.

Note: If you want to view AXFR and IXFR statistics, the listener or virtual server must be configured to use the TCP protocol. This is because zone transfers occur over the TCP protocol.

View DNS global statistics to determine how to fine tune your network configuration or troubleshoot DNS traffic processing problems.

1. On the Main tab, click Statistics > Module Statistics > Local Traffic.
   The Local Traffic statistics screen opens.

2. From the Statistics Type list, select Profiles Summary.

3. In the Details column for the DNS profile, click View.

Viewing DNS statistics for a specific virtual server

Ensure that at least one virtual server associated with a DNS profile exists on the BIG-IP system.

Note: If you want to view AXFR and IXFR statistics, the virtual server must be configured to use the TCP protocol. This is because zone transfers occur over the TCP protocol.

You can view DNS statistics per virtual server when you want to analyze how the BIG-IP system is handling specific DNS traffic.

1. On the Main tab, click Statistics > Module Statistics > Local Traffic.
   The Local Traffic statistics screen opens.

2. From the Statistics Type list, select Virtual Servers.

3. In the Details column for the virtual server, click View.

Implementation result

You now have an implementation in which the BIG-IP® system gathers both DNS AVR and DNS global statistics. You can view these statistics to help you understand DNS traffic patterns and manage the flow of your DNS traffic, especially when your network is under a DDoS attack.

Chapter 29: Diagnosing Network Connection Issues

• Diagnosing network connection issues

Diagnosing network connection issues

To help you diagnose network connection issues, you can view the status of and statistics about the iQuery® connections between BIG-IP® Global Traffic Manager™ (GTM) and other BIG-IP systems on your network. iQuery connection information displays for IP addresses that are configured on BIG-IP server objects.

Viewing iQuery statistics

Ensure that the BIG-IP® GTM™ configuration contains at least one BIG-IP server object with a self IP address.

To view information about the connections between BIG-IP GTM and other BIG-IP systems, view iQuery® statistics.

1. On the Main tab, click Statistics > Module Statistics > Global Traffic.
   The Global Traffic statistics screen opens.

2. From the Statistics Type list, select iQuery.
   Information about the iQuery connections between this system and other BIG-IP systems in your network displays.

3. When you want to estimate iQuery traffic throughput, click Reset.
   The following statistics are reset to zero:

   • iQuery Reconnects
   • Bytes In
   • Bytes Out
   • Backlogs
   • Bytes Dropped

To view information about the iQuery® connections between a different BIG-IP GTM and the BIG-IP systems in your network, log in to that BIG-IP GTM and repeat this procedure.

iQuery statistics descriptions

The information in the table describes the iQuery statistics.

iQuery statistic, followed by its description:

IP Address
    Displays the IP addresses of the servers that have an iQuery connection with this BIG-IP GTM.

Server
    Displays the name of the server with the specified IP address.

Data Center
    Displays the data center to which the specified server belongs.

iQuery State
    Displays the state of the iQuery connection between the specified server and the BIG-IP GTM. Possible states are:

    • Not Connected
    • Connecting
    • Connected
    • Backlogged (indicates messages are queued and waiting to be sent)

iQuery Reconnects
    Displays the number of times the BIG-IP GTM re-established an iQuery connection with the specified server.

Bytes In
    Displays the amount of data in bytes received by the BIG-IP GTM over the iQuery connection from the specified server.

Bytes Out
    Displays the amount of data in bytes sent from the BIG-IP GTM over the iQuery connection to the specified server.

Backlogs
    Displays the number of times the iQuery connection between the BIG-IP GTM and the specified server was blocked, because iQuery had to send out more messages than the connection could handle.

Bytes Dropped
    Displays the amount of data in bytes that the iQuery connection dropped.

SSL Certificate Expiration
    Displays the date the SSL certificate expires.

Configuration Time
    Displays the date and time that the BIG-IP GTM configuration was last modified. The timestamps should be the same for all devices in a configuration synchronization group.
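As an added example (not part of the F5 documentation or product), the following Python script applies the statistics in this table to a constructed set of rows and reports the conditions a practitioner would act on when diagnosing iQuery connections: a state other than Connected, backlogs or dropped bytes, a reconnect count above a threshold, an SSL certificate close to expiry, and a Configuration Time that lags the newest one in the synchronization group. It also shows the throughput estimate that step 3 of the procedure (clicking Reset) makes possible. The row field names, the sample servers, addresses, counters and dates, the evaluation date, and the thresholds (5 reconnects, 30 days) are assumptions for illustration, not F5 defaults.

```python
from datetime import date, datetime

# Constructed sample of the iQuery statistics described in the table on this
# page, one row per BIG-IP server object (hypothetical names, addresses,
# counters and dates).
SAMPLE_IQUERY_STATS = [
    {"ip_address": "10.10.1.5", "server": "ltm-east", "data_center": "East",
     "iquery_state": "Connected", "iquery_reconnects": 0,
     "bytes_in": 482_100, "bytes_out": 96_300, "backlogs": 0, "bytes_dropped": 0,
     "ssl_cert_expiration": date(2014, 6, 1),
     "configuration_time": datetime(2013, 3, 4, 10, 15)},
    {"ip_address": "10.10.2.5", "server": "ltm-west", "data_center": "West",
     "iquery_state": "Backlogged", "iquery_reconnects": 12,
     "bytes_in": 12_040, "bytes_out": 301_500, "backlogs": 3, "bytes_dropped": 4_096,
     "ssl_cert_expiration": date(2014, 6, 1),
     "configuration_time": datetime(2013, 3, 4, 10, 15)},
    {"ip_address": "10.10.3.5", "server": "gtm-dr", "data_center": "DR",
     "iquery_state": "Not Connected", "iquery_reconnects": 0,
     "bytes_in": 0, "bytes_out": 0, "backlogs": 0, "bytes_dropped": 0,
     "ssl_cert_expiration": date(2013, 3, 20),
     "configuration_time": datetime(2013, 3, 1, 9, 0)},
]

# Date on which the constructed sample is evaluated (an assumption).
AS_OF = date(2013, 3, 5)


def iquery_findings(rows, today, max_reconnects=5, cert_warn_days=30):
    """Return (server, code, detail) tuples for rows worth investigating.
    The thresholds are assumptions for this example, not F5 defaults."""
    findings = []
    # Configuration Time should match on every device in a configuration
    # synchronization group; flag devices older than the newest timestamp.
    newest = max(r["configuration_time"] for r in rows) if rows else None
    for r in rows:
        server = r["server"]
        if r["configuration_time"] != newest:
            findings.append((server, "config-time-mismatch",
                             f"configuration time {r['configuration_time']} is older than {newest}"))
        # Anything other than Connected means the GTM is not currently
        # receiving health and load data from this server.
        if r["iquery_state"] != "Connected":
            findings.append((server, "iquery-state", r["iquery_state"]))
        # Backlogs or dropped bytes mean iQuery messages are being queued or lost.
        if r["backlogs"] > 0 or r["bytes_dropped"] > 0:
            findings.append((server, "backlog-or-drops",
                             f"backlogs={r['backlogs']} bytes_dropped={r['bytes_dropped']}"))
        if r["iquery_reconnects"] > max_reconnects:
            findings.append((server, "frequent-reconnects",
                             f"{r['iquery_reconnects']} reconnects (threshold {max_reconnects})"))
        # iQuery is SSL-protected; an expired certificate breaks the connection.
        days_left = (r["ssl_cert_expiration"] - today).days
        if days_left < cert_warn_days:
            findings.append((server, "cert-expiring", f"{days_left} days until expiry"))
    return findings


def estimate_throughput(row, seconds_since_reset):
    """Average iQuery throughput in bytes per second (in, out) since the
    counters were reset with the Reset button in step 3 of the procedure."""
    if seconds_since_reset <= 0:
        raise ValueError("seconds_since_reset must be positive")
    return (row["bytes_in"] / seconds_since_reset,
            row["bytes_out"] / seconds_since_reset)


if __name__ == "__main__":
    for server, code, detail in iquery_findings(SAMPLE_IQUERY_STATS, AS_OF):
        print(f"{server}: {code}: {detail}")
    # Ten minutes after a Reset, for the first sample row.
    print(estimate_throughput(SAMPLE_IQUERY_STATS[0], 600))
```

The checks are ordered from the most to the least urgent: a configuration-time mismatch means the GTMs in the synchronization group are not serving the same configuration, a non-Connected state or backlog means this GTM is making load-balancing decisions on stale data, and the certificate check catches the failure before it happens rather than after.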

