BIG-IP Global Traffic Manager : Implementations. Version 11.2



Table of Contents

Legal Notices...9
Acknowledgments...11
Chapter 1: Upgrading BIG-IP GTM to Version 11.x...13
  Converting a statistics collection server to a Prober pool automatically...14
Chapter 2: Delegating DNS Traffic to Wide IPs...15
  Overview: Delegating DNS traffic to wide IPs...16
  About listeners...16
  Task summary...17
  Creating a delegated zone on a local DNS server...17
  Creating a listener to handle traffic for wide IPs...17
  Implementation result...18
Chapter 3: Replacing a DNS Server with BIG-IP GTM...19
  Overview: Replacing a DNS server with BIG-IP GTM...20
  About listeners...20
  Task summary...20
  Configuring a back-end DNS server to allow zone file transfers...21
  Acquiring zone files from the legacy DNS server...21
  Creating a self IP address using the IP address of the legacy DNS server...21
  Designating GTM as the primary server for the zone...22
  Creating listeners to alert GTM to DNS traffic destined for the system...22
  Creating a wide IP...23
  Implementation result...23
Chapter 4: Sending Traffic Through BIG-IP GTM...25
  Overview: Configuring GTM to screen traffic to an existing DNS server...26
  About listeners...26
  About wildcard listeners...27
  Task summary...27
  Placing GTM on your network to forward traffic...27
  Creating a listener to forward traffic to a DNS server...27
  Creating a wide IP...28
  Implementation result...28
Chapter 5: Load Balancing Non-Wide IP DNS Traffic to a Pool of DNS Servers...29
  Overview: Screening and forwarding non-wide IP traffic to a pool of DNS servers...30
  About listeners
  Task summary...30
  Creating a pool of local DNS servers...31
  Creating a listener that alerts GTM to DNS queries for a pool of DNS servers...31
  Implementation result...31
Chapter 6: Load Balancing DNS Traffic Between IPv6-Only and IPv4-Only Clouds...33
  Overview: Handling IPv6-only connection requests to IPv4-only servers...34
  Task summary...34
  Creating a custom DNS profile...34
  Assigning a DNS profile to a virtual server...35
  Implementation result...36
Chapter 7: Configuring GTM on a Network with One Route Domain...37
  Overview: How do I deploy BIG-IP GTM on a network with one route domain?...38
  Task summary...38
  Creating VLANs for a route domain on BIG-IP LTM...39
  Creating a route domain on a BIG-IP LTM system...39
  Creating a self IP address for a route domain on BIG-IP LTM...40
  Defining a server for a route domain on BIG-IP GTM...40
  Implementation result...41
Chapter 8: Configuring GTM on a Network with Multiple Route Domains...43
  Overview: How do I deploy BIG-IP GTM on a network with multiple route domains?...44
  Task summary...45
  Creating VLANs for a route domain on BIG-IP LTM...46
  Creating a route domain on BIG-IP LTM...46
  Creating a self IP address for a route domain on BIG-IP LTM...47
  Disabling auto-discovery at the global level on BIG-IP GTM...47
  Defining a server for a route domain on BIG-IP GTM...47
  Implementation result...48
Chapter 9: Securing Your DNS Infrastructure...49
  Overview: Securing your DNS infrastructure...50
  How do I prepare for a manual rollover of a DNSSEC key?...50
  Task summary...50
  Creating listeners to identify DNS traffic...51
  Creating DNSSEC key-signing keys...51
  Creating DNSSEC zone-signing keys...52
  Creating DNSSEC zones...53
  Confirm that GTM is signing the DNSSEC records...53
  Implementation result
Chapter 10: Configuring DNS Express...55
  How do I configure DNS Express?...56
  What is DNS Express?...56
  Task summary...56
  Configuring a back-end DNS server to allow zone file transfers...56
  Creating a DNS Express TSIG key...56
  Creating a DNS Express zone...57
  Enabling DNS Express...58
  Assigning a DNS profile to a listener...59
  Viewing information about DNS Express zones...59
  Implementation result...59
Chapter 11: Configuring Fast DNS...61
  Overview: Improving DNS performance by caching responses from external resolvers...62
  Task summary...62
  Creating a transparent DNS cache...63
  Creating a custom DNS profile for transparent DNS caching...63
  Assigning a custom DNS profile to a GTM listener...64
  Creating a custom DNS monitor...64
  Creating a pool of local DNS servers...64
  Determining DNS cache performance...65
  Clearing a DNS cache...66
  Implementation result...67
Chapter 12: Resolving DNS Queries and Caching Responses...69
  Overview: Improving DNS performance by resolving queries and caching responses...70
  Task summary...70
  Creating a resolver DNS cache...71
  Creating a custom DNS profile for DNS resolving and caching...71
  Assigning a custom DNS profile to a GTM listener...72
  Determining DNS cache performance...72
  Clearing a DNS cache...74
  Implementation result...74
Chapter 13: Resolving DNS Queries and Caching Validated Responses...75
  Overview: Resolving queries and caching validated responses...76
  Task summary...77
  Creating a validating resolver DNS cache...77
  Creating a custom DNS profile for validating resolver DNS caching...78
  Assigning a custom DNS profile to a GTM listener
  Determining DNS cache performance...79
  Clearing a DNS cache...80
  Implementation result...81
Chapter 14: Customizing a DNS Cache...83
  Overview: Customizing a DNS cache...84
  Configuring a DNS cache to answer queries for local zones...84
  Configuring a DNS cache to use specific root nameservers...84
  Configuring a DNS cache alert for cache poisoning...84
Chapter 15: Configuring IP Anycast (Route Health Injection)...87
  Overview: Configuring IP Anycast (Route Health Injection)...88
  Task summary...88
  Enabling the ZebOS dynamic routing protocol...88
  Creating a custom DNS profile...88
  Configuring a listener for route advertisement...89
  Verifying advertisement of the route...90
  Implementation result...90
Chapter 16: Configuring BIG-IP GTM VIPRION Systems...91
  Overview: Configuring BIG-IP GTM VIPRION systems...92
  Configuring dependency for virtual server status...92
Chapter 17: Ensuring Correct Synchronization When Adding GTM to a Network...93
  Overview: Ensuring correct synchronization when adding GTM to a network...94
  What is configuration synchronization?...94
  About adding an additional BIG-IP GTM to your network...94
  Task summary...94
  Defining an NTP server on the existing GTM...95
  Enabling synchronization on the existing GTM...95
  Creating a data center on the existing GTM...95
  Defining a server on the existing GTM...96
  Running the gtm_add script on the new GTM...97
  Implementation result...97
Chapter 18: Integrating BIG-IP GTM with Other BIG-IP Systems...99
  Overview: Integrating GTM with older BIG-IP systems on a network
  About the iquery protocol and the big3d agent
  Task summary
  Defining a data center
  Defining BIG-IP GTM
  Defining the existing BIG-IP systems
  Running the big3d_install script
  Implementation result
Chapter 19: Setting Up a BIG-IP GTM Redundant System Configuration
  Overview: Configuring a BIG-IP GTM redundant system
  Task summary
  Defining an NTP server
  Creating listeners to identify DNS traffic
  Defining a data center
  Defining a server
  Enabling global traffic configuration synchronization
  Running the gtm_add script
Chapter 20: Authenticating with SSL Certificates Signed by a Third Party
  Overview: Authenticating with SSL certificates signed by a third party
  About SSL authentication levels
  Configuring Level 1 SSL authentication
  Importing the device certificate
  Importing the root certificate for the gtmd agent
  Importing the root certificate for the big3d agent
  Verifying the certificate exchange
  Implementation Results
  Configuring certificate chain SSL authentication
  Creating a certificate chain file
  Importing the device certificate from the last CA server in the chain
  Importing a certificate chain file for the gtmd agent
  Importing a certificate chain for the big3d agent
  Verifying the certificate chain exchange
  Implementation result
Chapter 21: Monitoring Third-Party Servers with SNMP
  Overview: SNMP monitoring of third-party servers
  Task summary
  Creating an SNMP monitor
  Defining a third-party host server that is running SNMP
  Implementation result
Chapter 22: Configuring Device-Specific Probing and Statistics Collection
  Overview: Configuring device-specific probing and statistics collection
  About Prober pools
  About Prober pool status
  About Prober pool statistics
  Task summary
  Creating a Prober pool
  Assigning a Prober pool to a data center
  Assigning a Prober pool to a server
  Viewing Prober pool statistics and status
  Determining which Prober pool member marked a resource down
  Implementation result
Chapter 23: Diagnosing Network Connection Issues
  Diagnosing network connection issues
  Viewing information about connections between BIG-IP GTM and other BIG-IP systems
  iquery statistics descriptions

Legal Notices

Publication Date
This document was published on February 3,

Publication Number
MAN

Copyright
Copyright , F5 Networks, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks
3DNS, Access Policy Manager, Acopia, Acopia Networks, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, Cloud Extender, CloudFucious, CMP, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, EM, Enterprise Manager, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iapps, icontrol, ihealth, iquery, irules, irules OnDemand, isession, IT agility. Your way., L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Module, MSM, Netcelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, Real Traffic Policy Builder, Scale N, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, TrafficShield, Transparent Data Reduction, VIPRION, vcmp, WA, WAN Optimization Manager, WANJet, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent. All other product and company names herein may be trademarks of their respective owners.

Patents
This product may be protected by one or more patents indicated at:

Export Regulation Notice
This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference. Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance
This Class A digital apparatus complies with Canadian ICES-003.

Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.

Acknowledgments

This product includes software developed by Gabriel Forté.
This product includes software developed by Bill Paul.
This product includes software developed by Jonathan Stone.
This product includes software developed by Manuel Bouyer.
This product includes software developed by Paul Richards.
This product includes software developed by the NetBSD Foundation, Inc. and its contributors.
This product includes software developed by the Politecnico di Torino, and its contributors.
This product includes software developed by the Swedish Institute of Computer Science and its contributors.
This product includes software developed by the University of California, Berkeley and its contributors.
This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory.
This product includes software developed by Christopher G. Demetriou for the NetBSD Project.
This product includes software developed by Adam Glass.
This product includes software developed by Christian E. Hopps.
This product includes software developed by Dean Huxley.
This product includes software developed by John Kohl.
This product includes software developed by Paul Kranenburg.
This product includes software developed by Terrence R. Lambert.
This product includes software developed by Philip A. Nelson.
This product includes software developed by Herb Peyerl.
This product includes software developed by Jochen Pohl for the NetBSD Project.
This product includes software developed by Chris Provenzano.
This product includes software developed by Theo de Raadt.
This product includes software developed by David Muir Sharnoff.
This product includes software developed by SigmaSoft, Th. Lockert.
This product includes software developed for the NetBSD Project by Jason R. Thorpe.
This product includes software developed by Jason R. Thorpe for And Communications,
This product includes software developed for the NetBSD Project by Frank Van der Linden.
This product includes software developed for the NetBSD Project by John M. Vinopal.
This product includes software developed by Christos Zoulas.
This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman.
This product includes software developed by Balazs Scheidler which is protected under the GNU Public License.
This product includes software developed by Niels Mueller which is protected under the GNU Public License.
In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with 386BSD and similar operating systems. "Similar operating systems" includes mainly non-profit oriented systems for research and education, including but not restricted to NetBSD, FreeBSD, Mach (by CMU).
This product includes software developed by the Apache Group for use in the Apache HTTP server project.
This product includes software licensed from Richard H. Porter under the GNU Library General Public License ( 1998, Red Hat Software).
This product includes the standard version of Perl software licensed under the Perl Artistic License ( 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved.
This product includes software developed by Jared Minch.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product contains software based on oprofile, which is protected under the GNU Public License.
This product includes RRDtool software developed by Tobi Oetiker and licensed under the GNU General Public License.
This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL).
This product includes software developed by the Apache Software Foundation.
This product includes Hypersonic SQL.
This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others.
This product includes software developed by the Internet Software Consortium.
This product includes software developed by Nominum, Inc.
This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License.
This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation.
This product includes the GeoPoint Database developed by Quova, Inc. and its contributors.

Chapter 1: Upgrading BIG-IP GTM to Version 11.x

Converting a statistics collection server to a Prober pool automatically

In version 10.2 of BIG-IP Global Traffic Manager (GTM), you could assign a single BIG-IP system to probe a server to gather health and performance data. You did this by specifying the IP address of the BIG-IP system (which you chose to perform probes of the server) in the Statistics Collection Server field of the server. In version 11.0, this feature was replaced by the Prober pool feature.

When you upgrade from version 10.2.x to version 11.x, if a single BIG-IP system was assigned to probe a server, BIG-IP GTM converts the single server to a Prober pool with one member, and then assigns the Prober pool to the server to which the Statistics Collection server was originally assigned. The name of the new Prober pool is based on the IP address of the original Statistics Collection server. If the original Statistics Collection server had an IP address of , the name of the automatically created Prober pool is prober_pool_10_10_2_3.

Chapter 2: Delegating DNS Traffic to Wide IPs

Overview: Delegating DNS traffic to wide IPs

BIG-IP Global Traffic Manager (GTM) resolves DNS queries that match a wide IP name. BIG-IP GTM can work in conjunction with an existing DNS server on your network. In this situation, you configure the DNS server to delegate wide IP-related requests to BIG-IP GTM for name resolution.

Figure 1: Traffic flow when DNS server delegates traffic to BIG-IP GTM

This implementation focuses on the fictional company SiteRequest, which recently purchased BIG-IP GTM to help resolve queries for two web-based applications: store.siterequest.com and checkout.siterequest.com. These applications are delegated zones of the company's domain, which a DNS server currently manages. SiteRequest administrators have already configured BIG-IP GTM with two wide IPs, store.siterequest.com and checkout.siterequest.com, which correspond to the two web applications.

About listeners

A listener is a specialized virtual server that uses port 53 and to which you assign a specific IP address. When traffic is sent to that IP address, the listener alerts BIG-IP GTM and the system either handles the traffic locally or forwards the traffic to the appropriate resource. You control how BIG-IP GTM responds to network traffic on a per-listener basis. The number of listeners you create depends on your network configuration and the destinations to which you want to send specific DNS requests. For example, a single BIG-IP GTM can be the primary authoritative server for one domain, while forwarding other DNS requests to a different DNS server. Regardless of how many listeners you configure, BIG-IP GTM always manages and responds to requests for the wide IPs that you have configured on the system.

Task summary

Perform these tasks to delegate DNS traffic to wide IPs.
Creating a delegated zone on a local DNS server
Creating a listener to handle traffic for wide IPs

Creating a delegated zone on a local DNS server

Determine which DNS servers will delegate wide IP-related requests to BIG-IP GTM. If you are using BIND servers and you are unfamiliar with how to modify the files on these servers, consider reviewing the fifth edition of DNS and BIND, available from O'Reilly Media.

In order for BIG-IP GTM to manage the web applications store.siterequest.com and checkout.siterequest.com, you must create a delegated zone on the DNS server that manages the parent domain. Perform the following steps on the selected DNS server.

1. Create an address record (A record) that defines the domain name and IP address of each BIG-IP GTM in your network.
2. Create a nameserver record (NS record) that defines the delegated zone for which BIG-IP GTM is responsible.
3. Create canonical name records (CNAME records) to forward requests for store.siterequest.com and checkout.siterequest.com to the wide IPs store.siterequest.com and checkout.siterequest.com, respectively.

A delegated zone for store.siterequest.com and checkout.siterequest.com exists on each DNS server on which you performed this procedure.

Creating a listener to handle traffic for wide IPs

Determine the self IP address of BIG-IP GTM.

Create a listener on BIG-IP GTM that identifies the wide IP traffic for which BIG-IP GTM is responsible.

1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click Create. The New Listeners screen opens.
3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is a self IP address on BIG-IP GTM.
4. From the VLAN Traffic list, select All VLANs.
5. From the Protocol list, select either UDP or TCP.
6. Click Finished.
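The three record types from the delegation procedure above, as an added example (not F5's tooling and not the manual's own configuration): it generates the A, NS and CNAME records the parent zone needs and checks for the mistakes that make a delegation fail. The delegated zone name gtm.siterequest.com, the GTM hostname and the 192.0.2.10 address are assumptions, not values from the manual.

```python
"""Build and check the parent-zone records that delegate wide IP traffic to BIG-IP GTM.

Added example, not F5's tooling. Names ending in a dot are fully qualified.
"""
from typing import Dict, List, Set, Tuple

# (owner, rrtype, rdata) in zone-file order
Record = Tuple[str, str, str]


def fqdn(name: str) -> str:
    """Append the trailing dot that zone files need on absolute names."""
    return name if name.endswith(".") else name + "."


def build_delegation(delegated_zone: str, gtm_hosts: Dict[str, str],
                     apps: Dict[str, str]) -> List[Record]:
    """Records the parent zone needs for the three steps in the procedure:
    1. an A record for each BIG-IP GTM (hostname -> IP),
    2. an NS record per GTM that delegates the zone,
    3. a CNAME from each application name to its wide IP name."""
    zone = fqdn(delegated_zone)
    records: List[Record] = []
    for host, ip in gtm_hosts.items():
        records.append((fqdn(host), "A", ip))        # glue for the delegated nameserver
        records.append((zone, "NS", fqdn(host)))     # the delegation itself
    for app_name, wide_ip in apps.items():
        records.append((fqdn(app_name), "CNAME", fqdn(wide_ip)))
    return records


def check_delegation(records: List[Record], delegated_zone: str) -> List[str]:
    """Report mistakes that make the delegation fail or misbehave:
    an NS target without glue, a CNAME that leaves the delegated zone or
    points at itself, and a CNAME owner that also carries other records
    (forbidden by RFC 1034 section 3.6.2)."""
    zone = fqdn(delegated_zone)
    problems: List[str] = []
    a_owners: Set[str] = {o for o, t, _ in records if t == "A"}
    ns_targets = [r for o, t, r in records if t == "NS" and o == zone]
    if not ns_targets:
        problems.append(f"no NS record delegates {zone}")
    for ns in ns_targets:
        if ns not in a_owners:
            problems.append(f"NS target {ns} has no A (glue) record")
    types_by_owner: Dict[str, Set[str]] = {}
    for o, t, _ in records:
        types_by_owner.setdefault(o, set()).add(t)
    for o, t, r in records:
        if t != "CNAME":
            continue
        if not r.endswith("." + zone):
            problems.append(f"CNAME {o} points outside the delegated zone: {r}")
        if r == o:
            problems.append(f"CNAME {o} points to itself")
        if types_by_owner[o] - {"CNAME"}:
            problems.append(f"{o} has a CNAME together with other records")
    return problems


def to_zone_text(records: List[Record], ttl: int = 300) -> str:
    """Render the records as zone-file lines ready to paste into the parent zone."""
    return "\n".join(f"{o}\t{ttl}\tIN\t{t}\t{r}" for o, t, r in records)


# Constructed SiteRequest scenario: the delegated zone name gtm.siterequest.com
# and the GTM address (TEST-NET-1 range) are assumptions, not values from the manual.
GTM_HOSTS = {"gtm1.siterequest.com": "192.0.2.10"}
APPS = {"store.siterequest.com": "store.gtm.siterequest.com",
        "checkout.siterequest.com": "checkout.gtm.siterequest.com"}

if __name__ == "__main__":
    recs = build_delegation("gtm.siterequest.com", GTM_HOSTS, APPS)
    print(to_zone_text(recs))
    print("problems:", check_delegation(recs, "gtm.siterequest.com"))
```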

Implementation result

You now have an implementation of BIG-IP GTM in which the DNS server manages DNS traffic unless the query is for store.siterequest.com or checkout.siterequest.com. When the DNS server receives these queries, it delegates them to BIG-IP GTM, which then load balances the queries to the appropriate wide IPs.

Chapter 3: Replacing a DNS Server with BIG-IP GTM

Overview: Replacing a DNS server with BIG-IP GTM

BIG-IP Global Traffic Manager (GTM) load balances incoming wide IP traffic to your network resources. BIG-IP GTM can also replace a local DNS server as the authoritative nameserver for wide IPs, zones, and all other DNS-related traffic. You can configure BIG-IP GTM to replace the DNS server that currently manages the zone. BIG-IP GTM then becomes the authoritative nameserver for that zone and load balances traffic across the web-based applications store.siterequest.com and checkout.siterequest.com.

Figure 2: Traffic flow when BIG-IP GTM replaces DNS server

About listeners

A listener is a specialized virtual server that uses port 53 and to which you assign a specific IP address. When traffic is sent to that IP address, the listener alerts BIG-IP GTM and the system either handles the traffic locally or forwards the traffic to the appropriate resource. You control how BIG-IP GTM responds to network traffic on a per-listener basis. The number of listeners you create depends on your network configuration and the destinations to which you want to send specific DNS requests. For example, a single BIG-IP GTM can be the primary authoritative server for one domain, while forwarding other DNS requests to a different DNS server. Regardless of how many listeners you configure, BIG-IP GTM always manages and responds to requests for the wide IPs that you have configured on the system.

Task summary

Perform these tasks to replace a DNS server with BIG-IP GTM.
Configuring a back-end DNS server to allow zone file transfers
Acquiring zone files from the legacy DNS server
Creating a self IP address using the IP address of the legacy DNS server
Designating GTM as the primary server for the zone
Creating listeners to alert GTM to DNS traffic destined for the system
Creating a wide IP

Configuring a back-end DNS server to allow zone file transfers

If you are unfamiliar with how to modify DNS server files, review the fifth edition of DNS and BIND, available from O'Reilly Media.

To configure a back-end DNS server to allow zone file transfers to the BIG-IP system, add to the DNS server an allow-transfer statement that specifies a self IP address on the BIG-IP system. You can modify the following allow-transfer statement to use a self IP address on the BIG-IP system:

    allow-transfer { localhost; <self IP address of BIG-IP system>; };

Acquiring zone files from the legacy DNS server

Ensure that you have configured the legacy DNS server with an allow-transfer statement that authorizes zone transfers to BIG-IP GTM.

For BIG-IP GTM to acquire zone files from the legacy DNS server, create a new zone.

1. On the Main tab, click Global Traffic > ZoneRunner > Zone List. The Zone List screen opens.
2. Click Create. The New Zone screen opens.
3. From the View Name list, select the view that you want this zone to be a member of. The default view is external.
4. In the Zone Name field, type a name for the zone file in this format, including the trailing dot: db.[viewname].[zonename]. For example, db.external.siterequest.com.
5. From the Zone Type list, select Master.
6. From the Records Creation Method list, select Transfer from Server.
7. In the Source Server field, type the IP address of the DNS server (the server from which you want BIG-IP GTM to acquire zone files).
8. Click Finished.

Creating a self IP address using the IP address of the legacy DNS server

To avoid a conflict on your network, unplug BIG-IP GTM from the network.

When you want BIG-IP GTM to handle DNS traffic previously handled by a DNS server, create a self IP address on BIG-IP GTM using the IP address of the legacy DNS server.

1. On the Main tab, click Network > Self IPs. The Self IPs screen opens.
2. Click Create. The New Self IP screen opens.
3. In the IP Address field, type the IP address of the legacy DNS server. The system accepts IP addresses in both the IPv4 and IPv6 formats.
4. In the Netmask field, type the network mask for the specified IP address.
5. Click Finished.

The screen refreshes, and displays the new self IP address in the list.

Designating GTM as the primary server for the zone

Ensure that you have created a self IP address on BIG-IP GTM using the IP address of the legacy DNS server.

Add this self IP address to the BIG-IP GTM server object. Then modify the DNS server based on your network configuration.

1. Log on to BIG-IP GTM.
2. On the Main tab, click Global Traffic > Servers. The Server List screen opens.
3. Click the name of the BIG-IP GTM system that you want to modify. The server settings and values display.
4. In the Address List area, add the new self IP address.
5. Click Update.
6. Do one of the following based on your network configuration:
   Modify the IP address of the legacy DNS server so that it becomes a secondary DNS server to BIG-IP GTM. Ensure that the IP address of the DNS server does not conflict with the self IP address that you added to the BIG-IP GTM server object.
   Note: If you are using BIND servers, and you are unfamiliar with how to change a DNS server from a primary to a secondary, refer to the fifth edition of DNS and BIND, available from O'Reilly Media.
   Remove the legacy DNS server from your network.

BIG-IP GTM is now the primary authoritative name server for the zone. The servers for the zone do not need to be updated, because the IP address of the legacy DNS server was assigned to BIG-IP GTM.

Creating listeners to alert GTM to DNS traffic destined for the system

To alert the BIG-IP GTM system to DNS traffic (previously handled by the DNS server), create two listeners: one that uses the UDP protocol, and one that uses the TCP protocol.

Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP, the client might receive a connection refused error or TCP RSTs.

1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click Create. The New Listeners screen opens.
3. In the Destination field, type the IP address previously used by the legacy DNS server.
4. From the VLAN Traffic list, select All VLANs.
5. From the Protocol list, select UDP.
6. Click Finished.

Create another listener with the same IP address, but select TCP from the Protocol list.

Creating a wide IP

Ensure that at least one load balancing pool exists in the configuration before you start creating a wide IP.

Create a wide IP to map a FQDN to one or more pools of virtual servers that host the content of the domain.

1. On the Main tab, click Global Traffic > Wide IPs. The Wide IPs List screen opens.
2. Click Create. The New Wide IP screen opens.
3. Type a name for the wide IP.
   Tip: You can use two different wildcard characters in the wide IP name: asterisk (*) to represent several characters and question mark (?) to represent a single character. This reduces the number of aliases you have to add to the configuration.
4. Specify the pools for this wide IP to use for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool.
   a) From the Pool list, select a pool. A pool can belong to more than one wide IP.
   b) Click Add.
5. Click Finished.

Implementation result

BIG-IP GTM replaces the legacy DNS server as the primary authoritative nameserver for the zone. BIG-IP GTM handles all incoming DNS traffic, whether destined for a wide IP or handled by the BIND instance on the system.
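An added check for the allow-transfer step in this chapter (example code, not F5's): it audits the allow-transfer statements in a BIND named.conf so that only the BIG-IP self IP, localhost, or a TSIG key can pull the zone, and flags zones that silently inherit a broad options-level setting. The configuration fragment and the 192.0.2.10 self IP are constructed for the example.

```python
"""Audit allow-transfer statements in a BIND named.conf for the GTM zone-transfer setup.

Added example, not F5's tooling. Parsing is deliberately minimal (no include files,
no named ACL expansion) and covers the statement forms the manual shows.
"""
import re
from typing import Dict, List, Optional, Set

ALLOW_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")
ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"[^{]*\{')
OPTIONS_RE = re.compile(r"\boptions\s*\{")


def brace_block(text: str, open_idx: int) -> str:
    """Return the text between the brace at open_idx and its matching close brace."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in configuration")


def transfer_acl(block: str) -> Optional[List[str]]:
    """The allow-transfer entries in a block, or None if the block has no statement."""
    m = ALLOW_RE.search(block)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def audit_transfers(conf: str, gtm_self_ips: Set[str]) -> Dict[str, List[str]]:
    """Per zone, list findings: broad ACL entries, peers other than the BIG-IP
    self IPs, and zones that only inherit (or lack) an allow-transfer setting."""
    opt = OPTIONS_RE.search(conf)
    default_acl = transfer_acl(brace_block(conf, opt.end() - 1)) if opt else None
    findings: Dict[str, List[str]] = {}
    for zm in ZONE_RE.finditer(conf):
        name = zm.group(1)
        notes: List[str] = []
        acl = transfer_acl(brace_block(conf, zm.end() - 1))
        if acl is None:
            if default_acl is None:
                findings[name] = ["no allow-transfer at zone or options level; "
                                  "the BIND default for your version applies"]
                continue
            notes.append("inherits allow-transfer from options")
            acl = default_acl
        for entry in acl:
            if entry in ("any", "localnets"):
                notes.append(f"overly broad entry '{entry}'")   # any host / whole subnet can AXFR
            elif entry in ("none", "localhost") or entry.startswith("key "):
                continue                                          # closed, loopback, or TSIG-bound
            elif entry not in gtm_self_ips:
                notes.append(f"unexpected transfer peer '{entry}'")
        findings[name] = notes
    return findings


# Constructed named.conf fragment; 192.0.2.10 stands in for the BIG-IP self IP.
SAMPLE_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};
zone "siterequest.com" IN {
    type master;
    file "db.siterequest.com";
    allow-transfer { localhost; 192.0.2.10; };
};
zone "example.net" {
    type master;
    file "db.example.net";
};
"""

if __name__ == "__main__":
    for zone, notes in audit_transfers(SAMPLE_CONF, {"192.0.2.10"}).items():
        print(zone, "->", notes or "ok")
```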


25 Chapter 4 Sending Traffic Through BIG-IP GTM Overview: Configuring GTM to screen traffic to an existing DNS server Task summary Implementation result

26 Sending Traffic Through BIG-IP GTM Overview: Configuring GTM to screen traffic to an existing DNS server You can use BIG-IP Global Traffic Manager (GTM ) as a traffic screener in front of an existing DNS server. With this setup, all DNS traffic flows through BIG-IP GTM. Listeners that you configure on BIG-IP GTM verify incoming DNS queries. If the query is for a wide IP, BIG-IP GTM resolves the request. If the query is for a destination that does not match a wide IP or for an IP address that is not configured on BIG-IP GTM, the system forwards the query to the specified DNS server for resolution. When forwarding a query, BIG-IP GTM transforms the source address to a self IP address on BIG-IP GTM. Figure 3: Traffic flow when BIG-IP GTM screens traffic to a DNS server About listeners A listener is a specialized virtual server that uses port 53 and to which you assign a specific IP address. When traffic is sent to that IP address, the listener alerts BIG-IP GTM and the system either handles the traffic locally or forwards the traffic to the appropriate resource. You control how BIG-IP GTM responds to network traffic on a per-listener basis. The number of listeners you create depends on your network configuration and the destinations to which you want to send specific DNS requests. For example, a single BIG-IP GTM can be the primary authoritative server for one domain, while forwarding other DNS requests to a different DNS server. Regardless of how many listeners you configure, BIG-IP GTM always manages and responds to requests for the wide IPs that you have configured on the system. 26

About wildcard listeners

A wildcard listener is a special listener that is assigned the wildcard IP address and the DNS query port (port 53). When you want BIG-IP GTM to handle all DNS traffic coming into your network, regardless of the destination IP address of the given DNS request, you create a wildcard listener. BIG-IP GTM then not only responds to wide IP requests, but also forwards other DNS requests to other DNS servers.

Task summary

Perform these tasks to send traffic through BIG-IP GTM.

Placing GTM on your network to forward traffic
Creating a listener to forward traffic to a DNS server
Creating a wide IP

Placing GTM on your network to forward traffic

You need to determine to which DNS server you want this BIG-IP GTM system to forward traffic. To forward traffic, you need to place BIG-IP GTM on your network between the existing DNS server and the clients.

1. Physically connect BIG-IP GTM to your Internet connection.
2. Connect the DNS server to an Ethernet port on BIG-IP GTM (optional).
3. Connect the DNS server to a switch.

Creating a listener to forward traffic to a DNS server

Determine to which DNS server you want this listener to forward traffic.

Create a listener that alerts the BIG-IP system to traffic destined for a DNS server.

1. On the Main tab, click Global Traffic > Listeners.
   The Listeners List screen opens.
2. Click Create.
   The new Listeners screen opens.
3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is the IP address of a DNS server to which you want the listener to route traffic.
   Important: The destination must not match a self IP address on BIG-IP GTM.
4. From the VLAN Traffic list, select All VLANs.
5. Click Finished.

Creating a wide IP

Ensure that at least one load balancing pool exists in the configuration before you start creating a wide IP.

Create a wide IP to map an FQDN to one or more pools of virtual servers that host the content of the domain.

1. On the Main tab, click Global Traffic > Wide IPs.
   The Wide IPs List screen opens.
2. Click Create.
   The New Wide IP screen opens.
3. Type a name for the wide IP.
   Tip: You can use two different wildcard characters in the wide IP name: asterisk (*) to represent several characters and question mark (?) to represent a single character. This reduces the number of aliases you have to add to the configuration.
4. Specify the pools for this wide IP to use for load balancing. The system evaluates the pools in the order in which they are listed, until it finds a matching pool.
   a) From the Pool list, select a pool.
      A pool can belong to more than one wide IP.
   b) Click Add.
5. Click Finished.

Implementation result

You now have an implementation in which BIG-IP GTM receives all DNS queries. If the query is for a wide IP, BIG-IP GTM load balances the request to the appropriate resource. If the query is for an IP address of a DNS server, BIG-IP GTM either routes or forwards the query to the DNS server for resolution.

Chapter 5: Load Balancing Non-Wide IP DNS Traffic to a Pool of DNS Servers

Overview: Screening and forwarding non-wide IP traffic to a pool of DNS servers
Task summary
Implementation result

Overview: Screening and forwarding non-wide IP traffic to a pool of DNS servers

BIG-IP Global Traffic Manager (GTM) can function as a traffic screener in front of a pool of DNS servers. In this situation, BIG-IP GTM checks incoming DNS queries and, if the query is for a wide IP, resolves the query. Otherwise, BIG-IP GTM forwards the DNS query to one of the servers in a pool of DNS servers, and that server handles the query.

Figure 4: Traffic flow when BIG-IP GTM screens traffic to a pool of DNS servers

About listeners

A listener is a specialized virtual server that uses port 53 and to which you assign a specific IP address. When traffic is sent to that IP address, the listener alerts BIG-IP GTM, and the system either handles the traffic locally or forwards the traffic to the appropriate resource. You control how BIG-IP GTM responds to network traffic on a per-listener basis.

The number of listeners you create depends on your network configuration and the destinations to which you want to send specific DNS requests. For example, a single BIG-IP GTM can be the primary authoritative server for one domain, while forwarding other DNS requests to a different DNS server. Regardless of how many listeners you configure, BIG-IP GTM always manages and responds to requests for the wide IPs that you have configured on the system.

Task summary

Perform these tasks to screen non-wide IP traffic and forward the traffic to a pool of DNS servers.

Creating a pool of local DNS servers
Creating a listener that alerts GTM to DNS queries for a pool of DNS servers

Creating a pool of local DNS servers

Ensure that you have created a custom DNS monitor to assign to the pool of DNS servers. Gather the IP addresses of the DNS servers that you want to include in a pool to which the BIG-IP system load balances DNS traffic.

1. Log in to the command-line interface of the BIG-IP system.
2. Type tmsh to access the Traffic Management Shell.
3. Run a variation on this command to create a pool using the IP addresses of the DNS servers on your network:
   create /ltm pool DNS_pool members add { :domain :domain :domain } monitor my_custom_dns_monitor
   Note: :domain indicates the DNS port.
   When you run this example command, the system creates a pool named DNS_pool that includes the three DNS servers whose IP addresses are listed in the command. The custom DNS monitor you created to monitor DNS servers is assigned to the pool. The monitor sends DNS requests to the pool of DNS servers and validates the DNS responses.
4. Run this command to save the pool:
   save /sys config
5. Run this command to display the pool:
   list /ltm pool
6. Verify that the pool is configured correctly.

Creating a listener that alerts GTM to DNS queries for a pool of DNS servers

Configure a listener that alerts BIG-IP GTM to DNS queries destined for DNS servers that are members of a pool.

1. Log on to the command-line interface of BIG-IP GTM.
2. Type tmsh to access the Traffic Management Shell.
3. Run this command to create a listener:
   create /gtm listener <name of listener> address <IP address on which you want the listener to alert GTM to DNS traffic> ip-protocol udp pool <name of pool> translate-address enabled
   The system creates a listener with the specified name and IP address that alerts BIG-IP GTM to queries destined for the members of the specified pool.
4. Run this command to save the listener:
   save /sys config
5. Run this command to display the listener:
   list /gtm listener
   The system displays the new listener configuration.

Implementation result

You now have an implementation in which BIG-IP GTM receives DNS queries, handles wide IP requests, and forwards all other DNS queries to members of the pool of DNS servers.


Chapter 6: Load Balancing DNS Traffic Between IPv6-Only and IPv4-Only Clouds

Overview: Handling IPv6-only connection requests to IPv4-only servers
Task summary
Implementation result

Overview: Handling IPv6-only connection requests to IPv4-only servers

You can configure BIG-IP Local Traffic Manager (LTM) and BIG-IP Global Traffic Manager (GTM) systems to handle IPv6-only client connection requests to IPv4-only servers on your network by returning an AAAA record response to the client.

Figure 5: Mapping IPv6 addresses to IPv4 addresses

Task summary

Perform these tasks to configure BIG-IP systems to handle DNS queries from IPv6-only clients to IPv4-only servers on your network.

Creating a custom DNS profile
Assigning a DNS profile to a virtual server

Creating a custom DNS profile

You can create a custom DNS profile to configure how the BIG-IP system handles DNS connection requests.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS.
   The DNS profile list screen opens.
2. Click Create.
   The New DNS Profile screen opens.
3. In the Name field, type a name for the profile.
4. In the Parent Profile list, accept the default dns profile.
5. Select the Custom check box.
   The fields in the Settings area become available for revision.
6. In the Global Traffic Management list, accept the default value Enabled.

7. From the DNS IPv6 to IPv4 list, select how you want the system to handle IPv6 to IPv4 address mapping in DNS queries and responses.
   Disabled: The BIG-IP system does not map IPv4 addresses to IPv6 addresses.
   Immediate: The BIG-IP system receives an AAAA query and forwards the query to a DNS server. The BIG-IP system then forwards the first good response from the DNS server to the client. If the system receives an A response first, it appends a 96-bit prefix to the record and forwards it to the client. If the system receives an AAAA response first, it simply forwards the response to the client. The system disregards the second response from the DNS server.
   Secondary: The BIG-IP system receives an AAAA query and forwards the query to a DNS server. Only if the server fails to return a response does the BIG-IP system send an A query. If the BIG-IP system receives an A response, it appends a 96-bit user-configured prefix to the record and forwards it to the client.
   v4 Only: The BIG-IP system receives an AAAA query, but forwards an A query to a DNS server. After receiving an A response from the server, the BIG-IP system appends a 96-bit user-configured prefix to the record and forwards it to the client.
   Important: Select this option only if you know that all your DNS servers are IPv4-only servers.
   If you selected Immediate, Secondary, or v4 Only, two new fields display.
8. In the IPv6 to IPv4 Prefix field, specify the prefix the BIG-IP system appends to all A query responses to an IPv6 request.
9. From the IPv6 to IPv4 Additional Section Rewrite list, select an option to allow improved network efficiency for both Unicast and Multicast DNS-SD responses.
   Disabled: The BIG-IP system does not perform additional rewrite.
   v4 Only: The BIG-IP system accepts only A records. The system appends the 96-bit user-configured prefix to a record and returns an IPv6 response to the client.
   v6 Only: The BIG-IP system accepts only AAAA records and returns an IPv6 response to the client.
   Any: The BIG-IP system accepts and returns both A and AAAA records. If the DNS server returns an A record in the Additional section of a DNS message, the BIG-IP system appends the 96-bit user-configured prefix to the record and returns an IPv6 response to the client.
10. From the Use BIND Server on BIG-IP list, select Enabled.
   Note: Enable this setting only when you want the system to forward non-wide IP queries to the local BIND server on BIG-IP GTM.
11. Click Finished.

Assigning a DNS profile to a virtual server

1. On the Main tab, click Local Traffic > Virtual Servers.
   The Virtual Server List screen displays a list of existing virtual servers.

2. Click the name of the virtual server you want to modify.
3. From the DNS Profile list, select the profile you created to manage IPv6 to IPv4 address mapping.
4. Click Update.

This virtual server can now pass traffic between an IPv6-only client and an IPv4-only DNS server.

Implementation result

You now have an implementation in which the BIG-IP system handles connection requests from an IPv6-only client to an IPv4-only server.
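The following is an added worked example (not F5 code) of what the DNS IPv6 to IPv4 profile setting does: it builds the synthesized AAAA answer by appending a 96-bit prefix to an A record, and models how the Disabled, Immediate, Secondary and v4 Only options choose an answer. The prefix 64:ff9b::/96 stands in for the user-configured IPv6 to IPv4 Prefix, and the Backend class is a constructed stand-in for the DNS server behind the BIG-IP system.

```python
"""Added worked example (not F5 code): the IPv6 to IPv4 mapping options of the
DNS profile, with the 96-bit prefix applied to A records.

Constructed sample data throughout: the prefix stands in for the user-configured
IPv6 to IPv4 Prefix, and Backend stands in for the DNS server the BIG-IP system
forwards queries to.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PREFIX_BITS = 96  # the profile appends a 96-bit prefix to each A record


def synthesize_aaaa(prefix: str, ipv4: str) -> str:
    """Return the IPv6 address formed by appending the 32-bit IPv4 address to the 96-bit prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != PREFIX_BITS:
        raise ValueError(f"prefix must be a /{PREFIX_BITS} network, got /{net.prefixlen}")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | v4))


@dataclass
class Backend:
    """Constructed stand-in for the DNS server behind the BIG-IP system.

    answers maps a query type to its answer list, or None when the server
    returns no response for that type. first_to_answer says which of two
    concurrent queries comes back first; only the Immediate option cares.
    """
    answers: dict
    first_to_answer: str = "AAAA"

    def query(self, qtype: str) -> Optional[list]:
        return self.answers.get(qtype)


def resolve_ipv6_client(mode: str, prefix: str, backend: Backend) -> list:
    """Return the AAAA answers an IPv6-only client receives for each profile option."""
    if mode == "Disabled":
        # No mapping: the AAAA query and its response pass through untouched.
        return list(backend.query("AAAA") or [])

    if mode == "Immediate":
        # Both queries are sent; the first good response wins and the other is
        # disregarded. An A response is mapped, an AAAA response passes through.
        order = [backend.first_to_answer, "A" if backend.first_to_answer == "AAAA" else "AAAA"]
        for qtype in order:
            answers = backend.query(qtype)
            if answers:
                if qtype == "A":
                    return [synthesize_aaaa(prefix, a) for a in answers]
                return list(answers)
        return []

    if mode == "Secondary":
        # The A query is sent only if the server fails to respond to the AAAA query.
        aaaa = backend.query("AAAA")
        if aaaa is not None:
            return list(aaaa)
        return [synthesize_aaaa(prefix, a) for a in backend.query("A") or []]

    if mode == "v4 Only":
        # Only an A query goes to the server; every answer is mapped.
        return [synthesize_aaaa(prefix, a) for a in backend.query("A") or []]

    raise ValueError(f"unknown DNS IPv6 to IPv4 option: {mode!r}")


if __name__ == "__main__":
    # Constructed IPv4-only server: it has an A record and never answers AAAA.
    server = Backend(answers={"A": ["192.0.2.10"], "AAAA": None})
    for option in ("Disabled", "Immediate", "Secondary", "v4 Only"):
        print(f"{option:10} -> {resolve_ipv6_client(option, '64:ff9b::/96', server)}")
```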

Chapter 7: Configuring GTM on a Network with One Route Domain

Overview: How do I deploy BIG-IP GTM on a network with one route domain?
Task summary
Implementation result

Overview: How do I deploy BIG-IP GTM on a network with one route domain?

You can deploy BIG-IP Global Traffic Manager (GTM) on a network where BIG-IP Local Traffic Manager (LTM) is configured with one route domain and no overlapping IP addresses.

Caution: For BIG-IP systems that include both LTM and GTM, you can configure route domains on internal interfaces only. F5 Networks does not support the configuration of route domains on a standalone BIG-IP GTM.

Figure 6: BIG-IP GTM deployed on a network in front of a BIG-IP LTM configured with a route domain

Task summary

BIG-IP GTM can gather status and statistics for the virtual servers hosted on BIG-IP Local Traffic Manager (LTM) systems on your network that are configured on a route domain. The BIG-IP LTM systems must contain:

- VLANs through which traffic for the route domain passes.
- A self IP address that represents the address space of the route domain.

Additionally, BIG-IP GTM must contain a server object for each route domain. The server objects must be configured with a self IP address that represents the address space of the route domain.

Perform the specified tasks to configure BIG-IP LTM systems with a route domain, and then to configure BIG-IP GTM to be able to monitor these systems.

Creating VLANs for a route domain on BIG-IP LTM
Creating a route domain on a BIG-IP LTM system
Creating a self IP address for a route domain on BIG-IP LTM
Defining a server for a route domain on BIG-IP GTM

Creating VLANs for a route domain on BIG-IP LTM

You need to create two VLANs on BIG-IP Local Traffic Manager (LTM) through which traffic can pass to a route domain.

1. On the Main tab, click Network > VLANs.
   The VLAN List screen opens.
2. Click Create.
   The New VLAN screen opens.
3. In the Name field, type external.
4. In the Tag field, type a numeric tag, from 1 to 4094, for the VLAN. Leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
   The VLAN tag identifies the traffic from hosts in the associated VLAN.
5. For the Interfaces setting, from the Available list, click an interface number or trunk name and add the selected interface or trunk to the Untagged list. Repeat this step as necessary.
6. Select the Source Check check box if you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated.
7. Click Finished.
   The screen refreshes, and displays the new VLAN in the list.

Repeat this procedure, but in Step 3, name the VLAN internal.

Creating a route domain on a BIG-IP LTM system

Before you create a route domain, ensure that an external and an internal VLAN exist on the BIG-IP LTM system.

You can create a route domain on BIG-IP LTM to segment (isolate) network traffic on your network.

1. On the Main tab, click Network > Route Domains.
   The Route Domain List screen opens.
2. Click Create.
   The New Route Domain screen opens.
3. In the Name field, type a name for the route domain.
   This name must be unique within the administrative partition in which the route domain resides.
4. In the ID field, type an ID number for the route domain.
   This ID must be unique on the BIG-IP system; that is, no other route domain on the system can have this ID.
5. In the Description field, type a description of the route domain.

   For example: This route domain applies to traffic for application MyApp.
6. For the Strict Isolation setting, select the Enabled check box to restrict traffic in this route domain from crossing into another route domain.
7. For the Parent Name setting, retain the default value.
8. For the VLANs setting, from the Available list, select a VLAN name and move it to the Members list. Select the VLAN that processes the application traffic relevant to this route domain.
   Configuring this setting ensures that the BIG-IP system immediately associates any self IP addresses pertaining to the selected VLANs with this route domain.
9. For the Dynamic Routing Protocols setting, from the Available list, select one or more protocol names and move them to the Enabled list. You can enable any number of listed protocols for this route domain. This setting is optional.
10. From the Partition Default Route Domain list, select either Another route domain (0) is the Partition Default Route Domain or Make this route domain the Partition Default Route Domain.
   This setting does not appear if the current administrative partition is partition Common. When you configure this setting, either route domain 0 or this route domain becomes the default route domain for the current administrative partition.
11. Click Finished.
   The system displays a list of route domains on the BIG-IP system.

You now have another route domain on the BIG-IP system.

Creating a self IP address for a route domain on BIG-IP LTM

Ensure that external and internal VLANs exist on BIG-IP LTM before you begin creating a self IP address for a route domain.

Create a self IP address on BIG-IP LTM that resides in the address space of the route domain.

1. On the Main tab, click Network > Self IPs.
   The Self IPs screen opens.
2. Click Create.
   The New Self IP screen opens.
3. In the IP Address field, type an IP address.
   This IP address must represent a self IP address in a route domain. Use the format x.x.x.x%n, where n is the route domain ID (for example, the suffix %1 places the address in route domain 1). The system accepts IP addresses in both the IPv4 and IPv6 formats.
4. In the Netmask field, type the network mask for the specified IP address.
5. From the VLAN/Tunnel list, select external.
6. From the Port Lockdown list, select Allow Default.
7. Click Finished.
   The screen refreshes, and displays the new self IP address in the list.

Repeat this procedure, but in Step 5, select VLAN internal.

Defining a server for a route domain on BIG-IP GTM

On a BIG-IP GTM system, define a server that represents the route domain.

1. On the Main tab, click Global Traffic > Servers.
   The Server List screen opens.
2. Click Create.
   The New Server screen opens.
3. In the Name field, type a name for the server.
   Important: Server names are limited to 63 characters.
4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant).
   The server type determines the metrics that the system can collect from the server.
5. In the Address List area, add the self IP address that you assigned to the VLAN that you assigned to the route domain.
   Important: Do not include the route domain ID in this IP address. Use the format x.x.x.x, without the %n suffix.
6. From the Data Center list, select the data center where the server resides.
7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system. Virtual server discovery is supported when you have only one route domain.
   Disabled: Use this option when you plan to manually add virtual servers to the system.
   Enabled: The system automatically adds virtual servers using the discovery feature.
   Enabled (No Delete): The system uses the discovery feature and does not delete any virtual servers that already exist.
9. Click Create.
   The Server List screen opens displaying the new server in the list.

Implementation result

You now have an implementation in which BIG-IP GTM can monitor virtual servers on BIG-IP LTM systems configured with one route domain.


Chapter 8: Configuring GTM on a Network with Multiple Route Domains

Overview: How do I deploy BIG-IP GTM on a network with multiple route domains?
Task summary
Implementation result

Overview: How do I deploy BIG-IP GTM on a network with multiple route domains?

You can deploy BIG-IP Global Traffic Manager (GTM) on a network where BIG-IP Local Traffic Manager (LTM) systems are configured with multiple route domains and overlapping IP addresses.

Important: On a network with route domains, you must ensure that virtual server discovery (autoconf) is disabled, because virtual server discovery does not discover translation IP addresses.

Caution: For BIG-IP systems that include both LTM and GTM, you can configure route domains on internal interfaces only. F5 Networks does not support the configuration of route domains on a standalone BIG-IP GTM.

The following figure shows BIG-IP GTM deployed in a network with multiple BIG-IP Local Traffic Manager (LTM) systems configured with the default route domain (zero) and two additional route domains. BIG-IP GTM can monitor the Application1 and Application2 servers, which have overlapping IP addresses and reside in different route domains. The firewalls perform the required address translation between the BIG-IP GTM and BIG-IP LTM addresses; you must configure the firewalls to segment traffic and avoid improperly routing packets between route domain 1 and route domain 2.

Figure 7: BIG-IP GTM deployed on a network with multiple route domains

Task summary

Before BIG-IP GTM can gather status and statistics for the virtual servers hosted on BIG-IP LTM systems on your network that are configured with route domains, you must configure the following on each BIG-IP LTM that handles traffic for route domains:

- VLANs through which traffic for your route domains passes
- Route domains that represent each network segment
- Self IP addresses that represent the address spaces of the route domains

Additionally, on BIG-IP GTM you must:

- Configure, for each route domain, a server object with virtual server discovery disabled
- Disable virtual server discovery globally

Perform the following tasks to configure BIG-IP GTM to monitor BIG-IP LTM systems with route domains.

Creating VLANs for a route domain on BIG-IP LTM
Creating a route domain on BIG-IP LTM
Creating a self IP address for a route domain on BIG-IP LTM
Disabling auto-discovery at the global level on BIG-IP GTM
Defining a server for a route domain on BIG-IP GTM

Creating VLANs for a route domain on BIG-IP LTM

Create two VLANs on BIG-IP LTM through which traffic can pass to a route domain.

1. On the Main tab, click Network > VLANs.
   The VLAN List screen opens.
2. Click Create.
   The New VLAN screen opens.
3. In the Name field, type external.
4. In the Tag field, type a numeric tag, from 1 to 4094, for the VLAN. Leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
   The VLAN tag identifies the traffic from hosts in the associated VLAN.
5. For the Interfaces setting, from the Available list, click an interface number or trunk name and add the selected interface or trunk to the Untagged list. Repeat this step as necessary.
6. Select the Source Check check box if you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated.
7. Click Finished.
   The screen refreshes, and displays the new VLAN in the list.

Repeat this procedure, but in Step 3, name the second VLAN internal.

Creating a route domain on BIG-IP LTM

Ensure that VLANs exist on BIG-IP LTM before you create a route domain.

You can create a route domain on a BIG-IP system to segment (isolate) network traffic on your network.

1. On the Main tab, click Network > Route Domains.
   The Route Domain List screen opens.
2. Click Create.
   The New Route Domain screen opens.
3. In the ID field, type an ID number for the route domain.
   This ID must be unique on the BIG-IP system; that is, no other route domain on the system can have this ID.
4. In the Description field, type a description of the route domain.
   For example: This route domain applies to traffic for application MyApp.
5. For the Strict Isolation setting, select the Enabled check box to restrict traffic in this route domain from crossing into another route domain.
6. For the Parent Name setting, retain the default value.
7. For the VLANs setting, move the external and internal VLANs from the Available list to the Members list.

   Configuring this setting ensures that the BIG-IP system immediately associates any self IP addresses pertaining to the selected VLANs with this route domain.
8. Click Finished.
   The system displays a list of route domains on the BIG-IP system.

Create additional route domains based on your network configuration.

Creating a self IP address for a route domain on BIG-IP LTM

Ensure that VLANs exist on BIG-IP LTM before you begin creating a self IP address for a route domain.

Create a self IP address on the BIG-IP system that resides in the address space of the route domain.

1. On the Main tab, click Network > Self IPs.
   The Self IPs screen opens.
2. Click Create.
   The New Self IP screen opens.
3. In the IP Address field, type an IP address.
   This IP address must represent a self IP address in a route domain. Use the format x.x.x.x%n, where n is the route domain ID (for example, the suffix %1 places the address in route domain 1). The system accepts IP addresses in both the IPv4 and IPv6 formats.
4. In the Netmask field, type the network mask for the specified IP address.
5. From the VLAN/Tunnel list, select the VLAN that you assigned to the route domain that contains this self IP address.
6. From the Port Lockdown list, select Allow Default.
7. Click Finished.
   The screen refreshes, and displays the new self IP address in the list.

Create additional self IP addresses based on your network configuration.

Disabling auto-discovery at the global level on BIG-IP GTM

On BIG-IP GTM, disable auto-discovery at the global level.

1. On the Main tab, click System > Configuration > Global Traffic > General.
   The general Configuration screen opens.
2. Clear the Auto-Discovery check box.
3. Click Update.

Defining a server for a route domain on BIG-IP GTM

On BIG-IP GTM, define a server that represents the route domain.

1. On the Main tab, click Global Traffic > Servers.
   The Server List screen opens.
2. Click Create.
   The New Server screen opens.

3. In the Name field, type a name for the server.
   Important: Server names are limited to 63 characters.
4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant).
   The server type determines the metrics that the system can collect from the server.
5. In the Address List area, add the self IP address that you assigned to the VLAN that you assigned to the route domain.
   Important: Do not include the route domain ID in this IP address. Use the format x.x.x.x, without the %n suffix.
6. From the Data Center list, select the data center where the server resides.
7. From the Prober Pool list, select one of the following.
   Inherit from Data Center: By default, a server inherits the Prober pool assigned to the data center in which the server resides.
   Prober pool name: Select the Prober pool that contains the BIG-IP systems that you want to perform monitor probes of this server.
   Note: The selected Prober pool must reside in the same route domain as the servers you want the pool members to probe.
8. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
9. From the Virtual Server Discovery list, select Disabled.
10. Click Create.
   The New Server screen opens.

Implementation result

You now have an implementation in which BIG-IP GTM monitors BIG-IP LTM virtual servers on the various route domains in your network.
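Chapters 7 and 8 both use two forms of the same address: the x.x.x.x%n self IP entered on BIG-IP LTM, and the bare x.x.x.x entered in the GTM server Address List. The following is an added example (not F5 code) that converts between the two forms and shows why addresses that overlap across route domains become indistinguishable once the %n suffix is dropped, which is the situation the multiple route domain deployment handles with firewall address translation and virtual server discovery disabled. All sample addresses are constructed.

```python
"""Added worked example (not F5 code): the x.x.x.x%n self IP form used on BIG-IP
LTM and the suffix-free form required in the GTM server Address List.

All addresses below are constructed sample data.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class RouteDomainAddress:
    address: IPAddress
    route_domain: int  # 0 is the default route domain

    @classmethod
    def parse(cls, text: str) -> "RouteDomainAddress":
        """Parse 'x.x.x.x%n' (or 'ipv6%n'); a bare address belongs to route domain 0."""
        addr_part, sep, rd_part = text.partition("%")
        if sep and not rd_part.isdigit():
            raise ValueError(f"route domain ID must be a number: {text!r}")
        return cls(ipaddress.ip_address(addr_part), int(rd_part) if sep else 0)

    def ltm_self_ip(self) -> str:
        """The form entered in the IP Address field of the LTM Self IP screen."""
        return f"{self.address}%{self.route_domain}"

    def gtm_server_address(self) -> str:
        """The form entered in the GTM server Address List: route domain ID omitted."""
        return str(self.address)


def ambiguous_for_gtm(self_ips: List[str]) -> Dict[str, List[int]]:
    """Return addresses that appear in more than one route domain.

    Once the %n suffix is dropped for the GTM server object these entries are
    identical, so GTM alone cannot tell which route domain a probe should reach.
    Each value is the sorted list of route domain IDs that share the address.
    """
    seen = defaultdict(set)
    for text in self_ips:
        rd_addr = RouteDomainAddress.parse(text)
        seen[rd_addr.gtm_server_address()].add(rd_addr.route_domain)
    return {addr: sorted(rds) for addr, rds in seen.items() if len(rds) > 1}


if __name__ == "__main__":
    # One route domain (chapter 7): the conversion is unambiguous.
    rd1 = RouteDomainAddress.parse("10.10.10.1%1")
    print(rd1.ltm_self_ip(), "->", rd1.gtm_server_address())  # 10.10.10.1%1 -> 10.10.10.1
    # Overlapping address space across route domains (chapter 8) collides.
    print(ambiguous_for_gtm(["10.10.10.1%1", "10.10.10.1%2", "10.10.10.2%1"]))
    # {'10.10.10.1': [1, 2]}
```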

Chapter 9: Securing Your DNS Infrastructure

Overview: Securing your DNS infrastructure
Task summary
Implementation result

Overview: Securing your DNS infrastructure

You can use BIG-IP Global Traffic Manager (GTM) to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol. To configure DNSSEC compliance, you create DNSSEC key-signing and zone-signing keys and a DNSSEC zone. Then you assign at least one enabled key-signing key and one enabled zone-signing key to the zone.

Figure 8: Traffic flow when BIG-IP GTM is the DNSSEC authoritative nameserver

How do I prepare for a manual rollover of a DNSSEC key?

When you create DNSSEC key-signing keys and DNSSEC zone-signing keys, it is important to create a disabled standby version of each key that has a similar name. To do so, associate both pairs of keys with the same zone. This prepares you to easily perform a manual rollover of the keys should an enabled key become compromised.

Task summary

Perform these tasks on BIG-IP GTM to secure your DNS infrastructure.

Creating listeners to identify DNS traffic
Creating DNSSEC key-signing keys
Creating DNSSEC zone-signing keys
Creating DNSSEC zones
Confirm that GTM is signing the DNSSEC records

Creating listeners to identify DNS traffic

Create two listeners to identify DNS traffic for which BIG-IP GTM is responsible. Create one listener that uses the UDP protocol and one that uses the TCP protocol.

Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP, the client might receive a connection refused error or TCP RSTs.

1. On the Main tab, click Global Traffic > Listeners.
   The Listeners List screen opens.
2. Click Create.
   The new Listeners screen opens.
3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic.
   The destination is a self IP address on BIG-IP GTM.
4. Click Finished.

Create another listener with the same IP address, but select TCP from the Protocol list.

Creating DNSSEC key-signing keys

Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria:

- The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
- The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
- The difference between the values of the rollover and expiration periods must be more than the value of the TTL.

Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.

Create key-signing keys for BIG-IP GTM to use in the DNSSEC authentication process.

1. On the Main tab, click Global Traffic > DNSSEC Key List.
   The DNSSEC Key List screen opens.
2. Click Create.
   The New DNSSEC Key screen opens.
3. In the Name field, type a name for the key.
   Zone names are limited to 63 characters.
4. From the Algorithm list, select the algorithm the system uses to create the key.
   Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA
5. In the Bit Width field, type the bit width for the key.
6. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
7. From the Type list, select Key Signing Key.

8. From the State list, select Enabled.
9. In the TTL field, accept the default value (the number of seconds in one day).
   This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
10. For the Rollover Period setting, in the Days field, type the number of days in the rollover period.
11. For the Expiration Period setting, in the Days field, type the number of days in the expiration period.
12. For the Signature Validity Period setting, accept the default value of seven days.
   This value must be greater than the value of the signature publication period.
13. For the Signature Publication Period setting, accept the default value of four days and 16 hours.
   This value must be less than the value of the signature validity period.
14. Click Finished.
15. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating DNSSEC zone-signing keys

Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria:

- The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
- The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
- The difference between the values of the rollover and expiration periods must be more than the value of the TTL.

Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.

Create zone-signing keys for BIG-IP GTM to use in the DNSSEC authentication process.

1. On the Main tab, click Global Traffic > DNSSEC Key List.
   The DNSSEC Key List screen opens.
2. Click Create.
   The New DNSSEC Key screen opens.
3. In the Name field, type a name for the key.
   Zone names are limited to 63 characters.
4. In the Bit Width field, type the bit width for the key.
5. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
6. From the Type list, select Zone Signing Key.
7. From the State list, select Enabled.
8. In the TTL field, accept the default value (the number of seconds in one day).
   This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
9. For the Rollover Period setting, in the Days field, type the number of days in the rollover period.

10. For the Expiration Period setting, in the Days field, type
11. For the Signature Validity Period setting, accept the default value of seven days.
   This value must be greater than the value of the signature publication period.
12. For the Signature Publication Period setting, accept the default value of four days and 16 hours.
   This value must be less than the value of the signature validity period.
13. Click Finished.
14. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating DNSSEC zones

Before BIG-IP GTM can sign zone requests, you must assign at least one enabled zone-signing key and one enabled key-signing key to the zone.

1. On the Main tab, click Global Traffic > DNSSEC Zone List.
   The DNSSEC Zone List screen opens.
2. Click Create.
   The New DNSSEC Zone screen opens.
3. In the Name field, type a second-level domain name.
   For example, use a zone name of siterequest.com to handle DNSSEC requests for and *.
4. From the State list, select Enabled.
5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone.
6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone.
7. Click Finished.

Upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the file /config/gtm/dsset-[dnssec.zone.name] (where zone is the name of the zone you are configuring).

Confirm that GTM is signing the DNSSEC records

After you create DNSSEC zones and zone-signing keys, you can confirm that GTM is signing the DNSSEC records.

1. Log on to the command-line interface of a client.
2. At the prompt, type <address of GTM listener> +dnssec siterequest.com
   GTM returns the signed RRSIG records for the zone.
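The key-signing and zone-signing key procedures above state three timing constraints (TTL versus the rollover/expiration gap, rollover versus expiration, signature validity versus publication). The following is an added example, not F5 code, that checks a proposed schedule against those constraints before it is typed into the GUI; the 90-day rollover and 120-day expiration values are constructed sample values, since the page gives only the TTL, validity and publication defaults.

```python
"""Sanity-check a DNSSEC key schedule against the timing constraints stated in the
BIG-IP GTM key-signing-key and zone-signing-key procedures.

Added example; this is not BIG-IP code. The GUI takes the periods in days and the
TTL in seconds, so everything is normalised to seconds here. The 90/120-day
rollover/expiration values are constructed sample values, not page defaults.
"""
from __future__ import annotations

from dataclasses import dataclass

DAY = 86_400   # seconds in one day
HOUR = 3_600


@dataclass(frozen=True)
class KeySchedule:
    """Timing parameters of one DNSSEC key (all values in seconds)."""
    ttl: int
    rollover_period: int
    expiration_period: int
    signature_validity: int
    signature_publication: int


def check_schedule(s: KeySchedule) -> list[str]:
    """Return the constraints the schedule violates; an empty list means it is consistent."""
    problems: list[str] = []
    if not (s.expiration_period / 2 < s.rollover_period < s.expiration_period):
        problems.append("rollover period must be greater than half the expiration period "
                        "and less than the expiration period")
    if s.ttl >= s.expiration_period - s.rollover_period:
        # A resolver may cache the key for up to TTL seconds. If that outlives the
        # window between rollover and expiration, the resolver can be handed a key
        # it cannot recognise, which is the failure mode the procedure warns about.
        problems.append("TTL must be less than the difference between the expiration "
                        "and rollover periods")
    if s.signature_validity <= s.signature_publication:
        problems.append("signature validity period must be greater than the signature "
                        "publication period")
    return problems


def sample_results() -> dict[str, list[str]]:
    """Evaluate one consistent schedule and three deliberately broken ones."""
    base = dict(ttl=DAY, rollover_period=90 * DAY, expiration_period=120 * DAY,
                signature_validity=7 * DAY,                 # page default: seven days
                signature_publication=4 * DAY + 16 * HOUR)  # page default: 4 days 16 hours
    return {
        "consistent": check_schedule(KeySchedule(**base)),
        # Rollover only 12 hours before expiration: the one-day TTL no longer fits.
        "rollover_too_late": check_schedule(
            KeySchedule(**{**base, "rollover_period": 120 * DAY - 12 * HOUR})),
        # Rollover at 30 days is less than half of a 120-day expiration period.
        "rollover_too_early": check_schedule(
            KeySchedule(**{**base, "rollover_period": 30 * DAY})),
        # Signatures would expire before the publication period ends.
        "validity_too_short": check_schedule(
            KeySchedule(**{**base, "signature_validity": 3 * DAY})),
    }


if __name__ == "__main__":
    for name, problems in sample_results().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```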
Implementation result

BIG-IP GTM is now configured to respond to DNS queries with DNSSEC-compliant responses.


Chapter 10: Configuring DNS Express

How do I configure DNS Express?
Task summary
Implementation result

How do I configure DNS Express?

You can configure DNS Express on BIG-IP systems to mitigate distributed denial-of-service (DDoS) attacks and increase the volume of DNS request resolutions on both the local BIND server on the BIG-IP system and any back-end DNS servers.

What is DNS Express?

DNS Express provides the ability for a BIG-IP system to act as a high-speed, authoritative secondary DNS server. This makes it possible for the system to:
- Perform zone transfers from multiple primary DNS servers that are responsible for different zones.
- Perform a zone transfer from the local BIND server on the BIG-IP system.
- Serve DNS records faster than the primary DNS servers.

Task summary

Perform these tasks to configure DNS Express on your BIG-IP system.
Configuring a back-end DNS server to allow zone file transfers
Creating a DNS Express TSIG key
Creating a DNS Express zone
Enabling DNS Express
Assigning a DNS profile to a listener
Viewing information about DNS Express zones

Configuring a back-end DNS server to allow zone file transfers

If you are unfamiliar with how to modify DNS server files, review the fifth edition of DNS and BIND, available from O'Reilly Media.

To configure a back-end DNS server to allow zone file transfers to the BIG-IP system, add to the DNS server an allow-transfer statement that specifies a self IP address on the BIG-IP system. You can modify the following allow-transfer statement to use a self IP address on the BIG-IP system:

allow-transfer { localhost; <self IP address of BIG-IP system>; };

Creating a DNS Express TSIG key

Ensure that your back-end DNS servers are configured for zone file transfers using TSIG keys.

When you want to verify the identity of the authoritative server that is sending information about the zone, create a DNS Express TSIG key.

Note: This step is optional.

1. On the Main tab, click Local Traffic > DNS Express Zones > DNS Express TSIG Key List.
   The DNS Express TSIG Key List screen opens.
2. Click Create.
   The New DNS Express TSIG Key screen opens.
3. In the Name field, type a name for the key.
4. From the Algorithm list, select one of the following. The system uses the algorithm that you select to authenticate updates from an approved client and responses from an approved recursive nameserver. The algorithm is a hash function in combination with the secret key.

   Algorithm Name   Description
   HMAC MD5         Produces a 128-bit hash sequence
   HMAC SHA-1       Produces a 160-bit hash sequence
   HMAC SHA-256     Produces a 256-bit hash sequence

5. In the Secret field, type the phrase required for authentication of the key.
   Note: The secret key is created by a third-party tool such as BIND's keygen utility.
6. Click Finished.

Creating a DNS Express zone

If you are using back-end DNS servers, ensure that those servers are configured for zone transfers.

To implement DNS Express on a BIG-IP system, create a DNS Express zone.

1. On the Main tab, click Local Traffic > DNS Express Zones > DNS Express Zone List.
   The DNS Express Zone List screen opens.
2. Click Create.
   The New DNS Express Zone screen opens.
3. In the Name field, type a name for the DNS Express zone.
4. In the Target IP Address field, type the IP address of the current master DNS server for the zone from which you want to transfer records.
   The default value is for the BIND server on the BIG-IP system.
5. To configure the system to verify the identity of the authoritative server that is sending information about the zone, from the TSIG Key list, select a key.
6. To specify an action for the BIG-IP system to take when it receives a NOTIFY message from a DNS server on which a zone has been updated, from the Notify Action list, select one of the following.

   Action    Description
   Consume   The BIG-IP system processes the NOTIFY message and does not pass the NOTIFY message to the back-end DNS server.

   Bypass    The BIG-IP system does not process the NOTIFY message, but instead sends the NOTIFY message to a back-end DNS server (subject to the DNS profile unhandled-query-action).
   Repeat    The BIG-IP system processes the NOTIFY message and sends the NOTIFY message to a back-end DNS server.

   Tip: If a TSIG key is configured, the signature is only validated for the Consume and Repeat actions. NOTIFY responses are assumed to be sent by a back-end DNS resource, except when the action is Consume and DNS Express generates a response.
7. Click Finished.

Enabling DNS Express

Create a custom DNS profile and assign it to a listener or virtual server to enable DNS Express, only if you want to use a back-end DNS server for name resolution while the BIG-IP system handles queries for wide IPs and DNS Express zones.

Note: If you plan to use the BIND server on BIG-IP GTM, you can use the default dns profile.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS.
   The DNS profile list screen opens.
2. Click Create.
   The New DNS Profile screen opens.
3. Name the profile dns_express.
4. In the Parent Profile list, accept the default dns profile.
5. Select the Custom check box.
   The fields in the Settings area become available for revision.
6. In the Global Traffic Management list, accept the default value Enabled.
7. From the DNS Express list, select Enabled.
8. From the Unhandled Query Actions list, select how you want the BIG-IP system to handle a query that is not for a wide IP or DNS Express zone.

   Option     Description
   Allow      The BIG-IP system forwards the connection request to another DNS server or DNS server pool. Note that if a DNS server pool is not associated with a listener and the Use BIND Server on BIG-IP option is set to Enabled, connection requests are forwarded to the local BIND server. (Allow is the default value.)
   Drop       The BIG-IP system does not respond to the query.
   Reject     The BIG-IP system returns the query with the REFUSED return code.
   Hint       The BIG-IP system returns the query with a list of root name servers.
   No Error   The BIG-IP system returns the query with the NOERROR return code.

9. From the Use BIND Server on BIG-IP list, select Disabled.
10. Click Finished.

Assign the profile to virtual servers or listeners.

Assigning a DNS profile to a listener

If you plan to use the BIND server on the BIG-IP system, you can assign the default DNS profile (dns) to the listener. If you plan to use a back-end DNS server and you created a custom DNS Express profile, you can assign it to the listener.

1. On the Main tab, click Global Traffic > Listeners.
   The Listeners List screen opens.
2. Click the name of the listener you want to modify.
3. From the DNS Profile list, select either dns or the custom DNS profile you created for DNS Express.
4. Click Finished.

Viewing information about DNS Express zones

You can view information about the zones that are protected by DNS Express.

1. On the Main tab, click Statistics > Module Statistics > Local Traffic.
   The Local Traffic Statistics screen opens.
2. From the Statistics Type list, select DNS Express Zones.
   Information displays about the DNS Express zones.

   Record type        Description
   SOA Records        Displays start of authority record information.
   Resource Records   Displays the number of resource records for the zone.

Implementation result

You now have an implementation in which the BIG-IP system helps to mitigate DDoS attacks on your network and to resolve more DNS queries faster.


Chapter 11: Configuring Fast DNS

Overview: Improving DNS performance by caching responses from external resolvers
Task summary
Implementation result

Overview: Improving DNS performance by caching responses from external resolvers

You can configure a transparent cache on the BIG-IP system to use external DNS resolvers to resolve queries, and then cache the responses from the resolvers. The next time the system receives a query for a response that exists in the cache, the system immediately returns the response from the cache. The transparent cache contains messages and resource records.

A transparent cache in the BIG-IP system consolidates content that would otherwise be cached across multiple external resolvers. When a consolidated cache is in front of external resolvers (each with its own cache), it can produce a much higher cache hit percentage. F5 Networks recommends that you configure the BIG-IP system to forward queries that cannot be answered from the cache to a pool of local DNS servers rather than to the local BIND instance, because BIND performance is slower than using multiple external resolvers.

Note: For systems using the DNS Express feature, the BIG-IP system first processes the requests through DNS Express, and then caches the responses.

Figure 9: Illustration of BIG-IP system using transparent cache

Task summary

Perform these tasks to configure a transparent cache on the BIG-IP system.
Creating a transparent DNS cache
Creating a custom DNS profile for transparent DNS caching
Assigning a custom DNS profile to a GTM listener
Creating a custom DNS monitor
Creating a pool of local DNS servers
Determining DNS cache performance
Clearing a DNS cache

Creating a transparent DNS cache

Create a transparent cache on the BIG-IP system when you want the system to cache DNS responses from external DNS resolvers.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List.
   The DNS Cache List screen opens.
2. Click Create.
   The New DNS Cache screen opens.
3. In the Name field, type a name for the cache.
4. From the Resolver Type list, select Transparent.
5. Click Finished.

Associate the DNS cache with a custom DNS profile.

Creating a custom DNS profile for transparent DNS caching

Ensure that at least one transparent cache exists on the BIG-IP system.

You can create a custom DNS profile to configure the BIG-IP system to cache responses to DNS queries.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS.
   The DNS profile list screen opens.
2. Click Create.
   The New DNS Profile screen opens.
3. In the Name field, type a name for the profile.
4. In the Parent Profile list, accept the default dns profile.
5. Select the Custom check box.
   The fields in the Settings area become available for revision.
6. From the Use BIND Server on BIG-IP list, select Disabled.
7. From the DNS Cache list, select Enabled.
   When you enable the DNS Cache option, you must also select a DNS cache from the DNS Cache Name list.
8. From the DNS Cache Name list, select the DNS cache that you want to associate with this profile.
   You can associate a DNS cache with a profile even when the DNS Cache option is Disabled. This allows you to enable and disable the cache for debugging purposes.
9. Click Finished.

Assign the custom DNS profile to the virtual server that handles the DNS traffic from which you want to cache responses.

Assigning a custom DNS profile to a GTM listener

Ensure that at least one custom DNS profile that is configured for DNS caching exists on the BIG-IP system.

You can assign a custom DNS profile to a listener to enable the BIG-IP system to perform DNS caching on the traffic the listener handles.

Note: This task applies only to GTM-provisioned systems.

1. On the Main tab, click Global Traffic > Listeners.
   The Listeners List screen opens.
2. Click the name of the listener you want to modify.
3. From the DNS Profile list, select the custom DNS profile you created for DNS caching.
4. Click Finished.

Creating a custom DNS monitor

Create a custom DNS monitor to send DNS requests, generated using the settings you specify, to a pool of DNS servers and validate the DNS responses.

Important: When defining values for custom monitors, make sure you avoid using any values that are on the list of reserved keywords. For more information, see solution number 3653 (for version 9.0 systems and later) on the AskF5 technical support web site.

1. On the Main tab, click Local Traffic > Monitors.
   The Monitor List screen opens.
2. Click Create.
   The New Monitor screen opens.
3. Type a name for the monitor in the Name field.
4. From the Type list, select DNS.
5. In the Configuration area of the screen, select Advanced.
   This selection makes it possible for you to modify additional default settings.
6. Configure settings based on your network requirements.
7. Click Finished.

Creating a pool of local DNS servers

Ensure that you have created a custom DNS monitor to assign to the pool of DNS servers. Gather the IP addresses of the DNS servers that you want to include in a pool to which the BIG-IP system load balances DNS traffic.

1. Log in to the command-line interface of the BIG-IP system.
2. Type tmsh to access the Traffic Management Shell.

3. Run a variation on this command sequence to create a pool using the IP addresses of the DNS servers on your network:
   create /ltm pool DNS_pool members add { :domain :domain :domain } monitor my_custom_dns_monitor
   Note: :domain indicates the DNS port.
   When you run this example command, the system creates a pool named DNS_pool that includes three DNS servers with the following IP addresses: , , and . The custom DNS monitor you created to monitor DNS servers is assigned to the pool. The monitor sends DNS requests to the pool of DNS servers and validates the DNS responses.
4. Run this command sequence to save the pool:
   save /sys config
5. Run this command sequence to display the pool:
   list /ltm pool
6. Verify that the pool is configured correctly.

Determining DNS cache performance

You can view statistics to determine how well a DNS cache on the BIG-IP system is performing.

1. On the Main tab, click Statistics > Module Statistics > Local Traffic.
   The Local Traffic Statistics screen opens.
2. From the Statistics Type list, select DNS Cache.
3. In the Details column for a cache, click View to display detailed information about the cache.
4. To return to the Local Traffic Statistics screen, click Back.

Viewing records in a DNS cache

You can view records in a DNS cache to determine how well a specific cache on the BIG-IP system is performing.

1. Log in to the command-line interface of the BIG-IP system.
2. At the BASH prompt, type tmsh.
3. At the tmsh prompt, type show ltm dns cache <cache type> <cache name>, and press Enter.
   For example, the command sequence show ltm dns cache transparent my_transparent_cache displays the messages and resource records in the transparent cache named my_transparent_cache.

Viewing DNS cache statistics using tmsh

You can view DNS cache statistics using tmsh to determine how well a specific cache on the BIG-IP system is performing.

1. Log in to the command-line interface of the BIG-IP system.
2. At the BASH prompt, type tmsh.
3. At the tmsh prompt, type show ltm dns cache, and press Enter.
   Statistics for all of the DNS caches on the BIG-IP system display.
4. At the tmsh prompt, type show ltm dns cache <cache-type>, and press Enter.
   For example, the command sequence show ltm dns cache transparent displays statistics for each of the transparent caches on the system.

5. At the tmsh prompt, type show ltm dns cache <cache type> <cache name>, and press Enter.
   For example, the command sequence show ltm dns cache transparent my_t1 displays statistics for the transparent cache on the system named my_t1.

Managing transparent cache size

Determine the amount of memory the BIG-IP system has and how much of that memory you want to commit to DNS caching. View the statistics for a cache to determine how well the cache is working.

You can change the size of a DNS cache to fix cache performance issues.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List.
   The DNS Cache List screen opens.
2. Click the name of the cache you want to modify.
3. In the Message Cache Size field, type the maximum size in bytes for the DNS message cache.
   The BIG-IP system caches the messages in a DNS response in the message cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage.
   Important: The message cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field.
4. In the Resource Record Cache Size field, type the maximum size in bytes for the DNS resource record cache.
   The BIG-IP system caches the supporting records in a DNS response in the resource record cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage.
   Important: The resource record cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field.
5. Click Finished.

Clearing a DNS cache

You can clear all records from a specific DNS cache on the BIG-IP system.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List.
   The DNS Cache List screen opens.
2. Click the Statistics tab.
   The Local Traffic Statistics screen opens.
3. Select the check box next to the cache you want to clear, and then click Clear Cache.

Clearing specific records from a DNS cache

You can clear specific records from a DNS cache using tmsh. For example, you can delete all RRSET records or only the A records in the specified cache.

Tip: In tmsh, you can use the command completion feature to discover the types of records that are available for deletion.

1. Log in to the command-line interface of the BIG-IP system.
2. At the BASH prompt, type tmsh.
3. At the tmsh prompt, type ltm dns cache records, and press Enter to navigate to the dns cache records module.
4. Type delete <cache-type> type <record-type> cache <cache-name>, and press Enter.
   For example, the command sequence delete rrset type a cache my_resolver_cache deletes the A records from the resource record cache of the resolver cache named my_resolver_cache.

Implementation result

You now have an implementation in which the BIG-IP system caches DNS responses from external DNS resolvers, and answers queries for a cached response. Additionally, the system forwards DNS queries that cannot be answered from the cache to a pool of local DNS servers.


Chapter 12: Resolving DNS Queries and Caching Responses

Overview: Improving DNS performance by resolving queries and caching responses
Task summary
Implementation result

Overview: Improving DNS performance by resolving queries and caching responses

You can configure a resolver cache on the BIG-IP system to resolve DNS queries and cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the response from the cache. The resolver cache contains messages, resource records, and the nameservers the system queries to resolve DNS queries.

Figure 10: Illustration of BIG-IP system using resolver cache

Task summary

Perform these tasks to configure a resolver cache on the BIG-IP system.
Creating a resolver DNS cache
Creating a custom DNS profile for DNS resolving and caching
Assigning a custom DNS profile to a GTM listener
Determining DNS cache performance
Clearing a DNS cache

Creating a resolver DNS cache

Create a resolver cache on the BIG-IP system when you want the system to resolve DNS queries and cache responses.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List.
   The DNS Cache List screen opens.
2. Click Create.
   The New DNS Cache screen opens.
3. In the Name field, type a name for the cache.
4. From the Resolver Type list, select Resolver.
5. Click Finished.

Associate the DNS cache with a custom DNS profile.

Creating a custom DNS profile for DNS resolving and caching

Ensure that at least one DNS cache exists on the BIG-IP system.

You can create a custom DNS profile to configure the BIG-IP system to cache responses to DNS connection requests.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS.
   The DNS profile list screen opens.
2. Click Create.
   The New DNS Profile screen opens.
3. In the Name field, type a name for the profile.
4. Select the Custom check box.
   The fields in the Settings area become available for revision.
5. From the Use BIND Server on BIG-IP list, select Disabled.
6. From the DNS Cache list, select Enabled.
   When you enable the DNS Cache option, you must also select a DNS cache from the DNS Cache Name list.
7. From the DNS Cache Name list, select the DNS cache that you want to associate with this profile.
   You can associate a DNS cache with a profile even when the DNS Cache option is Disabled. This allows you to enable and disable the cache for debugging purposes.
8. Click Finished.

Assign the custom DNS profile to the virtual server handling the DNS traffic that includes the responses to queries that you want to cache.

Assigning a custom DNS profile to a GTM listener

Ensure that at least one custom DNS profile that is configured for DNS caching exists on the BIG-IP system.

You can assign a custom DNS profile to a listener to enable the BIG-IP system to perform DNS caching on the traffic the listener handles.

Note: This task applies only to GTM-provisioned systems.

1. On the Main tab, click Global Traffic > Listeners.
   The Listeners List screen opens.
2. Click the name of the listener you want to modify.
3. From the DNS Profile list, select the custom DNS profile you created for DNS caching.
4. Click Finished.

Determining DNS cache performance

You can view statistics to determine how well a DNS cache on the BIG-IP system is performing.

1. On the Main tab, click Statistics > Module Statistics > Local Traffic.
   The Local Traffic Statistics screen opens.
2. From the Statistics Type list, select DNS Cache.
3. In the Details column for a cache, click View to display detailed information about the cache.
4. To return to the Local Traffic Statistics screen, click Back.

Viewing records in a DNS cache

You can view records in a DNS cache to determine how well a specific cache on the BIG-IP system is performing.

1. Log in to the command-line interface of the BIG-IP system.
2. At the BASH prompt, type tmsh.
3. At the tmsh prompt, type show ltm dns cache <cache type> <cache name>, and press Enter.
   For example, the command sequence show ltm dns cache transparent my_transparent_cache displays the messages and resource records in the transparent cache named my_transparent_cache.

Viewing DNS cache statistics using tmsh

You can view DNS cache statistics using tmsh to determine how well a specific cache on the BIG-IP system is performing.

1. Log in to the command-line interface of the BIG-IP system.
2. At the BASH prompt, type tmsh.
3. At the tmsh prompt, type show ltm dns cache, and press Enter.
   Statistics for all of the DNS caches on the BIG-IP system display.
4. At the tmsh prompt, type show ltm dns cache <cache-type>, and press Enter.

   For example, the command sequence show ltm dns cache transparent displays statistics for each of the transparent caches on the system.
5. At the tmsh prompt, type show ltm dns cache <cache type> <cache name>, and press Enter.
   For example, the command sequence show ltm dns cache transparent my_t1 displays statistics for the transparent cache on the system named my_t1.

Managing cache size

Determine the amount of memory the BIG-IP system has and how much you want to commit to DNS caching. View the statistics for a cache to determine how well the cache is working.

You can change the size of a DNS cache to fix cache performance issues.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List.
   The DNS Cache List screen opens.
2. Click the name of the cache you want to modify.
3. In the Message Cache Size field, type the maximum size in bytes for the DNS message cache.
   The BIG-IP system caches the messages in a DNS response in the message cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage.
   Important: The message cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field.
4. In the Resource Record Cache Size field, type the maximum size in bytes for the DNS resource record cache.
   The BIG-IP system caches the supporting records in a DNS response in the resource record cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage.
   Important: The resource record cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field.
5. In the Nameserver Cache Count field, type the maximum number of DNS nameservers for which the BIG-IP system caches connection and capability data.
   Important: The nameserver cache count includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the count by eight and put that value in this field.
6. In the Unsolicited Reply Threshold field, change the default value if you are using the BIG-IP system to monitor for unsolicited replies using SNMP.
   The system always rejects unsolicited replies. The default value of 0 (off) indicates that the system does not generate SNMP traps or log messages when rejecting unsolicited replies. Changing the default value alerts you to a potential security attack, such as cache poisoning or DoS. For example, if you specify 1,000,000 unsolicited replies, each time the system receives 1,000,000 unsolicited replies, it generates an SNMP trap and log message.
7. Click Finished.

Clearing a DNS cache

You can clear all records from a specific DNS cache on the BIG-IP system.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List.
   The DNS Cache List screen opens.
2. Click the Statistics tab.
   The Local Traffic Statistics screen opens.
3. Select the check box next to the cache you want to clear, and then click Clear Cache.

Clearing specific records from a DNS cache

You can clear specific records from a DNS cache using tmsh. For example, you can delete all RRSET records or only the A records in the specified cache.

Tip: In tmsh, you can use the command completion feature to discover the types of records that are available for deletion.

1. Log in to the command-line interface of the BIG-IP system.
2. At the BASH prompt, type tmsh.
3. At the tmsh prompt, type ltm dns cache records, and press Enter to navigate to the dns cache records module.
4. Type delete <cache-type> type <record-type> cache <cache-name>, and press Enter.
   For example, the command sequence delete rrset type a cache my_resolver_cache deletes the A records from the resource record cache of the resolver cache named my_resolver_cache.

Implementation result

You now have an implementation in which the BIG-IP system acts as a DNS resolver, caches DNS responses, and answers queries for a cached response from the cache.

Chapter 13: Resolving DNS Queries and Caching Validated Responses

Overview: Resolving queries and caching validated responses
Task summary
Implementation result

Overview: Resolving queries and caching validated responses

You can configure a validating resolver cache on the BIG-IP system to recursively query public DNS servers, validate the identity of the DNS server sending the responses, and then cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the DNSSEC-compliant response from the cache. The validating resolver cache contains messages, resource records, the nameservers the system queries to resolve DNS queries, and DNSSEC keys.

Using the validating resolver cache, the BIG-IP system mitigates cache poisoning by validating DNS responses using DNSSEC validation. This is important, because attackers can attempt to populate a DNS cache with erroneous data that redirects clients to fake web sites, or downloads malware and viruses to client computers. When an authoritative server signs a DNS response, the validating resolver verifies the data before entering the data into the cache. Additionally, the validating resolver cache includes a built-in filter and detection mechanism that rejects unsolicited DNS responses.

Figure 11: Illustration of BIG-IP system using validating resolver cache

Task summary

Perform these tasks to configure a validating resolver cache on the BIG-IP system.

Creating a validating resolver DNS cache
Creating a custom DNS profile for validating resolver DNS caching
Assigning a custom DNS profile to a GTM listener
Determining DNS cache performance
Clearing a DNS cache

Creating a validating resolver DNS cache

Create a validating resolver cache on the BIG-IP system when you want the system to resolve DNS queries, use DNSSEC to validate the responses, and cache the responses.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens.
2. Click Create. The New DNS Cache screen opens.
3. In the Name field, type a name for the cache.
4. From the Resolver Type list, select Validating Resolver.
5. Click Finished.

Associate the DNS cache with a custom DNS profile.

Creating a trust anchor for a validating resolver DNS cache

You must create a trust anchor for a validating resolver to be able to validate content in a DNS response.

1. From a client, run the command <zone> DNSKEY, and then copy the 257 record type key. This is an example of a 257 record type key:

   IN DNSKEY AwEAAds8tHDE1wQgDjJ8/fE7aunu9Kc5bNcGcsKvVc3D1Y4mRIBnLm4q
   f42b5eu2apzb/seyd76qohylnnvnrel510rx0yf77qy3vwfgbimzrxy4
   JUVlewG0k4zKpiOo8ZFFLX7kGvLF1o2LUa3B2OjPZBo3KPdlwr8xVzU0
   ypjfie/9kuaq81eplxrshn5i7owu8hhemmefa+e/9vnsdnckue+7ghyr
   ToDftWxS+XkRkC6Q8Yfp/25hsTi1ZbSytoXc1+syDwh1pykxvYq+526R
   3m8Yy74Hd987/IXRjuRi6X4WWq282Cm2FQRsgNCTLPwwjZ0nDB6dhfUp
   DsawoAw8f4k=

2. Log on to the command-line interface of the BIG-IP system.
3. At the BASH prompt, type tmsh, and press Enter.
4. At the tmsh prompt, type ltm dns cache validating-resolver, and press Enter.
5. Type modify <validating-resolver name> trust-anchors add { "<paste the contents of the 257 record type key that you copied here>" }, and press Enter.

For example:

   modify my_validating_resolver trust-anchors add { ". 500 IN DNSKEY AwEAAds8tHDE1wQgDjJ8/fE7aunu9Kc5bNcGcsKvVc3D1Y4mRIBnLm4q f42b5eu2apzb/seyd76qohylnnvnrel510rx0yf77qy3vwfgbimzrxy4 JUVlewG0k4zKpiOo8ZFFLX7kGvLF1o2LUa3B2OjPZBo3KPdlwr8xVzU0 ypjfie/9kuaq81eplxrshn5i7owu8hhemmefa+e/9vnsdnckue+7ghyr ToDftWxS+XkRkC6Q8Yfp/25hsTi1ZbSytoXc1+syDwh1pykxvYq+526R 3m8Yy74Hd987/IXRjuRi6X4WWq282Cm2FQRsgNCTLPwwjZ0nDB6dhfUp DsawoAw8f4k" }

Creating a custom DNS profile for validating resolver DNS caching

Ensure that at least one DNS cache exists on the BIG-IP system.

You can create a custom DNS profile to configure the BIG-IP system to cache responses to DNS connection requests.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens.
2. Click Create. The New DNS Profile screen opens.
3. In the Name field, type a name for the profile.
4. In the Parent Profile list, accept the default dns profile.
5. Select the Custom check box. The fields in the Settings area become available for revision.
6. From the Use BIND Server on BIG-IP list, select Disabled.
7. From the DNS Cache list, select Enabled. When you enable the DNS Cache option, you must also select a DNS cache from the DNS Cache Name list.
8. From the DNS Cache Name list, select the DNS cache that you want to associate with this profile. You can associate a DNS cache with a profile even when the DNS Cache option is Disabled. This allows you to enable and disable the cache for debugging purposes.
9. Click Finished.

Assign the custom DNS profile to the virtual server that handles the DNS traffic that includes the responses to queries that you want to cache.

Assigning a custom DNS profile to a GTM listener

Ensure that at least one custom DNS profile that is configured for DNS caching exists on the BIG-IP system.

You can assign a custom DNS profile to a listener to enable the BIG-IP system to perform DNS caching on the traffic the listener handles.

Note: This task applies only to GTM-provisioned systems.

1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click the name of the listener you want to modify.
3. From the DNS Profile list, select the custom DNS profile you created for DNS caching.
4. Click Finished.

Determining DNS cache performance

You can view statistics to determine how well a DNS cache on the BIG-IP system is performing.

1. On the Main tab, click Statistics > Module Statistics > Local Traffic. The Local Traffic Statistics screen opens.
2. From the Statistics Type list, select DNS Cache.
3. In the Details column for a cache, click View to display detailed information about the cache.
4. To return to the Local Traffic Statistics screen, click Back.

Viewing records in a DNS cache

You can view records in a DNS cache to determine how well a specific cache on the BIG-IP system is performing.

1. Log in to the command-line interface of the BIG-IP system.
2. At the BASH prompt, type tmsh.
3. At the tmsh prompt, type show ltm dns cache <cache type> <cache name>, and press Enter. For example, the command sequence show ltm dns cache transparent my_transparent_cache displays the messages and resource records in the transparent cache named my_transparent_cache.

Viewing DNS cache statistics using tmsh

You can view DNS cache statistics using tmsh to determine how well a specific cache on the BIG-IP system is performing.

1. Log in to the command-line interface of the BIG-IP system.
2. At the BASH prompt, type tmsh.
3. At the tmsh prompt, type show ltm dns cache, and press Enter. Statistics for all of the DNS caches on the BIG-IP system display.
4. At the tmsh prompt, type show ltm dns cache <cache-type>, and press Enter. For example, the command sequence show ltm dns cache transparent displays statistics for each of the transparent caches on the system.
5. At the tmsh prompt, type show ltm dns cache <cache type> <cache name>, and press Enter. For example, the command sequence show ltm dns cache transparent my_t1 displays statistics for the transparent cache on the system named my_t1.

Managing cache size

Determine the amount of memory the BIG-IP system has and how much you want to commit to DNS caching. View the statistics for a cache to determine how well the cache is working.

You can change the size of a DNS cache to fix cache performance issues.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens.
2. Click the name of the cache you want to modify.
3. In the Message Cache Size field, type the maximum size in bytes for the DNS message cache. The BIG-IP system caches the messages in a DNS response in the message cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage.
   Important: The message cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field.
4. In the Resource Record Cache Size field, type the maximum size in bytes for the DNS resource record cache. The BIG-IP system caches the supporting records in a DNS response in the Resource Record cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage.
   Important: The resource record cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field.
5. In the Nameserver Cache Count field, type the maximum number of DNS nameservers for which the BIG-IP system caches connection and capability data.
   Important: The nameserver cache count includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the count by eight and put that value in this field.
6. In the Unsolicited Reply Threshold field, change the default value if you are using the BIG-IP system to monitor for unsolicited replies using SNMP. The system always rejects unsolicited replies. The default value of 0 (off) indicates the system does not generate SNMP traps or log messages when rejecting unsolicited replies. Changing the default value alerts you to a potential security attack, such as cache poisoning or DoS. For example, if you specify 1,000,000 unsolicited replies, each time the system receives 1,000,000 unsolicited replies, it generates an SNMP trap and log message.
7. Click Finished.

Clearing a DNS cache

You can clear all records from a specific DNS cache on the BIG-IP system.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens.
2. Click the Statistics tab. The Local Traffic Statistics screen opens.
3. Select the check box next to the cache you want to clear, and then click Clear Cache.

Clearing specific records from a DNS cache

You can clear specific records from a DNS cache using tmsh. For example, you can delete all RRSET records or only the A records in the specified cache.

Tip: In tmsh, you can use the command completion feature to discover the types of records that are available for deletion.

1. Log in to the command-line interface of the BIG-IP system.
2. At the BASH prompt, type tmsh.
3. At the tmsh prompt, type ltm dns cache records, and press Enter to navigate to the dns cache records module.
4. Type delete <cache-type> type <record-type> cache <cache-name>, and press Enter. For example, the command sequence delete rrset type a cache my_resolver_cache deletes the A records from the resource record cache of the resolver cache named my_resolver_cache.

Implementation result

You now have an implementation in which the BIG-IP system acts as a DNS resolver, verifies the validity of the responses, caches DNSSEC-compliant responses, and answers queries for a cached response with a DNSSEC-compliant response from the cache.
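The trust-anchor task in this chapter tells you to copy the 257 (key-signing) DNSKEY record into the trust-anchors list of the validating resolver. As an added example that is not F5's code, the Python below parses a DNSKEY answer, keeps only the 257 records, computes each key's RFC 4034 key tag and SHA-256 DS digest so the key can be cross-checked against the DS record the parent zone publishes before it is trusted, and builds the tmsh command from step 5 in its full-path form. The zone name, TTL, key material and cache name are constructed placeholders, and the full-path tmsh form is an assumption.

```python
"""Added example (not F5's code): select the KSK from a DNSKEY answer,
compute key tag and DS digest for cross-checking, and build the tmsh
trust-anchor command for a validating resolver cache.
All zone names, TTLs and key bytes below are constructed placeholders."""
import base64
import hashlib
import struct
from dataclasses import dataclass

# Constructed DNSKEY answer in standard presentation format:
#   <owner> <ttl> IN DNSKEY <flags> <protocol> <algorithm> <base64 key>
# Line 1 is a zone-signing key (256), line 2 a key-signing key (257).
SAMPLE_DNSKEY_ANSWER = """\
example.test. 500 IN DNSKEY 256 3 8 AQID
example.test. 500 IN DNSKEY 257 3 8 AQIDBA==
"""

KSK_FLAGS = 257  # ZONE (256) + SEP (1): the "257 record type key" in the task


@dataclass
class DnskeyRecord:
    owner: str
    ttl: int
    flags: int
    protocol: int
    algorithm: int
    key: bytes

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.key

    def presentation(self) -> str:
        """The record as it is pasted into the trust-anchors list."""
        b64 = base64.b64encode(self.key).decode("ascii")
        return (f"{self.owner} {self.ttl} IN DNSKEY {self.flags} "
                f"{self.protocol} {self.algorithm} {b64}")


def parse_dnskey_answer(text: str) -> list[DnskeyRecord]:
    """Parse presentation-format DNSKEY lines. The base64 key may be split
    into several whitespace-separated chunks on one line, as in the manual."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[2:4] != ["IN", "DNSKEY"]:
            continue  # skip blank lines and other record types
        records.append(DnskeyRecord(
            owner=fields[0], ttl=int(fields[1]), flags=int(fields[4]),
            protocol=int(fields[5]), algorithm=int(fields[6]),
            key=base64.b64decode("".join(fields[7:]))))
    return records


def key_tag(record: DnskeyRecord) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(record.rdata()):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(owner: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    name = owner.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def ds_sha256(record: DnskeyRecord) -> str:
    """SHA-256 DS digest (RFC 4509) over owner name + DNSKEY RDATA. Compare it
    with the DS record the parent zone publishes before trusting the key."""
    return hashlib.sha256(owner_wire(record.owner) + record.rdata()).hexdigest().upper()


def select_trust_anchors(records: list[DnskeyRecord]) -> list[DnskeyRecord]:
    """Keep the 257 records only. Two of them means a KSK rollover is in
    progress; add both so validation keeps working through the rollover."""
    return [r for r in records if r.flags == KSK_FLAGS]


def tmsh_trust_anchor_command(cache_name: str, record: DnskeyRecord) -> str:
    """Step 5 of the task as a single full-path tmsh command (assumption: tmsh
    accepts 'modify ltm dns cache validating-resolver ...' from the root prompt)."""
    return (f"modify ltm dns cache validating-resolver {cache_name} "
            f'trust-anchors add {{ "{record.presentation()}" }}')


if __name__ == "__main__":
    for ksk in select_trust_anchors(parse_dnskey_answer(SAMPLE_DNSKEY_ANSWER)):
        print(f"key tag {key_tag(ksk)}  DS SHA-256 {ds_sha256(ksk)}")
        print(tmsh_trust_anchor_command("my_validating_resolver", ksk))
```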


Chapter 14: Customizing a DNS Cache

Overview: Customizing a DNS cache
Configuring a DNS cache to answer queries for local zones
Configuring a DNS cache to use specific root nameservers
Configuring a DNS cache alert for cache poisoning

Overview: Customizing a DNS cache

You can customize a DNS cache on the BIG-IP system to meet specific network needs by changing the default values on the DNS cache settings.

Configuring a DNS cache to answer queries for local zones

You can configure a DNS cache on the BIG-IP system to answer client requests for local zones.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens.
2. Click the name of the cache you want to modify.
3. Select the Enabled check box for the Answer Default Zones setting when you want the BIG-IP system to answer queries for the default zones: localhost, reverse and ::1, and AS112 zones.
4. Click Update.

Configuring a DNS cache to use specific root nameservers

You can configure a resolver or validating resolver DNS cache on the BIG-IP system to use a specific server as an authoritative nameserver for the DNS root nameservers.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens.
2. Click the name of the cache you want to modify.
3. In the Root Hints section, in the IP address field, type the IP address of a DNS server that the system considers authoritative for the DNS root nameservers, and then click Add.
   Caution: By default, the system uses the DNS root nameservers published by InterNIC. When you add DNS root nameservers, the BIG-IP system no longer uses the default nameservers published by InterNIC, but uses the nameservers you add as authoritative for the DNS root nameservers.
   Based on your network configuration, add IPv4 or IPv6 addresses or both.
4. Click Update.

Configuring a DNS cache alert for cache poisoning

You can configure a resolver or validating resolver DNS cache on the BIG-IP system to generate SNMP alerts and log messages when the cache receives unsolicited replies. This is helpful as an alert to a potential security attack, such as cache poisoning or DoS.

1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens.
2. Click the name of the cache you want to modify.
3. In the Unsolicited Reply Threshold field, change the default value if you are using the BIG-IP system to monitor for unsolicited replies using SNMP. The system always rejects unsolicited replies. The default value of 0 (off) indicates the system does not generate SNMP traps or log messages when rejecting unsolicited replies. Changing the default value alerts you to a potential security attack, such as cache poisoning or DoS. For example, if you specify 1,000,000 unsolicited replies, each time the system receives 1,000,000 unsolicited replies, it generates an SNMP trap and log message.
4. Click Update.


Chapter 15: Configuring IP Anycast (Route Health Injection)

Overview: Configuring IP Anycast (Route Health Injection)
Task summary
Implementation result

Overview: Configuring IP Anycast (Route Health Injection)

You can configure IP Anycast for DNS services on the BIG-IP system to help mitigate distributed denial-of-service attacks (DDoS), reduce DNS latency, improve the scalability of your network, and assist with traffic management. This configuration adds routes to and removes routes from the routing table based on availability. Advertising routes to virtual addresses based on the status of attached listeners is known as Route Health Injection (RHI).

Task summary

Perform these tasks to configure the BIG-IP system for IP Anycast.

Enabling the ZebOS dynamic routing protocol
Creating a custom DNS profile
Configuring a listener for route advertisement
Verifying advertisement of the route

Enabling the ZebOS dynamic routing protocol

Before you enable ZebOS dynamic routing on the BIG-IP system:

Ensure that the system license includes the Routing Bundle add-on.
Ensure that ZebOS is configured correctly. If you need help, refer to the following resources on AskF5:
   TMOS Management Guide for BIG-IP Systems
   Configuration Guide for the VIPRION System
   ZebOS Advanced Routing Suite Configuration Guide

Enable ZebOS protocols to allow the BIG-IP system to dynamically learn routes.

1. Log on to the command-line interface of the BIG-IP system.
2. At the command prompt, type zebos enable <protocol_type> and press Enter. The system returns an enabled response.
3. To verify that the ZebOS dynamic routing protocol is enabled, at the command prompt, type zebos check and press Enter. The system returns a list of all enabled protocols.

Creating a custom DNS profile

Create a custom DNS profile based on your network configuration, to specify how you want the BIG-IP system to handle non-wide IP DNS queries.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens.
2. Click Create. The New DNS Profile screen opens.
3. In the Name field, type a name for the profile.
4. In the Parent Profile list, accept the default dns profile.
5. Select the Custom check box. The fields in the Settings area become available for revision.
6. In the Global Traffic Management list, accept the default value Enabled.
7. From the Unhandled Query Actions list, select how you want the BIG-IP system to handle a query that is not for a wide IP or DNS Express zone.
   Allow: The BIG-IP system forwards the connection request to another DNS server or DNS server pool. Note that if a DNS server pool is not associated with a listener and the Use BIND Server on BIG-IP option is set to enabled, connection requests are forwarded to the local BIND server. (Allow is the default value.)
   Drop: The BIG-IP system does not respond to the query.
   Reject: The BIG-IP system returns the query with the REFUSED return code.
   Hint: The BIG-IP system returns the query with a list of root name servers.
   No Error: The BIG-IP system returns the query with the NOERROR return code.
8. From the Use BIND Server on BIG-IP list, select Enabled.
   Note: Enable this setting only when you want the system to forward non-wide IP queries to the local BIND server on BIG-IP GTM.
9. Click Finished.

Configuring a listener for route advertisement

Ensure that ZebOS dynamic routing is enabled on BIG-IP Global Traffic Manager (GTM).

To allow BIG-IP GTM to advertise the virtual address of a listener to the routers on your network, configure the listener for route advertisement.

1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click Create. The new Listeners screen opens.
3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic.
   Caution: The destination cannot be a self IP address on the system, because a listener with the same IP address as a self IP address cannot be advertised.
4. From the VLAN Traffic list, select one of the following options:
   All VLANs: When you want this listener to handle traffic from VLANs within the network segment. Note: Use this option if BIG-IP GTM is handling traffic for the destination IP address locally. This option also applies when the system resides on a network segment that does not use VLANs.
   Enabled on: When you want this listener to handle traffic from only the VLANs that you move from the Available list to the Selected list.
   Disabled on: When you want this listener to exclude the traffic from the VLANs that you move from the Available list to the Selected list.
5. From the Protocol list, select either UDP or TCP.
6. From the DNS Profile list, select:
   dns: This is the default DNS profile. With the default dns profile, BIG-IP GTM forwards non-wide IP queries to the BIND server on the BIG-IP GTM system itself.
   <custom profile>: If you have created a custom DNS profile to handle non-wide IP queries in a way that works for your network configuration, select it.
7. For Route Advertisement, select the Enabled check box.
8. Click Finished.

Configure other listeners for route advertisement.

Verifying advertisement of the route

Ensure that ZebOS dynamic routing is enabled on the BIG-IP system.

Run a command to verify that the BIG-IP system is advertising the virtual address.

1. Log on to the command-line interface of the BIG-IP system.
2. At the command prompt, type zebos cmd sh ip route | grep <listener IP address> and press Enter. An advertised route displays with a code of K (kernel route) and a /32 prefix, for example: K /32

Implementation result

You now have an implementation in which the BIG-IP system broadcasts virtual IP addresses that you configured for route advertisement.

Chapter 16: Configuring BIG-IP GTM VIPRION Systems

Overview: Configuring BIG-IP GTM VIPRION systems

Overview: Configuring BIG-IP GTM VIPRION systems

You configure BIG-IP Global Traffic Manager (GTM) on VIPRION systems in the same manner that you configure BIG-IP GTM on an appliance, with two notable exceptions:

You can access BIG-IP Local Traffic Manager (LTM) iRules from within BIG-IP GTM iRules. You can also access BIG-IP GTM iRules from within BIG-IP LTM iRules.
It is important to change the general system configuration for virtual server status.

Configuring dependency for virtual server status

You can configure virtual server status to be dependent only on the timeout value of the monitor associated with the virtual server. This ensures that when the primary blade in a cluster becomes unavailable, the gtmd agent on the new primary blade has time to establish new iQuery connections with and receive updated status from other BIG-IP systems.

Tip: The big3d agent on the new primary blade must be up and functioning within 90 seconds (the timeout value of the BIG-IP monitor).

1. On the Main tab, click System > Configuration > Global Traffic > General. The General configuration screen opens.
2. Select Depends on Monitors Only from the Virtual Server Status list.
3. Click Update.

Chapter 17: Ensuring Correct Synchronization When Adding GTM to a Network

Overview: Ensuring correct synchronization when adding GTM to a network
Task summary
Implementation result

Overview: Ensuring correct synchronization when adding GTM to a network

You can configure BIG-IP Global Traffic Manager (GTM) systems in collections called synchronization groups. All BIG-IP GTM systems in the same synchronization group have the same rank, exchange heartbeat messages, and share probing responsibility.

Figure 12: BIG-IP GTM systems in a synchronization group

What is configuration synchronization?

Configuration synchronization ensures the rapid distribution of BIG-IP Global Traffic Manager (GTM) settings to other BIG-IP systems that belong to the same synchronization group. A synchronization group might contain both BIG-IP GTM and BIG-IP Link Controller systems. Configuration synchronization occurs in the following manner: When a change is made to a BIG-IP GTM configuration, the system broadcasts the change to the other systems in the configuration synchronization group. When a configuration synchronization is in progress, the process must either complete or time out before another configuration synchronization can occur.

About adding an additional BIG-IP GTM to your network

BIG-IP GTM systems exchange heartbeat messages when different software versions are installed on the systems. However, configuration synchronization cannot occur when different software versions are installed on the systems. Therefore, when you upgrade BIG-IP GTM, the configuration of the upgraded system does not automatically synchronize with the configuration of the systems in the synchronization group that have an older software version.

Task summary

When adding an additional BIG-IP GTM system to your network, perform the following tasks.

Defining an NTP server on the existing GTM
Enabling synchronization on the existing GTM
Creating a data center on the existing GTM
Defining a server on the existing GTM
Running the gtm_add script on the new GTM

Defining an NTP server on the existing GTM

Define a Network Time Protocol (NTP) server on the existing BIG-IP GTM to ensure that each system in the synchronization group is referencing the same time when verifying configuration file timestamps.

1. On the Main tab, click System > Configuration > Device > NTP. The NTP screen opens.
2. Type an address for the NTP server in the Address field.
3. Click Add.
4. Click Update.

The NTP server is defined.

Enabling synchronization on the existing GTM

To ensure that this system can share configuration changes with other systems that you add to the configuration synchronization group, enable synchronization on the existing BIG-IP GTM.

1. On the Main tab, click System > Configuration > Global Traffic > General. The General configuration screen opens.
2. Select the Synchronization check box.
3. In the Synchronization Time Tolerance field, type the maximum number of seconds allowed between the time settings on this system and the other systems in the synchronization group. The lower the value, the more often this system makes a log entry indicating that there is a difference.
   Tip: If you are using NTP, leave this setting at the default value of 10. In the event that NTP fails, the system uses the time_tolerance variable to maintain synchronization.
4. In the Synchronization Group Name field, type the name of the synchronization group to which you want this system to belong.
5. Click Update.

Synchronization is enabled on the existing BIG-IP GTM.

Creating a data center on the existing GTM

Create a data center on the existing BIG-IP GTM system to represent the location where the new BIG-IP GTM system resides.

1. On the Main tab, click Global Traffic > Data Centers. The Data Center List screen opens.
2. Click Create. The New Data Center screen opens.
3. Type a name for the data center.
   Important: The data center name is limited to 63 characters.
4. In the Location field, type the geographic location of the data center.
5. In the Contact field, type the name of either the administrator or the department that manages the data center.
6. Click Finished.

Defining a server on the existing GTM

Ensure that a data center where the new BIG-IP GTM system resides exists in the configuration of the existing BIG-IP GTM system.

Define a new server, on the existing BIG-IP GTM, to represent the new BIG-IP GTM system.

1. On the Main tab, click Global Traffic > Servers. The Server List screen opens.
2. Click Create. The New Server screen opens.
3. In the Name field, type a name for the server.
   Important: Server names are limited to 63 characters.
4. From the Product list, select BIG-IP System (Single). The server type determines the metrics that the system can collect from the server.
5. In the Address List area, add the IP address of the server.
   Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address.
6. From the Data Center list, select the data center where the server resides.
7. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system.
   Disabled: The system does not use the discovery feature to automatically add virtual servers. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add virtual servers to the system.
   Enabled: The system uses the discovery feature to automatically add virtual servers. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.
   Enabled (No Delete): The system uses the discovery feature to automatically add virtual servers and does not delete any virtual servers that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.
8. Click Create. The Server List screen opens displaying the new server in the list.

The status of the newly defined BIG-IP GTM system is blue, because you have not yet run the gtm_add script.

Running the gtm_add script on the new GTM

Determine the self IP address of the existing BIG-IP GTM.

Run the gtm_add script on the new BIG-IP GTM to acquire the configuration settings on the existing BIG-IP GTM.

Note: You must perform this task from the command-line interface.

1. On the new BIG-IP GTM, log in to the command-line interface.
2. At the BASH prompt, type tmsh, and press Enter.
3. At the tmsh prompt, type run gtm gtm_add, and press Enter.
4. Press the y key to start the gtm_add script.
5. Type the IP address of the existing BIG-IP GTM, and press Enter.
6. If prompted, type the root password, and then press Enter.

Implementation result

The new BIG-IP GTM that you added to the network is a part of a synchronization group. Changes you make to any system in the synchronization group are automatically propagated to all other systems in the group.


Chapter 18: Integrating BIG-IP GTM with Other BIG-IP Systems

Overview: Integrating GTM with older BIG-IP systems on a network
Task summary
Implementation result

Overview: Integrating GTM with older BIG-IP systems on a network

You can add BIG-IP Global Traffic Manager (GTM) systems to a network in which BIG-IP Local Traffic Manager (LTM) systems are already present. This expands your load balancing and traffic management capabilities beyond the local area network. For this implementation to be successful, you must authorize communications between the systems.

Note: The BIG-IP GTM systems in a synchronization group, and the BIG-IP LTM and BIG-IP Link Controller systems that are configured to communicate with the systems in the synchronization group, must have TCP port 4353 open through the firewall between the systems. The BIG-IP systems connect and communicate through this port.

About the iQuery protocol and the big3d agent

The gtmd agent on BIG-IP Global Traffic Manager (GTM) systems uses the iQuery protocol to communicate with the local big3d agent and the big3d agents installed on other BIG-IP systems. The gtmd agent monitors both the availability of the BIG-IP systems, and the integrity of the network paths between the systems that host a domain and the local DNS servers that attempt to connect to that domain.

Important: To facilitate communication across BIG-IP systems, ensure that the big3d agent is installed on each system.

Figure 13: Example of communications between big3d and gtmd agents

Task summary

To authorize communications between BIG-IP systems, perform the following tasks on the BIG-IP GTM that you are adding to the network.

Defining a data center
Defining BIG-IP GTM
Defining the existing BIG-IP systems
Running the big3d_install script

Defining a data center

Create a data center to contain the servers that reside on a subnet of your network.

1. On the Main tab, click Global Traffic > Data Centers. The Data Center List screen opens.
2. Click Create. The New Data Center screen opens.
3. Type a name for the data center.
   Important: The data center name is limited to 63 characters.
4. In the Location field, type the geographic location of the data center.
5. In the Contact field, type the name of either the administrator or the department that manages the data center.
6. From the State list, select Enabled.
7. Click Finished.

You can now create server objects and assign them to this data center. Repeat this procedure to create additional data centers.

Defining BIG-IP GTM

Ensure that at least one data center exists in the configuration before you start creating a server.

Create a server object for BIG-IP GTM.

1. On the Main tab, click Global Traffic > Servers. The Server List screen opens.
2. Click Create. The New Server screen opens.
3. In the Name field, type a name for the server.
   Important: Server names are limited to 63 characters.
4. From the Product list, select BIG-IP System (Single). The server type determines the metrics that the system can collect from the server.
5. In the Address List area, add the IP addresses of the server. You can add more than one IP address, depending on how the server interacts with the rest of your network.
   Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address.
6. From the Data Center list, select the data center where the server resides.
7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system.
   Disabled: The system does not use the discovery feature to automatically add virtual servers. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add virtual servers to the system.
   Enabled: The system uses the discovery feature to automatically add virtual servers. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.
   Enabled (No Delete): The system uses the discovery feature to automatically add virtual servers and does not delete any virtual servers that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.
9. From the Link Discovery list, select how you want links to be added to the system.
   Disabled: The system does not use the discovery feature to automatically add links. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add links to the system.
   Enabled: The system uses the discovery feature to automatically add links. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links.
   Enabled (No Delete): The system uses the discovery feature to automatically add links and does not delete any links that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links.
10. Click Create. The Server List screen opens displaying the new server in the list.

Defining the existing BIG-IP systems

On BIG-IP GTM, define a server that represents each BIG-IP system to place the systems on the network map.

1. On the Main tab, click Global Traffic > Servers. The Server List screen opens.
2. Click Create. The New Server screen opens.
3. In the Name field, type a name for the server.
   Important: Server names are limited to 63 characters.
4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant). The server type determines the metrics that the system can collect from the server.
5. In the Address List area, add the IP addresses of the server. You can add more than one IP address, depending on how the server interacts with the rest of your network.
   Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address.
6. From the Data Center list, select the data center where the server resides.
7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system.
   Disabled: The system does not use the discovery feature to automatically add virtual servers. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add virtual servers to the system.
   Enabled: The system uses the discovery feature to automatically add virtual servers. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.
   Enabled (No Delete): The system uses the discovery feature to automatically add virtual servers and does not delete any virtual servers that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.
9. From the Link Discovery list, select how you want links to be added to the system.
   Disabled: The system does not use the discovery feature to automatically add links. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add links to the system.
   Enabled: The system uses the discovery feature to automatically add links. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links.
   Enabled (No Delete): The system uses the discovery feature to automatically add links and does not delete any links that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links.
10. Click Create.
The Server List screen opens displaying the new server in the list. Running the big3d_install script Determine the self IP addresses for the existing BIG-IP systems that you want to upgrade with the latest big3d agent. Ensure that port 22 is open. Run the big3d_install script to upgrade the big3d agents on the BIG-IP systems and instructs these systems to authenticate with the other systems through the exchange of SSL certificates. For additional information about running the script, see SOL8195 on AskF5.com ( You must perform this task from the command-line interface. 103

104 Integrating BIG-IP GTM with Other BIG-IP Systems Important: Run the big3d_install script on BIG-IP GTM only for target systems that are running the same or an older version of BIG-IP software. 1. Log on to the command-line interface of the new BIG-IP GTM. 2. At the BASH prompt, type tmsh. 3. At the tmsh prompt, type run gtm big3d_install <IP_addresses_of_target_BIG-IP_systems>, and press Enter. The script instructs BIG-IP GTM to connect to each specified BIG-IP system. 4. If prompted, supply the root password for each system. The SSL certificates are exchanged, authorizing communications between the systems. The big3d agent on each system is upgraded to the same version as is installed on BIG-IP GTM from which you ran the script. Implementation result You now have an implementation in which the BIG-IP systems can communicate with each other. BIG-IP GTM can now use the other BIG-IP systems when load balancing DNS requests, and can acquire statistics and status information for the virtual servers these systems manage. 104

Chapter 19: Setting Up a BIG-IP GTM Redundant System Configuration

Overview: Configuring a BIG-IP GTM redundant system

You can configure BIG-IP Global Traffic Manager (GTM) in a redundant system configuration, which is a set of two BIG-IP GTM systems: one operating as the active unit, the other operating as the standby unit. If the active unit goes offline, the standby unit immediately assumes responsibility for managing DNS traffic. The new active unit remains active until another event occurs that would cause the unit to go offline, or until you manually reset the status of each unit.

Task summary

Perform the following tasks to configure a BIG-IP GTM redundant system configuration. Before you begin, ensure that the Setup utility was run on both devices. During the Setup process, you create VLANs internal and external and the associated floating and non-floating IP addresses, and VLAN HA and the associated non-floating self IP address. You also configure the devices to be in an active/standby redundant system configuration.

Defining an NTP server
Creating listeners to identify DNS traffic
Defining a data center
Defining a server
Enabling global traffic configuration synchronization
Running the gtm_add script

Defining an NTP server

Define a Network Time Protocol (NTP) server that both BIG-IP GTM systems use during configuration synchronization.

Important: Perform the following procedure on both the active and standby systems.

1. On the Main tab, click System > Configuration > Device > NTP.
   The NTP screen opens.
2. In the Address field, type the IP address of the NTP server.
3. Click Add.
4. Click Update.

During configuration synchronization, the systems use this time value to determine whether any newer configuration files exist.

Creating listeners to identify DNS traffic

Create two listeners to identify DNS traffic for which BIG-IP GTM is responsible. Create one listener that uses the UDP protocol and one that uses the TCP protocol.

Important: Perform the following procedure on only the active system.

Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP, the client might receive a connection refused error or TCP RSTs.

1. On the Main tab, click Global Traffic > Listeners.
   The Listeners List screen opens.
2. Click Create.
   The new Listeners screen opens.
3. In the Destination field, type the floating IP address of VLAN external.
   This is the IP address on which BIG-IP GTM listens for network traffic.
4. From the VLAN Traffic list, select All VLANs.
5. From the Protocol list, select UDP.
6. Click Finished.

Create another listener with the same IP address, but select TCP from the Protocol list.

Defining a data center

Create a data center to contain the servers that reside on a subnet of your network.

Important: Perform the following procedure on only the active system.

1. On the Main tab, click Global Traffic > Data Centers.
   The Data Center List screen opens.
2. Click Create.
   The New Data Center screen opens.
3. Type a name for the data center.
   Important: The data center name is limited to 63 characters.
4. In the Location field, type the geographic location of the data center.
5. In the Contact field, type the name of either the administrator or the department that manages the data center.
6. From the State list, select Enabled.
7. Click Finished.

You can now create server objects and assign them to this data center. Repeat this procedure to create additional data centers.

Defining a server

Ensure that the data centers where the BIG-IP GTM systems reside exist in the configuration.

Perform this procedure twice to create two servers, one that represents the active system and one that represents the standby system.

Important: Perform the following procedure on only the active system.

1. On the Main tab, click Global Traffic > Servers.
   The Server List screen opens.
2. Click Create.
   The New Server screen opens.
3. In the Name field, type a name for the server.
   Important: Server names are limited to 63 characters.
4. From the Product list, select BIG-IP System (Redundant).
   The server type determines the metrics that the system can collect from the server.
5. In the Address List area, add the IP address of the server.
   Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address.
6. In the Address List area, add the IP addresses of the backup system using the Peer Address List setting.
   a) Type an external (public) IP address in the Address field, and then click Add.
   b) Type an internal (private) IP address in the Translation field, and then click Add.
   You can add more than one IP address, depending on how the server interacts with the rest of your network.
7. From the Data Center list, select the data center where the server resides.
8. From the Virtual Server Discovery list, select Disabled.
9. From the Link Discovery list, select Disabled.
10. Click Create.
    The Server List screen opens displaying the new server in the list.

Enabling global traffic configuration synchronization

Enable global traffic configuration synchronization options and assign a name to the global traffic synchronization group.

Important: Perform the following procedure on only the active system.

1. On the Main tab, click System > Configuration > Global Traffic > General.
   The General configuration screen opens.
2. Select the Synchronization check box.
3. Select the Synchronize DNS Files check box.
4. In the Synchronization Group Name field, type the name of the synchronization group.
5. Click Update.

The settings you selected will be transferred to the standby system during configuration synchronization.

Running the gtm_add script

You must run the gtm_add script from the standby system.

Note: You must perform this task from the command-line interface.

1. On the new BIG-IP GTM, log in to the command-line interface.
2. Type gtm_add, and press Enter.
3. Press the y key to start the gtm_add script.
4. Type the IP address of the existing BIG-IP GTM, and press Enter.
   The gtm_add process begins, acquiring configuration data from the active system.

Once the process completes, you have successfully created a redundant system consisting of two BIG-IP GTM systems.
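The listener procedure earlier in this chapter warns that a UDP-only listener leaves TCP port 53 unanswered, so zone transfers and large responses fail with connection refused or TCP RSTs. The following script is an added example, not part of the F5 guide: it parses a listing of GTM listeners and reports every destination address that has a listener for one protocol but not the other. The input format is an assumption modelled on tmsh-style output (`address`, `ip-protocol`, `port` keys); the listener names and addresses are constructed sample data.

```python
"""Report GTM listener addresses that lack a matching UDP or TCP listener.

Added example, not F5 code. The block format imitates `tmsh list gtm listener`
output as an assumption; names and addresses are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: 192.0.2.10 has UDP and TCP listeners, 192.0.2.11 has
# UDP only, so zone transfers to 192.0.2.11 would be refused.
SAMPLE_LISTENERS = """\
gtm listener dns_udp_a {
    address 192.0.2.10
    ip-protocol udp
    port 53
}
gtm listener dns_tcp_a {
    address 192.0.2.10
    ip-protocol tcp
    port 53
}
gtm listener dns_udp_b {
    address 192.0.2.11
    ip-protocol udp
    port 53
}
"""

_BLOCK = re.compile(r"gtm listener (\S+) \{(.*?)\n\}", re.S)
_ATTR = re.compile(r"^\s*(\S+)\s+(\S+)\s*$", re.M)


def parse_listeners(text):
    """Return one dict per listener block: name, address, protocol, port."""
    listeners = []
    for match in _BLOCK.finditer(text):
        name, body = match.group(1), match.group(2)
        attrs = dict(_ATTR.findall(body))
        listeners.append({
            "name": name,
            "address": attrs.get("address"),
            # Assumption: a listener that omits ip-protocol is treated as UDP.
            "protocol": attrs.get("ip-protocol", "udp").lower(),
            "port": int(attrs.get("port", 53)),
        })
    return listeners


def find_protocol_gaps(listeners):
    """Map (address, port) -> set of protocols missing from {udp, tcp}."""
    seen = defaultdict(set)
    for listener in listeners:
        seen[(listener["address"], listener["port"])].add(listener["protocol"])
    wanted = {"udp", "tcp"}
    return {key: wanted - protos for key, protos in seen.items()
            if wanted - protos}


if __name__ == "__main__":
    gaps = find_protocol_gaps(parse_listeners(SAMPLE_LISTENERS))
    for (address, port), missing in sorted(gaps.items()):
        print(f"{address}:{port} has no {', '.join(sorted(missing))} listener")
```

Run against a real listing, the script prints one line per address that needs a second listener; an empty result means every listener address is served over both protocols.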
Chapter 20: Authenticating with SSL Certificates Signed by a Third Party

Overview: Authenticating with SSL certificates signed by a third party

BIG-IP systems use Secure Sockets Layer (SSL) authentication to verify the authenticity of the credentials of systems with which data exchange is necessary. BIG-IP software includes a self-signed SSL certificate. If your network includes one or more certificate authority (CA) servers, you can also install SSL certificates that are signed by a third party. The BIG-IP systems exchange SSL certificates, and use a CA server to verify the authenticity of the certificates. The big3d agent on all BIG-IP systems and the gtmd agent on BIG-IP Global Traffic Manager (GTM) systems use the certificates to authenticate communication between the systems.

About SSL authentication levels

SSL supports ten levels of authentication (also known as certificate depth):

Level 0 certificates (self-signed certificates) are verified by the system to which they belong.
Level 1 certificates are authenticated by a CA server that is separate from the system.
Levels 2-9 certificates are authenticated by additional CA servers that verify the authenticity of other servers.

These multiple levels of authentication (referred to as certificate chains) allow for a tiered verification system that ensures that only authorized communications occur between servers.

Configuring Level 1 SSL authentication

You can configure BIG-IP systems for Level 1 SSL authentication. Before you begin, ensure that the systems you are configuring include the following:

A signed certificate/key pair.
The root certificate from the CA server.

Task summary

Importing the device certificate
Importing the root certificate for the gtmd agent
Importing the root certificate for the big3d agent
Verifying the certificate exchange

Importing the device certificate

To configure the BIG-IP system for Level 1 SSL authentication, import the device certificate signed by the CA server.

Note: Perform this procedure on all BIG-IP systems that you want to handle Level 1 SSL authentication.

1. On the Main tab, click System > Device Certificates.
   The Device Certificate screen opens.
2. Click Import.
3. From the Import Type list, select Certificate and Key.
4. For the Certificate Source setting, select Upload File and browse to select the certificate signed by the CA server.
5. For the Key Source setting, select Upload File and browse to select the device key file.
6. Click Import.

Importing the root certificate for the gtmd agent

Before you start this procedure, ensure that you have the root certificate from your CA server available.

To set up the system to use a third-party certificate signed by a CA server, replace the existing certificate file for the gtmd agent with the root certificate of your CA server.

Note: Perform this procedure on only one BIG-IP GTM system in the synchronization group. The system automatically synchronizes the setting with the other systems in the group.

1. On the Main tab, click Global Traffic > Servers > Trusted Server Certificates.
   The Trusted Server Certificates screen opens.
2. Click Import.
3. From the Import Method list, select Replace.
4. For the Certificate Source setting, select Upload File and browse to select the root certificate file.
5. Click Import.

Importing the root certificate for the big3d agent

Before you start this procedure, ensure that the root certificate from your CA server is available.

Note: Perform this procedure on all BIG-IP systems that you want to configure for Level 1 SSL authentication.

1. On the Main tab, click System > Device Certificates > Trusted Device Certificates.
   The Trusted Device Certificates screen opens.
2. Click Import.
3. From the Import Method list, select Replace.
4. For the Certificate Source setting, select Upload File and browse to select the certificate signed by the CA server.
5. Click Import.

Verifying the certificate exchange

You can verify that you installed the certificate correctly by running the following commands on all BIG-IP systems that you configured for Level 1 SSL authentication.

iqdump <IP address of BIG-IP you are testing>
iqdump <IP address of BIG-IP peer system, if testing a redundant system configuration>

If the certificate was installed correctly, these commands display a continuous stream of information.

Implementation result

The BIG-IP systems are now configured for Level 1 SSL authentication.

Configuring certificate chain SSL authentication

You can configure BIG-IP systems for certificate chain SSL authentication.

Task summary

Creating a certificate chain file
Importing the device certificate from the last CA server in the chain
Importing a certificate chain file for the gtmd agent
Importing a certificate chain for the big3d agent
Verifying the certificate chain exchange

Creating a certificate chain file

Before you start this procedure, ensure that you have the certificate files from your CA servers available.

Create a certificate chain file that you can use to replace the existing certificate file.

1. Using a text editor, create an empty file for the certificate chain.
2. Still using a text editor, copy an individual certificate from its own certificate file and paste the certificate into the file you created in step 1.
3. Repeat step 2 for each certificate that you want to include in the certificate chain.

You now have a certificate chain file.

Importing the device certificate from the last CA server in the chain

Import the device certificate signed by the last CA in the certificate chain.

Note: Perform this procedure on all BIG-IP systems that you want to configure for certificate chain SSL authentication.

1. On the Main tab, click System > Device Certificates.
   The Device Certificate screen opens.
2. Click Import.
3. From the Import Type list, select Certificate and Key.
4. For the Certificate Source setting, select Upload File and browse to select the certificate signed by the CA server.
5. For the Key Source setting, select Upload File and browse to select the device key file.
6. Click Import.

Importing a certificate chain file for the gtmd agent

Before you start this procedure, ensure that you have the certificate chain file available.

Replace the existing certificate file on the system with a certificate chain file.

Note: Perform this procedure on only one BIG-IP GTM in a synchronization group. The system automatically synchronizes the setting with the other systems in the group.

1. On the Main tab, click Global Traffic > Servers > Trusted Server Certificates.
   The Trusted Server Certificates screen opens.
2. Click Import.
3. From the Import Method list, select Replace.
4. For the Certificate Source setting, select Upload File and browse to select the device certificate for the last CA in the certificate chain.
5. Click Import.

Importing a certificate chain for the big3d agent

Before you start this procedure, ensure that the certificate chain file is available.

Note: Perform this procedure on all BIG-IP systems that you want to configure for certificate chain SSL authentication.

1. On the Main tab, click System > Device Certificates > Trusted Device Certificates.
   The Trusted Device Certificates screen opens.
2. Click Import.
3. From the Import Method list, select Replace.
4. For the Certificate Source setting, select Upload File and browse to select the certificate chain file.
5. Click Import.

Verifying the certificate chain exchange

You can verify that you installed the certificate chain correctly by running the following commands on all the systems you configured for certificate chain SSL authentication.

iqdump <IP address of BIG-IP you are testing>
iqdump <IP address of BIG-IP peer system, if testing a redundant system configuration>

If the certificate chain was installed correctly, these commands display a continuous stream of information.

Implementation result

The BIG-IP systems are now configured for certificate chain SSL authentication.

For information about troubleshooting BIG-IP device certificates, see SOL8187 on AskF5.com.
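The "Creating a certificate chain file" procedure above builds the chain by pasting PEM certificates into one file by hand. The script below is an added example, not F5 code, that does the same concatenation and adds two checks worth having before a file is imported as a trusted certificate with the Replace method: every block must be a CERTIFICATE (a private key pasted in by mistake is rejected rather than shipped to every system in the synchronization group), and each base64 body must be well formed. The `_fake_pem` helper and the DEVICE_CERT, INTERMEDIATE_CA, ROOT_CA and LEAKED_KEY values are constructed placeholders, not real certificates.

```python
"""Assemble a PEM certificate chain file with basic sanity checks.

Added example, not F5 code. Sample PEM blocks below are constructed
placeholders whose bodies are not real DER certificates.
"""
import base64
import binascii
import re

_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def extract_certificates(pem_text):
    """Return the CERTIFICATE blocks in pem_text as normalised PEM strings.

    Raises ValueError if the text contains private key material or a
    certificate whose base64 body does not decode.
    """
    certs = []
    for match in _PEM_BLOCK.finditer(pem_text):
        label, body = match.group(1), "".join(match.group(2).split())
        if "PRIVATE KEY" in label:
            raise ValueError("private key material must not go into a chain file")
        if label != "CERTIFICATE":
            continue  # skip unrelated blocks, e.g. CERTIFICATE REQUEST
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"malformed certificate body: {exc}") from exc
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    return certs


def build_chain(pem_texts):
    """Concatenate the certificates from each input, in order, without duplicates."""
    chain, seen = [], set()
    for text in pem_texts:
        found = extract_certificates(text)
        if not found:
            raise ValueError("input contains no certificate")
        for cert in found:
            if cert not in seen:
                seen.add(cert)
                chain.append(cert)
    return "".join(chain)


def _fake_pem(label, payload):
    """Constructed placeholder PEM block; payload is arbitrary bytes, not DER."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample inputs: device certificate, intermediate CA, root CA,
# and a key that must never end up in a trusted-certificate file.
DEVICE_CERT = _fake_pem("CERTIFICATE", b"constructed device certificate")
INTERMEDIATE_CA = _fake_pem("CERTIFICATE", b"constructed intermediate CA")
ROOT_CA = _fake_pem("CERTIFICATE", b"constructed root CA")
LEAKED_KEY = _fake_pem("RSA PRIVATE KEY", b"constructed key bytes")

if __name__ == "__main__":
    chain_file = build_chain([DEVICE_CERT, INTERMEDIATE_CA, ROOT_CA])
    with open("chain.pem", "w") as fh:
        fh.write(chain_file)
    print(chain_file.count("BEGIN CERTIFICATE"), "certificates written to chain.pem")
```

The resulting chain.pem is the file the two "Importing a certificate chain" procedures upload. The script only checks PEM structure; it does not verify that each certificate was issued by the next one, so the order of the inputs is still yours to get right.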

Chapter 21: Monitoring Third-Party Servers with SNMP

Overview: SNMP monitoring of third-party servers

You can configure the BIG-IP Global Traffic Manager (GTM) to acquire information about the health of a third-party server using SNMP. The server must be running an SNMP agent.

Task summary

To configure BIG-IP GTM to acquire information about the health of a third-party server using SNMP, perform the following tasks.

Creating an SNMP monitor
Defining a third-party host server that is running SNMP

Creating an SNMP monitor

Create an SNMP monitor that BIG-IP Global Traffic Manager can use to monitor a third-party server running SNMP.

1. On the Main tab, click Global Traffic > Monitors.
   The Monitor List screen opens.
2. Click Create.
   The New Monitor screen opens.
3. Type a name for the monitor.
   Important: Monitor names are limited to 63 characters.
4. From the Type list, select SNMP.
5. Click Finished.

Defining a third-party host server that is running SNMP

Ensure that the third-party host server is running SNMP. During this procedure, you assign a virtual server to the server. Determine the IP address that you want to assign to the virtual server.

Define the third-party host server.

1. On the Main tab, click Global Traffic > Servers.
   The Server List screen opens.
2. Click Create.
   The New Server screen opens.
3. In the Name field, type a name for the server.
   Important: Server names are limited to 63 characters.
4. From the Product list, select a third-party host server or select Generic Host.
   The server type determines the metrics that the system can collect from the server.
5. In the Address List area, add the IP addresses of the server.
   a) Type an external (public) IP address in the Address field, and then click Add.
   b) If you use NAT, type an internal (private) IP address in the Translation field, and then click Add.
   You can add more than one IP address, depending on how the server interacts with the rest of your network.
6. From the Data Center list, select the data center where the server resides.
7. From the Prober Pool list, select one of the following.
   Inherit from Data Center: By default, a server inherits the Prober pool assigned to the data center in which the server resides.
   Prober pool name: Select the Prober pool that contains the BIG-IP systems that you want to perform monitor probes of this server.
8. In the Health Monitors area, assign the SNMP monitor that you created to the server by moving it from the Available list to the Selected list.
9. From the Virtual Server Discovery list, select Disabled.
10. Click Create.
    The New Server screen opens.
11. Click a server name.
    The server settings and values display.
12. Click Virtual Servers on the menu bar.
    A list of the virtual servers configured on the server displays.
13. Click Add.
    The IP addresses display in the list.
14. In the Virtual Server List area, specify the virtual servers that are resources on this server.
    a) In the Name field, type the name of the virtual server.
    b) In the Address field, type the IP address of the virtual server.
15. Click Create.
    The Server List screen opens displaying the new server in the list.

Implementation result

BIG-IP GTM can now use the SNMP monitor to verify the availability of, and to collect statistics about, the generic host.
Chapter 22: Configuring Device-Specific Probing and Statistics Collection

Overview: Configuring device-specific probing and statistics collection

BIG-IP Global Traffic Manager (GTM) performs intelligent probing of your network resources to determine whether the resources are up or down. In some circumstances, for example, if your network contains firewalls, you might want to set up device-specific probing to specify which BIG-IP systems probe specific servers for health and performance data.

About Prober pools

A Prober pool is an ordered collection of one or more BIG-IP systems. A BIG-IP system can be a member of more than one Prober pool, and a Prober pool can be assigned to an individual server or a data center. When you assign a Prober pool to a data center, by default, the servers in that data center inherit that Prober pool.

The members of a Prober pool perform monitor probes of servers to gather data about the health and performance of the resources on the servers. BIG-IP GTM makes load balancing decisions based on the gathered data. If all of the members of a Prober pool are marked down, or if a server has no Prober pool assigned, BIG-IP GTM reverts to a default intelligent probing algorithm to gather data about the resources on the server.

The following figure illustrates how Prober pools work. BIG-IP GTM contains two BIG-IP Local Traffic Manager (LTM) systems that are assigned Prober pools and one BIG-IP LTM system that is not assigned a Prober pool:

Figure 14: Example illustration of how Prober pools work

Prober Pool 1 is assigned to a generic host server. BIG-IP LTM3 is the only member of Prober Pool 1, and performs all HTTPS monitor probes of the server.
Prober Pool 2 is assigned to generic load balancers. BIG-IP LTM1 and BIG-IP LTM2 are members of Prober Pool 2. These two systems perform HTTP monitor probes of generic load balancers based on the load balancing method assigned to Prober Pool 2.
The generic load balancers on the left side of the graphic are not assigned a Prober pool. BIG-IP GTM can solicit any BIG-IP system to perform FTP monitor probes of these load balancers, including systems that are Prober pool members.

About Prober pool status

The status of a Prober pool also indicates the status of the members of the pool. If at least one member of a Prober pool has green status (Available), the Prober pool has green status. The status of a Prober pool member indicates whether the BIG-IP GTM system on which you are viewing status can establish an iQuery connection with the member.

Note: If a Prober pool member has red status (Offline), no iQuery connection exists between the member and the BIG-IP GTM system on which you are viewing status. Therefore, that BIG-IP GTM system cannot request that member to perform probes, and the Prober pool will not select the member for load balancing.

About Prober pool statistics

You can view the number of successful and failed probe requests that the BIG-IP GTM system (on which you are viewing statistics) made to the Prober pools. These statistics reflect only the number of probe requests and their success or failure. These statistics do not reflect the actual probes that the pool members made to servers on your network.

Prober pool statistics are not aggregated among the BIG-IP GTM systems in a synchronization group. The statistics on one BIG-IP GTM include only the requests made from that BIG-IP GTM system. In the following figure, the Prober pool statistics that display on BIG-IP GTM1 are the probe requests made only by that system.

Figure 15: Prober pool statistics displayed per system
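The rules in "About Prober pools" and "About Prober pool status" decide which BIG-IP systems a GTM may ask to probe a given server: a server with no pool of its own inherits its data center's pool, a pool is green when at least one member is green, a red member (no iQuery connection from the viewing GTM) is never selected, and when no pool applies or every member is red the GTM falls back to its default probing. The following model is an added example, not F5 code, that implements those rules on a topology constructed to resemble Figure 14; the fallback is modelled as "any BIG-IP system", and the system names, pool names and statuses are constructed.

```python
"""Model of Prober pool inheritance, status and fallback from the text above.

Added example, not F5 code. Names, pools and statuses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

GREEN, RED = "green", "red"  # green = iQuery connection from the viewing GTM


@dataclass
class ProberPool:
    name: str
    members: List[Tuple[str, str]]  # ordered (system name, iQuery status)

    def status(self):
        """Green if at least one member is green, otherwise red."""
        return GREEN if any(s == GREEN for _, s in self.members) else RED

    def available_members(self):
        """Members this GTM can ask to probe; red members are never selected."""
        return [name for name, s in self.members if s == GREEN]


@dataclass
class DataCenter:
    name: str
    prober_pool: Optional[ProberPool] = None


@dataclass
class Server:
    name: str
    data_center: DataCenter
    prober_pool: Optional[ProberPool] = None  # None = "Inherit from Data Center"

    def effective_pool(self):
        """The server's own pool, or the data center's pool when inheriting."""
        return self.prober_pool or self.data_center.prober_pool


def select_probers(server, all_bigip_systems):
    """Return (source, systems): who may probe this server and why.

    source is the pool name when a pool with green members applies, or
    "default" when GTM reverts to its default probing (no pool, or all
    members down).
    """
    pool = server.effective_pool()
    if pool is None or pool.status() == RED:
        return ("default", list(all_bigip_systems))
    return (pool.name, pool.available_members())


# Constructed topology modelled on Figure 14.
ALL_SYSTEMS = ["LTM1", "LTM2", "LTM3"]
POOL1 = ProberPool("Prober Pool 1", [("LTM3", GREEN)])
POOL2 = ProberPool("Prober Pool 2", [("LTM1", GREEN), ("LTM2", RED)])
DC_A = DataCenter("dc-a", prober_pool=POOL2)
HOST = Server("generic-host", DataCenter("dc-b"), prober_pool=POOL1)
LB_INHERIT = Server("generic-lb-1", DC_A)                # inherits POOL2
LB_NO_POOL = Server("generic-lb-2", DataCenter("dc-c"))  # no pool anywhere

if __name__ == "__main__":
    for server in (HOST, LB_INHERIT, LB_NO_POOL):
        source, systems = select_probers(server, ALL_SYSTEMS)
        print(f"{server.name}: probed by {systems} via {source}")
```

One consequence the model makes visible: marking the last green member of a pool red does not stop probing of the servers using that pool, it silently widens probing to every BIG-IP system, which matters when the pool existed to keep probes on one side of a firewall.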

More information

vcmp Systems: Configuration Version 11.4

vcmp Systems: Configuration Version 11.4 vcmp Systems: Configuration Version 11.4 Table of Contents Table of Contents Legal Notices...7 Acknowledgments...9 Chapter 1: vcmp Overview...13 vcmp overview...14 vcmp components...14 BIG-IP license

More information

Configuration Guide for BIG-IP Access Policy Manager

Configuration Guide for BIG-IP Access Policy Manager Configuration Guide for BIG-IP Access Policy Manager version 11.4 MAN-0309-05 Product Version This manual applies to product version 11.4 of the BIG-IP Access Policy Manager product. Publication Date

More information

Configuration Guide for BIG-IP Local Traffic Management

Configuration Guide for BIG-IP Local Traffic Management Configuration Guide for BIG-IP Local Traffic Management version 9.3 MAN-0182-02 Product Version This manual applies to product version 9.3 of the BIG-IP Local Traffic Manager, BIG-IP Load Balancer Limited,

More information

BIG-IP Link Controller : Implementations. Version 12.1

BIG-IP Link Controller : Implementations. Version 12.1 BIG-IP Link Controller : Implementations Version 12.1 Table of Contents Table of Contents Configuring the Link Controller System to Manage Traffic...5 Overview: Configuring the Link Controller system

More information

BIG-IQ Cloud and VMware vcloud Director: Setup. Version 1.0

BIG-IQ Cloud and VMware vcloud Director: Setup. Version 1.0 BIG-IQ Cloud and VMware vcloud Director: Setup Version 1.0 Table of Contents Table of Contents Legal Notices...5 Legal notices...5 Getting Started with BIG-IQ Virtual Edition...7 What is BIG-IQ Virtual

More information

BIG-IP Application Security Manager : Getting Started Guide. Version 11.2

BIG-IP Application Security Manager : Getting Started Guide. Version 11.2 BIG-IP Application Security Manager : Getting Started Guide Version 11.2 Table of Contents Table of Contents Legal Notices...5 Acknowledgments...7 Chapter 1: Performing Basic Configuration Tasks...11

More information

BIG-IP Access Policy Manager : Portal Access. Version 11.4

BIG-IP Access Policy Manager : Portal Access. Version 11.4 BIG-IP Access Policy Manager : Portal Access Version 11.4 Table of Contents Table of Contents Legal Notices...5 Acknowledgments...7 Chapter 1: Overview of Portal Access...11 Overview: What is portal access?...12

More information

VIPRION Systems: Configuration. Version 13.0

VIPRION Systems: Configuration. Version 13.0 VIPRION Systems: Configuration Version 13.0 Table of Contents Table of Contents VIPRION System Overview... 5 What is a VIPRION system?...5 About the VIPRION cluster... 5 About the cluster IP address...

More information

BIG-IP WAN Optimization Manager Configuration Guide. Version 11.2

BIG-IP WAN Optimization Manager Configuration Guide. Version 11.2 BIG-IP WAN Optimization Manager Configuration Guide Version 11.2 Table of Contents Table of Contents Legal Notices...5 Acknowledgments...7 Chapter 1: Basic BIG-IP WOM Setup...11 About WAN optimization

More information

vcmp for Appliance Models: Administration Version 11.6

vcmp for Appliance Models: Administration Version 11.6 vcmp for Appliance Models: Administration Version 11.6 Table of Contents Table of Contents Legal Notices...7 Acknowledgments...9 Chapter 1: Introduction to the vcmp System...13 What is vcmp?...14 Other

More information

BIG-IP Access Policy Manager and BIG-IP Edge Client for ios v Technical Note

BIG-IP Access Policy Manager and BIG-IP Edge Client for ios v Technical Note BIG-IP Access Policy Manager and BIG-IP Edge Client for ios v1.0.4 Technical Note BIG-IP Access Policy Manager and BIG-IP Edge Client for ios v1.0.4 TOC 3 Contents Legal Notices...5 Acknowledgments...7

More information

Configuration Guide for Local Traffic Management

Configuration Guide for Local Traffic Management Configuration Guide for Local Traffic Management version 9.2.2 MAN-0182-01 Product Version This manual applies to version 9.2.2 of BIG-IP Local Traffic Manager TM, BIG-IP Load Balancer Limited TM, and

More information

BIG-IP System: Configuring the System for Layer 2 Transparency. Version 13.1

BIG-IP System: Configuring the System for Layer 2 Transparency. Version 13.1 BIG-IP System: Configuring the System for Layer 2 Transparency Version 13.1 Table of Contents Table of Contents Overview: Configuring the BIG-IP system as a Layer 2 device with wildcard VLANs... 5 Supported

More information

F5 SSL Orchestrator: Setup. Version

F5 SSL Orchestrator: Setup. Version F5 SSL Orchestrator: Setup Version 12.1.0 Table of Contents Table of Contents What is F5 SSL Orchestrator?...5 Configuring for F5 SSL Orchestrator...7 Overview: Configuring the system for F5 SSL Orchestrator...7

More information

BIG-IQ Cloud API: Implementations. Version 4.0

BIG-IQ Cloud API: Implementations. Version 4.0 BIG-IQ Cloud API: Implementations Version 4.0 Table of Contents Table of Contents Legal Notices...5 Acknowledgments...7 Chapter 1: BIG-IQ Cloud Overview...9 Overview: BIG-IQ system...10 BIG-IQ Cloud definitions...10

More information

BIG-IP Network Firewall: Policies and Implementations. Version 11.6

BIG-IP Network Firewall: Policies and Implementations. Version 11.6 BIG-IP Network Firewall: Policies and Implementations Version 11.6 Table of Contents Table of Contents Legal Notices...9 Acknowledgments...11 Chapter 1: About the Network Firewall...15 What is the BIG-IP

More information

TMOS TM Management Guide for BIG-IP Systems

TMOS TM Management Guide for BIG-IP Systems TMOS TM Management Guide for BIG-IP Systems version 10.0.0 MAN-0294-00 Product Version This manual applies to version 10.0.0 of the BIG-IP product family. Publication Date This manual was published on

More information

BIG-IP Access Policy Manager Network Access Configuration Guide. Version 11.2

BIG-IP Access Policy Manager Network Access Configuration Guide. Version 11.2 BIG-IP Access Policy Manager Network Access Configuration Guide Version 11.2 Table of Contents Table of Contents Legal Notices...5 Acknowledgments...7 Chapter 1: About Network Access...9 What is network

More information

BIG-IP Network and System Management Guide

BIG-IP Network and System Management Guide BIG-IP Network and System Management Guide version 9.2.2 MAN-0185-01 Product Version This manual applies to version 9.2.2 of the BIG-IP product family. Publication Date This manual was published on January

More information

BIG-IP System: User Account Administration. Version 12.0

BIG-IP System: User Account Administration. Version 12.0 BIG-IP System: User Account Administration Version 12.0 Table of Contents Table of Contents Legal Notices...5 Legal notices...5 Introduction to User Account Management...7 Purpose of BIG-IP user accounts...7

More information

BIG-IQ Systems and Linux Community Xen : Setup. Version 4.5

BIG-IQ Systems and Linux Community Xen : Setup. Version 4.5 BIG-IQ Systems and Linux Community Xen : Setup Version 4.5 Table of Contents Table of Contents Legal Notices...5 Acknowledgments...7 Chapter 1: Getting Started with BIG-IQ Virtual Edition...11 What is

More information

BIG-IP Global Traffic Manager : Monitors Reference. Version 11.4

BIG-IP Global Traffic Manager : Monitors Reference. Version 11.4 BIG-IP Global Traffic Manager : Monitors Reference Version 11.4 Table of Contents Table of Contents Legal tices...5 Acknowledgments...7 Chapter 1: Monitors Concepts...11 Purpose of monitors...12 Benefits

More information

BIG-IP Access Policy Manager : Implementations. Version 11.5

BIG-IP Access Policy Manager : Implementations. Version 11.5 BIG-IP Access Policy Manager : Implementations Version 11.5 Table of Contents Table of Contents Legal Notices...7 Acknowledgments...9 Chapter 1: Configuring Web Access Management...13 Overview: Configuring

More information

BIG-IP Network and System Management Guide

BIG-IP Network and System Management Guide BIG-IP Network and System Management Guide version 9.4 MAN-0243-00 Product Version This manual applies to version 9.4 of the BIG-IP product family. Publication Date This manual was published on December

More information

BIG-IP Network and System Management Guide

BIG-IP Network and System Management Guide BIG-IP Network and System Management Guide version 9.3 MAN-0185-03 Product Version This manual applies to version 9.3 of the BIG-IP product family. Publication Date This manual was published on April

More information

ARX Secure Agent Installation Guide

ARX Secure Agent Installation Guide ARX Secure Agent Installation Guide 810-0013-00 Publication Date This manual was published on May 8, 2012. Legal Notices Copyright Copyright 2004-5/8/12, F5 Networks, Inc. All rights reserved. F5 Networks,

More information

BIG-IQ Cloud and VMware ESXi : Setup. Version 1.0

BIG-IQ Cloud and VMware ESXi : Setup. Version 1.0 BIG-IQ Cloud and VMware ESXi : Setup Version 1.0 Table of Contents Table of Contents Legal Notices...5 Legal notices...5 Getting Started with BIG-IQ Virtual Edition...7 What is BIG-IQ Virtual Edition?...7

More information

BIG-IP System: Migrating Devices. Version

BIG-IP System: Migrating Devices. Version BIG-IP System: Migrating Devices Version 12.1.3 Table of Contents Table of Contents Migration of Devices Running Different Version Software... 5 About migrating devices running different software versions...

More information

BIG-IP Access Policy Manager : Edge Client and Application Configuration. Version 11.5

BIG-IP Access Policy Manager : Edge Client and Application Configuration. Version 11.5 BIG-IP Access Policy Manager : Edge Client and Application Configuration Version 11.5 Table of Contents Table of Contents Legal Notices...7 Acknowledgments...9 Chapter 1: BIG-IP Edge Client for Windows

More information

BIG-IP Local Traffic Manager : Concepts. Version 11.4

BIG-IP Local Traffic Manager : Concepts. Version 11.4 BIG-IP Local Traffic Manager : Concepts Version 11.4 Table of Contents Table of Contents Legal Notices...11 Acknowledgments...13 Chapter 1: Introduction to Local Traffic Manager...17 What is BIG-IP Local

More information

BIG-IP Access Policy Manager and BIG-IP Edge Client for ios v

BIG-IP Access Policy Manager and BIG-IP Edge Client for ios v BIG-IP Access Policy Manager and BIG-IP Edge Client for ios v2.0.1 2.0.1 Table of Contents Table of Contents Legal Notices...5 Acknowledgments...7 Chapter 1: Overview: BIG-IP Edge Client for Mobile Devices...11

More information

BIG-IP Link Controller : Monitors Reference. Version 11.6

BIG-IP Link Controller : Monitors Reference. Version 11.6 BIG-IP Link Controller : Monitors Reference Version 11.6 Table of Contents Table of Contents Legal tices...5 Acknowledgments...7 Chapter 1: Monitors Concepts...11 Purpose of monitors...11 Benefits of

More information

BIG-IP System Management Guide

BIG-IP System Management Guide BIG-IP System Management Guide version 9.0 and later MAN-0126-00 Product Version This manual applies to version 9.0 and later of the BIG-IP product family. Legal Notices Copyright Copyright 1996-2005,

More information

BIG-IP Access Policy Manager : Application Access. Version 11.6

BIG-IP Access Policy Manager : Application Access. Version 11.6 BIG-IP Access Policy Manager : Application Access Version 11.6 Table of Contents Table of Contents Legal Notices...5 Acknowledgments...7 Chapter 1: Configuring App Tunnel Access...11 What are app tunnels?...12

More information

BIG-IP Access Policy Manager : Network Access Configuration. Version 11.4

BIG-IP Access Policy Manager : Network Access Configuration. Version 11.4 BIG-IP Access Policy Manager : Network Access Configuration Version 11.4 Table of Contents Table of Contents Legal Notices...5 Acknowledgments...7 Chapter 1: About Network Access...11 What is network

More information

Configuration Guide for BIG-IP Access Policy Manager

Configuration Guide for BIG-IP Access Policy Manager Configuration Guide for BIG-IP Access Policy Manager version 11.2 MAN-0309-04 Product Version This manual applies to product version 11.2 of the BIG-IP Access Policy Manager product. Publication Date

More information

BIG-IP Acceleration: Network Configuration. Version 11.5

BIG-IP Acceleration: Network Configuration. Version 11.5 BIG-IP Acceleration: Network Configuration Version 11.5 Table of Contents Table of Contents Legal Notices...9 Acknowledgments...11 Chapter 1: Configuring Global Network Acceleration...15 Overview: Configuring

More information

BIG-IP Access Policy Manager : Application Access. Version 12.0

BIG-IP Access Policy Manager : Application Access. Version 12.0 BIG-IP Access Policy Manager : Application Access Version 12.0 Table of Contents Table of Contents Legal Notices...7 Legal notices...7 Configuring App Tunnel Access...9 What are app tunnels?...9 Task

More information

BIG-IP Virtual Edition Setup Guide for Microsoft Hyper-V. Version 11.1

BIG-IP Virtual Edition Setup Guide for Microsoft Hyper-V. Version 11.1 BIG-IP Virtual Edition Setup Guide for Microsoft Hyper-V Version 11.1 Table of Contents Table of Contents Legal Notices...5 Chapter 1: Getting Started with BIG-IP Virtual Edition...7 What is BIG-IP Virtual

More information

BIG-IP Application Security Manager : Getting Started. Version 11.5

BIG-IP Application Security Manager : Getting Started. Version 11.5 BIG-IP Application Security Manager : Getting Started Version 11.5 Table of Contents Table of Contents Legal Notices...5 Acknowledgments...7 Chapter 1: Introduction to Application Security Manager...11

More information

BIG-IP Systems: DoS Protection and Protocol Firewall Implementations. Version 11.5

BIG-IP Systems: DoS Protection and Protocol Firewall Implementations. Version 11.5 BIG-IP Systems: DoS Protection and Protocol Firewall Implementations Version 11.5 Table of Contents Table of Contents Legal Notices...7 Acknowledgments...9 Chapter 1: Detecting and Protecting Against

More information

BIG-IP Network and System Management Guide

BIG-IP Network and System Management Guide BIG-IP Network and System Management Guide version 9.0 and later MAN-0126-00 Product Version This manual applies to version 9.0 and later of the BIG-IP product family. Legal Notices Copyright Copyright

More information

BIG-IP Local Traffic Manager : Internet of Things Administration. Version 13.1

BIG-IP Local Traffic Manager : Internet of Things Administration. Version 13.1 BIG-IP Local Traffic Manager : Internet of Things Administration Version 13.1 Table of Contents Table of Contents Configuring MQTT Functionality...5 Overview: Creating an MQTT configuration...5 About

More information

BIG-IQ Systems and Citrix XenServer : Setup. Version 4.2

BIG-IQ Systems and Citrix XenServer : Setup. Version 4.2 BIG-IQ Systems and Citrix XenServer : Setup Version 4.2 Table of Contents Table of Contents Legal Notices...5 Acknowledgments...7 Chapter 1: Getting Started with BIG-IQ Virtual Edition...13 What is BIG-IQ

More information

F5 BIG-IQ Centralized Management: Upgrading Version 5.x to Version 5.3. Version 5.3

F5 BIG-IQ Centralized Management: Upgrading Version 5.x to Version 5.3. Version 5.3 F5 BIG-IQ Centralized Management: Upgrading Version 5.x to Version 5.3 Version 5.3 Table of Contents Table of Contents Upgrading BIG-IQ Centralized Management Version 5.x to Version 5.3...5 What you need

More information

FIPS Multi-Tenancy for vcmp Appliance Models. Version 13.1

FIPS Multi-Tenancy for vcmp Appliance Models. Version 13.1 FIPS Multi-Tenancy for vcmp Appliance Models Version 13.1 Table of Contents Table of Contents Overview: FIPS Multi-Tenancy for vcmp Systems... 5 Overview: FIPS multi-tenancy for vcmp systems...5 vcmp

More information

3-DNS Controller Administrator Guide

3-DNS Controller Administrator Guide 3-DNS Controller Administrator Guide version 4.0 MAN-0038-00 Service and Support Information Product Version This manual applies to version 4.0 of the 3-DNS Controller. Obtaining Technical Support Web

More information

3-DNS Administrator Guide

3-DNS Administrator Guide 3-DNS Administrator Guide version 4.1 MAN-0046-00 Service and Support Information Product Version This manual applies to version 4.1 of the 3-DNS Controller. Obtaining Technical Support Web tech.f5.com

More information

BIG-IQ Centralized Management and Microsoft Hyper-V: Setup. Version 5.0

BIG-IQ Centralized Management and Microsoft Hyper-V: Setup. Version 5.0 BIG-IQ Centralized Management and Microsoft Hyper-V: Setup Version 5.0 Table of Contents Table of Contents Getting Started with BIG-IQ Virtual Edition...5 What is BIG-IQ Virtual Edition?...5 About BIG-IQ

More information

BIG-IP Access Policy Manager : Third-Party Integration Implementations. Version 11.5

BIG-IP Access Policy Manager : Third-Party Integration Implementations. Version 11.5 BIG-IP Access Policy Manager : Third-Party Integration Implementations Version 11.5 Table of Contents Table of Contents Legal Notices...7 Acknowledgments...9 Chapter 1: Citrix Requirements for Integration

More information

BIG-IP Access Policy Manager Authentication Configuration Guide. Version 11.3

BIG-IP Access Policy Manager Authentication Configuration Guide. Version 11.3 BIG-IP Access Policy Manager Authentication Configuration Guide Version 11.3 Table of Contents Table of Contents Legal Notices...7 Chapter 1: Authentication Concepts...9 Authentication in Access Policy

More information

BIG-IP DNS Services: Implementations. Version 12.0

BIG-IP DNS Services: Implementations. Version 12.0 BIG-IP DNS Services: Implementations Version 12.0 Table of Contents Table of Contents Configuring DNS Express...11 What is DNS Express?...11 About configuring DNS Express...11 Configuring DNS Express

More information

F5 BIG-IQ Centralized Management: Upgrading a DCD Cluster to Version 5.4. Version 5.4

F5 BIG-IQ Centralized Management: Upgrading a DCD Cluster to Version 5.4. Version 5.4 F5 BIG-IQ Centralized Management: Upgrading a DCD Cluster to Version 5.4 Version 5.4 Table of Contents Table of Contents Data Collection Device Cluster Upgrade Overview... 5 Decide which upgrade guide

More information

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version BIG-IP Access Policy Manager : Authentication and Single Sign-On Version 11.5.2 Table of Contents Table of Contents Legal Notices...13 Acknowledgments...15 Chapter 1: Authentication Concepts...19 About

More information

F5 BIG-IQ Centralized Management and Microsoft Hyper-V: Setup. Version 5.2

F5 BIG-IQ Centralized Management and Microsoft Hyper-V: Setup. Version 5.2 F5 BIG-IQ Centralized Management and Microsoft Hyper-V: Setup Version 5.2 Table of Contents Table of Contents Getting Started with BIG-IQ Virtual Edition...5 What is BIG-IQ Virtual Edition?...5 About

More information

vcmp for VIPRION Systems: Administration Version 12.0

vcmp for VIPRION Systems: Administration Version 12.0 vcmp for VIPRION Systems: Administration Version 12.0 Table of Contents Table of Contents Legal Notices...7 Legal notices...7 Introduction to the vcmp System...9 What is vcmp?...9 Other vcmp system components...10

More information

F5 BIG-IQ Centralized Management: Upgrading Logging Nodes to Version 5.2 Without Preserving Existing Data. Version 5.2

F5 BIG-IQ Centralized Management: Upgrading Logging Nodes to Version 5.2 Without Preserving Existing Data. Version 5.2 F5 BIG-IQ Centralized Management: Upgrading Logging Nodes to Version 5.2 Without Preserving Existing Data Version 5.2 Table of Contents Table of Contents Overview of the Logging Node Upgrade Without Restoring

More information

BIG-IP DNS Services: Implementations. Version 12.1

BIG-IP DNS Services: Implementations. Version 12.1 BIG-IP DNS Services: Implementations Version 12.1 Table of Contents Table of Contents Configuring DNS Express...9 What is DNS Express?...9 About configuring DNS Express...9 Configuring DNS Express to

More information

vcmp for Appliance Models: Administration Version 12.0

vcmp for Appliance Models: Administration Version 12.0 vcmp for Appliance Models: Administration Version 12.0 Table of Contents Table of Contents Legal Notices...7 Legal notices...7 Introduction to the vcmp System...9 What is vcmp?...9 Other vcmp system components...10

More information

BIG-IP WAN Optimization Manager : Implementations. Version 11.2

BIG-IP WAN Optimization Manager : Implementations. Version 11.2 BIG-IP WAN Optimization Manager : Implementations Version 11.2 Table of Contents Table of Contents Legal Notices...7 Acknowledgments...9 Chapter 1: Configuring a One-Arm Deployment Using WCCPv2...13 Overview:

More information

F5 BIG-IQ Centralized Management andlinux KVM: Setup. Version 5.0

F5 BIG-IQ Centralized Management andlinux KVM: Setup. Version 5.0 F5 BIG-IQ Centralized Management andlinux KVM: Setup Version 5.0 Table of Contents Table of Contents Getting Started with BIG-IQ Virtual Edition...5 What is BIG-IQ Virtual Edition?...5 About BIG-IQ VE

More information

BIG-IP TMOS : IP Routing Administration. Version

BIG-IP TMOS : IP Routing Administration. Version BIG-IP TMOS : IP Routing Administration Version 11.4.1 Table of Contents Table of Contents Legal Notices...7 Acknowledgments...9 Chapter 1: Overview of TMOS Routing...17 Overview of IP routing administration

More information

BIG-IP DNS Services: Implementations. Version 11.6

BIG-IP DNS Services: Implementations. Version 11.6 BIG-IP DNS Services: Implementations Version 11.6 Table of Contents Table of Contents Legal Notices and Acknowledgments...11 Legal Notices...11 Acknowledgments...12 Configuring DNS Express...29 What is

More information

BIG-IP Analytics: Implementations. Version 12.0

BIG-IP Analytics: Implementations. Version 12.0 BIG-IP Analytics: Implementations Version 12.0 Table of Contents Table of Contents Legal Notices...5 Legal notices...5 Setting Up Application Statistics Collection...7 What is Analytics?...7 About Analytics

More information

BIG-IP Device Service Clustering: Administration. Version 11.4

BIG-IP Device Service Clustering: Administration. Version 11.4 BIG-IP Device Service Clustering: Administration Version 11.4 Table of Contents Table of Contents Legal Notices...7 Acknowledgments...9 Chapter 1: Introducing BIG-IP Device Service Clustering...17 What

More information

BIG-IP System: Migrating Devices and Configurations Between Different Platforms. Version

BIG-IP System: Migrating Devices and Configurations Between Different Platforms. Version BIG-IP System: Migrating Devices and Configurations Between Different Platforms Version 13.0.0 Table of Contents Table of Contents Migration of Configurations Between Different Platforms...5 About Migrating

More information

BIG-IP Access Policy Manager : Portal Access. Version 12.0

BIG-IP Access Policy Manager : Portal Access. Version 12.0 BIG-IP Access Policy Manager : Portal Access Version 12.0 Table of Contents Table of Contents Legal Notices...7 Legal notices...7 Overview of Portal Access...9 Overview: What is portal access?...9 About

More information

BIG-IP Access Policy Manager Application Access Guide. Version 11.3

BIG-IP Access Policy Manager Application Access Guide. Version 11.3 BIG-IP Access Policy Manager Application Access Guide Version 11.3 Table of Contents Table of Contents Legal Notices...5 Chapter 1: Configuring App Tunnel Access...7 What are app tunnels?...8 Task summary

More information

TrafficShield Installation and Configuration Manual. version 3.2 MAN

TrafficShield Installation and Configuration Manual. version 3.2 MAN TrafficShield Installation and Configuration Manual version 3.2 MAN-0141-00 Service and Support Information Service and Support Information Product Version This manual applies to product version 3.2 of

More information

BIG-IP Local Traffic Manager: Configuring a Custom Cipher String for SSL Negotiation. Version 13.0

BIG-IP Local Traffic Manager: Configuring a Custom Cipher String for SSL Negotiation. Version 13.0 BIG-IP Local Traffic Manager: Configuring a Custom Cipher String for SSL Negotiation Version 13.0 Table of Contents Table of Contents Configuring a custom cipher string for SSL negotiation...5 Overview:

More information

BIG-IP Advanced Routing Bidirectional Forwarding Detection Configuration Guide. Version 7.8.4

BIG-IP Advanced Routing Bidirectional Forwarding Detection Configuration Guide. Version 7.8.4 BIG-IP Advanced Routing Bidirectional Forwarding Detection Configuration Guide Version 7.8.4 Publication Date This document was published on June 27, 2013. Legal Notices Copyright Copyright 2001-2013,

More information

F5 BIG-IQ Centralized Management and Amazon Web Services: Setup. Version 5.4

F5 BIG-IQ Centralized Management and Amazon Web Services: Setup. Version 5.4 F5 BIG-IQ Centralized Management and Amazon Web Services: Setup Version 5.4 Table of Contents Table of Contents Getting Started with BIG-IQ Virtual Edition...5 What is BIG-IQ Virtual Edition?...5 About

More information

BIG-IP Access Policy Manager Network Access Configuration Guide. Version 11.3

BIG-IP Access Policy Manager Network Access Configuration Guide. Version 11.3 BIG-IP Access Policy Manager Network Access Configuration Guide Version 11.3 Table of Contents Table of Contents Legal Notices...5 Chapter 1: About Network Access...7 What is network access?...8 Network

More information

F5 BIG-IQ Centralized Management and Linux Xen Project: Setup. Version 5.0

F5 BIG-IQ Centralized Management and Linux Xen Project: Setup. Version 5.0 F5 BIG-IQ Centralized Management and Linux Xen Project: Setup Version 5.0 Table of Contents Table of Contents Getting Started with BIG-IQ Virtual Edition...5 What is BIG-IQ Virtual Edition?...5 About

More information

Platform Guide: 1500, 3400, 6400, and 6800

Platform Guide: 1500, 3400, 6400, and 6800 Platform Guide: 1500, 3400, 6400, and 6800 MAN-0124-01 Updated 8/3/05 Product Version This manual applies to hardware platforms 1500, 3400, 6400, and 6800 created by F5 Networks, Inc. Legal Notices Copyright

More information

BIG-IP Virtual Edition Setup Guide for Linux KVM. Version 11.5

BIG-IP Virtual Edition Setup Guide for Linux KVM. Version 11.5 BIG-IP Virtual Edition Setup Guide for Linux KVM Version 11.5 Table of Contents Table of Contents Legal Notices...5 Chapter 1: Getting Started with BIG-IP Virtual Edition...7 What is BIG-IP Virtual Edition?...8

More information

BIG-IP Virtual Edition Setup Guide for VMware vcloud Director. Version 12.0

BIG-IP Virtual Edition Setup Guide for VMware vcloud Director. Version 12.0 BIG-IP Virtual Edition Setup Guide for VMware vcloud Director Version 12.0 Table of Contents Table of Contents Legal Notices...5 Legal notices...5 Getting Started with BIG-IP Virtual Edition...7 What

More information