BIG-IP Global Traffic Manager : Implementations. Version 11.0


Table of Contents

Legal Notices
Acknowledgments

Chapter 1: Upgrading BIG-IP GTM to Version 11
  Converting a statistics collection server to a Prober pool automatically

Chapter 2: Delegating DNS Traffic to Wide IPs
  Overview: Delegating DNS traffic to wide IPs
  About listeners
  Task summary
  Creating a delegated zone on a local DNS server
  Creating a self IP address using the IP address of the legacy DNS server
  Designating GTM as the primary server for the zone
  Creating a listener to handle traffic for wide IPs
  Implementation results

Chapter 3: Replacing a DNS Server with BIG-IP GTM
  Overview: Replacing a DNS server with BIG-IP GTM
  About listeners
  Task summary
  Configuring the legacy DNS server to allow zone file transfers
  Acquiring zone files from the legacy DNS server
  Creating a self IP address using the IP address of the legacy DNS server
  Designating GTM as the primary server for the zone
  Creating listeners to identify DNS traffic
  Implementation results

Chapter 4: Sending Traffic Through BIG-IP GTM
  Overview: Configuring GTM to pass traffic to an existing DNS server
  About listeners
  About Router mode
  About Bridge mode
  Task summary
  Placing GTM on your network to forward traffic
  Creating a listener to forward traffic to a DNS server on a different network segment
  Creating a listener to forward traffic to a DNS server on the same network segment
  Implementation results

Chapter 5: Load Balancing Non-Wide IP DNS Traffic to a Pool of DNS Servers
  Overview: Load balancing non-wide IP traffic to a pool of DNS servers
  About listeners
  Task summary
  Creating a pool of local DNS servers
  Creating a listener that alerts GTM to DNS queries for a pool of DNS servers
  Implementation results

Chapter 6: Load Balancing DNS Traffic Between IPv-6 Only and IPv-4 Only Clouds
  Overview: Load balancing IPv6-only connection requests to IPv4-only servers
  Task summary
  Creating a custom DNS profile
  Assigning a DNS profile to a virtual server
  Implementation results

Chapter 7: Configuring GTM on a Network with One Route Domain
  Overview: How do I deploy BIG-IP GTM on a network with one route domain?
  Task summary
  Creating VLANs for a route domain on BIG-IP LTM
  Creating a route domain on BIG-IP LTM
  Creating a self IP address for a route domain on BIG-IP LTM
  Defining a server for a route domain on BIG-IP GTM
  Implementation results

Chapter 8: Configuring GTM on a Network with Multiple Route Domains
  Overview: How do I deploy BIG-IP GTM on a network with multiple route domains?
  Task summary
  Creating VLANs for a route domain on BIG-IP LTM
  Creating a route domain on BIG-IP LTM
  Creating a self IP address for a route domain on BIG-IP LTM
  Disabling auto-discovery at the global-level on BIG-IP GTM
  Defining a server for a route domain on BIG-IP GTM
  Implementation results

Chapter 9: Securing Your DNS Infrastructure
  Overview: Securing your DNS infrastructure
  How do I prepare for a manual rollover of a DNSSEC key?
  Task summary
  Creating DNSSEC key-signing keys
  Creating DNSSEC zone-signing keys
  Creating DNSSEC zones
  Validating that a zone is correctly signed
  Specifying which GTM creates new generations of DNSSEC keys
  Implementation results

Chapter 10: Configuring DNS Express on BIG-IP Systems
  Overview: How do I configure a BIG-IP system to mitigate DDoS attacks?
  What is DNS Express?
  Task summary
  Creating a DNS Express TSIG key
  Creating a DNS Express zone
  Configuring the legacy DNS server to allow zone file transfers
  Creating a DNS Express profile
  Assigning a DNS Express profile to a virtual server
  Assigning a DNS Express profile to a listener
  Viewing information about DNS Express zones
  Implementation results

Chapter 11: Configuring IP Anycast (Route Health Injection)
  Overview: Configuring IP Anycast (Route Health Injection)
  Task summary
  Enabling the ZebOS dynamic routing protocol
  Creating a custom DNS profile
  Configuring a listener for route advertisement
  Verifying advertisement of the route to a listener
  Implementation results

Chapter 12: Configuring BIG-IP GTM VIPRION Systems
  Overview: Configuring BIG-IP GTM VIPRION systems
  Configuring dependency for virtual server status

Chapter 13: Ensuring Correct Synchronization When Adding GTM to a Network
  Overview: Ensuring correct synchronization when adding GTM to a network
  What is configuration synchronization?
  About NTP Servers and Synchronization
  About adding an additional BIG-IP GTM to your network
  Task summary
  Defining an NTP server on the existing GTM
  Enabling synchronization on the existing GTM
  Creating a data center on the existing GTM
  Defining a server
  Running the gtm_add script on the new GTM
  Implementation results

Chapter 14: Integrating BIG-IP GTM with Other BIG-IP Systems
  Overview: Integrating GTM with older BIG-IP systems on my network
  About the iQuery protocol and the big3d agent
  Task summary
  Defining a data center
  Defining BIG-IP GTM
  Defining the existing BIG-IP systems
  Running the big3d_install script
  Implementation results

Chapter 15: Setting Up a BIG-IP GTM Redundant System Configuration
  Overview: Configuring a BIG-IP GTM redundant system
  Task summary
  Defining an NTP server
  Creating listeners to identify DNS traffic
  Defining a data center
  Defining a server
  Enabling global traffic configuration synchronization
  Running the gtm_add script

Chapter 16: Authenticating with SSL Certificates Signed by a Third Party
  Overview: Authenticating with SSL certificates signed by a third party
  SSL Authentication
  Configuring Level 1 SSL authentication
  Importing the device certificate
  Importing the root certificate for the gtmd agent
  Importing the root certificate for the big3d agent
  Verifying the certificate exchange
  Implementation Results
  Configuring certificate chain SSL authentication
  Creating a certificate chain file
  Importing the device certificate from the last CA server in the chain
  Importing a certificate chain file for the gtmd agent
  Importing a certificate chain for the big3d agent
  Verifying the certificate chain exchange
  Implementation results

Chapter 17: Monitoring Third-Party Servers with SNMP
  Overview: SNMP monitoring of third-party servers
  Task summary
  Creating an SNMP monitor
  Defining a third-party host server that is running SNMP
  Implementation results

Chapter 18: Configuring Device-Specific Probing and Statistics Collection
  Overview: Configuring device-specific probing and statistics collection
  About Prober pools
  About Prober pool status
  About Prober pool statistics
  Task summary
  Creating a Prober pool
  Assigning a Prober pool to a data center
  Assigning a Prober pool to a server
  Viewing Prober pool statistics and status
  Which Prober pool member marked my resource down?
  Implementation results

Chapter 19: Diagnosing Network Connection Issues
  Diagnosing network connection issues
  Viewing information about connections between BIG-IP GTM and other BIG-IP systems
  iQuery statistics descriptions

Legal Notices

Publication Date
This document was published on August 17,

Publication Number
MAN

Copyright
Copyright 2011, F5 Networks, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks
3DNS, Access Policy Manager, Acopia, Acopia Networks, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, Cloud Extender, CloudFucious, CMP, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, EM, Enterprise Manager, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iApps, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, IT agility. Your way., L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Module, MSM, Netcelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, Real Traffic Policy Builder, Scale N, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, TrafficShield, Transparent Data Reduction, VIPRION, vCMP, WA, WAN Optimization Manager, WANJet, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent.

All other product and company names herein may be trademarks of their respective owners.

Patents
This product may be protected by U.S. Patents 6,374,300; 6,473,802; 6,970,733; 7,047,301; 7,707,289. This list is believed to be current as of August 17,

Export Regulation Notice
This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.

Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance
This Class A digital apparatus complies with Canadian ICES-003.

Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.

Acknowledgments

This product includes software developed by Gabriel Forté.
This product includes software developed by Bill Paul.
This product includes software developed by Jonathan Stone.
This product includes software developed by Manuel Bouyer.
This product includes software developed by Paul Richards.
This product includes software developed by the NetBSD Foundation, Inc. and its contributors.
This product includes software developed by the Politecnico di Torino, and its contributors.
This product includes software developed by the Swedish Institute of Computer Science and its contributors.
This product includes software developed by the University of California, Berkeley and its contributors.
This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory.
This product includes software developed by Christopher G. Demetriou for the NetBSD Project.
This product includes software developed by Adam Glass.
This product includes software developed by Christian E. Hopps.
This product includes software developed by Dean Huxley.
This product includes software developed by John Kohl.
This product includes software developed by Paul Kranenburg.
This product includes software developed by Terrence R. Lambert.
This product includes software developed by Philip A. Nelson.
This product includes software developed by Herb Peyerl.
This product includes software developed by Jochen Pohl for the NetBSD Project.
This product includes software developed by Chris Provenzano.
This product includes software developed by Theo de Raadt.
This product includes software developed by David Muir Sharnoff.
This product includes software developed by SigmaSoft, Th. Lockert.
This product includes software developed for the NetBSD Project by Jason R. Thorpe.
This product includes software developed by Jason R. Thorpe for And Communications,
This product includes software developed for the NetBSD Project by Frank Van der Linden.
This product includes software developed for the NetBSD Project by John M. Vinopal.
This product includes software developed by Christos Zoulas.
This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman.
This product includes software developed by Balazs Scheidler which is protected under the GNU Public License.
This product includes software developed by Niels Mueller which is protected under the GNU Public License.
In the following statement, This software refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with 386BSD and similar operating systems. Similar operating systems includes mainly non-profit oriented systems for research and education, including but not restricted to NetBSD, FreeBSD, Mach (by CMU).
This product includes software developed by the Apache Group for use in the Apache HTTP server project (
This product includes software licensed from Richard H. Porter under the GNU Library General Public License ( 1998, Red Hat Software),
This product includes the standard version of Perl software licensed under the Perl Artistic License ( 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at
This product includes software developed by Jared Minch.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (
This product includes cryptographic software written by Eric Young ([email protected]).
This product contains software based on oprofile, which is protected under the GNU Public License.
This product includes RRDtool software developed by Tobi Oetiker ( and licensed under the GNU General Public License.
This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL).
This product includes software developed by the Apache Software Foundation (
This product includes Hypersonic SQL.
This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others.
This product includes software developed by the Internet Software Consortium.
This product includes software developed by Nominum, Inc. (
This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License.
This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation.
This product includes the GeoPoint Database developed by Quova, Inc. and its contributors.

Chapter 1: Upgrading BIG-IP GTM to Version 11

Topics:
  Converting a statistics collection server to a Prober pool automatically

Converting a statistics collection server to a Prober pool automatically

In version 10.2 of BIG-IP Global Traffic Manager (GTM), you could assign a single BIG-IP system to probe a server to gather health and performance data. You did this by specifying the IP address of the BIG-IP system (which you chose to perform probes of the server) in the Statistics Collection Server field of the server. In version 11.0, this feature is replaced by the Prober pool feature.

When you upgrade from version 10.2.x to version 11.0, if a single BIG-IP system was assigned to probe a server, BIG-IP GTM converts the single server to a Prober pool with one member, and then assigns the Prober pool to the server to which the Statistics Collection server was originally assigned.

The name of the new Prober pool is based on the IP address of the original Statistics Collection server. If the original Statistics Collection server had an IP address of 10.10.2.3, the name of the automatically created Prober pool is prober_pool_10_10_2_3.

Chapter 2: Delegating DNS Traffic to Wide IPs

Topics:
  Overview: Delegating DNS traffic to wide IPs
  Task summary
  Implementation results

Overview: Delegating DNS traffic to wide IPs

BIG-IP Global Traffic Manager (GTM) load balances incoming wide IP traffic to your network resources. BIG-IP GTM can work in conjunction with an existing DNS server on your network. In this situation, you configure the DNS server to delegate wide IP-related requests to the BIG-IP GTM for name resolution.

Figure 1: Traffic flow when DNS server delegates traffic to BIG-IP GTM

This implementation focuses on the fictional company SiteRequest, which recently purchased BIG-IP GTM to help load balance traffic across two of its web-based applications: store.siterequest.com and checkout.siterequest.com. These applications are delegated zones of which an existing DNS server manages. They have already configured BIG-IP GTM with two wide IPs, store.wip.siterequest.com and checkout.wip.siterequest.com, which correspond to these two web applications.

About listeners

Listeners control how BIG-IP GTM handles network traffic. A listener is a specialized virtual server that is assigned a specific IP address. A wildcard listener is a special listener that is assigned an IP address of and DNS query port (port 53). When traffic is sent to the IP address of a listener, BIG-IP GTM either handles the traffic locally or sends the traffic to the appropriate resource.

Task summary

Perform these tasks to delegate DNS traffic to wide IPs.
  Creating a delegated zone on a local DNS server
  Creating a self IP address using the IP address of the legacy DNS server
  Designating GTM as the primary server for the zone
  Creating a listener to handle traffic for wide IPs

Creating a delegated zone on a local DNS server

If you are unfamiliar with how to modify the files on DNS servers, review the fifth edition of DNS and BIND, available from O'Reilly Media. Determine which DNS servers will delegate wide IP-related requests to BIG-IP GTM.

In order for BIG-IP GTM to manage the web applications of store.siterequest.com and checkout.siterequest.com, you must create a delegated zone on the existing DNS server. Perform the following steps on the selected DNS servers.

1. Create an address record (A record) that defines the domain name and IP address of BIG-IP GTM.
2. Create a nameserver record (NS record) that defines the delegated zone for which BIG-IP GTM is responsible.
3. Create canonical name records (CNAME records) for each web application, which forwards requests to store.siterequest.com and checkout.siterequest.com to the wide IP addresses of store.wip.siterequest.com and checkout.wip.siterequest.com, respectively.

A delegated zone exists on each DNS server on which you performed this procedure.

Creating a self IP address using the IP address of the legacy DNS server

Create a self IP address on BIG-IP GTM using the IP address of the legacy DNS server.

1. On the Main tab, click Network > Self IPs.
2. Click Create. The New Self IP screen opens.
3. In the IP Address field, type the IP address of the legacy DNS server. The system accepts IP addresses in both the IPv4 and IPv6 formats.
4. In the Netmask field, type the network mask for the specified IP address.
5. Click Finished.

The screen refreshes, and displays the new self IP address in the list.

Designating GTM as the primary server for the zone

Ensure that you have created a self IP address on BIG-IP GTM using the IP address of the legacy DNS server. Add the new self IP address to the BIG-IP GTM server object. Then modify the DNS server based on your network configuration.

1. Log on to BIG-IP GTM.
2. On the Main tab, click Global Traffic > Servers. The Server List screen opens.
3. Click the name of the BIG-IP GTM system that you want to modify. The server settings and values display.
4. In the Address List area, add the new self IP address.
5. Click Update.
6. Do one of the following based on your network configuration:
   - Modify the IP address of the legacy DNS server so that it becomes a secondary DNS server to BIG-IP GTM. Ensure that the IP address of the DNS server does not conflict with the self IP address that you added to the BIG-IP GTM server object.
     Note: If you are unfamiliar with how to change a DNS server from a primary to a secondary, refer to the fifth edition of DNS and BIND, available from O'Reilly Media.
   - Remove the legacy DNS server from your network.

BIG-IP GTM is now the authoritative name server for the zone. The root servers for the zone do not need to be updated, because the IP address of the legacy DNS server was added to BIG-IP GTM.

Creating a listener to handle traffic for wide IPs

You need to create a listener that corresponds to a delegated zone that you create on your existing DNS server. This listener will identify DNS traffic that is destined for BIG-IP GTM.

1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click Create. The new Listeners screen opens.
3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is a self IP address on BIG-IP GTM.
4. From the VLAN Traffic list, select All VLANs.
5. From the Protocol list, select either UDP or TCP.
6. Click Finished.

Implementation results

You now have an implementation of BIG-IP GTM in which a DNS server manages DNS traffic unless a query is for a wide IP configured on BIG-IP GTM. When the DNS server receives queries for store.siterequest.com or checkout.siterequest.com, it delegates the queries to BIG-IP GTM, which then load balances the traffic to the appropriate wide IPs.
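The three records from "Creating a delegated zone on a local DNS server" can be checked against each other before the zone is loaded. The following is an added example, not part of the F5 manual: the address 192.0.2.53, the host name gtm1 and the zone cut wip.siterequest.com are assumptions, and the parser only handles one record per line with an explicit owner name.

```python
"""Check a parent-zone fragment for the A, NS and CNAME records of a delegation."""

# Constructed sample. 192.0.2.53, the host name gtm1 and the zone cut
# wip.siterequest.com are assumptions; only the application and wide IP
# names come from the manual.
GOOD_ZONE = """\
$ORIGIN siterequest.com.
gtm1      IN A      192.0.2.53                    ; step 1: address of BIG-IP GTM
wip       IN NS     gtm1.siterequest.com.         ; step 2: delegated zone
store     IN CNAME  store.wip.siterequest.com.    ; step 3: one CNAME per application
checkout  IN CNAME  checkout.wip.siterequest.com.
"""

# Constructed sample with two mistakes: the name server has no address
# record, and one CNAME points outside the delegated zone.
BAD_ZONE = """\
$ORIGIN siterequest.com.
wip       IN NS     gtm1.siterequest.com.
store     IN CNAME  store.wip.siterequest.com.
checkout  IN CNAME  checkout.siterequest.net.
"""


def qualify(name, origin):
    """Return a lower-case fully qualified name; relative names get the origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin.lstrip('.')}"


def parse_zone(text):
    """Parse zone text into (owner, type, rdata) tuples."""
    origin, records = ".", []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop comments, then tokenize
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        owner, rest = qualify(fields[0], origin), fields[1:]
        while rest and (rest[0].upper() == "IN" or rest[0].isdigit()):
            rest = rest[1:]                     # skip optional class and TTL
        rtype, rdata = rest[0].upper(), rest[1]
        if rtype in ("NS", "CNAME"):
            rdata = qualify(rdata, origin)
        records.append((owner, rtype, rdata))
    return records


def check_delegation(records):
    """Return a list of problems; an empty list means the three steps line up."""
    addresses = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    cuts = {owner: target for owner, rtype, target in records if rtype == "NS"}
    problems = []
    for cut, server in cuts.items():
        if server not in addresses:
            problems.append(
                f"{cut} is delegated to {server}, which has no address record here")
    for owner, rtype, target in records:
        if rtype != "CNAME":
            continue
        if not any(target == cut or target.endswith("." + cut) for cut in cuts):
            problems.append(
                f"{owner} points to {target}, outside every delegated zone")
    return problems


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_delegation(parse_zone(zone)) or "ok")
```

A CNAME that leaves the delegated zone, or an NS target without an address record, means queries for that application never reach BIG-IP GTM.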


Chapter 3: Replacing a DNS Server with BIG-IP GTM

Topics:
  Overview: Replacing a DNS server with BIG-IP GTM
  Task summary
  Implementation results

Overview: Replacing a DNS server with BIG-IP GTM

BIG-IP Global Traffic Manager (GTM) load balances incoming wide IP traffic to your network resources. BIG-IP GTM can also replace a local DNS server as the authoritative nameserver for wide IPs, zones, and all other DNS-related traffic. You can configure BIG-IP GTM to replace the DNS server that currently manages BIG-IP GTM becomes the authoritative nameserver for and load balances traffic across the web-based applications store.siterequest.com and checkout.siterequest.com.

Figure 2: Traffic flow when BIG-IP GTM replaces DNS server

About listeners

Listeners control how BIG-IP GTM handles network traffic. A listener is a specialized virtual server that is assigned a specific IP address. A wildcard listener is a special listener that is assigned an IP address of and DNS query port (port 53). When traffic is sent to the IP address of a listener, BIG-IP GTM either handles the traffic locally or sends the traffic to the appropriate resource.

Task summary

Perform these tasks to replace a DNS server with BIG-IP GTM.
  Configuring the legacy DNS server to allow zone file transfers
  Acquiring zone files from the legacy DNS server
  Creating a self IP address using the IP address of the legacy DNS server
  Designating GTM as the primary server for the zone
  Creating listeners to identify DNS traffic

Configuring the legacy DNS server to allow zone file transfers

If you are unfamiliar with how to modify DNS server files, review the fifth edition of DNS and BIND, available from O'Reilly Media.

To configure the legacy DNS server to allow zone file transfers to BIG-IP GTM, add to the DNS server an allow-transfer statement that specifies the IP address of the new BIG-IP GTM system.

You can modify the following allow-transfer statement to use the IP address of your BIG-IP GTM:

    allow-transfer { localhost; <IP address of BIG-IP GTM>; };

Acquiring zone files from the legacy DNS server

Ensure that you have configured the legacy DNS server with an allow-transfer statement that authorizes zone transfers to BIG-IP GTM.

For BIG-IP GTM to acquire zone files from the legacy DNS server, create a new zone.

1. On the Main tab, click Global Traffic > ZoneRunner > Zone List. The Zone List screen opens.
2. Click Create.
3. From the View Name list, select the view that you want this zone to be a member of. The default view is external.
4. In the Zone Name field, type a name for the zone file in this format, including the trailing dot: db.[viewname].[zonename]. For example, db.external.siterequest.com.
5. From the Zone Type list, select Master.
6. From the Records Creation Method list, select Transfer from Server.
7. In the Source Server field, type the IP address of the DNS server (the server from which you want BIG-IP GTM to acquire zone files).
8. Click Finished.
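The allow-transfer statement shown under "Configuring the legacy DNS server to allow zone file transfers" names exactly one remote host, and anything broader exposes the full zone contents to other requesters. The following added example (not part of the F5 manual) audits named.conf text for entries wider than that; the configuration fragment, zone names and addresses are constructed, 192.0.2.53 stands in for the BIG-IP GTM address, and nested braces inside allow-transfer are not handled.

```python
"""Audit allow-transfer statements in named.conf text against one expected host."""
import ipaddress
import re

EXPECTED_GTM = "192.0.2.53"  # assumption: stands in for <IP address of BIG-IP GTM>

# Constructed named.conf fragment; zone names, file names and addresses are samples.
NAMED_CONF = """\
zone "siterequest.com" {
    type master;
    file "siterequest.com.db";
    allow-transfer { localhost; 192.0.2.53; };
};
zone "example.test" {
    type master;
    file "example.test.db";
    allow-transfer { any; };
};
zone "example.invalid" {
    type master;
    file "example.invalid.db";
    allow-transfer { localhost; 192.0.2.0/24; 198.51.100.7; };
};
"""

# A zone block runs from 'zone "name" {' to a '};' at the start of a line.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)^\};', re.S | re.M)
XFER_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")


def classify(entry, expected):
    """Return a reason string if the ACL entry needs review, else None."""
    lowered = entry.lower()
    if lowered in ("localhost", "none"):
        return None
    if lowered == "any":
        return "any host may request the zone"
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Not an address: a named ACL or a key reference.
        return "named ACL or key; review its definition"
    if net.num_addresses > 1:
        return "whole network allowed instead of a single host"
    if net.network_address != ipaddress.ip_address(expected):
        return "host is not the expected BIG-IP GTM address"
    return None


def audit_allow_transfer(conf, expected):
    """Return (zone, entry, reason) for every allow-transfer entry to review."""
    findings = []
    for zone, body in ZONE_RE.findall(conf):
        for match in XFER_RE.finditer(body):
            entries = (part.strip() for part in match.group(1).split(";"))
            for entry in filter(None, entries):
                reason = classify(entry, expected)
                if reason:
                    findings.append((zone, entry, reason))
    return findings


if __name__ == "__main__":
    for zone, entry, reason in audit_allow_transfer(NAMED_CONF, EXPECTED_GTM):
        print(f"{zone}: {entry}: {reason}")
```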

Creating a self IP address using the IP address of the legacy DNS server

Create a self IP address on BIG-IP GTM using the IP address of the legacy DNS server.

1. On the Main tab, click Network > Self IPs.
2. Click Create. The New Self IP screen opens.
3. In the IP Address field, type the IP address of the legacy DNS server. The system accepts IP addresses in both the IPv4 and IPv6 formats.
4. In the Netmask field, type the network mask for the specified IP address.
5. Click Finished.

The screen refreshes, and displays the new self IP address in the list.

Designating GTM as the primary server for the zone

Ensure that you have created a self IP address on BIG-IP GTM using the IP address of the legacy DNS server. Add the new self IP address to the BIG-IP GTM server object. Then modify the DNS server based on your network configuration.

1. Log on to BIG-IP GTM.
2. On the Main tab, click Global Traffic > Servers. The Server List screen opens.
3. Click the name of the BIG-IP GTM system that you want to modify. The server settings and values display.
4. In the Address List area, add the new self IP address.
5. Click Update.
6. Do one of the following based on your network configuration:
   - Modify the IP address of the legacy DNS server so that it becomes a secondary DNS server to BIG-IP GTM. Ensure that the IP address of the DNS server does not conflict with the self IP address that you added to the BIG-IP GTM server object.
     Note: If you are unfamiliar with how to change a DNS server from a primary to a secondary, refer to the fifth edition of DNS and BIND, available from O'Reilly Media.
   - Remove the legacy DNS server from your network.

BIG-IP GTM is now the authoritative name server for the zone. The root servers for the zone do not need to be updated, because the IP address of the legacy DNS server was added to BIG-IP GTM.
Creating listeners to identify DNS traffic

Create two listeners to identify the DNS traffic, which was previously handled by the DNS server, for which BIG-IP GTM is now responsible. Create one listener that uses the UDP protocol and one that uses the TCP protocol.

Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP, the client may receive the error: connection refused or TCP RSTs.

1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click Create. The new Listeners screen opens.
3. In the Destination field, type the IP address previously used by the legacy DNS server.
4. From the VLAN Traffic list, select All VLANs.
5. From the Protocol list, select UDP.
6. Click Finished.

Create another listener with the same IP address, but select TCP from the Protocol list.

Implementation results

BIG-IP GTM replaces the legacy DNS server as the authoritative nameserver for the zone. BIG-IP GTM handles all incoming DNS traffic, whether destined for a wide IP or handled by the BIND instance on the system.


Chapter 4: Sending Traffic Through BIG-IP GTM

Topics:
  Overview: Configuring GTM to pass traffic to an existing DNS server
  Task summary
  Implementation results

Overview: Configuring GTM to pass traffic to an existing DNS server

You can use BIG-IP Global Traffic Manager (GTM) as a router or forwarder in front of an existing DNS server. With this setup, all DNS traffic flows through BIG-IP GTM. Listeners that you configure on BIG-IP GTM verify incoming DNS queries. If the query is for a wide IP, BIG-IP GTM load balances the request to the appropriate resource. If the query is for a destination that does not match a wide IP or for an IP address that is not configured on BIG-IP GTM, the system routes or forwards the query to the specified DNS server for resolution.

When forwarding a query, BIG-IP GTM transforms the source address to a self IP address on BIG-IP GTM. This ensures that BIG-IP GTM returns responses through the system before forwarding the response to the client.

Figure 3: Traffic flow through the BIG-IP GTM routing or forwarding traffic to DNS server

About listeners

Listeners control how BIG-IP GTM handles network traffic. A listener is a specialized virtual server that is assigned a specific IP address. A wildcard listener is a special listener that is assigned an IP address of and DNS query port (port 53). When traffic is sent to the IP address of a listener, BIG-IP GTM either handles the traffic locally or sends the traffic to the appropriate resource.

About Router mode

When BIG-IP GTM is in Router mode, a listener alerts the system when it receives requests destined for a DNS server on a different subnet. BIG-IP GTM routes these requests to the specified DNS server.

About Bridge mode

When BIG-IP GTM is in Bridge mode, a listener alerts the system when it receives requests destined for a DNS server on the same network segment. The BIG-IP GTM forwards these requests to the specified DNS server.

Task summary

Perform these tasks to send traffic through BIG-IP GTM.
  Placing GTM on your network to forward traffic
  Creating a listener to forward traffic to a DNS server on a different network segment
  Creating a listener to forward traffic to a DNS server on the same network segment

Placing GTM on your network to forward traffic

You need to determine to which DNS server you want this BIG-IP GTM system to forward traffic. Now you want to place BIG-IP GTM between the existing DNS server and the Internet.

1. Physically connect BIG-IP GTM to your Internet connection.
2. Connect the DNS server to an Ethernet port on BIG-IP GTM.

Creating a listener to forward traffic to a DNS server on a different network segment

You need to determine to which DNS server you want this listener to forward traffic.

1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click Create. The new Listeners screen opens.
3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is the IP address of a DNS server to which you want the listener to route traffic.
   Important: The destination must not match a self IP address on BIG-IP GTM.
4. From the VLAN Traffic list, select All VLANs.
5. Click Finished.

Creating a listener to forward traffic to a DNS server on the same network segment

You need to determine to which DNS server you want this listener to forward traffic.

1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click Create. The new Listeners screen opens.
3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is the IP address of a DNS server to which you want the listener to forward traffic.
   Important: The destination must not match a self IP address on BIG-IP GTM.
4. From the VLAN Traffic list, select All VLANs.
5. Click Finished.

Implementation results

You now have an implementation in which BIG-IP GTM receives all DNS queries. If the query is for a wide IP, BIG-IP GTM load balances the request to the appropriate resource. If the query is for an IP address of a DNS server, BIG-IP GTM either routes or forwards the query to the DNS server for resolution.

Chapter 5
Load Balancing Non-Wide IP DNS Traffic to a Pool of DNS Servers

Topics:
Overview: Load balancing non-wide IP traffic to a pool of DNS servers
Task summary
Implementation results

Overview: Load balancing non-wide IP traffic to a pool of DNS servers

BIG-IP Global Traffic Manager (GTM) can function as a load balancer in front of a pool of DNS servers. In this situation, BIG-IP GTM checks incoming DNS queries and if the query is for a wide IP, load balances it to the appropriate resource. Otherwise, BIG-IP GTM forwards the DNS query to one of the servers in a pool of DNS servers, and that server handles the query.

About listeners

Listeners control how BIG-IP GTM handles network traffic. A listener is a specialized virtual server that is assigned a specific IP address. A wildcard listener is a special listener that is assigned an IP address of and DNS query port (port 53). When traffic is sent to the IP address of a listener, BIG-IP GTM either handles the traffic locally or sends the traffic to the appropriate resource.

Task summary

Perform these tasks to load balance non-wide IP traffic to a pool of DNS servers.
Creating a pool of local DNS servers
Creating a listener that alerts GTM to DNS queries for a pool of DNS servers

Creating a pool of local DNS servers

Gather the IP addresses of the DNS servers that you want to include in a pool to which BIG-IP GTM load balances DNS traffic.
1. Log on to the command line interface of BIG-IP GTM.
2. Type tmsh to access the Traffic Management Shell.
3. Run a variation on this command sequence to create a pool using the IP addresses of the DNS servers on your network:
   create /ltm pool DNS_pool members add { :domain :domain :domain } monitor udp
   When you run the above example command, the system creates a BIG-IP LTM pool named DNS_pool that includes three DNS servers with the following IP addresses , , and A UDP monitor is assigned to the pool to determine the availability of the pool members.
4. Run this command sequence to save the pool:
   save /sys config
5. Run this command sequence to display the pool:
   list /ltm pool
6. Verify that the pool is configured correctly.

Creating a listener that alerts GTM to DNS queries for a pool of DNS servers

Configure a listener that alerts BIG-IP GTM to DNS queries destined for DNS servers that are members of a pool.
1. Log on to the command line interface of BIG-IP GTM.
2. Type tmsh to access the Traffic Management Shell.
3. Run this command sequence to create a listener:
   create /gtm listener DNS_listener address ip-protocol udp pool DNS_pool translate-address enabled
   When you run the above example command, the system creates a listener named DNS_pool with an IP address of that alerts BIG-IP GTM to queries destined for the members of DNS_pool.
4. Run this command sequence to save the listener:
   save /sys config
5. Run this command sequence to display the listener:
   list /gtm listener
   The system displays the new listener configuration.

Implementation results

You now have an implementation in which BIG-IP GTM receives DNS queries, load balances wide IP requests to the appropriate resource, and load balances all other DNS queries to the members of the pool of DNS servers.


Chapter 6
Load Balancing DNS Traffic Between IPv-6 Only and IPv-4 Only Clouds

Topics:
Overview: Load balancing IPv6-only connection requests to IPv4-only servers
Task summary
Implementation results

Overview: Load balancing IPv6-only connection requests to IPv4-only servers

You can configure the BIG-IP Local Traffic Manager (LTM) and BIG-IP Global Traffic Manager (GTM) system to load balance IPv6-only client connection requests to IPv4-only servers on your network by returning an AAAA record response to the client.

Task summary

Perform these tasks to configure load balancing of IPv6-only connection requests to IPv4-only servers on your network.
Creating a custom DNS profile
Assigning a DNS profile to a virtual server

Creating a custom DNS profile

You can create a custom DNS profile to configure how the BIG-IP system handles DNS connection requests.
1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens.
2. Click Create. The New Fast L4 Profile screen opens.
3. In the Name field, type a name for the profile. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
4. In the Parent Profile list, accept the default dns profile.
5. Select the Custom check box. The fields in the Settings area become available for configuring.
6. In the Global Traffic Management list, accept the default value Enabled.
7. From the DNS IPv6 to IPv4 list, select how you want the system to handle IPv6 to IPv4 address mapping in DNS queries and responses.
   Option: Description
   Disabled: The BIG-IP system does not map IPv4 addresses to IPv6 addresses.
   Immediate: The BIG-IP system forwards the first good response from the DNS server to the client. If the system receives an A response first, it appends a 96-bit prefix to the record and forwards it to the client. If the system receives an AAAA response first, it simply forwards the response to the client. The system disregards the second response from the DNS server.
   Secondary: The BIG-IP system sends an AAAA query to the DNS server. Only if the response fails, does the BIG-IP system send an A query. If the BIG-IP system receives an A response, it appends a 96-bit user-configured prefix to the record and forwards it to the client.
   v4 Only: The BIG-IP system receives an AAAA query and translates it into an A query and forwards the query to a DNS server. After receiving the response, the system appends a 96-bit user-configured prefix to the record and forwards it to the IPv6 client.
   Important: Select this option only if you know that no DNS AAAA queries will be sent to the BIG-IP system.
   If you selected Immediate, Secondary, or V4 Only, two new fields display.
8. In the IPv6 to IPv4 Prefix field, specify the prefix the BIG-IP system appends to all A query responses to an IPv6 request.
9. From the IPv6 to IPv4 Additional Section Rewrite list, select an option to allow improved network efficiency for both Unicast and Multicast DNS-SD responses.
   Option: Description
   Disabled: The BIG-IP system does not perform additional rewrite.
   v4 Only: The BIG-IP system accepts only A records. The system appends the 96-bit user-configured prefix to a record and returns an IPv6 response to the client.
   v6 Only: The BIG-IP system accepts only AAAA records and returns those records to the client.
   Any: The BIG-IP system accepts and returns both A and AAAA records. If the DNS server returns an A record in the Additional section of a DNS message, the BIG-IP system appends the 96-bit user-configured prefix to the record and returns an IPv6 response to the client.
10. From the Use BIND Server on BIG-IP list, select Enabled.
    Note: Enable this setting only when you want the system to forward non-wide IP queries to the local BIND server on BIG-IP GTM.
11. Click Finished.

Assigning a DNS profile to a virtual server

1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
2. Click the name of the virtual server you want to modify.
3. From the DNS Profile list, select the profile you created to manage IPv6 to IPv4 address mapping.
4. Click Update.
This virtual server can now pass traffic between an IPv6-only client and an IPv4-only DNS server.
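The following added example (not F5 code and not part of the original guide) models the four DNS IPv6 to IPv4 options described in step 7 and shows how to recover the original IPv4 address from a mapped address when reading logs. It assumes the RFC 6052 /96 layout, in which the configured prefix forms the high-order 96 bits and the IPv4 address the low-order 32 bits; the mode strings, function names, and the 64:ff9b::/96 sample prefix are choices made for this illustration.

```python
"""Model of the DNS IPv6 to IPv4 profile options (added illustration).

Assumption: the 96-bit prefix occupies the high-order bits of the mapped
address and the IPv4 address the low-order 32 bits (RFC 6052 /96 layout).
"""
import ipaddress
from typing import List, Optional, Sequence, Tuple

# One DNS response: (record type, addresses). Lists are in arrival order.
Response = Tuple[str, Sequence[str]]


def _prefix(prefix: str) -> ipaddress.IPv6Network:
    """Parse the user-configured prefix and insist on exactly 96 bits."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 96:
        raise ValueError("the IPv6 to IPv4 prefix must be exactly 96 bits")
    return net


def synthesize_aaaa(prefix: str, ipv4: str) -> str:
    """Combine the 96-bit prefix with an A record address."""
    net = _prefix(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(net.network_address) | int(v4)))


def extract_ipv4(prefix: str, ipv6: str) -> Optional[str]:
    """Return the embedded IPv4 address, or None for a native IPv6 address."""
    net = _prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def answer_for_client(mode: str, responses: Sequence[Response],
                      prefix: str) -> List[str]:
    """Addresses an IPv6-only client receives under each option."""
    by_type = {rtype: list(addrs) for rtype, addrs in responses}
    native = by_type.get("AAAA", [])
    mapped = [synthesize_aaaa(prefix, a) for a in by_type.get("A", [])]
    if mode == "disabled":
        return native                      # no mapping is performed
    if mode == "immediate":
        for rtype, addrs in responses:     # first good response wins
            if addrs:
                if rtype == "A":
                    return [synthesize_aaaa(prefix, a) for a in addrs]
                return list(addrs)
        return []
    if mode == "secondary":
        return native or mapped            # A is used only if AAAA fails
    if mode == "v4-only":
        return mapped                      # AAAA query translated to A
    raise ValueError("unknown mode: " + mode)


if __name__ == "__main__":
    sample_prefix = "64:ff9b::/96"         # constructed sample value
    arrivals = [("A", ["192.0.2.10"]), ("AAAA", ["2001:db8::10"])]
    for m in ("disabled", "immediate", "secondary", "v4-only"):
        print(m, answer_for_client(m, arrivals, sample_prefix))
```

Running extract_ipv4 over client-facing logs separates mapped addresses from native IPv6 addresses, which matters when an access rule or alert is written against the server's IPv4 address.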

Implementation results

You now have an implementation in which the BIG-IP system handles connection requests from an IPv6-only client to an IPv4-only server.

Chapter 7
Configuring GTM on a Network with One Route Domain

Topics:
Overview: How do I deploy BIG-IP GTM on a network with one route domain?
Task summary
Implementation results

Overview: How do I deploy BIG-IP GTM on a network with one route domain?

You can deploy BIG-IP Global Traffic Manager (GTM) on a network where BIG-IP Local Traffic Manager (LTM) is configured with one route domain and no overlapping IP addresses.

Caution: F5 Networks does not support the configuration of route domains on a standalone BIG-IP GTM.

Figure 4: BIG-IP GTM deployed on a network in front of a BIG-IP LTM configured with a route domain

Task summary

BIG-IP GTM can gather status and statistics for the virtual servers hosted on BIG-IP Local Traffic Manager (LTM) systems on your network that are configured on a route domain. The BIG-IP LTM systems must contain:
VLANs through which traffic for the route domain passes.
A self IP address that represents the address space of the route domain.

Additionally, BIG-IP GTM must contain a server object for each route domain. The server objects must be configured with a self IP address that represents the address space of the route domain.

Perform the specified tasks to configure BIG-IP LTM systems with a route domain, and then to configure BIG-IP GTM to be able to monitor these systems.
Creating VLANs for a route domain on BIG-IP LTM
Creating a route domain on BIG-IP LTM
Creating a self IP address for a route domain on BIG-IP LTM
Defining a server for a route domain on BIG-IP GTM

Creating VLANs for a route domain on BIG-IP LTM

You need to create two VLANs on BIG-IP Local Traffic Manager (LTM) through which traffic can pass to a route domain.
1. On the Main tab, click Network > VLANs. The VLAN List screen opens.
2. Click Create. The New VLAN screen opens.
3. In the Name field, type external.
4. In the Tag field, type a numeric tag, from 1 to 4094, for the VLAN. Leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag. The VLAN tag identifies the traffic from hosts in the associated VLAN.
5. For the Interfaces setting, in the Available list, click an interface number or trunk name and add the selected interface or trunk to the Untagged list. Repeat this step as necessary.
6. Select the Source Check check box if you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated.
7. Click Finished. The screen refreshes, and displays the new VLAN in the list.
Repeat this procedure, but in Step 3, name the VLAN internal.

Creating a route domain on BIG-IP LTM

Ensure that an external and internal VLAN exist on BIG-IP LTM, before you create a route domain.
You can create a route domain on BIG-IP LTM to segment (isolate) network traffic on your network.
1. On the Main tab, click Network > Route Domains.
2. Click Create. The New Route Domain screen opens.
3. Type an ID number for the route domain. This is the ID number that you will append later to any relevant IP addresses that you create on the BIG-IP system, such as virtual addresses, pool member addresses, and self IP addresses.
4. In the Description field, type a description of the route domain. This route domain applies to traffic for application MyApp.
5. In the Strict Isolation area, select the Enabled check box to restrict traffic in this route domain from crossing into another route domain.
6. From the Parent Name list, retain the default value.
7. For the VLANs setting, move the external and internal VLANs from the Available list, to the Members list.
8. Click Finished. The system displays a list of route domains on the BIG-IP system.

Creating a self IP address for a route domain on BIG-IP LTM

Ensure that external and internal VLANs exist on BIG-IP LTM, before you begin creating a self IP address for a route domain.
Create a self IP address on BIG-IP LTM that resides in the address space of the route domain.
1. On the Main tab, click Network > Self IPs.
2. Click Create. The New Self IP screen opens.
3. In the IP Address field, type an IP address. This IP address must represent a self IP address in a route domain. Use the format x.x.x.x%n, where n is the route domain ID, for example, %1. The system accepts IP addresses in both the IPv4 and IPv6 formats.
4. In the Netmask field, type the network mask for the specified IP address.
5. From the VLAN/Tunnel list, select external.
6. From the Port Lockdown list, select Allow Default.
7. Click Finished. The screen refreshes, and displays the new self IP address in the list.
Repeat this procedure, but in Step 5, select VLAN internal.

Defining a server for a route domain on BIG-IP GTM

On a BIG-IP GTM system, define a server that represents the route domain.
1. On the Main tab, click Global Traffic > Servers. The Server List screen opens.
2. Click Create. The New Server screen displays.
3. In the Name field, type a name for the server. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
   Important: Server names are limited to 63 characters.
4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant). The server type determines the metrics that the system can collect from the server.
5. In the Address List area, add the self IP address that you assigned to the VLAN that you assigned to the route domain.
   Important: Do not include the route domain ID in this IP address. Use the format x.x.x.x, for example,
6. From the Data Center list, select the data center where the server resides.
7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system. Virtual server discovery is supported when you have only one route domain.
   Option: Description
   Disabled: Use this option when you plan to manually add virtual servers to the system.
   Enabled: The system automatically adds virtual servers using the discovery feature.
   Enabled (No Delete): The system uses the discovery feature and does not delete any virtual servers that already exist.
9. Click Create. The Server List screen opens displaying the new server in the list.

Implementation results

You now have an implementation in which BIG-IP GTM can monitor virtual servers on BIG-IP LTM systems configured with one route domain.


Chapter 8
Configuring GTM on a Network with Multiple Route Domains

Topics:
Overview: How do I deploy BIG-IP GTM on a network with multiple route domains?
Task summary
Implementation results

Overview: How do I deploy BIG-IP GTM on a network with multiple route domains?

You can deploy BIG-IP Global Traffic Manager (GTM) on a network where BIG-IP Local Traffic Manager (LTM) systems are configured with multiple route domains and overlapping IP addresses.

Important: On a network with route domains, you must ensure that virtual server discovery (autoconf) is disabled, because virtual server discovery does not discover translation IP addresses.

Caution: F5 Networks does not support the configuration of route domains on a standalone BIG-IP GTM.

The following figure shows BIG-IP GTM deployed in a network with multiple BIG-IP Local Traffic Manager (LTM) systems configured with the default route domain (zero), and two additional route domains. BIG-IP GTM can monitor the Application1 and Application2 servers that have overlapping IP addresses and reside in different route domains. The firewalls perform the required address translation between the BIG-IP GTM and BIG-IP LTM addresses; you must configure the firewalls to segment traffic and avoid improperly routing packets between route domain 1 and route domain 2.

Figure 5: BIG-IP GTM deployed on a network with multiple route domains

Task summary

Before BIG-IP GTM can gather status and statistics for the virtual servers hosted on BIG-IP LTM systems on your network that are configured with route domains, you must configure the following on each BIG-IP LTM that handles traffic for route domains:
VLANs through which traffic for your route domains passes
Route domains that represent each network segment
Self IP addresses that represent the address spaces of the route domains

Additionally, on BIG-IP GTM you must:
Configure, for each route domain, a server object with virtual server discovery disabled
Disable virtual server discovery globally

Perform the following tasks to configure BIG-IP GTM to monitor BIG-IP LTM systems with route domains.
Creating VLANs for a route domain on BIG-IP LTM
Creating a route domain on BIG-IP LTM
Creating a self IP address for a route domain on BIG-IP LTM
Disabling auto-discovery at the global-level on BIG-IP GTM
Defining a server for a route domain on BIG-IP GTM

Creating VLANs for a route domain on BIG-IP LTM

Create two VLANs on BIG-IP LTM through which traffic can pass to a route domain.
1. On the Main tab, click Network > VLANs. The VLAN List screen opens.
2. Click Create. The New VLAN screen opens.
3. In the Name field, type external.
4. In the Tag field, type a numeric tag, from 1 to 4094, for the VLAN. Leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag. The VLAN tag identifies the traffic from hosts in the associated VLAN.
5. For the Interfaces setting, in the Available list, click an interface number or trunk name and add the selected interface or trunk to the Untagged list. Repeat this step as necessary.
6. Select the Source Check check box if you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated.
7. Click Finished. The screen refreshes, and displays the new VLAN in the list.
Repeat this procedure, but in Step 3, name the second VLAN internal.

Creating a route domain on BIG-IP LTM

Ensure that VLANs exist on BIG-IP LTM, before you create a route domain.
You can create a route domain on a BIG-IP system to segment (isolate) network traffic on your network.
1. On the Main tab, click Network > Route Domains.
2. Click Create. The New Route Domain screen opens.
3. Type an ID number for the route domain. This is the ID number that you will append later to any relevant IP addresses that you create on the BIG-IP system, such as virtual addresses, pool member addresses, and self IP addresses.
4. In the Description field, type a description of the route domain. This route domain applies to traffic for application MyApp.
5. In the Strict Isolation area, select the Enabled check box to restrict traffic in this route domain from crossing into another route domain.
6. From the Parent Name list, retain the default value.
7. For the VLANs setting, move the external and internal VLANs from the Available list, to the Members list.
8. Click Finished. The system displays a list of route domains on the BIG-IP system.
Create additional route domains based on your network configuration.

Creating a self IP address for a route domain on BIG-IP LTM

Ensure that VLANs exist on BIG-IP LTM, before you begin creating a self IP address for a route domain.
Create a self IP address on the BIG-IP system that resides in the address space of the route domain.
1. On the Main tab, click Network > Self IPs.
2. Click Create. The New Self IP screen opens.
3. In the IP Address field, type an IP address. This IP address must represent a self IP address in a route domain. Use the format x.x.x.x%n, where n is the route domain ID, for example, %1. The system accepts IP addresses in both the IPv4 and IPv6 formats.
4. In the Netmask field, type the network mask for the specified IP address.
5. From the VLAN/Tunnel list, select the VLAN that you assigned to the route domain that contains this self IP address.
6. From the Port Lockdown list, select Allow Default.
7. Click Finished. The screen refreshes, and displays the new self IP address in the list.
Create additional self IP addresses based on your network configuration.

Disabling auto-discovery at the global-level on BIG-IP GTM

On BIG-IP GTM, disable auto-discovery at the global-level.
1. On the Main tab, click System > Configuration > Global Traffic > General. The general Configuration screen opens.
2. Clear the Auto-Discovery check box.
3. Click Update.

Defining a server for a route domain on BIG-IP GTM

On BIG-IP GTM, define a server that represents the route domain.
1. On the Main tab, click Global Traffic > Servers. The Server List screen opens.
2. Click Create. The New Server screen displays.
3. In the Name field, type a name for the server. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
   Important: Server names are limited to 63 characters.
4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant). The server type determines the metrics that the system can collect from the server.
5. In the Address List area, add the self IP address that you assigned to the VLAN that you assigned to the route domain.
   Important: Do not include the route domain ID in this IP address. Use the format x.x.x.x, for example,
6. From the Data Center list, select the data center where the server resides.
7. From the Prober Pool list, select one of the following.
   Option: Description
   Inherit from Data Center: By default, a server inherits the Prober pool assigned to the data center in which the server resides.
   Prober pool name: Select the Prober pool that contains the BIG-IP systems that you want to perform monitor probes of this server.
   Note: The selected Prober pool must reside in the same route domain as the servers you want the pool members to probe.
8. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
9. From the Virtual Server Discovery list, select Disabled.
10. Click Create. The New Server screen displays.

Implementation results

You now have an implementation in which BIG-IP GTM monitors BIG-IP LTM virtual servers on the various route domains in your network.

Chapter 9
Securing Your DNS Infrastructure

Topics:
Overview: Securing your DNS infrastructure
Task summary
Implementation results

Overview: Securing your DNS infrastructure

You can use BIG-IP Global Traffic Manager (GTM) to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol. To configure DNSSEC compliance, you create DNSSEC key-signing and zone-signing keys and a DNSSEC zone. Then you assign at least one enabled key-signing key and one enabled zone-signing key to the zone.

Figure 6: Traffic flow when BIG-IP GTM is DNSSEC authoritative nameserver

How do I prepare for a manual rollover of a DNSSEC key?

When you create DNSSEC key-signing keys and DNSSEC zone-signing keys, it is important to create a disabled standby version of each key that has a similar name. To do so, associate both pairs of keys with the same zone. This prepares you to easily perform a manual rollover of the keys should an enabled key become compromised.

Task summary

Perform these tasks on BIG-IP GTM to secure your DNS infrastructure.
Creating DNSSEC key-signing keys
Creating DNSSEC zone-signing keys
Creating DNSSEC zones
Validating that a zone is correctly signed
Specifying which GTM creates new generations of DNSSEC keys

Creating DNSSEC key-signing keys

Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria:
The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
The difference between the values of the rollover and expiration periods must be more than the value of the TTL.

Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.

1. On the Main tab, click Global Traffic > DNSSEC Key List.
2. Click Create.
3. In the Name field, type a name for the key. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character. Zone names are limited to 63 characters.
4. In the Bit Width field, type
5. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
6. From the Type list, select Key Signing Key.
7. From the State list, select Enabled.
8. In the TTL field, accept the default value of (the number of seconds in one day.) This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
9. For the Rollover Period setting, in the Days field, type
10. For the Expiration Period setting, in the Days field, type
11. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period.
12. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period.
13. Click Finished.
14. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating DNSSEC zone-signing keys

Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria:
The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
The difference between the values of the rollover and expiration periods must be more than the value of the TTL.

Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.

1. On the Main tab, click Global Traffic > DNSSEC Key List.
2. Click Create.
3. In the Name field, type a name for the key. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character. Zone names are limited to 63 characters.
4. In the Bit Width field, type
5. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
6. From the Type list, select Zone Signing Key.
7. From the State list, select Enabled.
8. In the TTL field, accept the default value of (the number of seconds in one day.) This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
9. For the Rollover Period setting, in the Days field, type
10. For the Expiration Period setting, in the Days field, type
11. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period.
12. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period.
13. Click Finished.
14. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.
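The timing criteria stated for key-signing and zone-signing keys, together with the standby-key advice, can be checked before the values are typed into the Configuration utility. The following is an added example, not F5 code: the class and function names are hypothetical, the rollover and expiration values are constructed for illustration, and only the seven-day validity and four-day-16-hour publication defaults come from the procedures above.

```python
"""Pre-flight check of DNSSEC key timing values (added illustration)."""
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Sequence

DAY = timedelta(days=1)


@dataclass(frozen=True)
class KeyPlan:
    name: str
    key_type: str                     # "KSK" or "ZSK"
    enabled: bool                     # State list: Enabled or Disabled
    ttl: timedelta
    rollover: timedelta
    expiration: timedelta
    sig_validity: timedelta = timedelta(days=7)             # page default
    sig_publication: timedelta = timedelta(days=4, hours=16)  # page default


def violations(k: KeyPlan) -> List[str]:
    """Return the timing criteria from the procedure that the plan breaks."""
    found = []
    if not k.rollover > k.expiration / 2:
        found.append("rollover<=expiration/2")
    if not k.rollover < k.expiration:
        found.append("rollover>=expiration")
    # A resolver may cache the key for a full TTL, so the window between
    # rollover and expiration has to be longer than the TTL.
    if not (k.expiration - k.rollover) > k.ttl:
        found.append("overlap<=ttl")
    if not k.sig_validity > k.sig_publication:
        found.append("validity<=publication")
    return found


def cache_margin(k: KeyPlan) -> timedelta:
    """Time left in the rollover window after a full TTL has elapsed."""
    return (k.expiration - k.rollover) - k.ttl


def zone_problems(keys: Sequence[KeyPlan]) -> List[str]:
    """Check one zone's keys: an enabled key and a disabled standby per type."""
    problems = []
    for key_type in ("KSK", "ZSK"):
        same = [k for k in keys if k.key_type == key_type]
        if not any(k.enabled for k in same):
            problems.append("no enabled " + key_type)
        if not any(not k.enabled for k in same):
            problems.append("no standby " + key_type)
    return problems


if __name__ == "__main__":
    # Constructed sample values: 21-day rollover, 30-day expiration.
    plans = [
        KeyPlan("ksk_a", "KSK", True, DAY, 21 * DAY, 30 * DAY),
        KeyPlan("ksk_a_standby", "KSK", False, DAY, 21 * DAY, 30 * DAY),
        KeyPlan("zsk_a", "ZSK", True, DAY, 10 * DAY, 30 * DAY),
    ]
    for p in plans:
        print(p.name, violations(p) or "ok", "margin:", cache_margin(p))
    print("zone:", zone_problems(plans) or "ok")
```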
Creating DNSSEC zones

Before BIG-IP GTM can sign zone requests, you must assign at least one enabled zone-signing and one enabled key-signing key to the zone.
1. On the Main tab, click Global Traffic > DNSSEC Zone List.
2. Click Create.
3. In the Name field, type a FQDN that is a subset of the domain name. For example, use a zone name of example.com to handle DNSSEC requests for example.com, including *.example.com. Use a zone name of to handle DNSSEC requests for and *.
4. From the State list, select Enabled.
5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone.
6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone.
7. Click Finished.
8. After the keys that you assigned to the zone roll over, upload the DS records for this zone to the organization that manages the parent zone. You can find the DS records in the file /Common/config/gtm/dsset-[zone] (where zone is the name of the zone you are configuring).

Validating that a zone is correctly signed

After you create DNSSEC zones and zone-signing keys, you can validate that your zone can be correctly signed.
1. Log on to the command line of a client.
2. At the prompt, type
   dig @<IP of BIG-IP GTM listener> -t A +dnssec siterequest.com
   A correct response must include an A record for example.com, as well as an RRSIG record for the zone-signing key, key-signing key, and A record.

Specifying which GTM creates new generations of DNSSEC keys

Determine the server name of the BIG-IP GTM system that you want to designate as the creator of new generations of DNSSEC keys.
If you do not designate a specific system, any BIG-IP GTM system in the synchronization group can be automatically chosen to create new generations of DNSSEC keys.
1. On the Main tab, click System > Configuration > Global Traffic > General. The General configuration screen opens.
2. In the DNSSEC Key Creation Server field, type the server name of the BIG-IP GTM system that you want to designate as the creator of new generations of DNSSEC keys.
3. Click Update.
The designated BIG-IP GTM system creates new generations of DNSSEC keys. The new generations of the keys are automatically distributed to the other systems in the synchronization group during configuration synchronization.

Implementation results

BIG-IP GTM is now configured to respond to DNS queries with DNSSEC-compliant responses.


Chapter 10: Configuring DNS Express on BIG-IP Systems

Topics:
- Overview: How do I configure a BIG-IP system to mitigate DDoS attacks?
- Task summary
- Implementation results

Overview: How do I configure a BIG-IP system to mitigate DDoS attacks?

You can configure DNS Express on BIG-IP Global Traffic Manager (GTM) to mitigate distributed denial-of-service attacks (DDoS) and improve performance of both the local BIND server on the BIG-IP system and any back-end DNS servers.

What is DNS Express?

DNS Express provides the ability for a BIG-IP system to act as a high-speed, authoritative secondary DNS server. This allows the system to:

- Perform zone transfers from multiple primary DNS servers that are responsible for different zones.
- Perform a zone transfer from the local BIND server on the BIG-IP system.
- Serve DNS records faster than both the primary DNS servers and the local BIND server.

Task summary

Perform these tasks to configure DNS Express on your BIG-IP system.

- Creating a DNS Express TSIG key
- Creating a DNS Express zone
- Configuring the legacy DNS server to allow zone file transfers
- Creating a DNS Express profile
- Assigning a DNS Express profile to a virtual server
- Assigning a DNS Express profile to a listener
- Viewing information about DNS Express zones

Creating a DNS Express TSIG key

Ensure that your back-end DNS servers are configured for zone transfers using TSIG keys.

Create a DNS Express TSIG key when you want to verify the identity of the authoritative server that is sending information about the zone.

1. On the Main tab, click Local Traffic > DNS Express Zones > DNS Express TSIG Key List. The DNS Express TSIG Key List screen opens.
2. Click Create.
3. In the Name field, type a name for the key.
4. In the Secret field, type the phrase required for authentication of the key.
5. Click Finished.

Creating a DNS Express zone

Ensure that your back-end DNS servers are configured for zone transfers.

Create a DNS Express zone when you want to protect a zone on either the local BIND server or a back-end DNS server from DDoS attacks.

1. On the Main tab, click Local Traffic > DNS Express Zones > DNS Express Zone List. The DNS Express Zone List screen opens.
2. Click Create.
3. In the Name field, type a name for the zone. The best practice is to use the name that appears at the apex in a BIND zone file.
4. In the Target IP Address field, type the IP address of the DNS server from which you want to transfer records. The default value is for the BIND server on the BIG-IP system.
5. To configure the system to verify the identity of the authoritative server that is sending information about the zone, from the TSIG Key list, select a key.
6. Click Finished.

Configuring the legacy DNS server to allow zone file transfers

If you are unfamiliar with how to modify DNS server files, review the fifth edition of DNS and BIND, available from O'Reilly Media.

To configure the legacy DNS server to allow zone file transfers to BIG-IP GTM, add to the DNS server an allow-transfer statement that specifies the IP address of the new BIG-IP GTM system. You can modify the following allow-transfer statement to use the IP address of your BIG-IP GTM:

    allow-transfer { localhost; <IP address of BIG-IP GTM>; };

Creating a DNS Express profile

Create a custom DNS profile to enable DNS Express, only if you want to use a back-end DNS server. If you plan to use the BIND server on BIG-IP GTM, you can use the default dns profile.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens.
2. Click Create. The New Fast L4 Profile screen opens.
3. Name the profile dns_express. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
4. In the Parent Profile list, accept the default dns profile.
5. Select the Custom check box. The fields in the Settings area become available for configuring.
6. In the Global Traffic Management list, accept the default value Enabled.
7. From the DNS Express list, select Enabled.
8. From the Unhandled Query Actions list, select an action to take when a query is not for a wide IP or DNS Express zone.

   Option: Description
   Allow: Forward the connection request to another DNS server or DNS server pool. Note that if a DNS server pool is not associated with a listener and the Use BIND Server on BIG-IP option is enabled, connection requests are forwarded to the local BIND server. (Allow is the default value.)
   Drop: Do not reply.
   Reject: Return the query with the REFUSED return code.
   Hint: Return the query with a list of root name servers.
   No Error: Return the query with the NOERROR return code.

9. From the Use BIND Server on BIG-IP list, select Disabled.
10. Click Finished.

Assign the DNS profile to virtual servers or listeners.

Assigning a DNS Express profile to a virtual server

If you plan to use the BIND server on BIG-IP GTM, you can assign the default DNS profile (dns) to a virtual server. If you plan to use a back-end DNS server and you created a custom DNS Express profile, you can assign it to the virtual server.

1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
2. Click the name of the virtual server you want to modify.
3. From the DNS Profile list, select dns_express.
4. Click Finished.

The traffic handled by this virtual server is protected by DNS Express.

Assigning a DNS Express profile to a listener

If you plan to use the BIND server on BIG-IP GTM, you can assign the default DNS profile (dns) to the listener. If you plan to use a back-end DNS server and you created a custom DNS Express profile, you can assign it to the listener.

1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click the name of the listener you want to modify.
3. From the DNS Profile list, select dns_express.
4. Click Finished.

Viewing information about DNS Express zones

You can view information about the zones that are protected by DNS Express.

1. On the Main tab, click Overview > Statistics > Local Traffic. The Local Traffic Statistics screen opens.

2. From the Statistics Type list, select DNS Express Zones. Information displays about the zones that are protected by DNS Express.

   Record type: Description
   SOA Records: Displays start of authority record information.
   Resource Records: Displays the number of resource records for the zone.

Implementation results

You now have an implementation in which BIG-IP GTM helps to mitigate DDoS attacks on your network.
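The allow-transfer statement shown under "Configuring the legacy DNS server to allow zone file transfers" admits transfers by source address, while "Creating a DNS Express TSIG key" expects the back-end servers to use TSIG. The following added example (not part of the F5 guide) audits a BIND configuration and reports, per zone, which of the two its allow-transfer list relies on. The zone names, key name, addresses and verdict labels are constructed for illustration, and the parser assumes allow-transfer lists without nested braces.

```python
import re

# Constructed named.conf fragment; 192.0.2.53 stands in for the BIG-IP GTM
# address and "dnsx_transfer" for the TSIG key name configured on both sides.
SAMPLE_NAMED_CONF = r'''
key "dnsx_transfer" { algorithm hmac-sha256; secret "cGxhY2Vob2xkZXI="; };

zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { localhost; 192.0.2.53; };   // address-based only
};

zone "example.net" {
    type master;
    file "db.example.net";
    allow-transfer { key "dnsx_transfer"; };     // TSIG required
};

zone "example.org" {
    type master;
    file "db.example.org";
    allow-transfer { any; };
};
'''

_TOKEN = re.compile(r'"[^"]*"|//[^\n]*|#[^\n]*|/\*.*?\*/', re.S)


def strip_comments(text):
    """Remove //, # and /* */ comments while leaving quoted strings intact."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)


def zone_bodies(text):
    """Yield (zone_name, body) for each zone statement, matching braces."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def classify(elements):
    """Map an address match list to a verdict label (labels are this example's)."""
    kinds = set()
    for element in elements:
        if element in ("any", "none"):
            kinds.add(element)
        elif element.startswith("key "):
            kinds.add("key")
        else:
            kinds.add("address")      # IP, prefix, named ACL, localhost ...
    if len(kinds) > 1:
        kinds.discard("none")
    if "any" in kinds:
        return "open"
    if kinds == {"key"}:
        return "tsig-only"
    if kinds == {"key", "address"}:
        return "mixed"                # list elements are alternatives: either one admits
    if "address" in kinds:
        return "address-only"
    return "disabled"


def audit_allow_transfer(conf_text):
    """Return {zone: verdict} for every zone statement in the configuration."""
    report = {}
    for name, body in zone_bodies(strip_comments(conf_text)):
        m = re.search(r'\ballow-transfer\s*\{([^{}]*)\}', body)
        if not m:
            report[name] = "not-set"  # falls back to options or the server default
            continue
        elements = [e.strip() for e in m.group(1).split(";") if e.strip()]
        report[name] = classify(elements)
    return report


if __name__ == "__main__":
    for zone, verdict in audit_allow_transfer(SAMPLE_NAMED_CONF).items():
        print(zone, verdict)
```

Zones reported as address-only or mixed will serve a transfer to any host that can present a listed source address, so those are the ones to move to a key-only list once the matching TSIG key exists on the BIG-IP system.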


Chapter 11: Configuring IP Anycast (Route Health Injection)

Topics:
- Overview: Configuring IP Anycast (Route Health Injection)
- Task summary
- Implementation results

Overview: Configuring IP Anycast (Route Health Injection)

You can configure IP Anycast for DNS services on BIG-IP Global Traffic Manager (GTM) to help mitigate distributed denial-of-service attacks (DDoS), reduce DNS latency, improve the scalability of your network, and assist with global traffic management. This configuration adds routes to and removes routes from the routing table based on availability. Advertising routes to virtual addresses based on the status of attached listeners is known as Route Health Injection (RHI).

Task summary

Perform these tasks to configure BIG-IP GTM for IP Anycast.

- Enabling the ZebOS dynamic routing protocol
- Creating a custom DNS profile
- Configuring a listener for route advertisement
- Verifying advertisement of the route to a listener

Enabling the ZebOS dynamic routing protocol

Before you enable ZebOS dynamic routing on BIG-IP GTM:

- Ensure that the system license includes the Routing Bundle add-on.
- Ensure that ZebOS is configured correctly. If you need help, refer to the following resources on AskF5:
  - TMOS Management Guide for BIG-IP Systems
  - Configuration Guide for the VIPRION System
  - ZebOS Advanced Routing Suite Configuration Guide

Run a command to enable the ZebOS dynamic routing protocol.

1. Log on to the command-line interface of BIG-IP GTM.
2. At the command prompt, type zebos enable <protocol_type> and press Enter. The system returns an enabled response.
3. To verify that the ZebOS dynamic routing protocol is enabled, at the command prompt, type zebos check and press Enter. The system returns a list of all enabled protocols.

Creating a custom DNS profile

To specify how you want BIG-IP GTM to handle non-wide IP queries, create a custom DNS profile based on your network configuration.

1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens.
2. Click Create.

   The New Fast L4 Profile screen opens.
3. In the Name field, type a name for the profile. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
4. In the Parent Profile list, accept the default dns profile.
5. Select the Custom check box. The fields in the Settings area become available for configuring.
6. In the Global Traffic Management list, accept the default value Enabled.
7. From the Unhandled Query Actions list, select an action to take when a query is not for a wide IP or DNS Express zone.

   Option: Description
   Allow: Forward the connection request to another DNS server or DNS server pool. Note that if a DNS server pool is not associated with a listener and the Use BIND Server on BIG-IP option is enabled, connection requests are forwarded to the local BIND server. (Allow is the default value.)
   Drop: Do not reply.
   Reject: Return the query with the REFUSED return code.
   Hint: Return the query with a list of root name servers.
   No Error: Return the query with the NOERROR return code.

8. From the Use BIND Server on BIG-IP list, select Enabled.
   Note: Enable this setting only when you want the system to forward non-wide IP queries to the local BIND server on BIG-IP GTM.
9. Click Finished.

Configuring a listener for route advertisement

Ensure that ZebOS dynamic routing is enabled on BIG-IP GTM.

Create a listener and configure it for route advertisement.

1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click Create. The new Listeners screen opens.
3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic.
   Caution: The destination cannot be a self IP address on the system, because a listener with the same IP address as a self IP address cannot be advertised.
4. From the VLAN Traffic list, select one of the following options:

   Options: Description
   All VLANs: When you want this listener to handle traffic on all VLANs within the network segment. Note: Use this option if BIG-IP GTM is handling traffic for the destination IP address locally. This option also applies when the system resides on a network segment that does not use VLANs.
   Enabled on: When you want this listener to handle traffic on only the VLANs that you move from the Available list to the Selected list.

5. From the Protocol list, select either UDP or TCP.
6. From the DNS Profile list, select:

   Options: Description
   dns: This is the default DNS profile. With the default dns profile, BIG-IP GTM forwards non-wide IP queries to the BIND server on the BIG-IP GTM system itself.
   <custom profile>: If you have created a custom DNS profile to handle non-wide IP queries in a way that works for your network configuration, select it.

7. For Route Advertisement, select the Enabled check box.
8. Click Finished.

BIG-IP GTM can now advertise the virtual address of the listener to routers on the network.

Configure other listeners for route advertisement.

Verifying advertisement of the route to a listener

Ensure that ZebOS dynamic routing is enabled on BIG-IP GTM and that the listener is configured for route advertisement.

Run a command to verify that BIG-IP GTM is advertising the virtual address of a listener.

1. Log on to the command-line interface of BIG-IP GTM.
2. At the command prompt, type zebos cmd sh ip route grep <listener IP address> and press Enter. An advertised route displays with a code of K and a 32 bit kernel, for example: K /32

Implementation results

You now have an implementation in which the BIG-IP GTM broadcasts the IP addresses of the listeners that you configured for route advertisement.

Chapter 12: Configuring BIG-IP GTM VIPRION Systems

Topics:
- Overview: Configuring BIG-IP GTM VIPRION systems

Overview: Configuring BIG-IP GTM VIPRION systems

You configure BIG-IP Global Traffic Manager (GTM) on VIPRION systems in the same manner that you configure BIG-IP GTM on an appliance, with two notable exceptions. You can access BIG-IP Local Traffic Manager (LTM) iRules from within BIG-IP GTM iRules. You can also access BIG-IP GTM iRules from within BIG-IP LTM iRules. It is important to change the general system configuration for virtual server status.

Configuring dependency for virtual server status

You can configure virtual server status to be dependent only on the timeout value of the monitor associated with the virtual server. This ensures that when the primary blade in a cluster becomes unavailable, the gtmd agent on the new primary blade has time to establish new iQuery connections with and receive updated status from other BIG-IP systems.

Tip: The big3d agent on the new primary blade must be up and functioning within 90 seconds (the timeout value of the BIG-IP monitor).

1. On the Main tab, click System > Configuration > Global Traffic > General. The General configuration screen opens.
2. Select Depends on Monitors Only from the Virtual Server Status list.
3. Click Update.

Chapter 13: Ensuring Correct Synchronization When Adding GTM to a Network

Topics:
- Overview: Ensuring correct synchronization when adding GTM to a network
- Task summary
- Implementation results

Overview: Ensuring correct synchronization when adding GTM to a network

You can configure BIG-IP Global Traffic Manager (GTM) systems in collections called synchronization groups. All BIG-IP GTM systems in the same synchronization group have the same rank, exchange heartbeat messages, and share probing responsibility.

Figure 7: BIG-IP GTM systems in a synchronization group

What is configuration synchronization?

Configuration synchronization ensures the rapid distribution of BIG-IP Global Traffic Manager (GTM) settings to other BIG-IP systems that belong to the same synchronization group. A synchronization group might contain both BIG-IP GTM and BIG-IP Link Controller systems.

Configuration synchronization occurs in the following manner:

- When a change is made to a BIG-IP GTM configuration, the system broadcasts the change to the other systems in the configuration synchronization group. This broadcast occurs in a heartbeat message that happens every ten seconds.
- When a configuration synchronization is in progress, the process must either complete or timeout, before another configuration synchronization can occur.

About NTP Servers and Synchronization

The Network Time Protocol (NTP) servers that BIG-IP GTM references ensure that each system in a synchronization group is referencing the same time when verifying configuration file timestamps.

About adding an additional BIG-IP GTM to your network

BIG-IP GTM systems exchange heartbeat messages when different software versions are installed on the systems. However, configuration synchronization cannot occur when different software versions are installed on the systems. Therefore, when you upgrade BIG-IP GTM, the configuration of the upgraded system does not automatically synchronize with the configuration of the systems in the synchronization group that have an older software version.

Task summary

When adding an additional BIG-IP GTM system to your network, perform the following tasks on a BIG-IP GTM system that is already on your network.

- Defining an NTP server on the existing GTM
- Enabling synchronization on the existing GTM
- Creating a data center on the existing GTM
- Defining a server
- Running the gtm_add script on the new GTM

Defining an NTP server on the existing GTM

Define a Network Time Protocol (NTP) server on the existing BIG-IP GTM.

1. On the Main tab, click System > Configuration > Device > NTP. The NTP screen displays.
2. Type an address for the NTP server in the Address field.
3. Click Add.
4. Click Update.

The NTP server is defined.

Enabling synchronization on the existing GTM

Enable synchronization on the existing BIG-IP GTM.

1. On the Main tab, click System > Configuration > Global Traffic > General. The General configuration screen opens.
2. Select the Synchronization check box.
3. In the Synchronization Time Tolerance field, type the maximum number of seconds allowed between the time settings on this system and the other systems in the synchronization group. The lower the value, the more often this system makes a log entry indicating that there is a difference.
   Tip: If you are using NTP, leave this setting at the default value of 10. In the event that NTP fails, the system uses the time_tolerance variable to maintain synchronization.
4. In the Synchronization Group Name field, type the name of the synchronization group to which you want this system to belong.
5. Click Update.

Synchronization is enabled on the existing BIG-IP GTM.

Creating a data center on the existing GTM

Create a data center on the existing BIG-IP GTM system to represent the location where the new BIG-IP GTM system resides.

1. On the Main tab, click Global Traffic > Data Centers. The Data Center List screen opens.
2. Click Create. The New Data Center screen opens.
3. Type a name for the data center. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
   Important: The data center name is limited to 63 characters.
4. In the Location field, type the geographic location of the data center.
5. In the Contact field, type the name of either the administrator or the department that manages the data center.
6. Click Finished.

Defining a server

Ensure that a data center where the new BIG-IP GTM system resides exists in the configuration of the existing BIG-IP GTM system.

Define a new server, on the existing BIG-IP GTM, that represents the new BIG-IP GTM system.

1. On the Main tab, click Global Traffic > Servers. The Server List screen opens.
2. Click Create. The New Server screen displays.
3. In the Name field, type a name for the server. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
   Important: Server names are limited to 63 characters.
4. From the Product list, select BIG-IP System (Single). The server type determines the metrics that the system can collect from the server.
5. In the Address List area, add the IP address of the server.
   Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address.
6. From the Data Center list, select the data center where the server resides.
7. From the Link Discovery list, select how you want links to be added to the system.

   Options: Description
   Disabled: This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add links to the system.
   Enabled: The system uses the discovery feature to add links. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links.

   Enabled (No Delete): The system uses the discovery feature and does not delete any links that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links.

8. Click Create. The Server List screen opens displaying the new server in the list.

The status of the newly defined BIG-IP GTM system is red, because you have not yet run the gtm_add script.

Running the gtm_add script on the new GTM

Determine the self IP address of the existing BIG-IP GTM.

Run the gtm_add script on the new BIG-IP GTM to acquire the configuration settings on the existing BIG-IP GTM.

Note: You must perform this task from the command-line interface.

1. On the new BIG-IP GTM, log on to the command-line interface.
2. Type gtm_add, and press Enter.
3. Press the y key to start the gtm_add script.
4. Type the IP address of the existing BIG-IP GTM, and press Enter.

The new BIG-IP GTM has acquired the configuration files from the existing system.

Implementation results

The new BIG-IP GTM that you added to the network is a part of a synchronization group. Changes you make to any system in the synchronization group are automatically propagated to all other systems in the group.


Chapter 14: Integrating BIG-IP GTM with Other BIG-IP Systems

Topics:
- Overview: Integrating GTM with older BIG-IP systems on my network
- Task summary
- Implementation results

Overview: Integrating GTM with older BIG-IP systems on my network

You can add BIG-IP Global Traffic Manager (GTM) systems to a network in which Local Traffic Manager systems are already present. This allows you to expand your load balancing and traffic management capabilities beyond the local area network. For this implementation to be successful, you must authorize communications between the systems.

Note: The BIG-IP GTM systems in a synchronization group and the BIG-IP LTM and BIG-IP Link Controller systems that are configured to communicate with the systems in the synchronization group must have port 4353 open through the firewall between the systems. The BIG-IP systems connect and communicate through this port.

About the iQuery protocol and the big3d agent

The gtmd process on BIG-IP Global Traffic Manager (GTM) systems uses the iQuery protocol to communicate with the big3d agent on the system and the big3d agents installed on other BIG-IP systems. The gtmd process monitors both the availability of the BIG-IP systems, and the integrity of the network paths between the systems that host a domain and the local DNS servers that attempt to connect to that domain.

Important: To facilitate communication across BIG-IP systems, ensure that the big3d agent is installed on each system.

Figure 8: Illustration of communications between big3d and gtmd agents

Task summary

To authorize communications between BIG-IP systems, perform the following tasks on the BIG-IP GTM that you are adding to the network.

- Defining a data center
- Defining BIG-IP GTM
- Defining the existing BIG-IP systems
- Running the big3d_install script

Defining a data center

Create a data center to contain the servers that reside on a subnet of your network.

1. On the Main tab, click Global Traffic > Data Centers. The Data Center List screen opens.
2. Click Create. The New Data Center screen opens.
3. Type a name for the data center. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
   Important: The data center name is limited to 63 characters.
4. In the Location field, type the geographic location of the data center.
5. In the Contact field, type the name of either the administrator or the department that manages the data center.
6. From the State list, select Enabled.
7. Click Finished.

You can now create server objects and assign them to this data center. Repeat this procedure to create additional data centers.

Defining BIG-IP GTM

Ensure that at least one data center exists in the configuration before you start creating a server.

Create a server object for BIG-IP GTM.

1. On the Main tab, click Global Traffic > Servers. The Server List screen opens.
2. Click Create. The New Server screen displays.
3. In the Name field, type a name for the server. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
   Important: Server names are limited to 63 characters.
4. From the Product list, select BIG-IP System (Single). The server type determines the metrics that the system can collect from the server.
5. In the Address List area, add the IP addresses of the server. You can add more than one IP address, depending on how the server interacts with the rest of your network.
   Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address.
6. From the Data Center list, select the data center where the server resides.

7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system.

   Options: Description
   Disabled: This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add virtual servers to the system.
   Enabled: The system uses the discovery feature to automatically add virtual servers. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.
   Enabled (No Delete): The system uses the discovery feature to automatically add virtual servers and does not delete any virtual servers that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.

9. Click Create. The Server List screen opens displaying the new server in the list.

Defining the existing BIG-IP systems

On BIG-IP GTM, define a server that represents each BIG-IP system to place the systems on the network map.

1. On the Main tab, click Global Traffic > Servers. The Server List screen opens.
2. Click Create. The New Server screen displays.
3. In the Name field, type a name for the server. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
   Important: Server names are limited to 63 characters.
4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant). The server type determines the metrics that the system can collect from the server.
5. In the Address List area, add the IP addresses of the server. You can add more than one IP address, depending on how the server interacts with the rest of your network.
   Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address.
6. From the Data Center list, select the data center where the server resides.
7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system.

   Options: Description
   Disabled: This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add virtual servers to the system.
   Enabled: The system uses the discovery feature to automatically add virtual servers. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.
   Enabled (No Delete): The system uses the discovery feature to automatically add virtual servers and does not delete any virtual servers that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers.

9. Click Create. The New Server screen displays.

Running the big3d_install script

Determine the self IP addresses for the existing BIG-IP systems that you want to upgrade with the latest big3d agent.

Run the big3d_install script. This script upgrades the big3d agents on the BIG-IP systems and instructs these systems to authenticate with the other systems through the exchange of SSL certificates. For additional information about running the script, see SOL8195 on AskF5.com ( You must perform this task from the command-line interface.

Important: Run the big3d_install script on BIG-IP GTM only for target systems that are running the same or an older version of BIG-IP software.

1. Log on to the command-line interface of the new BIG-IP GTM.
2. At the command prompt, type big3d_install <IP_addresses_of_target_BIG-IP_systems>, and press Enter. The script instructs BIG-IP GTM to connect to each specified BIG-IP system.
3. When prompted, supply the logon information for each system.

The SSL certificates are exchanged, authorizing communications between the systems. The big3d agent on each system is upgraded to the same version as is installed on BIG-IP GTM from which you ran the script.
Implementation results

You now have an implementation in which the BIG-IP systems can communicate with each other. BIG-IP GTM can now use the other BIG-IP systems when load balancing DNS requests, and can acquire statistics and status information for the virtual servers these systems manage.


Chapter 15: Setting Up a BIG-IP GTM Redundant System Configuration

Topics:
- Overview: Configuring a BIG-IP GTM redundant system
- Task summary

Overview: Configuring a BIG-IP GTM redundant system

You can configure BIG-IP Global Traffic Manager (GTM) in a redundant system configuration, which is a set of two BIG-IP GTM systems: one operating as the active unit, the other operating as the standby unit. If the active unit goes offline, the standby unit immediately assumes responsibility for managing DNS traffic. The new active unit remains active until another event occurs that would cause the unit to go offline, or you manually reset the status of each unit.

Task summary

Perform the following tasks to configure a BIG-IP GTM redundant system configuration.

Before you begin, ensure that the Setup utility was run on both devices. During the Setup process, you create VLANs internal and external and the associated floating and non-floating IP addresses, and VLAN HA and the associated non-floating self IP address. You also configure the devices to be in an active/standby redundant system configuration.

- Defining an NTP server
- Creating listeners to identify DNS traffic
- Defining a data center
- Defining a server
- Enabling global traffic configuration synchronization
- Running the gtm_add script

Defining an NTP server

Define a Network Time Protocol (NTP) server that both BIG-IP GTM systems use during configuration synchronization.

Important: Perform the following procedure on both the active and standby systems.

1. On the Main tab, click System > Configuration > Device > NTP. The NTP screen displays.
2. In the Address field, type the IP address of the NTP server.
3. Click Add.
4. Click Update.

During configuration synchronization, the systems use this time value to see if any newer configuration files exist.

Creating listeners to identify DNS traffic

Create two listeners to identify DNS traffic for which BIG-IP GTM is responsible. Create one listener that uses the UDP protocol and one that uses the TCP protocol.

Important: Perform the following procedure on only the active system.

Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP the client may receive the error: connection refused or TCP RSTs.

1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click Create. The new Listeners screen opens.
3. In the Destination field, type the floating IP address of VLAN external. This is the IP address on which BIG-IP GTM listens for network traffic.
4. From the VLAN Traffic list, select All VLANs.
5. From the Protocol list, select UDP.
6. Click Finished.

Create another listener with the same IP address, but select TCP from the Protocol list.

Defining a data center

Create a data center to contain the servers that reside on a subnet of your network.

Important: Perform the following procedure on only the active system.

1. On the Main tab, click Global Traffic > Data Centers. The Data Center List screen opens.
2. Click Create. The New Data Center screen opens.
3. Type a name for the data center. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
   Important: The data center name is limited to 63 characters.
4. In the Location field, type the geographic location of the data center.
5. In the Contact field, type the name of either the administrator or the department that manages the data center.
6. From the State list, select Enabled.
7. Click Finished.

You can now create server objects and assign them to this data center. Repeat this procedure to create additional data centers.

Defining a server

Ensure that the data centers where the BIG-IP GTM systems reside exist in the configuration.

Perform this procedure twice to create two servers, one that represents the active system and one that represents the standby system.

Important: Perform the following procedure on only the active system.

1. On the Main tab, click Global Traffic > Servers. The Server List screen opens.
2. Click Create. The New Server screen displays.
3. In the Name field, type a name for the server. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
   Important: Server names are limited to 63 characters.
4. From the Product list, select BIG-IP System (Redundant). The server type determines the metrics that the system can collect from the server.
5. In the Address List area, add the IP address of the server.
   Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address.
6. In the Address List area, add the IP addresses of the backup system using the Peer Address List setting.
   a) Type an external (public) IP address in the Address field, and then click Add.
   b) Type an internal (private) IP address in the Translation field, and then click Add.
   You can add more than one IP address, depending on how the server interacts with the rest of your network.
7. From the Data Center list, select the data center where the server resides.
8. From the Virtual Server Discovery list, select Disabled.
9. Click Create. The Server List screen opens displaying the new server in the list.

Enabling global traffic configuration synchronization

Enable global traffic configuration synchronization options and assign a name to the global traffic synchronization group.

Important: Perform the following procedure on only the active system.

1. On the Main tab, click System > Configuration > Global Traffic > General. The General configuration screen opens.
2. Select the Synchronization check box.
3. Select the Synchronize DNS Files check box.
4. In the Synchronization Group Name field, type the name of the synchronization group.
5. Click Update.

The settings you selected will be transferred to the standby system during configuration synchronization.

Running the gtm_add script

You must run the gtm_add script from the standby system.

Note: You must perform this task from the command-line interface.

1. On the new BIG-IP GTM, log on to the command-line interface.
2. Type gtm_add, and press Enter.
3. Press the y key to start the gtm_add script.
4. Type the IP address of the existing BIG-IP GTM, and press Enter.

The gtm_add process begins, acquiring configuration data from the active system. Once the process completes, you have successfully created a redundant system consisting of two BIG-IP GTM systems.


Chapter 16: Authenticating with SSL Certificates Signed by a Third Party

Topics:
- Overview: Authenticating with SSL certificates signed by a third party
- Configuring Level 1 SSL authentication
- Implementation Results
- Configuring certificate chain SSL authentication
- Implementation results

Overview: Authenticating with SSL certificates signed by a third party

BIG-IP systems use Secure Sockets Layer (SSL) authentication to verify the authenticity of the credentials of systems with which data exchange is necessary. BIG-IP software includes a self-signed SSL certificate. If your network includes one or more certificate authority (CA) servers, you can also install SSL certificates that are signed by a third party. The BIG-IP systems exchange SSL certificates, and use a CA server to verify the authenticity of the certificates.

The big3d agent on all BIG-IP systems and the gtmd agent on BIG-IP Global Traffic Manager (GTM) systems utilize the certificates to authenticate communication between the systems.

SSL Authentication

SSL supports ten levels of authentication (also known as certificate depth):

- Level 0 certificates (self-signed certificates) are verified by the system to which they belong.
- Level 1 certificates are authenticated by a CA server that is separate from the system.
- Levels 2-9 certificates are authenticated by additional CA servers that verify the authenticity of other servers. These multiple levels of authentication (referred to as certificate chains) allow for a tiered verification system that ensures that only authorized communications occur between servers.

Configuring Level 1 SSL authentication

You can configure BIG-IP systems for Level 1 SSL authentication. Before you begin, ensure that the systems you are configuring include the following:

- A signed certificate/key pair.
- The root certificate from the CA server.

Task Summary

- Importing the device certificate
- Importing the root certificate for the gtmd agent
- Importing the root certificate for the big3d agent
- Verifying the certificate exchange

Importing the device certificate

Import the device certificate signed by the CA server.

Note: Perform this procedure on all BIG-IP systems that you want to configure for certificate chain SSL authentication.

1. On the Main tab, click System > Device Certificates. The Device Certificate screen opens.
2. Click Import.
3. From the Import Type list, select Certificate and Key.
4. For the Certificate Source setting, select Upload File and browse to select the certificate signed by the CA server.
5. For the Key Source setting, select Upload File and browse to select the device key file.
6. Click Import.

Importing the root certificate for the gtmd agent

Before you start this procedure, ensure that you have the root certificate from your CA server available.

To set up the system to use a third-party certificate signed by a CA server, replace the existing certificate file for the gtmd agent with the root certificate of your CA server.

Note: Perform this procedure on only one BIG-IP GTM system in the synchronization group. The system automatically synchronizes the setting with the other systems in the group.

1. On the Main tab, click Global Traffic > Servers > Trusted Server Certificates. The Trusted Server Certificates screen opens.
2. Click Import.
3. From the Import Method list, select Replace.
4. For the Certificate Source setting, select Upload File and browse to select the root certificate file.
5. Click Import.

Importing the root certificate for the big3d agent

Before you start this procedure, ensure that the root certificate from your CA server is available.

Note: Perform this procedure on all BIG-IP systems that you want to configure for Level 1 SSL authentication.

1. On the Main tab, click System > Device Certificates > Trusted Device Certificates. The Trusted Device Certificates screen opens.
2. Click Import.
3. From the Import Method list, select Replace.
4. For the Certificate Source setting, select Upload File and browse to select the certificate signed by the CA server.
5. Click Import.

Verifying the certificate exchange

You can verify that you installed the certificate correctly, by running the following commands on all BIG-IP systems that you configured for Level 1 SSL authentication.

    iqdump <IP address of BIG-IP you are testing>
    iqdump <IP address of BIG-IP peer system, if testing a redundant system configuration>

If the certificate was installed correctly, these commands display a continuous stream of information.

Implementation Results

The BIG-IP systems are now configured for Level 1 SSL authentication.

Configuring certificate chain SSL authentication

You can configure BIG-IP systems for certificate chain SSL authentication.

Task Summary

- Creating a certificate chain file
- Importing the device certificate from the last CA server in the chain
- Importing a certificate chain file for the gtmd agent
- Importing a certificate chain for the big3d agent
- Verifying the certificate chain exchange

Creating a certificate chain file

Before you start this procedure, ensure that you have the certificate files from your CA servers available.

Create a certificate chain file that you can use to replace the existing certificate file.

1. Using a text editor, create an empty file for the certificate chain.
2. Still using a text editor, copy an individual certificate from its own certificate file and paste the certificate into the file you created in step 1.
3. Repeat step 2 for each certificate that you want to include in the certificate chain.

You now have a certificate chain file.

Importing the device certificate from the last CA server in the chain

Import the device certificate signed by the last CA in the certificate chain.

Note: Perform this procedure on all BIG-IP systems that you want to configure for certificate chain SSL authentication.

1. On the Main tab, click System > Device Certificates. The Device Certificate screen opens.
2. Click Import.
3. From the Import Type list, select Certificate and Key.
4. For the Certificate Source setting, select Upload File and browse to select the certificate signed by the CA server.
5. For the Key Source setting, select Upload File and browse to select the device key file.
6. Click Import.

Importing a certificate chain file for the gtmd agent

Before you start this procedure, ensure that you have the certificate chain file available.

Replace the existing certificate file on the system with a certificate chain file.

Note: Perform this procedure on only one BIG-IP GTM in a synchronization group. The system automatically synchronizes the setting with the other systems in the group.

1. On the Main tab, click Global Traffic > Servers > Trusted Server Certificates. The Trusted Server Certificates screen opens.
2. Click Import.
3. From the Import Method list, select Replace.
4. For the Certificate Source setting, select Upload File and browse to select the device certificate for the last CA in the certificate chain.
5. Click Import.

Importing a certificate chain for the big3d agent

Before you start this procedure, ensure that the certificate chain file is available.

Note: Perform this procedure on all BIG-IP systems that you want to configure for certificate chain SSL authentication.

1. On the Main tab, click System > Device Certificates > Trusted Device Certificates. The Trusted Device Certificates screen opens.
2. Click Import.
3. From the Import Method list, select Replace.
4. For the Certificate Source setting, select Upload File and browse to select the certificate chain file.
5. Click Import.

Verifying the certificate chain exchange

You can verify that you installed the certificate chain correctly, by running the following commands on all the systems you configure for certificate chain SSL authentication.

    iqdump <IP address of BIG-IP you are testing>
    iqdump <IP address of BIG-IP peer system, if testing a redundant system configuration>

If the certificate chain was installed correctly, these commands display a continuous stream of information.

Implementation results

The BIG-IP systems are now configured for certificate chain SSL authentication. For information about troubleshooting BIG-IP device certificates, see SOL8187 on AskF5.com.
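The copy-and-paste steps in "Creating a certificate chain file" can be scripted and the result checked before any import. This is an added example, not part of the F5 documentation: the function names and the demo root, intermediate and device certificates are constructed here, and it assumes the openssl command-line tool on an administrative workstation.

```shell
#!/bin/sh
# Added example (not F5 code): build a certificate chain file and check it
# with openssl before import. Every subject and file name is constructed.

# make_demo_pki DIR: create a constructed root CA, an intermediate CA signed
# by the root, and a device certificate signed by the intermediate.
make_demo_pki() {
    pki=$1
    mkdir -p "$pki" || return 1
    # Private config so the demo does not depend on the system openssl.cnf.
    cat > "$pki/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    for name in root int dev; do
        openssl req -new -newkey rsa:2048 -nodes -config "$pki/demo.cnf" \
            -subj "/CN=Demo $name" -keyout "$pki/$name.key" \
            -out "$pki/$name.csr" 2>/dev/null || return 1
    done
    # Self-signed root CA.
    openssl x509 -req -in "$pki/root.csr" -signkey "$pki/root.key" -days 30 \
        -extfile "$pki/demo.cnf" -extensions v3_ca \
        -out "$pki/root.crt" 2>/dev/null || return 1
    # Intermediate CA signed by the root.
    openssl x509 -req -in "$pki/int.csr" -CA "$pki/root.crt" \
        -CAkey "$pki/root.key" -CAcreateserial -days 30 \
        -extfile "$pki/demo.cnf" -extensions v3_ca \
        -out "$pki/int.crt" 2>/dev/null || return 1
    # Device certificate signed by the last CA in the chain.
    openssl x509 -req -in "$pki/dev.csr" -CA "$pki/int.crt" \
        -CAkey "$pki/int.key" -CAcreateserial -days 30 \
        -out "$pki/dev.crt" 2>/dev/null || return 1
}

# build_chain_file OUT CERT...: script form of the copy-and-paste steps.
# Each input is re-encoded by openssl, so a file that is not a certificate
# (a private key, for example) stops the build instead of ending up in OUT.
build_chain_file() {
    out=$1
    shift
    : > "$out" || return 1
    for cert in "$@"; do
        if ! openssl x509 -in "$cert" -outform PEM >> "$out" 2>/dev/null; then
            echo "not a PEM certificate: $cert" >&2
            return 1
        fi
    done
}

# count_certs FILE: number of certificates in a chain file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# list_chain FILE: print subject and issuer of every certificate in FILE.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# verify_device_cert CHAIN DEVICE_CERT: succeed only if openssl can build a
# path from DEVICE_CERT to a self-signed root with CHAIN as the CA file.
verify_device_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run with --demo to see the whole flow on the constructed certificates.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d) &&
    make_demo_pki "$work" &&
    build_chain_file "$work/chain.pem" "$work/int.crt" "$work/root.crt" &&
    list_chain "$work/chain.pem" &&
    verify_device_cert "$work/chain.pem" "$work/dev.crt" &&
    echo "device certificate verifies against chain.pem"
    rm -rf "$work"
fi
```

A chain file that leaves out the intermediate CA fails verify_device_cert, which is the kind of mistake that is easier to catch here than after the Replace import on the BIG-IP systems.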

Chapter 17: Monitoring Third-Party Servers with SNMP

Topics:
- Overview: SNMP monitoring of third-party servers
- Task summary
- Implementation results

Overview: SNMP monitoring of third-party servers

You can configure the BIG-IP Global Traffic Manager (GTM) to acquire information about the health of a third-party server using SNMP. The server must be running an SNMP agent.

Task summary

To configure BIG-IP GTM to acquire information about the health of a third-party server using SNMP, perform the following tasks.

- Creating an SNMP monitor
- Defining a third-party host server that is running SNMP

Creating an SNMP monitor

Create an SNMP monitor that BIG-IP Global Traffic Manager can use to monitor a third-party server running SNMP.

1. Click Create. The New Monitor screen opens.
2. Type a name for the monitor. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
   Important: Monitor names are limited to 63 characters.
3. From the Type list, select SNMP.
4. Click Finished.

Defining a third-party host server that is running SNMP

Ensure that the third-party host server is running SNMP. During this procedure, you assign a virtual server to the server. Determine the IP address that you want to assign to the virtual server.

Define the third-party host server.

1. On the Main tab, click Global Traffic > Servers. The Server List screen opens.
2. Click Create. The New Server screen displays.
3. In the Name field, type a name for the server. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
   Important: Server names are limited to 63 characters.
4. From the Product list, select Generic Host. The server type determines the metrics that the system can collect from the server.
5. In the Address List area, add the IP addresses of the server.
   a) Type an external (public) IP address in the Address field, and then click Add.
   b) If you use NAT, type an internal (private) IP address in the Translation field, and then click Add.
   You can add more than one IP address, depending on how the server interacts with the rest of your network.
6. From the Data Center list, select the data center where the server resides.
7. In the Health Monitors area, assign the SNMP monitor that you created to the server by moving it from the Available list to the Selected list.
8. From the Virtual Server Discovery list, select Disabled.
9. Click Create. The New Server screen displays.
10. Click a server name in the list. The server settings and values display.
11. Click Virtual Servers on the menu bar. A list of the virtual servers configured on the server displays.
12. Click Add. The IP addresses display in the list.
13. In the Virtual Server List area, specify the virtual servers that are resources on this server.
    a) In the Name field, type the name of the virtual server.
    b) In the Address field, type the IP address of the virtual server.
14. Click Create.

Implementation results

BIG-IP GTM can now use the SNMP monitor to verify the availability of and to collect statistics about the generic host.


Chapter 18: Configuring Device-Specific Probing and Statistics Collection

Topics:
- Overview: Configuring device-specific probing and statistics collection
- Task summary
- Implementation results

Overview: Configuring device-specific probing and statistics collection

BIG-IP Global Traffic Manager (GTM) performs intelligent probing of your network resources to determine whether the resources are up or down. In some circumstances, for example, if your network contains firewalls, you may want to set up device-specific probing. This allows you to specify which BIG-IP systems probe specific servers for health and performance data.

About Prober pools

A Prober pool is an ordered collection of one or more BIG-IP systems. A BIG-IP system can be a member of more than one Prober pool, and a Prober pool can be assigned to an individual server or a data center. When you assign a Prober pool to a data center, by default, the servers in that data center inherit that Prober pool.

The members of a Prober pool perform monitor probes of servers to gather data about the health and performance of the resources on the servers. BIG-IP GTM makes load balancing decisions based on the gathered data. If all of the members of a Prober pool are marked down, or if a server has no Prober pool assigned, BIG-IP GTM reverts to a default intelligent probing algorithm to gather data about the resources on the server.

The following figure illustrates how Prober pools work. BIG-IP GTM contains two BIG-IP Local Traffic Manager (LTM) systems that are assigned Prober pools and one BIG-IP LTM system that is not assigned a Prober pool:

Figure 9: Example illustration of how Prober pools work

Prober Pool 1 is assigned to a generic host server
    BIG-IP LTM3 is the only member of Prober Pool 1, and performs all HTTPS monitor probes of the server.

Prober Pool 2 is assigned to generic load balancers
    BIG-IP LTM1 and BIG-IP LTM2 are members of Prober Pool 2. These two systems perform HTTP monitor probes of generic load balancers based on the load balancing method assigned to Prober Pool 2.

The generic load balancers on the left side of the graphic above are not assigned a Prober pool
    BIG-IP GTM can solicit any BIG-IP system to perform FTP monitor probes of these load balancers, including systems that are Prober pool members.

About Prober pool status

The status of a Prober pool also indicates the status of the members of the pool. If at least one member of a Prober pool has green status (Available), the Prober pool has green status.

The status of a Prober pool member indicates whether the BIG-IP GTM system, on which you are viewing status, can establish an iQuery connection with the member.

Note: If a Prober pool member has red status (Offline), no iQuery connection exists between the member and the BIG-IP GTM system on which you are viewing status. Therefore, that BIG-IP GTM system cannot request that member to perform probes, and the Prober pool will not select the member for load balancing.

About Prober pool statistics

You can view the number of successful and failed probe requests that the BIG-IP GTM system (on which you are viewing statistics) made to the Prober pools. These statistics reflect only the number of Probe requests and their success or failure. These statistics do not reflect the actual probes that the pool members made to servers on your network.

Prober pool statistics are not aggregated among the BIG-IP GTM systems in a synchronization group. The statistics on one BIG-IP GTM include only the requests made from that BIG-IP GTM system.

In the following figure, the Prober pool statistics that display on BIG-IP GTM1 are the probe requests made only by that system.

Figure 10: Prober pool statistics displayed per system

Task summary

Perform these tasks to configure device-specific probing and statistics collection.

- Creating a Prober pool
- Assigning a Prober pool to a data center
- Assigning a Prober pool to a server
- Viewing Prober pool statistics and status
- Which Prober pool member marked my resource down?

Creating a Prober pool

Obtain a list of the BIG-IP systems in your network and ensure that a server object is configured for each system on BIG-IP GTM.

Create a Prober pool that contains the BIG-IP systems that you want to perform monitor probes of a specific server or the servers in a data center.

1. On the Main tab, click Global Traffic > Prober Pools. The Prober Pool List screen opens.
2. Click Create.
3. In the Name field, type a name for the Prober pool. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
   Important: Prober pool names are limited to 63 characters.
4. Select a method from the Load Balancing Method list.
   Options and descriptions:
   Round Robin: BIG-IP GTM load balances monitor probes among the members of a Prober pool in a circular and sequential pattern.
   Global Availability: BIG-IP GTM selects the first available Prober pool member to perform a monitor probe.
5. Assign members to the pool by moving servers from the Available list to the Selected list.
6. To reorder the members in the Selected list, choose a server and use the Up and Down buttons to move the server to a different location in the list. The order of the servers in the list is important in relation to the load balancing method you selected.
7. Click Finished.

Assign the Prober pool to a data center or a server.

Assigning a Prober pool to a data center

Ensure that a Prober pool is available on the system.

To make a specific collection of BIG-IP systems available to probe the servers in a data center, assign a Prober pool to the data center.

1. On the Main tab, click Global Traffic > Data Centers. The Data Center List screen opens.
2. Click a data center name in the list. The data center settings and values display.
3. From the Prober Pool list, select the Prober pool that contains the BIG-IP systems that you want to perform monitor probes of the servers in this data center. By default, all of the servers in the data center inherit this Prober pool.
4. Click Finished.

Assigning a Prober pool to a server

Ensure that a Prober pool is available on the system.

To specify which BIG-IP systems perform monitor probes of a server, assign a Prober pool to the server.

1. On the Main tab, click Global Traffic > Servers. The Server List screen opens.
2. Click a server name in the list. The server settings and values display.
3. From the Prober Pool list, select one of the following.
   Options and descriptions:
   Inherit from Data Center: By default, a server inherits the Prober pool assigned to the data center in which the server resides.
   Prober pool name: Select the Prober pool that contains the BIG-IP systems that you want to perform monitor probes of this server.
4. Click Finished.

Viewing Prober pool statistics and status

You can view status and statistics for Prober pools and the members of the pools.

1. On the Main tab, click Global Traffic > Prober Pools. The Prober Pool List screen opens.
2. On the menu bar, click Statistics. The Global Traffic Statistics screen opens.
3. Click the Refresh button. The statistics are updated.
4. To view additional information about the status of a Prober pool, place your cursor over the icon in the Status column.
5. To view additional information about the status of a Prober pool member, click View in the Members column, and then place your cursor over the icon in the Status column of a specific member.

Which Prober pool member marked my resource down?

When a resource is marked down, you can open the BIG-IP GTM log to view the SNMP trap and determine which member of a Prober pool marked the resource down.

1. On the Main tab, click System > Logs. The System Logs screen opens.
2. On the menu bar, click Global Traffic. The Global Traffic Logs screen opens.
3. You can either scroll through the log or search for a log entry about a specific event.

Implementation results

You now have an implementation in which a specific BIG-IP system probes the resources on a specific server, or the servers in a specific data center.

Chapter 19: Diagnosing Network Connection Issues

Topics:
- Diagnosing network connection issues

Diagnosing network connection issues

To help you diagnose network connection issues, you can view the status of and statistics about the iQuery connections between BIG-IP Global Traffic Manager (GTM) and other BIG-IP systems on your network. iQuery connection information displays for IP addresses that are configured on BIG-IP server objects.

Viewing information about connections between BIG-IP GTM and other BIG-IP systems

Ensure that the BIG-IP GTM configuration contains at least one BIG-IP server object with a self IP address.

1. On the Main tab, click Overview > Statistics > Global Traffic. The Global Traffic Statistics screen opens.
2. From the Statistics Type list, select iQuery. Information about the iQuery connections between this system and other BIG-IP systems in your network displays.
3. When you want to estimate iQuery traffic throughput, click Reset. The following statistics are reset to zero:
   - iQuery Reconnects
   - Bytes In
   - Bytes Out
   - Backlogs
   - Bytes Dropped

To view information about the iQuery connections between a different BIG-IP GTM and the BIG-IP systems in your network, log on to that BIG-IP GTM system and repeat this procedure.

iQuery statistics descriptions

The information in the table describes the iQuery statistics.

iQuery statistics and descriptions:

IP Address: Displays the IP addresses of the servers that have an iQuery connection with this BIG-IP GTM.
Server: Displays the name of the server with the specified IP address.
Data Center: Displays the data center to which the specified server belongs.
iQuery State: Displays the state of the iQuery connection between the specified server and the BIG-IP GTM. Possible states are:
   - Not Connected
   - Connecting
   - Connected
   - Backlogged (indicates messages are queued and waiting to be sent)
iQuery Reconnects: Displays the number of times the BIG-IP GTM re-established an iQuery connection with the specified server.
Bytes In: Displays the amount of data in bytes received by the BIG-IP GTM over the iQuery connection from the specified server.
Bytes Out: Displays the amount of data in bytes sent from the BIG-IP GTM over the iQuery connection to the specified server.
Backlogs: Displays the number of times the iQuery connection between the BIG-IP GTM and the specified server was blocked, because iQuery had to send out more messages than the connection could handle.
Bytes Dropped: Displays the amount of data in bytes that the iQuery connection dropped.
SSL Certificate Expiration: Displays the date the SSL certificate expires.
Configuration Time: Displays the date and time that the BIG-IP GTM configuration was last modified. The timestamps should be the same for all devices in a configuration synchronization group.



More information

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP v10.2 to Enable Long Distance Live Migration with VMware vsphere vmotion

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP v10.2 to Enable Long Distance Live Migration with VMware vsphere vmotion DEPLOYMENT GUIDE Version 1.2 Deploying the BIG-IP v10.2 to Enable Long Distance Live Migration with VMware vsphere vmotion Table of Contents Table of Contents Introducing the BIG-IP and VMware vmotion

More information

Deploying the BIG-IP System with Oracle WebLogic Server

Deploying the BIG-IP System with Oracle WebLogic Server Deployment Guide Deploying the BIG-IP System with Welcome to the F5 and Oracle WebLogic Server deployment guide. F5 provides a highly eective way to optimize and direct traic for WebLogic Server with the

More information

Deploying F5 with IBM Tivoli Maximo Asset Management

Deploying F5 with IBM Tivoli Maximo Asset Management Deployment Guide Document Version 1.2 What s inside: 2 Prerequisites and configuration notes 2 Configuration example and traffic flows 6 Configuring the BIG-IP LTM for Maximo 7 Configuring the BIG-IP WebAccelerator

More information

How To Deploy F5 With A Hyperv Virtual Machine Manager 2008

How To Deploy F5 With A Hyperv Virtual Machine Manager 2008 DEPLOYMENT GUIDE Version 1.1 Deploying F5 with Microsoft Hyper-V and System Center Virtual Machine Manager 2008 Table of Contents Table of Contents Deploying F5 with Microsoft Hyper-V and System Center

More information

Deploying F5 with Microsoft Remote Desktop Session Host Servers

Deploying F5 with Microsoft Remote Desktop Session Host Servers Deploying F5 with Servers Welcome to the F5 deployment guide for Microsoft Remote Desktop Services included in Windows Server 2012 and Windows Server 2008 R2. This document provides guidance on configuring

More information

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 12.0

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 12.0 BIG-IP Access Policy Manager : Authentication and Single Sign-On Version 12.0 Table of Contents Table of Contents Legal Notices...15 Legal notices...15 Authentication Concepts...17 About AAA server support...17

More information

DEPLOYMENT GUIDE. Deploying the BIG-IP LTM v9.x with Microsoft Windows Server 2008 Terminal Services

DEPLOYMENT GUIDE. Deploying the BIG-IP LTM v9.x with Microsoft Windows Server 2008 Terminal Services DEPLOYMENT GUIDE Deploying the BIG-IP LTM v9.x with Microsoft Windows Server 2008 Terminal Services Deploying the BIG-IP LTM system and Microsoft Windows Server 2008 Terminal Services Welcome to the BIG-IP

More information

Deploying the BIG-IP System v11 with DNS Servers

Deploying the BIG-IP System v11 with DNS Servers Deployment Guide Document version 1.1 What s inside: 2 What is F5 iapp? 2 Prerequisites and configuration notes 2 Configuration example 3 Preparation Worksheet 4 Configuring the BIG-IP iapp for DNS Servers

More information

Presented by Philippe Bogaerts Senior Field Systems Engineer [email protected]. Securing application delivery in the cloud

Presented by Philippe Bogaerts Senior Field Systems Engineer p.bogaerts@f5.com. Securing application delivery in the cloud Presented by Philippe Bogaerts Senior Field Systems Engineer [email protected] Securing application delivery in the cloud 2 The Leader in Application Delivery Networking Users Data Center At Home In the

More information

BIG-IQ Security: Administration. Version 4.5

BIG-IQ Security: Administration. Version 4.5 BIG-IQ Security: Administration Version 4.5 Table of Contents Table of Contents Legal Notices...9 Acknowledgments...11 Chapter 1: Overview: BIG-IQ Security...19 Understanding BIG-IQ Network Security and

More information

Configuring Global Protect SSL VPN with a user-defined port

Configuring Global Protect SSL VPN with a user-defined port Configuring Global Protect SSL VPN with a user-defined port Version 1.0 PAN-OS 5.0.1 Johan Loos [email protected] Global Protect SSL VPN Overview This document gives you an overview on how to configure

More information