BIG-IP Global Traffic Manager : Implementations. Version 11.0

Transcription

1 BIG-IP Global Traffic Manager : Implementations Version 11.0

2

3 Table of Contents Table of Contents Legal Notices...9 Acknowledgments...11 Chapter 1: Upgrading BIG-IP GTM to Version Converting a statistics collection server to a Prober pool automatically...14 Chapter 2: Delegating DNS Traffic to Wide IPs...15 Overview: Delegating DNS traffic to wide IPs...16 About listeners...17 Task summary...17 Creating a delegated zone on a local DNS server...17 Creating a self IP address using the IP address of the legacy DNS server...17 Designating GTM as the primary server for the zone...18 Creating a listener to handle traffic for wide IPs...18 Implementation results...19 Chapter 3: Replacing a DNS Server with BIG-IP GTM...21 Overview: Replacing a DNS server with BIG-IP GTM...22 About listeners...22 Task summary...23 Configuring the legacy DNS server to allow zone file transfers...23 Acquiring zone files from the legacy DNS server...23 Creating a self IP address using the IP address of the legacy DNS server...24 Designating GTM as the primary server for the zone...24 Creating listeners to identify DNS traffic...24 Implementation results...25 Chapter 4: Sending Traffic Through BIG-IP GTM...27 Overview: Configuring GTM to pass traffic to an existing DNS server...28 About listeners...29 About Router mode...29 About Bridge mode...29 Task summary...29 Placing GTM on your network to forward traffic...29 Creating a listener to forward traffic to a DNS server on a different network segment.29 Creating a listener to forward traffic to a DNS server on the same network segment..30 Implementation results

4 Table of Contents Chapter 5: Load Balancing Non-Wide IP DNS Traffic to a Pool of DNS Servers...31 Overview: Load balancing non-wide IP traffic to a pool of DNS servers...32 About listeners...32 Task summary...32 Creating a pool of local DNS servers...32 Creating a listener that alerts GTM to DNS queries for a pool of DNS servers...32 Implementation results...33 Chapter 6: Load Balancing DNS Traffic Between IPv-6 Only and IPv-4 Only Clouds...35 Overview: Load balancing IPv6-only connection requests to IPv4-only servers...36 Task summary...36 Creating a custom DNS profile...36 Assigning a DNS profile to a virtual server...37 Implementation results...38 Chapter 7: Configuring GTM on a Network with One Route Domain...39 Overview: How do I deploy BIG-IP GTM on a network with one route domain?...40 Task summary...40 Creating VLANs for a route domain on BIG-IP LTM...41 Creating a route domain on BIG-IP LTM...41 Creating a self IP address for a route domain on BIG-IP LTM...42 Defining a server for a route domain on BIG-IP GTM...42 Implementation results...43 Chapter 8: Configuring GTM on a Network with Multiple Route Domains...45 Overview: How do I deploy BIG-IP GTM on a network with multiple route domains?...46 Task summary...47 Creating VLANs for a route domain on BIG-IP LTM...48 Creating a route domain on BIG-IP LTM...48 Creating a self IP address for a route domain on BIG-IP LTM...49 Disabling auto-discovery at the global-level on BIG-IP GTM...49 Defining a server for a route domain on BIG-IP GTM...49 Implementation results...50 Chapter 9: Securing Your DNS Infrastructure...51 Overview: Securing your DNS infrastructure...52 How do I prepare for a manual rollover of a DNSSEC key?

5 Table of Contents Task summary...52 Creating DNSSEC key-signing keys...53 Creating DNSSEC zone-signing keys...53 Creating DNSSEC zones...54 Validating that a zone is correctly signed...55 Specifying which GTM creates new generations of DNSSEC keys...55 Implementation results...55 Chapter 10: Configuring DNS Express on BIG-IP Systems...57 Overview: How do I configure a BIG-IP system to mitigate DDoS attacks?...58 What is DNS Express?...58 Task summary...58 Creating a DNS Express TSIG key...58 Creating a DNS Express zone...58 Configuring the legacy DNS server to allow zone file transfers...59 Creating a DNS Express profile...59 Assigning a DNS Express profile to a virtual server...60 Assigning a DNS Express profile to a listener...60 Viewing information about DNS Express zones...60 Implementation results...61 Chapter 11: Configuring IP Anycast (Route Health Injection)...63 Overview: Configuring IP Anycast (Route Health Injection)...64 Task summary...64 Enabling the ZebOS dynamic routing protocol...64 Creating a custom DNS profile...64 Configuring a listener for route advertisement...65 Verifying advertisement of the route to a listener...66 Implementation results...66 Chapter 12: Configuring BIG-IP GTM VIPRION Systems...67 Overview: Configuring BIG-IP GTM VIPRION systems...68 Configuring dependency for virtual server status...68 Chapter 13: Ensuring Correct Synchronization When Adding GTM to a Network...69 Overview: Ensuring correct synchronization when adding GTM to a network...70 What is configuration synchronization?...70 About NTP Servers and Synchronization...70 About adding an additional BIG-IP GTM to your network...70 Task summary

6 Table of Contents Defining an NTP server on the existing GTM...71 Enabling synchronization on the existing GTM...71 Creating a data center on the existing GTM...71 Defining a server...72 Running the gtm_add script on the new GTM...73 Implementation results...73 Chapter 14: Integrating BIG-IP GTM with Other BIG-IP Systems...75 Overview: Integrating GTM with older BIG-IP systems on my network...76 About the iquery protocol and the big3d agent...76 Task summary...76 Defining a data center...77 Defining BIG-IP GTM...77 Defining the existing BIG-IP systems...78 Running the big3d_install script...79 Implementation results...79 Chapter 15: Setting Up a BIG-IP GTM Redundant System Configuration...81 Overview: Configuring a BIG-IP GTM redundant system...82 Task summary...82 Defining an NTP server...82 Creating listeners to identify DNS traffic...82 Defining a data center...83 Defining a server...83 Enabling global traffic configuration synchronization...84 Running the gtm_add script...85 Chapter 16: Authenticating with SSL Certificates Signed by a Third Party...87 Overview: Authenticating with SSL certificates signed by a third party...88 SSL Authentication...88 Configuring Level 1 SSL authentication...88 Importing the device certificate...88 Importing the root certificate for the gtmd agent...89 Importing the root certificate for the big3d agent...89 Verifying the certificate exchange...89 Implementation Results...90 Configuring certificate chain SSL authentication...90 Creating a certificate chain file...90 Importing the device certificate from the last CA server in the chain...90 Importing a certificate chain file for the gtmd agent

7 Table of Contents Importing a certificate chain for the big3d agent...91 Verifying the certificate chain exchange...91 Implementation results...92 Chapter 17: Monitoring Third-Party Servers with SNMP...93 Overview: SNMP monitoring of third-party servers...94 Task summary...94 Creating an SNMP monitor...94 Defining a third-party host server that is running SNMP...94 Implementation results...95 Chapter 18: Configuring Device-Specific Probing and Statistics Collection...97 Overview: Configuring device-specific probing and statistics collection...98 About Prober pools...98 About Prober pool status...99 About Prober pool statistics...99 Task summary Creating a Prober pool Assigning a Prober pool to a data center Assigning a Prober pool to a server Viewing Prober pool statistics and status Which Prober pool member marked my resource down? Implementation results Chapter 19: Diagnosing Network Connection Issues Diagnosing network connection issues Viewing information about connections between BIG-IP GTM and other BIG-IP systems iquery statistics descriptions

8 Table of Contents 8

9 Legal Notices Publication Date This document was published on August 17, Publication Number MAN Copyright Copyright 2011, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice. Trademarks 3DNS, Access Policy Manager, Acopia, Acopia Networks, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, Cloud Extender, CloudFucious, CMP, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, EM, Enterprise Manager, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iapps, icontrol, ihealth, iquery, irules, irules OnDemand, isession, IT agility. Your way., L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Module, MSM, Netcelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, Real Traffic Policy Builder, Scale N, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, TrafficShield, Transparent Data Reduction, VIPRION, vcmp, WA, WAN Optimization Manager, WANJet, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent. All other product and company names herein may be trademarks of their respective owners. Patents This product may be protected by U.S. Patents 6,374,300; 6,473,802; 6,970,733; 7,047,301; 7,707,289. This list is believed to be current as of August 17, Export Regulation Notice This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States. RF Interference Warning This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

10 Legal Notices FCC Compliance This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference. Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules. Canadian Regulatory Compliance This Class A digital apparatus complies with Canadian ICES-003. Standards Compliance This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture. 10

11 Acknowledgments This product includes software developed by Gabriel Forté. This product includes software developed by Bill Paul. This product includes software developed by Jonathan Stone. This product includes software developed by Manuel Bouyer. This product includes software developed by Paul Richards. This product includes software developed by the NetBSD Foundation, Inc. and its contributors. This product includes software developed by the Politecnico di Torino, and its contributors. This product includes software developed by the Swedish Institute of Computer Science and its contributors. This product includes software developed by the University of California, Berkeley and its contributors. This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory. This product includes software developed by Christopher G. Demetriou for the NetBSD Project. This product includes software developed by Adam Glass. This product includes software developed by Christian E. Hopps. This product includes software developed by Dean Huxley. This product includes software developed by John Kohl. This product includes software developed by Paul Kranenburg. This product includes software developed by Terrence R. Lambert. This product includes software developed by Philip A. Nelson. This product includes software developed by Herb Peyerl. This product includes software developed by Jochen Pohl for the NetBSD Project. This product includes software developed by Chris Provenzano. This product includes software developed by Theo de Raadt. This product includes software developed by David Muir Sharnoff. This product includes software developed by SigmaSoft, Th. Lockert. This product includes software developed for the NetBSD Project by Jason R. Thorpe. This product includes software developed by Jason R. Thorpe for And Communications, This product includes software developed for the NetBSD Project by Frank Van der Linden. This product includes software developed for the NetBSD Project by John M. Vinopal. This product includes software developed by Christos Zoulas. This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman. This product includes software developed by Balazs Scheidler which is protected under the GNU Public License.

12 Acknowledgments This product includes software developed by Niels Mueller which is protected under the GNU Public License. In the following statement, This software refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with 386BSD and similar operating systems. Similar operating systems includes mainly non-profit oriented systems for research and education, including but not restricted to NetBSD, FreeBSD, Mach (by CMU). This product includes software developed by the Apache Group for use in the Apache HTTP server project ( This product includes software licensed from Richard H. Porter under the GNU Library General Public License ( 1998, Red Hat Software), This product includes the standard version of Perl software licensed under the Perl Artistic License ( 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at This product includes software developed by Jared Minch. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit ( This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product contains software based on oprofile, which is protected under the GNU Public License. This product includes RRDtool software developed by Tobi Oetiker ( and licensed under the GNU General Public License. This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL). This product includes software developed by the Apache Software Foundation ( This product includes Hypersonic SQL. This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others. This product includes software developed by the Internet Software Consortium. This product includes software developed by Nominum, Inc. ( This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License. This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation. This product includes the GeoPoint Database developed by Quova, Inc. and its contributors. 12

13 Chapter 1 Upgrading BIG-IP GTM to Version 11 Topics: Converting a statistics collection server to a Prober pool automatically

14 Upgrading BIG-IP GTM to Version 11 Converting a statistics collection server to a Prober pool automatically In version 10.2 of BIG-IP Global Traffic Manager (GTM ), you could assign a single BIG-IP system to probe a server to gather health and performance data. You did this by specifying the IP address of the BIG-IP system (which you chose to perform probes of the server) in the Statistics Collection Server field of the server. In version 11.0, this feature is replaced by the Prober pool feature. When you upgrade from version 10.2.x to version 11.0, if a single BIG-IP system was assigned to probe a server, BIG-IP GTM converts the single server to a Prober pool with one member, and then assigns the Prober pool to the server to which the Statistics Collection server was originally assigned. The name of the new Prober pool is based on the IP address of the original Statistics Collection server. If the original Statistics Collection server had an IP address of , the name of the automatically created Prober pool is prober_pool_10_10_2_3. 14

15 Chapter 2 Delegating DNS Traffic to Wide IPs Topics: Overview: Delegating DNS traffic to wide IPs Task summary Implementation results

16 Delegating DNS Traffic to Wide IPs Overview: Delegating DNS traffic to wide IPs BIG-IP Global Traffic Manager (GTM ) load balances incoming wide IP traffic to your network resources. BIG-IP GTM can work in conjunction with an existing DNS server on your network. In this situation, you configure the DNS server to delegate wide IP-related requests to the BIG-IP GTM for name resolution. Figure 1: Traffic flow when DNS server delegates traffic to BIG-IP GTM This implementation focuses on the fictional company SiteRequest, which recently purchased BIG-IP GTM to help load balance traffic across two of its web-based applications: store.siterequest.com and checkout.siterequest.com. These applications are delegated zones of which an existing DNS server manages. They have already configured BIG-IP GTM with two wide IPs, store.wip.siterequest.com and checkout.wip.siterequest.com, which correspond to these two web applications. 16

17 BIG-IP Global Traffic Manager : Implementations About listeners Listeners control how BIG-IP GTM handles network traffic. A listener is a specialized virtual server that is assigned a specific IP address. A wildcard listener is a special listener that is assigned an IP address of and DNS query port (port 53). When traffic is sent to the IP address of a listener, BIG-IP GTM either handles the traffic locally or sends the traffic to the appropriate resource. Task summary Perform these tasks to delegate DNS traffic to wide IPs. Creating a delegated zone on a local DNS server Creating a self IP address using the IP address of the legacy DNS server Designating GTM as the primary server for the zone Creating a listener to handle traffic for wide IPs Creating a delegated zone on a local DNS server If you are unfamiliar with how to modify the files on DNS servers, review the fifth edition of DNS and BIND, available from O Reilly Media. Determine which DNS servers will delegate wide IP-related requests to BIG-IP GTM. In order for BIG-IP GTM to manage the web applications of store.siterequest.com and checkout.siterequest.com, you must create a delegated zone on the existing DNS server. Perform the following steps on the selected DNS servers. 1. Create an address record (A record) that defines the domain name and IP address of BIG-IP GTM. 2. Create a nameserver record (NS record) that defines the delegated zone for which BIG-IP GTM is responsible. 3. Create canonical name records (CNAME records) for each web application, which forwards requests to store.siterequest.com and checkout.siterequest.com to the wide IP addresses of store.wip.siterequest.com and checkout.wip.siterequest.com, respectively. A delegated zone exists on each DNS server on which you performed this procedure. Creating a self IP address using the IP address of the legacy DNS server Create a self IP address on BIG-IP GTM using the IP address of the legacy DNS server. 1. On the Main tab, click Network > Self IPs. 2. Click Create. The New Self IP screen opens. 3. In the IP Address field, type the IP address of the legacy DNS server. The system accepts IP addresses in both the IPv4 and IPv6 formats. 4. In the Netmask field, type the network mask for the specified IP address. 5. Click Finished. 17

18 Delegating DNS Traffic to Wide IPs The screen refreshes, and displays the new self IP address in the list. Designating GTM as the primary server for the zone Ensure that you have created a self IP address on BIG-IP GTM using the IP address of the legacy DNS server. Add the new self IP address to the BIG-IP GTM server object. Then modify the DNS server based on your network configuration. 1. Log on to BIG-IP GTM. 2. On the Main tab, click Global Traffic > Servers. The Server List screen opens. 3. Click the name of the BIG-IP GTM system that you want to modify. The server settings and values display. 4. In the Address List area, add the new self IP address. 5. Click Update. 6. Do one of the following based on your network configuration: Modify the IP address of the legacy DNS server so that it becomes a secondary DNS server to BIG-IP GTM. Ensure that the IP address of the DNS server does not conflict with the self IP address that you added to the BIG-IP GTM server object. Note: If you are unfamiliar with how to change a DNS server from a primary to a secondary, refer to the fifth edition of DNS and BIND, available from O Reilly Media. Remove the legacy DNS server from your network. BIG-IP GTM is now the authoritative name server for the zone. The root servers for the zone do not need to be updated, because the IP address of the legacy DNS server was added to BIG-IP GTM. Creating a listener to handle traffic for wide IPs You need to create a listener that corresponds to a delegated zone that you create on your existing DNS server. This listener will identify DNS traffic that is destined for BIG-IP GTM. 1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens. 2. Click Create. The new Listeners screen opens. 3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is a self IP address on BIG-IP GTM. 4. From the VLAN Traffic list, select All VLANs. 5. From the Protocol list, select either UDP or TCP. 6. Click Finished. 18

19 BIG-IP Global Traffic Manager : Implementations Implementation results You now have an implementation of BIG-IP GTM in which a DNS server manages DNS traffic unless a query is for a wide IP configured on BIG-IP GTM. When the DNS server receives queries for store.siterequest.com or checkout.siterequest.com, it delegates the queries to BIG-IP GTM, which then load balances the traffic to the appropriate wide IPs. 19

20 Delegating DNS Traffic to Wide IPs 20

21 Chapter 3 Replacing a DNS Server with BIG-IP GTM Topics: Overview: Replacing a DNS server with BIG-IP GTM Task summary Implementation results

22 Replacing a DNS Server with BIG-IP GTM Overview: Replacing a DNS server with BIG-IP GTM BIG-IP Global Traffic Manager (GTM ) load balances incoming wide IP traffic to your network resources. BIG-IP GTM can also replace a local DNS server as the authoritative nameserver for wide IPs, zones, and all other DNS-related traffic. You can configure BIG-IP GTM to replace the DNS server that currently manages BIG-IP GTM becomes the authoritative nameserver for and load balances traffic across the web-based applications store.siterequest.com and checkout.siterequest.com. Figure 2: Traffic flow when BIG-IP GTM replaces DNS server About listeners Listeners control how BIG-IP GTM handles network traffic. A listener is a specialized virtual server that is assigned a specific IP address. A wildcard listener is a special listener that is assigned an IP address of and DNS query port (port 53). When traffic is sent to the IP address of a listener, BIG-IP GTM either handles the traffic locally or sends the traffic to the appropriate resource. 22

23 BIG-IP Global Traffic Manager : Implementations Task summary Perform these tasks to replace a DNS server with BIG-IP GTM. Configuring the legacy DNS server to allow zone file transfers Acquiring zone files from the legacy DNS server Creating a self IP address using the IP address of the legacy DNS server Designating GTM as the primary server for the zone Creating listeners to identify DNS traffic Configuring the legacy DNS server to allow zone file transfers If you are unfamiliar with how to modify DNS server files, review the fifth edition of DNS and BIND, available from O Reilly Media. To configure the legacy DNS server to allow zone file transfers to BIG-IP GTM, add to the DNS server an allow-transfer statement that specifies the IP address of the new BIG-IP GTM system. You can modify the following allow-transfer statement to use the IP address of your BIG-IP GTM: allow-transfer { localhost; <IP address of BIG-IP GTM>; }; Acquiring zone files from the legacy DNS server Ensure that you have configured the legacy DNS server with an allow-transfer statement that authorizes zone transfers to BIG-IP GTM. For BIG-IP GTM to acquire zone files from the legacy DNS server, create a new zone. 1. On the Main tab, click Global Traffic > ZoneRunner > Zone List. The Zone List screen opens. 2. Click Create. 3. From the View Name list, select the view that you want this zone to be a member of. The default view is external. 4. In the Zone Name field, type a name for the zone file in this format, including the trailing dot: db.[viewname].[zonename]. For example, db.external.siterequest.com. 5. From the Zone Type list, select Master. 6. From the Records Creation Method list, select Transfer from Server. 7. In the Source Server field, type the IP address of the DNS server (the server from which you want BIG-IP GTM to acquire zone files). 8. Click Finished. 23

24 Replacing a DNS Server with BIG-IP GTM Creating a self IP address using the IP address of the legacy DNS server Create a self IP address on BIG-IP GTM using the IP address of the legacy DNS server. 1. On the Main tab, click Network > Self IPs. 2. Click Create. The New Self IP screen opens. 3. In the IP Address field, type the IP address of the legacy DNS server. The system accepts IP addresses in both the IPv4 and IPv6 formats. 4. In the Netmask field, type the network mask for the specified IP address. 5. Click Finished. The screen refreshes, and displays the new self IP address in the list. Designating GTM as the primary server for the zone Ensure that you have created a self IP address on BIG-IP GTM using the IP address of the legacy DNS server. Add the new self IP address to the BIG-IP GTM server object. Then modify the DNS server based on your network configuration. 1. Log on to BIG-IP GTM. 2. On the Main tab, click Global Traffic > Servers. The Server List screen opens. 3. Click the name of the BIG-IP GTM system that you want to modify. The server settings and values display. 4. In the Address List area, add the new self IP address. 5. Click Update. 6. Do one of the following based on your network configuration: Modify the IP address of the legacy DNS server so that it becomes a secondary DNS server to BIG-IP GTM. Ensure that the IP address of the DNS server does not conflict with the self IP address that you added to the BIG-IP GTM server object. Note: If you are unfamiliar with how to change a DNS server from a primary to a secondary, refer to the fifth edition of DNS and BIND, available from O Reilly Media. Remove the legacy DNS server from your network. BIG-IP GTM is now the authoritative name server for the zone. The root servers for the zone do not need to be updated, because the IP address of the legacy DNS server was added to BIG-IP GTM. Creating listeners to identify DNS traffic Create two listeners to identify the DNS traffic, which was previously handled by the DNS server, for which BIG-IP GTM is now responsible. Create one listener that uses the UDP protocol and one that uses the TCP protocol. 24

25 BIG-IP Global Traffic Manager : Implementations Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP the client may receive the error: connection refused or TCP RSTs. 1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens. 2. Click Create. The new Listeners screen opens. 3. In the Destination field, type the IP address previously used by the legacy DNS server. 4. From the VLAN Traffic list, select All VLANs. 5. From the Protocol list, select UDP. 6. Click Finished. Create another listener with the same IP address, but select TCP from the Protocol list. Implementation results BIG-IP GTM replaces the legacy DNS server as the authoritative nameserver for the zone. BIG-IP GTM handles all incoming DNS traffic, whether destined for a wide IP or handled by the BIND instance on the system. 25

26 Replacing a DNS Server with BIG-IP GTM 26

27 Chapter 4 Sending Traffic Through BIG-IP GTM Topics: Overview: Configuring GTM to pass traffic to an existing DNS server Task summary Implementation results

28 Sending Traffic Through BIG-IP GTM Overview: Configuring GTM to pass traffic to an existing DNS server You can use BIG-IP Global Traffic Manager (GTM ) as a router or forwarder in front of an existing DNS server. With this setup, all DNS traffic flows through BIG-IP GTM. Listeners that you configure on BIG-IP GTM verify incoming DNS queries. If the query is for a wide IP, BIG-IP GTM load balances the request to the appropriate resource. If the query is for a destination that does not match a wide IP or for an IP address that is not configured on BIG-IP GTM, the system routes or forwards the query to the specified DNS server for resolution. When forwarding a query, BIG-IP GTM transforms the source address to a self IP address on BIG-IP GTM. This ensures that BIG-IP GTM returns responses through the system before forwarding the response to the client. Figure 3: Traffic flow through the BIG-IP GTM routing or forwarding traffic to DNS server 28

29 BIG-IP Global Traffic Manager : Implementations About listeners Listeners control how BIG-IP GTM handles network traffic. A listener is a specialized virtual server that is assigned a specific IP address. A wildcard listener is a special listener that is assigned an IP address of and DNS query port (port 53). When traffic is sent to the IP address of a listener, BIG-IP GTM either handles the traffic locally or sends the traffic to the appropriate resource. About Router mode When BIG-IP GTM is in Router mode, a listener alerts the system when it receives requests destined for a DNS server on a different subnet. BIG-IP GTM routes these requests to the specified DNS server. About Bridge mode When BIG-IP GTM is in Bridge mode, a listener alerts the system when it receives requests destined for a DNS server on the same network segment. The BIG-IP GTM forwards these requests to the specified DNS server. Task summary Perform these tasks to send traffic through BIG-IP GTM. Placing GTM on your network to forward traffic Creating a listener to forward traffic to a DNS server on a different network segment Creating a listener to forward traffic to a DNS server on the same network segment Placing GTM on your network to forward traffic You need to determine to which DNS server you want this BIG-IP GTM system to forward traffic. Now you want to place BIG-IP GTM between the existing DNS server and the Internet. 1. Physically connect BIG-IP GTM to your Internet connection. 2. Connect the DNS server to an Ethernet port on BIG-IP GTM. Creating a listener to forward traffic to a DNS server on a different network segment You need to determine to which DNS server you want this listener to forward traffic. 1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens. 2. Click Create. The new Listeners screen opens. 3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is the IP address of a DNS server to which you want the listener to route traffic. 29

30 Sending Traffic Through BIG-IP GTM Important: The destination must not match a self IP address on BIG-IP GTM. 4. From the VLAN Traffic list, select All VLANs. 5. Click Finished. Creating a listener to forward traffic to a DNS server on the same network segment You need to determine to which DNS server you want this listener to forward traffic. 1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens. 2. Click Create. The new Listeners screen opens. 3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is the IP address of a DNS server to which you want the listener to forward traffic. Important: The destination must not match a self IP address on BIG-IP GTM. 4. From the VLAN Traffic list, select All VLANs. 5. Click Finished. Implementation results You now have an implementation in which BIG-IP GTM receives all DNS queries. If the query is for a wide IP, BIG-IP GTM load balances the request to the appropriate resource. If the query is for an IP address of a DNS server, BIG-IP GTM either routes or forwards the query to the DNS server for resolution. 30

31 Chapter 5 Load Balancing Non-Wide IP DNS Traffic to a Pool of DNS Servers Topics: Overview: Load balancing non-wide IP traffic to a pool of DNS servers Task summary Implementation results

32 Load Balancing Non-Wide IP DNS Traffic to a Pool of DNS Servers Overview: Load balancing non-wide IP traffic to a pool of DNS servers BIG-IP Global Traffic Manager (GTM ) can function as a load balancer in front of a pool of DNS servers. In this situation, BIG-IP GTM checks incoming DNS queries and if the query is for a wide IP, load balances it to the appropriate resource. Otherwise, BIG-IP GTM forwards the DNS query to one of the servers in a pool of DNS servers, and that server handles the query. About listeners Listeners control how BIG-IP GTM handles network traffic. A listener is a specialized virtual server that is assigned a specific IP address. A wildcard listener is a special listener that is assigned an IP address of and DNS query port (port 53). When traffic is sent to the IP address of a listener, BIG-IP GTM either handles the traffic locally or sends the traffic to the appropriate resource. Task summary Perform these tasks to load balance non-wide IP traffic to a pool of DNS servers. Creating a pool of local DNS servers Creating a listener that alerts GTM to DNS queries for a pool of DNS servers Creating a pool of local DNS servers Gather the IP addresses of the DNS servers that you want to include in a pool to which BIG-IP GTM load balances DNS traffic. 1. Log on to the command line interface of BIG-IP GTM. 2. Type tmsh, to access the Traffic Management Shell. 3. Run a variation on this command sequence to create a pool using the IP addresses of the DNS servers on your network: create /ltm pool DNS_pool members add { :domain :domain :domain } monitor udp When you run the above example command, the system creates a BIG-IP LTM pool named DNS_pool that includes three DNS servers with the following IP addresses , , and A UDP monitor is assigned to the pool to determine the availability of the pool members. 4. Run this command sequence to save the pool: save /sys config 5. Run this command sequence to display the pool: list /ltm pool 6. Verify that the pool is configured correctly. Creating a listener that alerts GTM to DNS queries for a pool of DNS servers Configure a listener that alerts BIG-IP GTM to DNS queries destined for DNS servers that are members of a pool. 1. Log on to the command line interface of BIG-IP GTM. 32

33 BIG-IP Global Traffic Manager : Implementations 2. Type tmsh, to access the Traffic Management Shell. 3. Run this command sequence to create a listener: create /gtm listener DNS_listener address ip-protocol udp pool DNS_pool translate-address enabled When you run the above example command, the system creates a listener named DNS_pool with an IP address of that alerts BIG-IP GTM to queries destined for the members of DNS_pool. 4. Run this command sequence to save the listener: save /sys config 5. Run this command sequence to display the listener: list /gtm listener The system displays the new listener configuration. Implementation results You now have an implementation in which BIG-IP GTM receives DNS queries, load balances wide IP requests to the appropriate resource, and load balances all other DNS queries to the members of the pool of DNS servers. 33

34 Load Balancing Non-Wide IP DNS Traffic to a Pool of DNS Servers 34

35 Chapter 6 Load Balancing DNS Traffic Between IPv-6 Only and IPv-4 Only Clouds Topics: Overview: Load balancing IPv6-only connection requests to IPv4-only servers Task summary Implementation results

36 Load Balancing DNS Traffic Between IPv-6 Only and IPv-4 Only Clouds Overview: Load balancing IPv6-only connection requests to IPv4-only servers You can configure the BIG-IP Local Traffic Manager (LTM) and BIG-IP Global Traffic Manager (GTM) system to load balance IPv6-only client connection requests to IPv4-only servers on your network by returning an AAAA record response to the client. Task summary Perform these tasks to configure load balancing of IPv6-only connection requests to IPv4-only servers on your network. Creating a custom DNS profile Assigning a DNS profile to a virtual server Creating a custom DNS profile You can create a custom DNS profile to configure how the BIG-IP system handles DNS connection requests. 1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens. 2. Click Create. The New Fast L4 Profile screen opens. 3. In the Name field, type a name for the profile. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character. 4. In the Parent Profile list, accept the default dns profile. 5. Select the Custom check box. The fields in the Settings area become available for configuring. 6. In the Global Traffic Management list, accept the default value Enabled. 7. From the DNS IPv6 to IPv4 list, select how you want the system to handle IPv6 to IPv4 address mapping in DNS queries and responses. Option Disabled Immediate Secondary Description The BIG-IP system does not map IPv4 addresses to IPv6 addresses. The BIG-IP system forwards the first good response from the DNS server to the client. If the system receives an A response first, it appends a 96-bit prefix to the record and forwards it to the client. If the system receives an AAAA response first, it simply forwards the response to the client. The system disregards the second response from the DNS server. The BIG-IP system sends an AAAA query to the DNS server. Only if the response fails, does the BIG-IP system send an A query. If the BIG-IP system receives an A response, it appends a 96-bit user-configured prefix to the record and forwards it to the client. 36

37 BIG-IP Global Traffic Manager : Implementations Option v4 Only Description The BIG-IP system receives an AAAA query and translates it into an A query and forwards the query to a DNS server. After receiving the response, the system appends a 96-bit user-configured prefix to the record and forwards it to the IPv6 client. Important: Select this option only if you know that no DNS AAAA queries will be sent to the BIG-IP system. If you selected Immediate, Secondary, or V4 Only two new fields display. 8. In the IPv6 to IPv4 Prefix field, specify the prefix the BIG-IP system appends to all A query responses to an IPv6 request. 9. From the IPv6 to IPv4 Additional Section Rewrite list, select an option to allow improved network efficiency for both Unicast and Multicast DNS-SD responses. Option Disabled v4 Only v6 Only Any Description The BIG-IP system does not perform additional rewrite. The BIG-IP system accepts only A records. The system appends the 96-bit user-configured prefix to a record and returns an IPv6 response to the client. The BIG-IP system accepts only AAAA records and returns those records to the client. The BIG-IP system accepts and returns both A and AAAA records. If the DNS server returns an A record in the Additional section of a DNS message, the BIG-IP system appends the 96-bit user-configured prefix to the record and returns an IPv6 response to the client. 10. From the Use BIND Server on BIG-IP list, select Enabled. Note: Enable this setting only when you want the system to forward non-wide IP queries to the local BIND server on BIG-IP GTM. 11. Click Finished. Assigning a DNS profile to a virtual server 1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers. 2. Click the name of the virtual server you want to modify. 3. From the DNS Profile list, select the profile you created to manage IPv6 to IPv4 address mapping. 4. Click Update. This virtual server can now pass traffic between an IPv6-only client and an IPv4-only DNS server. 37

38 Load Balancing DNS Traffic Between IPv-6 Only and IPv-4 Only Clouds Implementation results You now have an implementation in which the BIG-IP system handles connection requests from an IPv6-only client to an IPv4-only server. 38

39 Chapter 7 Configuring GTM on a Network with One Route Domain Topics: Overview: How do I deploy BIG-IP GTM on a network with one route domain? Task summary Implementation results

40 Configuring GTM on a Network with One Route Domain Overview: How do I deploy BIG-IP GTM on a network with one route domain? You can deploy BIG-IP Global Traffic Manager (GTM ) on a network where BIG-IP Local Traffic Manager (LTM ) is configured with one route domain and no overlapping IP addresses. Caution: F5 Networks does not support the configuration of route domains on a standalone BIG-IP GTM. Figure 4: BIG-IP GTM deployed on a network in front of a BIG-IP LTM configured with a route domain Task summary BIG-IP GTM can gather status and statistics for the virtual servers hosted on BIG-IP Local Traffic Manager (LTM) systems on your network that are configured on a route domain. The BIG-IP LTM systems must contain: VLANs through which traffic for the route domain passes. 40

41 BIG-IP Global Traffic Manager : Implementations A self IP address that represents the address space of the route domain. Additionally, BIG-IP GTM must contain a server object for each route domain. The server objects must be configured with a self IP address that represents the address space of the route domain. Perform the specified tasks to configure BIG-IP LTM systems with a route domain, and then to configure BIG-IP GTM to be able to monitor these systems. Creating VLANs for a route domain on BIG-IP LTM Creating a route domain on BIG-IP LTM Creating a self IP address for a route domain on BIG-IP LTM Defining a server for a route domain on BIG-IP GTM Creating VLANs for a route domain on BIG-IP LTM You need to create two VLANs on BIG-IP Local Traffic Manager (LTM ) through which traffic can pass to a route domain. 1. On the Main tab, click Network > VLANs. The VLAN List screen opens. 2. Click Create. The New VLAN screen opens. 3. In the Name field, type external. 4. In the Tag field, type a numeric tag, from 1 to 4094, for the VLAN. Leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag. The VLAN tag identifies the traffic from hosts in the associated VLAN. 5. For the Interfaces setting, in the Available list, click an interface number or trunk name and add the selected interface or trunk to the Untagged list. Repeat this step as necessary. 6. Select the Source Check check box if you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated. 7. Click Finished. The screen refreshes, and displays the new VLAN in the list. Repeat this procedure, but in Step 3, name the VLAN internal. Creating a route domain on BIG-IP LTM Ensure that an external and internal VLAN exist on BIG-IP LTM, before you create a route domain. You can create a route domain on BIG-IP LTM to segment (isolate) network traffic on your network. 1. On the Main tab, click Network > Route Domains. 2. Click Create. The New Route Domain screen opens. 3. Type an ID number for the route domain. This is the ID number that you will append later to any relevant IP addresses that you create on the BIG-IP system, such as virtual addresses, pool member addresses, and self IP addresses. 4. In the Description field, type a description of the route domain. This route domain applies to traffic for application MyApp. 5. In the Strict Isolation area, select the Enabled check box to restrict traffic in this route domain from crossing into another route domain. 41

42 Configuring GTM on a Network with One Route Domain 6. From the Parent Name list, retain the default value. 7. For the VLANs setting, move the external and internal VLANs from the Available list, to the Members list. 8. Click Finished. The system displays a list of route domains on the BIG-IP system. Creating a self IP address for a route domain on BIG-IP LTM Ensure that external and internal VLANs exist on BIG-IP LTM, before you begin creating a self IP address for a route domain. Create a self IP address on BIG-IP LTM that resides in the address space of the route domain. 1. On the Main tab, click Network > Self IPs. 2. Click Create. The New Self IP screen opens. 3. In the IP Address field, type an IP address. This IP address must represent a self IP address in a route domain. Use the format x.x.x.x%n, where n is the route domain ID, for example, %1. The system accepts IP addresses in both the IPv4 and IPv6 formats. 4. In the Netmask field, type the network mask for the specified IP address. 5. From the VLAN/Tunnel list, select external. 6. From the Port Lockdown list, select Allow Default. 7. Click Finished. The screen refreshes, and displays the new self IP address in the list. Repeat this procedure, but in Step 5, select VLAN internal. Defining a server for a route domain on BIG-IP GTM On a BIG-IP GTM system, define a server that represents the route domain. 1. On the Main tab, click Global Traffic > Servers. The Server List screen opens. 2. Click Create. The New Server screen displays. 3. In the Name field, type a name for the server. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character. Important: Server names are limited to 63 characters. 4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant). The server type determines the metrics that the system can collect from the server. 5. In the Address List area, add the self IP address that you assigned to the VLAN that you assigned to the route domain. Important: Do not include the route domain ID in this IP address. Use the format x.x.x.x, for example,

43 BIG-IP Global Traffic Manager : Implementations 6. From the Data Center list, select the data center where the server resides. 7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list. 8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system. Virtual server discovery is supported when you have only one route domain. Options Disabled Enabled Enabled (No Delete) Description Use this option when you plan to manually add virtual servers to the system. The system automatically adds virtual servers using the discovery feature. The system uses the discovery feature and does not delete any virtual servers that already exist. 9. Click Create. The Server List screen opens displaying the new server in the list. Implementation results You now have an implementation in which BIG-IP GTM can monitor virtual servers on BIG-IP LTM systems configured with one route domain. 43

44 Configuring GTM on a Network with One Route Domain 44

45 Chapter 8 Configuring GTM on a Network with Multiple Route Domains Topics: Overview: How do I deploy BIG-IP GTM on a network with multiple route domains? Task summary Implementation results

46 Configuring GTM on a Network with Multiple Route Domains Overview: How do I deploy BIG-IP GTM on a network with multiple route domains? You can deploy BIG-IP Global Traffic Manager (GTM) on a network where BIG-IP Local Traffic Manager (LTM) systems are configured with multiple route domains and overlapping IP addresses. Important: On a network with route domains, you must ensure that virtual server discovery (autoconf) is disabled, because virtual server discovery does not discover translation IP addresses. Caution: F5 Networks does not support the configuration of route domains on a standalone BIG-IP GTM. The following figure shows BIG-IP GTM deployed in a network with multiple BIG-IP Local Traffic Manager (LTM) systems configured with the default route domain (zero), and two additional route domains. BIG-IP GTM can monitor the Application1 and Application2 servers that have overlapping IP addresses and reside in different route domains. The firewalls perform the required address translation between the BIG-IP GTM and BIG-IP LTM addresses; you must configure the firewalls to segment traffic and avoid improperly routing packets between route domain 1 and route domain 2. 46