BIG-IP Global Traffic Manager : Implementations. Version 11.3

BIG-IP Global Traffic Manager : Implementations Version 11.3

Table of Contents Table of Contents Legal Notices...11 Acknowledgments...13 Chapter 1: Upgrading BIG-IP GTM to Version 11.x...17 Converting a statistics collection server to a Prober pool automatically...18 Chapter 2: Sending Traffic Through BIG-IP GTM...19 Overview: Configuring GTM to screen traffic to an existing DNS server...20 About listeners...20 About wildcard listeners...20 Task summary...21 Placing GTM on your network to forward traffic...21 Creating a listener to forward traffic to a DNS server...21 Creating a wide IP...21 Implementation result...22 Chapter 3: Replacing a DNS Server with BIG-IP GTM...23 Overview: Replacing a DNS server with BIG-IP GTM...24 About listeners...24 Task summary...24 Configuring a back-end DNS server to allow zone file transfers...25 Acquiring zone files from the legacy DNS server...25 Creating a self IP address using the IP address of the legacy DNS server...25 Designating GTM as the primary server for the zone...26 Creating listeners to alert GTM to DNS traffic destined for the system...26 Creating a wide IP...27 Implementation result...27 Chapter 4: Load Balancing Non-Wide IP DNS Traffic to a Pool of DNS Servers...29 Overview: Screening and forwarding non-wide IP traffic to a pool of DNS servers...30 About listeners...30 Task summary...30 Creating a pool of local DNS servers...31 Creating a listener that alerts GTM to DNS queries for a pool of DNS servers...31 Implementation result...31 Chapter 5: Delegating DNS Traffic to Wide IPs...33 Overview: Delegating DNS traffic to wide IPs...34 3

Table of Contents About listeners...34 Task summary...34 Creating a delegated zone on a local DNS server...35 Creating a listener to handle traffic for wide IPs...35 Implementation result...35 Chapter 6: Integrating BIG-IP GTM with Other BIG-IP Systems...37 Overview: Integrating GTM with older BIG-IP systems on a network...38 About iquery and communications between BIG-IP systems...38 Task summary...38 Defining a data center...38 Defining BIG-IP GTM systems...39 Defining BIG-IP LTM systems...40 Running the big3d_install script...41 Implementation result...42 Chapter 7: Integrating BIG-IP LTM with BIG-IP GTM Systems...43 Overview: Integrating LTM systems with GTM systems on a network...44 Task summary...44 Defining a data center...44 Defining BIG-IP GTM systems...45 Defining BIG-IP LTM systems...46 Running the bigip_add utility...47 Implementation result...47 Chapter 8: Ensuring Correct Synchronization When Adding GTM to a Network...49 Overview: Ensuring correct synchronization when adding GTM to a network...50 About configuration synchronization...50 About adding an additional BIG-IP GTM to your network...50 Task summary...50 Defining an NTP server on the existing GTM...51 Enabling synchronization on the existing GTM...51 Creating a data center on the existing GTM...51 Defining a server on the existing GTM...52 Running the gtm_add script on the new GTM...53 Implementation result...53 Chapter 9: Configuring BIG-IP GTM VIPRION Systems...55 Overview: Configuring BIG-IP GTM VIPRION systems...56 Configuring virtual server status for clusters...56 Chapter 10: Setting Up a BIG-IP GTM Redundant System Configuration...57 Overview: Configuring a BIG-IP GTM redundant system...58 4

Table of Contents Task summary...58 Defining an NTP server...58 Creating listeners to identify DNS traffic...59 Defining a data center...59 Defining a server...60 Enabling global traffic configuration synchronization...60 Running the gtm_add script...61 Chapter 11: Configuring GTM on a Network with One Route Domain...63 Overview: How do I deploy BIG-IP GTM on a network with one route domain?...64 Task summary...64 Creating VLANs for a route domain on BIG-IP LTM...65 Creating a route domain on the BIG-IP system...65 Creating a self IP address for a route domain on BIG-IP LTM...66 Defining a server for a route domain on BIG-IP GTM...67 Implementation result...67 Chapter 12: Configuring GTM on a Network with Multiple Route Domains...69 Overview: How do I deploy BIG-IP GTM on a network with multiple route domains?...70 Task summary...71 Creating VLANs for a route domain on BIG-IP LTM...72 Creating a route domain on BIG-IP LTM...72 Creating a self IP address for a route domain on BIG-IP LTM...73 Disabling auto-discovery at the global-level on BIG-IP GTM...73 Defining a server for a route domain on BIG-IP GTM...73 Implementation result...74 Chapter 13: Authenticating with SSL Certificates Signed by a Third Party...75 Overview: Authenticating with SSL certificates signed by a third party...76 About SSL authentication levels...76 Configuring Level 1 SSL authentication...76 Importing the device certificate...76 Importing the root certificate for the gtmd agent...77 Importing the root certificate for the big3d agent...77 Verifying the certificate exchange...77 Implementation Results...78 Configuring certificate chain SSL authentication...78 Creating a certificate chain file...78 Importing the device certificate from the last CA server in the chain...78 Importing a certificate chain file for the gtmd agent...79 Importing a certificate chain for the big3d agent...79 Verifying the certificate chain exchange...79 Implementation result...80 5

Table of Contents Chapter 14: Configuring the Save Interval for GTM Configuration Changes...81 Overview: Configuring the interval at which GTM saves configuration changes...82 Task summary...82 Configuring the GTM save interval...82 Implementation result...82 Chapter 15: Configuring a TTL in a DNS NoError Response...83 Overview: Configuring a TTL in an IPv6 DNS NoError Response...84 About SOA records and negative caching...84 Task summary...84 Creating a pool...84 Creating a wide IP that provides for negative caching...85 Implementation result...85 Chapter 16: Configuring DNS64...87 Overview: Configuring DNS64...88 Task summary...88 Creating a custom DNS profile...88 Assigning a DNS profile to a virtual server...89 Implementation result...90 Chapter 17: Configuring DNSSEC...91 Overview: Configuring DNSSEC...92 How do I prepare for a manual rollover of a DNSSEC key?...92 About enhancing DNSSEC key security...92 Task summary...93 Creating listeners to identify DNS traffic...93 Creating DNSSEC key-signing keys...94 Creating DNSSEC zone-signing keys...95 Creating DNSSEC zones...96 Confirming that GTM is signing DNSSEC records...97 Viewing DNSSEC records in ZoneRunner...97 Implementation result...97 Chapter 18: Configuring DNS Express...99 How do I configure DNS Express?...100 What is DNS Express?...100 Task summary...100 Configuring a back-end DNS server to allow zone file transfers...100 Creating a DNS Express TSIG key...100 Creating a DNS Express zone...101 Enabling DNS Express...102 6

Table of Contents Assigning a DNS profile to a listener...103 Viewing information about DNS Express zones...103 Implementation result...103 Chapter 19: Caching DNS Responses from External Resolvers...105 Overview: Improving DNS performance by caching responses from external resolvers...106 Task summary...106 Creating a transparent DNS cache...107 Creating a custom DNS profile for transparent DNS caching...107 Assigning a custom DNS profile to a GTM listener...108 Creating a custom DNS monitor...108 Creating a pool of local DNS servers...108 Determining DNS cache performance...109 Clearing a DNS cache...110 Implementation result...111 Chapter 20: Resolving DNS Queries and Caching Responses...113 Overview: Improving DNS performance by resolving queries and caching responses...114 Task summary...115 Creating a resolver DNS cache...115 Creating a custom DNS profile for DNS resolving and caching...115 Assigning a custom DNS profile to a GTM listener...116 Determining DNS cache performance...116 Clearing a DNS cache...118 Implementation result...118 Chapter 21: Resolving DNS Queries and Caching Validated Responses...119 Overview: Resolving queries and caching validated responses...120 Task summary...121 Creating a validating resolver DNS cache...121 Creating a custom DNS profile for validating resolver DNS caching...122 Assigning a custom DNS profile to a GTM listener...123 Determining DNS cache performance...123 Clearing a DNS cache...125 Implementation result...126 Chapter 22: Customizing a DNS Cache...127 Overview: Customizing a DNS cache...128 Configuring a DNS cache to answer queries for local zones...128 Configuring a DNS cache to use specific root nameservers...128 Configuring a DNS cache alert for cache poisoning...128 7

Table of Contents Chapter 23: Configuring IP Anycast (Route Health Injection)...131 Overview: Configuring IP Anycast (Route Health Injection)...132 Task summary...132 Enabling the ZebOS dynamic routing protocol...132 Creating a custom DNS profile...132 Configuring a listener for route advertisement...133 Verifying advertisement of the route...134 Implementation result...134 Chapter 24: Redirecting a DNS Query Using a Wide IP with a CNAME Pool...135 Overview: Redirecting DNS queries using a wide IP with a CNAME pool...136 About CNAME records...136 Task summary...136 Creating a pool using a CNAME...136 Creating a wide IP with a CNAME pool...137 Implementation result...137 Chapter 25: Monitoring Third-Party Servers with SNMP...139 Overview: SNMP monitoring of third-party servers...140 Task summary...140 Creating an SNMP monitor...140 Defining a third-party host server that is running SNMP...140 Implementation result...141 Chapter 26: Configuring Remote High-Speed DNS Logging...143 Overview: Configuring remote high-speed DNS logging...144 Task summary...145 Creating a pool of remote logging servers...146 Creating a remote high-speed log destination...146 Creating a formatted remote high-speed log destination...147 Creating a publisher...147 Creating a custom DNS Logging profile for logging DNS queries...147 Creating a custom DNS Logging profile for logging DNS responses...148 Creating a custom DNS Logging profile for logging DNS queries and responses...148 Creating a custom DNS profile to enable DNS logging...149 Configuring a GTM listener for DNS logging...149 Disabling DNS logging...149 Implementation result...150 Chapter 27: Configuring Device-Specific Probing and Statistics Collection...151 Overview: Configuring device-specific probing and statistics collection...152 8

Table of Contents About Prober pools...152 About Prober pool status...153 About Prober pool statistics...153 Task summary...154 Creating a Prober pool...154 Assigning a Prober pool to a data center...154 Assigning a Prober pool to a server...155 Viewing Prober pool statistics and status...155 Determining which Prober pool member marked a resource down...156 Implementation result...156 Chapter 28: Setting Up and Viewing DNS Statistics...157 Overview: Setting up and viewing DNS statistics...158 Task summary...158 Creating a DNS profile for DNS AVR statistics collection...159 Configuring a GTM listener for DNS AVR statistics collection...159 Viewing DNS AVR statistics...159 Viewing DNS AVR statistics in tmsh...160 Viewing DNS global statistics...161 Viewing DNS statistics for a specific virtual server...161 Implementation result...161 Chapter 29: Diagnosing Network Connection Issues...163 Diagnosing network connection issues...164 Viewing iquery statistics...164 iquery statistics descriptions...164 9

Table of Contents 10

Legal Notices Publication Date This document was published on January 31, 2014. Publication Number MAN-0388-02 Copyright Copyright 2012-2014, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice. Trademarks Access Policy Manager, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, BIG-IQ, Cloud Extender, CloudFucious, Cloud Manager, Clustered Multiprocessing, CMP, COHESION, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, ELEVATE, EM, Enterprise Manager, ENGAGE, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, GUARDIAN, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iapps, icontrol, ihealth, iquery, irules, irules OnDemand, isession, L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Manager, MSM, OneConnect, OpenBloX, OpenBloX [DESIGN], Packet Velocity, Policy Enforcement Manager, PEM, Protocol Security Manager, PSM, Real Traffic Policy Builder, Rosetta Diameter Gateway, Scale N, Signaling Delivery Controller, SDC, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, Traffix Diameter Load Balancer, Traffix Systems, Traffix Systems (DESIGN), Transparent Data Reduction, UNITY, VAULT, VIPRION, vcmp, virtual Clustered Multiprocessing, WA, WAN Optimization Manager, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent. All other product and company names herein may be trademarks of their respective owners. Patents This product may be protected by U.S. Patents 6,374,300; 6,473,802; 6,970,733; 7,047,301; 7,707,289. This list is believed to be current as of January 31, 2014. Export Regulation Notice This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States. RF Interference Warning This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

Legal Notices FCC Compliance This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference. Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules. Canadian Regulatory Compliance This Class A digital apparatus complies with Canadian ICES-003. Standards Compliance This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture. 12

Acknowledgments This product includes software developed by Gabriel Forté. This product includes software developed by Bill Paul. This product includes software developed by Jonathan Stone. This product includes software developed by Manuel Bouyer. This product includes software developed by Paul Richards. This product includes software developed by the NetBSD Foundation, Inc. and its contributors. This product includes software developed by the Politecnico di Torino, and its contributors. This product includes software developed by the Swedish Institute of Computer Science and its contributors. This product includes software developed by the University of California, Berkeley and its contributors. This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory. This product includes software developed by Christopher G. Demetriou for the NetBSD Project. This product includes software developed by Adam Glass. This product includes software developed by Christian E. Hopps. This product includes software developed by Dean Huxley. This product includes software developed by John Kohl. This product includes software developed by Paul Kranenburg. This product includes software developed by Terrence R. Lambert. This product includes software developed by Philip A. Nelson. This product includes software developed by Herb Peyerl. This product includes software developed by Jochen Pohl for the NetBSD Project. This product includes software developed by Chris Provenzano. This product includes software developed by Theo de Raadt. This product includes software developed by David Muir Sharnoff. This product includes software developed by SigmaSoft, Th. Lockert. This product includes software developed for the NetBSD Project by Jason R. Thorpe. This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com. This product includes software developed for the NetBSD Project by Frank Van der Linden. This product includes software developed for the NetBSD Project by John M. Vinopal. This product includes software developed by Christos Zoulas. This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman. This product includes software developed by Balazs Scheidler (bazsi@balabit.hu), which is protected under the GNU Public License.

Acknowledgments This product includes software developed by Niels Mueller (nisse@lysator.liu.se), which is protected under the GNU Public License. In the following statement, This software refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with 386BSD and similar operating systems. Similar operating systems includes mainly non-profit oriented systems for research and education, including but not restricted to NetBSD, FreeBSD, Mach (by CMU). This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/). This product includes software licensed from Richard H. Porter under the GNU Library General Public License ( 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html. This product includes the standard version of Perl software licensed under the Perl Artistic License ( 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at http://www.perl.com. This product includes software developed by Jared Minch. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product contains software based on oprofile, which is protected under the GNU Public License. This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html) and licensed under the GNU General Public License. This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL). This product includes software developed by the Apache Software Foundation (http://www.apache.org/). This product includes Hypersonic SQL. This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others. This product includes software developed by the Internet Software Consortium. This product includes software developed by Nominum, Inc. (http://www.nominum.com). This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License. This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation. This product includes Intel QuickAssist kernel module, library, and headers software licensed under the GNU General Public License (GPL). This product includes software licensed from Gerald Combs (gerald@wireshark.org) under the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or any later version. Copyright 1998 Gerald Combs. This product includes software developed by Thomas Williams and Colin Kelley. Copyright 1986-1993, 1998, 2004, 2007 Permission to use, copy, and distribute this software and its documentation for any purpose with or without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Permission to modify the software is granted, but not the right to distribute the complete modified source code. Modifications are to be distributed as patches to the released version. Permission to distribute binaries produced by compiling modified sources is granted, provided you 14

BIG-IP Global Traffic Manager : Implementations 1. distribute the corresponding source modifications from the released version in the form of a patch file along with the binaries, 2. add special version identification to distinguish your version in addition to the base release version number, 3. provide your name and address as the primary contact for the support of your modified version, and 4. retain our contact information in regard to use of the base software. Permission to distribute the released version of the source code along with corresponding source modifications in the form of a patch file is granted with same provisions 2 through 4 for binary distributions. This software is provided "as is" without express or implied warranty to the extent permitted by applicable law. This product contains software developed by Google, Inc. Copyright 2011 Google, Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. This product includes software developed by Digital Envoy, Inc. 15

Chapter 1 Upgrading BIG-IP GTM to Version 11.x Converting a statistics collection server to a Prober pool automatically

Upgrading BIG-IP GTM to Version 11.x Converting a statistics collection server to a Prober pool automatically In version 10.2 of BIG-IP Global Traffic Manager (GTM ), you could assign a single BIG-IP system to probe a server to gather health and performance data. You did this by specifying the IP address of the BIG-IP system (which you chose to perform probes of the server) in the Statistics Collection Server field of the server. In version 11.0, this feature was replaced by the Prober pool feature. When you upgrade from version 10.2.x to version 11.x, if a single BIG-IP system was assigned to probe a server, BIG-IP GTM converts the single server to a Prober pool with one member, and then assigns the Prober pool to the server to which the Statistics Collection server was originally assigned. The name of the new Prober pool is based on the IP address of the original Statistics Collection server. If the original Statistics Collection server had an IP address of 10.10.2.3, the name of the automatically created Prober pool is prober_pool_10_10_2_3. 18

Chapter 2 Sending Traffic Through BIG-IP GTM Overview: Configuring GTM to screen traffic to an existing DNS server Task summary Implementation result

Sending Traffic Through BIG-IP GTM Overview: Configuring GTM to screen traffic to an existing DNS server You can use BIG-IP Global Traffic Manager (GTM ) as a traffic screener in front of an existing DNS server. With this setup, all DNS traffic flows through BIG-IP GTM. Listeners that you configure on BIG-IP GTM verify incoming DNS queries. If the query is for a wide IP, BIG-IP GTM resolves the request. If the query is for a destination that does not match a wide IP or for an IP address that is not configured on BIG-IP GTM, the system forwards the query to the specified DNS server for resolution. When forwarding a query, BIG-IP GTM transforms the source address to a self IP address on BIG-IP GTM. Figure 1: Traffic flow when BIG-IP GTM screens traffic to a DNS server About listeners A listener is a specialized virtual server that uses port 53 and to which you assign a specific IP address. When a DNS name resolution request is sent to the IP address of a listener, BIG-IP GTM either handles the request locally or forwards the request to the appropriate resource. About wildcard listeners A wildcard listener is a special listener that is assigned an IP address of 0.0.0.0 and the DNS query port (port 53). When you want BIG-IP GTM to respond to DNS name resolution requests coming into your network, regardless of the destination IP address of the given request, you create a wildcard listener. BIG-IP GTM responds not only to wide IP requests, but also forwards other DNS name resolution requests to other DNS servers. 20

BIG-IP Global Traffic Manager : Implementations Task summary Perform these tasks to send traffic through BIG-IP GTM. Placing GTM on your network to forward traffic Creating a listener to forward traffic to a DNS server Creating a wide IP Placing GTM on your network to forward traffic Determine to which DNS server you want BIG-IP GTM to forward traffic. Place GTM on your network between LDNS servers and clients making DNS name resolution requests. 1. Physically connect GTM to your Internet connection. 2. Connect the LDNS to an Ethernet port on GTM (optional). 3. Connect the LDNS to a switch. Creating a listener to forward traffic to a DNS server Determine to which DNS server you want this listener to forward traffic. Create a listener that alerts the BIG-IP system to traffic destined for a DNS server. 1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens. 2. Click Create. The new Listeners screen opens. 3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is the IP address of a DNS server to which you want the listener to route traffic. Important: The destination must not match a self IP address on BIG-IP GTM. 4. From the VLAN Traffic list, select All VLANs. 5. Click Finished. Creating a wide IP Ensure that at least one load balancing pool exists in the configuration before you start creating a wide IP. Create a wide IP to map a FQDN to one or more pools of virtual servers that host the content of the domain. 1. On the Main tab, click Global Traffic > Wide IPs. The Wide IPs List screen opens. 2. Click Create. The New Wide IP screen opens. 3. In the Name field, type a name for the wide IP. 21

Sending Traffic Through BIG-IP GTM Tip: You can use two different wildcard characters in the wide IP name: asterisk (*) to represent several characters and question mark (?) to represent a single character. This reduces the number of aliases you have to add to the configuration. 4. From the Pool list, select the pools that this wide IP uses for load balancing. The system evaluates the pools based on the wide IP load balancing method configured. a) From the Pool list, select a pool. A pool can belong to more than one wide IP. b) Click Add. 5. Click Finished. Implementation result You now have an implementation in which BIG-IP GTM receives all DNS queries. If the query is for a wide IP, BIG-IP GTM load balances the request to the appropriate resource. If the query is for an IP address of a DNS server, BIG-IP GTM either routes or forwards the query to the DNS server for resolution. 22

Chapter 3 Replacing a DNS Server with BIG-IP GTM Overview: Replacing a DNS server with BIG-IP GTM Task summary Implementation result

Replacing a DNS Server with BIG-IP GTM Overview: Replacing a DNS server with BIG-IP GTM BIG-IP Global Traffic Manager (GTM ) load balances incoming wide IP traffic to your network resources. BIG-IP GTM can also replace a local DNS server as the authoritative nameserver for wide IPs, zones, and all other DNS-related traffic. You can configure BIG-IP GTM to replace the DNS server that currently manages www.siterequest.com. BIG-IP GTM becomes the authoritative nameserver for www.siterequest.com and load balances traffic across the web-based applications store.siterequest.com and checkout.siterequest.com. Figure 2: Traffic flow when BIG-IP GTM replaces DNS server About listeners A listener is a specialized virtual server that uses port 53 and to which you assign a specific IP address. When a DNS name resolution request is sent to the IP address of a listener, BIG-IP GTM either handles the request locally or forwards the request to the appropriate resource. Task summary Perform these tasks to replace a DNS server with BIG-IP GTM. Configuring a back-end DNS server to allow zone file transfers Acquiring zone files from the legacy DNS server Creating a self IP address using the IP address of the legacy DNS server Designating GTM as the primary server for the zone Creating listeners to alert GTM to DNS traffic destined for the system Creating a wide IP 24

BIG-IP Global Traffic Manager : Implementations Configuring a back-end DNS server to allow zone file transfers If you are unfamiliar with how to modify DNS server files, review the fifth edition of DNS and BIND, available from O Reilly Media. To configure a back-end DNS server to allow zone file transfers to the BIG-IP system, add to the DNS server an allow-transfer statement that specifies a self IP address on the BIG-IP system. You can modify the following allow-transfer statement to use a self IP address on the BIG-IP system: allow-transfer { localhost; <self IP address of BIG-IP system>; }; Acquiring zone files from the legacy DNS server Ensure that you have configured the legacy DNS server with an allow-transfer statement that authorizes zone transfers to BIG-IP GTM. For BIG-IP GTM to acquire zone files from the legacy DNS server, create a new zone. 1. On the Main tab, click Global Traffic > ZoneRunner > Zone List. The Zone List screen opens. 2. Click Create. The New Zone screen opens. 3. From the View Name list, select the view that you want this zone to be a member of. The default view is external. 4. In the Zone Name field, type a name for the zone file in this format, including the trailing dot: db.[viewname].[zonename]. For example, db.external.siterequest.com. 5. From the Zone Type list, select Master. 6. From the Records Creation Method list, select Transfer from Server. 7. In the Source Server field, type the IP address of the DNS server (the server from which you want BIG-IP GTM to acquire zone files). 8. Click Finished. Creating a self IP address using the IP address of the legacy DNS server To avoid a conflict on your network, unplug BIG-IP GTM from the network. When you want BIG-IP GTM to handle DNS traffic previously handled by a DNS server, create a self IP address on BIG-IP GTM using the IP address of the legacy DNS server. 1. On the Main tab, click Network > Self IPs. The Self IPs screen opens. 2. Click Create. The New Self IP screen opens. 3. In the Name field, type a unique name for the self IP. 4. In the IP Address field, type the IP address of the legacy DNS server. 25

Replacing a DNS Server with BIG-IP GTM The system accepts IPv4 and IPv6 addresses. 5. In the Netmask field, type the network mask for the specified IP address. 6. Click Finished. The screen refreshes, and displays the new self IP address in the list. Designating GTM as the primary server for the zone Ensure that you have created a self IP address on BIG-IP GTM using the IP address of the legacy DNS server. Add this self IP address to the BIG-IP GTM server object. Then modify the DNS server based on your network configuration. 1. Log on to BIG-IP GTM. 2. On the Main tab, click Global Traffic > Servers. The Server List screen opens. 3. Click the name of the BIG-IP GTM system that you want to modify. The server settings and values display. 4. In the Address List area, add the new self IP address. 5. Click Update. 6. Do one of the following based on your network configuration: Modify the IP address of the legacy DNS server so that it becomes a secondary DNS server to BIG-IP GTM. Ensure that the IP address of the DNS server does not conflict with the self IP address that you added to the BIG-IP GTM server object. Note: If you are using BIND servers, and you are unfamiliar with how to change a DNS server from a primary to a secondary, refer to the fifth edition of DNS and BIND, available from O Reilly Media. Remove the legacy DNS server from your network. BIG-IP GTM is now the primary authoritative name server for the zone. The servers for the zone do not need to be updated, because the IP address of the legacy DNS server was assigned to BIG-IP GTM. Creating listeners to alert GTM to DNS traffic destined for the system To alert the BIG-IP GTM system to DNS traffic (previously handled by the DNS server), create two listeners: one that uses the UDP protocol, and one that uses the TCP protocol. Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP the client might receive the error: connection refused or TCP RSTs. 1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens. 2. Click Create. The new Listeners screen opens. 3. In the Destination field, type the IP address previously used by the legacy DNS server. 4. From the VLAN Traffic list, select All VLANs. 5. From the Protocol list, select UDP. 26

BIG-IP Global Traffic Manager : Implementations 6. Click Finished. Create another listener with the same IP address, but select TCP from the Protocol list. Creating a wide IP Ensure that at least one load balancing pool exists in the configuration before you start creating a wide IP. Create a wide IP to map a FQDN to one or more pools of virtual servers that host the content of the domain. 1. On the Main tab, click Global Traffic > Wide IPs. The Wide IPs List screen opens. 2. Click Create. The New Wide IP screen opens. 3. In the Name field, type a name for the wide IP. Tip: You can use two different wildcard characters in the wide IP name: asterisk (*) to represent several characters and question mark (?) to represent a single character. This reduces the number of aliases you have to add to the configuration. 4. From the Pool list, select the pools that this wide IP uses for load balancing. The system evaluates the pools based on the wide IP load balancing method configured. a) From the Pool list, select a pool. A pool can belong to more than one wide IP. b) Click Add. 5. Click Finished. Implementation result BIG-IP GTM replaces the legacy DNS server as the primary authoritative nameserver for the zone. BIG-IP GTM handles all incoming DNS traffic, whether destined for a wide IP or handled by the BIND instance on the system. 27

Chapter 4 Load Balancing Non-Wide IP DNS Traffic to a Pool of DNS Servers Overview: Screening and forwarding non-wide IP traffic to a pool of DNS servers Task summary Implementation result

Load Balancing Non-Wide IP DNS Traffic to a Pool of DNS Servers Overview: Screening and forwarding non-wide IP traffic to a pool of DNS servers BIG-IP Global Traffic Manager (GTM ) can function as a traffic screener in front of a pool of DNS servers. In this situation, BIG-IP GTM checks incoming DNS queries and if the query is for a wide IP, resolves the query. Otherwise, BIG-IP GTM forwards the DNS query to one of the servers in a pool of DNS servers, and that server handles the query. Figure 3: Traffic flow when BIG-IP GTM screens traffic to a pool of DNS servers About listeners A listener is a specialized virtual server that uses port 53 and to which you assign a specific IP address. When a DNS name resolution request is sent to the IP address of a listener, BIG-IP GTM either handles the request locally or forwards the request to the appropriate resource. Task summary Perform these tasks to screen non-wide IP traffic and forward the traffic to a pool of DNS servers. Creating a pool of local DNS servers Creating a listener that alerts GTM to DNS queries for a pool of DNS servers 30

BIG-IP Global Traffic Manager : Implementations Creating a pool of local DNS servers Ensure that at least one custom DNS monitor exists on the BIG-IP system. Gather the IP addresses of the DNS servers that you want to include in a pool to which the BIG-IP system load balances DNS traffic. Create a pool of local DNS servers when you want to load balance DNS requests to back end DNS servers. 1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens. 2. Click Create. The New Pool screen opens. 3. In the Name field, type a unique name for the pool. 4. For the Health Monitors setting, from the Available list, select the custom DNS monitor you created, and click << to move the monitor to the Active list. 5. Using the New Members setting, add each resource that you want to include in the pool: a) Either type an IP address in the Address field, or select a node address from the Node List. b) Type a port number in the Service Port field, or select a service name from the list. c) To specify a priority group, type a priority number in the Priority field. d) Click Add. 6. Click Finished. Creating a listener that alerts GTM to DNS queries for a pool of DNS servers Configure a listener that alerts BIG-IP GTM to DNS queries destined for DNS servers that are members of a pool. 1. Log on to the command-line interface of BIG-IP GTM. 2. Type tmsh, to access the Traffic Management Shell. 3. Run this command sequence to create a listener: create /gtm listener <name of listener> address <IP address on which you want the listener to alert GTM to DNS traffic> ip-protocol udp pool <name of pool> translate-address enabled The system creates a listener with the specified name and IP address that alerts BIG-IP GTM to queries destined for the members of the specified pool. 4. Run this command sequence to save the listener: save /sys config 5. Run this command sequence to display the listener: list /gtm listener The system displays the new listener configuration. Implementation result You now have an implementation in which BIG-IP GTM receives DNS queries, handles wide IP requests, and forwards all other DNS queries to members of the pool of DNS servers. 31

Chapter 5 Delegating DNS Traffic to Wide IPs Overview: Delegating DNS traffic to wide IPs Task summary Implementation result

Delegating DNS Traffic to Wide IPs Overview: Delegating DNS traffic to wide IPs BIG-IP Global Traffic Manager (GTM ) resolves DNS queries that match a wide IP name. BIG-IP GTM can work in conjunction with an existing DNS server on your network. In this situation, you configure the DNS server to delegate wide IP-related requests to BIG-IP GTM for name resolution. Figure 4: Traffic flow when DNS server delegates traffic to BIG-IP GTM This implementation focuses on the fictional company SiteRequest that recently purchased BIG-IP GTM to help resolve queries for two web-based applications: store.siterequest.com and checkout.siterequest.com. These applications are delegated zones of www.siterequest.com. Currently, a DNS server manages www.siterequest.com. SiteRequest administrators have already configured BIG-IP GTM with two wide IPs, www.store.siterequest.com and www.checkout.siterequest.com. These wide IPs correspond to the two web applications. About listeners A listener is a specialized virtual server that uses port 53 and to which you assign a specific IP address. When a DNS name resolution request is sent to the IP address of a listener, BIG-IP GTM either handles the request locally or forwards the request to the appropriate resource. Task summary Perform these tasks to delegate DNS traffic to wide IPs. Creating a delegated zone on a local DNS server Creating a listener to handle traffic for wide IPs 34

BIG-IP Global Traffic Manager : Implementations Creating a delegated zone on a local DNS server Determine which DNS servers will delegate wide IP-related requests to BIG-IP GTM. If you are using BIND servers and you are unfamiliar with how to modify the files on these servers, consider reviewing the fifth edition of DNS and BIND, available from O Reilly Media. In order for BIG-IP GTM to manage the web applications of store.siterequest.com and checkout.siterequest.com, you must create a delegated zone on the DNS server that manages www.wip.siterequest.com. Perform the following steps on the selected DNS server. 1. Create an address record (A record) that defines the domain name and IP address of each BIG-IP GTM in your network. 2. Create a nameserver record (NS record) that defines the delegated zone for which BIG-IP GTM is responsible. 3. Create canonical name records (CNAME records) to forward requests for store.siterequest.com and checkout.siterequest.com to the wide IPs store.siterequest.com and checkout.siterequest.com, respectively. A delegated zone for store.siterequest.com and checkout.siterequest.com exists on each DNS server on which you performed this procedure. Creating a listener to handle traffic for wide IPs Determine the self IP address of BIG-IP GTM. Create a listener on BIG-IP GTM that identifies the wide IP traffic for which BIG-IP GTM is responsible. 1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens. 2. Click Create. The new Listeners screen opens. 3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is a self IP address on BIG-IP GTM. 4. From the VLAN Traffic list, select All VLANs. 5. From the Protocol list, select either UDP or TCP. 6. Click Finished. Implementation result You now have an implementation of BIG-IP GTM in which the DNS server manages DNS traffic unless the query is for store.sitrequest.com or checkout.siterequest.com. When the DNS server receives these queries, it delegates them to BIG-IP GTM, which then load balances the queries to the appropriate wide IPs. 35

Chapter 6 Integrating BIG-IP GTM with Other BIG-IP Systems Overview: Integrating GTM with older BIG-IP systems on a network Task summary Implementation result

Integrating BIG-IP GTM with Other BIG-IP Systems Overview: Integrating GTM with older BIG-IP systems on a network You can add BIG-IP Global Traffic Manager (GTM ) systems to a network in which BIG-IP Local Traffic Manager (LTM ) systems are already present. This expands your load balancing and traffic management capabilities beyond the local area network. For this implementation to be successful, you must authorize communications between the systems. Note: The BIG-IP GTM systems in a synchronization group, and the BIG-IP LTM and BIG-IP Link Controller systems that are configured to communicate with the systems in the synchronization group must have TCP port 4353 open through the firewall between the systems. The BIG-IP systems connect and communicate through this port. About iquery and communications between BIG-IP systems The gtmd agent on BIG-IP Global Traffic Manager (GTM ) uses the iquery protocol to communicate with the local big3d agent, and the big3d agents installed on other BIG-IP systems. The gtmd agent monitors both the availability of the BIG-IP systems, and the integrity of the network paths between the systems that host a domain and the local DNS servers that attempt to connect to that domain. Figure 5: Communications between big3d and gtmd agents using iquery Task summary To authorize communications between BIG-IP systems, perform the following tasks on the BIG-IP GTM that you are adding to the network. Defining a data center Defining BIG-IP GTM systems Defining BIG-IP LTM systems Running the big3d_install script Defining a data center Create a data center to contain the servers that reside on a subnet of your network. 1. On the Main tab, click Global Traffic > Data Centers. 38

BIG-IP Global Traffic Manager : Implementations The Data Center List screen opens. 2. Click Create. The New Data Center screen opens. 3. Type a name for the data center. Important: The data center name is limited to 63 characters. 4. In the Location field, type the geographic location of the data center. 5. In the Contact field, type the name of either the administrator or the department that manages the data center. 6. From the State list, select Enabled. 7. Click Finished. You can now create server objects and assign them to this data center. Repeat this procedure to create additional data centers. Defining BIG-IP GTM systems Ensure that at least one data center exists in the configuration before you start creating a server. Create a server object for BIG-IP GTM. 1. On the Main tab, click Global Traffic > Servers. The Server List screen opens. 2. Click Create. The New Server screen opens. 3. In the Name field, type a name for the server. Important: Server names are limited to 63 characters. 4. From the Product list, select BIG-IP System (Single). The server type determines the metrics that the system can collect from the server. 5. In the Address List area, add the IP addresses of the server. You can add more than one IP address, depending on how the server interacts with the rest of your network. Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address. 6. From the Data Center list, select the data center where the server resides. 7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list. 8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system. Option Disabled Description The system does not use the discovery feature to automatically add virtual servers. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add virtual servers to the system. 39

Integrating BIG-IP GTM with Other BIG-IP Systems Option Enabled Enabled (No Delete) Description The system uses the discovery feature to automatically add virtual servers. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers. The system uses the discovery feature to automatically add virtual servers and does not delete any virtual servers that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers. 9. From the Link Discovery list, select how you want links to be added to the system. Option Disabled Enabled Enabled (No Delete) Description The system does not use the discovery feature to automatically add links. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add links to the system. The system uses the discovery feature to automatically add links. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links. The system uses the discovery feature to automatically add links and does not delete any links that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links. 10. Click Create. The Server List screen opens displaying the new server in the list. Defining BIG-IP LTM systems On BIG-IP GTM, define servers that represent the BIG-IP LTM systems in your network. 1. On the Main tab, click Global Traffic > Servers. The Server List screen opens. 2. Click Create. The New Server screen opens. 3. In the Name field, type a name for the server. Important: Server names are limited to 63 characters. 4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant). The server type determines the metrics that the system can collect from the server. 5. In the Address List area, add the IP addresses of the server. You can add more than one IP address, depending on how the server interacts with the rest of your network. Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address. 6. From the Data Center list, select the data center where the server resides. 7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list. 40

BIG-IP Global Traffic Manager : Implementations 8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system. Option Disabled Enabled Enabled (No Delete) Description The system does not use the discovery feature to automatically add virtual servers. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add virtual servers to the system. The system uses the discovery feature to automatically add virtual servers. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers. The system uses the discovery feature to automatically add virtual servers and does not delete any virtual servers that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers. 9. From the Link Discovery list, select how you want links to be added to the system. Option Disabled Enabled Enabled (No Delete) Description The system does not use the discovery feature to automatically add links. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add links to the system. The system uses the discovery feature to automatically add links. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links. The system uses the discovery feature to automatically add links and does not delete any links that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links. 10. Click Create. The Server List screen opens displaying the new server in the list. Running the big3d_install script Determine the self IP addresses for the existing BIG-IP systems that you want to upgrade with the latest big3d agent. Ensure that port 22 is open. Run the big3d_install script to upgrade the big3d agents on the BIG-IP systems and instructs these systems to authenticate with the other systems through the exchange of SSL certificates. For additional information about running the script, see SOL8195 on AskF5.com (www.askf5.com). You must perform this task from the command-line interface. Important: Run the big3d_install script on BIG-IP GTM only for target systems that are running the same or an older version of BIG-IP software. 1. Log on to the command-line interface of the new BIG-IP GTM. 2. At the BASH prompt, type tmsh. 3. At the tmsh prompt, type run gtm big3d_install <IP_addresses_of_target_BIG-IP_systems>, and press Enter. The script instructs BIG-IP GTM to connect to each specified BIG-IP system. 41

Integrating BIG-IP GTM with Other BIG-IP Systems 4. If prompted, supply the root password for each system. The SSL certificates are exchanged, authorizing communications between the systems. The big3d agent on each system is upgraded to the same version as is installed on BIG-IP GTM from which you ran the script. Implementation result You now have an implementation in which the BIG-IP systems can communicate with each other. BIG-IP GTM can now use the other BIG-IP systems when load balancing DNS requests, and can acquire statistics and status information for the virtual servers these systems manage. 42

Chapter 7 Integrating BIG-IP LTM with BIG-IP GTM Systems Overview: Integrating LTM systems with GTM systems on a network Task summary Implementation result

Integrating BIG-IP LTM with BIG-IP GTM Systems Overview: Integrating LTM systems with GTM systems on a network You can add BIG-IP Local Traffic Manager (LTM ) systems to a network in which BIG-IP Global Traffic Manager (GTM ) systems are already present. This expands your load balancing and traffic management capabilities to include the local area network. For this implementation to be successful, you must authorize communications between the LTM and GTM systems. When the LTM and GTM systems use the same version of the big3d agent, you run the bigip_add utility to authorize communications between the systems. Note: The BIG-IP GTM and BIG-IP LTM systems must have TCP port 4353 open through the firewall between the systems. The BIG-IP systems connect and communicate through this port. Task summary To authorize communications between BIG-IP GTM and BIG-IP LTM systems, perform the following tasks on the BIG-IP GTM. Integrating BIG-IP LTM with BIG-IP GTM Systems Defining a data center Defining BIG-IP GTM systems Defining BIG-IP LTM systems Running the bigip_add utility Defining a data center Create a data center to contain the servers that reside on a subnet of your network. 1. On the Main tab, click Global Traffic > Data Centers. The Data Center List screen opens. 2. Click Create. The New Data Center screen opens. 3. Type a name for the data center. Important: The data center name is limited to 63 characters. 4. In the Location field, type the geographic location of the data center. 5. In the Contact field, type the name of either the administrator or the department that manages the data center. 6. From the State list, select Enabled. 7. Click Finished. You can now create server objects and assign them to this data center. Repeat this procedure to create additional data centers. 44

BIG-IP Global Traffic Manager : Implementations Defining BIG-IP GTM systems Ensure that at least one data center exists in the configuration before you start creating a server. Create a server object for BIG-IP GTM. 1. On the Main tab, click Global Traffic > Servers. The Server List screen opens. 2. Click Create. The New Server screen opens. 3. In the Name field, type a name for the server. Important: Server names are limited to 63 characters. 4. From the Product list, select BIG-IP System (Single). The server type determines the metrics that the system can collect from the server. 5. In the Address List area, add the IP addresses of the server. You can add more than one IP address, depending on how the server interacts with the rest of your network. Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address. 6. From the Data Center list, select the data center where the server resides. 7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list. 8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system. Option Disabled Enabled Enabled (No Delete) Description The system does not use the discovery feature to automatically add virtual servers. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add virtual servers to the system. The system uses the discovery feature to automatically add virtual servers. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers. The system uses the discovery feature to automatically add virtual servers and does not delete any virtual servers that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers. 9. From the Link Discovery list, select how you want links to be added to the system. Option Disabled Enabled Description The system does not use the discovery feature to automatically add links. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add links to the system. The system uses the discovery feature to automatically add links. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links. 45

Integrating BIG-IP LTM with BIG-IP GTM Systems Option Enabled (No Delete) Description The system uses the discovery feature to automatically add links and does not delete any links that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links. 10. Click Create. The Server List screen opens displaying the new server in the list. Defining BIG-IP LTM systems On BIG-IP GTM, define servers that represent the BIG-IP LTM systems in your network. 1. On the Main tab, click Global Traffic > Servers. The Server List screen opens. 2. Click Create. The New Server screen opens. 3. In the Name field, type a name for the server. Important: Server names are limited to 63 characters. 4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant). The server type determines the metrics that the system can collect from the server. 5. In the Address List area, add the IP addresses of the server. You can add more than one IP address, depending on how the server interacts with the rest of your network. Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address. 6. From the Data Center list, select the data center where the server resides. 7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list. 8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system. Option Disabled Enabled Enabled (No Delete) Description The system does not use the discovery feature to automatically add virtual servers. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add virtual servers to the system. The system uses the discovery feature to automatically add virtual servers. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers. The system uses the discovery feature to automatically add virtual servers and does not delete any virtual servers that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers. 9. From the Link Discovery list, select how you want links to be added to the system. 46

BIG-IP Global Traffic Manager : Implementations Option Disabled Enabled Enabled (No Delete) Description The system does not use the discovery feature to automatically add links. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add links to the system. The system uses the discovery feature to automatically add links. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links. The system uses the discovery feature to automatically add links and does not delete any links that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover links. 10. Click Create. The Server List screen opens displaying the new server in the list. Running the bigip_add utility Determine the self IP addresses of the BIG-IP LTM systems that you want to communicate with BIG-IP GTM. Run the bigip_add utility on BIG-IP GTM. This utility exchanges SSL certificates so that each system is authorized to communicate with the other. You must perform this task from the command-line interface. 1. On BIG-IP GTM, log on to the command-line interface. 2. At the command prompt, type: bigip_add <IP_addresses_of_BIG-IP_LTM_systems>, and press Enter. The utility exchanges SSL certificates so that each system is authorized to communicate with the other. The specified BIG-IP systems can now communicate with BIG-IP GTM. Implementation result You now have an implementation in which the BIG-IP systems can communicate with each other. BIG-IP GTM can now use the other BIG-IP systems when load balancing DNS requests, and can acquire statistics and status information for the virtual servers these systems manage. 47

Chapter 8 Ensuring Correct Synchronization When Adding GTM to a Network Overview: Ensuring correct synchronization when adding GTM to a network Task summary Implementation result

Ensuring Correct Synchronization When Adding GTM to a Network Overview: Ensuring correct synchronization when adding GTM to a network You can configure BIG-IP Global Traffic Manager (GTM) systems in collections called synchronization groups. All BIG-IP GTM systems in the same synchronization group have the same rank, exchange heartbeat messages, and share probing responsibility. Figure 6: BIG-IP GTM systems in a synchronization group About configuration synchronization Configuration synchronization ensures the rapid distribution of BIG-IP Global Traffic Manager (GTM) settings to other BIG-IP systems that belong to the same synchronization group. A synchronization group might contain both BIG-IP GTM and BIG-IP Link Controller systems. Configuration synchronization occurs in the following manner: When a change is made to a BIG-IP GTM configuration, the system broadcasts the change to the other systems in the configuration synchronization group. When a configuration synchronization is in progress, the process must either complete or timeout, before another configuration synchronization can occur. About adding an additional BIG-IP GTM to your network BIG-IP GTM systems exchange heartbeat messages when different software versions are installed on the systems. However, configuration synchronization cannot occur when different software versions are installed on the systems. Therefore, when you upgrade BIG-IP GTM, the configuration of the upgraded system does not automatically synchronize with the configuration of the systems in the synchronization group that have an older software version. Task summary When adding an additional BIG-IP GTM system to your network, perform the following tasks. Defining an NTP server on the existing GTM Enabling synchronization on the existing GTM 50

BIG-IP Global Traffic Manager : Implementations Creating a data center on the existing GTM Defining a server on the existing GTM Running the gtm_add script on the new GTM Defining an NTP server on the existing GTM Define a Network Time Protocol (NTP) server on the existing BIG-IP GTM to ensure that each system in the synchronization group is referencing the same time when verifying configuration file timestamps. 1. On the Main tab, click System > Configuration > Device > NTP. The NTP Device configuration screen opens. 2. In the Time Server Lookup List area, in the Address field, type the IP address of the NTP that you want to add. Then, click Add. Note: If you did not disable DHCP before the first boot of the BIG-IP system, and if the DHCP server provides the information about your NTP server, then this field is automatically populated. 3. Click Update. The NTP server is defined. Enabling synchronization on the existing GTM To ensure that this system can share configuration changes with other systems that you add to the configuration synchronization group, enable synchronization on the existing BIG-IP GTM. 1. On the Main tab, click System > Configuration > Global Traffic > General. The General configuration screen opens. 2. Select the Synchronization check box. 3. In the Synchronization Time Tolerance field, type the maximum number of seconds allowed between the time settings on this system and the other systems in the synchronization group. The lower the value, the more often this system makes a log entry indicating that there is a difference. Tip: If you are using NTP, leave this setting at the default value of 10. In the event that NTP fails, the system uses the time_tolerance variable to maintain synchronization. 4. In the Synchronization Group Name field, type the name of the synchronization group to which you want this system to belong. 5. Click Update. Synchronization is enabled on the existing BIG-IP GTM. Creating a data center on the existing GTM Create a data center on the existing BIG-IP GTM system to represent the location where the new BIG-IP GTM system resides. 1. On the Main tab, click Global Traffic > Data Centers. The Data Center List screen opens. 51

Ensuring Correct Synchronization When Adding GTM to a Network 2. Click Create. The New Data Center screen opens. 3. Type a name for the data center. Important: The data center name is limited to 63 characters. 4. In the Location field, type the geographic location of the data center. 5. In the Contact field, type the name of either the administrator or the department that manages the data center. 6. Click Finished. Defining a server on the existing GTM Ensure that a data center where the new BIG-IP GTM system resides exists in the configuration of the existing BIG-IP GTM system. Define a new server, on the existing BIG-IP GTM, to represent the new BIG-IP GTM system. 1. On the Main tab, click Global Traffic > Servers. The Server List screen opens. 2. Click Create. The New Server screen opens. 3. In the Name field, type a name for the server. Important: Server names are limited to 63 characters. 4. From the Product list, select BIG-IP System (Single). The server type determines the metrics that the system can collect from the server. 5. In the Address List area, add the IP address of the server. Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address. 6. From the Data Center list, select the data center where the server resides. 7. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system. Option Disabled Enabled Enabled (No Delete) 8. Click Create. Description The system does not use the discovery feature to automatically add virtual servers. This is the default value. Use this option for a standalone BIG-IP GTM or for a BIG-IP GTM/LTM combo system when you plan to manually add virtual servers to the system. The system uses the discovery feature to automatically add virtual servers. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers. The system uses the discovery feature to automatically add virtual servers and does not delete any virtual servers that already exist. Use this option for a BIG-IP GTM/LTM combo system when you want BIG-IP GTM to discover BIG-IP LTM virtual servers. 52

BIG-IP Global Traffic Manager : Implementations The Server List screen opens displaying the new server in the list. The status of the newly defined BIG-IP GTM system is Unknown, because you have not yet run the gtm_add script. Running the gtm_add script on the new GTM Determine the self IP address of the existing BIG-IP GTM. Run the gtm_add script on the new BIG-IP GTM to acquire the configuration settings on the existing BIG-IP GTM. Note: You must perform this task from the command-line interface. 1. On the new BIG-IP GTM, log in to the command-line interface. 2. At the BASH prompt, type tmsh, and press Enter. 3. At the tmsh prompt, type run gtm gtm_add, and press Enter. 4. Press the y key to start the gtm_add script. 5. Type the IP address of the existing BIG-IP GTM, and press Enter. 6. If prompted, type the root password, and then press Enter. Implementation result The new BIG-IP GTM that you added to the network is a part of a synchronization group. Changes you make to any system in the synchronization group are automatically propagated to all other systems in the group. 53

Chapter 9 Configuring BIG-IP GTM VIPRION Systems Overview: Configuring BIG-IP GTM VIPRION systems

Configuring BIG-IP GTM VIPRION Systems Overview: Configuring BIG-IP GTM VIPRION systems You configure BIG-IP Global Traffic Manager (GTM ) on VIPRION systems in the same manner that you configure BIG-IP GTM on an appliance, with two notable exceptions. You can access BIG-IP Local Traffic Manager (LTM ) irules from within BIG-IP GTM irules. You can also access BIG-IP GTM irules from within BIG-IP LTM irules. It is important to change the general system configuration for virtual server status. Configuring virtual server status for clusters You can configure virtual server status to be dependent only on the timeout value of the monitor associated with the virtual server. This ensures that when the primary blade in a cluster becomes unavailable, the gtmd agent on the new primary blade has time to establish new iquery connections with and receive updated status from other BIG-IP systems. Tip: The big3d agent on the new primary blade must be up and functioning within 90 seconds (the timeout value of the BIG-IP monitor). 1. On the Main tab, click System > Configuration > Global Traffic > General. The General configuration screen opens. 2. Select Depends on Monitors Only from the Virtual Server Status list. 3. Click Update. 56

Chapter 10 Setting Up a BIG-IP GTM Redundant System Configuration Overview: Configuring a BIG-IP GTM redundant system Task summary

Setting Up a BIG-IP GTM Redundant System Configuration Overview: Configuring a BIG-IP GTM redundant system You can configure BIG-IP Global Traffic Manager (GTM) in a redundant system configuration, which is a set of two BIG-IP GTM systems: one operating as the active unit, the other operating as the standby unit. If the active unit goes offline, the standby unit immediately assumes responsibility for managing DNS traffic. The new active unit remains active until another event occurs that would cause the unit to go offline, or you manually reset the status of each unit. Task summary Perform the following tasks to configure a BIG-IP GTM redundant system configuration. Before you begin, ensure that the Setup utility was run on both devices. During the Setup process, you create VLANs internal and external and the associated floating and non-floating IP addresses, and VLAN HA and the associated non-floating self IP address. You also configure the devices to be in an active-standby redundant system configuration. Defining an NTP server Creating listeners to identify DNS traffic Defining a data center Defining a server Enabling global traffic configuration synchronization Running the gtm_add script Defining an NTP server Define a Network Time Protocol (NTP) server that both BIG-IP GTM systems use during configuration synchronization. Important: Perform the following procedure on both the active and standby systems. 1. On the Main tab, click System > Configuration > Device > NTP. The NTP Device configuration screen opens. 2. In the Time Server Lookup List area, in the Address field, type the IP address of the NTP that you want to add. Then, click Add. Note: If you did not disable DHCP before the first boot of the BIG-IP system, and if the DHCP server provides the information about your NTP server, then this field is automatically populated. 3. Click Update. During configuration synchronization, the systems use this time value to see if any newer configuration files exist. 58

BIG-IP Global Traffic Manager : Implementations Creating listeners to identify DNS traffic Create two listeners to identify DNS traffic for which BIG-IP GTM is responsible. Create one listener that uses the UDP protocol and one that uses the TCP protocol. Important: Perform the following procedure on only the active system. Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP the client might receive the error: connection refused or TCP RSTs. 1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens. 2. Click Create. The new Listeners screen opens. 3. In the Destination field, type the floating IP address of VLAN external. This is the IP address on which BIG-IP GTM listens for network traffic. 4. From the VLAN Traffic list, select All VLANs. 5. From the Protocol list, select UDP. 6. Click Finished. Create another listener with the same IP address, but select TCP from the Protocol list. Defining a data center Create a data center to contain the servers that reside on a subnet of your network. Important: Perform the following procedure on only the active system. 1. On the Main tab, click Global Traffic > Data Centers. The Data Center List screen opens. 2. Click Create. The New Data Center screen opens. 3. Type a name for the data center. Important: The data center name is limited to 63 characters. 4. In the Location field, type the geographic location of the data center. 5. In the Contact field, type the name of either the administrator or the department that manages the data center. 6. From the State list, select Enabled. 7. Click Finished. You can now create server objects and assign them to this data center. Repeat this procedure to create additional data centers. 59

Setting Up a BIG-IP GTM Redundant System Configuration Defining a server Ensure that the data centers where the BIG-IP GTM systems exist in the configuration. Using this procedure, create two servers on the active system, one that represents the active system and one that represents the standby system. Important: Perform this procedure on only the active system. 1. On the Main tab, click Global Traffic > Servers. The Server List screen opens. 2. Click Create. The New Server screen opens. 3. In the Name field, type a name for the server. Important: Server names are limited to 63 characters. 4. From the Product list, select BIG-IP System (Redundant). The server type determines the metrics that the system can collect from the server. 5. In the Address List area, add the IP address of the server. Important: You must use a self IP address for a BIG-IP system; you cannot use the management IP address. 6. In the Address List area, add the IP addresses of the back up system using the Peer Address List setting. a) Type an external (public) IP address in the Address field, and then click Add. b) Type an internal (private) IP address in the Translation field, and then click Add. You can add more than one IP address, depending on how the server interacts with the rest of your network. 7. From the Data Center list, select the data center where the server resides. 8. From the Virtual Server Discovery list, select Disabled. 9. From the Link Discovery list, select Disabled. 10. Click Create. The Server List screen opens displaying the new server in the list. Enabling global traffic configuration synchronization Enable global traffic configuration synchronization options and assign a name to the global traffic synchronization group. Important: Perform the following procedure on only the active system. 1. On the Main tab, click System > Configuration > Global Traffic > General. The General configuration screen opens. 2. Select the Synchronization check box. 3. Select the Synchronize DNS Files check box. 4. In the Synchronization Group Name field, type the name of the synchronization group. 60

BIG-IP Global Traffic Manager : Implementations 5. Click Update. The settings you selected will be transferred to the standby system during configuration synchronization. Running the gtm_add script You must run the gtm_add script from the standby system. Note: You must perform this task from the command-line interface. 1. On the new BIG-IP GTM, log in to the command-line interface. 2. Type gtm_add, and press Enter. 3. Press the y key to start the gtm_add script. 4. Type the IP address of the existing BIG-IP GTM, and press Enter. The gtm_add script acquires configuration data from the active system; Once this process completes, you have successfully created a redundant system consisting of two BIG-IP GTM systems. 61

Chapter 11 Configuring GTM on a Network with One Route Domain Overview: How do I deploy BIG-IP GTM on a network with one route domain? Task summary Implementation result

Configuring GTM on a Network with One Route Domain Overview: How do I deploy BIG-IP GTM on a network with one route domain? You can deploy BIG-IP Global Traffic Manager (GTM ) on a network where BIG-IP Local Traffic Manager (LTM ) is configured with one route domain and no overlapping IP addresses. Caution: For BIG-IP systems that include both LTM and GTM, you can configure route domains on internal interfaces only. F5 Networks does not support the configuration of route domains on a standalone BIG-IP GTM. Figure 7: BIG-IP GTM deployed on a network in front of a BIG-IP LTM configured with a route domain Task summary BIG-IP GTM can gather status and statistics for the virtual servers hosted on BIG-IP Local Traffic Manager (LTM) systems on your network that are configured on a route domain. The BIG-IP LTM systems must contain: VLANs through which traffic for the route domain passes. A self IP address that represents the address space of the route domain. 64

BIG-IP Global Traffic Manager : Implementations Additionally, BIG-IP GTM must contain a server object for each route domain. The server objects must be configured with a self IP address that represents the address space of the route domain. Perform the specified tasks to configure BIG-IP LTM systems with a route domain, and then to configure BIG-IP GTM to be able to monitor these systems. Creating VLANs for a route domain on BIG-IP LTM Creating a route domain on the BIG-IP system Creating a self IP address for a route domain on BIG-IP LTM Defining a server for a route domain on BIG-IP GTM Creating VLANs for a route domain on BIG-IP LTM You need to create two VLANs on BIG-IP Local Traffic Manager (LTM ) through which traffic can pass to a route domain. 1. On the Main tab, click Network > VLANs. The VLAN List screen opens. 2. Click Create. The New VLAN screen opens. 3. In the Name field, type external. 4. In the Tag field, type a numeric tag, from 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag. The VLAN tag identifies the traffic from hosts in the associated VLAN. 5. For the Interfaces setting, from the Available list, click an interface number or trunk name and add the selected interface or trunk to the Untagged list. Repeat this step as necessary. 6. Select the Source Check check box if you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated. 7. Click Finished. The screen refreshes, and displays the new VLAN in the list. Repeat this procedure, but in Step 3, name the VLAN internal. Creating a route domain on the BIG-IP system Before you create a route domain: Ensure that an external and an internal VLAN exist on the BIG-IP system. If you intend to assign a static bandwidth controller policy to the route domain, you must first create the policy. You can do this using the BIG-IP Configuration utility. Verify that you have set the current partition on the system to the partition in which you want the route domain to reside. You can create a route domain on BIG-IP system to segment (isolate) traffic on your network. Route domains are useful for multi-tenant configurations. 1. On the Main tab, click Network > Route Domains. The Route Domain List screen opens. 2. Click Create. The New Route Domain screen opens. 3. In the Name field, type a name for the route domain. 65

Configuring GTM on a Network with One Route Domain This name must be unique within the administrative partition in which the route domain resides. 4. In the ID field, type an ID number for the route domain. This ID must be unique on the BIG-IP system; that is, no other route domain on the system can have this ID. 5. In the Description field, type a description of the route domain. For example: This route domain applies to traffic for application MyApp. 6. For the Strict Isolation setting, select the Enabled check box to restrict traffic in this route domain from crossing into another route domain. 7. For the Parent Name setting, retain the default value. 8. For the VLANs setting, from the Available list, select a VLAN name and move it to the Members list. Select the VLAN that processes the application traffic relevant to this route domain. Configuring this setting ensures that the BIG-IP system immediately associates any self IP addresses pertaining to the selected VLANs with this route domain. 9. For the Dynamic Routing Protocols setting, from the Available list, select one or more protocol names and move them to the Enabled list. You can enable any number of listed protocols for this route domain. This setting is optional. 10. From the Bandwidth Controller list, select a static bandwidth control policy to enforce a throughput limit on traffic for this route domain. 11. From the Partition Default Route Domain list, select either Another route domain (0) is the Partition Default Route Domain or Make this route domain the Partition Default Route Domain. This setting does not appear if the current administrative partition is partition Common. When you configure this setting, either route domain 0 or this route domain becomes the default route domain for the current administrative partition. 12. Click Finished. The system displays a list of route domains on the BIG-IP system. You now have another route domain on the BIG-IP system. Creating a self IP address for a route domain on BIG-IP LTM Ensure that external and internal VLANs exist on BIG-IP LTM, before you begin creating a self IP address for a route domain. Create a self IP address on BIG-IP LTM that resides in the address space of the route domain. 1. On the Main tab, click Network > Self IPs. The Self IPs screen opens. 2. Click Create. The New Self IP screen opens. 3. In the IP Address field, type an IP address. This IP address must represent a self IP address in a route domain. Use the format x.x.x.x%n, where n is the route domain ID, for example, 10.1.1.1%1. The system accepts IPv4 and IPv6 addresses. 4. In the Netmask field, type the network mask for the specified IP address. 5. From the VLAN/Tunnel list, select external. 6. From the Port Lockdown list, select Allow Default. 7. Click Finished. 66

BIG-IP Global Traffic Manager : Implementations The screen refreshes, and displays the new self IP address in the list. Repeat this procedure, but in Step 5, select VLAN internal. Defining a server for a route domain on BIG-IP GTM Ensure that at least one data center exists in the configuration. On a BIG-IP GTM system, define a server that represents the route domain. 1. On the Main tab, click Global Traffic > Servers. The Server List screen opens. 2. Click Create. The New Server screen opens. 3. In the Name field, type a name for the server. Important: Server names are limited to 63 characters. 4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant). The server type determines the metrics that the system can collect from the server. 5. In the Address List area, add the self IP address that you assigned to the VLAN that you assigned to the route domain. Important: Do not include the route domain ID in this IP address. Use the format x.x.x.x, for example, 10.10.10.1. 6. From the Data Center list, select the data center where the server resides. 7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list. 8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system. Virtual server discovery is supported when you have only one route domain. Option Disabled Enabled Enabled (No Delete) Description Use this option when you plan to manually add virtual servers to the system. The system automatically adds virtual servers using the discovery feature. The system uses the discovery feature and does not delete any virtual servers that already exist. 9. Click Create. The Server List screen opens displaying the new server in the list. Implementation result You now have an implementation in which BIG-IP GTM can monitor virtual servers on BIG-IP LTM systems configured with one route domain. 67

Chapter 12 Configuring GTM on a Network with Multiple Route Domains Overview: How do I deploy BIG-IP GTM on a network with multiple route domains? Task summary Implementation result

Configuring GTM on a Network with Multiple Route Domains Overview: How do I deploy BIG-IP GTM on a network with multiple route domains? You can deploy BIG-IP Global Traffic Manager (GTM) on a network where BIG-IP Local Traffic Manager (LTM ) systems are configured with multiple route domains and overlapping IP addresses. Important: On a network with route domains, you must ensure that virtual server discovery (autoconf) is disabled, because virtual server discovery does not discover translation IP addresses. Caution: For BIG-IP systems that include both LTM and GTM, you can configure route domains on internal interfaces only. F5 Networks does not support the configuration of route domains on a standalone BIG-IP GTM. The following figure shows BIG-IP GTM deployed in a network with multiple BIG-IP Local Traffic Manager (LTM ) systems configured with the default route domain (zero), and two additional route domains. BIG-IP GTM can monitor the Application1 and Application2 servers that have overlapping IP addresses and reside in different route domains. The firewalls perform the required address translation between the BIG-IP GTM and BIG-IP LTM addresses; you must configure the firewalls to segment traffic and avoid improperly routing packets between route domain 1 and route domain 2. 70

BIG-IP Global Traffic Manager : Implementations Figure 8: BIG-IP GTM deployed on a network with multiple route domains Task summary Before BIG-IP GTM can gather status and statistics for the virtual servers hosted on BIG-IP LTM systems on your network that are configured with route domains, you must configure the following on each BIG-IP LTM that handles traffic for route domains: VLANs through which traffic for your route domains passes Route domains that represent each network segment Self IP addresses that represent the address spaces of the route domains Additionally, on BIG-IP GTM you must: Configure, for each route domain, a server object with virtual server discovery disabled Disable virtual server discovery globally 71

Configuring GTM on a Network with Multiple Route Domains Perform the following tasks to configure BIG-IP GTM to monitor BIG-IP LTM systems with route domains. Creating VLANs for a route domain on BIG-IP LTM Creating a route domain on BIG-IP LTM Creating a self IP address for a route domain on BIG-IP LTM Disabling auto-discovery at the global-level on BIG-IP GTM Defining a server for a route domain on BIG-IP GTM Creating VLANs for a route domain on BIG-IP LTM Create two VLANs on BIG-IP LTM through which traffic can pass to a route domain. 1. On the Main tab, click Network > VLANs. The VLAN List screen opens. 2. Click Create. The New VLAN screen opens. 3. In the Name field, type external. 4. In the Tag field, type a numeric tag, from 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag. The VLAN tag identifies the traffic from hosts in the associated VLAN. 5. For the Interfaces setting, from the Available list, click an interface number or trunk name and add the selected interface or trunk to the Untagged list. Repeat this step as necessary. 6. Select the Source Check check box if you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated. 7. Click Finished. The screen refreshes, and displays the new VLAN in the list. Repeat this procedure, but in Step 3, name the second VLAN internal. Creating a route domain on BIG-IP LTM Ensure that VLANs exist on BIG-IP LTM, before you create a route domain. You can create a route domain on a BIG-IP system to segment (isolate) network traffic on your network. 1. On the Main tab, click Network > Route Domains. The Route Domain List screen opens. 2. Click Create. The New Route Domain screen opens. 3. In the ID field, type an ID number for the route domain. This ID must be unique on the BIG-IP system; that is, no other route domain on the system can have this ID. 4. In the Description field, type a description of the route domain. For example: This route domain applies to traffic for application MyApp. 5. For the Strict Isolation setting, select the Enabled check box to restrict traffic in this route domain from crossing into another route domain. 6. For the Parent Name setting, retain the default value. 7. For the VLANs setting, move the external and internal VLANs from the Available list, to the Members list. 72

BIG-IP Global Traffic Manager : Implementations Configuring this setting ensures that the BIG-IP system immediately associates any self IP addresses pertaining to the selected VLANs with this route domain. 8. Click Finished. The system displays a list of route domains on the BIG-IP system. Create additional route domains based on your network configuration. Creating a self IP address for a route domain on BIG-IP LTM Ensure that VLANs exist on BIG-IP LTM, before you begin creating a self IP address for a route domain. Create a self IP address on the BIG-IP system that resides in the address space of the route domain. 1. On the Main tab, click Network > Self IPs. The Self IPs screen opens. 2. Click Create. The New Self IP screen opens. 3. In the IP Address field, type an IP address. This IP address must represent a self IP address in a route domain. Use the format x.x.x.x%n, where n is the route domain ID, for example, 10.1.1.1%1. The system accepts IPv4 and IPv6 addresses. 4. In the Netmask field, type the network mask for the specified IP address. 5. From the VLAN/Tunnel list, select the VLAN that you assigned to the route domain that contains this self IP address. 6. From the Port Lockdown list, select Allow Default. 7. Click Finished. The screen refreshes, and displays the new self IP address in the list. Create additional self IP addresses based on your network configuration. Disabling auto-discovery at the global-level on BIG-IP GTM On BIG-IP GTM, disable auto-discovery at the global-level. 1. On the Main tab, click System > Configuration > Global Traffic > General. The general Configuration screen opens. 2. Clear the Auto-Discovery check box. 3. Click Update. Defining a server for a route domain on BIG-IP GTM Ensure that at least one data center exists in the configuration. On BIG-IP GTM, define a server that represents the route domain. 1. On the Main tab, click Global Traffic > Servers. The Server List screen opens. 2. Click Create. 73

Configuring GTM on a Network with Multiple Route Domains The New Server screen opens. 3. In the Name field, type a name for the server. Important: Server names are limited to 63 characters. 4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant). The server type determines the metrics that the system can collect from the server. 5. In the Address List area, add the self IP address that you assigned to the VLAN that you assigned to the route domain. Important: Do not include the route domain ID in this IP address. Use the format x.x.x.x, for example, 10.10.10.1. 6. From the Data Center list, select the data center where the server resides. 7. From the Prober Pool list, select one of the following. Option Description Inherit from Data Center Prober pool name By default, a server inherits the Prober pool assigned to the data center in which the server resides. Select the Prober pool that contains the BIG-IP systems that you want to perform monitor probes of this server. Note: The selected Prober pool must reside in the same route domain as the servers you want the pool members to probe. 8. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list. 9. From the Virtual Server Discovery list, select Disabled. 10. Click Create. The New Server screen opens. Implementation result You now have an implementation in which BIG-IP GTM monitors BIG-IP LTM virtual servers on the various route domains in your network. 74

Chapter 13 Authenticating with SSL Certificates Signed by a Third Party Overview: Authenticating with SSL certificates signed by a third party Configuring Level 1 SSL authentication Implementation Results Configuring certificate chain SSL authentication Implementation result

Authenticating with SSL Certificates Signed by a Third Party Overview: Authenticating with SSL certificates signed by a third party BIG-IP systems use Secure Sockets Layer (SSL) authentication to verify the authenticity of the credentials of systems with which data exchange is necessary. BIG-IP software includes a self-signed SSL certificate. If your network includes one or more certificate authority (CA) servers, you can also install SSL certificates that are signed by a third party. The BIG-IP systems exchange SSL certificates, and use a CA server to verify the authenticity of the certificates. The big3d agent on all BIG-IP systems and the gtmd agent on BIG-IP Global Traffic Manager (GTM ) systems use the certificates to authenticate communication between the systems. About SSL authentication levels SSL supports ten levels of authentication (also known as certificate depth): Level 0 certificates (self-signed certificates) are verified by the system to which they belong. Level 1 certificates are authenticated by a CA server that is separate from the system. Levels 2-9 certificates are authenticated by additional CA servers that verify the authenticity of other servers. These multiple levels of authentication (referred to as certificate chains) allow for a tiered verification system that ensures that only authorized communications occur between servers. Configuring Level 1 SSL authentication You can configure BIG-IP systems for Level 1 SSL authentication. Before you begin, ensure that the systems you are configuring include the following: A signed certificate/key pair. The root certificate from the CA server. Task Summary Importing the device certificate Importing the root certificate for the gtmd agent Importing the root certificate for the big3d agent Verifying the certificate exchange Importing the device certificate To configure the BIG-IP system for Level 1 SSL authentication, import the device certificate signed by the CA server. Note: Perform this procedure on all BIG-IP systems that you want to handle Level 1 SSL authentication. 1. On the Main tab, click System > Device Certificates. The Device Certificate screen opens. 2. Click Import. 76

BIG-IP Global Traffic Manager : Implementations 3. From the Import Type list, select Certificate and Key. 4. For the Certificate Source setting, select Upload File and browse to select the certificate signed by the CA server. 5. For the Key Source setting, select Upload File and browse to select the device key file. 6. Click Import. Importing the root certificate for the gtmd agent Before you start this procedure, ensure that you have the root certificate from your CA server available. To set up the system to use a third-party certificate signed by a CA server, replace the existing certificate file for the gtmd agent with the root certificate of your CA server. Note: Perform this procedure on only one BIG-IP GTM system in the synchronization group. The system automatically synchronizes the setting with the other systems in the group. 1. On the Main tab, click Global Traffic > Servers > Trusted Server Certificates. The Trusted Server Certificates screen opens. 2. Click Import. 3. From the Import Method list, select Replace. 4. For the Certificate Source setting, select Upload File and browse to select the root certificate file. 5. Click Import. Importing the root certificate for the big3d agent Before you start this procedure, ensure that the root certificate from your CA server is available. Note: Perform this procedure on all BIG-IP systems that you want to configure for Level 1 SSL authentication. 1. On the Main tab, click System > Device Certificates > Trusted Device Certificates. The Trusted Device Certificates screen opens. 2. Click Import. 3. From the Import Method list, select Replace. 4. For the Certificate Source setting, select Upload File and browse to select the certificate signed by the CA server. 5. Click Import. Verifying the certificate exchange You can verify that you installed the certificate correctly, by running the following commands on all BIG-IP systems that you configured for Level 1 SSL authentication. iqdump <IP address of BIG-IP you are testing> iqdump <IP address of BIG-IP peer system, if testing a redundant system configuration> 77

Authenticating with SSL Certificates Signed by a Third Party If the certificate was installed correctly, these commands display a continuous stream of information. Implementation Results The BIG-IP systems are now configured for Level 1 SSL authentication. Configuring certificate chain SSL authentication You can configure BIG-IP systems for certificate chain SSL authentication. Task Summary Creating a certificate chain file Importing the device certificate from the last CA server in the chain Importing a certificate chain file for the gtmd agent Importing a certificate chain for the big3d agent Verifying the certificate chain exchange Creating a certificate chain file Before you start this procedure, ensure that you have the certificate files from your CA servers available. Create a certificate chain file that you can use to replace the existing certificate file. 1. Using a text editor, create an empty file for the certificate chain. 2. Still using a text editor, copy an individual certificate from its own certificate file and paste the certificate into the file you created in step 1. 3. Repeat step 2 for each certificate that you want to include in the certificate chain. You now have a certificate chain file. Importing the device certificate from the last CA server in the chain Import the device certificate signed by the last CA in the certificate chain. Note: Perform this procedure on all BIG-IP systems that you want to configure for certificate chain SSL authentication. 1. On the Main tab, click System > Device Certificates. The Device Certificate screen opens. 2. Click Import. 3. From the Import Type list, select Certificate and Key. 4. For the Certificate Source setting, select Upload File and browse to select the certificate signed by the CA server. 5. For the Key Source setting, select Upload File and browse to select the device key file. 78

BIG-IP Global Traffic Manager : Implementations 6. Click Import. Importing a certificate chain file for the gtmd agent Before you start this procedure, ensure that you have the certificate chain file available. Replace the existing certificate file on the system with a certificate chain file. Note: Perform this procedure on only one BIG-IP GTM in a synchronization group. The system automatically synchronizes the setting with the other systems in the group. 1. On the Main tab, click Global Traffic > Servers > Trusted Server Certificates. The Trusted Server Certificates screen opens. 2. Click Import. 3. From the Import Method list, select Replace. 4. For the Certificate Source setting, select Upload File and browse to select the device certificate for the last CA in the certificate chain. 5. Click Import. Importing a certificate chain for the big3d agent Before you start this procedure, ensure that the certificate chain file is available. Note: Perform this procedure on all BIG-IP systems that you want to configure for certificate chain SSL authentication. 1. On the Main tab, click System > Device Certificates > Trusted Device Certificates. The Trusted Device Certificates screen opens. 2. Click Import. 3. From the Import Method list, select Replace. 4. For the Certificate Source setting, select Upload File and browse to select the certificate chain file. 5. Click Import. Verifying the certificate chain exchange You can verify that you installed the certificate chain correctly, by running the following commands on all the systems you configure for certificate chain SSL authentication. iqdump <IP address of BIG-IP you are testing> iqdump <IP address of BIG-IP peer system, if testing a redundant system configuration> If the certificate chain was installed correctly, these commands display a continuous stream of information. 79

Authenticating with SSL Certificates Signed by a Third Party Implementation result The BIG-IP systems are now configured for certificate chain SSL authentication. For information about troubleshooting BIG-IP device certificates, see SOL8187 on AskF5.com (www.askf5.com). 80

Chapter 14 Configuring the Save Interval for GTM Configuration Changes Overview: Configuring the interval at which GTM saves configuration changes Task summary Implementation result

Configuring the Save Interval for GTM Configuration Changes Overview: Configuring the interval at which GTM saves configuration changes By default, configuration changes to the BIG-IP Global Traffic Manager (GTM ) are saved every 15 seconds. The changes are saved in the bigip_gtm.conf file. You can change how often GTM saves configuration changes. Task summary Perform this task to configure the interval at which GTM automatically saves configuration changes. Configuring the Save Interval for GTM Configuration Changes Configuring the GTM save interval Configuring the GTM save interval Ensure that GTM is provisioned, and that your user role provides access to tmsh. Configure the BIG-IP GTM system to automatically save configuration changes made in the Configuration utility and tmsh at a user-specified interval. 1. Log on to the command-line interface of the BIG-IP system. 2. At the BASH prompt, type tmsh. 3. At the tmsh prompt, type modify gtm global-settings general automatic-configuration-save-timeout <desired automatic save interval in seconds>, and then press Enter. The following options are worth noting: 0 (zero) = immediately save changes -1 = never save changes 86400 = maximum interval between automatic saves 15 = default interval between automatic saves Warning: Setting automatic-configuration-save-timeout to less than 10 seconds can impact system performance. Implementation result You now have an implementation in which the BIG-IP system automatically saves GTM configuration changes at an interval you specified. 82

Chapter 15 Configuring a TTL in a DNS NoError Response Overview: Configuring a TTL in an IPv6 DNS NoError Response About SOA records and negative caching Task summary Implementation result

Configuring a TTL in a DNS NoError Response Overview: Configuring a TTL in an IPv6 DNS NoError Response You can configure BIG-IP GTM to return IPv6 DNS NoError responses that include a TTL. This allows local DNS servers to cache the negative response. Negative caching reduces both the response time for negative DNS responses and the number of messages that must be sent between resolvers and local DNS servers. About SOA records and negative caching A start of authority SOA record contains a TTL that allows a local DNS server to cache a DNS NoError response to an IPv6 query. Task summary You can configure GTM to provide a negative caching TTL for a domain name by performing these specific tasks. Configuring a TTL in a DNS NoError Response Creating a pool Creating a wide IP that provides for negative caching Creating a pool Ensure that at least one virtual server exists in the configuration before you start to create a load balancing pool. Create a pool to which the system can load balance global traffic. 1. On the Main tab, click Global Traffic > Pools. The Pools list screen opens. 2. Click Create. 3. Type a name for the pool. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character. Important: The pool name is limited to 63 characters. 4. Add virtual servers as members of this load balancing pool. The system evaluates the virtual servers (pool members) in the order in which they are listed. A virtual server can belong to more than one pool. a) Select a virtual server from the Virtual Server list. b) Click Add. 5. Click Finished. 84

BIG-IP Global Traffic Manager : Implementations Creating a wide IP that provides for negative caching Ensure that at least one global load balancing pool exists in the configuration before you create a wide IP. Create a wide IP configured in a manner where GTM returns an SOA record, containing a TTL with an IPv6 DNS NoError response. This allows the local DNS servers to cache the negative response, and thus provide faster responses to DNS queries. 1. On the Main tab, click Global Traffic > Wide IPs. The Wide IPs List screen opens. 2. Click Create. The New Wide IP screen opens. 3. From the General Properties list, select Advanced. This selection allows you to modify additional default settings. 4. In the Name field, type a name for the wide IP. Tip: You can use two different wildcard characters in the wide IP name: asterisk (*) to represent several characters and question mark (?) to represent a single character. This reduces the number of aliases you have to add to the configuration. 5. From the IPv6 NoError Response list, select Enabled. With this option enabled, the system responds faster to IPv6 requests for which it does not have AAAA records configured. 6. In the IPv6 NoError TTL field, type the number of seconds that the local DNS servers consider the IPv6 NoError response to be valid. When you set this value, you must enable the IPv6 NoError Response setting as well. 7. From the Pool list, select the pools that this wide IP uses for load balancing. The system evaluates the pools based on the wide IP load balancing method configured. a) From the Pool list, select a pool. A pool can belong to more than one wide IP. b) Click Add. 8. Click Finished. Implementation result You now have an implementation in which GTM returns a TTL in an IPv6 DNS NoError response for a web site represented by a wide IP in the GTM configuration. 85

Chapter 16 Configuring DNS64 Overview: Configuring DNS64 Task summary Implementation result

Configuring DNS64 Overview: Configuring DNS64 You can configure BIG-IP Local Traffic Manager (LTM) and BIG-IP Global Traffic Manager (GTM) systems to handle IPv6-only client connection requests to IPv4-only servers on your network by returning an AAAA record response to the client. Figure 9: Mapping IPv6 addresses to IPv4 addresses Task summary Perform these tasks to configure DNS64 on a BIG-IP system. Creating a custom DNS profile Assigning a DNS profile to a virtual server Creating a custom DNS profile You can create a custom DNS profile to configure how the BIG-IP system handles DNS connection requests. 1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens. 2. Click Create. The New DNS profile screen opens. 3. In the Name field, type a unique name for the profile. 4. In the Parent Profile list, accept the default dns profile. 5. Select the Custom check box. 6. In the Global Traffic Management list, accept the default value Enabled. 7. From the DNS IPv6 to IPv4 list, select how you want the system to handle IPv6 to IPv4 address mapping in DNS queries and responses. 88

BIG-IP Global Traffic Manager : Implementations Option Disabled Description The BIG-IP system does not map IPv4 addresses to IPv6 addresses. Immediate The BIG-IP system receives an AAAA query and forwards the query to a DNS server. The BIG-IP system then forwards the first good response from the DNS server to the client. If the system receives an A response first, it appends a 96-bit prefix to the record and forwards it to the client. If the system receives an AAAA response first, it simply forwards the response to the client. The system disregards the second response from the DNS server. Secondary The BIG-IP system receives an AAAA query and forwards the query to a DNS server. Only if the server fails to return a response does the BIG-IP system send an A query. If the BIG-IP system receives an A response, it appends a 96-bit user-configured prefix to the record and forwards it to the client. v4 Only The BIG-IP system receives an AAAA query, but forwards an A query to a DNS server. After receiving an A response from the server, the BIG-IP system appends a 96-bit user-configured prefix to the record and forwards it to the client. Important: Select this option only if you know that all your DNS servers are IPv4 only servers. If you selected Immediate, Secondary, or V4 Only two new fields display. 8. In the IPv6 to IPv4 Prefix field, specify the prefix the BIG-IP system appends to all A query responses to an IPv6 request. 9. From the IPv6 to IPv4 Additional Section Rewrite list, select an option to allow improved network efficiency for both Unicast and Multicast DNS-SD responses. Option Disabled v4 Only v6 Only Any Description The BIG-IP system does not perform additional rewrite. The BIG-IP system accepts only A records. The system appends the 96-bit user-configured prefix to a record and returns an IPv6 response to the client. The BIG-IP system accepts only AAAA records and returns an IPv6 response to the client. The BIG-IP system accepts and returns both A and AAAA records. If the DNS server returns an A record in the Additional section of a DNS message, the BIG-IP system appends the 96-bit user-configured prefix to the record and returns an IPv6 response to the client. 10. From the Use BIND Server on BIG-IP list, select Enabled. Note: Enable this setting only when you want the system to forward non-wide IP queries to the local BIND server on BIG-IP GTM. 11. Click Finished. Assigning a DNS profile to a virtual server 1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens. 2. Click the name of the virtual server you want to modify. 89

Configuring DNS64 3. From the DNS Profile list, select the profile you created to manage IPv6 to IPv4 address mapping. 4. Click Update. This virtual server can now pass traffic between an IPv6-only client and an IPv4-only DNS server. Implementation result You now have an implementation of DNS64 on the BIG-IP system. 90

Chapter 17 Configuring DNSSEC Overview: Configuring DNSSEC Task summary Implementation result

Configuring DNSSEC Overview: Configuring DNSSEC You can use BIG-IP Global Traffic Manager (GTM ) to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol. To configure DNSSEC compliance, you create DNSSEC key-signing and zone-signing keys and a DNSSEC zone. Then you assign at least one enabled key-signing key and one enabled zone-signing key to the zone. Figure 10: Traffic flow when BIG-IP GTM is DNSSEC authoritative nameserver How do I prepare for a manual rollover of a DNSSEC key? When you create DNSSEC key-signing keys and DNSSEC zone-signing keys, it is important to create a disabled standby version of each key that has a similar name. To do so, associate both pairs of keys with the same zone. This prepares you to easily perform a manual rollover of the keys should an enabled key become compromised. About enhancing DNSSEC key security To enhance DNSSEC key security, BIG-IP Global Traffic Manager (GTM ) uses an automatic key rollover process that uses overlapping generations of a key to ensure that BIG-IP GTM can always respond to queries with DNSSEC-compliant responses. BIG-IP GTM dynamically creates new generations of each key based on the values of the Rollover Period and Expiration Period of the key. The first generation of a key has an ID of 0 (zero). Each time BIG-IP GTM dynamically creates a new generation of a key, the ID increments by one. Over time, each generation of a key overlaps the previous generation of the key. When a generation of a key expires, BIG-IP GTM automatically removes that generation of the key from the configuration. The value of the TTL (time-to-live) of a key specifies how long a client resolver can cache the key. 92

BIG-IP Global Traffic Manager : Implementations Figure 11: Overlapping generations of a key Task summary Perform these tasks on BIG-IP GTM to secure your DNS infrastructure. Creating listeners to identify DNS traffic Creating DNSSEC key-signing keys Creating DNSSEC zone-signing keys Creating DNSSEC zones Confirming that GTM is signing DNSSEC records Viewing DNSSEC records in ZoneRunner Creating listeners to identify DNS traffic Create two listeners to identify DNS traffic for which BIG-IP GTM is responsible. Create one listener that uses the UDP protocol and one that uses the TCP protocol. Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP the client might receive the error: connection refused or TCP RSTs. 1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens. 2. Click Create. The new Listeners screen opens. 93

Configuring DNSSEC 3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is a self IP address on BIG-IP GTM. 4. Click Finished. Create another listener with the same IP address, but select TCP from the Protocol list. Creating DNSSEC key-signing keys Ensure that the time setting on GTM is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys. Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria: The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone. The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period. The difference between the values of the rollover and expiration periods must be more than the value of the TTL. Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide. Create key-signing keys for BIG-IP GTM to use in the DNSSEC authentication process. 1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens. 2. Click Create. The New DNSSEC Key screen opens. 3. In the Name field, type a name for the key. Zone names are limited to 63 characters. 4. From the Algorithm list, select the algorithm the system uses to create the key. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512. 5. In the Bit Width field, type 2048. 6. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled. 7. From the Type list, select Key Signing Key. 8. From the State list, select Enabled. 9. In the TTL field, accept the default value of 86400 (the number of seconds in one day.) This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize. 10. For the Rollover Period setting, in the Days field, type 340. 11. For the Expiration Period setting, in the Days field, type 365. Zero seconds indicates not set, and thus the key does not expire. Tip: The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year. 12. For the Signature Validity Period setting, accept the default value of seven days. 94

BIG-IP Global Traffic Manager : Implementations This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired. 13. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached. 14. Click Finished. 15. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list. Creating DNSSEC zone-signing keys Ensure that the time setting on GTM is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys. Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria: The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone. The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period. The difference between the values of the rollover and expiration periods must be more than the value of the TTL. Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide. Create zone-signing keys for BIG-IP GTM to use in the DNSSEC authentication process. 1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens. 2. Click Create. The New DNSSEC Key screen opens. 3. In the Name field, type a name for the key. Zone names are limited to 63 characters. 4. In the Bit Width field, type 1024. 5. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled. 6. From the Type list, select Zone Signing Key. 7. From the State list, select Enabled. 8. In the TTL field, accept the default value of 86400 (the number of seconds in one day.) This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize. 9. For the Rollover Period setting, in the Days field, type 21. 10. For the Expiration Period setting, in the Days field, type 30. Zero seconds indicates not set, and thus the key does not expire. 11. For the Signature Validity Period setting, accept the default value of seven days. 95

Configuring DNSSEC This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired. 12. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached. 13. Click Finished. 14. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list. Creating DNSSEC zones Before BIG-IP GTM can sign zone requests, you must assign at least one enabled zone-signing and one enabled key-signing key to the zone. 1. On the Main tab, click Global Traffic > DNSSEC Zone List. The DNSSEC Zone List screen opens. 2. Click Create. The New DNSSEC Zone screen opens. 3. In the Name field, type a domain name. For example, use a zone name of siterequest.com to handle DNSSEC requests for www.siterequest.com and *.www.sitrequest.com. 4. From the State list, select Enabled. 5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone. You can associate the same zone-signing key with multiple zones. 6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone. You can associate the same key-signing key with multiple zones. 7. Click Finished. Even if you selected Enabled from the State list, if there are not at least one zone-signing and one key-signing key in the Active column, the status of the zone changes to offline. 8. Upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the file /config/gtm/dsset-[dnssec.zone.name] (where zone is the name of the zone you are configuring). 9. Upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the file /config/gtm/dsset-[dnssec.zone.name] (where zone is the name of the zone you are configuring). Upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the file /config/gtm/dsset-[dnssec.zone.name] (where zone is the name of the zone you are configuring). 96

BIG-IP Global Traffic Manager : Implementations Confirming that GTM is signing DNSSEC records After you create DNSSEC zones and zone-signing keys, you can confirm that GTM is signing the DNSSEC records. 1. Log on to the command-line interface of a client. 2. At the prompt, type: dig @<IP address of GTM listener> +dnssec siterequest.com GTM returns the signed RRSIG records for the zone. Viewing DNSSEC records in ZoneRunner Ensure that all DNSSEC records are added to the BIND configuration. View the DNSSEC records using ZoneRunner. 1. On the Main tab, click Global Traffic > ZoneRunner > Resource Record List. The Resource Record List screen opens. 2. From the View Name list, select the name of the view that contains the resource records you want to view. 3. From the Zone Name list, select the zone for which you want to view resource records. 4. From the Type list, select the type of resource records you want to view. 5. Click Search. View the resource records that display. Implementation result BIG-IP GTM is now configured to respond to DNS queries with DNSSEC-compliant responses. 97

Chapter 18 Configuring DNS Express How do I configure DNS Express? Task summary Implementation result

Configuring DNS Express How do I configure DNS Express? You can configure DNS Express on BIG-IP systems to mitigate distributed denial-of-service attacks (DDoS) and increase the volume of DNS request resolutions on both the local BIND server on the BIG-IP system and any back-end DNS servers. What is DNS Express? DNS Express provides the ability for a BIG-IP system to act as a high-speed, authoritative secondary DNS server. This makes if possible for the system to: Perform zone transfers from multiple primary DNS servers that are responsible for different zones. Perform a zone transfer from the local BIND server on the BIG-IP system. Serve DNS records faster than the primary DNS servers. Task summary Perform these tasks to configure DNS Express on your BIG-IP system. Configuring a back-end DNS server to allow zone file transfers Creating a DNS Express TSIG key Creating a DNS Express zone Enabling DNS Express Assigning a DNS profile to a listener Viewing information about DNS Express zones Configuring a back-end DNS server to allow zone file transfers If you are unfamiliar with how to modify DNS server files, review the fifth edition of DNS and BIND, available from O Reilly Media. To configure a back-end DNS server to allow zone file transfers to the BIG-IP system, add to the DNS server an allow-transfer statement that specifies a self IP address on the BIG-IP system. You can modify the following allow-transfer statement to use a self IP address on the BIG-IP system: allow-transfer { localhost; <self IP address of BIG-IP system>; }; Creating a DNS Express TSIG key Ensure that your back-end DNS servers are configured for zone file transfers using TSIG keys. 100

BIG-IP Global Traffic Manager : Implementations When you want to verify the identity of the authoritative server that is sending information about the zone, create a DNS Express TSIG key. Note: This step is optional. 1. On the Main tab, click Local Traffic > DNS Express Zones > DNS Express TSIG Key List. The DNS Express TSIG Key List screen opens. 2. Click Create. The New DNS Express TSIG Key screen opens. 3. In the Name field, type a name for the key. 4. From the Algorithm list, select one of the following. The system uses the algorithm that you select to authenticate updates from an approved client and responses from an approved recursive nameserver. The algorithm is a hash function in combination with the secret key. Algorithm Name HMAC MD5 HMAC SHA-1 HMAC SHA-256 Description Produces a 128-bit hash sequence Produces a 160-bit hash sequence Produces a 256-bit hash sequence 5. In the Secret field, type the phrase required for authentication of the key. Note: The secret key is created by a third party tool such as BIND s keygen utility. 6. Click Finished. Creating a DNS Express zone If you are using back-end DNS servers, ensure that those servers are configured for zone transfers. To implement DNS Express on a BIG-IP system, create a DNS Express zone. 1. On the Main tab, click Local Traffic > DNS Express Zones > DNS Express Zone List. The DNS Express Zone List screen opens. 2. Click Create. The New DNS Express Zone screen opens. 3. In the Name field, type a name for the DNS Express zone. 4. In the Target IP Address field, type the IP address of the current master DNS server for the zone from which you want to transfer records. The default value 127.0.0.1 is for the BIND server on the BIG-IP system. 5. To configure the system to verify the identity of the authoritative server that is sending information about the zone, from the TSIG Key list, select a key. 6. To specify an action for the BIG-IP system to take when it receives a NOTIFY message from a DNS server on which a zone has been updated, from the Notify Action list, select one of the following. Action Description Consume The BIG-IP system processes the NOTIFY message and does not pass the NOTIFY message to the back end DNS server. 101

Configuring DNS Express Action Bypass Repeat Description The BIG-IP system does not process the NOTIFY message, but instead sends the NOTIFY message to a back end DNS server (subject to DNS profile unhandled-query-action). The BIG-IP system processes the NOTIFY message and sends the NOTIFY message to a back end DNS server. Tip: If a TSIG Key is configured, the signature is only validated for Consume and Repeat actions. NOTIFY responses are assumed to be sent by a backend DNS resource, except when the action is Consume and DNS Express generates a response. 7. Click Finished. Enabling DNS Express Create a custom DNS profile that enables DNS Express, only if you want to use a back-end DNS server for name resolution while the BIG-IP system handles queries for wide IPs and DNS Express zones. Note: If you plan to use the BIND server on BIG-IP GTM, you can use the default dns profile. 1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens. 2. Click Create. The New DNS profile screen opens. 3. Name the profile dns_express. 4. In the Parent Profile list, accept the default dns profile. 5. Select the Custom check box. 6. In the Global Traffic Management list, accept the default value Enabled. 7. From the DNS Express list, select Enabled. 8. From the Unhandled Query Actions list, select how you want the BIG-IP system to handle a query that is not for a wide IP or DNS Express zone. Option Allow Drop Reject Hint No Error Description The BIG-IP system forwards the connection request to another DNS server or DNS server pool. Note that if a DNS server pool is not associated with a listener and the Use BIND Server on BIG-IP option is set to enabled, connection requests are forwarded to the local BIND server. (Allow is the default value.) The BIG-IP system does not respond to the query. The BIG-IP system returns the query with the REFUSED return code. The BIG-IP system returns the query with a list of root name servers. The BIG-IP system returns the query with the NOERROR return code. 9. From the Use BIND Server on BIG-IP list, select Disabled. 10. Click Finished. Assign the profile to virtual servers or listeners. 102

BIG-IP Global Traffic Manager : Implementations Assigning a DNS profile to a listener If you plan to use the BIND server on the BIG-IP system, you can assign the default DNS profile (dns) to the listener. If you plan to use a back-end DNS server and you created a custom DNS Express profile, you can assign it to the listener. 1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens. 2. Click the name of the listener you want to modify. 3. From the DNS Profile list, select either dns or a custom DNS profile configured for DNS Express. 4. Click Finished. Viewing information about DNS Express zones You can view information about the zones that are protected by DNS Express. 1. On the Main tab, click Statistics > Module Statistics > Local Traffic. The Local Traffic statistics screen opens. 2. From the Statistics Type list, select DNS Express Zones. Information displays about the DNS Express zones. Record type SOA Records Resource Records Description Displays start of authority record information. Displays the number of resource records for the zone. Implementation result You now have an implementation in which the BIG-IP system helps to mitigate DDoS attacks on your network and to resolve more DNS queries faster. 103

Chapter 19 Caching DNS Responses from External Resolvers Overview: Improving DNS performance by caching responses from external resolvers Task summary Implementation result

Caching DNS Responses from External Resolvers Overview: Improving DNS performance by caching responses from external resolvers You can configure a transparent cache on the BIG-IP system to use external DNS resolvers to resolve queries, and then cache the responses from the resolvers. The next time the system receives a query for a response that exists in the cache, the system immediately returns the response from the cache. The transparent cache contains messages and resource records. A transparent cache in the BIG-IP system consolidates content that would otherwise be cached across multiple external resolvers. When a consolidated cache is in front of external resolvers (each with their own cache), it can produce a much higher cache hit percentage. F5 Networks recommends that you configure the BIG-IP system to forward queries, which cannot be answered from the cache, to a pool of local DNS servers rather than the local BIND instance because BIND performance is slower than using multiple external resolvers. Note: For systems using the DNS Express feature, the BIG-IP system first processes the requests through DNS Express, and then caches the responses. Important: The DNS Cache feature is available only when the BIG-IP system is licensed for DNS Services. Figure 12: BIG-IP system using transparent cache Task summary Perform these tasks to configure a transparent cache on the BIG-IP system. 106

BIG-IP Global Traffic Manager : Implementations Caching DNS Responses from External Resolvers Creating a transparent DNS cache Creating a custom DNS profile for transparent DNS caching Assigning a custom DNS profile to a GTM listener Creating a custom DNS monitor Creating a pool of local DNS servers Determining DNS cache performance Clearing a DNS cache Creating a transparent DNS cache Ensure that the BIG-IP system is licensed for DNS Services. Create a transparent cache on the BIG-IP system when you want the system to cache DNS responses from external DNS resolvers. 1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens. 2. Click Create. The New DNS Cache screen opens. 3. In the Name field, type a name for the cache. 4. From the Resolver Type list, select Transparent. 5. Click Finished. Associate the DNS cache with a custom DNS profile. Creating a custom DNS profile for transparent DNS caching Ensure that at least one transparent cache exists on the BIG-IP system. You can create a custom DNS profile to configure the BIG-IP system to cache responses to DNS queries. 1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens. 2. Click Create. The New DNS profile screen opens. 3. In the Name field, type a unique name for the profile. 4. In the Parent Profile list, accept the default dns profile. 5. Select the Custom check box. 6. From the Use BIND Server on BIG-IP list, select Disabled. 7. From the DNS Cache list, select Enabled. When you enable the DNS Cache option, you must also select a DNS cache from the DNS Cache Name list. 8. From the DNS Cache Name list, select the DNS cache that you want to associate with this profile. You can associate a DNS cache with a profile, even when the DNS Cache option, is Disabled. Use this option to enable and disable the cache for debugging purposes. 9. Click Finished. 107

Caching DNS Responses from External Resolvers Assign the custom DNS profile to the virtual server that handles the DNS traffic from which you want to cache responses. Assigning a custom DNS profile to a GTM listener Ensure that at least one custom DNS profile that is configured for DNS caching exists on the BIG-IP system. Assign a custom DNS profile to a listener when you want the BIG-IP system to perform DNS caching on traffic that the listener handles. Note: This task applies only to GTM -provisioned systems. 1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens. 2. Click the name of the listener you want to modify. 3. From the DNS Profile list, select a custom DNS profile configured for DNS caching. 4. Click Update. Creating a custom DNS monitor Create a custom DNS monitor to send DNS requests, generated using the settings you specify, to a pool of DNS servers and validate the DNS responses. Important: When defining values for custom monitors, make sure you avoid using any values that are on the list of reserved keywords. For more information, see solution number 3653 (for version 9.0 systems and later) on the AskF5 technical support web site. 1. On the Main tab, click Local Traffic > Monitors. The Monitor List screen opens. 2. Click Create. The New Monitor screen opens. 3. Type a name for the monitor in the Name field. 4. From the Type list, select DNS. 5. In the Query Name field, type the domain name that you want the monitor to query. 6. From the Configuration list, select Advanced. This selection makes it possible for you to modify additional default settings. 7. Configure settings based on your network requirements. 8. Click Finished. Creating a pool of local DNS servers Ensure that at least one custom DNS monitor exists on the BIG-IP system. Gather the IP addresses of the DNS servers that you want to include in a pool to which the BIG-IP system load balances DNS traffic. Create a pool of local DNS servers when you want to load balance DNS requests to back end DNS servers. 108

BIG-IP Global Traffic Manager : Implementations 1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens. 2. Click Create. The New Pool screen opens. 3. In the Name field, type a unique name for the pool. 4. For the Health Monitors setting, from the Available list, select the custom DNS monitor you created, and click << to move the monitor to the Active list. 5. Using the New Members setting, add each resource that you want to include in the pool: a) Either type an IP address in the Address field, or select a node address from the Node List. b) Type a port number in the Service Port field, or select a service name from the list. c) To specify a priority group, type a priority number in the Priority field. d) Click Add. 6. Click Finished. Determining DNS cache performance You can view statistics to determine how well a DNS cache on the BIG-IP system is performing. 1. On the Main tab, click Statistics > Module Statistics > Local Traffic. The Local Traffic statistics screen opens. 2. From the Statistics Type list, select DNS Cache. 3. In the Details column for a cache, click View, to display detailed information about the cache. 4. To return to the Local Traffic Statistics screen, click Back. Viewing records in a DNS cache You can view records in a DNS cache to determine how well a specific cache on the BIG-IP system is performing. 1. Log in to the command-line interface of the BIG-IP system. 2. At the BASH prompt, type: tmsh. 3. At the tmsh prompt, type: show ltm dns cache records rrset cache <cache name>, and press Enter. For example, the command sequence: show ltm dns cache records rrset cache my_transparent_cache, displays the resource records in the cache named my_transparent_cache. Viewing DNS cache statistics using tmsh You can view DNS cache statistics using tmsh to determine how well a specific cache on the BIG-IP system is performing. 1. Log in to the command-line interface of the BIG-IP system. 2. At the BASH prompt, type tmsh. 3. At the tmsh prompt, type show ltm dns cache, and press Enter. Statistics for all of the DNS caches on the BIG-IP system display. 4. At the tmsh prompt, type show ltm dns cache <cache-type>, and press Enter. 109

Caching DNS Responses from External Resolvers For example, the command sequence show ltm dns cache transparent, displays statistics for each of the transparent caches on the system. 5. At the tmsh prompt, type show ltm dns cache <cache type> <cache name>, and press Enter. For example, the command sequence, show ltm dns cache transparent my_t1, displays statistics for the transparent cache on the system named my_t1. Managing transparent cache size Determine the amount of memory the BIG-IP system has and how much of that memory you want to commit to DNS caching. View the statistics for a cache to determine how well the cache is working. You can change the size of a DNS cache to fix cache performance issues. 1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens. 2. Click the name of the cache you want to modify. The Properties screen opens. 3. In the Message Cache Size field, type the maximum size in bytes for the DNS message cache. The BIG-IP system caches the messages in a DNS response in the message cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage. Important: The message cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field. 4. In the Resource Record Cache Size field, type the maximum size in bytes for the DNS resource record cache. The BIG-IP system caches the supporting records in a DNS response in the Resource Record cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage. Important: The resource record cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field. 5. Click Finished. Clearing a DNS cache You can clear all records from a specific DNS cache on the BIG-IP system. 1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens. 2. On the menu bar, click Statistics. The Local Traffic Statistics screen opens. 3. Select the check box next to the cache you want to clear, and then click Clear Cache. 110

BIG-IP Global Traffic Manager : Implementations Clearing specific records from a DNS cache You can clear specific records from a DNS cache using tmsh. For example, you can delete all RRSET records or only the A records in the specified cache. Tip: In tmsh, you can use the command completion feature to discover the types of records that are available for deletion. 1. Log in to the command-line interface of the BIG-IP system. 2. At the BASH prompt, type tmsh. 3. At the tmsh prompt, type ltm dns cache records, and press Enter to navigate to the dns cache records module. 4. Type delete <cache-type> type <record-type> cache <cache-name>, and press Enter. For example, the command sequence delete rrset type a cache my_resolver_cache, deletes the A records from the resource record cache of the resolver cache named my_resolver_cache. Implementation result You now have an implementation in which the BIG-IP system caches DNS responses from external DNS resolvers, and answers queries for a cached response. Additionally, the system forwards DNS queries that cannot be answered from the cache to a pool of local DNS servers. 111

Chapter 20 Resolving DNS Queries and Caching Responses Overview: Improving DNS performance by resolving queries and caching responses Task summary Implementation result

Resolving DNS Queries and Caching Responses Overview: Improving DNS performance by resolving queries and caching responses You can configure a resolver cache on the BIG-IP system to resolve DNS queries and cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the response from the cache. The resolver cache contains messages, resource records, and the nameservers the system queries to resolve DNS queries. Important: The DNS Cache feature is available only when the BIG-IP system is licensed for DNS Services. Figure 13: BIG-IP system using resolver cache 114

BIG-IP Global Traffic Manager : Implementations Task summary Perform these tasks to configure a resolver cache on the BIG-IP system. Creating a resolver DNS cache Creating a custom DNS profile for DNS resolving and caching Assigning a custom DNS profile to a GTM listener Determining DNS cache performance Clearing a DNS cache Creating a resolver DNS cache Ensure that the BIG-IP system is licensed for DNS Services. Create a resolver cache on the BIG-IP system when you want the system to resolve DNS queries and cache responses. 1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens. 2. Click Create. The New DNS Cache screen opens. 3. In the Name field, type a name for the cache. 4. From the Resolver Type list, select Resolver. 5. Click Finished. Associate the DNS cache with a custom DNS profile. Creating a custom DNS profile for DNS resolving and caching Ensure that at least one DNS cache exists on the BIG-IP system. You can create a custom DNS profile to configure the BIG-IP system to cache responses to DNS connection requests. 1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens. 2. Click Create. The New DNS profile screen opens. 3. In the Name field, type a unique name for the profile. 4. Select the Custom check box. 5. From the Use BIND Server on BIG-IP list, select Disabled. 6. From the DNS Cache list, select Enabled. When you enable the DNS Cache option, you must also select a DNS cache from the DNS Cache Name list. 7. From the DNS Cache Name list, select the DNS cache that you want to associate with this profile. You can associate a DNS cache with a profile, even when the DNS Cache option, is Disabled. Use this option to enable and disable the cache for debugging purposes. 115

Resolving DNS Queries and Caching Responses 8. Click Finished. Assign the custom DNS profile to the virtual server handling the DNS traffic, which includes the responses to queries that you want to cache. Assigning a custom DNS profile to a GTM listener Ensure that at least one custom DNS profile that is configured for DNS caching exists on the BIG-IP system. Assign a custom DNS profile to a listener when you want the BIG-IP system to perform DNS caching on traffic that the listener handles. Note: This task applies only to GTM -provisioned systems. 1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens. 2. Click the name of the listener you want to modify. 3. From the DNS Profile list, select a custom DNS profile configured for DNS caching. 4. Click Update. Determining DNS cache performance You can view statistics to determine how well a DNS cache on the BIG-IP system is performing. 1. On the Main tab, click Statistics > Module Statistics > Local Traffic. The Local Traffic statistics screen opens. 2. From the Statistics Type list, select DNS Cache. 3. In the Details column for a cache, click View, to display detailed information about the cache. 4. To return to the Local Traffic Statistics screen, click Back. Viewing records in a DNS cache You can view records in a DNS cache to determine how well a specific cache on the BIG-IP system is performing. 1. Log in to the command-line interface of the BIG-IP system. 2. At the BASH prompt, type: tmsh. 3. At the tmsh prompt, type: show ltm dns cache records rrset cache <cache name>, and press Enter. For example, the command sequence: show ltm dns cache records rrset cache my_transparent_cache, displays the resource records in the cache named my_transparent_cache. Viewing DNS cache statistics using tmsh You can view DNS cache statistics using tmsh to determine how well a specific cache on the BIG-IP system is performing. 116

BIG-IP Global Traffic Manager : Implementations 1. Log in to the command-line interface of the BIG-IP system. 2. At the BASH prompt, type tmsh. 3. At the tmsh prompt, type show ltm dns cache, and press Enter. Statistics for all of the DNS caches on the BIG-IP system display. 4. At the tmsh prompt, type show ltm dns cache <cache-type>, and press Enter. For example, the command sequence show ltm dns cache transparent, displays statistics for each of the transparent caches on the system. 5. At the tmsh prompt, type show ltm dns cache <cache type> <cache name>, and press Enter. For example, the command sequence, show ltm dns cache transparent my_t1, displays statistics for the transparent cache on the system named my_t1. Managing cache size Determine the amount of memory the BIG-IP system has and how much you want to commit to DNS caching. View the statistics for a cache to determine how well the cache is working. You can change the size of a DNS cache to fix cache performance issues. 1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens. 2. Click the name of the cache you want to modify. The Properties screen opens. 3. In the Message Cache Size field, type the maximum size in bytes for the DNS message cache. The BIG-IP system caches the messages in a DNS response in the message cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage. Important: The message cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field. 4. In the Resource Record Cache Size field, type the maximum size in bytes for the DNS resource record cache. The BIG-IP system caches the supporting records in a DNS response in the Resource Record cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage. Important: The resource record cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field. 5. In the Nameserver Cache Count field, type the maximum number of DNS nameservers for which the BIG-IP system caches connection and capability data. Important: The nameserver cache count includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the count by eight and put that value in this field. 6. In the Unsolicited Reply Threshold field, change the default value if you are using the BIG-IP system to monitor for unsolicited replies using SNMP. The system always rejects unsolicited replies. The default value of 0 (off) indicates the system does not generate SNMP traps or log messages when rejecting unsolicited replies. Changing the default value alerts you to a potential security attack, such as cache poisoning or DOS. For example, if you specify 117

Resolving DNS Queries and Caching Responses 1,000,000 unsolicited replies, each time the system receives 1,000,000 unsolicited replies, it generates an SNMP trap and log message. 7. Click Update. Clearing a DNS cache You can clear all records from a specific DNS cache on the BIG-IP system. 1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens. 2. On the menu bar, click Statistics. The Local Traffic Statistics screen opens. 3. Select the check box next to the cache you want to clear, and then click Clear Cache. Clearing specific records from a DNS cache You can clear specific records from a DNS cache using tmsh. For example, you can delete all RRSET records or only the A records in the specified cache. Tip: In tmsh, you can use the command completion feature to discover the types of records that are available for deletion. 1. Log in to the command-line interface of the BIG-IP system. 2. At the BASH prompt, type tmsh. 3. At the tmsh prompt, type ltm dns cache records, and press Enter to navigate to the dns cache records module. 4. Type delete <cache-type> type <record-type> cache <cache-name>, and press Enter. For example, the command sequence delete rrset type a cache my_resolver_cache, deletes the A records from the resource record cache of the resolver cache named my_resolver_cache. Implementation result You now have an implementation in which the BIG-IP system acts as a DNS resolver, caches DNS responses, and answers queries for a cached response from the cache. 118

Chapter 21 Resolving DNS Queries and Caching Validated Responses Overview: Resolving queries and caching validated responses Task summary Implementation result

Resolving DNS Queries and Caching Validated Responses Overview: Resolving queries and caching validated responses You can configure a validating resolver cache on the BIG-IP system to recursively query public DNS servers, validate the identity of the DNS server sending the responses, and then cache the responses. The next time the system receives a query for a response that exists in the cache, the system returns the DNSSEC-compliant response from the cache. The validating resolver cache contains messages, resource records, the nameservers the system queries to resolve DNS queries, and DNSSEC keys. Using the validating resolver cache, the BIG-IP system mitigates cache poisoning by validating DNS responses using DNSSEC validation. This is important, because attackers can attempt to populate a DNS cache with erroneous data that redirects clients to fake web sites, or downloads malware and viruses to client computers. When an authoritative server signs a DNS response, the validating resolver verifies the data before entering the data into the cache. Additionally, the validating resolver cache includes a built-in filter and detection mechanism that rejects unsolicited DNS responses. Important: The DNS Cache feature is available only when the BIG-IP system is licensed for DNS Services. Figure 14: BIG-IP system using validating resolver cache 120

BIG-IP Global Traffic Manager : Implementations Task summary Perform these tasks to configure a validating resolver cache on the BIG-IP system. Creating a validating resolver DNS cache Creating a custom DNS profile for validating resolver DNS caching Assigning a custom DNS profile to a GTM listener Determining DNS cache performance Clearing a DNS cache Creating a validating resolver DNS cache Ensure that the BIG-IP system is licensed for DNS Services. Create a validating resolver cache on the BIG-IP system when you want the system to resolve DNS queries, use DNSSEC to validate the responses, and cache the responses. 1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens. 2. Click Create. The New DNS Cache screen opens. 3. In the Name field, type a name for the cache. 4. From the Resolver Type list, select Validating Resolver. 5. Click Finished. Associate the DNS cache with a custom DNS profile. Obtaining a trust or DLV anchor Gather the IP addresses of the resources that are authoritative name servers for the signed zones from which you want to obtain a trust or DLV anchors. Obtain a trust or DLV anchor for the signed zones for which you want the BIG-IP system to cache a validated response. 1. From the BASH prompt of a BIG-IP system, type dig @<IP address of resource that contains the trust or DLV anchor>. DNSKEY The system returns a trust anchor. 2. Copy the anchor. Adding a trust anchor to a validating resolver DNS cache Ensure that you have copied trust anchors in the format required by the BIG-IP system, for any signed zones that you want to add to a validating resolver. A validating resolver uses at least one trust anchor to validate DNS responses. 1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens. 121

Resolving DNS Queries and Caching Validated Responses 2. Click the name of the cache you want to modify. The Properties screen opens. 3. On the menu bar, click Trust Anchors. The Trust Anchors screen opens. 4. Click Add. 5. In the Trust Anchor field, paste the trust anchor that you copied from the signed zone. Important: The trust anchor must be in the format required by the BIG-IP system. 6. Click Finished. 7. For each additional trust anchor that you want to add to the validating resolver, repeat steps 4-6. The validating resolver can now validate the content of DNS responses from the zones for which you added trust anchors. Adding a DLV anchor to a validating resolver DNS cache A validating resolver needs a DLV anchor to validate DNS responses from outside a zone. Note: Ensure that you have copied trust anchors in the format required by the BIG-IP system, for any signed zones that you add to a validating resolver. 1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens. 2. Click the name of the cache you want to modify. The Properties screen opens. 3. On the menu bar, click DLV Anchors. The DLV Anchors screen opens. 4. Click Add. 5. In the DLV Anchor field, paste the DLV anchor that you want to add to the validating resolver. Important: The DLV anchor must be in the format required by the BIG-IP system. 6. Click Finished. 7. For each additional DLV anchor that you want to add to the validating resolver, repeat steps 4-6. The validating resolver can now validate the content of DNS responses from the zones for which you added DLV anchors. Creating a custom DNS profile for validating resolver DNS caching Ensure that at least one DNS cache exists on the BIG-IP system. You can create a custom DNS profile to configure the BIG-IP system to cache responses to DNS connection requests. 1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens. 2. Click Create. The New DNS profile screen opens. 122

BIG-IP Global Traffic Manager : Implementations 3. In the Name field, type a unique name for the profile. 4. In the Parent Profile list, accept the default dns profile. 5. Select the Custom check box. 6. From the Use BIND Server on BIG-IP list, select Disabled. 7. From the DNS Cache list, select Enabled. When you enable the DNS Cache option, you must also select a DNS cache from the DNS Cache Name list. 8. From the DNS Cache Name list, select the DNS cache that you want to associate with this profile. You can associate a DNS cache with a profile, even when the DNS Cache option, is Disabled. Use this option to enable and disable the cache for debugging purposes. 9. Click Finished. Assign the custom DNS profile to the virtual server that handles the DNS traffic that includes the responses to queries that you want to cache. Assigning a custom DNS profile to a GTM listener Ensure that at least one custom DNS profile that is configured for DNS caching exists on the BIG-IP system. Assign a custom DNS profile to a listener when you want the BIG-IP system to perform DNS caching on traffic that the listener handles. Note: This task applies only to GTM -provisioned systems. 1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens. 2. Click the name of the listener you want to modify. 3. From the DNS Profile list, select a custom DNS profile configured for DNS caching. 4. Click Update. Determining DNS cache performance You can view statistics to determine how well a DNS cache on the BIG-IP system is performing. 1. On the Main tab, click Statistics > Module Statistics > Local Traffic. The Local Traffic statistics screen opens. 2. From the Statistics Type list, select DNS Cache. 3. In the Details column for a cache, click View, to display detailed information about the cache. 4. To return to the Local Traffic Statistics screen, click Back. Viewing records in a DNS cache You can view records in a DNS cache to determine how well a specific cache on the BIG-IP system is performing. 1. Log in to the command-line interface of the BIG-IP system. 123

Resolving DNS Queries and Caching Validated Responses 2. At the BASH prompt, type: tmsh. 3. At the tmsh prompt, type: show ltm dns cache records rrset cache <cache name>, and press Enter. For example, the command sequence: show ltm dns cache records rrset cache my_transparent_cache, displays the resource records in the cache named my_transparent_cache. Viewing DNS cache statistics using tmsh You can view DNS cache statistics using tmsh to determine how well a specific cache on the BIG-IP system is performing. 1. Log in to the command-line interface of the BIG-IP system. 2. At the BASH prompt, type tmsh. 3. At the tmsh prompt, type show ltm dns cache, and press Enter. Statistics for all of the DNS caches on the BIG-IP system display. 4. At the tmsh prompt, type show ltm dns cache <cache-type>, and press Enter. For example, the command sequence show ltm dns cache transparent, displays statistics for each of the transparent caches on the system. 5. At the tmsh prompt, type show ltm dns cache <cache type> <cache name>, and press Enter. For example, the command sequence, show ltm dns cache transparent my_t1, displays statistics for the transparent cache on the system named my_t1. Viewing DNS cache statistics in the Configuration utility Ensure that you have created a DNS cache and a DNS profile and have assigned the profile to either an LTM virtual server or a GTM listener. You can view DNS cache statistics to determine how well a specific cache on the BIG-IP system is performing. 1. On the Main tab, click Statistics > Module Statistics > Local Traffic. The Local Traffic statistics screen opens. 2. From the Statistics Type list, select DNS Cache. 3. In the Details column for a cache, click View, to display detailed information about the cache. 4. To determine if the cache is too small, view the number in the Evictions column. 5. To return to the Local Traffic Statistics screen, click Back. Managing cache size Determine the amount of memory the BIG-IP system has and how much you want to commit to DNS caching. View the statistics for a cache to determine how well the cache is working. You can change the size of a DNS cache to fix cache performance issues. 1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens. 2. Click the name of the cache you want to modify. The Properties screen opens. 3. In the Message Cache Size field, type the maximum size in bytes for the DNS message cache. 124

BIG-IP Global Traffic Manager : Implementations The BIG-IP system caches the messages in a DNS response in the message cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage. Important: The message cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field. 4. In the Resource Record Cache Size field, type the maximum size in bytes for the DNS resource record cache. The BIG-IP system caches the supporting records in a DNS response in the Resource Record cache. A higher maximum size makes it possible for more DNS responses to be cached and increases the cache hit percentage. A lower maximum size forces earlier eviction of cached content, but can lower the cache hit percentage. Important: The resource record cache size includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the size by eight and put that value in this field. 5. In the Nameserver Cache Count field, type the maximum number of DNS nameservers for which the BIG-IP system caches connection and capability data. Important: The nameserver cache count includes all tmms on the BIG-IP system; therefore, if there are eight tmms, multiply the count by eight and put that value in this field. 6. In the Unsolicited Reply Threshold field, change the default value if you are using the BIG-IP system to monitor for unsolicited replies using SNMP. The system always rejects unsolicited replies. The default value of 0 (off) indicates the system does not generate SNMP traps or log messages when rejecting unsolicited replies. Changing the default value alerts you to a potential security attack, such as cache poisoning or DOS. For example, if you specify 1,000,000 unsolicited replies, each time the system receives 1,000,000 unsolicited replies, it generates an SNMP trap and log message. 7. Click Update. Clearing a DNS cache You can clear all records from a specific DNS cache on the BIG-IP system. 1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens. 2. On the menu bar, click Statistics. The Local Traffic Statistics screen opens. 3. Select the check box next to the cache you want to clear, and then click Clear Cache. Clearing specific records from a DNS cache You can clear specific records from a DNS cache using tmsh. For example, you can delete all RRSET records or only the A records in the specified cache. Tip: In tmsh, you can use the command completion feature to discover the types of records that are available for deletion. 125

Resolving DNS Queries and Caching Validated Responses 1. Log in to the command-line interface of the BIG-IP system. 2. At the BASH prompt, type tmsh. 3. At the tmsh prompt, type ltm dns cache records, and press Enter to navigate to the dns cache records module. 4. Type delete <cache-type> type <record-type> cache <cache-name>, and press Enter. For example, the command sequence delete rrset type a cache my_resolver_cache, deletes the A records from the resource record cache of the resolver cache named my_resolver_cache. Implementation result You now have an implementation in which the BIG-IP system acts as a DNS resolver, verifies the validity of the responses, caches DNSSEC-compliant responses, and answers queries for a cached response with a DNSSEC-compliant response from the cache. 126

Chapter 22 Customizing a DNS Cache Overview: Customizing a DNS cache

Customizing a DNS Cache Overview: Customizing a DNS cache You can customize a DNS cache on the BIG-IP system to meet specific network needs by changing the default values on the DNS cache settings. Configuring a DNS cache to answer queries for local zones You can configure a DNS cache on the BIG-IP system to answer client requests for local zones. 1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens. 2. Click the name of the cache you want to modify. The Properties screen opens. 3. Select the Enabled check box for the Answer Default Zones setting, when you want the BIG-IP system to answer queries for the default zones: localhost, reverse 127.0.0.1 and ::1, and AS112 zones. 4. Click Update. Configuring a DNS cache to use specific root nameservers You can configure a resolver or validating resolver DNS cache on the BIG-IP system to use a specific server as an authoritative nameserver for the DNS root nameservers. 1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens. 2. Click the name of the cache you want to modify. The Properties screen opens. 3. In the Root Hints area, in the IP address field, type the IP address of a DNS server that the system considers authoritative for the DNS root nameservers, and then click Add. Caution: By default, the system uses the DNS root nameservers published by InterNIC. When you add DNS root nameservers, the BIG-IP system no longer uses the default nameservers published by InterNIC, but uses the nameservers you add as authoritative for the DNS root nameservers. Based on your network configuration, add IPv4 or IPv6 addresses or both. 4. Click Update. Configuring a DNS cache alert for cache poisoning You can configure a resolver or validating resolver DNS cache on the BIG-IP system to generate SNMP alerts and log messages when the cache receives unsolicited replies. This is helpful as an alert to a potential security attack, such as cache poisoning or DDoS. 1. On the Main tab, click Local Traffic > DNS Caches > DNS Cache List. The DNS Cache List screen opens. 2. Click the name of the cache you want to modify. 128

BIG-IP Global Traffic Manager : Implementations The Properties screen opens. 3. In the Unsolicited Reply Threshold field, change the default value if you are using the BIG-IP system to monitor for unsolicited replies using SNMP. The system always rejects unsolicited replies. The default value of 0 (off) indicates the system does not generate SNMP traps or log messages when rejecting unsolicited replies. Changing the default value alerts you to a potential security attack, such as cache poisoning or DOS. For example, if you specify 1,000,000 unsolicited replies, each time the system receives 1,000,000 unsolicited replies, it generates an SNMP trap and log message. 4. Click Update. 129

Chapter 23 Configuring IP Anycast (Route Health Injection) Overview: Configuring IP Anycast (Route Health Injection) Task summary Implementation result

Configuring IP Anycast (Route Health Injection) Overview: Configuring IP Anycast (Route Health Injection) You can configure IP Anycast for DNS services on the BIG-IP system to help mitigate distributed denial-of-service attacks (DDoS), reduce DNS latency, improve the scalability of your network, and assist with traffic management. This configuration adds routes to and removes routes from the routing table based on availability. Advertising routes to virtual addresses based on the status of attached listeners is known as Route Health Injection (RHI). Task summary Perform these tasks to configure the BIG-IP system for IP Anycast. Enabling the ZebOS dynamic routing protocol Creating a custom DNS profile Configuring a listener for route advertisement Verifying advertisement of the route Enabling the ZebOS dynamic routing protocol Before you enable ZebOS dynamic routing on the BIG-IP system: Ensure that the system license includes the Routing Bundle add-on. Ensure that ZebOS is configured correctly. If you need help, refer to the following resources on AskF5 : TMOS Management Guide for BIG-IP Systems Configuration Guide for the VIPRION System ZebOS Advanced Routing Suite Configuration Guide Enable ZebOS protocols to allow the BIG-IP system to dynamically learn routes. 1. Log on to the command-line interface of the BIG-IP system. 2. At the command prompt, type zebos enable <protocol_type> and press Enter. The system returns an enabled response. 3. To verify that the ZebOS dynamic routing protocol is enabled, at the command prompt, type zebos check and press Enter. The system returns a list of all enabled protocols. Creating a custom DNS profile Create a custom DNS profile based on your network configuration, to specify how you want the BIG-IP system to handle non-wide IP DNS queries. 1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens. 2. Click Create. The New DNS profile screen opens. 132

BIG-IP Global Traffic Manager : Implementations 3. In the Name field, type a unique name for the profile. 4. In the Parent Profile list, accept the default dns profile. 5. Select the Custom check box. 6. In the Global Traffic Management list, accept the default value Enabled. 7. From the Unhandled Query Actions list, select how you want the BIG-IP system to handle a query that is not for a wide IP or DNS Express zone. Option Allow Drop Reject Hint No Error Description The BIG-IP system forwards the connection request to another DNS server or DNS server pool. Note that if a DNS server pool is not associated with a listener and the Use BIND Server on BIG-IP option is set to enabled, connection requests are forwarded to the local BIND server. (Allow is the default value.) The BIG-IP system does not respond to the query. The BIG-IP system returns the query with the REFUSED return code. The BIG-IP system returns the query with a list of root name servers. The BIG-IP system returns the query with the NOERROR return code. 8. From the Use BIND Server on BIG-IP list, select Enabled. Note: Enable this setting only when you want the system to forward non-wide IP queries to the local BIND server on BIG-IP GTM. 9. Click Finished. Configuring a listener for route advertisement Ensure that ZebOS dynamic routing is enabled on BIG-IP Global Traffic Manager (GTM). To allow BIG-IP GTM to advertise the virtual address of a listener to the routers on your network, configure the listener for route advertisement. 1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens. 2. Click Create. The new Listeners screen opens. 3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. Caution: The destination cannot be a self IP address on the system, because a listener with the same IP address as a self IP address cannot be advertised. 4. From the VLAN/Tunnel Traffic list, select one of the following options: Option All VLANs Description When you want this listener to handle traffic from VLANs within the network segment. Note: Use this option if BIG-IP GTM is handling traffic for the destination IP address locally. This option also applies when the system resides on a network segment that does not use VLANs. 133

Configuring IP Anycast (Route Health Injection) Option Enabled on Disabled on Description When you want this listener to handle traffic from only the VLANs that you move from the Available list to the Selected list. When you want this listener to exclude the traffic from the VLANs that you move from the Available list to the Selected list. 5. From the Protocol list, select either UDP or TCP. 6. From the DNS Profile list, select: Option Description dns <custom profile> This is the default DNS profile. With the default dns profile, BIG-IP GTM forwards non-wide IP queries to the BIND server on the BIG-IP GTM system itself. If you have created a custom DNS profile to handle non-wide IP queries in a way that works for your network configuration, select it. 7. For Route Advertisement, select the Enabled check box. 8. Click Finished. Configure other listeners for route advertisement. Verifying advertisement of the route Ensure that ZebOS dynamic routing is enabled on the BIG-IP system. Run a command to verify that the BIG-IP system is advertising the virtual address. 1. Log on to the command-line interface of the BIG-IP system. 2. At the command prompt, type zebos cmd sh ip route grep <listener IP address> and press Enter. An advertised route displays with a code of K and a 32 bit kernel, for example: K 127.0.0.1/32 Implementation result You now have an implementation in which the BIG-IP system broadcasts virtual IP addresses that you configured for route advertisement. 134

Chapter 24 Redirecting a DNS Query Using a Wide IP with a CNAME Pool Overview: Redirecting DNS queries using a wide IP with a CNAME pool About CNAME records Task summary Implementation result

Redirecting a DNS Query Using a Wide IP with a CNAME Pool Overview: Redirecting DNS queries using a wide IP with a CNAME pool When you want to redirect DNS queries for a web site to a different web site, create a wide IP that represents the original web site and add a CNAME pool to the wide IP to redirect the queries to the new destination. The executives at siterequest.com recently purchased a competitor. Site Request's administrator wants to redirect DNS queries for competitor.com to a rebranded web site named competitor.siterequest.com. About CNAME records A CNAME record specifies that a domain name is an alias of another domain. When you create a pool with a canonical name, BIG-IP GTM responds to DNS queries for the CNAME with the real fully qualified domain name (FQDN). Task summary Perform these tasks to redirect a DNS query using a wide IP with a CNAME pool. Redirecting a DNS Query Using a Wide IP with a CNAME Pool Creating a pool using a CNAME Creating a wide IP with a CNAME pool Creating a pool using a CNAME Create a pool to which the system can load balance DNS queries using a CNAME record, rather than pool members. For our example, name the pool competitor_redirect and use a CNAME of competitor.siterequest.com. 1. On the Main tab, click Global Traffic > Pools. The Pools list screen opens. 2. Click Create. 3. Type a name for the pool. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character. Important: The pool name is limited to 63 characters. 4. From the Configuration list, select Advanced. 5. In the CNAME field, type the canonical name of the zone to which you want BIG-IP GTM to send DNS queries. 136

BIG-IP Global Traffic Manager : Implementations Tip: When you provide a canonical name, you do not add members to the pool, because the CNAME record always takes precedence over pool members. Additionally, a pool with a CNAME is not monitored for availability. 6. Click Finished. Creating a wide IP with a CNAME pool Create a wide IP with a CNAME pool to redirect DNS queries for a web site to a different web site. For our example, create a wide IP named www.competitor.siterequest.com and add the CNAME pool competitor_redirect. 1. On the Main tab, click Global Traffic > Wide IPs. The Wide IPs List screen opens. 2. Click Create. The New Wide IP screen opens. 3. In the Name field, type a name for the wide IP. Tip: You can use two different wildcard characters in the wide IP name: asterisk (*) to represent several characters and question mark (?) to represent a single character. This reduces the number of aliases you have to add to the configuration. 4. From the Pool list, select the CNAME pool, and then click Add. 5. Click Finished. Implementation result You now have an implementation in which when a client sends a DNS query for www.siterequest_competitor.com, the CNAME record redirects the LDNS to siterequest2.com. The LDNS performs an IP address lookup for siterequest2.com, and the BIG-IP GTM returns the correct IP address, which is forwarded to the client. 137

Chapter 25 Monitoring Third-Party Servers with SNMP Overview: SNMP monitoring of third-party servers Task summary Implementation result

Monitoring Third-Party Servers with SNMP Overview: SNMP monitoring of third-party servers You can configure the BIG-IP Global Traffic Manager (GTM ) to acquire information about the health of a third-party server using SNMP. The server must be running an SNMP agent. Task summary To configure BIG-IP GTM to acquire information about the health of a third-party server using SNMP, perform the following tasks. Creating an SNMP monitor Defining a third-party host server that is running SNMP Creating an SNMP monitor Create an SNMP monitor that BIG-IP Global Traffic Manager can use to monitor a third-party server running SNMP. 1. On the Main tab, click Global Traffic > Monitors. The Monitor List screen opens. 2. Click Create. The New Monitor screen opens. 3. Type a name for the monitor. Important: Monitor names are limited to 63 characters. 4. From the Type list, select one of the following: Option Description SNMP DCA SNMP DCA Base Use this monitor to specify new values for CPU, memory, and disk metrics. Use this monitor to specify values for metrics other than CPU, memory, and disk usage. 5. Click Finished. Defining a third-party host server that is running SNMP Ensure that the third-party host server is running SNMP. During this procedure, you assign a virtual server to the server; therefore, determine the IP address that you want to assign to the virtual server. Define the third-party host server. 1. On the Main tab, click Global Traffic > Servers. The Server List screen opens. 140

BIG-IP Global Traffic Manager : Implementations 2. Click Create. The New Server screen opens. 3. In the Name field, type a name for the server. Important: Server names are limited to 63 characters. 4. From the Product list, select a third-party host server or select Generic Host. The server type determines the metrics that the system can collect from the server. 5. In the Address List area, add the IP addresses of the server. a) Type an external (public) IP address in the Address field, and then click Add. b) If you use NAT, type an internal (private) IP address in the Translation field, and then click Add. You can add more than one IP address, depending on how the server interacts with the rest of your network. 6. From the Data Center list, select the data center where the server resides. 7. From the Prober Pool list, select one of the following. Option Description Inherit from Data Center Prober pool name By default, a server inherits the Prober pool assigned to the data center in which the server resides. Select the Prober pool that contains the BIG-IP systems that you want to perform monitor probes of this server. 8. In the Health Monitors area, assign an SNMP monitor to the server by moving it from the Available list to the Selected list. 9. From the Virtual Server Discovery list, select Disabled. 10. Click Create. 11. In the Server List, click a server name. The server settings and values display. 12. On the menu bar, click Virtual Servers. A list of the virtual servers configured on the server displays. 13. Click Add. The IP addresses display in the list. 14. In the Virtual Server List area, specify the virtual servers that are resources on this server. a) In the Name field, type the name of the virtual server. b) In the Address field, type the IP address of the virtual server. 15. Click Create. The Server List screen opens displaying the new server in the list. Implementation result BIG-IP GTM can now use the SNMP monitor to verify the availability of and to collect statistics about the generic host. 141

Chapter 26 Configuring Remote High-Speed DNS Logging Overview: Configuring remote high-speed DNS logging Task summary Implementation result

Configuring Remote High-Speed DNS Logging Overview: Configuring remote high-speed DNS logging You can configure the BIG-IP system to log information about DNS traffic and send the log messages to remote high-speed log servers. You can choose to log either DNS queries or DNS responses, or both. In addition, you can configure the system to perform logging on DNS traffic differently for specific resources. For example, you can configure logging for a specific resource, and then disable and re-enable logging for the resource based on your network administration needs. When configuring remote high-speed DNS logging, it is helpful to understand the objects you need to create and why, as described here: Object to create in implementation Pool of remote log servers Destination (unformatted) Destination (formatted) Publisher DNS Logging profile DNS profile LTM virtual server GTM listener Reason Create a pool of remote log servers to which the BIG-IP system can send log messages. Create a log destination of Remote High-Speed Log type that specifies a pool of remote log servers. If your remote log servers are the ArcSight, Splunk, or Remote Syslog type, create an additional log destination to format the logs in the required format and forward the logs to a remote high-speed log destination. Create a log publisher to send logs to a set of specified log destinations. Create a custom DNS Logging profile to define the data you want the BIG-IP system to include in the DNS logs and associate a log publisher with the profile. Create a custom DNS profile to enable DNS logging, and associate a DNS Logging profile with the DNS profile. Associate a custom DNS profile with a virtual server to define how the BIG-IP system logs the DNS traffic that the virtual server processes. Associate a custom DNS profile with a listener to define how the BIG-IP system logs the DNS traffic that the listener processes. 144

BIG-IP Global Traffic Manager : Implementations Figure 15: Association of remote high-speed logging configuration objects Task summary Perform these tasks to configure DNS logging on the BIG-IP system. Note: Enabling either DNS query logging or DNS response logging, or both, impacts BIG-IP system performance. Configuring Remote High-Speed DNS Logging Creating a pool of remote logging servers Creating a remote high-speed log destination Creating a formatted remote high-speed log destination Creating a publisher Creating a custom DNS Logging profile for logging DNS queries Creating a custom DNS Logging profile for logging DNS responses Creating a custom DNS Logging profile for logging DNS queries and responses Creating a custom DNS profile to enable DNS logging Configuring a GTM listener for DNS logging Disabling DNS logging 145

Configuring Remote High-Speed DNS Logging Creating a pool of remote logging servers Before creating a pool of log servers, gather the IP addresses of the servers that you want to include in the pool. Ensure that the remote log servers are configured to listen to and receive log messages from the BIG-IP system. Create a pool of remote log servers to which the BIG-IP system can send log messages. 1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens. 2. Click Create. The New Pool screen opens. 3. In the Name field, type a unique name for the pool. 4. Using the New Members setting, add the IP address for each remote logging server that you want to include in the pool: a) Type an IP address in the Address field, or select a node address from the Node List. b) Type a service number in the Service Port field, or select a service name from the list. Note: Typical remote logging servers require port 514. c) Click Add. 5. Click Finished. Creating a remote high-speed log destination Before creating a remote high-speed log destination, ensure that at least one pool of remote log servers exists on the BIG-IP system. Create a log destination of the Remote High-Speed Log type to specify that log messages are sent to a pool of remote log servers. 1. On the Main tab, click System > Logs > Configuration > Log Destinations. The Log Destinations screen opens. 2. Click Create. 3. In the Name field, type a unique, identifiable name for this destination. 4. From the Type list, select Remote High-Speed Log. Important: If you use log servers such as Remote Syslog, Splunk, or ArcSight, which require data be sent to the servers in a specific format, you must create an additional log destination of the required type, and associate it with a log destination of the Remote High-Speed Log type. This allows the BIG-IP system to send data to the servers in the required format. The BIG-IP system is configured to send an unformatted string of text to the log servers. 5. From the Pool Name list, select the pool of remote log servers to which you want the BIG-IP system to send log messages. 6. From the Protocol list, select the protocol used by the high-speed logging pool members. 7. Click Finished. 146

BIG-IP Global Traffic Manager : Implementations Creating a formatted remote high-speed log destination Ensure that at least one remote high-speed log destination exists on the BIG-IP system. Create a formatted logging destination to specify that log messages are sent to a pool of remote log servers, such as Remote Syslog, Splunk, or ArcSight servers. 1. On the Main tab, click System > Logs > Configuration > Log Destinations. The Log Destinations screen opens. 2. Click Create. 3. In the Name field, type a unique, identifiable name for this destination. 4. From the Type list, select a formatted logging destination, such as Remote Syslog, Splunk, or ArcSight. Important: ArcSight formatting is only available for logs coming from the network Application Firewall Module (AFM) and the Application Security Manager (ASM ). The BIG-IP system is configured to send a formatted string of text to the log servers. 5. From the Forward To list: For ArcSight or Splunk, from the Forward To list, select the destination that points to a pool of high-speed log servers to which you want the BIG-IP system to send log messages. For Remote Syslog, from the Syslog Format list, select a format for the logs, and then from the High-Speed Log Destination list, select the destination that points to a pool of remote Syslog servers to which you want the BIG-IP system to send log messages. 6. Click Finished. Creating a publisher Ensure that at least one destination associated with a pool of remote log servers exists on the BIG-IP system. Create a publisher to specify where the BIG-IP system sends log messages for specific resources. 1. On the Main tab, click System > Logs > Configuration > Log Publishers. The Log Publishers screen opens. 2. Click Create. 3. In the Name field, type a unique, identifiable name for this publisher. 4. For the Destinations setting, in the Available list, select a destination, and click << to move the destination to the Selected list. Note: If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight. 5. Click Finished. Creating a custom DNS Logging profile for logging DNS queries Create a custom DNS logging profile to log DNS queries, when you want to log only DNS queries. 147

Configuring Remote High-Speed DNS Logging 1. On the Main tab, click Local Traffic > Profiles > Other > DNS Logging. The DNS Logging profile list screen opens. 2. Click Create. The New DNS Logging profile screen opens. 3. In the Name field, type a unique name for the profile. 4. From the Log Publisher list, select a destination to which the BIG-IP system sends DNS log entries. 5. For the Log Queries setting, ensure that the Enabled check box is selected, if you want the BIG-IP system to log all DNS queries. 6. For the Include Query ID setting, select the Enabled check box, if you want the BIG-IP system to include the query ID sent by the client in the log messages. 7. Click Finished. Assign this custom DNS Logging profile to a custom DNS profile. Creating a custom DNS Logging profile for logging DNS responses Create a custom DNS logging profile to log DNS responses when you want to determine how the BIG-IP system is responding to a given query. 1. On the Main tab, click Local Traffic > Profiles > Other > DNS Logging. The DNS Logging profile list screen opens. 2. Click Create. The New DNS Logging profile screen opens. 3. In the Name field, type a unique name for the profile. 4. From the Log Publisher list, select a destination to which the BIG-IP system sends DNS log entries. 5. For the Log Responses setting, select the Enabled check box, if you want the BIG-IP system to log all DNS responses. 6. For the Include Query ID setting, select the Enabled check box, if you want the BIG-IP system to include the query ID sent by the client in the log messages. 7. Click Finished. Assign this custom DNS Logging profile to a custom DNS profile. Creating a custom DNS Logging profile for logging DNS queries and responses Create a custom DNS logging profile to log both DNS queries and responses when troubleshooting a DDoS attack. Note: Logging both DNS queries and responses has an impact on the BIG-IP system performance. 1. On the Main tab, click Local Traffic > Profiles > Other > DNS Logging. The DNS Logging profile list screen opens. 2. Click Create. The New DNS Logging profile screen opens. 3. In the Name field, type a unique name for the profile. 4. From the Log Publisher list, select a destination to which the BIG-IP system sends DNS log entries. 5. For the Log Queries setting, ensure that the Enabled check box is selected, if you want the BIG-IP system to log all DNS queries. 148

BIG-IP Global Traffic Manager : Implementations 6. For the Log Responses setting, select the Enabled check box, if you want the BIG-IP system to log all DNS responses. 7. For the Include Query ID setting, select the Enabled check box, if you want the BIG-IP system to include the query ID sent by the client in the log messages. 8. Click Finished. Assign this custom DNS Logging profile to a custom DNS profile. Creating a custom DNS profile to enable DNS logging Ensure that at least one custom DNS Logging profile exists on the BIG-IP system. Create a custom DNS profile to log specific information about DNS traffic processed by the resources to which the DNS profile is assigned. Depending upon what information you want the BIG-IP system to log, attach a custom DNS Logging profile configured to log DNS queries, to log DNS responses, or to log both. 1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens. 2. Click Create. The New DNS profile screen opens. 3. In the Name field, type a unique name for the profile. 4. Select the Custom check box. 5. From the Logging list, select Enabled. 6. From the Logging Profile list, select a custom DNS Logging profile. 7. Click Finished. You must assign this custom DNS profile to a resource before the BIG-IP system can log information about the DNS traffic handled by the resource. Configuring a GTM listener for DNS logging Ensure that at least one custom DNS profile with logging configured exists on the BIG-IP system. Assign a custom DNS profile to a listener when you want the BIG-IP system to log the DNS traffic the listener handles. Note: This task applies only to GTM -provisioned systems. 1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens. 2. Click the name of the listener you want to modify. 3. From the DNS Profile list, select a custom DNS profile that is associated with a DNS Logging profile. 4. Click Update. Disabling DNS logging Disable DNS logging on a custom DNS profile when you no longer want the BIG-IP system to log information about the DNS traffic handled by the resources to which the profile is assigned. 149

Configuring Remote High-Speed DNS Logging Note: You can disable and re-enable DNS logging for a specific resource based on your network administration needs. 1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens. 2. Click the name of a profile. 3. Select the Custom check box. 4. From the Logging list, select Disabled. 5. Click Update. The BIG-IP system does not perform DNS logging on the DNS traffic handled by the resources to which this profile is assigned. Implementation result You now have an implementation in which the BIG-IP system performs DNS logging on specific DNS traffic and sends the log messages to a pool of remote log servers. 150

Chapter 27 Configuring Device-Specific Probing and Statistics Collection Overview: Configuring device-specific probing and statistics collection Task summary Implementation result

Configuring Device-Specific Probing and Statistics Collection Overview: Configuring device-specific probing and statistics collection BIG-IP Global Traffic Manager (GTM) performs intelligent probing of your network resources to determine whether the resources are up or down. In some circumstances, for example, if your network contains firewalls, you might want to set up device-specific probing to specify which BIG-IP systems probe specific servers for health and performance data. About Prober pools A Prober pool is an ordered collection of one or more BIG-IP systems. BIG-IP Global Traffic Manager (GTM ) can be a member of more than one Prober pool, and a Prober pool can be assigned to an individual server or a data center. When you assign a Prober pool to a data center, by default, the servers in that data center inherit that Prober pool. The members of a Prober pool perform monitor probes of servers to gather data about the health and performance of the resources on the servers. BIG-IP GTM makes load balancing decisions based on the gathered data. If all of the members of a Prober pool are marked down, or if a server has no Prober pool assigned, BIG-IP GTM reverts to a default intelligent probing algorithm to gather data about the resources on the server. This figure illustrates how Prober pools work. BIG-IP GTM contains two BIG-IP Local Traffic Manager (LTM ) systems that are assigned Prober pools and one BIG-IP LTM system that is not assigned a Prober pool: Figure 16: BIG-IP systems with prober pools Prober Pool 1 is assigned to a generic host server BIG-IP LTM3 is the only member of Prober Pool 1, and performs all HTTPS monitor probes of the server. Prober Pool 2 is assigned to generic load balancers BIG-IP LTM1 and BIG-IP LTM2 are members of Prober Pool 2. These two systems perform HTTP monitor probes of generic load balancers based on the load balancing method assigned to Prober Pool 2. The generic load balancers on the left side of the graphic are not assigned a Prober pool BIG-IP GTM can solicit any BIG-IP system to perform FTP monitor probes of these load balancers, including systems that are Prober pool members. 152

BIG-IP Global Traffic Manager : Implementations About Prober pool status The status of a Prober pool also indicates the status of the members of the pool. If at least one member of a Prober pool has green status (Available), the Prober pool has green status. The status of a Prober pool member indicates whether the BIG-IP GTM system, on which you are viewing status, can establish an iquery connection with the member. Note: If a Prober pool member has red status (Offline), no iquery connection exists between the member and the BIG-IP GTM system on which you are viewing status. Therefore, that BIG-IP GTM system cannot request that member to perform probes, and the Prober pool will not select the member for load balancing. About Prober pool statistics You can view the number of successful and failed probe requests that the BIG-IP GTM system (on which you are viewing statistics) made to the Prober pools. These statistics reflect only the number of Probe requests and their success or failure. These statistics do not reflect the actual probes that the pool members made to servers on your network. Prober pool statistics are not aggregated among the BIG-IP GTM systems in a synchronization group. The statistics on one BIG-IP GTM include only the requests made from that BIG-IP GTM system. In this figure, the Prober pool statistics that display on BIG-IP GTM1 are the probe requests made only by that system. Figure 17: Prober pool statistics displayed per system 153

Configuring Device-Specific Probing and Statistics Collection Task summary Perform these tasks to configure device-specific probing and statistics collection. Creating a Prober pool Assigning a Prober pool to a data center Assigning a Prober pool to a server Viewing Prober pool statistics and status Determining which Prober pool member marked a resource down Creating a Prober pool Obtain a list of the BIG-IP systems in your network and ensure that a server object is configured on the BIG-IP GTM for each system. Create a Prober pool that contains the BIG-IP systems that you want to perform monitor probes of a specific server or the servers in a data center. 1. On the Main tab, click Global Traffic > Prober Pools. The Prober Pool List screen opens. 2. Click Create. The New Prober Pool screen opens. 3. In the Name field, type a name for the Prober pool. Important: Prober pool names are limited to 63 characters. 4. Select a method from the Load Balancing Method list. Option Description Round Robin Global Availability BIG-IP GTM load balances monitor probes among the members of a Prober pool in a circular and sequential pattern. BIG-IP GTM selects the first available Prober pool member to perform a monitor probe. 5. Assign members to the pool by moving servers from the Available list to the Selected list. 6. To reorder the members in the Selected list, choose a server and use the Up and Down buttons to move the server to a different location in the list. The order of the servers in the list is important in relation to the load balancing method you selected. 7. Click Finished. Assign the Prober pool to a data center or a server. Assigning a Prober pool to a data center Ensure that a Prober pool is available on the system. To make a specific collection of BIG-IP systems available to probe the servers in a data center, assign a Prober pool to the data center. 154

BIG-IP Global Traffic Manager : Implementations 1. On the Main tab, click Global Traffic > Data Centers. The Data Center List screen opens. 2. Click a data center name in the list. The data center settings and values display. 3. From the Prober Pool list, select the Prober pool that contains the BIG-IP systems that you want to perform monitor probes of the servers in this data center. By default, all of the servers in the data center inherit this Prober pool. 4. Click Update. Assigning a Prober pool to a server Ensure that a Prober pool is available on the system. To specify which BIG-IP systems perform monitor probes of a server, assign a Prober pool to the server. 1. On the Main tab, click Global Traffic > Servers. The Server List screen opens. 2. In the Server List, click a server name. The server settings and values display. 3. From the Prober Pool list, select one of the following. Option Description Inherit from Data Center Prober pool name By default, a server inherits the Prober pool assigned to the data center in which the server resides. Select the Prober pool that contains the BIG-IP systems that you want to perform monitor probes of this server. 4. Click Update. Viewing Prober pool statistics and status You can view status and statistics for Prober pools and the members of the pools. 1. On the Main tab, click Global Traffic > Prober Pools. The Prober Pool List screen opens. 2. On the menu bar, click Statistics. The Global Traffic Statistics screen opens. 3. Click the Refresh button. The statistics are updated. 4. To view additional information about the status of a Prober pool, place your cursor over the icon in the Status column. 5. To view additional information about the status of a Prober pool member, click View in the Members column, and then place your cursor over the icon in the Status column of a specific member. 155

Configuring Device-Specific Probing and Statistics Collection Determining which Prober pool member marked a resource down When a resource is marked down, you can open the BIG-IP GTM log to view the SNMP trap and determine which member of a Prober pool marked the resource down. 1. On the Main tab, click System > Logs. The System logs screen opens. 2. On the menu bar, click Local Traffic. The Local Traffic logs screen opens. 3. You can either scroll through the log or search for a log entry about a specific event. Implementation result You now have an implementation in which a specific BIG-IP system probes the resources on a specific server, or the servers in a specific data center. 156

Chapter 28 Setting Up and Viewing DNS Statistics Overview: Setting up and viewing DNS statistics Task summary Implementation result

Setting Up and Viewing DNS Statistics Overview: Setting up and viewing DNS statistics You can view DNS AVR and DNS global statistics on the BIG-IP system to help you manage and report on the DNS traffic on your network. DNS AVR Statistics You must configure an AVR sampling rate on a DNS profile and assign it to a virtual server before the BIG-IP system can gather DNS AVR statistics. An AVR Analytics profile is not required for the BIG-IP system to gather and display DNS AVR statistics. Important: When the Protocol Security module is licensed and provisioned, the DNS AVR statistics that display include Protocol Security statistics. The DNS AVR statistics include DNS requests per: Virtual server Query name Query type Client IP address (You can also filter the statistics by time period.) DNS Global Statistics The BIG-IP system automatically collects DNS global statistics about the DNS traffic the system processes. The DNS global statistics include: Total DNS requests and responses Details about the DNS queries and responses The number of wide IP requests The number of DNS Express requests and NOTIFY announcements and messages The number of DNS cache requests The number of DNS IPv6 to IPv4 requests, rewrites, and failures The number of unhandled query actions per specific actions Task summary Perform these tasks to set up DNS AVR statistics and to view DNS AVR and DNS global statistics on the BIG-IP system. Setting Up and Viewing DNS Statistics Creating a DNS profile for DNS AVR statistics collection Configuring a GTM listener for DNS AVR statistics collection Viewing DNS AVR statistics Viewing DNS AVR statistics in tmsh Viewing DNS global statistics Viewing DNS statistics for a specific virtual server 158

BIG-IP Global Traffic Manager : Implementations Creating a DNS profile for DNS AVR statistics collection Ensure that Application Visibility and Reporting (AVR) is provisioned. Configure the BIG-IP system to collect DNS statistics on a sampling of the DNS traffic that the BIG-IP system handles. You must use tmsh to configure the AVR sampling rate for DNS statistics collection. 1. Log on to the command-line interface of the BIG-IP system. 2. At the BASH prompt, type: tmsh. 3. At the tmsh prompt, to create a DNS profile that enables DNS AVR statistics collection, type: create ltm profile dns [my_dns_profile_name] avr-dnsstat-sample-rate [sampling rate], and then press Enter. Option my_dns_profile_name sampling_rate Description A unique name for this profile. Specifies the number of DNS queries the BIG-IP system stores in the Analytics database. The default value of zero (0) indicates that no DNS queries are stored. A value of one (1) indicates that all DNS queries are stored. A value of N, where N>1, indicates that every Nth query is stored. Important: The BIG-IP system samples one query out of the number you set for the sampling rate, and then records that the number of queries that have passed through the BIG-IP are the sampling rate times one. Configuring a GTM listener for DNS AVR statistics collection Ensure that at least one custom DNS profile configured with an AVR sampling rate exists on the BIG-IP system. Assign a custom DNS profile to a listener when you want the BIG-IP system to collect AVR statistics on a sampling of the DNS traffic the listener handles. Note: This task applies only to GTM -provisioned systems. 1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens. 2. Click the name of the listener you want to modify. 3. From the DNS Profile list, select a custom DNS profile configured with an AVR sampling rate. 4. Click Update. Viewing DNS AVR statistics Ensure that Application Visibility and Reporting (AVR) is provisioned. Ensure that the BIG-IP system is configured to collect DNS statistics on a sampling of the DNS traffic that the BIG-IP system handles. View DNS AVR statistics to help you manage the DNS traffic on your network. 1. On the Main tab, click Statistics > Analytics > DNS. 159

Setting Up and Viewing DNS Statistics The DNS Analytics screen opens. Important: When the Protocol Security Module is licensed and provisioned, the DNS AVR statistics that display include Protocol Security statistics. 2. From the View By list, select the specific network object type for which you want to display statistics. You can also click Expand Advanced Filters to filter the information that displays. 3. From the Time Period list, select the amount of time for which you want to view statistics. Tip: To display reports for a specific time period, select Custom and specify beginning and end dates. 4. Click Export to create a report of this information. Note: The timestamp on the report reflects a publishing interval of five minutes; therefore, a time period request of 12:40-13:40 actually displays data between 12:35-13:35. By default, the BIG-IP system displays one hour of data. Viewing DNS AVR statistics in tmsh Ensure that Application Visibility and Reporting (AVR) is provisioned. Ensure that the BIG-IP system is configured to collect DNS statistics on a sampling of the DNS traffic that the BIG-IP system handles. View DNS analytics statistics to help you manage the DNS traffic on your network. Important: When the Protocol Security module is licensed and provisioned, the DNS AVR statistics that display include Protocol Security statistics. 1. Log on to the command-line interface of the BIG-IP system. 2. At the BASH prompt, type tmsh. 3. At the tmsh prompt, type one of these commands and then press Enter. Option Description show analytics dns report view-by query-name limit 3 show analytics dns report view-by query-type limit 3 show analytics dns report view-by client-ip limit 3 show analytics dns report view-by query-name drilldown { { entity query-type values {A}}} limit 3 show analytics dns report view-by query-type drilldown { { entity query-name values {www.f5.com}}} limit 3 show analytics dns report view-by client-ip drilldown { { entity query-type values {A}}} limit 3 Displays the three most common query names. Displays the three most common query types. Displays the three client IP addresses from which the most DNS queries originate. Displays the three most common query names for query type A records. Displays the three most common query types for query name www.f5.com. Displays the three most common client IP addresses requesting query type A records. 160

BIG-IP Global Traffic Manager : Implementations Viewing DNS global statistics Ensure that at least one DNS profile exists on the BIG-IP system and that this profile is assigned to an LTM virtual server or a GTM listener that is configured to use the TCP protocol. Note: If you want to view AXFR and IXFR statistics, the listener or virtual server must be configured to use the TCP protocol. This is because zone transfers occur over the TCP protocol. View DNS global statistics to determine how to fine tune your network configuration or troubleshoot DNS traffic processing problems. 1. On the Main tab, click Statistics > Module Statistics > Local Traffic. The Local Traffic statistics screen opens. 2. From the Statistics Type list, select Profiles Summary. 3. In the Details column for the DNS profile, click View. Viewing DNS statistics for a specific virtual server Ensure that at least one virtual server associated with a DNS profile exists on the BIG-IP system. Note: If you want to view AXFR and IXFR statistics, the virtual server must be configured to use the TCP protocol. This is because zone transfers occur over the TCP protocol. You can view DNS statistics per virtual server when you want to analyze how the BIG-IP system is handling specific DNS traffic. 1. On the Main tab, click Statistics > Module Statistics > Local Traffic. The Local Traffic statistics screen opens. 2. From the Statistics Type list, select Virtual Servers. 3. In the Details column for the virtual server, click View. Implementation result You now have an implementation in which the BIG-IP system gathers both DNS AVR and DNS global statistics. You can view these statistics to help you understand DNS traffic patterns and manage the flow of your DNS traffic, especially when your network is under a DDoS attack. 161

Chapter 29 Diagnosing Network Connection Issues Diagnosing network connection issues

Diagnosing Network Connection Issues Diagnosing network connection issues To help you diagnose network connection issues, you can view the status of and statistics about the iquery connections between BIG-IP Global Traffic Manager (GTM) and other BIG-IP systems on your network. iquery connection information displays for IP addresses that are configured on BIG-IP server objects. Viewing iquery statistics Ensure that the BIG-IP GTM configuration contains at least one BIG-IP server object with a self IP address. To view information about the connections between BIG-IP GTM and other BIG-IP systems, view iquery statistics. 1. On the Main tab, click Statistics > Module Statistics > Global Traffic. The Global Traffic statistics screen opens. 2. From the Statistics Type list, select iquery. Information about the iquery connections between this system and other BIG-IP systems in your network displays. 3. When you want to estimate iquery traffic throughput, click Reset. The following statistics are reset to zero: iquery Reconnects Bytes In Bytes Out Backlogs Bytes Dropped To view information about the iquery connections between a different BIG-IP GTM and the BIG-IP systems in your network, log in to that BIG-IP GTM and repeat this procedure. iquery statistics descriptions The information in the table describes the iquery statistics. iquery Statistics IP Address Server Data Center iquery State Description Displays the IP addresses of the servers that have an iquery connection with this BIG-IP GTM. Displays the name of the server with the specified IP address. Displays the data center to which the specified server belongs. Displays the state of the iquery connection between the specified server and the BIG-IP GTM. Possible states are: Not Connected Connecting 164

BIG-IP Global Traffic Manager : Implementations iquery Statistics iquery Reconnects Bytes In Bytes Out Backlogs Bytes Dropped SSL Certificate Expiration Configuration Time Description Connected Backlogged (indicates messages are queued and waiting to be sent) Displays the number of times the BIG-IP GTM re-established an iquery connection with the specified server. Displays the amount of data in bytes received by the BIG-IP GTM over the iquery connection from the specified server. Displays the amount of data in bytes sent from the BIG-IP GTM over the iquery connection to the specified server. Displays the number of times the iquery connection between the BIG-IP GTM and the specified server was blocked, because iquery had to send out more messages than the connection could handle. Displays the amount of data in bytes that the iquery connection dropped. Displays the date the SSL certificate expires. Displays the date and time that the BIG-IP GTM configuration was last modified. The timestamps should be the same for all devices in a configuration synchronization group. 165

Index Index A address mapping, about IPv6 to IPv4 88 allow-transfer statement, modifying for zone file transfers 25, 100 Analytics and viewing DNS statistics 159 and viewing DNS statistics in tmsh 160 creating profile for DNS AVR statistics collection 159 Anycast, See IP Anycast. 132 133 Application Visibility and Reporting (AVR) and DNS statistics collection 159 and viewing DNS statistics 159 authentication and SSL certificate chains 80 and SSL certificates 76 authoritative name server, designating GTM 26 authorizing BIG-IP communications 38, 44 auto-discovery, disabling at the global-level 73 automatic save interval for GTM, configuring 82 AVR, and viewing DNS statistics 159 B big3d_install script, running 41 big3d agent and iquery 38 and monitor timeout values 56 and SSL certificates 76 importing certificate chains 79 importing root certificate 77 upgrading 41 bigip_add utility and integrating LTM with GTM 44 running 47 BIG-IP communications 38, 44 BIG-IP LTM and route domains 64 and server definition 40, 46 BIG-IP systems, and iquery connections 164 BIND server and default DNS profiles 103 and GTM 103 Bridge mode, and global traffic management 21 C cache clearing 110, 118, 125 cache poisoning, and configuring SNMP alerts 128 cache size, managing 117, 124 caching, and DNS profiles 107, 115, 122 canonical names, and creating pools 136 canonical pool names 136 CA servers, and device certificates 78 certificate chains and SSL authentication 78 creating 78 verifying exchange 79 certificate exchange, verifying 77 certificates importing device 76 certificates, importing device 78 clusters, configuring 56 CNAME, and redirecting DNS queries 136 configuration changes in GTM, and configuring automatic save interval 82 configuration files, acquiring 53 configuration synchronization enabling for GTM 60 configuration synchronization, about 50 connection refused error and listeners 26 and TCP protocol 26 connections viewing iquery statistics 164 viewing status 164 custom DNS profiles and disabling DNS logging 149 and enabling DNS Express 102 and enabling high-speed DNS logging 149 and logging DNS querieis and responses 148 and logging DNS queries and responses 147 and logging DNS responses 148 creating 132 custom DNS profiles, and caching DNS responses 107 custom monitors, creating DNS 108 D data centers assigning Prober pools 154 creating 51 defining 38, 44, 59 DDoS attacks, about mitigating 100 default DNS profiles, and listeners 103 delegated zones and listeners 35 creating on local DNS servers 35 destinations for logging 147 for remote high-speed logging 146 deterministic probing, implementing 152 device certificates and CA servers 76 importing 76, 78 DLV anchors and adding to validating resolvers 122 obtaining for validating resolvers 121 DNS64, configuring 88 DNS AVR statistics and listeners 159 overview 82, 158 DNS cache about configuring for specific needs 128 about resolver 114 about transparent 106 167

Index DNS cache (continued) about validating resolver 120 and adding DLV anchors to validating resolvers 122 and adding trust anchors to validating resolvers 121 and creating validating resolvers 121 and obtaining trust and DLV anchors for validating resolvers 121 clearing 110, 118, 125 configuring to alert for cache poisoning 128 configuring to answer queries for local zones 128 configuring to generate SNMP alerts 128 configuring to use specific root nameservers 128 creating resolver 115 creating transparent 107 managing cache size 117, 124 managing transparent cache size 110 viewing 109, 116, 123 viewing statistics 109, 111, 116, 118, 123 125 viewing statistics using tmsh 109, 116, 124 DNS cache profiles customizing to cache DNS responses 107, 115, 122 DNS cache profiles, assigning to listeners 108, 116, 123 DNS Express about 100 enabling 102 DNS Express profiles assigning to listener 103 DNS Express TSIG key, creating 100 DNS Express zones and statistics 103 creating 101 DNS global statistics, overview 82, 158 DNS high-speed logging, overview 144 DNS Logging disabling 149 enabling 149 DNS Logging profile assigning to listener 149 DNS logging profiles, customizing 147 148 DNS monitor, creating 108 DNS profiles and disabling DNS logging 149 and enabling high-speed DNS logging 149 and global statistics 161 and IPv6 to IPv4 mapping 89 and listeners configured for route advertisement 132 assigning to listener 159 assigning to listeners 108, 116, 123 assigning to virtual servers 89 creating 132 customizing to cache DNS responses 107, 115, 122 customizing to handle IPV6 to IPv4 address mapping 88 enabling DNS Express 102 handling non-wide IP queries 132 DNS requests for GTM, load balancing 42 DNSSEC about manual rollover of keys 92 and DNS infrastructure illustrated 92 configuring compliance 92 DNSSEC keys about manual rollover 92 creating for emergency rollover 94 95 DNSSEC keys (continued) creating for key signing 94 creating for zone signing 95 DNSSEC keys, about 92 DNSSEC records, viewing 97 DNSSEC zones and signature validation 97 assigning keys 96 creating 96 DNS server pools, and listeners 31 DNS servers and creating pools 31, 108 and GTM 20 and pools 30 and wide IPs 34 configuring to allow zone file transfers 25, 100 delegating wide IP requests 34 identifying legacy 25 modifying 26 replacing with GTM 24 DNS services, about IP Anycast 132 DNS statistics collecting AVR statistics 159 viewing analytics in tmsh 160 viewing global 161 viewing in AVR 159 viewing per virtual server 161 DNS traffic and GTM 20 and statistics per virtual server 161 and wide IPs 20 creating listeners to forward 21 creating listeners to identify 26 forwarding 20 identifying 35 routing 20 E emergency rollover and DNSSEC key-signing keys 94 and DNSSEC zone-signing keys 95 F file transfers, See zone file transfers. 25, 100 forwarding traffic to DNS servers 20 G global traffic management and wildcard listeners 20 load balancing to a pool of DNS servers 30 global traffic management, and Bridge mode 21 GTM and bigip_add utility 47 integrating with LTM 44 gtm_add script and server status 52 running 53 using 61 168

Index gtmd agent and importing root certificates 77 and SSL certificates 76 importing certificate chains 79 gtmd agent, and iquery 38 H high-speed logging and DNS 144 and server pools 146 hosts, defining 140 I important considerations, adding GTM to network 50 integrating with existing DNS servers 34 integration of GTM with older systems 38 integration of LTM and GTM systems 44 intelligent probing, about 152 IP Anycast about 132 and listeners 133 IPv4-only servers and mapping to IPv6-only clients 88 passing traffic from IPv6-only clients 89 IPv6-only clients about mapping to IPv4-only servers 88 passing traffic to IPv4-only DNS servers 89 IPv6 to IPv4 mapping and DNS profiles 88 89 configuring virtual servers 89 iquery and big3d agent 38 and gtmd agent 38 and statistics 164 viewing statistics about connections 164 viewing status of connections 164 iquery connections and statistics 164 and status 164 irules, accessing 56 K key-signing keys about manual rollover 92 creating 94 L LDNS, creating delegated zones 35 legacy DNS servers and zone files 25 identifying by self IP addresses on BIG-IP GTM 25 Level 1, about SSL authentication 76 listeners about wildcard 20 advertising virtual addresses 134 and pools of DNS servers 31 and refused connection error 26 listeners (continued) and route advertisement 134 and TCP protocol 26 and UDP protocol 26 and ZebOS 132 assigning a DNS Express profile 103 assigning custom DNS profile for DNS caching 108, 116, 123 assigning DNS Logging profile 149 assigning DNS profile 159 configuring for route advertisement 133 creating to forward DNS traffic 21 creating to handle wide IP traffic locally 35 creating to identify DNS traffic 26, 59, 93 dynamic routing protocol 132 listeners, defined 20, 24, 30, 34 load balancing DNS requests for GTM 42 load balancing process about Prober pool status 153 about traffic management capabilities 38 and non-wide IP traffic 30 and Prober pools 152 load balancing traffic to a pool of DNS servers 30 local BIND servers, and DNS profiles 132 local DNS servers, and replacing with GTM 24 local zones, and configuring cache to answer queries 128 logging and destinations 146 147 and pools 146 and publishers 147 DNS queries and responses 147 148 DNS responses 148 logical network components, and creating wide IPs 21, 27 logs, and Prober pool data 156 LTM and bigip_add utility 47 and route domains 64, 70 and server definition 40, 46 integrating with GTM 44 M manual rollover, and DNSSEC keys 92 message cache managing size 117, 124 managing size for transparent cache 110 mitigation of DDoS attacks 100 monitor timeout, and virtual server status 56 N nameserver cache, managing size 117, 124 negative DNS responses, and GTM 84 network, deploying GTM for single route domain 64 network connection issues, diagnosing 164 network placement of GTM forwarding traffic 21 network traffic, and listeners 20, 24, 30, 34 non-wide IP queries, and custom DNS profiles 132 NTP servers, defining 51, 58 169

Index P placement of GTM on network to forward traffic 21 pools and canonical names 136 and CNAME 136 and DNS servers 30 31, 108 creating 84 creating with canonical name 136 for high-speed logging 146 primary servers, defining for zones 26 Prober pools about 152 about statistics 153 about status 153 and data centers 154 and deterministic probing 152 and logs 156 and servers 155 and statistics 155 and upgrading to version 11.x 18 creating 154 profiles and disabling DNS logging 149 creating custom DNS 107, 115, 122 creating custom DNS logging 147 creating custom DNS query and response logging 148 creating custom DNS response logging 148 creating DNS 88 creating for DNS AVR statistics collection 159 creating for DNS Express 102 creating for DNS logging 149 publishers, and logging 147 R redirect using CNAME pool, overview 136 redundant system configurations and GTM 58 defining servers 60 refused connection error 26 remote servers and destinations for log messages 146 147 and publishers for log messages 147 for high-speed logging 146 replacing local DNS servers 24 resolver cache about 114 creating 115 resource record cache managing size 117, 124 managing size for transparent cache 110 rollover, See emergency rollover. 58 root certificates, importing 77 root nameservers, and DNS cache 128 root servers, and zones 26 route advertisement, and listeners 133 134 route domains and GTM 64 and LTM 64, 70 and self IP addresses 66, 73 and server definition 67, 73 route domains (continued) and VLANs 65, 72 creating 65, 72 deploying GTM on network with multiple route domains 70 route health injection about 132 routing traffic to DNS servers 20 S saving changes, and GTM 82 scripts running big3d_install script 41 running gtm_add script 52 self IP addresses and route domains 73 creating for route domains 66 creating on GTM for legacy DNS servers 25 self-signed SSL certificates, about 76 server pools, and listeners 31 servers and destinations for log messages 146 147 and publishers for log messages 147 assigning Prober pools 155 defining BIG-IP LTM systems 40, 46 defining for BIG-IP GTM 39, 45 defining for route domains 67, 73 defining GTM redundant system configurations 60 defining new BIG-IP GTM 52 defining third-party host servers 140 for high-speed logging 146 signature validation, of DNSSEC zones 97 single route domain, deploying GTM on network 64 SNMP alerts and cache poisoning 128 configuring cache to generate 117, 124 SNMP monitoring and third-party host servers 140 creating monitors 140 SOA records about 84 and wide IPs 84 SSL authentication about 76 and certificate chains 80 defined 76 SSL certificates about Level 1 SSL authentication 76 about self-signed 76 and big3d agent 77, 79 and CA servers 76 and certificate chain authentication 78 and gtmd agent 77, 79 and verifying chain exchange 79 creating chains 78 signed by third party 76 verifying exchange 77 statistics about iquery 164 viewing DNS global 161 viewing for cache 109, 116, 123 170

Index statistics (continued) viewing for DNS cache 109, 116, 124 viewing for DNS Express zones 103 viewing for DNS traffic per virtual server 161 viewing for Prober pools 155 viewing per virtual server 161 statistics, and Prober pools 153 status, and Prober pools 153 synchronization about 50 enabling 51 enabling for GTM 60 synchronization groups about 50 adding new GTM 50 illustrated 50 system upgrades, and Prober pools 18 T TCP protocol and connection refused error 26 and listeners 26 third-party servers, and SNMP monitoring 140 tmsh, and viewing cache statistics 109, 116, 124 traffic forwarding, placement of GTM 21 transparent cache about 106 creating 107 managing size 110 trust anchors adding to validating resolvers 121 obtaining for validating resolvers 121 TSIG key, creating for DNS Express 100 U UDP protocol, and listeners 26 Unsolicited Replies Threshold setting, modifying 117, 124 upgrades, and Prober pools 18 V validating resolver caches about 120 and adding DLV anchors 122 validating resolver caches (continued) and adding trust anchors 121 and obtaining trust and DLV anchors 121 creating 121 VIPRION systems, and GTM 56 virtual addresses, advertising 134 virtual servers and IPv6 to IPv4 mapping 89 assigning DNS profiles 89 configuring status dependency 56 disabling auto-discovery at the global-level 73 passing traffic between IPv6-only clients and IPv4-only DNS servers 89 virtual server status, setting for clusters 56 VLANs creating for a route domain on BIG-IP LTM 72 creating for route domains 65 W wide IPs and DNS servers 20, 34 and DNS traffic 35 and SOA records 84 creating 21, 27 wildcard listeners, defined 20 Z ZebOS dynamic routing protocol and listeners 133 enabling 132 verifying route advertisement 134 zone files, acquiring from legacy DNS servers 25 zone file transfers, and configuring DNS servers 25, 100 ZoneRunner and viewing DNSSEC records 97 zones and GTM as primary server 26 and root servers 26 zones creating DNSSEC 96 See also DNSSEC zones. zone-signing keys about manual rollover 92 creating 95 zones protecting from DDoS attacks creating for DNS Express 101 171

Index 172