version 10.2
MAN-0317-00
Product Version
This manual applies to product version 10.2 of the BIG-IP Global Traffic Manager.
Publication Date
This manual was published on October 25, 2011.
Legal Notices
Copyright
Copyright 2011, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.
Trademarks
3DNS, Access Policy Manager, Acopia, Acopia Networks, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, Cloud Extender, CloudFucious, CMP, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, EM, Enterprise Manager, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iApps, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, IT agility. Your way., L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Module, MSM, Netcelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, Real Traffic Policy Builder, ScaleN, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, TrafficShield, Transparent Data Reduction, VIPRION, vCMP, WA, WAN Optimization Manager, WANJet, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent. All other product and company names herein may be trademarks of their respective owners.
Patents
This product may be protected by U.S. Patents 6,374,300; 6,473,802; 6,970,733; 7,047,301; 7,707,289. This list is believed to be current as of October 25, 2011.
RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.
FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.
Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.
Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.
Acknowledgments
This product includes software developed by Gabriel Fort. This product includes software developed by Bill Paul. This product includes software developed by Jonathan Stone. This product includes software developed by Manuel Bouyer. This product includes software developed by Paul Richards. This product includes software developed by the NetBSD Foundation, Inc. and its contributors. This product includes software developed by the Politecnico di Torino, and its contributors. This product includes software developed by the Swedish Institute of Computer Science and its contributors. This product includes software developed by the University of California, Berkeley and its contributors. This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory. This product includes software developed by Christopher G. Demetriou for the NetBSD Project. This product includes software developed by Adam Glass. This product includes software developed by Christian E. Hopps. This product includes software developed by Dean Huxley. This product includes software developed by John Kohl. This product includes software developed by Paul Kranenburg. This product includes software developed by Terrence R. Lambert. This product includes software developed by Philip A. Nelson. This product includes software developed by Herb Peyerl. This product includes software developed by Jochen Pohl for the NetBSD Project. This product includes software developed by Chris Provenzano. This product includes software developed by Theo de Raadt. This product includes software developed by David Muir Sharnoff. This product includes software developed by SigmaSoft, Th. Lockert. This product includes software developed for the NetBSD Project by Jason R. Thorpe. This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com. This product includes software developed for the NetBSD Project by Frank Van der Linden. 
This product includes software developed for the NetBSD Project by John M. Vinopal. This product includes software developed by Christos Zoulas. This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman. In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with "386BSD" and similar operating systems. "Similar operating systems" includes mainly non-profit oriented systems for research and education, including but not restricted to "NetBSD," "FreeBSD," "Mach" (by CMU). This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/). This product includes software licensed from Richard H. Porter under the GNU Library General Public License ( 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.
This product includes the standard version of Perl software licensed under the Perl Artistic License ( 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at http://www.perl.com. This product includes software developed by Jared Minch. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product contains software based on oprofile, which is protected under the GNU Public License. This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html) and licensed under the GNU General Public License. This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL). This product includes software developed by the Apache Software Foundation <http://www.apache.org/>. This product includes Hypersonic SQL. This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others. This product includes software developed by the Internet Software Consortium. This product includes software developed by Nominum, Inc. (http://www.nominum.com). This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License. This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation. This product includes the GeoPoint Database developed by Quova, Inc. and its contributors. This product includes software developed by Balazs Scheidler <bazsi@balabit.hu>, which is protected under the GNU Public License. This product includes software developed by NLnet Labs and its contributors. 
This product includes software written by Steffen Beyer and licensed under the Perl Artistic License and the GPL. This product includes software written by Makamaka Hannyaharamitu 2007-2008.
Table of Contents

1 Introducing Implementations for the Global Traffic Manager
  Introducing the Global Traffic Manager  1-1
  Introducing implementations  1-2

2 Delegating DNS Traffic to Wide IPs
  Working with the Global Traffic Manager and DNS traffic  2-1
  Delegating DNS traffic to wide IPs  2-2
    Modifying the existing DNS server  2-2
    Configuring a listener  2-3

3 Replacing a DNS Server with the Global Traffic Manager
  Working with the Global Traffic Manager and DNS traffic  3-1
  Replacing a DNS server with the Global Traffic Manager  3-2
    Configuring the DNS server for zone transfers  3-3
    Creating a hint zone  3-3
    Acquiring zone files  3-4
    Designating the Global Traffic Manager as the primary DNS server  3-5
    Configuring a listener  3-5

4 Securing Your DNS Infrastructure
  Introducing DNSSEC compliance  4-1
  Configuring DNSSEC compliance  4-3
    Adding a Global Traffic Manager system to a network that contains other BIG-IP systems  4-4
    Adding an additional Global Traffic Manager system to a network  4-8
    Configuring DNSSEC keys and zones  4-10

5 Load Balancing Non-Wide IP Traffic to a Pool of DNS Servers
  About using the Global Traffic Manager as a load balancer in front of a pool of DNS servers  5-1
  Creating a pool of DNS servers  5-2
  Creating a listener  5-3

6 Sending Traffic Through the Global Traffic Manager
  Working with the Global Traffic Manager as a router or forwarder  6-1
  Forwarding traffic through the Global Traffic Manager  6-2
    Placing the Global Traffic Manager to forward traffic  6-2
    Configuring a VLAN group  6-3
    Forwarding traffic to a DNS server  6-3
  Routing traffic through the Global Traffic Manager  6-4
    Placing the Global Traffic Manager to route traffic  6-5
    Routing traffic to a DNS server  6-5

7 Ensuring Correct Synchronization When Adding a New Global Traffic Manager
  Understanding synchronization in the Global Traffic Manager  7-1
  Adding a new Global Traffic Manager to a synchronization group safely  7-2
    Adding the Global Traffic Manager  7-3
    Enabling synchronization  7-4
    Running the gtm_add script  7-4
    Running the bigip_add script  7-5

8 Integrating the Global Traffic Manager with BIG-IP Systems
  Understanding the interactions between BIG-IP systems  8-1
  Integrating the Global Traffic Manager with other BIG-IP systems  8-3
    Defining a data center  8-4
    Defining the Global Traffic Manager  8-4
    Adding BIG-IP systems  8-5
    Running the big3d_install script  8-6

9 Setting Up a Global Traffic Manager Redundant System Configuration
  Understanding Global Traffic Manager redundant system configurations  9-1
  Setting up a Global Traffic Manager redundant system configuration  9-2
    Configuring the redundant system settings  9-2
    Creating VLANs  9-3
    Assigning self IP addresses  9-3
    Creating a floating IP address  9-4
    Configuring the high availability options  9-5
    Defining an NTP server  9-5
    Defining the default gateway route  9-6
    Defining a listener  9-6
    Running a config sync operation  9-7
    Defining a data center  9-7
    Defining the Global Traffic Manager systems  9-8
    Enabling synchronization  9-9
    Running the gtm_add script  9-9

10 Authenticating with SSL Certificates Signed by a Third Party
  Understanding SSL authentication  10-1
  Understanding BIG-IP system certificate authentication  10-2
  Configuring a level one SSL authentication for a Global Traffic Manager  10-3
    Importing the root certificate for the gtmd agent  10-3
    Setting the certificate depth for the gtmd agent  10-4
    Importing the root certificate for the big3d agent on the Global Traffic Manager  10-5
    Setting the Big3d.CertificateDepth variable for the Global Traffic Manager  10-5
    Importing the device certificate signed by the CA server onto the Global Traffic Manager  10-5
    Verifying the certificate exchange  10-6
  Configuring a certificate chain for a Global Traffic Manager system  10-7
    Importing a certificate chain for the gtmd agent  10-8
    Setting the certificate depth for the gtmd agent  10-9
    Setting the Big3d.CertificateDepth variable  10-9
    Importing the certificate chain for the big3d agent  10-9
    Importing a device certificate  10-10
    Verifying the certificate chain exchange  10-11
  Configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager  10-12
    Setting certificate depth for the big3d agent on the Local Traffic Manager  10-13
    Replacing the self-signed certificate for the big3d agent on the Local Traffic Manager  10-13
    Importing a device certificate onto the Local Traffic Manager  10-15

11 Monitoring Third-Party Servers with SNMP
  Overview of SNMP  11-1
  Assigning the SNMP monitor to a third-party server  11-1
    Adding the server  11-1
    Adding a virtual server  11-2
    Creating an SNMP monitor  11-3
    Assigning the monitor  11-3

12 Using tmsh to Set Up Implementations
  Using tmsh for different implementations  12-1
  Setting up a stand-alone system  12-2
    Provisioning the system  12-3
    Configuring the global settings  12-4
    Creating a data center  12-4
    Defining a server  12-5
    Creating virtual servers to host the site content  12-6
    Creating a pool  12-7
    Creating a wide IP  12-8
    Creating a listener  12-9
  Adding a system to a network that contains Local Traffic Manager systems  12-10
    Provisioning the system  12-11
    Creating a data center  12-12
    Defining a server for the system  12-13
    Defining servers for the Local Traffic Manager systems  12-14
    Running the bigip_add or big3d_install utility  12-15
    Creating a listener  12-16
  Adding a system to a network that contains other Global Traffic Manager systems  12-17
    Provisioning the new system  12-18
    Creating a data center on an existing system  12-19
    Defining a server for the new system on an existing system  12-20
    Adding a synchronization group to an existing system  12-21
    Running the gtm_add utility  12-21
    Creating a listener  12-22

Glossary
Index
Chapter 1
Introducing Implementations for the Global Traffic Manager

Introducing implementations
This guide is designed to help you accomplish specific configuration tasks associated with the Global Traffic Manager. Each chapter focuses on a specific implementation, providing an overview of the situation and a detailed example of how to configure the system to accomplish the objectives outlined in the implementation. The tasks outlined in each chapter are designed so that you can quickly apply them to your own network.
Getting started
The Global Traffic Manager runs on the Traffic Management Operating System, commonly referred to as TMOS. Before you begin configuring an implementation, F5 Networks recommends that you familiarize yourself with these additional resources:
BIG-IP Systems: Getting Started Guide
This guide provides detailed information about licensing and provisioning the BIG-IP system, as well as installing upgrades. The guide also provides a brief introduction to the features of the BIG-IP system and the tools for configuring the system.
TMOS Management Guide for BIG-IP Systems
This guide contains the information you need to configure and maintain the network and system-related components of the BIG-IP system, such as routes, VLANs, and user accounts.
Configuration Guide for BIG-IP Global Traffic Manager
This guide contains the information you need for configuring specific features of the BIG-IP system to manage global network traffic.
Traffic Management Shell (tmsh) Reference Guide
This guide contains information about using the Traffic Management Shell (tmsh) commands to manage BIG-IP systems.
F5 Networks recommends that you then run the Setup utility to configure basic network elements such as self IP addresses, interfaces, and VLANs. After running the Setup utility, you can use this guide to configure specific implementations. For information on running the Setup utility, see the BIG-IP Systems: Getting Started Guide.
Chapter 2
Delegating DNS Traffic to Wide IPs

Working with the Global Traffic Manager and DNS traffic
Delegating DNS traffic to wide IPs
Figure 2.1 Example of the flow of traffic for a Global Traffic Manager with an existing DNS server
To control how the Global Traffic Manager responds to DNS requests, you must configure a listener. A listener is a specialized resource to which you assign a specific IP address and that uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the Global Traffic Manager, allowing it to handle the traffic locally or forward the traffic to the appropriate resource. In this implementation, you create a listener that corresponds to the self IP address of the Global Traffic Manager.
Note
This implementation also contains recommendations for modifying the files on your existing DNS server. However, detailing how to implement these modifications is beyond the scope of this implementation. If you are unfamiliar with how to modify the files on your DNS server, F5 Networks recommends that you review the 5th edition of DNS and BIND, available from O'Reilly.
Again, if you are unfamiliar with how to create these zones, F5 Networks recommends that you review the 5th edition of DNS and BIND, available from O'Reilly.
Configuring a listener
Now you set up a listener on the Global Traffic Manager. A listener is a specialized resource to which you assign a specific IP address and that uses port 53, the DNS query port. The Global Traffic Manager employs this listener to identify the DNS traffic for which it is responsible. For this example, the listener you create is the same as the self IP address of the Global Traffic Manager: 192.168.5.17.
You now have an implementation of the Global Traffic Manager in which the existing DNS server manages DNS traffic unless the query is for store.siterequest.com or checkout.siterequest.com. When the DNS server receives these queries, it delegates them to the Global Traffic Manager, which then load balances them on the appropriate wide IPs.
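Before you cut queries over, it is worth confirming that the existing server's zone really hands store and checkout to the listener and nothing else. The following script is an added example, not part of the F5 manual or the BIG-IP software: it parses a constructed BIND zone fragment for siterequest.com (the nameserver names ns1 and gtm1, the hostmaster mailbox, the www record and all serial and timer values are assumptions) and checks that each wide IP name is delegated by NS records whose glue A record is the listener address 192.168.5.17 from the text. A second, deliberately broken fragment shows what the check reports when a delegation is missing or the glue points elsewhere.

```python
"""Delegation check for the chapter 2 layout: the existing BIND server stays
authoritative for siterequest.com and hands store and checkout to the
Global Traffic Manager listener.

Added example, not from the F5 manual. The zone text, the names ns1/gtm1
and the hostmaster mailbox are constructed assumptions."""
import ipaddress

# Constructed BIND master-file fragment (assumption, not the manual's file).
GOOD_ZONE = """\
$ORIGIN siterequest.com.
$TTL 3600
@          IN SOA  ns1.siterequest.com. hostmaster.siterequest.com. (
                    2011102501 7200 900 1209600 300 )
@          IN NS   ns1.siterequest.com.
ns1        IN A    192.168.5.73
www        IN A    192.168.5.80
; delegate the wide IPs to the Global Traffic Manager listener
store      IN NS   gtm1.siterequest.com.
checkout   IN NS   gtm1.siterequest.com.
gtm1       IN A    192.168.5.17
"""

# Same zone with two mistakes: checkout is not delegated at all, and the
# glue for gtm1 points at an address that is not the listener.
BAD_ZONE = """\
$ORIGIN siterequest.com.
@          IN SOA  ns1.siterequest.com. hostmaster.siterequest.com. (
                    2011102501 7200 900 1209600 300 )
@          IN NS   ns1.siterequest.com.
ns1        IN A    192.168.5.73
store      IN NS   gtm1.siterequest.com.
gtm1       IN A    192.168.5.18
"""

GTM_LISTENER = "192.168.5.17"       # listener / self IP used in the text
WIDE_IPS = ("store.siterequest.com.", "checkout.siterequest.com.")


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, type, rdata-list) triples from BIND master syntax.
    Handles $ORIGIN, $TTL, '@', relative names, ';' comments, an omitted
    owner (leading whitespace) and the parenthesised multi-line SOA."""
    origin, last_owner, depth, records = ".", None, 0, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line:
            continue
        if depth:                              # still inside ( ... )
            depth -= line.count(")")
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        depth += line.count("(") - line.count(")")
        fields = line.split()
        owner = last_owner if raw[0].isspace() else _fqdn(fields.pop(0), origin)
        last_owner = owner
        while fields[0].isdigit() or fields[0] in ("IN", "CH", "HS"):
            fields.pop(0)                      # optional TTL / class
        rtype, rdata = fields[0], fields[1:]
        if rtype in ("NS", "CNAME"):
            rdata = [_fqdn(rdata[0], origin)]
        records.append((owner.lower(), rtype, rdata))
    return records


def check_delegation(records, wide_ips, listener_ip):
    """Return the problems found; an empty list means every wide IP name is
    delegated (NS records only) to a server whose glue A is the listener."""
    index = {}
    for owner, rtype, rdata in records:
        index.setdefault((owner, rtype), []).append(rdata)
    listener = ipaddress.ip_address(listener_ip)
    problems = []
    for name in wide_ips:
        key = name.lower()
        ns_targets = [r[0].lower() for r in index.get((key, "NS"), [])]
        if not ns_targets:
            problems.append(f"{name}: no NS record; this server would answer it itself")
            continue
        if (key, "A") in index or (key, "CNAME") in index:
            problems.append(f"{name}: A/CNAME data at the delegation point; keep only the NS records")
        for ns in ns_targets:
            glue = [ipaddress.ip_address(r[0]) for r in index.get((ns, "A"), [])]
            if not glue:
                problems.append(f"{name}: NS {ns} has no glue A record in this zone")
            elif listener not in glue:
                problems.append(f"{name}: NS {ns} glue {[str(g) for g in glue]} is not the listener {listener_ip}")
    return problems


if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        found = check_delegation(parse_zone(zone), WIDE_IPS, GTM_LISTENER)
        print(label, "->", found or "delegation OK")
```

The check insists on in-zone glue because the delegated names live under the zone being delegated from; without an A record for the nameserver, a resolver that follows the NS referral has nowhere to send the query.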
Chapter 3
Replacing a DNS Server with the Global Traffic Manager

Working with the Global Traffic Manager and DNS traffic
Replacing a DNS server with the Global Traffic Manager
Figure 3.1 Example of the flow of traffic when the Global Traffic Manager replaces an existing DNS server
To control how the Global Traffic Manager responds to DNS requests, you must configure a listener. A listener is a specialized resource to which you assign a specific IP address and that uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the Global Traffic Manager, allowing it to handle the traffic locally or forward the traffic to the appropriate resource.
In this implementation, you create a listener that corresponds to the self IP address of the Global Traffic Manager. Since the Global Traffic Manager replaces an existing DNS server, this self IP address must correspond with the IP address that denotes the authoritative nameserver for the appropriate domain.
Note
The tasks in this implementation are based on the assumption that you understand BIND and CNAME records. If you are unfamiliar with these topics, F5 Networks recommends that you review the 5th edition of DNS and BIND, available from O'Reilly.
This task requires that you have added an allow-transfer statement to the existing DNS server that authorizes zone transfers to the Global Traffic Manager. Limit that statement to the Global Traffic Manager's address: an allow-transfer that permits any host lets anyone on the network pull a complete copy of the zone.
6. From the Zone Type list, select Master.
7. From the Records Creation Method list, select Transfer from Server.
8. In the Zone File Name box, type the zone file name. For this example, type db.external.siterequest.com.
9. In the Source Server box, type the IP address of the existing DNS server. For this example, type 192.168.5.73.
10. Click Finished.
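The allow-transfer statement can be audited offline with the following script, which applies BIND's address-match-list rules (entries are tried in order, the first match decides, a leading ! turns a match into a deny, and no match is a deny) to a zone statement from named.conf. This is an added example, not part of the F5 manual or of BIND itself. Both named.conf fragments are constructed; the acl name gtm-servers, the Global Traffic Manager self IP 192.168.5.17 and the outside probe address 203.0.113.5 are assumptions, and an absent allow-transfer is treated as the BIND 9 default of allowing any host.

```python
"""Audit the allow-transfer ACL of a BIND zone the way named applies it to an
AXFR request from a given source address.

Added example, not from the F5 manual or from BIND. Both named.conf
fragments are constructed; the acl name, the Global Traffic Manager self IP
192.168.5.17 and the probe address 203.0.113.5 are assumptions."""
import ipaddress
import re

# Weak: any host that can reach port 53 can pull the whole zone.
WEAK_CONF = """\
zone "siterequest.com" {
    type master;
    file "db.external.siterequest.com";
    allow-transfer { any; };
};
"""

# Restricted: only the Global Traffic Manager self IP (assumed) may transfer.
RESTRICTED_CONF = """\
acl gtm-servers { 192.168.5.17; };   // Global Traffic Manager self IP (assumed)
zone "siterequest.com" {
    type master;
    file "db.external.siterequest.com";
    allow-transfer { gtm-servers; };
};
"""

BUILTIN = {"any": ("0.0.0.0/0", "::/0"), "none": ()}


def _block(text, start):
    """Text between the brace at text[start] and its matching close."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces")


def _split_list(body):
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_named_conf(text):
    """Return ({acl name: entries}, {zone name: allow-transfer entries, or
    None when the option is absent}). Comments are stripped first."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", "", text)
    acls, zones = {}, {}
    for m in re.finditer(r'\b(acl|zone)\s+"?([\w.-]+)"?[^{;]*\{', text):
        body = _block(text, m.end() - 1)
        if m.group(1) == "acl":
            acls[m.group(2)] = _split_list(body)
        else:
            at = re.search(r"allow-transfer\s*\{", body)
            zones[m.group(2)] = _split_list(_block(body, at.end() - 1)) if at else None
    return acls, zones


def transfer_allowed(source_ip, entries, acls):
    """BIND address-match-list semantics. Returns (allowed, deciding entry)."""
    if entries is None:
        return True, "<no allow-transfer: BIND 9 default allows any host>"
    src = ipaddress.ip_address(source_ip)
    for entry in entries:
        negate = entry.startswith("!")
        item = entry.lstrip("!").strip()
        if item in acls:                       # nested acl: match / no-match only
            hit = transfer_allowed(source_ip, acls[item], acls)[0]
        elif item in BUILTIN:
            hit = any(src in ipaddress.ip_network(n) for n in BUILTIN[item])
        else:
            hit = src in ipaddress.ip_network(item, strict=False)
        if hit:
            return (not negate), entry
    return False, "<no match>"


def audit_zone(conf_text, zone, gtm_ip, probe_ip="203.0.113.5"):
    """(Global Traffic Manager may transfer, outsider may transfer)."""
    acls, zones = parse_named_conf(conf_text)
    entries = zones[zone]
    return (transfer_allowed(gtm_ip, entries, acls)[0],
            transfer_allowed(probe_ip, entries, acls)[0])


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("restricted", RESTRICTED_CONF)):
        print(label, audit_zone(conf, "siterequest.com", "192.168.5.17"))
    # Order matters: a negated entry only takes effect if it precedes the
    # range it is meant to carve out of.
    print(transfer_allowed("192.168.5.17", ["!192.168.5.17", "192.168.5.0/24"], {}))
    print(transfer_allowed("192.168.5.17", ["192.168.5.0/24", "!192.168.5.17"], {}))
```

Against the weak fragment both the Global Traffic Manager and the probe address are allowed to transfer db.external.siterequest.com; against the restricted fragment only the Global Traffic Manager is. The two calls at the end show the ordering pitfall: the same two entries allow or deny the address depending on which comes first.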
If you are unfamiliar with how to change a DNS server from a primary DNS server to a secondary DNS server, refer to the 5th edition of DNS and BIND, available from O'Reilly.
Configuring a listener
The final task requires you to set up a listener on the Global Traffic Manager. The Global Traffic Manager employs this listener to identify the DNS traffic for which it is responsible. In this implementation, the listener you create is the same as the self IP address of the Global Traffic Manager: 192.168.5.73.
You now have an implementation of the Global Traffic Manager that is also the authoritative nameserver for siterequest.com. This system handles any incoming DNS traffic, whether destined for a wide IP or another node of siterequest.com.
Chapter 4
Securing Your DNS Infrastructure
Figure 4.1 Example of the flow of traffic when the Global Traffic Manager is a DNSSEC authoritative nameserver
This implementation covers the tasks necessary to configure a BIG-IP system to be DNSSEC-compliant. This implementation begins after you run the Setup utility and configure the network and system settings for the BIG-IP system that you are adding to the network.
The Setup utility guides you through licensing the product, assigning an IP address to the management port of the system, and configuring the passwords for the root and administrator accounts. While using the Setup utility, you also configure some of the basic network and system settings for the system, such as setting a self IP address and assigning the system to a VLAN. The network and system settings form the basis of a BIG-IP system configuration. Because these settings have a variety of applications, they are discussed in the TMOS Management Guide for BIG-IP Systems. F5 Networks highly recommends that you review this guide to ensure that you configure the basic network and system settings in a way that best fits the needs of your network and your DNS traffic.
Important
Only users with Administrator or Resource Administrator roles assigned to their user accounts on the BIG-IP system can perform these tasks.
Note
All examples in this document use only private (RFC 1918) IP addresses. When you set up the configurations we describe, you must use valid IP addresses suitable to your own network in place of our sample addresses.
The first scenario describes the tasks that you perform if you want to add a new Global Traffic Manager system to a network that contains other BIG-IP systems. To begin the tasks to configure this scenario, see Adding a Global Traffic Manager system to a network that contains other BIG-IP systems, on page 4-4. The second scenario describes the tasks that you perform if you want to add a new Global Traffic Manager system to a network that already contains a Global Traffic Manager system. To begin the tasks to configure this scenario, see Adding an additional Global Traffic Manager system to a network, on page 4-8.
In these two cases, after you perform the tasks necessary to add the new system to your network, you configure the DNSSEC keys and zones that the system uses, so that its responses to DNS queries are signed and validate under DNSSEC (the DNS Security Extensions).
The third scenario describes the tasks that you perform if you are upgrading an existing Global Traffic Manager system, which is already set up and configured on the network, and you want to add DNSSEC signing of DNS responses. To begin the tasks to configure this scenario, see Configuring DNSSEC keys and zones, on page 4-10.
Chapter 4
Adding a Global Traffic Manager system to a network that contains other BIG-IP systems
If you are adding a Global Traffic Manager system to a network that contains other BIG-IP systems, perform the following tasks.
Defining a server
The next task that you perform to add a Global Traffic Manager system to a network that contains other BIG-IP systems is to define a server on the Global Traffic Manager system that you are adding to the network.
To define a server
1. Expand Global Traffic and click Servers.
2. Click Create.
3. In the Name box, type a unique name for the Global Traffic Manager system that you are currently configuring. For example, type DNSSEC server.
4. From the Product list, select your product type: If the unit you are configuring is a single device, select BIG-IP System (Single). If the unit you are configuring is a redundant system configuration, select BIG-IP System (Redundant).
5. For the Address List setting, in the Address box, type the self IP address that corresponds to an external VLAN on the system that you are currently configuring. Then click Add. For example, type 192.168.34.1.
6. From the Data Center list, select the name of the data center that you specified in Specifying a data center, on page 4-4. For example, select Secure Los Angeles.
7. Click Finished.
Activating synchronization
The next task that you perform to add a Global Traffic Manager system to a network that contains other BIG-IP systems is to activate synchronization on the Global Traffic Manager system. This turns on synchronization for the synchronization group you just created.
To activate synchronization
1. Expand System and then click Configuration.
2. From the Global Traffic menu, choose General.
3. Check the Synchronization box.
4. Click Update.
3. Press the Enter key. The utility exchanges the appropriate SSL certificates, authorizes communications between the systems, and automatically updates the big3d agents on all the devices. You can now go to the next task in this implementation, Creating listeners.
Creating listeners
The next task that you perform is to configure how the Global Traffic Manager system responds to DNS traffic. To do this, you create a listener. A listener is a specialized resource that is assigned a specific IP address and uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the system, allowing it to handle the traffic locally or forward the traffic to the appropriate resource. You configure a listener using the self IP address of the Global Traffic Manager system that you are configuring when you want the system to sign the responses that it handles. You can also configure the system to sign the responses from another DNS server on your network. To do this, you create a listener using the IP address of the DNS server.
To create a listener
1. Expand Global Traffic and click Listeners.
2. Click Create.
3. In the Destination box, type the IP address on which the Global Traffic Manager system listens for network traffic, based on what you want the system to do: If you are configuring the system to sign only wide IP responses, type the self IP address of the system that you are configuring. If you are configuring the system as the authoritative nameserver for another DNS server on your network, type the IP address of the DNS server. For example, type 192.168.34.17, the self IP address of the Global Traffic Manager system that you are configuring.
4. From the VLAN Traffic list, select the VLAN or VLANs on which this system listens for DNS requests. For example, select VLAN external.
5. Click Finished.
6. To configure the system as the authoritative nameserver for another DNS server, repeat steps 1 - 5, but enter the IP address of the DNS server in the Destination box.
You are now ready to configure the DNSSEC feature. For more information, refer to Configuring DNSSEC keys and zones, on page 4-10.
3. In the Name box, type the name of the Global Traffic Manager system that you are adding to the network. For example, type DNSSEC server.
4. From the Product list, select your product type: If the new system is a single device, select BIG-IP System (Single). If the new system is a redundant system configuration, select BIG-IP System (Redundant). For example, select BIG-IP System (Single).
5. For the Address List setting, in the Address box, type the self IP address that corresponds to an external VLAN on the new Global Traffic Manager system. Then click Add. For example, type 192.168.34.1.
6. From the Data Center list, select the name of the data center that you specified in Creating a data center, on page 4-8. For example, select Secure Los Angeles.
7. Click Finished.
2. Based on your network configuration, respond to the prompts that display.
Note: If your system has a FIPS hardware security module (HSM), the utility detects the card and prompts you for a series of responses.
The utility adds the new Global Traffic Manager system to the network.
Creating a listener
The last task to add an additional Global Traffic Manager system to a network is to configure a listener on the new system using the self IP address of the new system.
To create a listener
1. Expand Global Traffic and click Listeners.
2. Click Create.
3. In the Destination box, type the self IP address of the new Global Traffic Manager system. For example, type 192.168.34.17.
4. From the VLAN Traffic list, select the VLAN or VLANs on which this system listens for DNS requests. For example, select VLAN external.
5. Click Finished.
You are now ready to configure the DNSSEC feature on the new Global Traffic Manager system.
7. From the State list, make a selection based on whether you are creating the enabled or standby key. For example: If you are creating the enabled key, select Enabled. If you are creating the standby key, select Disabled.
8. In the TTL box, accept the default value of 86400 (the number of seconds in one day).
Note: The TTL specifies how long a client resolver can cache the key. This value must be less than the difference between the rollover period and the expiration period of the key; otherwise a resolver can still hold the old key in its cache after that key has expired, and will fail to validate responses that are signed only with the new key.
9. In the Rollover Period box, type 28987147 (the number of seconds in 11 months).
Important: The value of the rollover period must be greater than or equal to one third of the value of the expiration period, and less than the value of the expiration period. Additionally, the difference between the values of the rollover and expiration periods must be more than the value of the TTL.
10. In the Expiration Period box, type 31556952 (the number of seconds in one year).
Important: The value of the expiration period must be more than the value of the rollover period, and the difference between the two must be more than the value of the TTL. The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
Note: After a key-signing key rolls over, you must send the DS records for the zone to which the key is associated to the organization that manages the parent zone. The difference between the expiration and rollover periods is the window in which the old key is still valid and this update can complete. Therefore, F5 Networks recommends that you base the values that you specify for the rollover and expiration periods on the time required for that communication cycle to complete.
11. Click Finished.
12. To create a standby key for emergency rollover purposes, repeat steps 1 - 11, but name the key ksk2, and select Disabled from the State list.
BIG-IP Global Traffic Manager™: Implementations
9. In the Rollover Period box, type 1814400 (the number of seconds in 21 days).
Important: The value of the rollover period must be greater than or equal to one third of the value of the expiration period, and less than the value of the expiration period. Additionally, the difference between the values of the rollover and expiration periods must be more than the value of the TTL.
10. In the Expiration Period box, type 2592000 (the number of seconds in 30 days).
Tip: The National Institute of Standards and Technology (NIST) recommends that a zone-signing key expire every 30 days.
Note: The DS records in the parent zone are derived from the key-signing key, not from the zone-signing key, so a zone-signing key rollover does not require you to send new DS records to the organization that manages the parent zone. The rollover, expiration, and TTL values must still satisfy the constraints above, so that a resolver that cached the old key before the rollover can continue to validate responses until that cached copy expires.
11. Click Finished.
12. To create a standby key for emergency rollover purposes, repeat steps 1 - 11, but name the key zsk2, and select Disabled from the State list.
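The three timing rules repeated in the key-signing key and zone-signing key procedures above are easy to get wrong when you type seconds into a form. The following script is an added example, not part of this manual and not F5 software: it encodes those rules as a check, runs it against the KSK and ZSK values this chapter uses, and reports the overlap window (expiration minus rollover) during which the old and the successor key are both valid. The KeyTiming class, the function names, and the deliberately wrong timing are constructed for the example.

```python
"""Added example, not F5 code: checks the DNSSEC key timing rules stated in
this chapter against the KSK and ZSK values it uses. Class and function
names, and the deliberately wrong timing, are constructed for the example."""
from dataclasses import dataclass

DAY = 86400  # seconds


@dataclass(frozen=True)
class KeyTiming:
    name: str
    ttl: int          # seconds a resolver may cache the DNSKEY
    rollover: int     # seconds after creation at which the successor key is generated
    expiration: int   # seconds after creation at which this key stops being used


def timing_violations(key: KeyTiming) -> list:
    """Return the rules from this chapter that `key` breaks (empty means valid):
    1. rollover >= expiration / 3
    2. rollover <  expiration
    3. expiration - rollover > ttl (the old key outlives every cached copy)"""
    problems = []
    if 3 * key.rollover < key.expiration:
        problems.append("rollover period is less than one third of the expiration period")
    if key.rollover >= key.expiration:
        problems.append("rollover period is not less than the expiration period")
    if key.expiration - key.rollover <= key.ttl:
        problems.append("difference between expiration and rollover does not exceed the TTL")
    return problems


def overlap_days(key: KeyTiming) -> float:
    """Days during which the old key and its successor are both valid. For a
    KSK this is the time available to get the new DS record into the parent."""
    return (key.expiration - key.rollover) / DAY


# Values from the procedures above.
KSK = KeyTiming("ksk1", ttl=DAY, rollover=28987147, expiration=31556952)
ZSK = KeyTiming("zsk1", ttl=DAY, rollover=1814400, expiration=2592000)
# Constructed mistake: rollover one hour before expiration, shorter than the TTL.
BAD_ZSK = KeyTiming("zsk_bad", ttl=DAY, rollover=2592000 - 3600, expiration=2592000)


def report(key: KeyTiming) -> str:
    """One-line summary of a key's overlap window and validity."""
    problems = timing_violations(key)
    status = "ok" if not problems else "INVALID: " + "; ".join(problems)
    return f"{key.name}: overlap {overlap_days(key):.1f} days, {status}"


if __name__ == "__main__":
    for k in (KSK, ZSK, BAD_ZSK):
        print(report(k))
```

Run against the chapter's values, the KSK passes with an overlap of about 29.7 days and the ZSK passes with an overlap of 9 days; the constructed BAD_ZSK fails only the TTL rule, which is the failure a resolver would see as a validation error rather than as a configuration error.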
The Global Traffic Manager system is now configured to handle incoming DNS traffic and to respond to DNS queries with DNSSEC-compliant responses.
Chapter 5
Load Balancing Non-Wide IP Traffic to a Pool of DNS Servers
About using the Global Traffic Manager as a load balancer in front of a pool of DNS servers
Creating a pool of DNS servers
Creating a listener
About using the Global Traffic Manager as a load balancer in front of a pool of DNS servers
This implementation focuses on using a BIG-IP Global Traffic Manager system as a load balancer in front of a pool of DNS servers. The Global Traffic Manager checks incoming DNS queries. If the query is for a wide IP, the Global Traffic Manager load balances it to the appropriate resource. Otherwise, the Global Traffic Manager forwards the DNS query to one of the servers in a pool of DNS servers, and that server handles the query as needed.
To control how the Global Traffic Manager responds to DNS requests, you must configure a listener. A listener is a specialized resource that you assign to a specific IP address, which uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the Global Traffic Manager, allowing it to handle the traffic locally or forward the traffic to the appropriate resource.
Once again, for our example we use the fictional company SiteRequest. SiteRequest recently purchased a Global Traffic Manager to help load balance traffic across two of its web-based applications: store.siterequest.com and checkout.siterequest.com. These applications are subdomains of www.siterequest.com, which is managed by a pool of existing DNS servers. SiteRequest has already configured the Global Traffic Manager with two wide IPs, store.siterequest.com and checkout.siterequest.com, which correspond to these two web applications. For the purposes of this implementation, the IP address of the Global Traffic Manager is 192.168.5.10, while the IP addresses of the DNS servers are 10.10.1.1, 10.10.1.2, and 10.10.1.3.
For this implementation, perform the following tasks:
Create a pool of DNS servers
Create a listener
The system displays the new pool configuration, as shown in Figure 5.1.
root@gtm1(Active)(tmos)# list /ltm pool
ltm pool DNS_pool {
    members {
        10.10.1.1:domain { }
        10.10.1.2:domain { }
        10.10.1.3:domain { }
    }
}
Figure 5.1 Results of list command for sample Local Traffic Manager pool
Creating a listener
The next task in this implementation is to configure a listener that listens for DNS queries and load balances non-wide IP traffic destined for the DNS servers to a member of the pool you created in the previous task.
To create a listener
1. Log on to the command line interface of the Global Traffic Manager.
2. Type tmsh, to access the Traffic Management Shell.
3. Run this command sequence:
create /gtm listener DNS_listener address 192.168.5.10 ip-protocol udp pool DNS_pool translate-address enabled
save sys config
list /gtm listener
Figure 5.2 Results of list command for sample Global Traffic Manager listener
You now have an implementation of the Global Traffic Manager in which the Global Traffic Manager receives DNS queries. If the query is for a wide IP, the Global Traffic Manager load balances the request to the appropriate resource. Otherwise, the Global Traffic Manager load balances queries to the pool of DNS servers.
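To make the listener decision concrete, the following is an added example, not part of this manual and not F5 software. It models what the listener above does with a query: it reads the question name out of a raw DNS message, answers a name that matches one of SiteRequest's wide IPs from that wide IP's own resources, and otherwise hands the query to the DNS_pool members in round-robin order. It also models the rule noted in Chapter 6 that a listener bound to a self IP address of the system leaves non-wide-IP queries to the local BIND instead of forwarding them. The wide IP member addresses, the self IP address, the Listener and build_query names and the sample packets are all constructed for the example, and the real Global Traffic Manager load-balancing methods are far richer than round-robin.

```python
"""Added example, not F5 code: a minimal model of a Global Traffic Manager
listener deciding between a wide IP answer and forwarding to a DNS pool.
All addresses, names and packets below are constructed for the example."""
import itertools
import struct

# Wide IPs SiteRequest already configured (the member addresses are ours).
WIDE_IPS = {
    "store.siterequest.com": ["10.10.20.1", "10.10.20.2"],
    "checkout.siterequest.com": ["10.10.30.1"],
}
# DNS_pool from the tmsh output above.
DNS_POOL = ["10.10.1.1", "10.10.1.2", "10.10.1.3"]
# The listener address from this chapter; the self IP is an assumption.
LISTENER_ADDRESS = "192.168.5.10"
SELF_IPS = {"192.168.5.1"}


def parse_qname(packet: bytes) -> str:
    """Return the (lower-cased) question name of a DNS query in RFC 1035 wire
    format. Rejects responses, empty questions, truncated messages and
    compression pointers: a question name never needs a pointer, and following
    one without bounds checks is a classic DNS parser bug."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000:
        raise ValueError("message is a response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer or unsupported label type")
        label = packet[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii").lower())
        pos += length
    if len(packet) < pos + 4:  # QTYPE and QCLASS must follow the name
        raise ValueError("truncated question")
    return ".".join(labels)


class Listener:
    """Dispatch rule from this chapter: a query for a wide IP is load balanced
    to one of that wide IP's resources; anything else goes to the DNS pool.
    If the listener address is a self IP of the system, non-wide-IP queries
    are instead left to the local BIND (the rule noted in Chapter 6)."""

    def __init__(self, address, self_ips, wide_ips, pool):
        self.local_bind = address in self_ips
        self.wide_ips = {name.lower(): itertools.cycle(addrs)
                         for name, addrs in wide_ips.items()}
        self.pool = itertools.cycle(pool)

    def dispatch(self, packet: bytes) -> tuple:
        """Return (action, target) for one query packet."""
        name = parse_qname(packet)
        if name in self.wide_ips:
            return ("wide-ip", next(self.wide_ips[name]))
        if self.local_bind:
            return ("bind", "local")
        return ("forward", next(self.pool))


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a standard A query for `name` (sample input for the example)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    listener = Listener(LISTENER_ADDRESS, SELF_IPS, WIDE_IPS, DNS_POOL)
    for qname in ("store.siterequest.com", "www.siterequest.com",
                  "mail.siterequest.com", "www.siterequest.com"):
        print(qname, "->", listener.dispatch(build_query(qname)))
```

The parser rejects a compression pointer in the question name and a message with the QR bit set before any dispatch decision is made; a listener that forwards whatever arrives on port 53 to the pool should never forward a response or a malformed question.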
Chapter 6
Sending Traffic Through the Global Traffic Manager
Working with the Global Traffic Manager as a router or forwarder
Forwarding traffic through the Global Traffic Manager
Routing traffic through the Global Traffic Manager
Figure 6.1 Example of the traffic flow through a Global Traffic Manager routing traffic to a DNS server
To control how the Global Traffic Manager responds to DNS requests, you must configure a listener. A listener is a specialized resource that you assign to a specific IP address, which uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the Global Traffic Manager, allowing it to handle the traffic locally or forward the traffic to the appropriate resource.
Depending on how you configure the listeners, the Global Traffic Manager operates as either a router or a bridge:
If the listener points to a DNS server that exists on the same subnet, the Global Traffic Manager acts as a bridge.
If the listener points to a DNS server that exists on a different subnet, the Global Traffic Manager acts as a router.
For this implementation, you create two different listeners. First, you create a listener that allows the Global Traffic Manager to act as a bridge. Then you create a second listener that allows the Global Traffic Manager to act as a router for a different set of DNS traffic.
Note
To ensure that the Global Traffic Manager forwards or routes requests to the external DNS server instead of using BIND to process those requests, when you create a listener be sure to use an IP address other than the self IP address of the Global Traffic Manager.
Tip
If you prefer to implement the Global Traffic Manager as a redundant system configuration, see Chapter 9, Setting Up a Global Traffic Manager Redundant System Configuration.
3. In the Destination box, type the IP address on which the Global Traffic Manager listens for network traffic. For this example, type the IP address 192.168.5.23.
Tip: To ensure that requests are bridged to the external DNS server rather than processed by BIND on the Global Traffic Manager system, do not use a self IP address of the system as the destination.
4. From the VLAN Traffic list, select All VLANs.
5. Click Finished.
You now have an implementation of the Global Traffic Manager in which the Global Traffic Manager receives all DNS queries. If the query is for a wide IP, the Global Traffic Manager load balances the request to the appropriate resource. Otherwise, the Global Traffic Manager forwards the query to the DNS server for resolution.
To place the Global Traffic Manager on the network for routing traffic
1. Connect the Global Traffic Manager to your Internet connection.
2. Connect the DNS server to an Ethernet port on the Global Traffic Manager.
You now have an implementation of the Global Traffic Manager in which the Global Traffic Manager receives all DNS queries. If the query is for a wide IP, the Global Traffic Manager load balances the request to the appropriate resource. If the traffic has a destination IP address of 172.15.23.23, the Global Traffic Manager routes the query to the DNS server for resolution.
Chapter 7
Ensuring Correct Synchronization When Adding a New Global Traffic Manager
Understanding synchronization in the Global Traffic Manager
Adding a new Global Traffic Manager to a synchronization group safely
You can modify the settings of all Global Traffic Manager systems from any Global Traffic Manager. The changes you make on one Global Traffic Manager are sent to all other Global Traffic Manager systems within the same synchronization group. When you enable the Synchronization setting for each Global Traffic Manager in the group, the systems automatically synchronize their configuration files. Additionally, when you enable the Synchronize DNS Zone Files setting for each system in the group, the systems automatically synchronize their Domain Name System (DNS) zone files.
Important
Global Traffic Manager systems only exchange heartbeat messages if they have the same software version installed. When you upgrade one Global Traffic Manager system in a synchronization group, the configuration of the upgraded system does not automatically synchronize with the configuration of the systems that run an older version of the software.
One exception to this process occurs when you add a new Global Traffic Manager to the network. Synchronization distributes the configuration file with the newest timestamp, and there is a chance that the timestamp of the new system's unconfigured configuration file is newer than the files on the already-installed Global Traffic Manager systems. If you enable synchronization at this point, the unconfigured configuration file is distributed to the existing Global Traffic Manager systems, effectively removing your existing configurations.
You can avoid the accidental synchronization of an unconfigured configuration file to existing Global Traffic Manager systems by using the gtm_add script when you add a new Global Traffic Manager to your network. This script acquires the configuration file from an existing Global Traffic Manager and applies it to the new system. As a result, the new system acquires the current configuration for your network before it joins the synchronization group.
that reside in Los Angeles. Finally, you have two Local Traffic Manager systems, one at each data center. The Local Traffic Manager in New York has an IP address of 192.168.5.10; the one in Los Angeles has an IP address of 10.10.5.20.
The tasks you must complete to add a new Global Traffic Manager to a synchronization group are:
Add the Global Traffic Manager to the configuration
Enable synchronization
Run the gtm_add script
Run the bigip_add script
The newly added Global Traffic Manager displays a red status marker, because you have not yet run the bigip_add script. For more information about running this script, see Running the bigip_add script, on page 7-5.
Enabling synchronization
For the next task, you enable the Synchronization option, and assign an appropriate name for the synchronization group. For this implementation, use the synchronization group name North America.
To enable synchronization
1. On the Main tab of the navigation pane, expand System and then click Configuration.
2. From the Global Traffic menu, choose General.
3. Check the Synchronization check box.
4. Check the Synchronize DNS Zone Files check box.
5. In the Synchronization Group Name box, type the name of the group. In this example, type North America.
6. Click Update.
At this point, both Global Traffic Manager systems share the same configuration. In addition, they also belong to the same synchronization group, because the gtm_add script copied the settings from the existing Global Traffic Manager to the new Global Traffic Manager.
Chapter 8
Integrating the Global Traffic Manager with BIG-IP Systems
Understanding the interactions between BIG-IP systems
Integrating the Global Traffic Manager with other BIG-IP systems
You must also authorize the communication between the Global Traffic Manager systems and Local Traffic Manager systems. You authorize this communication through the use of SSL certificates. These certificates ensure that each BIG-IP system, whether Global Traffic Manager or Local Traffic Manager, trusts the communications sent from any other BIG-IP system. Consequently, the two tasks you must accomplish when integrating a Global Traffic Manager with BIG-IP systems are:
Enable communications between the different BIG-IP systems.
Install the latest version of the big3d agent.
Tip
For more information about the big3d agent, see Appendix A, Working with the big3d Agent, of the Configuration Guide for BIG-IP Global Traffic Manager. In this implementation, we use the Configuration utility; however, if you prefer to use tmsh, see Chapter 12, Using tmsh to Set Up Implementations.
The tasks associated with integrating the Global Traffic Manager are:
Define a data center.
Define the Global Traffic Manager.
Add the BIG-IP systems.
Run the big3d_install script.
4. From the Product list, select a server type. For this example, select BIG-IP System (Single).
5. For the Address List setting, complete the following tasks: In the Address box, type the IP address of the server. For this example, type 192.168.5.30. Click Add.
6. From the Data Center list, select New York Data Center.
7. For the Health Monitors setting, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
8. From the Virtual Server Discovery list, select Disabled.
9. Click Create.
A BIG-IP system is a specific F5 product; the term covers Local Traffic Manager systems, Global Traffic Manager systems, and Link Controller systems.
Important
The IP addresses that you use in the following procedure cannot be the IP addresses assigned to the management port.
In the Address box, type the IP address of the second BIG-IP system that completes the redundant system configuration. In this example, type 192.168.5.11. Click Add.
7. For the Health Monitors setting, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
8. From the Virtual Server Discovery list, select Enabled.
9. Click Create.
Repeat this procedure to add the BIG-IP systems located in the Los Angeles data center.
The big3d_install script installs the big3d agent and runs the bigip_add script. Run the big3d_install script only on a system that is configured with the most current BIG-IP system software on your network, because big3d is only backward compatible.
When the script has completed its operations, the following changes take effect on each BIG-IP system:
The appropriate SSL certificates are exchanged between each system, authorizing communications between each system.
The big3d agent on each system is upgraded to the same version as installed on the Global Traffic Manager.
You have now successfully configured the BIG-IP systems on this network, including the Global Traffic Manager, to communicate with each other. The Global Traffic Manager can now use the BIG-IP systems when load balancing DNS requests, as well as when acquiring statistical or status information for the virtual servers these systems manage.
Chapter 9
Setting Up a Global Traffic Manager Redundant System Configuration
Understanding Global Traffic Manager redundant system configurations
Setting up a Global Traffic Manager redundant system configuration
For this example, SiteRequest already has both Global Traffic Manager systems connected to the network; however, SiteRequest has not yet assigned IP addresses to the systems.
You can also complete the following procedure by running the Setup Utility. You can access this utility through the main page of the Configuration utility of the Global Traffic Manager.
Creating VLANs
The next task in this implementation requires you to set up a VLAN. This VLAN encompasses the IP addresses associated with the Global Traffic Manager systems and the other network components that help manage DNS traffic. You must apply the following procedures to both the active and standby systems.
To create a VLAN
1. On the Main tab of the navigation pane, expand Network and then click VLANs.
2. Click Create.
3. In the Name box, type dns_requests.
4. For the Interfaces setting, use the Move buttons to assign interface 1.1 to the Untagged list.
5. Click Finished.
You must apply the following procedure to both the active and standby systems.
In this example, for the gtm2.siterequest.com, use 192.168.15.16 for the Peer Management Address, and reverse the values of the Local Address and Remote Address settings.
Defining a listener
The Global Traffic Manager employs a listener to identify the DNS traffic for which it is responsible. In this implementation, you need to create a listener that corresponds to the floating IP address shared between the two Global Traffic Manager systems. For this task, you configure only the active system. The settings you create are transferred to the standby system during a synchronization that you initiate later in this process.
3. In the Destination box, type the IP address on which the system will listen for traffic. In this example, type 10.1.1.50.
4. From the VLAN Traffic list, select All VLANs.
5. Click Finished.
You now repeat this procedure on the second Global Traffic Manager, reversing the IP addresses in the Address List and Peer Address List options. In this example, you repeat this procedure for the gtm2.siterequest.com system.
Enabling synchronization
For the next task, you enable the synchronization options and assign an appropriate name for the synchronization group. For this implementation, the synchronization group name is North America. For this task, you configure only the active system. The settings you create are transferred to the standby system during a synchronization that you initiate later in this process.
To enable synchronization
1. On the Main tab of the navigation pane, expand System, and then click Configuration.
2. From the Global Traffic menu, choose General.
3. Check the Synchronization check box.
4. Check the Synchronize DNS Zone Files check box.
5. In the Synchronization Group Name box, type the name of the synchronization group. In this example, type North America.
6. Click Update.
You must run the gtm_add script from the currently unconfigured Global Traffic Manager.
The gtm_add process begins, acquiring configuration data from the active Global Traffic Manager; in this example, gtm1.siterequest.com. Once the process completes, you have successfully created a redundant system consisting of two Global Traffic Manager systems.
Chapter 10
Authenticating with SSL Certificates Signed by a Third Party
Understanding SSL authentication
Understanding BIG-IP system certificate authentication
Configuring a level one SSL authentication for a Global Traffic Manager
Configuring a certificate chain for a Global Traffic Manager system
Configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager
Import to each BIG-IP system the certificates that are necessary to authenticate communications with other BIG-IP systems. In addition, you must also modify the following two settings.
Set the Certificate Depth for the gtmd agent: This setting determines the number of CA servers (often referred to as the authentication chain) that the gtmd agent can traverse to validate the authenticity of another BIG-IP system. You can access this setting through the Configuration utility.
Set the Big3d.CertificateDepth variable: This variable determines the number of CA servers that the big3d agent can traverse to validate the authenticity of another BIG-IP system. You access this setting through the command line.
Important
The specified number of certificate levels (certificate depth) that the gtmd agent can traverse must match the specified number for the big3d agent. For example, if the Certificate Depth setting for the gtmd agent is set to 2, then the Big3d.CertificateDepth variable for the big3d agent must also be set to 2. For more information about SSL certificates, see the TMOS Management Guide for BIG-IP Systems.
If you have a Local Traffic Manager system that you want to be able to communicate with the Global Traffic Manager systems, you must also configure the Local Traffic Manager. For more information, see Configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager, on page 10-12.
For this task, perform the following procedure on only one Global Traffic Manager in a synchronization group. The system automatically synchronizes these settings with the other Global Traffic Manager systems in the group.
Important
In this procedure, you must import the root certificate from your CA server into the Configuration utility. Before you start this procedure, ensure that you have this certificate available.
Importing the root certificate for the big3d agent on the Global Traffic Manager
The next task to set up the Global Traffic Manager to use a third-party certificate signed by a CA server is to import the root certificate of the CA server for the big3d agent. For this task, perform the following procedure on all Global Traffic Manager systems.
To import the root certificate for the big3d agent on the Global Traffic Manager
1. On the Main tab of the navigation pane, expand System and then click Device Certificates.
2. On the menu bar, click Trusted Device Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. In the Certificate Source box, select the Upload File option and then use the Browse button to navigate to and select the root certificate file.
6. Click Import.
Importing the device certificate signed by the CA server onto the Global Traffic Manager
The final task is to import the device certificate signed by the CA server. For this task, perform the following procedure on all Global Traffic Manager systems.
If the certificate was installed correctly, these commands display a continuous stream of information on the console window.
When you are finished, you should have a certificate chain file that contains all certificates that you want to include in the certificate chain.
Important
Before you perform the following procedure, ensure that the file containing the certificate chain is accessible from the Global Traffic Manager system that you want to configure.
For this task, perform the following procedure on all Global Traffic Manager systems.
Important
Before you start this procedure, make sure that the file containing the certificate chain is accessible from all of the Global Traffic Managers that you want to configure.
If you installed the certificate chain correctly, these commands display a continuous stream of information in the console window.
Configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager
If you are configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager system, you must configure the Local Traffic Manager system so that it can communicate with the Global Traffic Manager system using SSL authentication. You must perform the following tasks for the big3d agent on each Local Traffic Manager system:
Set the certificate depth for the big3d agent.
Replace the self-signed certificate for the big3d agent on the Local Traffic Manager with a root certificate or a certificate chain.
Import a device certificate signed by the last CA server in the chain.
Before you import SSL certificates onto the Local Traffic Manager, make sure that:
Self-signed certificates are installed on all Local Traffic Manager systems on your network.
Your network includes its own CA server to generate certificates signed by a third party.
You want to replace the self-signed certificates on the Local Traffic Manager systems with certificates that the CA server has generated.
The remainder of this chapter describes how to configure SSL certificates on a Local Traffic Manager system for the purpose of communicating with Global Traffic Manager systems.
Setting certificate depth for the big3d agent on the Local Traffic Manager
For BIG-IP systems to communicate successfully, the specified number of certificate levels that the big3d agent on the Local Traffic Manager can traverse must match the number of certificate levels that the gtmd agent on the Global Traffic Manager can traverse. For example, if the Certificate Depth setting for gtmd is set to 2, then the Big3d.CertificateDepth variable for big3d must also be set to 2. For more information about setting the certificate depth for the gtmd agent, see Setting the certificate depth for the gtmd agent, on page 10-4. You must set the certificate depth on all Local Traffic Manager systems on the network.
After you configure the certificate depth for the big3d agent, you must import either a root certificate or a certificate chain, but not both.
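The following Python script is an added example, not code from the F5 manual. It assumes the third-party cryptography package is installed; it builds a constructed root CA, issuing CA and device certificate, writes the two CA certificates into one chain file (issuing CA first, root last, an ordering assumed here), walks the chain from the device certificate up to the root checking issuer names and signatures, reports the chain's depth, and then applies the rule from this section: the chain must fit within the gtmd Certificate Depth, and every Big3d.CertificateDepth must equal that setting. The certificate names, the system names ltm1 and ltm2 and the check_depth_settings function are assumptions of the example.

```python
import datetime as dt
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# One PEM certificate block; re.S lets "." span the base64 lines.
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def make_cert(common_name, issuer=None, is_ca=True):
    """Issue a constructed certificate; issuer is a (cert, key) pair or None for a root."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer_name = issuer[0].subject if issuer else subject
    signing_key = issuer[1] if issuer else key
    start = dt.datetime(2011, 10, 25)  # constructed validity window
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + dt.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )
    return cert, key


def build_chain_file(ca_certs):
    """Concatenate CA certificates into one PEM chain file (issuing CA first, root last)."""
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in ca_certs)


def parse_chain_file(pem_data):
    """Split a chain file back into certificate objects, in file order."""
    return [x509.load_pem_x509_certificate(m.group(0)) for m in PEM_CERT.finditer(pem_data)]


def verify_chain(device_cert, chain):
    """Walk device -> chain[0] -> ... -> root, checking names and signatures at each level.

    Returns the chain's depth: the number of CA certificates an agent must traverse to
    reach the trusted root. A lone root certificate is a chain of depth 1.
    """
    if not chain:
        raise ValueError("chain file contains no certificates")
    child = device_cert
    for ca in chain:
        if child.issuer != ca.subject:
            raise ValueError(f"{child.subject.rfc4514_string()} was not issued by "
                             f"{ca.subject.rfc4514_string()}")
        if not ca.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            raise ValueError(f"{ca.subject.rfc4514_string()} is not a CA certificate")
        # Raises InvalidSignature if the child was not signed with this CA's key.
        ca.public_key().verify(child.signature, child.tbs_certificate_bytes,
                               ec.ECDSA(child.signature_hash_algorithm))
        child = ca
    root = chain[-1]
    if root.issuer != root.subject:
        raise ValueError("last certificate in the chain is not a self-signed root")
    root.public_key().verify(root.signature, root.tbs_certificate_bytes,
                             ec.ECDSA(root.signature_hash_algorithm))
    return len(chain)


def check_depth_settings(chain_depth, gtmd_depth, big3d_depths):
    """Return findings for the depth rules: the chain must fit within the gtmd Certificate
    Depth, and every Big3d.CertificateDepth ({ltm_name: depth}) must equal that setting."""
    findings = []
    if chain_depth > gtmd_depth:
        findings.append(f"chain has {chain_depth} levels but gtmd Certificate Depth is {gtmd_depth}")
    for ltm, depth in sorted(big3d_depths.items()):
        if depth != gtmd_depth:
            findings.append(f"{ltm}: Big3d.CertificateDepth={depth} does not match gtmd depth {gtmd_depth}")
    return findings


def demo():
    """Root CA -> issuing CA -> device certificate; the chain file holds the two CA certificates."""
    root = make_cert("Example Root CA")
    issuing = make_cert("Example Issuing CA", issuer=root)
    device, _ = make_cert("ltm1.example", issuer=issuing, is_ca=False)
    depth = verify_chain(device, parse_chain_file(build_chain_file([issuing[0], root[0]])))
    # ltm2 was left at depth 1, so it cannot follow the two-level chain that gtmd expects.
    return depth, check_depth_settings(depth, 2, {"ltm1": 2, "ltm2": 1})


if __name__ == "__main__":
    print(demo())
```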
Replacing the self-signed certificate for the big3d agent on the Local Traffic Manager
You can replace the existing self-signed certificate for the big3d agent by importing either the root certificate of a CA server or a certificate chain.
To import the root certificate for the big3d agent on the Local Traffic Manager
1. On the Main tab of the navigation pane, expand System and then click Device Certificates.
2. On the menu bar, click Trusted Device Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate to and select the root certificate file.
6. Click Import.
If you choose to import a certificate chain, you need to first create a certificate chain file, and then import the entire certificate chain on to the Local Traffic Manager system.
Before you perform the following procedure, ensure that the file containing the certificate chain is accessible from all of the Local Traffic Manager systems that you want to configure.
To import the certificate chain for the big3d agent on the Local Traffic Manager
1. On the Main tab of the navigation pane, expand System, and then click Device Certificates.
2. On the menu bar, click Trusted Device Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate to and select the certificate chain file that you created in the previous procedure, To create a certificate chain file for the Local Traffic Manager.
6. Click Import.
11
Monitoring Third-Party Servers with SNMP
Overview of SNMP
SNMP, or Simple Network Management Protocol, is frequently used to acquire data from different network systems. At the core of SNMP is a MIB, or Management Information Base, which specifies the data available on a given system. In a BIG-IP system environment, you typically use SNMP for acquiring information about the health of a third-party server. To accomplish this, you assign an SNMP monitor to a server currently running SNMP. This monitor can then provide information on the availability of that server.
Chapter 11
You now have an SNMP monitor assigned to a third-party server within the Global Traffic Manager configuration. The system can now use this monitor to verify that the server is available for load balancing DNS requests.
12
Using tmsh to Set Up Implementations
Using tmsh for different implementations
Setting up a stand-alone system
Adding a system to a network that contains Local Traffic Manager systems
Adding a system to a network that contains other Global Traffic Manager systems
You must provision the Global Traffic Manager before you configure it; otherwise, you lose the system configuration when you provision the system.
Chapter 12
A stand-alone Global Traffic Manager includes a Local Traffic Manager that is provisioned at the nominal level by default.
You must configure at least one data center before you can add servers to the Global Traffic Manager configuration.
The system displays the data center configuration, as shown in Figure 12.2.
    root@big-ip1(Active)(tmos.gtm)# list datacenter north_america
    gtm datacenter north_america {
        contact none
        enabled
        location none
    }
    root@big-ip1(Active)(tmos.gtm)#
Defining a server
After you create a data center, the next task is to configure the Global Traffic Manager to respond to DNS requests with the IP address 192.168.5.17. To do this, create a server in the north_america data center that represents the system itself. Assign a bigip monitor to the server to track the status of the server.
Important
To define a server
1. Navigate to the tmsh gtm module.
2. Run this command sequence:
    create server gtm1 datacenter north_america monitor bigip addresses add { 192.168.5.17 }
    list server gtm1 all-properties
Figure 12.4 Results of list command for sample server with virtual servers
Creating a pool
Now that you have created virtual servers, create a pool that the Global Traffic Manager uses to load balance traffic to those virtual servers.
To create a pool
1. Navigate to the tmsh gtm module.
2. Run this command sequence:
    create pool my_pool members add { 10.1.6.100:http 10.1.6.101:80 }
    list pool my_pool all-properties
Creating a wide IP
After you create a pool, create a wide IP that maps www.siterequest.com to the virtual servers you previously created. To do this, add the pool with the virtual servers to the wide IP. You can also add aliases for the domain name to the wide IP. SiteRequest wants to create the wide IP www.siterequest.com and add to it the aliases www.store.siterequest.com and www.checkout.siterequest.com.
To create a wide IP
1. Navigate to the tmsh gtm module.
2. Run this command sequence:
    create wideip www.siterequest.com pools add { my_pool } aliases add { www.store.siterequest.com www.checkout.siterequest.com }
    list wideip www.siterequest.com all-properties
Creating a listener
To configure the Global Traffic Manager to communicate with the rest of your network, create a listener that monitors the network for DNS queries that are destined for its IP address 192.168.5.17.
Note
To create a listener
1. Navigate to the tmsh gtm module.
2. Run this command sequence:
    create listener gtm1_listener address 192.168.5.17
The IP address 192.168.5.17 does not match a self IP address on the system; therefore, the system saves the listener in the file bigip.conf. Note: The system saves listeners with IP addresses that match a self IP address on the system in the file bigip_local.conf.
list listener gtm1_listener all-properties
Figure 12.7 Results of list command for sample listener
The Global Traffic Manager is now configured to process DNS requests for and load balance traffic to www.siterequest.com.
The system displays the data center configuration, as shown in Figure 12.9.
    root@big-ip2(Active)(tmos.gtm)# list datacenter south_america
    gtm datacenter south_america {
        contact none
        enabled
        location none
    }
    root@big-ip2(Active)(tmos.gtm)#
The utility exchanges the appropriate SSL certificates, authorizes communications between the Global Traffic Manager and the BIG-IP systems specified in the command sequence, and automatically updates the big3d agents on all the devices.
Creating a listener
The last task is to configure the Global Traffic Manager to communicate with the rest of the network. To do this, create a listener that monitors the network for DNS queries that are destined for its IP address 192.168.5.18.
Note
When you create a listener, the system automatically saves the listener.
To create a listener
1. Navigate to the tmsh gtm module.
2. Run this command sequence:
    create listener gtm2_listener address 192.168.5.18
The system saves the listener in the file bigip_local.conf, because the listener has an IP address that matches a self IP address on the system. Note: The system saves, to the file bigip.conf, listeners with IP addresses that do not match self IP addresses on the system.
list listener gtm2_listener
Figure 12.12 Results of list command for sample listener
You have successfully added the Global Traffic Manager to a network that contains BIG-IP systems. The systems are synchronized and the Global Traffic Manager is configured to respond to DNS requests on 192.168.5.18.
Adding a system to a network that contains other Global Traffic Manager systems
In the third implementation, SiteRequest purchased another Global Traffic Manager to use in its Asian data center. SiteRequest wants to add the new system to a synchronization group that contains the original Global Traffic Manager. It wants to configure the new system to respond to DNS requests on the IP address 192.168.5.18. To add a Global Traffic Manager using tmsh, complete the following tasks.
Provision the new system.
On an existing Global Traffic Manager that you want to be in the same synchronization group as the new system:
- Create a data center
- Define a server for the new system
- Add a synchronization group
On the new system:
- Run the gtm_add utility
- Create a listener
Figure 12.13 Results of the list command for sample system provision
The system displays the data center configuration, as shown in Figure 12.14.
    root@big-ip4(Active)(tmos.gtm)# list datacenter asia
    gtm datacenter asia {
        contact none
        enabled
        location none
    }
    root@big-ip4(Active)(tmos.gtm)#
Run the gtm_add utility on only the new Global Traffic Manager. If you run this utility on an existing system, you replace that system's configuration with the configuration of the minimally configured new system.
3. Based on your network configuration, respond to the prompts that the utility displays. Note that if your system has a FIPS hardware security module (HSM), the utility detects the card and prompts you for a series of responses. The utility adds the new Global Traffic Manager to the network. The new system now has the same configuration as the other systems in the synchronization group.
Creating a listener
To configure the new Global Traffic Manager to communicate with the rest of your network, create a listener that monitors the network for DNS queries that are destined for its IP address 192.168.5.19.
Note
To create a listener
1. Navigate to the tmsh gtm module.
2. Run these commands:
    create listener gtm3_listener address 192.168.5.19
The system automatically saves the listener in the file bigip_local.conf, because the listener has an IP address that matches a self IP address on the system. Note: The system saves to the file bigip.conf listeners with IP addresses that do not match self IP addresses on the system.
    list listener gtm3_listener
Figure 12.16 Results of list command for sample listener
You have successfully added the Global Traffic Manager to a network that contains a Global Traffic Manager system. The systems are synchronized and the new Global Traffic Manager is configured to respond to DNS requests on 192.168.5.19.
Glossary
A record
The A record is the ADDRESS resource record that a Global Traffic Manager returns to a local DNS server in response to a name resolution request. The A record contains a variety of information, including one or more IP addresses that resolve to the requested domain name. See also DNS.

active unit
In a redundant system configuration, the active unit is the system that currently load balances connections. If the active unit fails, the standby unit assumes control and begins to load balance connections. See also redundant system.

authentication chain
Authentication chain is a term used to describe several web certificates that Global Traffic Manager must follow to verify the authenticity of another system. With an authentication chain, Global Traffic Manager requests additional web certificates until it identifies one that is verified by a trusted certificate authority server.

authoritative DNS
The authoritative DNS is a nameserver that is authoritative for the DNS zone. See also DNS, secondary DNS, and zone.

big3d agent
The big3d agent is a monitoring agent that collects metrics information about server performance and network paths between a data center and a specific local DNS server. The Global Traffic Manager uses the information collected by the big3d agent for dynamic load balancing.

BIND (Berkeley Internet Name Domain)
BIND is the most common implementation of the Domain Name System (DNS). BIND provides a system for matching domain names to IP addresses. For more information, refer to http://www.isc.org/products/BIND.

certificate
A certificate is an online credential signed by a trusted certificate authority and used for SSL network traffic as a method of authentication.

certificate chain
Certificate chains are multiple levels of certificates authenticated by additional CA servers, which verify the authenticity of other servers. This allows for a tiered verification system that ensures only authorized communications occur between servers.
certificate authority (CA)
A certificate authority is an external, trusted organization that issues a signed digital certificate to a requesting computer system for use as a credential to obtain authentication for SSL network traffic.

certificate depth
Certificate depth refers to the number of web certificates Global Traffic Manager can use to verify the authenticity of another BIG-IP system. Also referred to as authentication chain.

CNAME record
A canonical name (CNAME) record acts as an alias to another domain name. A canonical name and its alias can belong to different zones, so the CNAME record must always be entered as a fully qualified domain name. CNAME records are useful for setting up logical names for network services so that they can be easily relocated to different physical hosts. See also DNS and domain name.

Configuration utility
The Configuration utility is the browser-based application that you use to configure the BIG-IP system.

data center
A data center is a physical location that houses one or more Global Traffic Manager systems, BIG-IP systems, or host machines.

DNS
The Domain Name System protocol is an industry-standard protocol that maps hostnames to IP addresses.

DNSSEC
The Domain Name System Security Extensions (DNSSEC) is an industry-standard protocol that functions as an extension to the Domain Name System (DNS) protocol. See also DNS, key-signing key, TTL, and zone-signing key.

domain name
A domain name is a unique name that is associated with one or more IP addresses. Domain names are used in URLs to identify particular Web pages. For example, in the URL http://www.siterequest.com/index.html, the domain name is siterequest.com. See also DNS.
external VLAN
The external VLAN is a default VLAN on the BIG-IP system. In a basic configuration, this VLAN has the administration ports locked down. In a normal configuration, this is typically a VLAN on which external clients request connections to internal servers. See also VLAN.

fail-over
Fail-over is the process whereby a standby unit in a redundant system configuration takes over when a software failure or a hardware failure is detected on the active unit.

FIPS hardware security module
A FIPS hardware security module (HSM) is a hard drive that processes key signing tasks.

floating IP address
A floating self IP address is an additional self IP address for a VLAN that serves as a shared address by both units of a BIG-IP redundant system configuration.

health monitor
A health monitor checks a node to see if it is up and functioning for a given service. If the node fails the check, it is marked down. Different monitors exist for checking different services.

hint zone
A hint zone designates a subset of root nameservers in the root nameservers list. When the local nameserver starts (or restarts), it queries the list of root nameservers in the hint zone for the most current list of root nameservers.

interface
The physical port on a BIG-IP system is called an interface.

iQuery
The iQuery protocol is used to exchange information between Global Traffic Manager systems and BIG-IP systems. The iQuery protocol is officially registered with IANA for port 4353, and works on UDP and TCP connections.

iRule
An iRule is a user-written script that controls the behavior of a connection passing through the Link Controller. iRules are an F5 Networks feature and are frequently used to direct certain connections to a non-default load balancing pool. However, iRules can perform other tasks, such as implementing secure network address translation and enabling session persistence.
key-signing key
The system uses a key-signing key that you create and assign to a DNSSEC zone to sign the DNSKEY record for a zone. Creating a key-signing key is one step in configuring a BIG-IP system to be DNSSEC-compliant. See also DNSSEC, TTL, and zone-signing key.

listener
A listener is a specialized resource that is assigned a specific IP address and uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the Global Traffic Manager, allowing it to handle the traffic locally or forward the traffic to the appropriate resource.

load balancing pool
See pool.

local DNS
A local DNS is a server that makes name resolution requests on behalf of a client. With respect to the Global Traffic Manager, local DNS servers are the source of name resolution requests. Local DNS is also referred to as LDNS.

member
Member is a reference to a node when it is included in a particular load balancing pool. Pools typically include multiple member nodes.

named
The named daemon manages domain nameserver software.

nameserver
A nameserver is a server that maintains a DNS database, and resolves domain name requests to IP addresses using that database. A nameserver is considered authoritative for some given zone when it has a complete set of data for the zone, allowing it to answer queries about the zone on its own, without needing to consult another nameserver.

name resolution
Name resolution is the process by which a nameserver matches a domain name request to an IP address, and sends the information to the client requesting the resolution.

Network Time Protocol (NTP)
Network Time Protocol functions over the Internet to synchronize system clocks to Universal Coordinated Time. NTP provides a mechanism to set and maintain clock synchronization within milliseconds.
NS record
A nameserver (NS) record is used to define a set of authoritative nameservers for a DNS zone. See also DNS.

pool
A pool is composed of a group of network devices (called members). The Link Controller load balances requests to the nodes within a pool based on the load balancing method and persistence method you choose when you create the pool or edit its properties.

pool member
A pool member is a server that is a member of a load balancing pool.

port
A port can be represented by a number that is associated with a specific service supported by a host. Refer to the Services and Port Index for a list of port numbers and corresponding services.

redundant system configuration
Redundant system configuration refers to a pair of units that are configured for fail-over. In a redundant system, there are two units, one running as the active unit and one running as the standby unit. If the active unit fails, the standby unit takes over and manages connection requests.

resource record
A resource record is a record in a DNS database that stores data associated with domain names. A resource record typically includes a domain name, a TTL, a record type, and data specific to that record type. See also A record, CNAME record, DNS, and NS record.

root certificate
A root certificate is a special instance of a certificate chain that has only one level of certificate depth.

secondary DNS
The secondary DNS is a nameserver that retrieves DNS data from the nameserver that is authoritative for the DNS zone. See also DNS, authoritative DNS, and zone.

self IP address
Self IP addresses are the IP addresses owned by the BIG-IP system that you use to access the internal and external VLANs.

service
Service refers to services such as TCP, UDP, HTTP, and FTP.
Setup utility
The Setup utility walks you through the initial system configuration process. You can run the Setup utility from the Configuration utility start screen.

SNMP (Simple Network Management Protocol)
SNMP is the Internet standard protocol, defined in STD 15, RFC 1157, developed to manage nodes on an IP network.

SSL (Secure Sockets Layer)
SSL is a network communications protocol that uses public-key technology as a way to transmit data in a secure manner.

standby unit
A standby unit in a redundant system configuration is a unit that is always prepared to become the active unit if the active unit fails.

synchronization group
A synchronization group is a group of Global Traffic Manager systems that synchronize system configurations and zone files (if applicable). All synchronization group members receive broadcasts of metrics data from the big3d agents throughout the network. All synchronization group members also receive broadcasts of updated configuration settings from the Global Traffic Manager that has the latest configuration changes.

virtual server
Virtual servers are a specific combination of virtual address and virtual port, associated with a content site that is managed by a Link Controller or other type of host server.

TTL
The value of the TTL setting that you assign to a key-signing key or zone-signing key specifies how long a client resolver can cache the key. See also DNSSEC, key-signing key, and zone-signing key.

VLAN
VLAN stands for virtual local area network. A VLAN is a logical grouping of network devices. You can use a VLAN to logically group devices that are on different network segments.

wide IP
A wide IP is a collection of one or more fully-qualified domain names that maps to one or more pools of virtual servers that host the content of the domains, and that are managed either by BIG-IP systems, or by host servers. The Global Traffic Manager load balances name resolution requests across the virtual servers that are defined in the wide IP that is associated with the requested domain name.
zone
In DNS terms, a zone is a subset of DNS records for one or more domains. See also DNS, authoritative DNS, and secondary DNS.

zone file
In DNS terms, a zone file is a database set of domains with one or many domain names, designated mail servers, a list of other nameservers that can answer resolution requests, and a set of zone attributes, which are contained in an SOA record.

zone-signing key
The system uses a zone-signing key that you create and assign to a DNSSEC zone to sign all of the record sets in a zone. Creating a zone-signing key is one step in configuring a BIG-IP system to be DNSSEC-compliant. See also DNSSEC, key-signing key, and TTL.
Index

A
A record
    See Address record, creating.
Address record, creating 2-2
allow-transfer statement, adding to DNS server 3-4
authoritative nameserver 3-1, 3-2, 4-1

B
big3d agent
    described 8-1
    importing root certificates 10-5
big3d_install utility, running 4-7, 8-6, 12-15
Big3d.CertificateDepth variable
    setting 10-5, 10-9
    setting for Global Traffic Manager systems 10-2
bigip monitor 12-20
BIG-IP system
    adding to global traffic configuration 8-4
    integrating with global traffic configuration 8-1
bigip_add utility, running 4-6, 7-5, 12-15
bridge 6-2

C
cache poisoning 4-1
certificate chains 10-1
certificate depth
    defined 10-2
    setting 10-4, 10-9
certificates, SSL 8-2
CNAME record, creating 2-2
communication, authorizing 8-2
config sync, running 9-7
configuration files, synchronizing 7-2

D
data centers
    creating with tmsh 12-4, 12-12, 12-19
    defining for BIG-IP system integration 8-4
    defining for redundant systems 9-7
default gateway route 9-6
delegated zones
    and listeners 2-1
    and web-based applications 2-2
    and wide IPs 2-1
    creating 2-2
denial of service, preventing 4-1
DNS protocol 4-1
DNS queries
    forwarding 6-4
    load balancing to a pool 5-3
DNS query port 2-1, 2-3, 3-1, 5-1, 6-2
DNS server pools
    creating 5-2
    load balancing to 5-1
DNS servers
    adding allow-transfer statement 3-4
    and delegated zones 2-1
    and zone transfers 3-3
    creating pools 5-2
    forwarding to 6-3
    load balancing traffic to pools 5-3
    modifying for delegating traffic 2-2
    replacing 3-1
    using existing 2-1
DNS traffic
    delegating to wide IPs 2-2
    forwarding 6-3
    managing 2-1
    routing 6-5
DNSSEC (Domain Name System Security Extensions) 4-1
DNSSEC key signing keys 4-10
DNSSEC zone 4-14
DNSSEC zone signing keys 4-12

F
features of Global Traffic Manager 1-1
FIPS hardware security module (HSM), and gtm_add utility 4-9, 12-21
floating IP addresses 9-4
forwarder, using Global Traffic Manager as 6-1

G
global settings, configuring with tmsh 12-21
Global Traffic Manager
    adding to another system 7-3, 12-17
    adding to synchronization group 7-2
    and forwarder system placement 6-2
    and redundant systems 9-1
    as a forwarder 6-1
    as a router 6-1
    defining for BIG-IP system integration 8-4
    defining for redundant system 9-8
    for router system placement 6-5
    forwarding traffic 6-3
    provisioning with tmsh 12-3, 12-11, 12-18
    routing traffic 6-5
    with other systems 12-17
gtm_add script
    and redundant systems 9-9
    and synchronization 7-2
    running 7-4
gtm_add utility, running 4-9, 12-21
gtmd, and root certificates 10-3

H
high availability options 9-5

I
ID hacking, preventing 4-1
install utility
    running big3d_install 12-15
    running bigip_add 12-15
IP address, and listeners 2-3, 3-1
iQuery protocol 7-1

K
key signing keys 4-10
keys
    DNSSEC key signing keys 4-10
    DNSSEC zone signing keys 4-12

L
listeners
    and delegated zones 2-1
    and primary DNS servers 3-5
    and redundant systems 9-6
    configuring 2-3, 3-2
    creating 4-7, 5-3
    creating with tmsh 12-9, 12-16, 12-22
    defined 5-1, 6-2
load balancing
    and multiple systems 8-1
    and web-based applications 2-2
    for non-wide IP traffic 5-1
Local Traffic Manager
    defining servers for 12-14
    integrating with Global Traffic Manager 8-1, 12-10

M
manual key rollover, preparing for 4-14

N
name resolution 2-1
non-wide IP traffic 5-1
NS record, creating 2-2
NTP
    defining 4-5
    synchronizing systems 4-5
NTP server 9-5

P
pool of DNS servers
    creating 5-2
    creating with tmsh 12-7
    load balancing to 5-3
port 53
    See DNS query port.
protocol, iQuery 8-1
provisioning process 12-3, 12-11, 12-18
provisioning with tmsh 12-3, 12-11, 12-18

R
redundant systems
    and configuration settings 9-2
    and default gateway routes 9-6
    and floating IP addresses 9-4
    and Global Traffic Manager 9-1
    and high availability options 9-5
    and listeners 9-6
    and NTP servers 9-5
    defined 9-1
    running config sync 9-7
router 6-1, 6-2

S
scripts
    running big3d_install 8-6
    running bigip_add 7-5
    running gtm_add 7-4
secondary DNS server 3-5
self IP addresses, and VLANs 9-3
self-signed certificates 10-2
servers
    defining NTP 4-5
    defining with tmsh 12-5, 12-13
    defining with tmsh on existing system 12-20
Simple Network Management Protocol
    See SNMP.
slave server
    See secondary DNS server.
SNMP monitor 11-1
SNMP, defined 11-1
spoofing, preventing 4-1
SSL authentication 10-1
SSL certificates
    and authorizing communications 8-2
    and BIG-IP systems 10-2
    and levels 10-1
    assigning third-party certificates 10-3, 10-7
stand-alone system, configuring with tmsh 12-2
synchronization
    activating 4-6
    and NTP 4-5
    and redundant systems 9-9
    and time 4-5
    creating groups 4-5
    enabling 7-4
synchronization group, adding 12-21
synchronization groups 4-5
    adding Global Traffic Manager systems 7-2
    defined 7-1
systems, adding BIG-IP to data centers 8-5

T
third-party servers, and SNMP 11-1
timestamps, and configuration files 7-2
tmsh
    adding a new Global Traffic Manager with 12-17
    configuring a new Global Traffic Manager with 12-10
    configuring a stand-alone Global Traffic Manager with 12-2
    configuring Global Traffic Manager with 12-1
traffic
    and load balancing 2-1, 3-1
    and load balancing non-wide IP traffic 5-1
    and wide IPs 2-1, 3-1
    bridging 6-2
    for name resolution 2-1
    forwarding 6-2
    managing DNS data 2-1
    routing 6-5

U
utilities
    big3d_install, running 4-7, 12-15
    bigip_add, running 4-6, 12-15
    gtm_add, running 4-9

V
virtual servers
    and SNMP monitors 11-2
    creating with tmsh 12-6
VLANs
    assigning self IP addresses 9-3
    creating 9-3

W
web certificates, exchanging 8-6
web-based applications 2-2, 3-2
wide IP
    and delegated zones 2-1
    and delegating traffic 2-2
    creating with tmsh 12-8

Z
zone files, acquiring 3-4
zone for DNSSEC 4-14
zone signing keys 4-12

BIG-IP Global Traffic Manager: Implementations