NIOS 4.3
for Infoblox Core Network Services Appliances
Copyright Statements
© 2008, Infoblox Inc. All rights reserved.
The contents of this document may not be copied or duplicated in any form, in whole or in part, without the prior
written permission of Infoblox, Inc.
The information in this document is subject to change without notice. Infoblox, Inc. shall not be liable for any
damages resulting from technical errors or omissions which may be present in this document, or from use of this
document.
This document is an unpublished work protected by the United States copyright laws and is proprietary to Infoblox,
Inc. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use of this document by
anyone other than authorized employees, authorized users, or licensees of Infoblox, Inc. without the prior written
consent of Infoblox, Inc. is prohibited.
For Open Source Copyright information, see Appendix C, "Open Source Copyright and License Statements", on page
695.
Trademark Statements
Infoblox, the Infoblox logo, DNSone, NIOS, Keystone, IDeal IP, bloxSDB, bloxHA and bloxSYNC are trademarks or
registered trademarks of Infoblox Inc.
All other trademarked names used herein are the properties of their respective owners and are used for identification
purposes only.
Company Information
Infoblox is located at:
4750 Patrick Henry Drive
Santa Clara, CA 95054-1851, USA
Web: www.infoblox.com
support.infoblox.com
Phone: 408.625.4200
Toll Free: 888.463.6259
Outside North America: +1.408.716.4300
Fax: 408.625.4201
Product Information
Hardware Models: Infoblox-250, -500, -550, -1000, -1200, -1050, -1550, -1552, and -2000
Document Number: 400-0172-000 Rev. A
Document Updated: July 27, 2008
Warranty Information
Your purchase includes a 90-day software warranty and a one-year limited warranty on the Infoblox appliance, plus
an Infoblox Warranty Support Plan and Technical Support. For more information about the Infoblox warranty,
refer to the Infoblox Web site, or contact Infoblox Technical Support.
NIOS 4.3r1 Infoblox Administrator Guide (Rev. A) 3
Contents
Preface ..... 19
Document Overview ..... 20
Documentation Organization ..... 20
Documentation Conventions ..... 22
What's New ..... 24
Related Documentation ..... 24
Customer Care ..... 25
User Accounts ..... 25
Software Upgrades ..... 25
Technical Support ..... 25
Part 1 Appliance Administration
Chapter 1 Overview ..... 29
NIOS Appliance Software Packages and Upgrades ..... 30
Product Terminology ..... 30
Deployment Scenarios ..... 32
Scenario 1 Independent NIOS Appliances ..... 32
Scenario 2 Basic Grid with Independent NIOS Appliances ..... 33
Scenario 3 Infoblox Grid with a NIOS Virtual Appliance as a Grid Member ..... 34
Scenario 4 Multiple Grids ..... 35
Scenario 5 Primary and Secondary NIOS Appliances ..... 36
Chapter 2 Infoblox GUI ..... 37
Management System Requirements ..... 38
Accessing the Infoblox GUI ..... 38
Connecting to a NIOS Appliance with JWS (Java Web Start) ..... 39
About The Grid Manager ..... 43
Installing the Grid Manager ..... 43
Connecting to a NIOS Appliance Using the Grid Manager ..... 44
Setting Login Options ..... 45
SSL (Secure Sockets Layer) Protocol ..... 47
Managing Certificates ..... 48
Understanding the GUI Components ..... 50
Main Interface Components ..... 50
Customizing a Perspective Layout ..... 53
Creating a Login Banner on a NIOS Appliance ..... 54
Customizing Columns ..... 54
Using Global Search ..... 55
Printing from the GUI ..... 56
Multilingual Support ..... 58
UTF-8 Supported Fields ..... 58
UTF-8 Support Limitations ..... 58
International Characters Support for RADIUS Authentication ..... 59
Exporting Data ..... 60
Exporting Data from Panels ..... 60
Exporting Data to a CSV File ..... 62
Chapter 3 Managing Administrators ..... 65
About Admin Accounts ..... 67
About Admin Groups ..... 69
Creating a Superuser Admin Group ..... 69
About Limited-Access Admin Groups ..... 70
About Admin Roles ..... 71
Creating Limited-Access Admin Groups ..... 72
Deleting Admin Roles and Groups ..... 73
Viewing Admin Group Assignments ..... 73
About Administrative Permissions ..... 74
Applying Permissions and Managing Conflicts ..... 75
Defining Permissions ..... 77
Viewing and Managing Permissions ..... 80
Modifying Permissions ..... 81
Removing Permissions ..... 81
Administrative Permissions for Grid Members ..... 82
Managing DNS Resource Permissions ..... 83
Administrative Permissions for Views ..... 84
Administrative Permissions for Zones ..... 85
Administrative Permissions for Resource Records ..... 87
Administrative Permissions for Shared Record Groups ..... 88
Managing Administrative Permissions for DHCP Resources ..... 90
Administrative Permissions for Networks and Shared Networks ..... 91
Administrative Permissions for Fixed Addresses ..... 93
Administrative Permissions for DHCP Ranges ..... 94
Administrative Permissions for DHCP Templates ..... 95
Administrative Permissions for MAC Address Filters ..... 96
Administrative Permissions for Network Discovery ..... 96
Administrative Permissions for the DHCP Lease History ..... 97
Administrative Permissions for the RADIUS Service ..... 98
Administrative Permissions for File Distribution Services ..... 100
Authenticating Administrators ..... 101
Creating Local Admins ..... 101
Modifying and Removing an Admin Account ..... 102
About Remote Admins ..... 102
Authenticating Using RADIUS ..... 104
Remote RADIUS Authentication ..... 105
Configuring RADIUS Authentication on the NIOS Appliance ..... 105
Adding RADIUS Servers ..... 106
Testing the RADIUS Server ..... 107
Maintaining the RADIUS Admins Server List on the NIOS Appliance ..... 107
Disabling a RADIUS Server ..... 107
Configuring a RADIUS Server ..... 108
Configuring Admin Groups on the Remote RADIUS Server ..... 108
Configuring Remote Admin Accounts on the Remote RADIUS Server ..... 108
Authorization Groups Using RADIUS ..... 109
Accounting Activities Using RADIUS ..... 109
Authenticating Admin Accounts Using Active Directory ..... 110
Admin Authentication Using Active Directory ..... 111
Configuring Active Directory Authentication for Admins ..... 111
Defining the Admin Policy ..... 112
Specifying a List of Remote Admin Groups ..... 112
Configuring the Default Admin Group ..... 112
Configuring a List of Authentication Methods ..... 113
Changing Password Length Requirements ..... 113
Notifying Administrators ..... 113
Chapter 4 Managing Appliance Operations ..... 115
Managing Time Settings ..... 117
Changing Time and Date Settings ..... 117
Changing Time Zone Settings ..... 117
Monitoring Time Services ..... 118
Using NTP for Time Settings ..... 119
Authenticating NTP ..... 120
NIOS Appliance as NTP Client ..... 122
NIOS Appliance as NTP Server ..... 125
Configuring a NIOS Appliance as an NTP Server ..... 126
Managing Security Operations ..... 128
Enabling Support Access ..... 128
Enabling Remote Console Access ..... 128
Permanently Disabling Remote Console and Support Access ..... 129
Restricting HTTP Access ..... 129
Enabling HTTP Redirection ..... 130
Modifying GUI Session Timeout Settings ..... 130
Disabling the LCD Input Buttons ..... 130
Modifying Security for a Grid Member ..... 131
Ethernet Port Usage ..... 132
Modifying Ethernet Port Settings ..... 135
Using the MGMT Port ..... 136
Appliance Management ..... 137
Grid Communications ..... 139
DNS Services ..... 142
Setting Static Routes ..... 144
Enabling DNS Resolution ..... 147
Managing Licenses ..... 148
Viewing the Installed Licenses on a NIOS Appliance ..... 148
Obtaining a 60-Day Temporary License ..... 148
Obtaining and Adding a License ..... 149
Removing Licenses ..... 149
Shutting Down, Rebooting, and Resetting a NIOS Appliance ..... 151
Rebooting a NIOS Appliance ..... 151
Shutting Down a NIOS Appliance ..... 151
Resetting a NIOS Appliance ..... 151
Managing the Disk Subsystem on the Infoblox-2000 ..... 153
About RAID 10 ..... 153
Evaluating the Status of the Disk Subsystem ..... 154
Replacing a Failed Disk Drive ..... 154
Disk Array Guidelines ..... 155
Restarting Services ..... 156
Canceling a Scheduled Restart ..... 158
Chapter 5 Monitoring the Appliance ..... 159
Viewing Detailed Status ..... 160
Appliance Status ..... 160
Service Status ..... 160
DB Capacity Used ..... 161
Disk Usage ..... 161
FAN ..... 161
HA, LAN, or MGMT Port ..... 162
LCD ..... 162
Memory Usage ..... 162
Power Supply ..... 162
RAID ..... 163
RAID Battery ..... 163
Temperatures ..... 163
Replication ..... 163
Using a Syslog Server ..... 165
Specifying Syslog Servers ..... 165
Configuring Syslog for a Grid Member ..... 166
Setting DNS Logging Categories ..... 167
Viewing the Syslog ..... 168
Searching for Text ..... 168
Downloading the Syslog File ..... 169
Monitoring Tools ..... 170
Using the Audit Log ..... 170
Using the Replication Log ..... 172
Using the Traffic Capture Tool ..... 173
Using the Capacity Report ..... 174
Chapter 6 Monitoring with SNMP ..... 175
Understanding SNMP ..... 176
SNMP MIB Hierarchy ..... 177
MIB Objects ..... 178
Infoblox MIBs ..... 179
Loading the Infoblox MIBs ..... 179
RADIUS MIBs ..... 179
ibTrap MIB ..... 180
ibPlatformOne MIB ..... 202
ibDHCPOne MIB ..... 207
ibDNSOne MIB ..... 210
ibIPWC MIB ..... 212
Configuring SNMP ..... 217
Accepting SNMP Queries ..... 217
Setting System Information ..... 217
Adding SNMP Trap Receivers ..... 218
Configuring SNMP for a Grid Member ..... 218
Chapter 7 Changing Software and Merging Files ..... 219
Upgrading NIOS Software ..... 220
Downgrading Software ..... 220
Reverting to the Previously Running Software Version ..... 221
Backing Up and Restoring a Configuration File ..... 222
Back Up and Restore Overview ..... 222
Automatically Backing Up a Data File ..... 223
Downloading a Backup File ..... 224
Restoring a Configuration File ..... 225
Loading a Configuration File on a Different Appliance ..... 226
Downloading a Support Bundle ..... 227
Part 2 Appliance Deployment
Chapter 8 Deploying Independent Appliances ..... 231
Independent Deployment Overview ..... 232
Deploying a Single Independent Appliance ..... 233
Method 1 Using the LCD ..... 234
Method 2 Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Method 3 Using the Infoblox NIOS Startup Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Method 4 Using the GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Configuration Example: Deploying a NIOS Appliance for External DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Cable the Appliance to the Network and Turn On Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Specify Initial Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Specify Appliance Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Define a NAT Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Enable Zone Transfers on the Legacy Name Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Import Zone Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Designate the New Primary on the Secondary Name Server (at the ISP Site) . . . . . . . . . . . . . . . . . . . . . . . . . 244
Configure NAT and Policies on the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Deploying an Independent HA Pair. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Method 1 Using the Infoblox NIOS Startup Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Method 2 Using the GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Configuration Example: Configuring an HA Pair for Internal DNS and DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Cable Appliances to the Network and Turn On Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Specify Initial Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Specify Appliance Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Enable Zone Transfers on the Legacy Name Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Import Zone Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Define Networks, Reverse-Mapping Zones, DHCP Ranges, and Infoblox Hosts. . . . . . . . . . . . . . . . . . . . . . . . 257
Define Multiple Forwarders. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Enable Recursion on External DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Modify the Firewall and Router Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Enable DHCP and Switch Service to the NIOS Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Manage and Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Verifying the Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Single Independent Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Independent HA Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Forcing an HA Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Infoblox Tools for Migrating Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Upgrading Software on an Independent Appliance or HA Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Acquiring Software Upgrade Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Distributing Software Upgrade Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Running the Software Upgrade. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Chapter 9 Deploying a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Introduction to Grids. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Grid Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
NAT Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Automatic Software Version Coordination. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Grid Bandwidth Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Creating a Grid Master . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
VRRP Advertisements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Port Numbers for Grid Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Creating an HA Grid Master. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Creating a Single Grid Master. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Adding Grid Members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Adding a Single Member. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Adding an HA Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Configuration Example: Configuring a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Cable All Appliances to the Network and Turn On Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Create the Grid Master . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Define Members on the Grid Master . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Join Appliances to the Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Import DHCP Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Import DNS Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Using the Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
After Using the Wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Enabling IPv6 On a Grid Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
About IPv6 Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Configuring IPv6 on a Grid Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Configuration Example: Configuring IPv6 on a Grid Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Managing a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Changing Grid Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Setting the MTU for VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Removing a Grid Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Promoting a Master Candidate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Replacing a Failed Grid Master . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Using the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Disabling the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Enabling the Recycle Bin. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Viewing the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Restoring Items in the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Emptying the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Upgrading NIOS Software on a Grid. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Lite Upgrades. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Uploading NIOS Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
About Upgrade Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Distributing Software Upgrade Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Testing a Software Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Performing a Software Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Monitoring Distribution and Upgrade Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Part 3 Service Configuration
Chapter 10 Managing DNS Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Configuring DNS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
DNS Configuration Checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Restarting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Using Infoblox DNS Views. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Default View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Creating Views. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Specifying Match Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Adding Zones to a View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Adding Records to a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
Managing Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Configuration Example: Configuring a View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Understanding DNS for IPv6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
IPv6 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Configuring DNS for IPv6 Addressing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Delegating Zone Authority to Name Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Specifying a Primary Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Specifying a Secondary Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Configuring Authoritative Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Creating an Authoritative Forward-Mapping Zone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Creating an Authoritative Reverse-Mapping Zone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Adding an Authoritative Subzone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Creating a Root Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Importing Zone Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Allowing Zone Transfers to an Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Importing Data into Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
How Specific Zones and Records Are Imported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Restoring Zone Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Restoring Zone Data After a Zone Import Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Restoring Zone Data After a Zone Reimport Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Configuring Delegated, Forward, and Stub Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Configuring a Delegated Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Configuring a Forward Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Configuring Stub Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Using Name Server Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Creating Name Server Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Applying Name Server Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Managing Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Locking and Unlocking Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Modifying Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Removing Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Enabling and Disabling Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Using the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Viewing the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Restoring Items in the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Emptying the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Specifying Host Name Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Grid Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Member Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Zone Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Obtaining a List of Invalid Record Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Adding Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Adding Bulk Hosts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Specifying Bulk Host Name Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Before Defining Bulk Host Name Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Configuring Bulk Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Associating Shared Record Groups With Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Adding Resource Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Adding A Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Adding NS Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Adding AAAA Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Adding PTR Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Adding MX Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Adding SRV Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Adding TXT Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Adding CNAME Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Adding DNAME Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Specifying Time To Live Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Managing Hosts and Resource Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Modifying, Disabling, or Removing a Host or Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Viewing DNS Record Listings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Chapter 11 Shared Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Understanding Shared Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Shared Records Benefits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Shared Records Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Shared Records Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Using Shared Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Configuring Shared Record Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Viewing Records in Shared Record Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Associating Shared Record Groups With Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Viewing Zones Associated With Shared Record Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Removing Shared Record Group Zone Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Deleting and Recovering Shared Record Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Using the Shared Record Group API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Adding Shared Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Adding Shared A Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Adding Shared AAAA Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Adding Shared MX Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Adding Shared SRV Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Adding Shared TXT Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Chapter 12 Configuring DNS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Configuring DNS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Changing General DNS Properties for a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Enabling Zone Transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Specifying DNS Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Specifying Root Name Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Specifying Sort Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Using Forwarders with a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Using Forwarders with a Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Specifying Minimal Response Returns. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Disabling and Enabling DNS Service for a Grid Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Configuring Additional IP Addresses for a Grid Member. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Configuring DNS Zone Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Disabling Forwarding for a Zone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Specifying TTL Settings for a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Changing the SOA Name for a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Setting the Serial Number in the SOA Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Adding an E-mail Address to the SOA Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Allowing Zone Transfers for a Zone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Allowing Query Access for a Zone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Supporting Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Active Directory and Unauthenticated DDNS Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Active Directory and GSS-TSIG-Authenticated DDNS Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Importing the Keytab File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Viewing DNS Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Viewing DNS Cache Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Viewing a DNS Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Viewing DNS Zone Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Chapter 13 Configuring IP Routing Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Multiple IP Addresses on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
IP Addressing on an Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Configuring IP Addresses on the Loopback Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Advertising Loopback IP Addresses to the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Configuration Example: Configuring IP Addresses on the Loopback Interface . . . . . . . . . . . . . . . . . . . . . . . . 451
Anycast Addressing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Network Communication Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
OSPF. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Configure OSPF on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Configure an Anycast Address on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Configuration Example: Configuring Anycast Addressing on the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Chapter 14 Managing DHCP Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Configuring a DHCP Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Adding a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Splitting a Network into Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Expanding/Joining a Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Adding a Shared Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Modifying a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Removing a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Enabling and Disabling a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Configuring IP Addresses and DHCP Address Ranges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Creating and Managing Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
About Network Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Creating and Managing Network Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Creating and Managing DHCP Range Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Creating and Managing Fixed Address Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Configuration Example: Creating a Network Using a Template. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Using the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Viewing the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Restoring Items in the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Emptying the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Chapter 15 Configuring DHCP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Configuring DHCP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
DHCP Configuration Checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Configuring DHCP Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Enabling DHCP and Setting Member Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Specifying Ping Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Specifying DHCP Lease Times. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Specifying BOOTP Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Specifying Custom DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Defining Option 60 (Vendor-Class-Identifier) Match Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Defining Custom Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Configuring Advanced DHCP Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Configuring the DHCP Option Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Adding Vendor Option Spaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Configuring DNS Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Enabling DHCP Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Defining Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Configuring a MAC Address Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Configuring Option Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Example DHCP Configuration File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Configuring User Class Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Configuring a Relay Agent Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Managing DHCP Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Configuring DHCP Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
DHCP Failover Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Creating a Failover Association. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Monitoring the Failover Association. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Failover Association Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Viewing DHCP Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Viewing a DHCP Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Viewing DHCP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Chapter 16 Using Network Discovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
About Network Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Administrative Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Discovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Supported Discovery Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Configuring Network Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Updating the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Starting a Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Monitoring Discovery Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
Viewing Discovered Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Attributes of Discovered Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Types of Discovered Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Display of Discovered Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Filtering Discovered Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Searching Discovered Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Managing Discovered Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Managing Unmanaged Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Resolving Conflicting Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Configuring DNS and DHCP for a Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Clearing the Discovered Timestamp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
Chapter 17 Configuring DDNS Updates from DHCP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
Understanding DDNS Updates from DHCP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Configuring DHCP for DDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
Specifying a Domain Name for DHCP Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
Configuring DDNS on the DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Sending Updates to DNS Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
Client FQDN Option (Option 81) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Generating Host Names for DNS Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Updating DNS for Clients with Fixed Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Resending DNS Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Configuring DNS Update Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
Configuring DNS for DDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Enabling the DNS Server to Receive Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
Forwarding Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
Authenticating Updates with TSIG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
Chapter 18 Managing IP Data IPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Viewing and Modifying IP Address Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Classifying an IPAM Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
Configuring IPAM Device Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
Configuration Example: Configuring a Device Type. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
Adding, Modifying, and Removing Host Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Adding, Modifying, and Removing DNS Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Modifying DHCP Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Converting DHCP Leases, Fixed Addresses, and Reserved Addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
Monitoring Overall DHCP Address Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Setting Watermark Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
Viewing IPAM Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Downloading IPAM Status Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Viewing IPAM Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
Viewing DHCP and DNS Usage and Device Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Searching and Sorting IPAM Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
Viewing DHCP Lease Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
Viewing Historical DHCP Lease Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Logging Member and Selective Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
Searching DHCP Lease Event Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
Viewing Lease Event Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
Exporting and Importing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Chapter 19 NAC Foundation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
About the NAC Foundation Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
DHCP Authentication Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Configuring the NAC Foundation Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
Configuring DHCP Ranges for Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Quarantined DHCP Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Guest DHCP Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
Authorized DHCP Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
User Class Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
Binding DHCP Ranges to the Quarantined and Authorized Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
Uploading Files for Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Uploading Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Creating Subdirectories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
Managing the Image Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
Configuring the Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 590
About Client Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
Configuring the McAfee Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
Enabling Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
About Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
Managing the Local User Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
Configuring the Self Service Portal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
Importing Accounts from an Active Directory Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
Configuring Active Directory Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
Configuring LDAP/LDAPS Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
Configuring the Authentication Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Specifying an External Authentication Home RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
About Guest Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
Configuring Guest Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
Viewing Guest and Authenticated Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Configure a Loopback Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Configure a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
Create DHCP Address Ranges in the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Configure AD Servers for Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Bind DHCP Ranges to the Quarantined and Authorized Levels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Configure the Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
Configure Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Enable DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Verifying Your Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
Chapter 20 File Distribution Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
File Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
Enabling and Configuring TFTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
Enabling and Configuring HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
Enabling and Configuring FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
Managing Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Uploading Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Creating a Directory Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Modifying File Distribution Storage Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Viewing Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
Chapter 21 RADIUS Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
Understanding RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Infoblox RADIUS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
RADIUS Servers in a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Configuring RADIUS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
Managing User Accounts in the Local Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Adding Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Importing Users From a Microsoft Active Directory Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Viewing Imported Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Configuration Example: Importing Users from AD Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Troubleshooting AD Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
Configuring LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
Managing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Generating a Self-Signed EAP Certificate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Generating a Certificate Signing Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
Uploading Certificates to the Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
Downloading Certificates from the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
About RADIUS Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
Defining Policies for User Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
Using RADIUS Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Configuring RADIUS Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
Managing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Configuring RADIUS Policy Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Managing Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Assigning a Policy Group to a Grid Member. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
Network Access Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
Enabling RADIUS Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
Understanding RADIUS Proxy Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
RADIUS Home Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
Configuring a RADIUS Authentication Home Server Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
Configuring a RADIUS Accounting Home Server Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
Managing RADIUS Proxy Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
Proxying RADIUS Access-Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Viewing the RADIUS Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Proxying RADIUS Accounting-Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
Removing Home Servers and Shared Secret Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
Chapter 22 IPAM WinConnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
Configuring IPAM WinConnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Uploading a WinConnect Bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Viewing Bundle Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Managing the WinConnect Bundles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
Configuring the WinConnect Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
Backing Up and Restoring Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Monitoring WinConnect Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
Chapter 23 VitalQIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
About VitalQIP on a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
HA Pair Grid Members. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650
Deploying Grid Members as VitalQIP Remote Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Uploading and Enabling VitalQIP Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
Launching VitalQIP on the Grid. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
Configuring Grid Members on the VitalQIP Enterprise Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
Using LDRM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
DHCP API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
16 Infoblox Administrator Guide NIOS 4.3r1
Monitoring VitalQIP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
Troubleshooting Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
Part 4 API Interface
Chapter 24 Infoblox DMAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
Introduction to Infoblox DMAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666
Required Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
Installing Perl and Infoblox DMAPI Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
Infoblox DMAPI Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
Infoblox Scripting Pack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
Running a Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Testing the Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671
Backing Up the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672
Writing a Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
Perl Information Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
Infoblox-Specific Perl Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
Perl Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
Part 5 Reference Material
Appendix A Product Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
Power Safety Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688
AC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688
DC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688
Agency Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
FCC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
Canadian Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689
VCCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
RFC Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
DNS RFC Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
DHCP RFC Compliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692
Appendix B Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
Supported Expressions for Search Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
Appendix C Open Source Copyright and License Statements . . . . . . . . . . . . . . . . . . . . 695
GNU General Public License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
GNU Lesser General Public License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
Apache Software License version 1.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
perl Artistic License. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
ISC BIND Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
ISC DHCP Copyright. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
Julian Seward Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
Carnegie Mellon University Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
Thai Open Source Software Center Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Ian F. Darwin Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711
Lawrence Berkeley Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712
MIT Kerberos Copyright. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712
BSD License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713
David L. Mills Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
OpenLDAP License. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
OpenSSL License. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
VIM License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716
ZLIB License. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717
Wietse Venema Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718
ECLIPSE SOFTWARE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718
Appendix D Hardware Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
About the Hardware Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
Identifying the Front Panel Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 722
Using the LCD Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Using the Serial Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724
About Back Panel Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
Connecting the Ethernet Cables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
Independent Appliance Cabling Using the LAN or Serial Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
HA Pair Appliance Cabling Using the LAN and HA Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726
Cabling for the MGMT Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727
Rack Mounting Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
Chassis Warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
Rack Mounting and Safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731
Hardware Platform Specifications and Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
System Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
Environmental Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
AC Electrical Power Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
DC Electrical Power Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733
Preface
This guide explains how to install, configure, and manage a NIOS appliance. This preface describes the content and
organization of this guide, and provides information about how to find additional product information, including
accessing Technical Support:
Document Overview on page 20
Documentation Organization on page 20
Documentation Conventions on page 22
What's New on page 24
Related Documentation on page 24
Customer Care on page 25
User Accounts on page 25
Software Upgrades on page 25
Technical Support on page 25
Document Overview
This guide describes how to install, configure, and manage NIOS appliances using NIOS 4.3r1. This manual was last
updated on July 27, 2008. For updated documentation, visit our Support site at: http://support.infoblox.com.
Documentation Organization
This guide consists of five parts, as described in the following table.
Section: Content
Part 1 Appliance Administration (Chapters 1–7)
Chapter 1, Overview, on page 29: Provides general information about the NIOS software and defines the terms used to
explain how NIOS appliances operate. It provides examples of how the appliances can be used in your network.
Chapter 2, Infoblox GUI, on page 37: Explains how to use the GUI of the NIOS appliance by defining what the GUI
components are and how to use them.
Chapter 3, Managing Administrators, on page 65: Explains how to configure and manage administrator groups and
accounts in the local database and on external RADIUS servers.
Chapter 4, Managing Appliance Operations, on page 115: Explains how to configure NTP, secure administrative access,
set routes, enable DNS resolution, activate licenses, and reset the NIOS appliance. It also provides information about
Ethernet and service port usage.
Chapter 5, Monitoring the Appliance, on page 159: Explains the purpose of the various logs and provides information
on using syslog to monitor the NIOS appliance.
Chapter 6, Monitoring with SNMP, on page 175: Explains how to configure SNMP to monitor the NIOS appliance. It also
describes the SNMP traps that the NIOS appliance can send and the Infoblox MIBs.
Chapter 7, Changing Software and Merging Files, on page 219: Explains how to upgrade and downgrade software, and how
to back up, merge, revert, and restore configuration files.
Part 2 Appliance Deployment (Chapters 8–9)
Chapter 8, Deploying Independent Appliances, on page 231: Explains how to deploy single independent appliances and
independent HA (high availability) pairs.
Chapter 9, Deploying a Grid, on page 267: Addresses grid deployment considerations and explains how to deploy single
NIOS appliances and HA pairs as grid masters and members.
Part 3 Service Configuration (Chapters 10–18)
Chapter 10, Managing DNS Data, on page 331: Explains how to manage grid data configurations that are inherited by DNS
members and zones, such as zone type and mapping information. This chapter also describes how to configure Infoblox
views and how to modify, remove, and disable authoritative, delegated, and forward zones. It concludes with how to
add, modify, remove, and disable hosts and records.
Chapter 11, Shared Records, on page 411: Explains how to configure and use shared records. Shared records are groups
of DNS resource records that you can assign to one or more zones. Use shared records to create and update multiple
resource records shared by different zones.
Chapter 12, Configuring DNS Services, on page 423: Explains how to configure the DNS services provided by the grid,
which include time-to-live (TTL) settings, zone transfers, queries, root name servers, dynamic updates, sort lists,
and Transaction Signatures (TSIG) for DNS. This chapter also describes how to specify broadcast addresses, routers,
and DNS servers. It describes how to specify and update zones on external servers and for fixed addresses. This
chapter concludes with how to view DNS configuration files and statistical reports.
Chapter 13, Configuring IP Routing Options, on page 449: Explains how to enable and configure anycast addressing, as
well as how to configure multiple IP addresses on loopback interfaces on the NIOS appliance.
Chapter 14, Managing DHCP Data, on page 459: Explains how to configure networks and features such as split and shared
networks. This chapter also describes how to modify, remove, and disable networks. It concludes with how to add,
modify, remove, and disable fixed addresses and DHCP address ranges. Templates are provided for creating networks,
ranges, and fixed addresses.
Chapter 15, Configuring DHCP Services, on page 483: Explains how to manage grid data configurations that are
inherited by DHCP members and networks, DHCP address ranges, and fixed addresses. This chapter explains how to
configure the DHCP services provided by each member, which include lease times, BOOT servers, and custom options.
It concludes with how to view DHCP configuration files and statistical reports.
Chapter 16, Using Network Discovery, on page 519: Explains how to configure and manage the network discovery feature.
Chapter 17, Configuring DDNS Updates from DHCP, on page 537: Explains how to set up DHCP and DNS services to work
together to support DDNS (dynamic DNS) updates.
Chapter 18, Managing IP Data IPAM, on page 557: Explains how to monitor IP address usage using the IPAM (IP address
management) software module.
Chapter 19, NAC Foundation, on page 581: Provides an overview of the NAC Foundation module and its components, and
describes how to set parameters and configure various security functions.
Chapter 20, File Distribution Services, on page 605: Explains the TFTP, HTTP, and FTP services that the NIOS appliance
provides for uploading and downloading data to and from a NIOS appliance.
Chapter 21, RADIUS Services, on page 613: Explains how to configure RADIUS services on a NIOS appliance.
Chapter 22, IPAM WinConnect, on page 643: Explains how to configure a NIOS appliance to run the IPAM WinConnect
service. This chapter describes how to upload an IPAM WinConnect bundle, set operational parameters, and monitor the
WinConnect service.
Chapter 23, VitalQIP, on page 647: Explains how to configure NIOS appliances as VitalQIP DNS and DHCP remote servers.
This chapter describes how to configure NIOS appliances to upload and manage VitalQIP binary bundles and policy files
in a grid.
Part 4 API Interface (Chapter 22)
Chapter 24, Infoblox DMAPI, on page 665: Provides an overview of the DMAPI interface and describes how to set up and
use the Infoblox API.
Part 5 Reference Material (Appendices A–D)
Appendix A, "Product Compliance", on page 687: Provides product information, such as hardware and software
specifications and requirements. This appendix also supplies agency compliance and safety information and concludes
with RFC compliance information for the product.
Appendix B, "Regular Expressions", on page 693: Lists the regular expressions that the NIOS appliance supports for
searches.
Appendix C, "Open Source Copyright and License Statements", on page 695: Provides the Open Source copyright and
license information for the product.
Appendix D, "Hardware Information", on page 721: Describes the hardware components and explains how to rack-mount and
cable an Infoblox appliance. It also lists the hardware requirements and specifications.
Documentation Conventions
The text in this guide follows these style conventions.
Style: Usage
bold: Indicates anything that you input by clicking, choosing, selecting, or typing in the GUI, or by pressing on the
keyboard.
input: Signifies command line entries that you type.
variable: Signifies variables typed into the GUI that you need to modify specifically for your configuration, such as
command line variables, file names, and keyboard characters.
+ (for tabname) or > (for tabname): Indicates that you will select the named tab.
Variables
Infoblox uses the following variables to represent values that you type, such as file names and IP addresses:
Variable: Value
admin_group: Name of a group of administrators
admin_name: Name of the appliance administrator
addr_range: IP address range
DHCP_template: DHCP template
domain_name: Domain name
directory: Directory name
filter_name: Filter name
fixed_address_template: Fixed address template
grid_master: Grid Master
grid_member: Grid Member
hostname: Host name of an independent appliance
grid: Grid name
ip_addr: IPv4 address
member: Grid member name
netmask: Subnet mask
network: IP address of a network
network_access_server: Name of a NAS
network_template: Network template
policy: Name of a policy on RADIUSone
policy_group: Name of a Policy Group
port: Number of a port; predefined for certain protocols
RADIUS_server: Name of a RADIUS server
service: One of the services available from the Grid Manager
template_type: DHCP template
view: Infoblox view
zone: DNS zone
Navigation
Infoblox technical documentation uses an arrow -> to represent navigation through the GUI. For example, to access
Grid Properties, the description is as follows:
From the Grid perspective, click grid -> Edit -> Grid Properties.
What's New
The following sections are new or have been updated in this version of this guide:
NIOS Virtual Appliance for Riverbed: You can now install the Infoblox NIOS software on Riverbed Steelhead
appliances running the Riverbed RiOS Services Platform (RSP), and configure them as single virtual grid
members.
The joint Infoblox-Riverbed solution supports hybrid environments that include a mix of physical Infoblox
appliances and NIOS virtual appliances, depending on branch office requirements. Each NIOS virtual appliance
appears to the grid as any other grid member, with all of the benefits of distributed services and centralized
management. This includes centralized backup and restoration of user data, DHCP failover capabilities,
one-touch software upgrades, local RADIUS authentication, DNS without latency, and many other benefits of
the Infoblox solution. For information, see Scenario 3 Infoblox Grid with a NIOS Virtual Appliance as a Grid
Member on page 34 and Adding Grid Members on page 288.
For information on supported features and how to install the NIOS software on the RSP, refer to the Quick Start
Guide for Installing NIOS Software on Riverbed Services Platforms.
Network Discovery: You can use network discovery to obtain and manage information about your networks.
When you use network discovery, the NIOS appliance detects all active hosts on the networks you select for
discovery. After a discovery, the appliance returns information such as the MAC address, OS, and NetBIOS name
of the detected hosts, depending on which discovery method you use. You can then convert unmanaged IP
addresses to host records or other object types. You can also resolve network conflicts, troubleshoot network
problems, reclaim unused IP addresses, and view unauthorized devices in your network. For information, see
Chapter 16, Using Network Discovery, on page 519.
Role Based Administration: You can now group global and object-level permissions into roles and assign up to
20 roles to an admin group. The NIOS appliance provides five pre-defined roles, and you can create additional
roles to emulate the job functions in your organization, e.g., DHCP administrators for the Boston data center.
You can also view any conflicting permissions and easily resolve conflicts by reordering roles or adjusting
permissions. For information, see Chapter 3, Managing Administrators, on page 65.
Upgrade Test: After you successfully distribute the software upgrade to the grid master, you can test the
upgrade on the grid master before actually implementing it, so that you can resolve potential data migration
issues before the actual upgrade. For information, see Testing a Software Upgrade on page 319.
Multilingual Support: NIOS appliances now support UTF-8 encoding in certain fields, such as all comment
fields, IPAM fields that you use to classify devices, and file name fields for FTP and TFTP backup and restore
operations. Administrators can now use characters other than English to input information in those fields, thus
simplifying administration in non-English speaking geographies. For information, see Multilingual Support on
page 58.
Related Documentation
Other NIOS appliance documentation:
Infoblox CLI Guide
Infoblox-500, Infoblox-1000 and Infoblox-1200 Quick Start
Infoblox User Guide for the Infoblox-1050, 1550, and 1552 Appliances
Infoblox User Guide for the Infoblox-500, 550 Appliance
Infoblox Installation Guide for the Infoblox-550, -1050, 1550, and 1552 Appliances
Infoblox Installation Guide for the Infoblox-250 Appliance
Infoblox Installation Guide for the Infoblox-2000 Appliance
Quick Start Guide for Installing NIOS Software on Riverbed Services Platforms
Infoblox Safety Guide
To provide feedback on any of the Infoblox technical documents, please e-mail techpubs@infoblox.com.
Customer Care
This section addresses user accounts, software upgrades, licenses and warranties, and technical support.
User Accounts
The Infoblox appliance ships with a default user name and password. Change the default admin account password
immediately after the system is installed to safeguard its use. Make sure that the NIOS appliance has at least one
administrator account with superuser privileges at all times, and keep a record of your account information in a safe
place. If you lose the admin account password and did not already create another superuser account, the system will
need to be reset to factory defaults, causing you to lose all existing data on the NIOS appliance. You can create new
administrator accounts, with or without superuser privileges. For more information, refer to Managing Administrators
on page 41.
Software Upgrades
Software upgrades are available according to the Terms of Sale for your system. Infoblox notifies you when an
upgrade is available. Register immediately with Infoblox Technical Support at
http://www.infoblox.com/support/product_registration.cfm to maximize your Technical Support.
Technical Support
Infoblox Technical Support provides assistance via the Web, e-mail, and telephone. The Infoblox Support web site at
http://support.infoblox.com provides access to product documentation and release notes, but requires the user ID
and password you receive when you register your product online at:
http://www.infoblox.com/support/product_registration.cfm.
Part 1 Appliance Administration
This section provides basic information about the NIOS appliance, including a description of the various modules
and a list of product terminology, a description of the user interface and information about basic configuration tasks.
It includes the following chapters:
Chapter 1, "Overview", on page 29
Chapter 2, "Infoblox GUI", on page 37
Chapter 3, "Managing Administrators", on page 65
Chapter 4, "Managing Appliance Operations", on page 115
Chapter 5, "Monitoring the Appliance", on page 159
Chapter 6, "Monitoring with SNMP", on page 175
Chapter 7, "Changing Software and Merging Files", on page 219
Chapter 1 Overview
This chapter provides general information about the NIOS appliance operating system and software modules. It
defines terms used in this manual and describes various deployment scenarios. The topics in this chapter include:
NIOS Appliance Software Packages and Upgrades on page 30
Product Terminology on page 30
Deployment Scenarios on page 32
Scenario 1 Independent NIOS Appliances on page 32
Scenario 2 Basic Grid with Independent NIOS Appliances on page 33
Scenario 3 Infoblox Grid with a NIOS Virtual Appliance as a Grid Member on page 34
Scenario 4 Multiple Grids on page 35
Scenario 5 Primary and Secondary NIOS Appliances on page 36
NIOS Appliance Software Packages and Upgrades
All NIOS appliances run the NIOS operating system. NIOS appliances provide core services and a framework for
integrating all the components of the modular Infoblox solution. The appliances support local HA (high availability)
both at the appliance and database levels via bloxHA failover and bloxSYNC database synchronization. For
information about HA pairs, see Deploying an Independent HA Pair on page 245 and Adding an HA Member on page
289.
NIOS appliances support the following software packages:
The DNSone software package is fully-BIND compliant. It provides integrated DNS and DHCP services with
built-in IPAM services. DNSone stores all DNS and DHCP data in the integrated bloxSDB semantic database,
which is built into NIOS. It includes a TFTP server for downloading firmware and configuration files to VoIP
phones.
The NSQ (Network Services for Alcatel-Lucent VitalQIP) software package provides support for Alcatel-Lucent's
VitalQIP IP address management software.
The Keystone upgrade provides a real-time, integrated services and data management framework that
integrates a collection of distributed appliances into a unified grid.
The Network Services for VoIP package provides integrated DNS, DHCP, TFTP, and RADIUS proxy services.
The NSA (Network Services for Authentication) software package provides support for the RADIUS (Remote
Authentication Dial-In User Service) protocol and the underlying authentication methods required for 802.1X
authentication, as well as the Infoblox grid module.
The Network Services Suite (NSS) provides integrated DNS, DHCP, TFTP, RADIUS, and the grid services.
The IPAM WinConnect package provides powerful tools and capabilities for managing your IP environment and
IP address data at an enterprise level.
Product Terminology
Before you begin, review Table 1.1 for a description of some key terminology. Some terms, such as grids and high
availability, are used in different ways by other networking-product vendors. The alphabetically arranged table can
help you understand the terms and concepts as Infoblox uses them and as they are used in this guide.
Table 1.1 Product Terminology
Term Description
DNSone The software package that enables the NIOS appliance to provide DNS, DHCP and TFTP
services. You can add the Keystone upgrade to NIOS appliances running DNSone.
Gateway The default router for the immediate network segment of an interface.
HA address The IP address of the HA port. The active node of the grid master uses this address for
grid communications, network data and services, and, if the MGMT port is disabled, GUI
access. See Ethernet Port Usage on page 132.
HA pair Two physical Infoblox appliances that are linked to perform as a single virtual appliance
in an HA (high availability) configuration. In this configuration, one appliance is the active
node and the other is the passive node.
Host name The fully qualified domain name(s) of the NIOS appliance that you are configuring.
Grid A group of NIOS appliances that are connected together to provide a single point of
appliance administration and service configuration in a secure, highly available
environment.
Grid Master The grid member that maintains the semantic database that is distributed among all
members of the grid. You connect to the GUI of the grid master to configure and monitor
the entire grid.
Grid Member Any single NIOS appliance or HA pair of Infoblox appliances that belong to a grid. Each
member can use the data and the services of the grid. You can also modify settings so
that a member can use unique data and member-specific services.
Keystone The Keystone upgrade provides grid capabilities.
LAN address The IP address of the LAN port. The active node of the grid master uses this address for
management protocols if the MGMT port is disabled. The passive node uses its LAN port
for grid communications and management protocols if the MGMT port is disabled. See
Ethernet Port Usage on page 132.
Master Candidate Enables a grid member to assume the role of grid master as a disaster recovery measure.
MGMT Address The IP address that both nodes comprising the grid master use for management
protocols. Also, when you enable the MGMT port, the active node of the grid master uses
the MGMT address for GUI access. See Ethernet Port Usage on page 132.
NIOS appliance Infoblox appliances and Infoblox Virtual Appliances that run NIOS software.
NIOS virtual appliance A Riverbed Steelhead appliance with the Riverbed Services Platform module that runs the
NIOS software.
Node A single component of an HA (high availability) pair. An HA pair consists of an active node
and a passive node.
Service configuration Specifying the services provided by your NIOS appliances, such as enabling DNS and
DHCP, configuring dynamic updates, creating sort lists, using custom options and filters
at the grid, member, zone, and network level.
Virtual IP The shared IP address of an HA pair. A VIP address links to the HA port on the active node.
Virtual Router ID The VRID (virtual router ID) identifies the VRRP (Virtual Router Redundancy Protocol) HA
pair to which the NIOS appliance belongs. Through this ID, two HA nodes identify each
other as belonging to the same HA pair and they obtain a virtual MAC address to share
together with a VIP (virtual IP address). The VRID can be any number between 1 and 255,
and it must be unique on the local LAN so that it does not conflict with any other NIOS
appliances using VRRP on the same subnet.
Zone A portion of the domain name space for which a NIOS appliance or another name server
is authoritative (for example, has the SOA [start of authority] record). A zone can also be
delegated or forwarded. Zones are the primary objects used to manage DNS data and
DNS services.
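As an added illustration of the Virtual Router ID entry (example code written for this guide, not Infoblox code): a check that every VRID is in the 1 to 255 range and unique on its LAN segment, together with the IEEE 802 virtual MAC address 00-00-5E-00-01-{VRID} that the two HA nodes share (RFC 3768). The HA pair names, subnets and VRIDs in the inventory are constructed.

```python
"""Check VRID uniqueness per LAN segment and derive the VRRP virtual MAC.

Added example, not Infoblox code. The inventory is constructed: the HA
pair names, subnets and VRIDs are made up for illustration.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed inventory: (HA pair name, subnet the HA ports sit on, VRID)
INVENTORY = [
    ("dns-ha-1", "10.10.0.0/24", 10),
    ("dhcp-ha-1", "10.10.0.0/24", 11),
    ("dns-ha-2", "10.10.0.0/24", 10),    # same VRID as dns-ha-1 on the same LAN: conflict
    ("dns-ha-3", "10.20.0.0/24", 10),    # same VRID on a different LAN: no conflict
    ("bad-vrid", "10.20.0.0/24", 300),   # outside the 1-255 range
]


def vrrp_virtual_mac(vrid: int) -> str:
    """Return the IPv4 VRRP virtual MAC 00:00:5e:00:01:<VRID> (RFC 3768, section 7.3)."""
    if not 1 <= vrid <= 255:
        raise ValueError(f"VRID {vrid} is outside the valid range 1-255")
    return f"00:00:5e:00:01:{vrid:02x}"


def find_vrid_conflicts(inventory):
    """Return ({(subnet, vrid): [pair names]} for VRIDs reused on one subnet,
    [names whose VRID is out of range])."""
    by_lan = defaultdict(list)
    invalid = []
    for name, subnet, vrid in inventory:
        if not 1 <= vrid <= 255:
            invalid.append(name)
            continue
        # Normalise the subnet so "10.10.0.0/24" and "10.10.0.1/24" land in one bucket.
        by_lan[(str(ip_network(subnet, strict=False)), vrid)].append(name)
    conflicts = {key: names for key, names in by_lan.items() if len(names) > 1}
    return conflicts, invalid


if __name__ == "__main__":
    conflicts, invalid = find_vrid_conflicts(INVENTORY)
    for (subnet, vrid), names in conflicts.items():
        print(f"VRID {vrid} on {subnet} is shared by {', '.join(names)} "
              f"(both pairs would claim virtual MAC {vrrp_virtual_mac(vrid)})")
    for name in invalid:
        print(f"{name}: VRID out of range")
```

Two pairs that share a VRID on one subnet also share the virtual MAC, which is why the guide requires the VRID to be unique on the local LAN; the same VRID on a different subnet is harmless.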
Deployment Scenarios
The NIOS appliances can fit into network topologies in a variety of ways, and can provide DNS and DHCP services in
a variety of ways. This section introduces some typical ways that you can deploy your NIOS appliances:
Scenario 1 Independent NIOS Appliances on page 32
Scenario 2 Basic Grid with Independent NIOS Appliances on page 33
Scenario 3 Infoblox Grid with a NIOS Virtual Appliance as a Grid Member on page 34
Scenario 4 Multiple Grids on page 35
Scenario 5 Primary and Secondary NIOS Appliances on page 36
Scenario 1 Independent NIOS Appliances
The simplest type of deployment is one that uses independent appliances, as shown in Figure 1.1.
Figure 1.1 Independent NIOS Appliances
In the sample deployment that is shown above, three appliances are deployed as independent appliances as follows:
An independent HA pair of Infoblox appliances that provides DNS services
An independent standalone Infoblox appliance that provides DHCP services
An Infoblox appliance can provide network services as an HA pair or as an independent appliance without being part
of a grid. Independent appliances can provide DNS and DHCP services at the same time.
Note: When an Infoblox appliance is used as an independent appliance, that appliance assumes the identity of the
grid master in the GUI, even though it is not part of an actual grid.
[Figure 1.1 labels: GUI Client; Independent HA Pair Providing DNS Services; Internet; Network Clients; Independent Appliance Providing DHCP Services]
Scenario 2 Basic Grid with Independent NIOS Appliances
Multiple NIOS appliances can be deployed within a grid (see Figure 1.2). A grid consists of a master and at least one
member. A member can be a single NIOS appliance or an HA pair that provides DNS and DHCP services seamlessly
across an entire network. The NIOS appliance also provides connectivity for external primary name servers that
operate independently from a grid.
Figure 1.2 Grid and Independent Appliances
A grid is controlled through a single GUI. The Infoblox GUI allows you to centrally configure and monitor any or all grid
members. This approach reduces the time normally required to configure multiple network appliances and services
because you can enter all of the settings, appliance data, and network services for each member using one interface,
not all the individual interfaces of each member on a recurring basis.
The Infoblox distributed database architecture enables all grid members to instantaneously receive changes to the
grid configuration settings because there is automatic synchronization between all of the NIOS appliances via a
secure link.
[Figure 1.2 labels: Grid (Grid Master, Grid Member, HA Grid Member); Independent Primary Server; Independent DNS Secondary Server; Internet; Network Clients; GUI Client]
Scenario 3 Infoblox Grid with a NIOS Virtual Appliance as a Grid Member
You can install Infoblox NIOS software on a Riverbed Steelhead appliance running RSP (Riverbed Services Platform)
and configure it as a NIOS virtual appliance. You can configure the NIOS virtual appliance as a grid member, but not
as an HA pair, a grid master, or a grid master candidate.
Figure 1.3 illustrates the NIOS virtual appliance in a grid. In the illustration, the grid master and the grid master
candidate are Infoblox HA pairs in the data center. The NIOS virtual appliance is a grid member in a branch office, and
the other grid members are Infoblox appliances.
Figure 1.3 Infoblox Grid with a NIOS Virtual Appliance
[Figure 1.3 labels: Data Center; Grid Master; Grid Master Candidate; Branch Office - East; Branch Office - South; Branch Office - West; Branch Office - North; NIOS Virtual Appliance]
Scenario 4 Multiple Grids
The NIOS appliance is designed to manage independently-controlled grids, each from a unique location (see
Figure 1.4). For example, a global network could be managed by four independent grids. The NIOS appliance is
designed for scalable implementations to ease your network management needs. Each grid is centrally managed,
which significantly reduces costs associated with DNS and DHCP management tasks.
Figure 1.4 Multiple Grids
[Figure 1.4 labels: Asia/PAC Grid; Australian Grid; Americas Grid; European Grid; GUI Clients]
Scenario 5 Primary and Secondary NIOS Appliances
NIOS appliances can also be deployed with other network servers. For example, Figure 1.5 shows how a NIOS
appliance can operate as the primary DNS server along with two secondary name servers (a local secondary name
server and a NIOS appliance external secondary server) without the NIOS appliances being part of a grid.
The primary DNS server is deployed inside the corporate internal firewall. In this case, the primary DNS server is an
HA pair of Infoblox appliances, which provides redundancy in the event of hardware failure. The NIOS appliance
external secondary name server is deployed outside of the company's internal firewall. In this case, the NIOS
appliance external secondary name server is a single NIOS appliance, but it could have been an HA pair.
Figure 1.5 Primary and Secondary Servers
Because the external secondary name server is outside of the corporate network, it provides an offsite source of name
resolution for the corporate customers and partners should the corporate connection to the Internet fail. Moreover,
even when the corporate link to the Internet is up, the external secondary server receives most of the queries for data
in the corporate external zones. This type of deployment results in the following benefits:
The use of the corporate Internet connection for name resolution traffic is minimized.
Name resolution by Internet name servers is faster.
NIOS appliances can also operate as forwarders or caching-only servers, either as a single node or as part of an HA
pair. A forwarder is responsible for handling queries from the internal name servers for Internet domain names
(queries that they cannot process themselves because they lack Internet connectivity).
Just as the primary DNS server is located inside the corporate internal firewall, the forwarder is also located inside
the firewall. Consequently, you must configure firewall rules that:
Allow the forwarder to send queries to the Internet name servers
Allow the responses to those queries back in to the forwarder
Block unsolicited DNS messages from the Internet, including responses that do not match an outstanding query
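The three rules above, modelled as a small stateful filter (example code written for this guide, not Infoblox code and not a firewall configuration): queries from the forwarder are let out and remembered, a response is let in only if it matches a remembered query, and everything else from the Internet side is dropped. The addresses, ports and transaction IDs are constructed; 192.0.2.53 is a documentation address standing in for an Internet name server.

```python
"""Stateful model of the firewall rules a DNS forwarder needs.

Added example, not Infoblox code. The addresses, ports and transaction
IDs are constructed; 192.0.2.53 (RFC 5737 documentation range) stands in
for an Internet name server.
"""
from __future__ import annotations
from dataclasses import dataclass

FORWARDER = "10.0.0.53"      # forwarder inside the firewall (constructed)
UPSTREAM = "192.0.2.53"      # an Internet name server (constructed)


@dataclass(frozen=True)
class DnsPacket:
    src: str
    sport: int
    dst: str
    dport: int
    txid: int        # DNS transaction ID from the message header
    response: bool   # True when the QR bit is set


class ForwarderDnsFilter:
    """Allow forwarder-initiated DNS exchanges only.

    A real stateful firewall keys its state on the address/port tuple
    ("ct state established,related" in nftables terms) and the resolver
    additionally matches the transaction ID; the model keeps both in one
    table so that each unsolicited case is visible.
    """

    def __init__(self, forwarder_ip: str):
        self.forwarder_ip = forwarder_ip
        self.pending: set[tuple[str, int, int]] = set()

    def filter(self, pkt: DnsPacket) -> str:
        # Rule 1: the forwarder may send queries to Internet name servers.
        if not pkt.response and pkt.src == self.forwarder_ip and pkt.dport == 53:
            self.pending.add((pkt.dst, pkt.sport, pkt.txid))
            return "ACCEPT"
        # Rule 2: a response gets in only if it answers an outstanding query.
        if pkt.response and pkt.dst == self.forwarder_ip and pkt.sport == 53:
            key = (pkt.src, pkt.dport, pkt.txid)
            if key in self.pending:
                self.pending.discard(key)   # one answer per query; replays are dropped
                return "ACCEPT"
            return "DROP"                   # Rule 3: unsolicited response
        # Rule 3: everything else, e.g. a query from the Internet aimed at the forwarder.
        return "DROP"


def run_scenario() -> list[str]:
    """Feed a constructed packet sequence through the filter and return the decisions."""
    fw = ForwarderDnsFilter(FORWARDER)
    packets = [
        DnsPacket(FORWARDER, 40001, UPSTREAM, 53, 0x1A2B, response=False),   # query out
        DnsPacket(UPSTREAM, 53, FORWARDER, 40001, 0x1A2B, response=True),    # matching answer
        DnsPacket(UPSTREAM, 53, FORWARDER, 40001, 0x1A2B, response=True),    # replayed duplicate
        DnsPacket(UPSTREAM, 53, FORWARDER, 40002, 0x9999, response=True),    # spoofed, nothing pending
        DnsPacket(UPSTREAM, 1234, FORWARDER, 53, 0x0001, response=False),    # inbound query
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The fourth packet is the case the third rule exists for: a response that arrives without a matching query is exactly what a cache-poisoning attempt looks like from the firewall's point of view, and a stateless "allow UDP/53 in" rule would let it through.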
[Figure 1.5 labels: GUI Client; Independent HA Pair (Primary Server); Internet; Network Clients; Independent Appliance (External Secondary Server); DNS Server (Secondary Server)]
Chapter 2 Infoblox GUI
This chapter introduces the two versions of the Infoblox GUI (Graphical User Interface):
Infoblox Grid Manager GUI for NIOS appliances running a software package, such as DNSone or the NSQ
(Network Services for Lucent VitalQIP) package, with the Keystone upgrade
Infoblox Device Manager GUI for NIOS appliances running a software package without the Keystone upgrade
The chapter lists the requirements for the management system you use to access a NIOS appliance, explains how to
access the NIOS appliance, and describes the components of the Infoblox Grid Manager GUI. Topics in this chapter
include:
Management System Requirements on page 38
Accessing the Infoblox GUI on page 38
Connecting to a NIOS Appliance with JWS (Java Web Start) on page 39
Installing the Grid Manager on page 43
Connecting to a NIOS Appliance Using the Grid Manager on page 44
SSL (Secure Sockets Layer) Protocol on page 47
Managing Certificates on page 48
Understanding the GUI Components on page 50
Main Interface Components on page 50
Customizing a Perspective Layout on page 53
Creating a Login Banner on a NIOS Appliance on page 54
Customizing Columns on page 54
Using Global Search on page 55
Printing from the GUI on page 56
Multilingual Support on page 58
UTF-8 Supported Fields on page 58
UTF-8 Support Limitations on page 58
International Characters Support for RADIUS Authentication on page 59
Exporting Data on page 60
Exporting Data from Panels on page 60
Exporting Data to a CSV File on page 62
Management System Requirements
The management system is the computer from which you configure and manage the NIOS appliance. The
management system must meet the following requirements to operate a NIOS appliance.
Figure 2.1 Software and Hardware Requirements for the Management System
Note: If the browser used to manage the NIOS appliance has a pop-up blocker enabled, you must turn off the pop-up
blocker for the IP address used to manage the NIOS appliance.
Accessing the Infoblox GUI
Before you access the Infoblox GUI, connect your NIOS appliance to the network as described in the installation
guide, user guide or quick start guide that shipped with your product. Refer to Hardware Information on page 721 for
more information on cabling and powering up the NIOS appliance.
Note: Before proceeding, make sure that your computer meets the current requirements for the GUI client as
described in Management System Requirements.
You can access and log in to a NIOS appliance using JWS (Java Web Start). You can use any computer on your network
that runs the following applications:
JRE (Java Runtime Environment) version 1.5.0_14 or version 1.6
JWS application, which is automatically installed with the corresponding version of the JRE
Standard browser that associates JNLP (Java Network Launching Protocol) file types with the JWS application
Alternatively, you can install the Grid Manager on management systems running one of the supported Microsoft
Windows operating systems, as described in About The Grid Manager on page 43.
Contents of Figure 2.1:
Management System Software Requirements
GUI access:
Microsoft Internet Explorer 6.0 or higher on Microsoft Windows XP, and Internet Explorer 7.0 on Windows Vista
or
Mozilla 1.7 or higher on Linux (Fedora Core 5 or higher, Red Hat)
and
Sun Java Runtime Environment (JRE) version 1.5.0_14 or version 1.6
JWS application, which is automatically installed with JRE 1.5.0_14 or higher
CLI access:
SSH (Secure Shell) client that supports SSHv2
Terminal emulation program, such as minicom or Hilgraeve HyperTerminal
Management System Hardware Requirements
Minimum system: 500 MHz CPU with 256 MB RAM available to the product GUI, and 56 Kbps connectivity to the NIOS appliance
Recommended system: 1 GHz (or higher) CPU with 512 MB RAM available for the product GUI, and network connectivity to the NIOS appliance
Monitor resolution: 1024 x 768 (minimum) to 1600 x 1200 (maximum)
Connecting to a NIOS Appliance with JWS (Java Web Start)
To make an initial management connection to the NIOS appliance using JWS:
1. Start your browser, and enter https://ip_addr, where ip_addr is the IP address of the NIOS appliance that you
entered through the LCD or serial port, or the default IP address 192.168.1.2. See Using the LCD Panel on page
723 and Using the Serial Console on page 723.
The NIOS appliance sends its server certificate to the browser to authenticate itself during the SSL (Secure
Sockets Layer) handshake. Because the default certificate is self-signed, your browser does not have a trusted
CA (certificate authority) certificate or a cached NIOS appliance server certificate (saved from an earlier
connection) to authenticate the NIOS appliance certificate. Also, the host name in the default certificate is
www.infoblox.com, which is unlikely to match the host name of your NIOS appliance. Consequently, messages
appear warning that the certificate is not from a trusted certifying authority and that the host name on the
certificate is either invalid or does not match the name of the site that sent the certificate.
Note: To eliminate certificate warnings, you can replace the default self-signed certificate with a different
certificate that has the host name of your NIOS appliance. You can either generate another self-signed
certificate with the right host name and save it to the CA certificate store of your browser (and, later in the
procedure, to the certificate stores for JWS and the downloaded GUI application), or request a CA-signed
certificate with the right host name and load it on the NIOS appliance. For information, see Managing
Certificates on page 48.
2. Either accept the certificate just for this session or save it to the certificate store of your browser. Before you
save a self-signed certificate permanently, confirm its fingerprint over an out-of-band channel, so that you do not
pin a certificate presented by a host interposed between you and the appliance.
3. On the NIOS appliance home page, click Launch Grid Manager or Launch Device Manager.
The browser and JWS perform the following operations:
a. The browser requests the JNLP (Java Network Launching Protocol) file from the NIOS appliance and
sends the file it receives to JWS (Java Web Start).
b. JWS checks for the JNLP file in its cache and, if it finds it, compares it with the recently received JNLP file.
Because this is the initial connection attempt, JWS does not yet have this file cached. In subsequent
connection attempts, comparing the newly downloaded JNLP file with the cached file can indicate
whether JWS needs to update any items that the file specifies.
c. If JWS discovers there is no cached JNLP file or that the new JNLP file differs from the earlier file, JWS
builds an SSL tunnel to the sources specified in the JNLP file. For this initial connection, JWS must make
an SSL connection to the NIOS appliance to download the GUI application.
JWS displays a security warning prompting you to accept or reject the NIOS appliance certificate the NIOS
appliance sends to authenticate itself. If the default certificate is in use, warning messages appear
stating the certificate is not from a trusted certifying authority, and that the host name on the certificate
is either invalid or does not match the name of the site. This is the same certificate that the NIOS
appliance uses to authenticate itself during all SSL handshakes.
4. Either accept the NIOS appliance server certificate just for this SSL session, or save it permanently to the JWS
server certificate store.
After the SSL tunnel is established, the NIOS appliance begins to download the GUI application, which is signed
with a different certificate than the server certificate the NIOS appliance uses to authenticate itself during SSL
handshakes. The certificate authenticating the GUI application is signed by Verisign. When received by JWS, it
displays a security warning prompting you to accept or reject the signed application.
5. Do one of the following:
Click Yes to accept the authenticity of the Infoblox GUI application for this download.
Click Always to accept the authenticity of the Infoblox GUI application for this and future downloads by
saving the certificate to the JWS application certificate store.
Note: To manage server certificates in JWS, open the Java Application Cache Viewer, and then click Edit ->
Preferences -> Security -> Certificates.
JWS downloads the Infoblox GUI application and any other items it needsor, for subsequent connections, just
the items it needs to update. For this initial connection, JWS downloads the GUI application. It might also
download a different version of JRE. The NIOS appliance supports JRE 1.5.0_14 or JRE 1.6.
6. After the Infoblox GUI application download is complete, begin the login process by choosing the host name of
the NIOS appliance from the Hostname drop-down list.
7. Enter the user name and password. The default user name is admin, and the default password is infoblox.
Note: The user name and password are case-sensitive. Every appliance ships with the same default credentials, so
change the default password immediately after you first log in. For more details, refer to Authenticating
Administrators on page 101.
To reuse the same user name, select Options -> Save User Name. The NIOS appliance saves the user name and it
appears automatically the next time you invoke the GUI.
The GUI application initiates an SSL connection to the NIOS appliance. The NIOS appliance sends its server
certificate to authenticate itself to the application. If the default certificate is in use, warning messages appear
stating the certificate is not from a trusted certifying authority and that the host name on the certificate is either
invalid or does not match the name of the site.
8. Accept the certificate for this session, or save it permanently to the server certificate store of the GUI application.
Note: To manage CA (Certificate Authority) and server certificates in the Infoblox GUI application, open the GUI
application login prompt, and select Options -> Manage Certificates.
The SSL tunnel completes, and the login process continues. If the login is successful, the connection between
the Infoblox GUI application and the NIOS appliance is complete. If the login is not successful, an error message
appears and the login prompt returns.
When the session ends, the Infoblox GUI application remains in the Java sandbox. You can launch it from this
location the next time you want to connect to the NIOS appliance.
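The certificate decision that steps 2, 4 and 8 ask for, worked through in code (example written for this guide, not Infoblox code and not how the browser, JWS or the GUI application implement their certificate stores): the default certificate carries the host name www.infoblox.com and is self-signed, so both warnings appear, and the administrator either accepts it for one session or saves it permanently. The example also shows what a store should do when a host that was pinned earlier presents a different certificate. The host name nios1.example.com and the certificate bytes are constructed stand-ins for a real DER-encoded certificate.

```python
"""Host name check and trust-on-first-use pinning for an appliance certificate.

Added example, not Infoblox code. The host name and the certificate bytes
are constructed stand-ins for real DER-encoded certificates.
"""
from __future__ import annotations
import hashlib
import json
import tempfile
from pathlib import Path


def hostname_matches(presented_names: list[str], hostname: str) -> bool:
    """RFC 6125-style check: exact match, or '*' standing for the whole left-most label."""
    hostname = hostname.lower().rstrip(".")
    for name in presented_names:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        # Reject '*.com'-style wildcards: the part after '*.' needs at least two labels.
        if name.startswith("*.") and name.count(".") >= 2:
            suffix = name[1:]                                        # '.example.com'
            left = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
            if left and "." not in left:
                return True
    return False


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding: the value to confirm out of band before pinning."""
    return hashlib.sha256(cert_der).hexdigest()


class CertificateStore:
    """Per-host pins persisted to a JSON file, plus session-only acceptances."""

    def __init__(self, path: Path):
        self.path = path
        self.pinned: dict[str, str] = json.loads(path.read_text()) if path.exists() else {}
        self.session: dict[str, str] = {}

    def evaluate(self, host: str, cert_der: bytes, presented_names: list[str],
                 issuer_trusted: bool) -> dict:
        fp = fingerprint(cert_der)
        if self.pinned.get(host) == fp or self.session.get(host) == fp:
            return {"fingerprint": fp, "status": "TRUSTED", "warnings": []}
        if host in self.pinned:
            # A different certificate than the one saved earlier: refuse instead of
            # prompting, since a quiet re-prompt is what an interposed host would need.
            return {"fingerprint": fp, "status": "PIN_CHANGED", "warnings": []}
        warnings = []
        if not issuer_trusted:
            warnings.append("not from a trusted certifying authority")
        if not hostname_matches(presented_names, host):
            warnings.append("host name on the certificate does not match the site")
        status = "PROMPT" if warnings else "TRUSTED"
        return {"fingerprint": fp, "status": status, "warnings": warnings}

    def accept(self, host: str, fp: str, permanent: bool) -> None:
        """Record the administrator's choice: this session only, or saved to the store."""
        if permanent:
            self.pinned[host] = fp
            self.path.write_text(json.dumps(self.pinned))
        else:
            self.session[host] = fp


DEFAULT_CERT = b"constructed stand-in for the default self-signed certificate"
REKEYED_CERT = b"constructed stand-in for a different certificate"


def run_scenario(store_dir: str | None = None) -> list[str]:
    """First connection, reconnect after pinning, then a changed certificate."""
    store_dir = store_dir or tempfile.mkdtemp()
    store = CertificateStore(Path(store_dir) / "pins.json")
    host = "nios1.example.com"
    first = store.evaluate(host, DEFAULT_CERT, ["www.infoblox.com"], issuer_trusted=False)
    store.accept(host, first["fingerprint"], permanent=True)   # "save it permanently"
    second = store.evaluate(host, DEFAULT_CERT, ["www.infoblox.com"], issuer_trusted=False)
    third = store.evaluate(host, REKEYED_CERT, ["www.infoblox.com"], issuer_trusted=False)
    return [first["status"], second["status"], third["status"]]


if __name__ == "__main__":
    print(run_scenario())   # ['PROMPT', 'TRUSTED', 'PIN_CHANGED']
```

Replacing the default certificate with one that names the appliance, as the note under step 1 recommends, removes the host name warning; the issuer warning goes away only with a certificate signed by a CA your browser and Java already trust.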
Figure 2.2 Java Web Start Initial Access
After you make the initial connection, you can start the Infoblox GUI application with one of these methods:
Browser This is identical to the initial connection. Start your browser, and enter https://domain_name or
https://ip_addr to reach the NIOS appliance.
Infoblox GUI Application Shortcut If you created a shortcut (when prompted by JWS), double-click the shortcut
icon on your desktop. JWS checks the JNLP file and the NIOS appliance resource files (.jar files containing
components of the Infoblox GUI application) for updates. JWS downloads any updated items it might find, and
then the GUI application login prompt appears.
Java Application Cache Viewer Open the Java Application Cache Viewer, and click the Infoblox GUI application
that you want to use. Then click either Launch Online or Launch Offline. When you select Launch Online, JWS
checks the JNLP file and the NIOS appliance resource files for updates before the GUI application connects to
the NIOS appliance. When you select Launch Offline, JWS does not check for updates before the Infoblox GUI
application connects to the NIOS appliance.
[Figure 2.2 shows the management client (browser, Java sandbox and GUI application, each with its own certificate store holding CA certificates, server certificates and Java application certificates) and the NIOS appliance, with three numbered SSL tunnels between them. The legend distinguishes the application certificate, which authenticates the GUI application during download, from the Infoblox server certificate, which authenticates the appliance when establishing an SSL tunnel.]
1. The browser and appliance form an SSL tunnel. The browser either accepts the appliance certificate automatically or the administrator accepts it manually. Then the browser downloads the JNLP (Java Network Launching Protocol) file and passes it to the Java application.
2. The JNLP file instructs Java to check if it has the latest GUI application and downloads it if necessary. Java and the appliance form a new SSL tunnel between themselves. If Java automatically accepts the two certificates (one authenticating the appliance and the other authenticating the GUI application), or if the administrator accepts them manually, the GUI application download proceeds.
3. The Infoblox GUI application and the appliance form a third SSL tunnel. If the GUI application accepts the appliance certificate automatically or the administrator accepts it manually, the administrator can complete the login and begin sending commands to the appliance.
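Steps 3a to 3c of the JWS procedure and the update check described for the shortcut and the Java Application Cache Viewer both hinge on the JNLP file: JWS compares it with its cached copy and then opens SSL connections to the sources the file lists. The following is an added example (written for this guide, not Infoblox code and not part of JWS) of a check a practitioner can run on a JNLP file before letting JWS act on it: every listed source must be https on the appliance host that was typed into the browser, and a digest comparison stands in for the cached-versus-new comparison. The JNLP text, jar names, class name and host names are constructed.

```python
"""Check a JNLP file before Java Web Start fetches the resources it names.

Added example, not Infoblox code and not part of JWS. The JNLP text, jar
names, class name and host names are constructed.
"""
from __future__ import annotations
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Constructed JNLP file, shaped like what an appliance might serve (names are made up).
CONSTRUCTED_JNLP = """<jnlp spec="1.0+" codebase="https://nios1.example.com/" href="gridmanager.jnlp">
  <information><title>Grid Manager</title><vendor>Example</vendor></information>
  <resources>
    <j2se version="1.6 1.5.0_14"/>
    <jar href="ui/gridmanager.jar" main="true"/>
    <jar href="ui/lib/common.jar"/>
  </resources>
  <application-desc main-class="com.example.gui.Main"/>
</jnlp>
"""

# The same file with one resource redirected off-host over plain http.
TAMPERED_JNLP = CONSTRUCTED_JNLP.replace(
    'href="ui/lib/common.jar"', 'href="http://cdn.example.net/ui/lib/common.jar"')


def jnlp_resources(jnlp_xml: str) -> tuple[str, list[str]]:
    """Return the codebase and the absolute URL of every jar, nativelib or extension."""
    root = ET.fromstring(jnlp_xml)
    codebase = root.get("codebase", "")
    # Relative hrefs resolve against the codebase; absolute hrefs are kept as they are.
    urls = [urljoin(codebase, elem.get("href"))
            for elem in root.iter()
            if elem.tag in ("jar", "nativelib", "extension") and elem.get("href")]
    return codebase, urls


def check_jnlp(jnlp_xml: str, appliance_host: str) -> list[str]:
    """List every source that is not https or not on the appliance host."""
    problems = []
    codebase, urls = jnlp_resources(jnlp_xml)
    for url in [codebase] + urls:
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"not https: {url}")
        if parts.hostname != appliance_host.lower():
            problems.append(f"off-host source: {url}")
    return problems


def jnlp_changed(cached: bytes | None, received: bytes) -> bool:
    """Step 3b: no cached copy, or a different digest, means JWS has to re-fetch."""
    if cached is None:
        return True
    return hashlib.sha256(cached).digest() != hashlib.sha256(received).digest()


if __name__ == "__main__":
    print(check_jnlp(CONSTRUCTED_JNLP, "nios1.example.com"))   # []
    for problem in check_jnlp(TAMPERED_JNLP, "nios1.example.com"):
        print(problem)
```

The off-host case matters because the signed GUI application is only as trustworthy as the channel each of its jars arrives over: a jar fetched over plain http from another host can be swapped in transit, and the Java signature check then reports on whatever was delivered.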
Running a Single GUI Application
JWS can use the same Infoblox GUI application for different NIOS appliances as long as each NIOS appliance is
running the same version of software. However, each time you use the browser to initiate a connection to a different
NIOS appliance, JWS downloads the GUI application to the Java sandboxeven if you have already downloaded the
same version of the application when connecting to another NIOS appliance. If you manage a number of independent
NIOS appliances, this can result in many unnecessary downloads. To use the same GUI application for multiple NIOS
appliances running the same software version, do not begin the connection process from the browser. Instead, do
the following:
1. Use the GUI application shortcut or open the Java Application Cache Viewer.
2. Click the GUI application that you want to use, and then click Launch Online (to check for updates) or Launch
Offline (to bypass update checks).
Figure 2.3 Java Application Cache Viewer
3. When the login prompt appears, either select an existing host name from the Hostname drop-down list, or type
a new host name in the Hostname field. Then enter the correct user name and password, and click Login.
Clearing Cache on a Linux Computer
The following error message usually indicates that you must clear the JWS cache on your Linux computer:
Server software version xx-xx-xx is not compatible with this GUI application. Obtain a
compatible GUI version by pointing a browser at https://xx.xx.xx.
Enter the following commands in a Linux terminal window to clear the cache:
cd ~/.java/deployment/cache/javaws
rm -rf https
This clears the cache. Then:
1. Open a web browser and go to the same web address (https://xx.xx.xx).
2. Click Launch Grid Manager or Launch Device Manager.
About The Grid Manager
You can install the Infoblox Grid Manager on a computer running any of the following Microsoft Windows operating
systems:
Microsoft Windows XP with Service Pack 2
Microsoft Windows Vista with Service Pack 1
The Grid Manager installs the NIOS appliance JRE files and GUI application files in a container within a Java sandbox
on your computer. After the installation, the files remain in the sandbox and the Grid Manager always launches from
this location. The files in the sandbox are used only by the Grid Manager and do not affect any other Java application
on your system. Thus, your system can have a different version of the JRE for other applications.
The Grid Manager installs a complete, self-contained application package that can handle multiple versions of NIOS.
It automatically caches the GUI version it uses to connect to a NIOS appliance. When you attempt to connect to a NIOS
appliance that is running a different GUI version, the Grid Manager automatically detects the difference and
downloads the other GUI version, after your confirmation. This allows you to easily connect to NIOS appliances
running different versions of the NIOS software. You can configure the number of cached versions on your local
computer as explained in Managing Cache Settings on page 46.
Installing the Grid Manager
Note the following guidelines when installing the Grid Manager:
On a computer running Microsoft Windows XP:
If the computer is in a domain, all users except restricted users can install the Grid Manager.
If the computer is not in a domain, only Administrators can install the Grid Manager.
Users with administrator rights can install the Grid Manager on a computer running Microsoft Windows Vista.
Other users are prompted for the administrator password when they try to install Grid Manager.
These restrictions pertain to the Grid Manager installation only. After it is installed, any user can access the Grid
Manager.
To install the Grid Manager:
1. Download the Grid Manager setup.exe file from the Infoblox Support web site.
2. Double-click the .exe file to launch the Grid Manager Wizard.
3. In the Welcome splash screen, click Next.
4. Accept the License Agreement, and click Next.
5. Verify and/or change information in the Customer Information screen, and click Next.
6. Verify and/or change the local installation folder (C:\Program Files\Infoblox) on your computer, and click Next.
7. Verify the installation settings, and click Install.
The Wizard installs the new files in the destination folder.
8. At the end of the installation procedure, click Finish.
A Launch Infoblox Grid Manager icon appears on the desktop and Infoblox Grid Manager appears in the Start
menu of your computer.
Infoblox GUI
44 Infoblox Administrator Guide (Rev. A) NIOS 4.3r1
Changing the File Location
Note that in some cases, because of limited permissions or other restrictions, you cannot write to a system file. In
this case, before you launch the Grid Manager, you can change the environment variable to point to a directory for
which you have write permission.
1. Right click My Computer on the desktop.
2. Select Properties -> Advanced tab -> Environment Variables.
3. In the User Environment Variables dialog box, click New.
4. In the New User Variables dialog box, do the following and then click OK:
Type INFOBLOX_UI_CACHE_DIR in the Variable Name field.
Type the name of a directory for which you have write permission in the Variable Value field.
5. Click OK to close the User Environment Variables dialog box.
Connecting to a NIOS Appliance Using the Grid Manager
1. To launch the Infoblox Grid Manager, double-click the Launch Infoblox Grid Manager icon on your desktop or click
Start > All Programs > Infoblox, Inc. > Infoblox Grid Manager > Launch Infoblox Grid Manager.
If you are launching the Grid Manager for the first time, it detects that there are no installed versions in the
cache and does the following:
Copies the JAR files from the local installation folder to the following location on your management system:
C:\Documents and Settings\user\Application Data\Infoblox\Install\NIOS_version
Unpacks the JAR files to the following directory:
C:\Documents and Settings\user\Application Data\Infoblox\deploy\NIOS version
Note that you can change the directory as described in Changing the File Location.
Creates a log file for the GUI deployment called ibdeploy.log.
Launches the login dialog box.
2. Enter the IP address of the NIOS appliance or grid master to which you are connecting.
Infoblox Grid Manager looks for the correct software version in the cache on the computer:
If this is the first time you are connecting to that NIOS appliance, it does not find the files in the cache and
displays a message indicating that the appropriate version of the software is not found in the cache, and
offers to download the new version.
If you click OK, Grid Manager downloads the files to a folder in C:\Documents and
Settings\user\Application Data\Infoblox\Install\NIOS version. After the download is
complete, the Infoblox Grid Manager login screen displays.
When you launch Grid Manager to connect to the same NIOS appliance, it detects the server software
information in the current cache and launches using this cache file; if there is a more recent version, it picks
up the more recent version and stores this in the cache.
3. Enter your user name and password. The default user name is admin, and the default password is infoblox.
Note: The user name and password are case-sensitive.
To reuse the same user name, select Options -> Save User Name. The NIOS appliance saves the user name and it
appears automatically the next time you invoke the GUI.
The GUI application initiates an SSL connection to the NIOS appliance. The NIOS appliance sends its server
certificate to authenticate itself to the application. If the default certificate is in use, warning messages appear
stating that the certificate is not from a trusted certifying authority and that the host name on the certificate is
either invalid or does not match the name of the site.
4. Accept the certificate for this session, or save it permanently to the server certificate store of the GUI application.
Note: To manage CA (Certificate Authority) and server certificates in the Infoblox GUI application, open the GUI
application login prompt, and select Options -> Manage Certificates.
The SSL tunnel completes, and the login process continues. If the login is successful, the connection between
the Infoblox GUI application and the NIOS appliance is complete. If the login is not successful, an error message
appears and the login prompt returns.
When the session ends, the Infoblox GUI application remains in the Java sandbox. It launches from this location
the next time you want to connect to the NIOS appliance.
Setting Login Options
The NIOS Login dialog box provides several options that you can set to facilitate the login process.
Specify the Host Name
You can define the default host name that appears when the login prompt displays:
Select Options -> Hostname, and then select one of the following:
Initial: Retains the host name that you enter when you first install the NIOS appliance.
Last used: Enters a host name when you log in and retains it for subsequent logins.
Blank: Leaves the host name blank whenever you log in.
Save User Name
You can save your user name so that you do not have to type it each time you log in.
Select Options -> Save User Name.
Manage Certificates
You can manage CA (Certificate Authority) and server certificates in the NIOS appliance. You can import certificates,
select and view their details, or remove them.
1. Select Options -> Manage Certificates.
The NIOS GUI Certificates dialog appears.
2. Select the Server Certificates or the CA Certificates tab and click Import.
3. Navigate to where the certificate is located and click Open.
You can manually import a certificate into the client's data store. You can also delete a certificate (select it and click
Remove) and view detailed information on it (select it and click Details).
Managing Cache Settings
By default, Grid Manager caches 10 NIOS versions on your computer. You can change this default at any time in the
Login dialog box. Each cache file uses approximately 15 MB of disk space. Consider this when setting the number of
cache files for retention. When the system meets the predefined maximum number of cache files, it deletes the first
(oldest) and then adds the new version to the cache file.
To edit the cache settings:
1. Select the Options menu -> Cache Settings.
2. In the Cache Settings dialog box, enter the number of GUI versions to cache. You can enter a number between 2
and 32.
Note that when you use a Linux computer to first connect to a NIOS appliance, JWS automatically downloads the GUI
application to your computer. Though this initial version is retained in the cache, the Grid Manager does not include
it in the total number of cached versions. It includes only the versions that it downloads. Therefore, when your
computer connects to a NIOS appliance that is running a different version and the Grid Manager downloads it to your
computer, it includes this version in the total number of cached versions.
SSL (Secure Sockets Layer) Protocol
When you log in to the NIOS appliance, your computer makes an HTTPS (Hypertext Transfer Protocol over Secure
Sockets Layer protocol) connection to the NIOS appliance. HTTPS is the secure version of HTTP, the client-server
protocol used to send and receive communications throughout the Web. HTTPS uses SSL (Secure Sockets Layer) to
secure the connection between a client and server. SSL provides server authentication and encryption. The NIOS
appliance supports SSL versions 2 and 3.
When a client first connects to a server, it starts a series of message exchanges, called the SSL handshake. During
this exchange, the server authenticates itself to the client by sending its server certificate. A certificate is an electronic
form that verifies the identity and public key of the subject of the certificate. (In SSL, the subject of the certificate is
the server.) Certificates are typically issued and digitally signed by a trusted third party, the Certificate Authority (CA).
A certificate contains the following information: the dates it is valid, the issuing CA, the server name, and the public
key of the server.
A server generates two distinct but related keys: a public key and a private key. During the SSL handshake, the server
sends its public key to the client. Once the client validates the certificate, it encrypts a random value with the public
key and sends it to the server. The server decrypts the random value with its private key.
The server and the client use the random value to generate the master secret, which they in turn use to generate
symmetric keys. The client and server end the handshake when they exchange messages indicating that they are
using the symmetric keys to encrypt further communications.
Figure 2.4 SSL Handshake (figure; its callouts describe the following sequence, with the hello messages marked as plain text and the later exchanges as cipher text)
1. Client contacts the NIOS appliance and recommends certain parameters, such as SSL version, cipher settings, and session-specific data.
2. The appliance either agrees or recommends other parameters. It also sends its certificate, which contains its public key.
3. Client encrypts a random number with the public key and sends it to the appliance. The appliance uses its private key to decrypt the message.
4. The client and the appliance generate the master secret, and then the symmetric keys.
5. The client and the appliance agree to encrypt all messages with symmetric keys.
6. The client and the appliance send all their messages through the SSL tunnel, which uses the cipher settings and encryption to secure their connection.
Managing Certificates
The NIOS appliance generates a self-signed certificate when it first starts. A self-signed certificate is signed by the
subject of the certificate, and not by a CA (Certificate Authority). This is the default certificate. When your computer
first connects to the NIOS appliance, it sends this certificate to authenticate itself to your browser.
Because the default certificate is self-signed, your browser does not have a trusted CA certificate or a cached NIOS
appliance server certificate (saved from an earlier connection) to authenticate the NIOS appliance certificate. Also,
the host name in the default certificate is www.infoblox.com, which is unlikely to match the host name of your NIOS
appliance. Consequently, messages appear warning that the certificate is not from a trusted certifying authority and
that the host name on the certificate is either invalid or does not match the name of the site that sent the certificate.
Either accept the certificate just for this session or save it to the certificate store of your browser.
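As an added illustration of the exchange described above and of the warnings a client raises for the default self-signed certificate, the following Python script (example code, not from the guide or from Infoblox) models the handshake: the client checks the certificate's issuer against a trusted-CA set, its validity dates and its host name, then encrypts a random pre-master value with the server's public key, and both sides derive the master secret and symmetric keys from it. Textbook RSA with tiny primes and an HMAC-SHA256 key schedule stand in for the real algorithms, and the certificate, host name, dates and CA name are constructed; none of this is secure and it is not the SSL wire format.

```python
"""Model of the SSL handshake described in the guide (added example, not
Infoblox code). Toy RSA and an HMAC-based key schedule stand in for the real
algorithms so the flow can be followed end to end; nothing here is secure."""
import hashlib
import hmac
import secrets
from datetime import date

# Toy RSA key pair: p=61, q=53 -> n=3233, e=17, d=2753. Real servers use
# 1024- or 2048-bit moduli, the sizes the NIOS certificate dialogs offer.
P, Q = 61, 53
N = P * Q                              # public modulus
E = 17                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (2753)
SERVER_PUBLIC_KEY = (N, E)
SERVER_PRIVATE_KEY = (N, D)            # never leaves the appliance

# Constructed certificate mirroring the default NIOS one: self-signed
# (issuer == subject) with the host name www.infoblox.com.
DEFAULT_CERT = {
    "subject_cn": "www.infoblox.com",
    "issuer_cn": "www.infoblox.com",
    "not_before": date(2008, 1, 1),
    "not_after": date(2009, 1, 1),
    "public_key": SERVER_PUBLIC_KEY,
}
DEFAULT_TODAY = date(2008, 7, 27)      # constructed "current" date


def rsa_encrypt(m, pub):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(c, priv):
    n, d = priv
    return pow(c, d, n)


def validate_certificate(cert, expected_host, trusted_cas, today=DEFAULT_TODAY):
    """Return the warnings a client raises for this certificate (empty = clean).
    These are the checks behind the warnings the guide describes."""
    warnings = []
    if cert["issuer_cn"] not in trusted_cas:
        warnings.append("certificate is not from a trusted certifying authority")
    if not cert["not_before"] <= today <= cert["not_after"]:
        warnings.append("certificate is outside its validity dates")
    if cert["subject_cn"].lower() != expected_host.lower():
        warnings.append("host name on the certificate does not match the site")
    return warnings


def derive_keys(pre_master, client_random, server_random):
    """Master secret, then one symmetric write key per direction.
    Simplified: HMAC-SHA256 replaces the SSL pseudo-random function."""
    seed = client_random + server_random
    master = hmac.new(pre_master.to_bytes(2, "big"),
                      b"master secret" + seed, hashlib.sha256).digest()
    client_write = hmac.new(master, b"client write" + seed, hashlib.sha256).digest()[:16]
    server_write = hmac.new(master, b"server write" + seed, hashlib.sha256).digest()[:16]
    return master, client_write, server_write


def handshake(cert, expected_host, trusted_cas, accept_warnings=False,
              today=DEFAULT_TODAY):
    """Run the exchange. Returns the warnings shown to the user, whether the
    handshake completed, and whether both sides derived identical keys."""
    # Hello messages: each side contributes a random value (sent in the clear).
    client_random = secrets.token_bytes(16)
    server_random = secrets.token_bytes(16)
    # Server sends its certificate; the client validates it before continuing.
    warnings = validate_certificate(cert, expected_host, trusted_cas, today)
    if warnings and not accept_warnings:
        return {"warnings": warnings, "completed": False, "keys_match": False}
    # Client encrypts a random value with the server's public key ...
    pre_master = secrets.randbelow(cert["public_key"][0] - 2) + 2
    ciphertext = rsa_encrypt(pre_master, cert["public_key"])
    # ... and only the holder of the private key can recover it.
    server_pre_master = rsa_decrypt(ciphertext, SERVER_PRIVATE_KEY)
    client_keys = derive_keys(pre_master, client_random, server_random)
    server_keys = derive_keys(server_pre_master, client_random, server_random)
    return {"warnings": warnings, "completed": True,
            "keys_match": client_keys == server_keys}


if __name__ == "__main__":
    # Connecting to a constructed appliance host with the default certificate
    # yields the two warnings the guide describes; accepting them lets the
    # handshake finish with matching keys on both sides.
    print(handshake(DEFAULT_CERT, "nios.example.internal", {"Example Root CA"},
                    accept_warnings=True))
```

Replacing the default certificate with one whose common name matches the appliance host, issued by a CA the client trusts, makes `validate_certificate` return an empty list, which is exactly why the guide's later sections have you generate a certificate with the correct host name.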
To eliminate certificate warnings, you can replace the default self-signed certificate with a different certificate that has
the host name of your NIOS appliance. The NIOS appliance supports X.509 certificates in .PEM format. After initial
login, you can do one of the following:
Generate another self-signed certificate with the correct host name and save it to the certificate store of your
browser.
To generate a self-signed certificate, see Generating a Self-Signed Certificate on page 48.
Request a CA-signed certificate with the correct host name and load it on the NIOS appliance.
Use a certificate from a CA by generating a certificate signing request as described in Generating a Certificate
Signing Request on page 49. When you receive the certificate from the CA, import it as described in Importing a
Certificate on page 49.
Additionally, before you log in to the NIOS appliance, you can manage the certificates on the client machine. For
information, see Manage Certificates on page 45.
Generating a Self-Signed Certificate
You can replace the default certificate with a self-signed certificate that you generate. When you generate a
self-signed certificate, you can specify the correct host name and change the public/private key size, enter valid
dates and specify additional information specific to the NIOS appliance. If you have multiple appliances, you can
generate a certificate for each appliance with the appropriate host names.
To generate a self-signed certificate:
1. For a grid: From the Grid perspective, click + (for grid) -> + (for Members) -> grid_member -> Tools -> HTTPS
Certificate -> Generate Self-Signed Certificate.
or
For an independent appliance or HA pair: From the Device perspective, click hostname -> Tools -> HTTPS
Certificate -> Generate Self-Signed Certificate.
2. In the Create Self-Signed Certificate dialog box, enter the following:
Key Size: Select either 2048 or 1024 for the length of the public key.
*Days Valid: Specify the validity period of the certificate.
*Common Name: Specify the domain name of the NIOS appliance. You can enter a fully qualified domain
name (FQDN).
Organization: Type the name of your company.
Organizational Unit: Type the name of your department.
Locality: Type a location, such as the city or town of your company.
State or Province: Type the state or province.
Country Code: Enter the 2-letter code that identifies the country, such as US.
Administrators E-mail Address: Enter the e-mail address of the appliance administrator.
Comment: Enter additional notes.
An asterisk (*) indicates the field is required.
3. Click OK to close the Create a Self-Signed Certificate dialog box.
4. Click the Save icon.
The NIOS appliance logs you out, or you can log out yourself. When you log in to the appliance again, it uses the
certificate you generated.
Generating a Certificate Signing Request
You can generate a certificate signing request (CSR) that you can use to obtain a signed certificate from your own
trusted CA. Once you receive the signed certificate, you can import it into the NIOS appliance, as described in
Importing a Certificate on page 49.
To generate a CSR:
1. For a grid: From the Grid perspective, click + (for grid) -> + (for Members) -> grid_member -> Tools -> HTTPS
Certificate -> Generate Signing Request.
or
For an independent appliance or HA pair: From the Device perspective, click hostname -> Tools -> HTTPS
Certificate -> Generate Signing Request.
2. In the Create Certificate Signing Request dialog box, enter the following:
Key Size: Select either 2048 or 1024 for the length of the public/private key pair.
*Common Name: Specify the domain name of the NIOS appliance. You can enter a fully qualified domain
name (FQDN).
Organization: Type the name of your company.
Organizational Unit: Type the name of your department.
Locality: Type a location, such as the city or town of your company.
State or Province: Type the state or province.
Country Code: Enter the 2-letter code that identifies the country, such as US.
Administrators E-mail Address: Enter the e-mail address of the appliance administrator.
Comment: Enter additional notes.
An asterisk (*) indicates the field is required.
3. Click OK to close the Create Certificate Signing Request dialog box.
4. In the Download filename dialog box, navigate to where you want to download the CSR, enter the file name and
click Save.
Importing a Certificate
You can replace the default server certificate with a signed certificate from your own trusted CA. First, generate a
certificate signing request as described in Generating a Certificate Signing Request on page 49.
When you import a certificate, the NIOS appliance finds the matching CSR and takes the private key associated with
the CSR and associates it with the newly imported certificate. The appliance then automatically deletes the CSR.
To import a certificate:
1. For a grid: From the Grid perspective, click + (for grid) -> + (for Members) -> grid_member -> Tools -> HTTPS
Certificate -> Upload Certificate.
or
For an independent appliance or HA pair: From the Device perspective, click hostname -> Tools -> HTTPS
Certificate -> Upload Certificate.
2. Navigate to where the certificate is located and click Open.
The appliance imports the certificate and logs you out. When you log in to the appliance again, it uses the
certificate you imported.
Understanding the GUI Components
You can view data and configuration settings and make configuration changes through the Infoblox GUI using the
following two methods:
Device Manager: When a NIOS appliance functions as an independent appliance, you launch the Device
Manager to access the GUI. The name appears in the title bar of the browser window.
Grid Manager: When the NIOS appliance is in a grid, you log in to the grid master and launch the Grid Manager.
The name appears in the title bar of the browser window.
Main Interface Components
The following figure illustrates the typical layout of the Infoblox GUI. You can detach and move the GUI components
and customize the GUI as necessary.
Figure 2.5 Infoblox GUI Overview
Menu
Each item in the menu is a drop-down list of available options. The menu items change dynamically according to the
perspective you are in.
Tip: Select an item and right-click to quickly access menu options.
Tool Bar
The tool bar contains a Save icon, which you click to save your configuration changes, and a Restart Services icon,
which you click to restart services on an appliance or a grid.
Figure 2.5 callouts: Editor (enter and edit information); Properties Viewer (view object properties); Panels (view and select items to edit); Perspective menu; Tool Bar (Save, Restart Services). Detach and move panels, viewers and editors to customize the GUI layout.
Perspectives
A perspective is a container for tools used to manage the grid or appliance and its services. The Infoblox GUI
application provides a set of perspectives, each focusing on a specific functional area. You display a perspective by
clicking the appropriate icon on the tool bar:
Device: In this perspective, you configure an independent appliance and set its operational parameters.
Grid: In this perspective, you configure a grid and set operational parameters. A Keystone license is required for
this feature.
DNS: In this perspective, you enable and configure DNS services on the appliance or the grid.
DHCP and IPAM: In this perspective, you enable and configure DHCP service and IP Address Management
features.
Administrators: In this perspective, you configure administrators.
File Distribution: In this perspective, you enable and configure HTTP and TFTP (Trivial File Transfer Protocol)
services.
AAA: In this perspective, you configure RADIUS services to authenticate and authorize users, as well as manage
user accounts, policies, and policy groups.
Global Search: In this perspective, you search the entire database for a specific text string. All database objects
matching the text string are displayed in this perspective.
VitalQIP: This is not a standard part of the Infoblox GUI. In this perspective, you can configure the appliance to
function as a VitalQIP remote server. A VitalQIP license is required for this feature.
Note: The VitalQIP icon only displays when the NSQ software module and required licensing are installed.
Figure callouts: tool bar icons for the Grid or Device, DHCP and IPAM, File Distribution, DNS, Authentication, Authorization, and Accounting, Administrators, and Global Search perspectives.
Panel
Panels list objects that you can select and edit. You can expand or collapse lists by selecting the + or - sign beside
an object. Panels can be opened and closed from the View menu on the top menu bar.
Shortcuts
Double-click the tab of a panel to fully expand; double-click the tab again to reset the panel.
Select an object and right-click to display options.
Double-click an item to edit it (open its editor).
Ctrl+click to select multiple items.
Editor
You can enter information and configure objects in an editor. You can open multiple editors at one time. After you
enter information in an editor, you must click the Save icon to save your changes.
Properties Viewer
Viewers display information about a selected object. You cannot edit or select objects in a viewer. However, you can
expand, collapse, detach and move viewers to different locations.
Online Help
The Infoblox appliance ships with online help that you can access from anywhere in the GUI. The Help menu provides
access to the following:
About Infoblox Grid Manager: View information about the NIOS software version running on the appliance.
Download Admin Guide: Download the Infoblox Administrator Guide.
API Documentation: Display the API documentation.
Training: Display information about Infoblox training workshops.
Help Contents: Display the main Help system.
Dynamic Help: Access Help for the active panel, editor, or viewer. A window is active when its title bar is
highlighted.
In addition, to access Help for a dialog box, click the question mark (?) icon in the bottom left corner of the dialog box.
Customizing a Perspective Layout
You can customize the layout of a perspective by detaching and rearranging panels and views. In this way, you can
structure your workspace for optimum efficiency.
To customize a perspective layout:
1. Right-click the tab of the panel or view, and select Detached from the context menu.
2. Left-click and drag to the desired location.
3. Resize and tile multiple detached panels or views to create a custom layout.
Creating a Login Banner on a NIOS Appliance
To create a statement that appears on the top of the Login screen (a banner message), follow the procedures in this
section. This function is useful for posting security warnings or user-friendly information well above the user name
and password fields on the Login screen. A login banner message can be up to 3000 characters long. In a grid,
perform this task on the grid master.
To create a login banner:
1. From the Grid perspective, click grid -> Edit -> Grid Properties.
or
From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid (or Device) editor, click Security.
3. Select Enable Login Banner and enter the text you want displayed in the Banner Text field.
4. Click the Save icon.
Customizing Columns
The NIOS appliance supports the ability to customize columns displayed in any perspective or panel within the GUI.
(An exception to this is the Properties view panel; the NIOS appliance does not support customizing columns within
the Properties view panel.)
You can move columns around and hide certain columns from view. For example, you might want to view only
columns related to IP addresses without displaying location or appliance information in the DHCP Lease History
panel. Resetting a perspective does not override column settings. The appliance retains changes to the columns even
after you reset a perspective.
Column settings are applied to all administrators and users accessing the appliance. If you customize the columns,
your column settings appear to all other users when they log in to the appliance.
You can customize columns in any of the following ways:
Hide columns so that they are not shown in the display
Show columns so that they are displayed and not hidden
Select the order in which the columns are displayed within a panel
Change the size of the columns. Each column can have a maximum width of 999 pixels.
Customizing Columns within the GUI
To customize columns:
1. From any perspective or panel, click Edit -> Edit Columns.
2. When the Edit Column dialog box appears, you can set the following options:
Size: Specify the column width, in pixels. You can specify any number from 1 through 999.
Auto Fit: Resize the column width to accommodate the largest string in the column. Select the Auto Fit
check box to enable this option. Keep in mind that enabling this option resizes for the current values within
the column. This option does not resize for future values.
Restore Default: Click Restore Default to restore back to the default column display.
To hide and display columns, and change their order:
Display column: Select the check box of each attribute or column you want to display. Click the Select
All button to automatically select all columns available within the list.
Hide column: Deselect the check box of each attribute or column you want to hide. Click the Deselect
All button to automatically deselect all columns within the list, hiding all items.
Ordering columns: Select a column from the list and click Up to move that column to the left in the
display. Click Down to move that column to the right in the display.
3. Click OK.
You can also change the order of the columns in a panel by dragging-and-dropping a column.
The leftmost column within the tree panel has some special restrictions. You cannot move the leftmost column.
However, you can move the column next to the leftmost column over as the first column. Take note that when you do
this, the icons you use to expand and collapse items remain in the same location in the panel (the left side of the
panel).
To edit columns using the drag-and-drop method:
1. From any perspective or panel, select any column heading title.
2. Drag and then drop the column to move the column around.
Using Global Search
This function allows you to search through the entire NIOS appliance database for any instances matching a specific
text string. The global search option allows you to search across different perspectives and views, instead of
searching under each perspective or view individually. For example, you can search for a specific host name across
both the DNS perspective and DHCP perspective with a single global search, or you can search for all occurrences of
a specific MAC address within the database.
The Global Search perspective is located next to the other perspectives in the GUI toolbar. The Global Search
perspective opens up a panel called Search Results and displays all matches within the panel. All match results are
displayed with the following information:
Name: Name of the matching object.
Type: Object type matching the global search. For example, the Type field identifies the type of record or type of
address of the matching object.
Matched Attribute: Attribute of the matching object. For example, if the global search matched the address
corresponding to a hostname, then the field displays the address of the hostname.
Matched Value: The value of the matching object. For example, if the global search matched the address of a
hostname, then the field displays the hostname.
Note: NIOS displays search results based upon the page size setting from the administrator settings. For
information about page size configuration, see Authenticating Administrators on page 101.
To search globally:
1. From the Global Search perspective, type the text string to search on the appliance database.
2. Click Search.
NIOS supports regular expressions for global search. Regular expressions, commonly known as regex, are patterns
that let you control precisely which text strings match your search.
Note: You cannot search zones based on the zone type. You can filter search results based on the zone type.
From the Search Results panel, you can do the following:
Open a panel to view the properties of a matching object.
Open a panel to edit the properties of a matching object.
Remove a matching object from the database.
Define the administrative permissions of an object, as described in Defining Permissions for an Object on page
56.
You can perform these operations by clicking matching object -> Edit.
Defining Permissions for an Object
You can select an object in the Search Results panel and define its administrative permissions as follows:
1. Select an object from the list and click Edit -> Manage Permissions.
2. In the Manage Resource Permissions dialog box, complete the following:
Admin Group: Click Add, and select an admin group in the Select Admin Group dialog box. After you click OK to
close the dialog box, the appliance lists the admin group you selected.
Permissions: The appliance displays the name of the object in the Resource column. Select the permission for
the object by clicking Read/Write, Read Only or Deny.
3. Click OK to close the Manage Resource Permissions dialog box.
For information on setting administrative permissions, see Defining Permissions on page 77.
Printing from the GUI
The NIOS appliance supports the ability to print the contents of the GUI from any perspective. Printing from the GUI allows
you to print the contents of a view within any perspective shown on the display. All page modifications that are
applied to the display contents, such as filters and sorting, affect the print output as well.
You can print to the following outputs:
Hard copy to the printer, or conversion to a PDF (Portable Document Format) file (see Print Hard Copy or PDF File
on page 56)
Text file (see Print Output to a Text File on page 57)
CSV file (MS Windows only with this feature installed) (see Exporting Data on page 60)
The amount of content printed depends on the page size configuration set by the administrator. For information on
configuring the page size, see Authenticating Administrators on page 101.
Note: GUI printing is supported on the Microsoft Windows operating system only.
Print Hard Copy or PDF File
To print a hard copy or PDF file from the GUI:
1. From any perspective, click File -> Print. The Print dialog box appears.
2. Set the print options you want for the print job. You can set the following print options:
Selected printer
Print preferences: portrait or landscape page orientation, legal or letter page size, and page margins.
Print to file (for PDF generation)
Page range
Number of copies
3. Click Print.
Print Output to a Text File
To print to a text file in the Windows operating system:
1. Install a new generic printer to Windows called GenericText.
2. From any perspective, click File -> Print. The print dialog box appears.
3. Set the print options you want for the print job. You can set the following print options:
Select the new GenericText printer.
Print preferences: portrait or landscape page orientation, legal or letter page size, and page margins.
Page range.
Number of copies.
4. Click Print.
Multilingual Support
NIOS appliances support languages other than English in certain input fields. When you enter information in these
fields using non-English languages, the NIOS appliance uses UTF-8 (Unicode Transformation Format-8) encoding to
interpret the data. For information about which fields support UTF-8 encoding, see UTF-8 Supported Fields on page
58.
UTF-8 is a variable-length character encoding for Unicode characters. Unicode is a code table that lists the numerous
scripts used by all possible characters in all possible languages. It also has a large number of technical symbols and
special characters used in publishing. UTF-8 encodes each Unicode character as a variable number of one to four
octets (8-bit bytes), where the number of octets depends on the integer value assigned to the Unicode character. For
information about UTF-8 encoding, refer to RFC 3629 and the ISO/IEC 10646-1:2000 Annex D. For information about
Unicode, refer to The Unicode Standard.
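To make the one-to-four-octet rule concrete, the following Python script (an added example, not from the guide or from Infoblox) encodes a code point by hand according to RFC 3629 and reports how many octets each character of a string occupies. It also implements a conservative pre-submission check that reflects the rules stated in this section and under UTF-8 Support Limitations: ASCII control characters are rejected everywhere, and non-ASCII input is rejected for fields such as DNS names that do not accept UTF-8. The field names in the policy tables and the sample strings are constructed for illustration; the guide itself lists which fields accept UTF-8.

```python
"""Hand-rolled UTF-8 encoding (RFC 3629) and a field validator reflecting the
UTF-8 rules in the NIOS guide. Added example; field names are constructed."""


def utf8_encode_char(cp):
    """Encode one Unicode scalar value (U+0000..U+10FFFF) as 1 to 4 octets."""
    if cp < 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
        raise ValueError("not a Unicode scalar value: U+%04X" % cp)
    if cp < 0x80:                       # 1 octet:  0xxxxxxx
        return bytes([cp])
    if cp < 0x800:                      # 2 octets: 110xxxxx 10xxxxxx
        return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])
    if cp < 0x10000:                    # 3 octets: 1110xxxx 10xxxxxx 10xxxxxx
        return bytes([0xE0 | (cp >> 12),
                      0x80 | ((cp >> 6) & 0x3F),
                      0x80 | (cp & 0x3F)])
    return bytes([0xF0 | (cp >> 18),    # 4 octets: 11110xxx 10xxxxxx x2 10xxxxxx
                  0x80 | ((cp >> 12) & 0x3F),
                  0x80 | ((cp >> 6) & 0x3F),
                  0x80 | (cp & 0x3F)])


def utf8_encode(text):
    """Encode a whole string; equals text.encode("utf-8") for valid input."""
    return b"".join(utf8_encode_char(ord(ch)) for ch in text)


def octet_lengths(text):
    """Octets per character, e.g. a Latin letter, an accented letter, a CJK
    ideograph and an emoji give [1, 2, 3, 4]."""
    return [len(utf8_encode_char(ord(ch))) for ch in text]


# Constructed field policy modelled on the guide: comment and IPAM
# classification fields accept UTF-8; names used outside the database do not.
UTF8_FIELDS = {"comment", "location", "owner", "manufacturer", "model",
               "login_banner"}
ASCII_ONLY_FIELDS = {"dns_name", "ip_address", "ad_domain"}


def validate_field(field, value):
    """Return (ok, reason). Control characters are refused for every field,
    because the guide notes most of them cannot be encoded on database import;
    non-ASCII is refused for fields that do not support UTF-8."""
    if field not in UTF8_FIELDS and field not in ASCII_ONLY_FIELDS:
        return False, "unknown field %s" % field
    for ch in value:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            return False, "control character U+%04X not allowed" % code
    if field in ASCII_ONLY_FIELDS and any(ord(ch) > 0x7F for ch in value):
        return False, "field %s does not support UTF-8" % field
    return True, "ok"


if __name__ == "__main__":
    sample = "a\u00e9\u4e2d\U0001F600"          # constructed: a, é, 中, 😀
    print(utf8_encode(sample).hex(), octet_lengths(sample))
    print(validate_field("comment", "Z\u00fcrich B\u00fcro"))
    print(validate_field("dns_name", "z\u00fcrich.example"))
    print(validate_field("comment", "bad\x01value"))
```

The encoder is deliberately written out bit by bit so the octet boundaries at U+0080, U+0800 and U+10000 are visible; the validator sits in front of a submission so that a field the appliance would reject, or a control character that would later break a restore, is caught on the client before it is saved.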
Depending on the OS (operating system) that your management system uses, you must install the appropriate
language files in order to enter information in a specific language. For information about how to install language files,
refer to the documentation that comes with your management system.
UTF-8 Supported Fields
The NIOS appliance supports UTF-8 encoding in all of the comment fields and most input fields. You can enter
non-English characters in these data fields through the Infoblox GUI and the Infoblox API. When you use the Infoblox
API, all the non-ASCII strings must be UTF-8 encoded so that you can use Unicode characters. The NIOS appliance
does not support UTF-8 encoding for data that is configurable through the Infoblox CLI commands.
In general, the following items support UTF-8 encoding:
In the NAC Foundation module, the following fields that you use to customize the captive portal, self service
portal, and DHCP guest registration page:
Company Name
Welcome Message
Help Desk Message
All comment and custom fields
Acceptable Use Policy files
The following IPAM fields that you use to classify devices:
Location
Owner
Manufacturer
Model
All custom fields
All the comment fields in all of the Infoblox GUI perspectives.
File name fields for FTP and TFTP backup and restore operations.
The login banner text field. When you use the serial console or SSH, the appliance cannot correctly display the
UTF-8 encoded information that you enter for the login banner.
Note: For data fields that do not support UTF-8 encoding, the appliance displays an error message when you use
non-English languages.
UTF-8 Support Limitations
The NIOS appliance has the following UTF-8 support limitations:
Object names that have data restrictions due to their usage outside of the Infoblox database do not support
UTF-8 encoding. For example, IP addresses, DNS names, or Active Directory domain names.
When importing a database, most of the ASCII control characters cannot be encoded. This might cause failures
in upgrades or database restore operations.
Search is based on Unicode standard. Depending on the language, you might not be able to perform a
case-sensitive search.
Binary data is encoded as text.
Hard-coded data in the DHCP authentication configuration remains in English. For example, the text on buttons
such as Accept, Continue, or Register, as well as HTML pages such as the complete.html file that tells you your
password has been successfully changed.
UTF-8 encoding does not fully support regular expressions. It matches constant strings. However, it does not
encode characters that are inside square brackets or followed by regular expression operators such as *, ?, or +.
You can use UTF-8 characters to authenticate both the User Name and Password through the Infoblox GUI, but
not through the Infoblox CLI.
The Infoblox CLI does not support UTF-8 encoding.
International Characters Support for RADIUS Authentication
For RADIUS authentication, the NIOS appliance supports single-byte international character sets in the following:
Windows XP and Vista OS.
RADIUS and LDAP user names, passwords, and comments.
Replicated AD user names, passwords, and groups in all of the NIOS interfaces, except the Data Import Wizard.
Proxy requests if the RADIUS server that is proxied supports them.
You can configure the NIOS appliance to be a RADIUS server for RADIUS authentication. If you want the RADIUS
server to support wireless supplicants on a Windows client that does not use a Latin 1 (1252) codepage, you must
change the default codepage on the NIOS appliance to match the client's setup. The NIOS appliance uses the
codepage to translate single-byte characters into UTF-8 encoded characters. For information about how to configure
the codepage for RADIUS authentication, see RADIUS Authentication on page 633.
The NIOS appliance supports the following codepages:
UTF-8
Arabic (1256)
Baltic (1257)
Central/Eastern European (1250)
Cyrillic (1251)
Greek (1253)
Hebrew (1255)
Latin-1 (1252)
Turkish (1254)
Note: The default is Latin-1 (1252). This codepage is usually correct for most English-based Windows environments.
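The codepage translation step, as an added example (not the appliance's code): the same single-byte value is decoded with the codepage configured on the appliance and re-encoded as UTF-8, and a codepage that does not match the client produces different text, which is why a Cyrillic or Greek user name or password fails under the Latin-1 default. The codec names are Python's standard names for the listed Windows codepages; the comparison function is this example's own illustration of the consequence, not a description of how the appliance compares credentials.

```python
"""Translate a single-byte credential to UTF-8 through a Windows codepage.

Added example, not the appliance's code. It models the codepage step the
guide describes for RADIUS authentication and shows why the appliance's
codepage must match the client's: the same bytes decode to different text
under different codepages.
"""
import hmac
from typing import Dict

# The codepages the guide lists, keyed by the name shown in the NIOS setting,
# mapped to the Python codec for each Windows codepage.
CODEPAGES: Dict[str, str] = {
    "UTF-8": "utf-8",
    "Arabic (1256)": "cp1256",
    "Baltic (1257)": "cp1257",
    "Central/Eastern European (1250)": "cp1250",
    "Cyrillic (1251)": "cp1251",
    "Greek (1253)": "cp1253",
    "Hebrew (1255)": "cp1255",
    "Latin-1 (1252)": "cp1252",
    "Turkish (1254)": "cp1254",
}
DEFAULT_CODEPAGE = "Latin-1 (1252)"   # the guide's default


def to_utf8(raw: bytes, codepage: str = DEFAULT_CODEPAGE) -> bytes:
    """Decode the client's single-byte value with the configured codepage and
    re-encode it as UTF-8, the form the appliance stores.

    Decoding is strict: a byte the codepage leaves undefined (0x81 in cp1252,
    for example) raises UnicodeDecodeError rather than turning into some other
    character unnoticed.
    """
    text = raw.decode(CODEPAGES[codepage], errors="strict")
    return text.encode("utf-8")


def translated_equals(raw: bytes, codepage: str, expected_utf8: bytes) -> bool:
    """True when the translated value equals the UTF-8 value the appliance holds.

    A codepage mismatch shows up here as a plain mismatch, which is what a user
    with a non-Latin-1 user name or password experiences as a failed login.
    The comparison is constant-time so that the length of the matching prefix
    of a secret is not leaked through timing.
    """
    try:
        translated = to_utf8(raw, codepage)
    except UnicodeDecodeError:
        return False
    return hmac.compare_digest(translated, expected_utf8)


def show_mismatch(raw: bytes, client_codepage: str, appliance_codepage: str) -> Dict[str, str]:
    """Decode the same bytes under both codepages to make a mismatch visible."""
    return {
        "client": to_utf8(raw, client_codepage).decode("utf-8"),
        "appliance": to_utf8(raw, appliance_codepage).decode("utf-8"),
    }
```

A constructed check: the Cyrillic name "Иван" is the bytes C8 E2 E0 ED in codepage 1251; decoded under the Latin-1 default those same bytes read "Èâàí", so the stored UTF-8 value never matches until the appliance's codepage is changed to Cyrillic (1251).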
Exporting Data
You can export certain types of data from the NIOS appliance to a CSV (Comma Separated Values) file and store it in
a directory on your management station. You can then use a text editor or an application, such as Microsoft Excel, to
view the data in the CSV file.
The default name of the CSV file reflects the type of data being exported. For example, an export of grid members data
has the file name Grid.csv. You can change the file name, for example, by appending a date as in Grid022908, to
maintain multiple copies of the exported files.
Exporting Data from Panels
You can export data from most panels in the Infoblox Grid or Device Manager. When you export data from panels with
multiple columns, such as the Detailed Status panel in the Grid perspective and the Records panel in the DNS
perspective, the exported data reflects what is displayed in the GUI. You can move, hide, and sort columns as
described in Customizing Columns on page 54, to organize the data before you export it to a CSV file. Note that you
cannot export data from a panel when all its columns are hidden.
The following is a list of panels from which you can export data. The exported CSV files contain exactly what is
displayed in the panels, except for the files exported from the Grid, Infoblox Views, Networks, and Directories panel.
Grid Perspective
You can export a list of grid members from the Grid panel. You can export the data that is displayed in the following
panels:
Detailed Status
Recycle Bin
DNS Perspective
You can export a list of views and their zones from the Infoblox Views panel. You can export the data that is displayed
in the following panels:
Records
Shared Record Group Associations
Zone Statistics
DHCP and IPAM Perspective
You can export a list of networks from the Networks panel. You can export the data that is displayed in the following
panels:
Ranges, Fixed Addresses and Filters
Ranges and Fixed Address Templates
IP Address Management
DHCP Leases
DHCP Lease History
Network Statistic
DHCP Statistics
DHCP Failover Status
AAA Perspective
You can export data from the User Accounts panel.
File Distribution Perspective
You can export a list of directories from the Directories panel and the data that is displayed in the Files panel.
Global Search Perspective
You can export data from any search panel that is associated with any of the perspectives and windows that you can
export.
Exporting Hierarchical Data
By default, the Records panel lists DNS records individually by record name, in alphabetical order, as shown in the
following figure:
Figure 2.6 Resource Records List
When you export records from the Records panel and the records are individually listed, then the exported CSV file
lists all records displayed in the panel, as shown in the following figure:
Figure 2.7
Alternatively, you can click the icon to display records hierarchically, as shown in the following figure:
Figure 2.8 Hierarchical View
When you export data from the Records panel and the records are listed hierarchically, then the CSV file lists only the
parent records that are displayed in the Records panel, as shown in the following figure:
Figure 2.9 Hierarchical Export
Exporting Data to a CSV File
To export data to a CSV file:
1. From a panel that supports CSV file export, do one of the following:
Right-click anywhere on the panel and select Export from the context menu.
Select File -> Export.
2. In the save as dialog box, do the following:
Select the destination directory for the file.
Either use the default name or type a new name for the file. The .csv file extension is automatically applied
to the filename.
A CSV Export Status dialog box displays the status of the export.
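The export behaviour described in this section, modelled as an added example (not the appliance's code): the CSV holds exactly the visible columns in their displayed order and sort, a hierarchical export lists only the parent records, and a panel with every column hidden cannot be exported. The record fields and the sample records are constructed for the example; Python's csv module does the quoting, so a comment containing a comma or a quotation mark survives a round trip through a spreadsheet.

```python
"""Model the Records panel CSV export: what is displayed is what is exported.

Added example, not the appliance's code. It reproduces the behaviour the
guide describes: the file holds the visible columns in their displayed
order and sort, a hierarchical export lists only parent records, and a panel
with every column hidden cannot be exported. The record fields and the sample
records below are constructed for the example.
"""
import csv
import io
from typing import Dict, List, Optional

ALL_COLUMNS = ["name", "type", "data", "comment"]

# Constructed sample rows. "parent" names the record a child hangs under in the
# hierarchical view (for example the A and PTR records that belong to a host).
RECORDS: List[Dict[str, Optional[str]]] = [
    {"name": "www.corp.com", "type": "Host", "data": "10.1.1.10", "comment": "web, public", "parent": None},
    {"name": "www.corp.com", "type": "A", "data": "10.1.1.10", "comment": "", "parent": "www.corp.com"},
    {"name": "10.1.1.10", "type": "PTR", "data": "www.corp.com", "comment": "", "parent": "www.corp.com"},
    {"name": "mail.corp.com", "type": "A", "data": "10.1.1.25", "comment": 'say "hi"', "parent": None},
    {"name": "corp.com", "type": "TXT", "data": "v=spf1 ip4:10.1.1.0/24 -all", "comment": "", "parent": None},
]


def export_csv(records: List[Dict[str, Optional[str]]], visible_columns: List[str],
               hierarchical: bool = False, sort_key: str = "name") -> str:
    """Render the panel as CSV text, mirroring the column customization in the GUI."""
    if not visible_columns:
        raise ValueError("cannot export: all columns are hidden")
    unknown = [c for c in visible_columns if c not in ALL_COLUMNS]
    if unknown:
        raise ValueError("unknown columns: %s" % ", ".join(unknown))
    # The hierarchical view shows only parent records; the flat view shows every record.
    rows = [r for r in records if not hierarchical or r["parent"] is None]
    rows.sort(key=lambda r: (r[sort_key] or "").lower())   # stable, so ties keep panel order
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")          # quotes fields containing , or "
    writer.writerow(visible_columns)
    for r in rows:
        writer.writerow([r[c] or "" for c in visible_columns])
    return buf.getvalue()


def parse_csv(text: str) -> List[Dict[str, str]]:
    """Read an export back, as a spreadsheet or a script would."""
    return list(csv.DictReader(io.StringIO(text)))
```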
Exporting Large Files
If you are exporting a file with more than 500 objects, the NIOS appliance displays a dialog box with a progress bar
indicating the status of the export process. You can click one of the following:
Run in Background to run the export in background mode, allowing you to complete other tasks in NIOS while
the export is running
Cancel to cancel the export
Details to view details about the export
If you select Run In Background, the appliance displays the status of the export at the bottom of the window, as
shown in the following figure:
Figure 2.10 CSV Export Status
(Figure 2.10 callout: Click to view background tasks in the Progress panel.)
You can view background tasks by clicking the icon shown in Figure 2.10. The Progress panel displays the
status of all the current long-running tasks. You can cancel a task by clicking the icon beside the progress bar,
as shown in Figure 2.11.
Figure 2.11 CSV Export Progress Panel
Note: If you anticipate exporting large amounts of data, consider increasing the size of your Java heap.
(Figure 2.11 callout: Click to cancel the task.)
Chapter 3 Managing Administrators
This chapter describes the various tasks associated with setting up admin groups and accounts. It contains the
following sections:
About Admin Accounts on page 67
About Admin Groups on page 69
Creating a Superuser Admin Group on page 69
About Limited-Access Admin Groups on page 70
About Admin Roles on page 71
Creating Limited-Access Admin Groups on page 72
Deleting Admin Roles and Groups on page 73
Viewing Admin Group Assignments on page 73
About Administrative Permissions on page 74
Applying Permissions and Managing Conflicts on page 75
Defining Permissions on page 77
Viewing and Managing Permissions on page 80
Modifying Permissions on page 81
Removing Permissions on page 81
Administrative Permissions for Grid Members on page 82
Managing DNS Resource Permissions on page 83
Administrative Permissions for Views on page 84
Administrative Permissions for Zones on page 85
Administrative Permissions for Resource Records on page 87
Administrative Permissions for Shared Record Groups on page 88
Managing Administrative Permissions for DHCP Resources on page 90
Administrative Permissions for Networks and Shared Networks on page 91
Administrative Permissions for Fixed Addresses on page 93
Administrative Permissions for DHCP Ranges on page 94
Administrative Permissions for DHCP Templates on page 95
Administrative Permissions for MAC Address Filters on page 96
Administrative Permissions for Network Discovery on page 96
Administrative Permissions for the DHCP Lease History on page 97
Administrative Permissions for the RADIUS Service on page 98
Administrative Permissions for File Distribution Services on page 100
Authenticating Administrators on page 101
Creating Local Admins on page 101
Modifying and Removing an Admin Account on page 102
About Remote Admins on page 102
Authenticating Using RADIUS on page 104
Remote RADIUS Authentication on page 105
Configuring RADIUS Authentication on the NIOS Appliance on page 105
Adding RADIUS Servers on page 106
Testing the RADIUS Server on page 107
Maintaining the RADIUS Admins Server List on the NIOS Appliance on page 107
Disabling a RADIUS Server on page 107
Configuring a RADIUS Server on page 108
Configuring Admin Groups on the Remote RADIUS Server on page 108
Configuring Remote Admin Accounts on the Remote RADIUS Server on page 108
Authorization Groups Using RADIUS on page 109
Accounting Activities Using RADIUS on page 109
Authenticating Admin Accounts Using Active Directory on page 110
Admin Authentication Using Active Directory on page 111
Configuring Active Directory Authentication for Admins on page 111
Defining the Admin Policy on page 112
Specifying a List of Remote Admin Groups on page 112
Configuring the Default Admin Group on page 112
Configuring a List of Authentication Methods on page 113
Changing Password Length Requirements on page 113
Notifying Administrators on page 113
About Admin Accounts
When an admin connects to the NIOS appliance and logs in with a user name and password, the appliance starts a
2-step process that includes both authentication and authorization. First, the appliance tries to authenticate the
admin using the user name and password that were entered. Second, it determines the authorized privileges of the
admin by identifying the group to which the admin belongs. It grants access to the admin only when it successfully
completes this process.
Infoblox uses the concept of administrator groups to which you add one or more individual administrators. The
administrators inherit the permissions and properties of the group to which they belong.
The NIOS appliance can authenticate users that are stored on its local database as well as users stored remotely on
an Active Directory domain controller and a RADIUS server. Regardless of the location of an admin account, all
administrators must belong to an admin group. In addition, the group from which the admin receives privileges and
properties is stored locally.
The tasks involved in storing administrator accounts locally and remotely are listed in Table 3.1.
Table 3.1 Storing Admin Accounts Locally and Remotely
To store admin accounts locally
  On the NIOS appliance:
    Use the default admin group (admin-group) or define a new group
    Set the privileges and properties for the group
    Add admin accounts to the group
To store admin accounts remotely
  On the NIOS appliance:
    Configure communication settings with a RADIUS server or an Active Directory domain controller
    If you use admin groups on the RADIUS server or Active Directory domain controller:
      Use an existing admin group or define a new one
      Set the privileges and properties for the group
    If you do not use admin groups on the RADIUS server:
      Assign an admin group as the default
  On the RADIUS server or AD domain controller:
    Configure communication settings with the NIOS appliance
    If you use admin groups:
      Import Infoblox VSAs (vendor-specific attributes) (if RADIUS)
      Define an admin group with the same name as that on the NIOS appliance
      Define admin accounts and link them to an admin group
    If you do not use admin groups:
      Define admin accounts
The admin policy defines how the appliance authenticates the admin: with the local database, RADIUS, or
Active Directory. You must add RADIUS or Active Directory as one of the authentication methods in the
admin policy to enable that authentication method for admins. See Configuring a List of Authentication
Methods on page 113 for more information about configuring the admin policy.
Figure 3.1 illustrates the relationship of local and remote admin accounts, admin policy, admin groups, and
permissions and properties.
Figure 3.1 Privileges and Properties Applied to Local and Remote Admin Accounts
Complete the following tasks to create admin accounts:
1. Use the default admin groups or create admin groups. See About Admin Groups on page 69.
2. Define the administrative permissions of each admin group. See About Administrative Permissions on page 74.
3. Create admin accounts and assign them to the appropriate admin group.
To add accounts to the local database, see Creating Local Admins on page 101.
To configure the appliance to authenticate admin accounts stored remotely, see About Remote Admins on
page 102.
(Figure 3.1 shows admin users Adam, Balu, Christine, Dan and Eve logging in to the NIOS appliance, which holds the
local admin groups Admin-Group1, Admin-Group2, Admin-Group3 and the default admin group, and a RADIUS server
or Active Directory holding the remote admin groups Admin-Group2 and Admin-Group3. The figure's callouts read
as follows.)
The NIOS appliance first checks the remote admin policy to determine which of the following authentication
methods to use and where to get membership information from: local-admin database, RADIUS, or Active Directory.
When admin accounts are in an admin group that matches a group configured locally, the appliance selects the
first group (based on remote admin policy) and applies the permissions and properties to the admin belonging to
that group.
When remote admin accounts are not in an admin group (or in a group whose name does not match that of a local
group), the NIOS appliance applies the default admin group permissions and properties (if configured).
Access permissions and properties come from local admin group definitions. Assigned from local admin group
definitions: Admin Permissions (for resources, such as zones, networks, members and DHCP lease history) and
Properties (for page and tree sizes).
Note: There can be admin accounts in a local and remote admin group with the same group name. Group names
must match.
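The two-step login described in this section (authenticate through the admin policy's list of methods, then authorize through the local admin group whose name matches, or the default admin group when nothing matches), modelled as an added example that is not the appliance's code. The RADIUS and Active Directory servers are stand-in dictionaries, local passwords are stored as salted PBKDF2 hashes, and two points are this example's own reading of the guide: the policy stops at the first method that authenticates the user, and an admin whose only matching group is disabled gets no access.

```python
"""Model the two-step NIOS admin login: authentication through the admin
policy's method list, then authorization through a local admin group.

Added example, not the appliance's code. Local, RADIUS and Active Directory
backends are constructed stand-ins (the remote ones are plain dictionaries);
the policy tries the listed methods in order and stops at the first one that
authenticates the user, which is this example's reading of the guide.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class LocalGroup:
    """An admin group as defined on the appliance (Superuser, Page Size, Disable)."""
    name: str
    superuser: bool = False
    disabled: bool = False
    page_size: int = 100
    permissions: Dict[str, str] = field(default_factory=dict)  # resource -> Deny / Read-Only / Read/Write


@dataclass
class LocalAdmin:
    name: str
    salt: bytes
    pw_hash: bytes
    group: str


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_local_admin(name: str, password: str, group: str) -> LocalAdmin:
    """Store a local admin with a salted, iterated hash rather than the password itself."""
    salt = os.urandom(16)
    return LocalAdmin(name, salt, _pbkdf2(password, salt), group)


# Constructed stand-in for a RADIUS server or AD domain controller:
# method name -> {user name: (password, [group names reported for the user])}
RemoteDirectory = Dict[str, Dict[str, Tuple[str, List[str]]]]


class Appliance:
    def __init__(self, groups: Sequence[LocalGroup], local_admins: Sequence[LocalAdmin],
                 auth_methods: Sequence[str], default_group: Optional[str] = None,
                 remote: Optional[RemoteDirectory] = None) -> None:
        self.groups = {g.name: g for g in groups}
        self.local_admins = {a.name: a for a in local_admins}
        self.auth_methods = list(auth_methods)      # admin policy, e.g. ["local", "RADIUS", "AD"]
        self.default_group = default_group
        self.remote = remote or {}

    def _auth_local(self, user: str, password: str) -> Optional[List[str]]:
        admin = self.local_admins.get(user)
        if admin is None:
            return None
        ok = hmac.compare_digest(_pbkdf2(password, admin.salt), admin.pw_hash)
        return [admin.group] if ok else None

    def _auth_remote(self, method: str, user: str, password: str) -> Optional[List[str]]:
        entry = self.remote.get(method, {}).get(user)
        if entry is None:
            return None
        stored_password, groups = entry   # the stand-in server does its own check
        ok = hmac.compare_digest(stored_password.encode("utf-8"), password.encode("utf-8"))
        return list(groups) if ok else None

    def login(self, user: str, password: str) -> Optional[LocalGroup]:
        """Step 1: authenticate with each policy method in turn.
        Step 2: authorize by resolving the reported groups to a local group.
        Returns the local group whose permissions and properties apply, or None."""
        for method in self.auth_methods:
            if method == "local":
                groups = self._auth_local(user, password)
            else:
                groups = self._auth_remote(method, user, password)
            if groups is not None:
                return self._authorize(groups)
        return None

    def _authorize(self, reported_groups: List[str]) -> Optional[LocalGroup]:
        # The first reported group with a matching local group name wins; a remote
        # admin whose groups match nothing gets the default admin group, if one is set.
        for name in reported_groups:
            group = self.groups.get(name)
            if group is not None:
                return None if group.disabled else group
        fallback = self.groups.get(self.default_group) if self.default_group else None
        return None if fallback is None or fallback.disabled else fallback

    def has_local_superuser(self) -> bool:
        """The guide requires one local superuser so that an admin can still log in
        when the RADIUS servers or AD domain controllers are unreachable."""
        return any(
            a.group in self.groups and self.groups[a.group].superuser and not self.groups[a.group].disabled
            for a in self.local_admins.values()
        )
```

The check in has_local_superuser is the one to run after any change to admin groups or to the admin policy: a configuration whose only superusers live on RADIUS or Active Directory locks every administrator out the moment those servers are unreachable.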
About Admin Groups
All administrators must belong to an admin group. The permissions and properties that you set for a group apply to
the administrators that you assign to that group.
There are three types of admin groups:
Superuser Superuser admin groups provide their members with unlimited access and control of all the
operations that a NIOS appliance performs. There is a default superuser admin group, called admin-group, with
one superuser administrator, admin. You can add users to this default admin group and create additional admin
groups with superuser privileges. Superusers can access the appliance through its console, GUI, and API. In
addition, only superusers can create admin groups.
Limited-Access Limited-access admin groups provide their members with read-only or read/write access to
specific resources. These admin groups can access the appliance through the GUI, API, or both. They cannot
access the appliance through the console.
ALL USERS The ALL USERS group is a default group in which you define global permissions for all
limited-access users. This group implicitly includes all limited-access users configured on the appliance.
Creating a Superuser Admin Group
Superusers have unlimited access to the NIOS appliance. They can perform all the operations that the appliance
provides. There are some operations, such as creating admin groups and accounts, that only superusers can perform.
Note that there must always be one superuser admin account stored in the local database to ensure that at least one
administrator can log in to the appliance in case the NIOS appliance loses connectivity to the remote admin
databases such as RADIUS servers or AD domain controllers.
There is a default superuser admin group (admin-group). You can create additional superuser admin groups, as
follows:
1. Log in as a superuser.
2. From the Administrators perspective, click Groups -> Edit -> Add Group.
3. In the Add Administrator Group editor, enter the following:
Group Name: Enter the name for the admin group.
Comment: Enter pertinent information about the group, such as location or department. The data entered
here displays in the Comment column when you select the admin group name in the tree view.
Superuser: Select this check box to grant the admin accounts that you assign to this group full authority to
view and configure all types of data.
Page Size: Enter a value for the number of lines of data that you want a single GUI list view to contain for
administrators that belong to this group. When there is a lot of data, you can improve the display
performance by setting a smaller page size, such as 100 instead of 1000. You can set the page size from 10
to 2000. The default page size is 100.
Disable this admin group: Select this check box to retain an inactivated profile for this admin group in the
configuration. For example, you might want to define a profile for recently hired administrators who have
not yet started work. Then when they do start, you simply need to clear this check box to activate the
profile.
4. Click the Save icon.
You can do one of the following:
Add local admins to the superuser group; see Creating Local Admins on page 101.
Assign the superuser group to remote admins; see About Remote Admins on page 102.
About Limited-Access Admin Groups
All admin groups, except superuser admin groups, require either read-only or read-write permission to access certain
resources, such as grid members, and DNS and DHCP resources. Therefore, when you create an admin group, you
must specify which resources the group is authorized to access and their level of access.
There are two ways to define the permissions of an admin group. You can create the group and assign permissions
directly to the group. In addition, you can create roles that contain permissions and assign the roles to the admin
group.
Only superusers can create admin groups and define their administrative permissions. Complete these tasks to
configure an admin group:
1. If you want to use admin roles to assign permissions to admin groups, create the admin roles as described in
About Admin Roles on page 71.
2. Define the permissions of the newly created admin roles, as described in Defining Permissions on page 77.
3. Create the admin group, as described in Creating Limited-Access Admin Groups on page 72.
4. Define the administrative permissions of the admin group.
Assign roles to the admin group, as described in Creating Admin Roles on page 71.
Assign specific permissions as described in Defining Permissions on page 77.
5. Assign admins to the group.
For local admin groups, see Creating Local Admins on page 101.
For remote admins, see About Remote Admins on page 102.
About Admin Roles
A role is a group of permissions that you can apply to one or more admin groups. Roles allow you to quickly and easily
apply a suite of permissions to an admin group. You can define roles once and apply them to multiple admin groups.
The appliance contains the following system-defined admin roles:
AAA Admin: Provides read-write access to all grid AAA properties.
DHCP Admin: Provides read-write access to all DHCP MAC filters, members, networks, and shared networks, and
read-only access to the DHCP templates and DHCP lease history.
DNS Admin: Provides read-write access to all members, all shared record groups, and all Infoblox views.
File Distribution Admin: Provides read-write access to all grid file distribution properties.
Grid Admin: Provides read-write access to all DHCP MAC filters, DHCP templates, members, networks, shared
networks, DHCP lease history, all shared record groups, all Infoblox views, Grid AAA properties, Grid File
distribution properties.
You can assign these system-defined roles to admin groups and create additional roles based on the job functions in
your organization. If you are creating a role that has similar permissions to an existing role, you can copy the role and
then make the necessary modifications to the new role. Thus you do not have to create each new role from scratch.
You can assign up to 20 roles to an admin group, and you can assign a role to more than one admin group. When you
make a change to a role, the appliance automatically applies the change to that role in all admin groups to which the
role is assigned.
Creating Admin Roles
There are two ways to create an admin role. You can create a new role and define its permissions, and you can copy
an existing role. To create a new role from scratch:
1. From the Administrators perspective, click Roles -> Edit -> Add Role to display the Add Role editor.
2. Complete the following:
Role Name: Enter a name for the role.
Comment: Optionally, enter information about the role.
3. Click the Save icon.
To copy an existing role:
1. From the Administrators perspective, click Roles -> admin_role -> Edit -> Copy Role As.
2. In the Copy Role As dialog box, enter the name of the new role you are creating. You can also enter information
about the new role in the Comment field. Click OK to close the dialog box.
The appliance displays the new role and its permissions.
After you create roles, you can do the following:
Define their permissions. For information and guidelines on defining permissions, see About Administrative
Permissions on page 74.
Assign roles to admin groups, as described in Creating Limited-Access Admin Groups on page 72.
Creating Limited-Access Admin Groups
When you create a limited-access admin group, you can assign roles to it. The group then inherits the permissions of
its assigned roles. In addition, you can assign permissions directly to the group, as described in Defining Permissions
on page 77. Only superusers can create admin groups.
To create an admin group:
1. From the Administrators perspective, click Groups -> Edit -> Add Group to display the Add Administrator Group
editor.
2. Expand the Group Properties section and enter the following:
Group Name: Enter the name for the admin group.
Comment: Enter pertinent information about the group, such as location or department. The data entered
here displays in the Comment column when you select the admin group name in the tree view.
Superuser: Clear this check box to create a limited-access admin group.
Page Size: Enter a value for the number of lines of data that you want a single GUI list view to contain for
administrators that belong to this group. When there is a lot of data, you can improve the display
performance by setting a smaller page size, such as 100 instead of 1000. You can set the page size from 10
to 2000. The default page size is 100.
Access Method: Specify whether the admin group can use the GUI and the API (application programming
interface) to configure the appliance.
Access through GUI: Select this check box to allow the admin group to use the GUI.
Access through API: Select this check box to allow the admin group to use the API. For information
about the API, see Chapter 24, Infoblox DMAPI, on page 665.
Disable this admin group: Select this check box to retain an inactivated profile for this admin group in the
configuration. For example, you might want to define a profile for recently hired administrators who have
not yet started work. Then when they do start, you simply clear this check box to activate the profile.
3. Optionally, expand the Roles section and complete the following:
Click Add.
In the Select Role dialog box, select the roles you want to assign to the admin group, and then click OK.
You can assign up to 20 roles to an admin group. The appliance displays the selected roles in the list
box.
When an admin group is assigned multiple roles, the appliance applies the permissions to the group in
the order the roles are listed. Therefore if there are conflicts in the permissions among the roles, the
appliance uses the permission from the role that is listed first and ignores all the others. You can reorder
the list by selecting a role and clicking Move Up or Move Down. To delete a role, select it and click Delete.
After you select roles, you can click Check for conflicts to check for any conflicting permissions. For
information about checking conflicts, see Applying Permissions and Managing Conflicts on page 75.
Click Cancel to close the dialog box.
4. Click the Save icon.
Deleting Admin Roles and Groups
You can remove both system-defined and user-defined admin roles and admin groups. To delete an admin group or
role:
1. Do one of the following from the Administrator perspective:
To remove an admin role, click + (for Roles) -> admin_role.
To remove an admin group, click + (for Groups) -> admin_group.
2. Click Edit -> Remove.
Viewing Admin Group Assignments
You can view to which admin groups a role is assigned by selecting the role and clicking View -> Admin Role
Assignments.
About Administrative Permissions
You can assign permissions to admin roles which you then assign to admin groups, or you can assign permissions
directly to an admin group. The following are permissions you can grant roles and admin groups:
Deny: Prevents admins from viewing, adding, modifying and deleting the resource. This is the default
permission level.
Read-Only: Allows admins to view and search for the resource. Admins cannot add, modify or delete the
resource.
Read/Write: Allows admins to view, search for, add, modify, and delete the resource.
By default, the appliance denies access to certain resources. Admin groups must have either read-only or read/write
permission to access the following resources:
Grid members: See Administrative Permissions for Grid Members on page 82.
DNS resources: See Managing DNS Resource Permissions on page 83.
DHCP resources: See Managing Administrative Permissions for DHCP Resources on page 90.
RADIUS resources: See Administrative Permissions for the RADIUS Service on page 98.
File distribution resources: See Administrative Permissions for File Distribution Services on page 100.
You can define permissions at a global level, for example, for all Infoblox views or all DHCP networks in the database,
and at a more granular level, such as a specific zone, network, and even an individual database object, such as a
resource record or fixed address.
The appliance applies permissions hierarchically in a parent-child structure. When you define a permission to a
resource, the permission applies to all the other resources and objects contained within that resource. For example,
if you grant an admin group read-write permission to a grid, it automatically has read-write permission to all members
in the grid. However, you can override the grid-level permission by setting a different permission, read-only or deny,
for a grid member. Permissions at more specific levels override those set at a higher level.
When admins have permission to objects that are in a parent object, but are not given rights to the parent object, the
appliance displays the parent object in the tree view, for navigational purposes only. For example, as shown in
Figure 3.2, admins do not have permission to the Internal view and to corp.com, but have permission to the child zone
called sales.corp.com. In this case, the admins can see the Internal view and corp.com in the tree view, but cannot
see their contents. The admins can see the contents of sales.corp.com zone only.
Figure 3.2 Navigating to Objects
(Figure 3.2 callout: Admins in DNS Admins3 can navigate to sales.corp.com and create resource records, even if
they have no permission to the Internal view and corp.com.)
Applying Permissions and Managing Conflicts
When an admin tries to access an object, the appliance checks the permissions of the group to which the admin
belongs. Because permissions at more specific levels override those set at a higher level, the appliance checks object
permissions hierarchically, from the most to the least specific. In addition, if the admin group has permissions
assigned directly to it and permissions inherited from its assigned roles, the appliance checks the permissions in the
following order:
1. Permissions assigned directly to the admin group
2. Permissions inherited from admin roles in the order they are listed in the Roles section of the Administrator
Group editor.
3. Permissions defined for the All Users group.
For example, an admin from the DNS1 admin group tries to access the a1.test.com A record in the test.com zone in
the Infoblox default view. The appliance first checks if the DNS1 admin group has a permission defined for the
a1.test.com A record. If there is none, then the appliance checks the roles assigned to DNS1, and then the All Users
group. If there is no permission defined for the a1.test.com A record, the appliance continues checking for
permissions in the order listed in Table 3.2. The appliance uses the first permission it finds.
Table 3.2 Permission Checking
The appliance checks object permissions from the most to the least specific, as listed:
1. a1.test.com A record
2. A records in test.com
3. test.com
4. All zones in the default view
5. Default view
6. All A records
7. All zones
8. All Infoblox views
For each object, the appliance checks permissions in the order listed:
a. DNS1 admin group
b. Role 1, Role 2, Role 3
c. All Users group
An admin group that is assigned multiple roles and permissions can have conflicts among the different permissions.
As stated earlier, the appliance uses the first permission it finds and ignores the others. For example, as shown in
Table 3.3, if an admin group has read/write permission to all A records in the test.com zone and a role assigned to it
is denied permission to test.com, the appliance provides read/write access to A records in the test.com zone, but
denies access to the test.com zone and all its other resource records.
Table 3.3 Directly-Assigned Permissions and Roles
Permission assigned to the admin group: Read/Write to all A records in the test.com zone
Permission inherited from an admin role: Deny to the test.com zone
Effective permissions: Deny to the test.com zone; Read/Write to all A records in test.com; Deny to all other resource records in test.com
If the group has multiple roles, the appliance applies the permissions in the order the roles are listed. If there are
conflicts in the permissions among the roles, the appliance uses the permission from the role that is listed first. For
example, as shown in Table 3.4, the first role assigned to the admin group has read-only permission to all A records
in the test.com zone and the second role has read/write permission to the same records. The appliance applies the
permission from the first admin role.
Table 3.4 Multiple Roles
Role 1 permission: Read-only to all A records in the test.com zone
Role 2 permission: Read/Write to all A records in test.com; Read/Write to all MX records in test.com
Effective permissions: Deny to the test.com zone; Read-only to all A records in the test.com zone; Read/Write to all MX records in test.com
You can check for conflicting permissions when you add permissions to roles and to admin groups, and when you
assign roles to an admin group. When you use the Check for conflicts function, the appliance lists which permissions
are in conflict and indicates which ones it uses and ignores, as shown in Figure 3.3. If you want to change the
permission the appliance uses, you must change the order in which the roles are listed or change the permissions
that are directly assigned to the admin group.
Figure 3.3 Checking for Conflicts
Defining Permissions
From the Administrators perspective, you can add permissions to roles and admin groups. You can define global
permissions to resources as well as permissions to specific objects. Note that you can define global permissions from
the Administrators perspective only.
There are two ways to add permissions to specific objects. You can add permissions to specific objects from the
Administrators perspective, as described in the following procedure, as well as from the object itself.
To add permissions to a role or an admin group from the Administrators perspective:
1. Do one of the following from the Administrators perspective:
To define the permissions of an admin role, click + (for Roles) -> + admin_role -> Edit -> Add Permissions.
To define the permissions of an admin group, click + (for Groups) -> admin_group -> Edit -> Add Permissions.
The Add Permissions dialog box appears. Note that it does not list the existing permissions of the role or admin
group. (To view existing permissions, see Viewing and Managing Permissions on page 80.) If you try to add
permission for an object that has an existing permission, the appliance displays an error message.
2. To define global permissions, click Add in the Add Global Permissions tab, as shown in Figure 3.4.
Figure 3.4 Global Permissions Tab
The dialog box displays the default resource, All Members. Do one of the following:
Select Read/Write, Read Only, or Deny for the All Members resource.
or
Click the arrow for Resource to expand the resource list and select the resource for which you are setting the
global permission. Then, select Read/Write, Read Only, or Deny.
You can click Add again to define additional global permissions.
(Figure callout) Click Add in the Global Permissions tab to define global permissions for an admin group.
3. To define permissions for specific resources and objects, do the following in the Add Object Permissions tab.
Figure 3.5 Add Object Permissions Tab
a. Click Find Object....
b. In the Select Object dialog box, identify the object for which you want to add permission, as follows:
c. In the Text field, enter the name of the object. This field is not case-sensitive.
d. By default, the appliance searches all object types. To narrow down the search, select the type of the object
for which you are searching in the Type drop-down list.
e. Click Search.
The appliance lists the objects it found in the Search Results panel.
f. Select the object for which you are defining permissions and click OK.
The appliance displays the object you selected in the Object field of the Add Object Permissions dialog box.
4. Click Add.
Click the arrow to expand the resource list. The appliance displays the resources associated with the object. You
can set permissions for that object and for its related resources as well.
5. Select the resource for which you are defining permission.
6. Select the appropriate permission: Read/Write, Read Only, or Deny.
7. Optionally, you can check whether the permission you defined conflicts with another permission. Click Check
Conflicts and the appliance displays conflicting permissions in the Permissions Conflict dialog box. For
information, see Applying Permissions and Managing Conflicts on page 75.
8. Do one of the following:
If you are setting permission for the selected object only, click OK to close the dialog box.
If you are setting permissions for additional objects, click Apply.
The appliance stores the permission you defined and clears the dialog box, so you can define permission
for another object. Click Add to continue defining permissions for other resources. Click OK when you are
finished.
(Figure callout) Click Find Object in the Add Object Permissions tab to retrieve an object and define its permission.
In addition, you can also set permissions for specific objects from the object itself. For example, to define
permissions for a particular grid member, navigate to that grid member and define its permissions.
To define the permission of a specific object:
1. Navigate to the object. For example, to define permissions for a particular grid member, do the following from the
Grid perspective, click + (for grid) -> + (for Members) -> member.
2. Select the object and do one of the following:
Right-click and select Manage Permissions from the context menu.
Click Edit-> Manage Permissions.
The appliance displays the Manage Resource Permissions dialog box. For example, Figure 3.6 shows the
Manage Resource Permissions dialog box where you define permissions for the selected grid member.
Figure 3.6 Manage Permissions for a Grid Member
3. In the Manage Resource Permissions dialog box, do the following:
Admin Group/Role: Click Add, and then select a role or an admin group in the Select Admin Group or Role dialog
box. After you click OK to close the dialog box, the appliance lists the role or admin group you selected.
Permissions: Click Add. After the appliance displays the object in the Resource column, select Read/Write, Read
Only or Deny.
4. Optionally, you can check whether the permission you defined conflicts with another permission. Click Check
Conflicts and the appliance displays conflicting permissions in the Permissions Conflict dialog box. For
information, see Applying Permissions and Managing Conflicts on page 75.
5. Click OK to close the Manage Resource Permissions dialog box.
Viewing and Managing Permissions
Superusers can view the permissions of all admin groups. All other admins can view the permissions of their own
admin group. To view the permissions of a role or an admin group, do one of the following:
To view the permissions of an admin group, from the Administrators perspective, click + (for Groups) -> + (for
admin_group) -> + (for Permissions).
To view the permissions of a role, from the Administrators perspective, click + (for Roles) -> + (for admin_role).
The appliance lists the permission types of the selected role or group, which can be:
AAA Permissions
DHCP Permissions
DNS Permissions
File Distribution Permissions
Grid Permissions
You can select a permission type and view its corresponding permissions in the Permissions panel. By default, the
appliance displays the permissions in alphabetical order. You can display a hierarchical list by clicking the icon.
Filtering the List of Permissions
You can filter the permissions you view by selecting one of the following:
Effective Permissions: Select to view only the permissions that the appliance is using for this group. The
permissions that were ignored due to conflicts are not listed in this view.
Direct Permissions: Select to view only the permissions that were specifically assigned to the group.
Permissions that were inherited from roles are not listed in this view.
Conflicting Permissions: Select to view only the permissions that are in conflict.
All Permissions: Select to view all permissions.
Modifying Permissions
You can modify the permissions of user-defined admin roles and admin groups. You cannot modify the permissions
of system-defined admin roles. When you change the permissions of a role that has been assigned to multiple admin
groups, the appliance automatically applies the change to the role in all admin groups to which it is assigned. To
change the existing permissions of a role or an admin group:
1. Do one of the following from the Administrators perspective:
To modify the permissions of an admin role, click + (for Roles) -> + (for admin_role).
To modify the permissions of an admin group, click + (for Groups) -> + (for admin_group) -> + (for
Permissions).
2. Select the permission type and in the Permissions panel, select the resource that you want to modify.
3. Click Edit -> Permission Properties.
4. In the Permission Properties editor, select the new permission: Read/Write, Read-Only or Deny.
5. Optionally, click Check for conflicts to view any conflicts that result from the change. For information about
conflicting permissions, see Applying Permissions and Managing Conflicts.
6. To save the change, click the Save icon.
Removing Permissions
You can remove permissions from user-defined admin roles and admin groups. You cannot remove permissions from
system-defined admin roles. When you remove permissions from a role, it is removed from the role in all admin
groups to which the role is assigned. You can remove a permission from a group as long as it was not inherited from
a role. You cannot remove permissions that were inherited from a role.
To remove a permission:
1. Do one of the following from the Administrators perspective:
To remove the permissions of an admin role, click + (for Roles) -> + (for admin_role).
To remove the permissions of an admin group, click + (for Groups) -> + (for admin_group) -> + (for
Permissions).
2. Select the permission type and in the Permissions panel, select the resource that you want to remove.
3. Right-click, and then select Remove.
4. Click Yes when the confirmation dialog appears.
Administrative Permissions for Grid Members
By default, the grid master denies access to grid members when a limited-access admin group does not have defined
permissions. You can grant an admin group read-only or read/write permission, or deny access to all grid members
or you can grant permission to specific grid members, as described in Defining Permissions on page 77.
Note: Only superusers can modify DNS and DHCP grid properties.
The following table lists the different types of permissions that you can define for grid members and the actions
admins can perform with each permission.
Table 3.5 Grid Member Permissions
Admins with the following permission(s) | Can perform the following tasks
Read-only to grid members | View DNS member properties; View and download syslog; View DNS cache and configuration file; View DHCP member properties; View network statistics and DHCP configuration file; Restart grid DNS and DHCP services
Read-only to grid members, and Read/Write to networks and DHCP ranges | Assign members to networks and DHCP ranges
Read/Write to grid members | Edit member properties; Clear DNS cache
Read/Write to grid members, and Read-only to views | Add grid members to the Match Members list of a view; Delete a view with grid members in the Match Members list
Read/Write to grid members, and Read/Write to zones | Assign members to DNS zones
Managing DNS Resource Permissions
You can grant roles and admin groups read-only or read/write permission, or deny access to the following DNS
resources:
Views
Zones
A records
AAAA records
CNAME
DNAME
MX
PTR
SRV
TXT
Hosts
Bulk Hosts
Shared Record Groups
Shared A records
Shared AAAA records
Shared MX records
Shared SRV records
Shared TXT records
The appliance applies permissions for DNS resources hierarchically. Permissions to an Infoblox view apply to all
zones and resource records in that view. Permissions for a zone apply to all its subzones and resource records, and
resource record permissions apply to those resource records only. To override permissions set at higher level, you
must define permissions at a more specific level. To assign permissions, see Defining Permissions on page 77. The
following sections describe the different types of permissions that you can set for DNS resources:
Administrative Permissions for Views on page 84
Administrative Permissions for Zones on page 85
Administrative Permissions for Resource Records on page 87
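The lookup described under Applying Permissions and Managing Conflicts (the Table 3.2 ladder, with direct group permissions checked before roles in listed order and then the All Users group) is the same most-specific-first walk that the view, zone and resource record hierarchy above relies on. The following Python model is an added example, not Infoblox code or part of this guide; the scope-key strings, the group named DNS2, the mx1.test.com record and the modelling of Table 3.4's zone Deny as a direct group permission are assumptions made for the illustration.

```python
"""Model of how a NIOS appliance resolves an admin group's effective permission.

Added illustration, not Infoblox code. Scopes are checked from the most to the
least specific (Table 3.2); within each scope the sources are checked in order:
permissions assigned directly to the group, the group's roles in listed order,
then the All Users group. The first permission found wins; others are ignored.
"""

READ_WRITE, READ_ONLY, DENY = "Read/Write", "Read-only", "Deny"


class AdminGroup:
    def __init__(self, name, direct=None, roles=None):
        self.name = name
        self.direct = direct or {}   # scope -> permission, assigned directly
        self.roles = roles or []     # [(role_name, {scope: permission})], listed order


def dns_zone_scopes(view, zone):
    """Ladder for a zone object, most specific first (Table 3.2 items 3-5, 7, 8)."""
    return [f"zone {zone}", f"all zones in view {view}", f"view {view}",
            "all zones", "all views"]


def dns_record_scopes(view, zone, rtype, record):
    """Ladder for a resource record, most specific first (all of Table 3.2)."""
    return ([f"{rtype} record {record}", f"all {rtype} records in {zone}"]
            + dns_zone_scopes(view, zone)[:3]
            + [f"all {rtype} records", "all zones", "all views"])


def sources(group, all_users):
    """Permission sources in the order the appliance consults them."""
    yield f"{group.name} (direct)", group.direct
    for role_name, perms in group.roles:
        yield f"role {role_name}", perms
    yield "All Users", all_users


def resolve(group, scopes, all_users=None):
    """Return (permission, source, scope) of the first permission found.

    Scope ladder is the outer loop, sources the inner loop. A limited-access
    group with nothing defined is denied, as the guide states for grid members.
    """
    for scope in scopes:
        for source, perms in sources(group, all_users or {}):
            if scope in perms:
                return perms[scope], source, scope
    return DENY, "default (no permission defined)", None


def conflicts(group, all_users=None):
    """Same-scope conflicts in the style of Check for conflicts.

    Returns {scope: [(source, permission), ...]}; the first entry is the one
    used, the rest are ignored (Table 3.4). Overrides across scopes, as in
    Table 3.3, are ladder precedence rather than conflicts here.
    """
    seen = {}
    for source, perms in sources(group, all_users or {}):
        for scope, perm in perms.items():
            seen.setdefault(scope, []).append((source, perm))
    return {s: e for s, e in seen.items() if len(e) > 1}


# Table 3.3: direct Read/Write to all A records in test.com; a role denies test.com.
DNS1 = AdminGroup("DNS1",
                  direct={"all A records in test.com": READ_WRITE},
                  roles=[("Role 1", {"zone test.com": DENY})])

# Table 3.4 (group name DNS2 is constructed): two roles disagree about the A
# records; the first listed role wins. The table's Deny to test.com is modelled
# here as a direct permission (assumption; the guide does not say its origin).
DNS2 = AdminGroup("DNS2",
                  direct={"zone test.com": DENY},
                  roles=[("Role 1", {"all A records in test.com": READ_ONLY}),
                         ("Role 2", {"all A records in test.com": READ_WRITE,
                                     "all MX records in test.com": READ_WRITE})])

if __name__ == "__main__":
    a_rec = dns_record_scopes("default", "test.com", "A", "a1.test.com")
    mx_rec = dns_record_scopes("default", "test.com", "MX", "mx1.test.com")  # constructed
    zone = dns_zone_scopes("default", "test.com")
    for label, grp, scopes in [("DNS1 a1.test.com A", DNS1, a_rec),
                               ("DNS1 mx1.test.com MX", DNS1, mx_rec),
                               ("DNS1 zone test.com", DNS1, zone),
                               ("DNS2 a1.test.com A", DNS2, a_rec),
                               ("DNS2 mx1.test.com MX", DNS2, mx_rec)]:
        perm, src, scope = resolve(grp, scopes)
        print(f"{label:22} -> {perm:10} via {src} at scope '{scope}'")
    print("DNS2 conflicts:", conflicts(DNS2))
```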
Administrative Permissions for Views
Limited-access admin groups can access Infoblox views, including the default view, only if their administrative
permissions are defined. Permissions to an Infoblox view apply to all its zones and resource records. To override
view-level permissions, you must define permissions for its zones and resource records. For example, you can grant
an admin group read-only permission to a view and read/write permission to all its zones. This allows the admins to
display the view properties, but not edit them, and to create, edit and delete zones in the view.
You can grant read-only or read/write permission, or deny access to Infoblox views, as follows:
All views: Global permission that applies to all Infoblox views in the database.
A specific view: Applies to its properties and its zones, if you do not define zone-level permissions. This overrides the global view permissions.
All zones in a view: If you do not define permissions for zones, they inherit the permissions of the view they are in.
For information on setting permissions for a view and its zones, see Defining Permissions on page 77.
The following table lists the different types of permissions that you can set for Infoblox views and the actions admins
can perform with each permission.
Table 3.6 Permissions for Views
Admins with the following permission(s) | Can perform the following tasks
Read-only to all views | Display view properties; Display zones and resource records
Read/Write to all views | Create, modify, and delete views; Create, modify, and delete zones and resource records
Read/Write to a view | Modify and delete the view; Add, modify, and delete all zones and resource records in the view
Read-only to a view, and Read/Write to grid members | Add grid members to the Match Members list of a view; Delete a view with grid members in the Match Members list
Read-only to all zones in a view | Display zone properties, subzones and resource records
Read/Write to all zones in a view | Create, modify, and delete zones; Add, modify, and delete subzones and resource records
Administrative Permissions for Zones
By default, zones inherit administrative permissions from the Infoblox view in which they reside. You can override
view-level permissions by setting permissions for specific zones. Permissions set for a zone are inherited by its
subzones and resource records. To override zone-level permissions, set permissions for specific subzones and
resource records.
For example, you can grant an admin group the following permissions:
Read-only to a zone and to all its A, AAAA, and PTR records
Read/Write permission to all MX and SRV records in the zone
Deny to all the other resource records: CNAME, DNAME, TXT, host, and bulk host
You can grant read-only or read/write permission, or deny access to zones as follows:
All zones: Global permission that applies to all zones in all views.
All zones in a view: Permissions at this level override the global permissions.
A specific zone: Applies to the zone properties and resource records, if you do not define permissions for its resource records. This overrides global and view-level permissions. If you delete a zone and reparent its subzone, the subzone inherits the permissions of the new parent zone.
Each resource record type in a zone: For example, you can define permissions for all A records and for all PTR records in a zone. If you do not define permissions for resource records, they inherit the permissions of the zone in which they reside.
For information on setting permissions for zones and resource records, see Defining Permissions on page 77.
The following table lists the different types of permissions that you can set for zones and their corresponding tasks.
Table 3.7 DNS Zone Permissions
Admins with the following permission(s) | Can perform the following tasks
Read-only to a zone | View zone properties, subzones, and resource records; Search for the zone, its subzones, and resource records
Read/Write to all zones | Create, modify, and delete subzones and resource records; Search for zones, subzones, and resource records
Read/Write to all zones in a view | Create, modify, and delete all zones in the view; Create, modify, and delete subzones and resource records; Search for zones, subzones, and resource records
Read/Write to a zone | Modify and delete the zone; Create, modify, and delete subzones and resource records; Lock and unlock the zone; Search within the zone for its subzones and resource records
Read/Write to a zone, and Read/Write to grid members | Assign grid members to a zone; Delete a zone with assigned grid members
Read/Write to a zone, and Read/Write to all grid members in a name server group | Assign a name server group to a zone; Delete a zone with name server groups assigned
Read/Write to a shared record group | Assign a shared record group to a zone
Source zone: Read-only to the source zone and Read-only to the resource records to be copied; destination zone: Read/Write to the destination zone and Read/Write to all resource records in the destination zone | Copy resource records from one zone to another
Administrative Permissions for Resource Records
Resource records inherit the permissions of the zone to which they belong. You can override zone-level permissions
by setting permissions for specific resource records.
You can grant read-only or read/write permission, or deny access to resource records as follows:
Each resource record type in all zones and in all views: Global permission that applies to all resource records of the specified type; for example, all A records in the database.
Each resource record type in a zone: Permissions at this level override global permissions.
A specific resource record: Overrides zone-level permissions.
For information on setting permissions for resource records, see Defining Permissions on page 77. The following
table lists the different types of permissions that you can set for resource records and the actions admins can perform
with each permission.
Table 3.8 DNS Resources
Admins with the following permission(s) | Can perform the following tasks
Read-only to a resource record type, such as all A records or all PTR records | View resource records for the specified type only; Search for records of the specified type
Read/Write to a resource record type, such as all A records or all PTR records | Create, modify, and delete resource records for the specified type; Search for records of the specified type
Read-only to a resource record | View the resource record
Read/Write to a resource record | View, modify, and delete the resource record
The following are additional guidelines:
Only admins with read/write permission to bulk host records and read/write permission to reverse zones can
create bulk host records and automatically add reverse-mapping zones.
To create host records, admins must have read/write permission to the network and zone of the host.
Admins must have read-only permission to the host records in a zone to view the Host Name Compliance
Report. Admins must have read/write permission to the resource records in a zone to modify host names that
do not comply with the host policy.
Administrative Permissions for Shared Record Groups
By default, only superusers can add, edit, and delete shared record groups. Limited-access admin groups can access
shared record groups, only if their administrative permissions are defined.
You can set different permissions for a shared record group and for each type of shared resource record in the group.
For example, you can grant a role or an admin group the following permissions:
Read-only to a shared record group and to all its shared A and AAAA records
Read/Write permission to all the shared MX and SRV records in the shared record group
Deny to the TXT records
You can grant read-only or read/write permission, or deny access to shared record groups, as follows:
All shared record groups: Global permission that applies to all shared record groups in the database.
A specific shared record group: Overrides global permissions.
Each shared record type in all shared record groups: The shared resource record types include shared A records, shared AAAA records, shared MX records, shared SRV records, and shared TXT resource records.
Each shared record type in a shared record group: Permissions at this level override global permissions.
A specific shared record: Overrides zone-level permissions.
For information on setting permissions for shared record groups, see Defining Permissions on page 77. The following
table lists the different types of permissions that you can set for shared record groups and the actions admins can
perform with each permission.
Table 3.9 Permissions for Shared Record Groups
Admins with the following permission(s) | Can perform the following tasks
Read-only to a shared record group | View the shared record group
Read/Write to all shared record groups | Create, modify, and delete shared record groups
Read/Write to a shared record group | Modify and delete the shared record group
Read/Write to a shared record group, and Read/Write to target zones | Assign a shared record group to zones; Change the zones associated with the shared record group; Delete zones with a shared record group assigned (before you delete a shared record group, you must remove all zones associated with it)
Read-only to a shared record type in all shared record groups | View the shared records for the specific type only; Search for records of the specified type
Read/Write to a shared record type in all shared record groups | Create, modify, and delete shared records for the specified type
Read-only to a shared record type in a specific shared record group | View the shared records for the specific type in the specified shared record group only
Read/Write to a shared record type in a specific shared record group | Create, modify, and delete shared records for the specific type in the specified shared record group only
Read-only to a specific shared record | View the shared record
Read/Write to a specific shared record | View, modify and delete the shared record
Note the following guidelines:
Shared record group permissions override zone permissions.
Even if a zone is locked, superusers and limited-access users with read/write access can still edit or delete a
shared record in the zone.
Managing Administrative Permissions for DHCP Resources
Limited-access admin groups can access certain DHCP resources only if their administrative permissions are defined.
By default, the appliance denies access when a limited-access admin group does not have defined permissions. You
can grant admin groups read-only or read/write permission, or deny access to the following DHCP resources:
Networks
Shared networks
DHCP ranges
Fixed addresses
MAC address filters
Network templates
DHCP range templates
Fixed address templates
DHCP lease history
You can grant an admin group broad permissions to DHCP resources, such as read/write permission to all networks
and shared networks in the database. In addition, you can grant permission to specific resources, such as a specific
network, a DHCP range, or an individual IP address in a network. Permissions at more specific levels override global
permissions.
The following sections describe the different types of permissions that you can set for DHCP resources:
Administrative Permissions for Networks and Shared Networks on page 91
Administrative Permissions for Fixed Addresses on page 93
Administrative Permissions for DHCP Ranges on page 94
Administrative Permissions for DHCP Templates on page 95
Administrative Permissions for MAC Address Filters on page 96
Administrative Permissions for the DHCP Lease History on page 97
Administrative Permissions for Networks and Shared Networks
Limited-access admin groups can access networks, including shared networks, only if their administrative
permissions are defined. Permissions for a network apply to all its DHCP ranges and fixed addresses. To override
network-level permissions, you must define permissions for specific DHCP ranges and fixed addresses. For example,
you can grant an admin group read-only permission to a network, read/write permission to its DHCP ranges, and
read-only permission to its fixed addresses.
You can grant read-only or read/write permission, or deny access to networks, as follows:
All networks and all shared networks: Global permission that applies to all networks in the database.
A specific network: Network permissions apply to its properties and to all DHCP ranges, fixed addresses and hosts in the network, if they do not have permissions defined. This overrides global permissions.
All DHCP ranges in a network: If you do not define permissions for DHCP ranges, they inherit the permissions of the network in which they reside.
All fixed addresses in a network: If you do not define permissions for fixed addresses, they inherit the permissions of the network in which they reside.
To define permissions for a specific network and its DHCP ranges and fixed addresses, see Defining Permissions on
page 77.
The following table lists the different types of permissions that you can set for networks and their corresponding
tasks.
Table 3.10 Network Permissions
Admins with the following permission(s) | Can perform the following tasks
Read-only to all networks | View the properties of all networks; View network statistics
Read-only to all networks, and Read-only to all views | View the IP Address Management panel
Read/Write to all networks | Create, modify, and delete networks and shared networks; Create, modify, and delete DHCP ranges and fixed addresses; Expand/join networks
Read/Write to all networks, and Read-only to network templates | Create networks from templates
Read-only to all shared networks | View shared networks
Read/Write to all shared networks | Create, modify, and delete shared networks
Read-only to a specific network | View the properties of the network; View network statistics; Search for the network
Read/Write to a specific network | Modify and delete the network; Create, modify, and delete DHCP ranges and fixed addresses in the network; Expand/join networks, if admins have read/write permission to both networks
Read/Write to a network, and Read/Write to the parent zones | Create/Split network and automatically create the reverse zone
Read/Write to a network, and Read/Write to a grid member | Assign a grid member to the network and its DHCP ranges; Modify and delete a network with the assigned grid member
Read-only to all DHCP ranges in a network | View DHCP ranges; Search for DHCP ranges
Read/Write to all DHCP ranges in a network | Create, modify, and delete DHCP ranges
Read-only to all fixed addresses in a network | View fixed addresses; Search for fixed addresses
Read/Write to all fixed addresses in a network | Create, modify, and delete fixed addresses
Administrative Permissions for Fixed Addresses
Fixed addresses inherit the permissions of the networks in which they reside. You can override network-level
permissions by defining permissions for fixed addresses.
You can grant read-only or read/write permission, or deny access to fixed addresses, as follows:
All fixed addresses: Global permission that applies to all fixed addresses in the database.
All fixed addresses in a network: Permissions at this level override global permissions. If you do not define permissions for fixed addresses, they inherit the permissions of the network in which they reside.
A single fixed address: Overrides global and network-level permissions.
For information on setting permissions for fixed addresses, see Defining Permissions on page 77.
The following table lists the different types of permissions that you can set for fixed addresses and their
corresponding tasks.
Table 3.11 Permissions for Fixed Addresses
Admins with the following permission(s) | Can perform the following tasks
Read-only to all fixed addresses | View fixed addresses; Search for fixed addresses
Read-only to all fixed addresses in a network | View fixed addresses in the network; Search for fixed addresses in the network
Read/Write to all fixed addresses | Create, modify, and delete fixed addresses
Read/Write to all fixed addresses in a network | Create, modify, and delete fixed addresses in the network
Read-only to a fixed address | View the fixed address
Read/Write to a fixed address | Modify and delete the fixed address
Administrative Permissions for DHCP Ranges
DHCP ranges inherit the permissions of the networks in which they reside. You can override network-level
permissions by defining permissions for DHCP ranges. You can grant read-only or read/write permission, or deny
access to DHCP address ranges, as follows:
All DHCP ranges: Global permission that applies to all DHCP ranges in the database.
All DHCP ranges in a network: Permissions at this level override global permissions. If you do not define
permissions for DHCP ranges, they inherit the permissions of the network in which they reside.
A single DHCP range: Overrides global and network-level permissions.
For information on setting permissions for DHCP ranges, see Defining Permissions on page 77. The following table
lists the different types of permissions that you can set for DHCP ranges and their corresponding tasks.
Table 3.12 DHCP Ranges
Admins with the following permission(s): Can perform the following tasks
Read-only to all DHCP ranges: View DHCP ranges; search for DHCP ranges
Read-only to all DHCP ranges in a network
Not Applicable
Independent HA Pair
Not Applicable
Grid Master
Grid Master Candidate
HA Grid Member
*
Single Grid Member
*
The MGMT port is not enabled by default. By default, a NIOS appliance uses the LAN port (and HA port when deployed
in an HA pair). You must log in using a superuser account to enable and configure the MGMT port. You can enable the
MGMT port through the Infoblox GUI (as explained in the following sections) or through a console connection with the
following command: set interface mgmt speed auto duplex auto
Note: For information about connecting Ethernet cables to the MGMT port, refer to Cabling for the MGMT Port on
page 727.
Appliance Management
You can restrict administrative access to a NIOS appliance by connecting the MGMT port to a subnet containing only
management systems. This approach ensures that only appliances on that subnet can access the Infoblox GUI and
receive appliance management communications such as syslog events, SNMP traps, and e-mail notifications from
the appliance.
If you are the only administrator, you can connect your management system directly to the MGMT port. If there are
several administrators, you can define a small subnet, such as 10.1.1.0/29, which provides six host IP addresses
(10.1.1.1 to 10.1.1.6) plus the network address 10.1.1.0 and the broadcast address 10.1.1.7, and connect to the
NIOS appliance through a dedicated switch (which is not connected to the rest of the network). Figure 4.5 shows how
an independent appliance separates appliance management traffic from network protocol services. Note that the
LAN port is on a different subnet from the MGMT port.
Figure 4.5 Appliance Management from One or More Management Systems
[Figure: NIOS appliance-1 (LAN 1.1.1.5, MGMT 10.1.1.1) and Infoblox appliance-2 (LAN 1.1.1.6, MGMT 10.1.1.1) serve
DNS and DHCP to clients on the public network 1.1.1.0/24 through their LAN ports. A single management system
connects directly to the MGMT port of appliance-1 through an Ethernet cable (private network 10.1.1.0/30, appliance
management). Several management systems (10.1.1.2 - 10.1.1.5) connect to the MGMT port of appliance-2 through a
dedicated switch (private network 10.1.1.0/29, appliance management). Note: because the two private networks are
used solely for appliance management and are completely isolated from the rest of the network, and therefore from
each other, their address space can overlap without causing any routing issues.]
Similarly, you can restrict management access to a grid master to only those appliances connected to the MGMT ports
of the active and passive nodes of the grid master.
To enable the MGMT port on an independent appliance or grid master for appliance management and then cable the
MGMT port directly to your management system or to a network forwarding appliance such as a switch or router:
1. From the Grid perspective, click + (for grid ) -> + (for Member ) -> grid_master -> Edit -> Member Properties.
or
From the Device perspective, click hostname -> Edit -> Device Properties.
Note: You must enable the MGMT port before modifying its port settings. See Using the MGMT Port on page 136.
2. In the Grid Member or Device editor, click MGMT Port, and then enter the following in the Node 1 subsection for a
single grid master or independent appliance, and in the Node 1 and Node 2 subsections for an HA grid master or
independent HA pair:
Enable management (MGMT) port: Select the check box.
Enable VPN services on the MGMT port: Clear the check box.
Restrict Support and remote console access to MGMT port: Select the check box to restrict SSH (Secure
Shell) v2 access to the MGMT port only. This restricts Infoblox Technical Support and remote console
connections (both of which use SSH v2) to just the MGMT port. For an HA pair, you can make an SSH v2
connection to the MGMT port on both the active and passive nodes.
Clear the check box to allow SSH v2 access to both the MGMT and LAN ports. For an HA pair, you can make
an SSH v2 connection to the MGMT and LAN ports on both the active and passive nodes.
IP Address: Type the IP address for the MGMT port, which must be in a different subnet from that of the LAN
and HA ports.
Subnet Mask: Choose an appropriate subnet mask for the number of management systems that you want
to access the appliance through the MGMT port.
Gateway: Type the default gateway for the MGMT port. If you need to define any static routes for traffic
originating from the MGMT port, such as SNMP traps, syslog events, and email notifications, destined for
remote subnets beyond the immediate subnet, specify the IP address of this gateway in the route.
Use automatic MGMT port settings: Select the check box to instruct the NIOS appliance to negotiate the
optimum port connection type (full or half duplex) and speed with the connecting switch automatically. If
you clear the check box, manually configure the same settings on both the NIOS appliance and the switch.
By default, the check box is selected.
3. Click the Save icon to save your settings.
4. Close the current JWS (Java Web Start) application window.
5. Cable the MGMT port to your management system or to a switch or router to which your management system can
also connect.
6. If your management system is in a subnet from which it cannot reach the MGMT port, move it to a subnet from
which it can.
The Infoblox Grid (or Device) Manager GUI is now accessible through the MGMT port on the NIOS appliance from
your management system.
7. Start a new JWS session, and then log in to the IP address of the MGMT port.
8. Check the Detailed Status and Grid panels to make sure the status icons are green.
Grid Communications
You can isolate all grid communications to a dedicated subnet as follows:
For grid communications from the grid master, which can be an HA pair or a single appliance, the master uses
either the VIP interface on the HA port of its active node (HA master) or its LAN port (single master). Neither a
single nor HA grid master can use its MGMT port for grid communications. (This restriction applies equally to
master candidates.)
Common grid members connect to the grid master through their MGMT port.
This ensures that all database synchronization and grid maintenance operations are inaccessible from other network
elements while the common grid members provide network protocol services on their LAN ports.
Figure 4.6 shows how grid members communicate to the master over a dedicated subnet.
Figure 4.6 Grid Communications
[Figure: The private network 10.1.1.0/24 is reserved for grid communications between the grid master and all grid
members, and for appliance management between the management system (10.1.1.30) and the grid master. The HA
grid master (VIP 10.1.1.10) and the master candidate (VIP 10.1.1.5) connect to the private network using a VIP on
their HA ports. The common grid members, an HA member (active and passive nodes) and a single member, connect
to the private network through their MGMT ports* (MGMT addresses 10.1.1.15, 10.1.1.20 and 10.1.1.21 on the
member nodes). They connect to the public network 1.1.1.0/24 through their LAN and HA ports (LAN 1.1.1.6, VIP
1.1.1.7) and use the public network for DNS and DHCP services to DNS and DHCP clients.]
* Only the active node of an HA member connects to the grid master. The
passive node communicates just with the active node. If there is an HA failover,
the newly promoted active node must first join the grid before continuing grid
communications with the grid master on behalf of the HA member.
Enabling Grid Communications over the MGMT Port for Existing Grid Members
To enable the MGMT port for grid communications on an existing single or HA grid member:
1. Log in to the grid master with a superuser account.
2. From the Grid perspective, click + (for grid ) -> + (for Member ) -> member -> Edit -> Member Properties.
3. In the Grid Member editor, click MGMT Port, and then enter the following for Node 1. For an HA member, enter
the IP address, subnet mask, and gateway address for both Node 1 and Node 2.
Enable management (MGMT) Port: Select the check box.
Enable VPN services on the MGMT Port: Select the check box.
Restrict Support and remote console access to MGMT port: Select the check box to restrict SSH (Secure
Shell) v2 access to the MGMT port only. This restricts Infoblox Technical Support and remote console
connections (both of which use SSH v2) to just the MGMT port. For an HA pair, you can make an SSH v2
connection to the MGMT port on both the active and passive nodes.
Clear the check box to allow SSH v2 access to both the MGMT and LAN ports. For an HA pair, you can make
an SSH v2 connection to the MGMT and LAN ports on both the active and passive nodes.
IP Address: Type the IP address of the MGMT port on the grid member, which must be in a different subnet
from that of the LAN and HA ports.
Subnet Mask: Choose the subnet mask for the MGMT port IP address.
Gateway: Type the default gateway for the MGMT port.
Use automatic MGMT port settings: Select the check box to instruct the NIOS appliance to negotiate the
optimum port connection type (full or half duplex) and speed with the connecting switch automatically. If
you clear the check box, manually configure the same settings on both the NIOS appliance and the switch.
By default, the check box is selected.
4. If the IP addresses of the LAN and HA ports are in the same subnet as the IP address of the MGMT port, click Node
Properties in the Grid Member editor, and then change the IP address of the LAN port (for a single member) and
LAN and HA ports (for an HA member).
5. Click the Save icon to save your settings.
The master communicates the new port settings to the member, which immediately begins using them. The
member stops using its LAN port for grid communications and begins using the MGMT port.
6. To confirm that the member still has grid connectivity, check that the status icons for that member are green on
the Detailed Status and Grid panels.
Enabling Grid Communications over the MGMT Port for New Grid Members
To enable the MGMT port for grid communications on a single appliance or HA pair and then join it to a grid:
Member MGMT Port Configuration on the Grid Master
1. Log in to the grid master with a superuser account.
2. From the Grid perspective, click grid -> Add Grid Member.
3. In the Grid Member editor, click Node Properties, configure the network settings for a single member or the
network and HA settings for an HA member, and then clear the Master Candidate check box. Any member
that is a master candidate cannot use the MGMT port for grid communications.
4. In the Grid Member editor, click MGMT Port, and then enter the following for Node 1 (for a single appliance).
For an HA pair, enter the IP address, subnet mask, gateway address, and port settings for both Node 1 and
Node 2.
Enable management (MGMT) Port: Select the check box.
Enable VPN services on the MGMT Port: (You must add the member before you can select this check
box, which you do in step 7.)
Restrict Support and remote console access to MGMT port: Select the check box to restrict SSH (Secure
Shell) v2 access to the MGMT port only. This restricts Infoblox Technical Support and remote console
connections (both of which use SSH v2) to just the MGMT port. For an HA member, you can make an
SSH v2 connection to the MGMT port on both the active and passive nodes.
Clear the check box to allow SSH v2 access to both the MGMT and LAN ports. For an HA member, you can
make an SSH v2 connection to the MGMT and LAN ports on both the active and passive nodes.
IP Address: Type the IP address of the MGMT port on the grid member. This is the address that you
previously set when configuring the appliance. The MGMT port address cannot be in the same subnet
as the addresses of the LAN and HA ports.
Subnet Mask: Choose the subnet mask for the MGMT port IP address.
Gateway: Type the default gateway for the MGMT port.
Use automatic MGMT port settings: Select the check box to instruct the member to negotiate the
optimum port connection type (full or half duplex) and speed with the connecting switch automatically.
If you clear the check box, manually configure the same settings on both the NIOS appliance and the
switch. By default, the check box is selected.
5. Click the Save icon to add the member.
6. In the Grid perspective, select the member you just created, click Edit -> Member Properties.
7. In the Grid Member editor, click MGMT Port, select Enable VPN services on the MGMT Port, and then click
the Save icon.
MGMT Port Configuration on Appliance or HA Pair
1. Log in as a superuser to the MGMT port of the appliance or active node of the HA pair that you want to join
to the grid.
2. From the Grid perspective, click + (for grid ) -> + (for Member ) -> member -> Edit -> Member Properties.
3. In the Grid Member editor, click MGMT Port, and then change the following for Node 1 (for a single
appliance). For an HA pair, enter the IP address, subnet mask, and gateway address for both Node 1 and
Node 2.
Enable management (MGMT) Port: Select the check box.
Enable VPN services on the MGMT Port: (You cannot select this because the appliance or HA pair is not
yet a grid member. When the appliance or HA pair joins the grid, it receives its new configuration from
the grid master, and in that configuration, this option is set.)
Note: For the remainder of the MGMT port settings, configure the same settings that you previously set for the
single or HA member on the grid master (see step 4 in Member MGMT Port Configuration on the Grid
Master on page 140).
4. If the IP addresses of the LAN and HA ports are in the same subnet as the IP address of the MGMT port, click
Node Properties in the Grid Member editor, and then change the IP address of the LAN port (for a single
member) and LAN and HA ports (for an HA member).
5. Click the Save icon to save your settings.
6. From the Grid perspective, click + (for grid ) -> + (for Member ) -> member -> Edit -> Join Grid.
7. Enter the following in the Join Grid dialog box:
Virtual IP of Grid Master: Type the VIP address of the grid master for the grid to which you want to add
the single appliance or HA pair.
Grid Name: Type the name of the grid.
Grid Shared Secret: Type the shared secret of the grid.
Re-type Grid Shared Secret: To ensure accuracy, retype the shared secret.
Use MGMT port to join grid: Because you have already enabled the MGMT port, this option is available.
Select it to connect to the grid through the MGMT port.
For a single appliance, it connects to the grid master from its MGMT port. The grid master allows it to join the
grid, and sends it its configuration and, if the appliance is running a different software version from the rest of
the grid, the software version for the grid.
When an HA pair joins the grid through their MGMT ports, each node joins separately. The process occurs as
follows:
1. You join the active node to the grid first (step 7) and the grid master sends it the remainder of its
configuration and, if the node is running a different software version from the rest of the grid, the software
version for the grid.
2. The HA pair fails over.
3. You now log in to the other node, which is now active, and join it to the grid (repeat step 7). The master
sends it its configuration and (if necessary) the version of software running on the grid.
4. The HA pair fails over again, so that the node that was active when you started the join operation becomes
the active node again when you finish it.
After an appliance or HA pair is part of the grid, you continue configuring it through the grid master.
DNS Services
You can configure a single independent appliance or single grid member to provide DNS services through the MGMT
port in addition to the LAN port. For example, the appliance can provide DNS services through the MGMT port for
internal clients on a private network, and DNS services through the LAN port for external clients on a public network.
While providing DNS services on the MGMT port, you can still use that port simultaneously for appliance
management. Figure 4.7 shows a management system communicating with a single independent appliance through
its MGMT port while the appliance also provides DNS services on that port to a private network. Additionally, the
appliance provides DNS services to an external network through its LAN port.
Figure 4.7 DNS Services on the LAN and MGMT Ports, and appliance Management on the MGMT Port
Like a single independent appliance, a single grid member can also support concurrent DNS traffic on its MGMT and
LAN ports. However, because you manage all grid members through the grid master, a grid member only uses an
enabled MGMT port to send SNMP traps, syslog events, and email notifications, and to receive SSH connections.
[Figure 4.7: A single independent appliance serves external DNS clients on the external network through its LAN
port, and serves internal DNS clients on the internal network through its MGMT port. The management system also
reaches the appliance through the MGMT port: appliance management and internal DNS services go through the
MGMT port, and external DNS services go through the LAN port.]
In addition, the active node of an HA pair can provide DNS services through its MGMT port. To use this feature, you
must enable DNS services on the MGMT ports of both nodes in the HA pair and specify the MGMT port IP addresses
of both nodes on the DNS client as well, in case there is a failover and the passive node becomes active. Note that
only the active node can respond to queries that it receives. If a DNS client sends a query to the MGMT port of the
node that happens to be the passive node, the query can eventually time out and fail.
To enable DNS services on the MGMT port of an appliance:
1. From the Grid perspective, click + (for grid ) -> + (for Member ) -> grid_master -> Edit -> Member Properties.
or
From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid Member or Device editor, click MGMT Port, and then enter the following in the Node 1 subsection for a
single grid master or independent appliance, and in the Node 1 and Node 2 subsections for an HA grid master or
independent HA pair:
Enable management (MGMT) Port: Select the check box.
IP Address: Enter the IP address of the MGMT port. The MGMT port IP address must be in a different subnet
from that of the LAN and HA ports.
Subnet mask: Choose an appropriate subnet mask for the MGMT port.
Gateway: Enter the IP address of the gateway for the MGMT port.
3. Click the Save icon to save your settings for the MGMT port.
4. From the DNS perspective of the Member DNS Properties editor, click DNS Members -> + (for grid ) -> member ->
DNS -> Modify -> General.
5. In the Member DNS Properties editor, click General, and then select Enable DNS Services on the MGMT Port.
6. Click the Save icon to save your settings.
7. Click the Restart Services icon if it flashes.
8. To see that the appliance now also serves DNS on the MGMT port:
From the DNS perspective, click DNS Members -> + (for grid ) -> member -> View -> Properties, and look in the
General section. Check that the value for Enable DNS Services on the MGMT Port is true.
or
From the DNS perspective, click DNS Members -> + (for grid ) -> member -> View -> DNS Configuration, and check
that the IP address of the MGMT port appears in the address match list in the listen-on substatement.
Setting Static Routes
When you put the NIOS appliance on a segment of the network where there is a single path to and from it, a single
default route is sufficient. For example, in Figure 4.8 on page 144, the appliance is in the DMZ behind a firewall and
connects to the rest of the network through the DMZ interface on the firewall. When hosts on the Internet and the
internal network send DNS queries to the appliance, and when the appliance replies to those hosts, the firewall takes
care of all the routing.
Figure 4.8 Single Default Route
When the NIOS appliance is on a segment of the network where there are multiple gateways through which traffic to
and from the appliance can flow, a single default route is insufficient. For an example, see Figure 4.9.
[Figure 4.8: The NIOS appliance is in the DMZ behind a firewall whose DMZ interface is 1.2.2.1; the Internet and the
internal network are reached through the firewall's other interfaces. The appliance responds to all queries from the
Internet and internal network by sending its responses to the DMZ interface (1.2.2.1) on the firewall, so it needs only
a single default route to the firewall, which then routes the traffic where it needs to go. The default route points all
traffic from the LAN or LAN1 port on the NIOS appliance to the DMZ interface (1.2.2.1) on the firewall.
Default route: Network 0.0.0.0, Netmask 0.0.0.0, Gateway 1.2.2.1]
Figure 4.9 Erroneously Routed DNS Replies
To resolve the problem illustrated in Figure 4.9 on page 145, add a second route pointing traffic destined for
10.1.1.0/24 to use the gateway with IP address 1.2.2.2 on firewall-2. This is shown in Figure 4.10.
Figure 4.10 Properly Routed DNS Replies
[Figure 4.9: The NIOS appliance is in the DMZ behind a switch that connects to firewall-1 (DMZ interface 1.2.2.1,
toward the Internet) and firewall-2 (DMZ interface 1.2.2.2, toward the internal network 10.1.1.0/24). The default
route points all traffic from the NIOS appliance to the DMZ interface (1.2.2.1) on firewall-1 (Network 0.0.0.0, Netmask
0.0.0.0, Gateway 1.2.2.1). DNS queries from the Internet reach the appliance through firewall-1, and the appliance
sends its replies back through firewall-1. DNS queries from the internal network reach the appliance through
firewall-2, but because there is only one default route, the appliance erroneously sends DNS replies to the DMZ
interface (1.2.2.1) on firewall-1.]
[Figure 4.10: The same topology, with the DMZ subnet 1.2.2.0/24. The default route on the NIOS appliance points
traffic destined for the Internet to the DMZ interface (1.2.2.1) on firewall-1 (Network 0.0.0.0, Netmask 0.0.0.0,
Gateway 1.2.2.1). A second route on the appliance points traffic destined for 10.1.1.0/24 to the DMZ interface
(1.2.2.2) on firewall-2 (Network 10.1.1.0, Netmask 255.255.255.0, Gateway 1.2.2.2).]
Whenever you want the NIOS appliance to send traffic through a gateway other than the default gateway, you need
to define a separate route. Then, when the appliance performs a route lookup, it chooses the route that most
completely matches the destination IP address in the packet header.
When you enable the MGMT port, the gateway you reference in a static route determines which port the NIOS
appliance uses when directing traffic to a specified destination.
If a route definition references a gateway that is in the same subnet as the IP and VIP addresses of the LAN (or
LAN1) and HA ports, the NIOS appliance uses the LAN (or LAN1) or HA port when directing traffic to that
gateway.
If a route definition references a gateway that is in the same subnet as the MGMT port, the NIOS appliance uses
the MGMT port when directing traffic to that gateway.
Figure 4.11 Static Routes for the LAN and MGMT Ports
The need for routes can apply to any type of traffic that originates from the appliance, such as DNS replies, DHCP
messages, SNMP traps, ICMP echo replies, Infoblox GUI management, and grid communications.
[Figure 4.11: The LAN port (1.2.2.5) of the NIOS appliance is on the DMZ (1.2.2.0/24) behind a switch with two LAN
gateways: firewall-1 (1.2.2.1) toward the Internet and firewall-2 (1.2.2.2, internal side 10.1.1.1) toward the internal
network 10.1.1.0/24. The MGMT port (10.1.2.5) is on subnet 10.1.2.0/24 behind a second switch; the MGMT gateway
(10.1.2.1 and 10.1.3.1) leads to subnet 10.1.3.0/24, where the administrators are. The static routes are shown in
green in the illustration.]
Route tables on the NIOS appliance:
From LAN:
    1.2.2.0/24 dev eth1 scope link
    10.1.1.0/24 via 1.2.2.2 dev eth1
    default via 1.2.2.1 dev eth1
From MGMT:
    10.1.2.0/24 dev eth0 scope link
    10.1.3.0/24 via 10.1.2.1 dev eth0
    default via 10.1.2.1 dev eth0
From all:
    10.1.1.0/24 via 1.2.2.2 dev eth1
    10.1.3.0/24 via 10.1.2.1 dev eth0
    1.2.2.0/24 dev eth1 proto kernel scope link src 1.2.2.5
    10.1.2.0/24 dev eth0 proto kernel scope link src 10.1.2.5
    default via 1.2.2.1 dev eth1
Two static routes direct traffic from the NIOS appliance:
From the LAN port (eth1, 1.2.2.5) through the gateway at 1.2.2.2 to the 10.1.1.0/24 subnet.
From the MGMT port (eth0, 10.1.2.5) through the gateway at 10.1.2.1 to the 10.1.3.0/24 subnet.
Note: There is a route table for each port as well as a comprehensive route table. For an HA pair, the LAN port route
table is duplicated for the HA port.
To set a static route, do the following:
1. For a grid member: From the Grid perspective, click + (for grid ) -> + (for Members) -> member -> Edit -> Member
Properties.
or
For an independent appliance or HA pair: From the Device perspective, click hostname -> Edit -> Device
Properties.
2. In the Member or Device editor, click Static Routes, click Add, and then enter the following:
Network Address: Type the address of the remote network to which the NIOS appliance routes traffic.
Netmask: Choose the netmask that defines the remote network.
Gateway Address: Type the IP address of the gateway on the local subnet through which the NIOS appliance
directs traffic to reach the remote network. The gateway address must meet the following requirements:
It must belong to a working gateway router or gateway switch.
It must be in the same subnet as the NIOS appliance.
Note: Consult your network administrator before specifying the gateway address for a static route on the
appliance. Specifying an invalid gateway address can cause problems, such as packets being dropped or
sent to an incorrect address.
3. Click the Save icon to save your settings.
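The route selection described above (longest-prefix match, with the subnet of the route's gateway deciding whether the LAN or MGMT port carries the traffic) and the gateway requirement in step 2, as an added Python model that is not Infoblox code. It uses the addresses and device names (eth1 for LAN, eth0 for MGMT) from Figure 4.11 as constructed sample data; the function names are assumptions for illustration.

```python
import ipaddress

# Added example (not Infoblox code). Port addresses are the constructed sample
# values from Figure 4.11: LAN port = eth1 at 1.2.2.5/24, MGMT port = eth0 at
# 10.1.2.5/24. The function names are assumptions for illustration.
PORTS = {
    "eth1": ipaddress.ip_interface("1.2.2.5/24"),   # LAN port on the DMZ
    "eth0": ipaddress.ip_interface("10.1.2.5/24"),  # MGMT port
}


def egress_port(gateway, ports=PORTS):
    """Return the port whose subnet contains `gateway`, or None.

    This is the rule the guide states for an enabled MGMT port: the gateway
    named in a route decides whether traffic leaves via the LAN/HA or MGMT port.
    """
    gw = ipaddress.ip_address(gateway)
    for dev, iface in ports.items():
        if gw in iface.network:
            return dev
    return None


def validate_gateway(gateway, ports=PORTS):
    """Check the Static Routes requirement that the gateway must be in the same
    subnet as the appliance. Returns (ok, reason)."""
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        return False, f"{gateway!r} is not a valid IP address"
    for dev, iface in ports.items():
        if gw == iface.ip:
            return False, f"{gateway} is the appliance's own {dev} address"
        if gw in iface.network:
            return True, f"{gateway} is on-link via {dev} ({iface.network})"
    return False, f"{gateway} is not in any subnet the appliance is connected to"


def build_route_table(static_routes, default_gateway, ports=PORTS):
    """Build the comprehensive ("From all") table: connected subnets, then the
    static routes, then the default route.

    `static_routes` holds (network, netmask, gateway) tuples, the three fields
    of the Static Routes editor. Entries are (prefix, gateway, dev); gateway is
    None for a directly connected ("scope link") prefix.
    """
    table = [(iface.network, None, dev) for dev, iface in ports.items()]
    for network, netmask, gateway in static_routes:
        ok, reason = validate_gateway(gateway, ports)
        if not ok:
            raise ValueError(f"rejecting route to {network}/{netmask}: {reason}")
        prefix = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
        table.append((prefix, ipaddress.ip_address(gateway),
                      egress_port(gateway, ports)))
    table.append((ipaddress.ip_network("0.0.0.0/0"),
                  ipaddress.ip_address(default_gateway),
                  egress_port(default_gateway, ports)))
    return table


def next_hop(table, destination):
    """Longest-prefix match: pick the route that most completely matches the
    destination. Returns (gateway or None for on-link delivery, dev)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, gateway, dev in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gateway, dev)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return (str(best[1]) if best[1] is not None else None, best[2])


def format_table(table):
    """Render the table in the `ip route` style shown in Figure 4.11."""
    lines = []
    for prefix, gateway, dev in sorted(table, key=lambda r: -r[0].prefixlen):
        if prefix.prefixlen == 0:
            lines.append(f"default via {gateway} dev {dev}")
        elif gateway is None:
            lines.append(f"{prefix} dev {dev} scope link")
        else:
            lines.append(f"{prefix} via {gateway} dev {dev}")
    return lines


if __name__ == "__main__":
    # Figure 4.9: with only a default route, replies to the internal network
    # 10.1.1.0/24 are sent to firewall-1 (1.2.2.1) instead of firewall-2.
    only_default = build_route_table([], "1.2.2.1")
    print("without static route:", next_hop(only_default, "10.1.1.50"))
    # Figures 4.10 and 4.11: add the two static routes from the guide.
    fixed = build_route_table(
        [("10.1.1.0", "255.255.255.0", "1.2.2.2"),
         ("10.1.3.0", "255.255.255.0", "10.1.2.1")], "1.2.2.1")
    print("with static routes:  ", next_hop(fixed, "10.1.1.50"))
    print("\n".join(format_table(fixed)))
```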
Enabling DNS Resolution
You can specify up to two name servers (a preferred and an alternate) that the NIOS appliance uses to resolve DNS
names, plus a search list that it uses to perform partial name resolution.
If a NIOS appliance provides DHCP services only, specify a DNS name server or servers that the appliance can use for
DNS lookups. You specify the IP address of a preferred name server and that of an alternate name server, plus use a
search list for performing partial name resolution.
To enable DNS resolution for a grid or for an independent appliance or HA pair:
1. From the Grid perspective, click grid -> Edit -> Grid Properties.
or
From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid editor, click DNS Resolver, and then enter the following:
Use DNS name resolver: Select the check box to enable the NIOS appliance to send DNS queries to the
preferred or alternate name servers whose IP addresses you specify in the following fields.
Preferred Name Server: Type the IP address of the server to which the appliance sends queries first.
Alternate Name Server: Type the IP address of the name server to which you want the NIOS appliance to
send queries if it does not receive a response from the preferred name server.
Search Domain Group: Define a group of domain names that the NIOS appliance can add to partial queries
that do not specify a domain name. For example, if you define a RADIUS authentication home server as
as1, and you list "corp100.com" and "hq.corp100.com" in the domain group list, then the NIOS
appliance sends a query for "as1.corp100.com" and another query for "as1.hq.corp100.com" to the
preferred or alternate name server.
To add a domain name to the group, type a domain name in the Domain field, and then click Add. To
remove a domain name from the group, select it, and then click Delete.
3. Click the Save icon.
Note: You can override the grid-level settings at the member level.
Managing Licenses
Licenses come pre-installed on a NIOS appliance according to the software packages you ordered at the time of
purchase. If you wish to upgrade an existing appliance with the Keystone license, you must contact Infoblox Technical
Support and follow the procedures in Obtaining and Adding a License on page 149.
There are three types of licenses:
Maintenance licenses: Examples are the NIOS and Keystone maintenance licenses. The duration of a maintenance
license is one, two, or three years. You can obtain these licenses from your Infoblox sales representative.
Service licenses: Examples are DNS, DHCP, and Keystone. These are permanent licenses. You can obtain these
licenses from your Infoblox sales representative.
Temporary licenses: You can enable one of several sets of temporary service licenses through the CLI
command set temp_license. These licenses last for 60 days.
Two weeks before a maintenance license or a temporary license expires, an expiration warning appears during the
GUI login process. The warning reappears during each login until you renew the license. To renew a license, contact
your Infoblox sales representative. If you decide not to renew an expired license and want to stop the warning from
reappearing, do the following:
1. Back up the configuration and database as described in Backing Up and Restoring a Configuration File on
page 222.
2. Log in to the Infoblox CLI, enter the show license command, and save all the license key strings.
3. Remove all the licenses, and the entire configuration and database, by entering the reset all
licenses command. For details, see Removing Licenses on page 149.
4. Add the unexpired licenses back to the appliance using either the Infoblox GUI or CLI.
5. Restore the backup file as described in Backing Up and Restoring a Configuration File on page 222.
Viewing the Installed Licenses on a NIOS Appliance
If the appliance you are identifying is part of a grid, you must log in to the master GUI for the grid to view the licenses
installed. If the appliance is deployed as a single independent appliance, log in to the GUI for that appliance.
To view the licenses installed on a NIOS appliance, follow these steps:
1. Log in to the Infoblox GUI using a superuser account.
2. From the Grid or Device perspective, click hostname -> View -> Properties.
3. Click the + icon beside the License section to expand it and view the licenses installed on the appliance.
Obtaining a 60-Day Temporary License
You can use the CLI command set temp_license to generate and install temporary 60-day licenses. This can
provide licensed features and functionality for the interim, while you wait for your permanent license to arrive.
To generate a temporary license:
1. Log in to the NIOS appliance through a remote console window. For more information on how to open a remote
console window, see the User Guide for your appliance.
2. After the Infoblox command prompt, enter the following command:
set temp_license
The following options appear:
1. DNSone (DNS, DHCP)
2. DNSone with Keystone (DNS, DHCP, Grid)
3. Network Services for Alcatel-Lucent VitalQIP (QIP, Grid)
4. Network Services for Voice (DHCP, Grid)
5. Network Services for Authentication (RADIUS, Grid)
6. Network Services Suite (DNS, DHCP, RADIUS, Grid)
7. Add DNS Server license
8. Add DHCP Server license
9. Add RADIUS Server license
10. Add Grid license
3. Enter the number for the license you want to install.
4. Confirm the selection when prompted, and the following message appears:
Temporary license is installed.
Obtaining and Adding a License
A valid Keystone license is required for grid NIOS appliance deployments. You can upgrade existing independent
appliances to use a Keystone license and then add them to a grid. To upgrade your license, contact your Infoblox sales
representative.
To add a license:
1. Log in to the Infoblox GUI using a superuser account.
2. From the Grid or Device perspective, click hostname -> Edit -> Add License.
3. In the Add License dialog box, copy the hardware ID and serial number of your appliance and paste this
information into an e-mail to Infoblox Support.
4. When you receive the license key, use the shortcut keys Ctrl-C (for copy) and Ctrl-V (for paste) to copy the license
key from the response e-mail, and then paste it in the Enter license string field.
5. Click OK to close the Add License dialog box.
6. Close the browser window and log in to the Infoblox GUI.
7. If you are activating licenses for an HA pair, you must repeat this procedure for the second node.
Removing Licenses
You can remove licenses and reset a NIOS appliance to its factory default settings. For example, if you have a NIOS
appliance running the DNSone package with the Keystone upgrade, but you want to use it as an independent
appliance and manage it through the Device Manager GUI, you can do the following:
1. Log in to the NIOS appliance CLI (locally through the Console port or remotely through an SSHv2 connection)
and use the show license command to view all the licenses installed on the appliance.
The output of the show license command looks similar to the following:
Infoblox > show license
Version: 4.0r1
Hardware ID: ecafc0c469e8c75eb59cb7e4b5912a6
License Type: Keystone DVS
Expiration Date: 11/04/2006
License String: GQAAAAOS5WYrGV/JEzH6wrHYQ8L1b25y3Y+VPPY=
License Type: DNS
Expiration Date: Permanent
License String: EQAAAAKS4n90WFGNUSirwvyUT9/z
License Type: DHCP
Expiration Date: Permanent
License String: EgAAAAKU8nMlRBzcTWX63rHYFoymOQ==
License Type: Keystone Maintenance
Expiration Date: 11/04/2006
License String: GwAAAA2Z6HAtBkPFPyfzg/yVRsLzI2x0kYyKaPb22g==
License Type: NIOS Maintenance
Expiration Date: 11/04/2006
License String: GwAAAAiV/nAGGljQEDv0h/yVRsLzI2x0kYyKb/P20Q==
2. Copy the output of the show license command, and save it to a text file on your management system.
3. Reset the NIOS appliance and remove all the licenses by entering the reset all licenses command.
4. This command returns all settings to their default values and removes all licenses.
Infoblox > reset all licenses
The entire system will be erased to default settings and all licenses will be removed.
WARNING: THIS WILL ERASE ALL DATA AND LOG FILES THAT HAVE BEEN CREATED ON THIS SYSTEM.
ARE YOU SURE YOU WANT TO PROCEED? (y or n): y
The application restarts with the default settings and no licenses.
5. Log in to the CLI through the Console port, and check that all the licenses are gone by entering the
show license command.
Infoblox > show license
Version: 4.0r1
Hardware ID: ecafc0c469e8c75eb59cb7e4b5912a6
Infoblox >
6. Add back only the DNS, DHCP, and NIOS Maintenance licenses by entering the set license command and
then copying and pasting the text string for each license:
Infoblox > set license
Enter license string: EQAAAAKS4n90WFGNUSirwvyUT9/z
Install license? (y or n): y
License is installed.
Infoblox > set license
Enter license string: EgAAAAKU8nMlRBzcTWX63rHYFoymOQ==
Install license? (y or n): y
License is installed.
Infoblox > set license
Enter license string: GwAAAAiV/nAGGljQEDv0h/yVRsLzI2x0kYyKb/P20Q==
Install license? (y or n): y
License is installed.
7. To check that the licenses are now installed, enter the show license command.
When you next log in to the GUI, the Infoblox Device Manager appears instead of the Infoblox Grid Manager.
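The guide says the GUI warns two weeks before a maintenance or temporary license expires, and the procedure above has you save the show license output before a reset. The following script is an added example, not part of the Infoblox guide: it parses saved show license output (the sample below is the transcript printed above), applies the same 14-day window from a management host, and lists the license strings that are still worth adding back. The reference date passed in is the only input beyond the saved output.

```python
"""Parse NIOS `show license` output and flag licenses that are about to expire.

Added example (not part of the Infoblox guide). The guide's GUI warning fires
two weeks before a maintenance or temporary license expires; this applies the
same window to `show license` text saved from the CLI. SAMPLE_OUTPUT is the
transcript printed in the guide's Removing Licenses procedure.
"""
from datetime import date, datetime

WARNING_WINDOW_DAYS = 14  # the guide's "two weeks before expiry" warning window

SAMPLE_OUTPUT = """\
Infoblox > show license
Version: 4.0r1
Hardware ID: ecafc0c469e8c75eb59cb7e4b5912a6
License Type: Keystone DVS
Expiration Date: 11/04/2006
License String: GQAAAAOS5WYrGV/JEzH6wrHYQ8L1b25y3Y+VPPY=
License Type: DNS
Expiration Date: Permanent
License String: EQAAAAKS4n90WFGNUSirwvyUT9/z
License Type: DHCP
Expiration Date: Permanent
License String: EgAAAAKU8nMlRBzcTWX63rHYFoymOQ==
License Type: Keystone Maintenance
Expiration Date: 11/04/2006
License String: GwAAAA2Z6HAtBkPFPyfzg/yVRsLzI2x0kYyKaPb22g==
License Type: NIOS Maintenance
Expiration Date: 11/04/2006
License String: GwAAAAiV/nAGGljQEDv0h/yVRsLzI2x0kYyKb/P20Q==
"""


def parse_show_license(text):
    """Return (hardware_id, [license dicts]) from `show license` output.

    Each license dict has keys: type, expires (a date, or None when the
    output says Permanent) and string (the key needed to re-install it).
    """
    hardware_id = None
    licenses = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Hardware ID:"):
            hardware_id = line.split(":", 1)[1].strip()
        elif line.startswith("License Type:"):
            current = {"type": line.split(":", 1)[1].strip(), "expires": None, "string": None}
            licenses.append(current)
        elif line.startswith("Expiration Date:") and current is not None:
            value = line.split(":", 1)[1].strip()
            if value.lower() != "permanent":
                current["expires"] = datetime.strptime(value, "%m/%d/%Y").date()
        elif line.startswith("License String:") and current is not None:
            current["string"] = line.split(":", 1)[1].strip()
    return hardware_id, licenses


def classify(license_info, today):
    """Map one parsed license to permanent / valid / expiring / expired."""
    expires = license_info["expires"]
    if expires is None:
        return "permanent"
    days_left = (expires - today).days
    if days_left < 0:
        return "expired"
    if days_left <= WARNING_WINDOW_DAYS:
        return "expiring"  # inside the guide's two-week warning window
    return "valid"


def license_report(text, today):
    """Return {license type: status} for every license in the output."""
    _, licenses = parse_show_license(text)
    return {lic["type"]: classify(lic, today) for lic in licenses}


def unexpired_strings(text, today):
    """License strings still worth saving before `reset all licenses`:
    everything that has not already expired as of `today`."""
    _, licenses = parse_show_license(text)
    return [lic["string"] for lic in licenses if classify(lic, today) != "expired"]


if __name__ == "__main__":
    for name, status in license_report(SAMPLE_OUTPUT, date(2006, 10, 25)).items():
        print(f"{name:22s} {status}")
```

Run it against a copy of your own show license output; the report uses the date you pass in, so it can also be run from a scheduled job on the management system rather than waiting for the next GUI login.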
Shutting Down, Rebooting, and Resetting a NIOS Appliance
To reboot and shut down a NIOS appliance, you can use the Infoblox Manager GUI or the Infoblox CLI. To reset a NIOS
appliance, you must use the Infoblox CLI.
Rebooting a NIOS Appliance
You can reboot a single NIOS appliance, a single node in an HA pair, or both nodes in an HA pair.
To reboot a single NIOS appliance or one or both nodes in an HA pair using the GUI:
1. From the Grid or Device perspective, click hostname -> Edit -> Reboot.
2. For an HA pair, choose whether to reboot one node (and which one) or both nodes, and then click OK.
To reboot a single NIOS appliance using the CLI:
1. Log in to the Infoblox CLI using a superuser account for the NIOS appliance that you intend to reboot.
2. Enter the following CLI command: reboot
Shutting Down a NIOS Appliance
Under normal circumstances, you do not need to turn off or shut down a NIOS appliance. It is designed to operate
continuously. However, if you want to turn off a NIOS appliance and it is inconvenient to turn off the power switch,
you can shut down the NIOS appliance using the GUI. Before shutting down a remote appliance, make sure you can
restart it. You cannot restart the system using the GUI.
Note: If there is a disruption in power when the NIOS appliance is operating, the NIOS appliance automatically
reboots itself when power is restored.
To shut down a NIOS appliance using the GUI:
1. Log in to the Infoblox Manager GUI using a superuser account.
2. From the Grid or Device perspective, click hostname -> Edit -> Shutdown.
3. For an HA pair, choose whether to shut down one node (and which one) or both nodes, and then click OK.
The NIOS appliance shuts down. The fans might continue to operate until the appliance cools down.
To shut down a NIOS appliance using the CLI:
1. Log in to the Infoblox CLI using a superuser account.
2. Enter the following CLI command: shutdown
Resetting a NIOS Appliance
There are three ways to reset a NIOS appliance:
• Resetting the Database on page 152
• Resetting a NIOS Appliance to Factory Settings on page 152
• Resetting the NIOS Appliance to Factory Settings and Removing Licenses on page 152
You can perform these functions only through the CLI.
Resetting the Database
You can reset the database if you lose the administrator account and password or if you want to clear the database
but preserve the log files to diagnose a problem. This function removes the configuration files, and the DNS and DHCP
data from the appliance database. During this procedure, you are given the option to preserve the network settings
of the appliance, which are the IP address and subnet mask, the IP address of the gateway, the host name, and the
remote access setting.
To reset the database:
1. Log in to the Infoblox CLI using a superuser account.
2. Enter the following CLI command: reset database
The appliance then displays a message similar to the following:
The following network settings can be restored after reset:
IP Address: 10.1.1.10
Subnet Mask: 255.255.255.0
Gateway: 10.1.1.1
Host Name: ns1.corp100.com
Remote Console Access: true
The entire database will be erased.
Do you wish to preserve basic network settings? (y or n)
3. Press the Y key to preserve the network settings or the N key to return the network settings to their default values
(192.168.1.2, 255.255.255.0, 192.168.1.1).
Resetting a NIOS Appliance to Factory Settings
You can reset a NIOS appliance to its original factory settings. This removes the database, network settings, logs, and
configuration files. Then, it reboots with its factory settings, which are the default user name and password, and
default network settings. When you perform this procedure, the appliance does not give you the option to preserve
your network settings.
Note: If you have previously imported HTTPS certificates, the appliance regenerates the certificates and replaces
them.
To reset the NIOS appliance to its factory settings:
1. Log in to the Infoblox CLI using a superuser account.
2. Enter the following CLI command: reset all
Resetting the NIOS Appliance to Factory Settings and Removing Licenses
You can also reset a NIOS appliance to its original factory settings and remove all the licenses installed on the
appliance. This removes the database, network settings, logs, configuration files, and licenses. The appliance then
reboots with its factory settings, which are the default user name and password, and default network settings.
Note: If you have previously imported HTTPS certificates, the NIOS appliance regenerates the certificates and
replaces them.
To reset the NIOS appliance to its factory settings and remove all its licenses:
1. Log in to the Infoblox CLI using a superuser account.
2. Enter the following CLI command: reset all licenses
Managing the Disk Subsystem on the Infoblox-2000
Among its many features, the Infoblox-2000 uses redundant disk drives in a RAID 10 array. This configuration
provides an optimum mix of performance and fully redundant data storage, with recovery features in the event
of disk failures. The disk array is completely self managed. There are no maintenance or special procedures required
to service the disk subsystem.
Caution: It is important to never remove more than one disk at a time from the array. Removing two or more disks at
once can cause a failure and possibly an unrecoverable condition.
About RAID 10
RAID 10 (sometimes called RAID 1+0) is a stripe of mirrors. This means that the array combines, or stripes,
multiple disk drives, creating a single logical volume (RAID 0). Striping disk drives improves database write
performance over a single disk drive for large databases. The disks are also mirrored (RAID 1), so that each disk in
the logical volume is fully redundant. Please see Figure 4.12.
Figure 4.12 RAID 10 Array Configuration
[Figure: a RAID 0 stripe across two RAID 1 mirrors; one mirror holds Disk 1 Primary and Disk 1 Backup, the other Disk 2 Primary and Disk 2 Backup]
When evaluating a fault on the Infoblox-2000, it is best to think of the disk subsystem as a single, integrated unit with
four components, rather than four independent disk drives.
Evaluating the Status of the Disk Subsystem
You can monitor the disk subsystem through the Infoblox GUI, the scrolling front panel LCD display, and four front
panel LEDs next to the disk drives. In addition, you can monitor the disk status by using the CLI command show
hardware_status.
The Detailed Status panel provides a detailed status report on the appliance and service operations. To see a detailed
status report, from the Grid perspective, select grid, and then click View -> Detailed Status. After displaying the
Detailed Status panel, you can view the status of individual grid members and services by selecting them in the Grid
panel. For more information on the Detailed Status Panel, see Viewing Detailed Status on page 160.
The RAID icon indicates the status of the RAID array on the Infoblox-2000.
Icon Color  Meaning
Green       The RAID array is functioning properly.
Yellow      A new disk was inserted and the RAID array is rebuilding.
Red         The RAID array is degraded. At least one disk is not functioning properly. The GUI lists the disks
            that are online. Replace only the disks that are offline.
Appliance Front Panel
The disk drives are located on the right side of the appliance front panel. To the right of each drive there is an LED
that displays the status of each drive.
Table 4.4 Disk Drive LEDs
LED Color  Condition                        Action
Green      Disk operating normally          None
Yellow     Disk read/write activity         Disk is functioning normally or is synchronizing if recently
                                            inserted.
Dark       Disk has failed or not inserted  Verify the failure in the GUI or CLI. Remove the disk and
                                            replace with a functional disk drive. Note that the drive
                                            rebuilds with its twin.
In addition, the front panel LCD scrolls and displays the disk array status every 20 seconds.
Replacing a Failed Disk Drive
The Infoblox-2000 was designed to provide continuous operation in the event of a failed disk. Hot-swapping a disk
drive is a simple process that does not require issuing commands or a GUI operation. To replace a disk drive, follow
this procedure:
1. Identify and verify the failed drive via the Grid Manager, front panel LCD, or CLI.
2. If the activity light is green or blinking yellow, make sure you have identified the correct drive. There are
conditions where a drive could be in the process of failing and still be green or yellow.
Note: Do not remove a correctly functioning drive.
3. Push in the latch for the drive and pull the release lever out towards you.
4. When the drive disengages, slide it out of the slot.
Replacement drives are shipped as a complete unit, ready to insert into the appliance. There is no preparation
required. To install a replacement drive, follow this procedure:
1. Insert the replacement drive into the drive bay slot.
2. Gently slide the drive into place. When you feel the release lever engage, continue applying gentle pressure to
the drive while pushing the release lever towards the appliance.
3. The release lever locks into place and the LED next to the disk drive lights up. Note that if the alarm buzzer is
sounding, it automatically turns off about 20 seconds after the drive is inserted.
4. The disk drive automatically goes into rebuild mode.
Disk Array Guidelines
Infoblox has designed the disk array to be completely self managing. There are no maintenance procedures required
for a normally functioning disk array. Mishandling the disk array can cause an unrecoverable error that could result
in a failed appliance. Following are some guidelines for managing the disk array:
• Only remove one disk at a time. Never remove two or more disks from the appliance at once. This rule includes a
powered down appliance.
• There is no way to know the arrangement of the primary and backup disk drives in the RAID 10 array.
• You can hot swap a drive while the appliance remains in production.
• There is never a condition that requires you to power down the appliance or unmount a disk drive to replace a
failed unit.
• If you inadvertently remove the wrong disk drive, do not immediately remove the disk drive you originally
intended to remove. Verify the status of the array before removing another drive. Removing a second drive could
render the appliance inoperable.
• If a drive has failed, there is an audio alarm buzzer. The alarm automatically stops about 20 seconds after a
functional disk has been inserted into the array.
• Only remove failed or failing disk drives. Never remove an optimally functioning drive.
• In the unlikely event that two disk drives fail simultaneously and the appliance is still operational, remove and
replace the failed disk drives one at a time.
• Rebuild time can vary. The rebuild process takes approximately two hours on an idle appliance. On very busy
appliances (over 90% utilization), the disk rebuild process can take as long as 40 hours. On a grid master
serving a very large grid, the rebuild process could take at least 24 hours.
• If your acceptance procedures require a test of the RAID hot-swap features, any drive can be removed, but only
one disk drive at a time should be removed. Removing two disks has a 50% probability of an appliance failure.
Removing more than two disks results in an appliance failure and requires an RMA of the appliance.
Restarting Services
Whenever you make a change (such as adding a zone, network, or range), click the Restart icon to restart services.
You can restart the DNS, DHCP, RADIUS, and VitalQIP services after you make configuration changes. You can also
specify a future restart time.
You can restart services at the grid level or the member level as described in:
• Restarting Grid Services on page 156
• Restarting Member Services on page 157
The following rules apply to superusers and limited-access users:
• You can cancel a schedule that you create to restart services. A superuser can cancel any scheduled restarts.
• Only a superuser or administrators with read and write permission to all of the grid members can schedule a
grid restart.
• When a superuser schedules a grid restart, a limited-access user cannot schedule a member-level restart.
• Limited-access users cannot cancel a superuser's scheduled changes.
• Limited-access users cannot create or modify a schedule for a grid member if a schedule for the member
(created by another user) already exists.
The system writes every scheduled change action to the audit log as follows:
USER logon_id action service restart schedule 'schedule' on grid (or member) grid name
or member node id
For example:
USER jdoe insert service restart schedule '02/20/2007 01:30:00' on grid Infoblox
USER jdoe deleted service restart schedule '02/22/2007 01:30:00' on node id 3
For more information on the audit log, see Using the Audit Log on page 170.
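The audit-log format above is regular enough to parse, which is how a reviewer would check who is scheduling restarts and when. The script below is an added example, not part of the Infoblox guide: it parses the restart-schedule entries, pairs each deletion with the insert it cancels, and lists grid-wide schedules by logon ID (the guide restricts those to superusers and administrators with read/write access to all members). The sample lines are the two from the guide plus constructed ones, and the maintenance window used by one check is an assumption for the example, not an Infoblox setting.

```python
"""Parse NIOS audit-log lines that record scheduled service restarts.

Added example (not from the Infoblox guide). The guide documents the line
format:
  USER logon_id action service restart schedule 'schedule' on grid <name>
  USER logon_id action service restart schedule 'schedule' on node id <n>
SAMPLE_LOG holds the guide's two example lines plus constructed lines (marked
in the string). The 01:00-05:00 maintenance window is an assumption.
"""
import re
from datetime import datetime, time

SCHEDULE_RE = re.compile(
    r"^USER (?P<user>\S+) (?P<action>\S+) service restart schedule "
    r"'(?P<when>[^']+)' on (?:grid (?P<grid>\S+)|node id (?P<node>\d+))$"
)

SAMPLE_LOG = """\
USER jdoe insert service restart schedule '02/20/2007 01:30:00' on grid Infoblox
USER jdoe insert service restart schedule '02/22/2007 01:30:00' on node id 3
USER jdoe deleted service restart schedule '02/22/2007 01:30:00' on node id 3
USER mlee insert service restart schedule '02/21/2007 14:05:00' on node id 7
USER admin insert service restart schedule '02/23/2007 02:00:00' on grid Infoblox
USER mlee some other audit entry (constructed line, ignored by the parser)
"""
# Lines 1 and 3 are the guide's examples; lines 2, 4, 5 and 6 are constructed.


def parse_schedule_events(text):
    """Return a list of dicts (user, action, when, target) for each
    restart-schedule entry; other audit entries are skipped."""
    events = []
    for line in text.splitlines():
        m = SCHEDULE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "user": m["user"],
            "action": m["action"],  # the guide shows 'insert' and 'deleted'
            "when": datetime.strptime(m["when"], "%m/%d/%Y %H:%M:%S"),
            "target": ("grid", m["grid"]) if m["grid"] else ("member", int(m["node"])),
        })
    return events


def pending_restarts(events):
    """Collapse inserts and deletions into the schedules still outstanding.

    A 'deleted' entry cancels an earlier insert for the same target and
    time, which is what the GUI's Cancel Restart writes to the log.
    """
    pending = {}
    for ev in events:
        key = (ev["target"], ev["when"])
        if ev["action"] == "insert":
            pending[key] = ev
        elif ev["action"] == "deleted":
            pending.pop(key, None)
    return list(pending.values())


def outside_window(events, window_start=time(1, 0), window_end=time(5, 0)):
    """Schedules whose restart time falls outside the assumed maintenance
    window. Service restarts interrupt DNS/DHCP briefly, so a daytime
    schedule is worth a second look."""
    return [ev for ev in events if not (window_start <= ev["when"].time() < window_end)]


def grid_restarts_by_user(events):
    """Sorted logon IDs that scheduled grid-wide restarts."""
    return sorted({ev["user"] for ev in events
                   if ev["target"][0] == "grid" and ev["action"] == "insert"})


if __name__ == "__main__":
    evs = parse_schedule_events(SAMPLE_LOG)
    for ev in outside_window(pending_restarts(evs)):
        print("outside window:", ev["user"], ev["target"], ev["when"])
    print("grid restarts scheduled by:", grid_restarts_by_user(evs))
```

Feed it the audit log downloaded from the appliance (see Using the Audit Log on page 170); compare the list from grid_restarts_by_user against the accounts you expect to hold grid-wide restart rights.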
Restarting Grid Services
Only a superuser or administrators with read and write permission to all grid members can schedule a grid restart.
You can restart services at the grid level either simultaneously or sequentially, and also specify the restart services
time.
After you enter a specific date and time, the system schedules to restart services at the specified time on each grid
member, one by one. To restart services at the grid level:
1. Click the Restart Services icon.
The Restart Grid Services dialog box appears.
2. Enter the following in the Restart services on all members section:
   • Simultaneously: Restarts the services on all of the members in a grid at the same time.
   • Sequentially: This is the default option. Restarts the services on each grid member according to the
     number of seconds you enter in the Sequential Delay field. For example, if you enter the sequential
     delay as 10 seconds, the system restarts services on the first member, and 10 seconds later on the
     second member.
3. Select one of the following options in the Restart services time section:
   • Immediately: Restarts services at once.
   • Scheduled: Enter the following information to schedule all grid members to restart at a certain date and
     time:
     - Date: Enter the date on which the services should restart in MM/DD/YYYY (month/day/year)
       format.
     - Time: Enter the time in hh:mm:ss (hours: minutes: seconds) format. Hours must be a numeric
       value between 0 and 23. For example, if you make the change at 10:00 a.m. on Wednesday and
       want the change to occur at 10:30 p.m., enter 22:30:00.
     - Time Zone: Select a time zone from the drop-down menu. The drop-down menu displays the grid
       default time (see Changing Time Zone Settings on page 117). However, you can select a different
       time zone. For example, if the grid default time zone is Eastern time and you are in California, you
       can schedule a restart in the Pacific time zone. Enter the date and time and select the Pacific time
       zone and click the Save icon. When you invoke the GUI the next time, the system calculates the
       time difference between the two time zones and displays the scheduled time in the grid default
       time zone (Eastern time).
   Note: The NIOS appliance converts the time zone to the grid default time zone only after you save and reinvoke
   the GUI.
   Click the Show Details button to view the following restart services details: IP address of the grid
   members that are restarting, services that are restarting (such as DNS, DHCP, and RADIUS), the restart
   date and time, and the time zone.
4. Click OK.
The Restart Services icon changes from the Infoblox logo to a clock to indicate that a restart has been scheduled.
Restarting Member Services
The member restart time always supersedes the grid restart time. If the member restart time is later than the grid
restart time, then the member restarts services at its scheduled time. If the member restart time is ahead of the grid
restart time, then the member restarts services at its scheduled restart time, and again during the grid restart time.
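The rules in Restarting Grid Services and in the paragraph above (sequential delay between members, a schedule entered in one time zone but displayed in the grid default zone, and a member schedule superseding the grid schedule, with a second restart when the member's own time comes first) can be previewed before anyone clicks OK. The script below is an added example, not part of the Infoblox guide or its software; the member names and the two zone names are constructed, and the fixed-offset fallback (standard time only) is an assumption for hosts without a time zone database.

```python
"""Preview when each grid member restarts under a scheduled restart.

Added example (not from the Infoblox guide). It applies the rules the guide
states: sequential grid restarts stagger members by the Sequential Delay; a
schedule entered in one time zone is shown in the grid default zone after
you save and reopen the GUI; a member schedule supersedes the grid schedule,
and a member whose own time is earlier restarts at its time and again at the
grid time. Member names and zone names are constructed for the example.
"""
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
except ImportError:  # Python < 3.9
    ZoneInfo = None

# Fixed-offset fallback for hosts without a tz database (standard time only;
# an assumption for the example, not an Infoblox setting).
FIXED_OFFSETS = {"America/New_York": -5, "America/Los_Angeles": -8}


def tz(name):
    """Resolve a zone name, falling back to a fixed offset if needed."""
    if ZoneInfo is not None:
        try:
            return ZoneInfo(name)
        except Exception:
            pass
    return timezone(timedelta(hours=FIXED_OFFSETS[name]), name)


def parse_schedule(date_str, time_str, zone):
    """Date in MM/DD/YYYY and time in hh:mm:ss, exactly as typed in the dialog,
    interpreted in the zone chosen from the Time Zone drop-down."""
    naive = datetime.strptime(f"{date_str} {time_str}", "%m/%d/%Y %H:%M:%S")
    return naive.replace(tzinfo=tz(zone))


def display_in_default_zone(when, default_zone):
    """What the GUI shows for the schedule after you save and reinvoke it."""
    return when.astimezone(tz(default_zone)).strftime("%m/%d/%Y %H:%M:%S")


def grid_restart_plan(members, grid_time, sequential_delay=None):
    """Map member name -> restart time for a grid-level restart.

    sequential_delay=None means Simultaneously; otherwise each member
    restarts `sequential_delay` seconds after the previous one.
    """
    plan = {}
    for i, member in enumerate(members):
        offset = timedelta(seconds=i * sequential_delay) if sequential_delay else timedelta(0)
        plan[member] = grid_time + offset
    return plan


def member_restart_times(grid_time_for_member, member_time=None):
    """Effective restart times for one member under the precedence rule."""
    if member_time is None:
        return [grid_time_for_member]
    if member_time < grid_time_for_member:
        # Member time is ahead of the grid time: restarts at its own time,
        # then again with the grid.
        return [member_time, grid_time_for_member]
    return [member_time]


if __name__ == "__main__":
    grid = parse_schedule("02/20/2007", "22:30:00", "America/Los_Angeles")
    print("shown in grid default zone:", display_in_default_zone(grid, "America/New_York"))
    plan = grid_restart_plan(["ns1", "ns2", "ns3"], grid, sequential_delay=10)
    for name, when in plan.items():
        print(name, when.isoformat())
```

The preview is only as good as the time zone data on the management host, which is why the zone resolution is isolated in tz(); on a host with a current tz database, dates inside daylight-saving periods are handled as well.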
To restart member services:
1. Click the Restart Services icon.
The Restart Member Services dialog box appears.
2. You can specify whether the member should restart services when necessary or you can force it to restart
services. Select one of the following under the Restart services section:
   • Restart services (if needed): This option restarts all active DNS, DHCP, RADIUS, and VitalQIP proxy
     services if there are any changes requiring a service restart. To see which services are enabled and
     must be restarted, click Show Details.
   • Force restart services: This option forces all active services to restart regardless of their state.
3. Select one of the following options in the Restart services time section:
   • Immediately: Restarts services instantly.
   • Scheduled: Enter the date, time, and select the time zone as follows:
     - Date: Specify the date on which the services should restart in MM/DD/YYYY (month/day/year)
       format.
     - Time: Specify the time in hh:mm:ss (hours: minutes: seconds) format. Hours must be a numeric
       value between 0 and 23. For example, if you make the change at 10:00 a.m. on Wednesday and
       want the change to occur at 10:30 p.m., enter 22:30:00.
     - Time Zone: Select a time zone from the drop-down menu. The drop-down menu displays the
       member default time zone (see Changing Time Zone Settings on page 117). But, you can select a
       different time zone when you create the schedule. For example, if the member default time zone is
       Eastern time and you are in California, you can schedule a restart in the Pacific time zone. Enter the
       date and time and select the Pacific time zone and click the Save icon. When you invoke the GUI
       the next time, the system calculates the time difference between the two time zones and displays
       the scheduled time in the member default time zone (Eastern time).
   Note: The NIOS appliance converts the time zone to the grid default time zone only after you save and reinvoke
   the GUI.
   Click the Show Details button to view the following restart services details: IP addresses of the
   members that are restarting, services that are restarting (such as DNS, DHCP, and RADIUS), the restart
   date and time, and the time zone.
The Restart Services icon changes from the Infoblox logo to a clock to indicate that a restart has been scheduled.
Canceling a Scheduled Restart
Limited-access users can only cancel a schedule that they created. Superusers can cancel a schedule that any user
created. You can cancel scheduled changes for the grid only from the grid level and scheduled changes for the
member only from the member level.
You can cancel a scheduled restart either by using the Manage Restart Services option or by resetting the restart
services time to Immediately (instead of selecting Scheduled) in the Restart Member Services dialog box.
Use the following steps to cancel a scheduled restart using the Manage Restart Services option. When you use this
option, the system cancels the schedule to restart services on the member or grid and does not restart services.
1. From the Grid or Device perspective, select the drop-down menu next to the clock icon in the GUI.
2. Select Manage Restart Services.
The Manage Grid Services dialog box or the Manage Device Services dialog box appears.
3. Click Cancel Restart.
The Cancel Schedule Warning message appears.
4. Click Yes and click OK.
The Restart Services icon in the GUI changes back from the clock icon to the Infoblox logo provided there is
no other scheduled restart.
Use the following steps to cancel a scheduled restart by resetting the restart services time. When you use this option,
the system cancels the scheduled restart and restarts the services on the member or the grid at once.
1. From the Grid or Device perspective, click the grid or the member.
2. Select the drop-down menu next to the clock icon in the GUI.
3. Select Restart Member Services or Restart Grid Services.
The Restart Member Services or Restart Grid Services dialog box appears.
4. Select Immediately in the Restart services time section and click OK.
The Cancel Schedule Warning message appears.
5. Click Yes and click OK.
The Restart Services icon in the GUI changes back from the clock icon to the Infoblox logo provided there is
no other scheduled restart.
Chapter 5 Monitoring the Appliance
This chapter describes the status icons in the Infoblox GUI that indicate the state of appliances, services, database
capacity, ethernet ports, HA, and grid replication. It also explains how to use the various logs and the traffic capture
tool to monitor a NIOS appliance. You can set the monitoring parameters at the grid and member levels.
The topics in this chapter include:
• Viewing Detailed Status on page 160
  - Appliance Status on page 160
  - Service Status on page 160
  - DB Capacity Used on page 161
  - Disk Usage on page 161
  - HA, LAN, or MGMT Port on page 162
  - LCD on page 162
  - Memory Usage on page 162
  - Replication on page 163
• Using a Syslog Server on page 165
  - Specifying Syslog Servers on page 165
  - Configuring Syslog for a Grid Member on page 166
  - Setting DNS Logging Categories on page 167
  - Viewing the Syslog on page 168
  - Searching for Text on page 168
  - Downloading the Syslog File on page 169
• Monitoring Tools on page 170
  - Using the Audit Log on page 170
  - Using the Replication Log on page 172
  - Using the Traffic Capture Tool on page 173
Viewing Detailed Status
The NIOS GUI changes the color of status icons to indicate the state of appliances, services, database capacity,
ethernet ports, HA, and grid replication. For the Infoblox-1552 and 2000, the GUI displays status icons for the power
supplies. For the Infoblox-2000, the GUI displays icons to indicate the state of the RAID array and disk controller
backup battery.
To see a detailed status report for a grid, from the Grid perspective, select grid, and then click View -> Detailed Status.
After displaying the Detailed Status panel, you can view the status of individual grid members and services by
selecting them in the Grid panel.
The Detailed Status panel provides a detailed status report on the following appliance and service operations:
Appliance Status
The status icons indicate the operational status of a grid member and a general description about what it is currently
doing. The appliance status icon can be one of the following colors:
Icon Color  Meaning
Green       The appliance is operating normally in a running state.
Yellow      The appliance is connecting or synchronizing with its grid master.
Red         The grid member is offline, is not licensed (that is, it does not have a DNSone license with the
            Keystone upgrade that permits grid membership), is upgrading or downgrading, or is shutting
            down.
Following are some appliance descriptions that might appear in the Description column: Running, Offline,
Connecting, Synchronizing, Authentication Failed, Shared secret did not match, Not Licensed, SW Revision Mismatch,
Downloading Release from Master, and Shutting Down.
Service Status
After you enable DHCP, DNS, HTTP (for file distribution), RADIUS, TFTP, or VitalQIP services, the Infoblox GUI indicates
its status with a green or red icon. Because the status icons for NTP have a different meaning, those meanings are
explained in a separate table.
DHCP, DNS, HTTP (File Distribution), RADIUS, TFTP, or VitalQIP
Icon Color  Meaning
Green       A service is enabled and running properly.
Red         A service is enabled but not running. (A red status icon can also appear temporarily when a
            service is enabled and begins running, but the monitoring mechanism has not yet notified the
            GUI engine.)
NTP
Icon Color  Meaning
Green       NTP is enabled and running properly.
Yellow      (grid member) NTP is enabled and running properly on the grid master, but it is not running on
            this member, although it is enabled on this member.
Red         (grid master) NTP is enabled on the grid master, but it is not running on the master.
The type of information that can appear in the Description column for a service corresponds to SNMP trap messages.
DB Capacity Used
Status icons for DB Capacity Used indicate the current percentage of the database in use on a selected grid member.
The maximum is 100%.
Icon Color  Meaning
Green       Under 85% database capacity is currently in use.
Yellow      Over 85% database capacity is currently in use. When the capacity exceeds 85%, the icon
            changes from green to yellow and the NIOS appliance sends an SNMP trap.
Disk Usage
This indicates the percentage of the data partition on the hard disk drive currently in use.
Icon Color  Meaning
Green       Under 85% capacity
Yellow      Between 85% and 95% capacity
Red         Over 95% capacity
FAN
The status icon indicates whether the fan(s) are functioning. The corresponding description displays the fan speed.
Icon Color  Meaning
Green       All fans are functioning properly.
Red         At least one fan is not running.
HA, LAN, or MGMT Port
The status icons for the HA, LAN/LAN1, and MGMT ethernet ports indicate the state of their network connectivity.
Icon Color   Meaning
Green        The port is properly connected to a network. Its IP address appears in the Description column.
Red          The port is not able to make a network connection.
LCD
The LCD status icon indicates its operational status.
Icon Color   Meaning
Green        The LCD is functioning properly.
Red          The LCD process is not running.
Memory Usage
The status icon for memory usage indicates the current percentage of memory in use.
Icon Color   Meaning
Green        Under 90% capacity
Yellow       Between 90% and 95% capacity and increased activity
Red          Over 95% capacity and increased activity
Note: You can see more details about memory usage through the CLI command: show memory
Power Supply
The Infoblox-1552 and Infoblox-2000 have redundant power supplies. The power supply icon indicates the
operational status of the power supplies.
Icon Color   Meaning
Green        The power supplies are functioning properly.
Red          One power supply is not running. To find out which power supply failed, check the LEDs of the
             power supplies.
RAID
This icon indicates the status of the RAID array on the Infoblox-2000.
Icon Color   Meaning
Green        The RAID array is functioning properly.
Yellow       A new disk was inserted and the RAID array is rebuilding.
Red          The RAID array is degraded. At least one disk is not functioning properly. The GUI lists the disks
             that are online. Replace only the disks that are offline.
RAID Battery
This icon indicates the status of the disk controller backup battery on the Infoblox-2000.
Icon Color   Meaning
Green        The battery is charged. The description indicates the estimated number of hours of charge
             remaining on the battery.
Red          The battery is not charged.
Temperatures
This icon is always green. The description reports the CPU and system temperatures.
Replication
The current state of replication between a grid member and master or between the passive and active nodes in an HA
pair.
Grid Member <> Master
Icon Color   Meaning
Green        Grid communications are operating normally and ongoing database updates are occurring.
Yellow       The member is synchronizing itself with the master, and either complete or partial database
             replication is occurring. All master candidates receive the complete database. All regular
             members (that is, members not configured as master candidates) receive the section of the
             database that applies to themselves.
Red          The member and master are not replicating the database between themselves.
HA Pair Passive Node <> Active Node
Icon Color   Meaning
Green        HA communications are operating normally and database replication is occurring.
Yellow       The passive node is synchronizing itself with the active node, and database replication is
             occurring.
Red          The passive and active nodes are not replicating the database between themselves.
Using a Syslog Server
Syslog is a widely used mechanism for logging system events. NIOS appliances generate syslog messages which you
can view through the system log viewer and download to a directory on your management station. In addition, you
can configure a NIOS appliance to send the messages to one or more external syslog servers for later analysis. Syslog
messages provide information about appliance operations and processes. You can also include audit log messages
and specific BIND messages among the messages the appliance sends to the syslog server.
You can set syslog parameters at the grid and member levels. At the member level, you can override grid-level syslog
settings and enable syslog proxy.
The topics in this section include:
Specifying Syslog Servers on page 165
Configuring Syslog for a Grid Member on page 166
Setting DNS Logging Categories on page 167
Viewing the Syslog on page 168
Searching for Text on page 168
Downloading the Syslog File on page 169
Specifying Syslog Servers
To configure a NIOS appliance to send messages to a syslog server:
1. From the Grid perspective, click grid -> Edit -> Grid Properties.
or
From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid or Device editor, click Monitoring, and then enter the following:
Syslog
In addition to storing the system log on a grid member, you can configure the grid to send the log to an external
syslog server.
Override grid syslog settings: Select this check box to override grid-level settings and apply member-level
settings. Clear it to apply grid-level settings to this member. If Member Type is Riverbed, you must select
this check box to override grid-level settings. The appliance automatically configures the syslog size to
20MB for Riverbed members.
Syslog size (MBytes): Specify the maximum size of the syslog file. Enter a value from 10 to 300. The default
is 300MB.
When the syslog file reaches its maximum size, the appliance automatically writes the file into a new file by
adding a .0 extension to the first file and incrementing subsequent file extensions by 1.
Enable external syslog server: Select this check box to enable the NIOS appliance to send messages to a
specified syslog server.
Syslog Server Group: To define one or more syslog servers, click Add, enter the following, and then click OK:
Server Address: Type the IP address of a syslog server.
Connection Type: Specify whether the appliance uses TCP or UDP to connect to the external syslog
server.
Port: Specify the destination port number.
Out Interface: Specify the interface through which the appliance sends syslog messages to the syslog
server.
Severity Filter: Choose a filter from the drop-down list. When you choose a severity level, grid members
send messages for that severity level plus all messages for all severity levels above it. The lowest
severity level is debug (at the top of the drop-down list), and the highest severity level is emerg (at the
bottom of the list). Accordingly, if you choose debug, grid members send all syslog messages to the
server. If you choose err, grid members send messages with the severity levels err, crit, alert, and
emerg. If you choose emerg, they send only emerg messages.
Message Source: Specify which syslog messages the appliance sends to the external syslog server:
Internal: The appliance sends syslog messages that it generates.
External: The appliance sends syslog messages that it receives from other devices, such as syslog
servers and routers.
Any: The appliance sends both internal and external syslog messages.
Copy audit log messages to syslog: Select the check box for the NIOS appliance to include audit log
messages among the messages it sends to the syslog server. This function can be helpful for monitoring
administrative activity on multiple appliances from a central location.
Audit Log Facility: Choose the facility where you want the syslog server to sort the audit log messages.
3. Click the Save icon to save your settings.
Configuring Syslog for a Grid Member
You can override grid-level syslog settings and enable syslog proxy for individual members. When you enable syslog
proxy, the member receives syslog messages from specified devices, such as syslog servers and routers, and then
forwards these messages to an external syslog server. You can also enable appliances to use TCP for sending syslog
messages. TCP is more reliable than UDP; this reliability is important for the security, accounting, and auditing
messages sent through syslog.
To configure syslog parameters for a member:
1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties.
2. In the Grid Member editor, click Monitoring, and enter the following:
Syslog
In addition to storing the system log on a grid member, you can configure a member to send the log to a syslog
server.
Override grid syslog settings: Select the check box to override grid-level settings and apply member-level
settings. Clear it to apply grid-level settings to this member. If Member Type is Riverbed, you must select
this check box to override grid-level settings. The appliance automatically configures the syslog size to
20MB for Riverbed members.
Syslog size (MBytes): Specify the maximum size of the syslog file. Enter a value from 10 to 300. The default
is 300MB.
When the syslog file reaches its maximum size, the appliance automatically writes the file into a new file by
adding a .0 extension to the first file and incrementing subsequent file extensions by 1.
Enable external syslog server: Select this check box to enable the NIOS appliance to send messages to a
specified syslog server.
Syslog Server Group: To define one or more syslog servers, click Add, enter the following, and then click OK:
Server Address: Type the IP address of a syslog server.
Connection Type: Specify whether the appliance uses TCP or UDP to connect to the external syslog
server.
Port: Specify the destination port number.
Out Interface: Specify the interface through which the appliance sends syslog messages to the syslog
server.
Severity Filter: Choose a filter from the drop-down list. When you choose a severity level, the NIOS
appliance sends messages for that severity level plus all messages for all severity levels above it. The
lowest severity level is debug (at the top of the drop-down list), and the highest severity level is emerg
(at the bottom of the list). Accordingly, if you choose debug, the single appliance or active node in an
HA pair sends all syslog messages to the server. If you choose err, it sends messages with the
severity levels err, crit, alert, and emerg. If you choose emerg, it sends only emerg messages.
Message Source: Specify which syslog messages the appliance sends to the external syslog server:
Internal: The appliance sends syslog messages that it generates.
External: The appliance sends syslog messages that it receives from other devices.
Any: The appliance sends both internal and external syslog messages.
Enable syslog proxy: Select this check box to enable the appliance to receive syslog messages from other
devices, such as syslog servers and routers, and then forward these messages to an external syslog server.
Enable listening on TCP: Select this check box if the appliance uses TCP to receive messages from other
devices.
Port: Enter the number of the port through which the appliance receives syslog messages from other
devices.
Enable listening on UDP: Select this check box if the appliance uses UDP to receive messages from other
devices.
Port: Enter the number of the port through which the appliance receives syslog messages from other
devices.
Proxy Client Access Control: Click Add, enter the following in the Access Control Item dialog box, and then
click OK:
IP Address option: Select IP Address if you are adding the IP address of an appliance or select Network
if you are adding the network address of a group of appliances.
Address: Enter the IP address of the appliance or network.
Subnet Mask: If you entered a network IP address, you must also enter its subnet mask.
3. Click the Save icon to save your settings.
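The member-level settings above amount to three decisions the appliance makes for every message before it reaches the external syslog server: whether a proxied message's sender is on the Proxy Client Access Control list, whether the message's origin matches the Message Source setting, and whether its severity passes the Severity Filter (debug lowest, emerg highest, as the grid-level and member-level descriptions both state). The Python below is an added example that models those decisions on constructed sample messages; it is not Infoblox code and makes no claim about how NIOS implements them internally. The syslog `<PRI>` decoding (PRI = facility * 8 + severity code) follows the standard syslog format, and the addresses, hostnames and message texts are invented for the demonstration.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Severity names in the order the guide lists them in the Severity Filter drop-down:
# debug is the lowest level, emerg the highest. Position in this tuple is the rank.
SEVERITIES = ("debug", "info", "notice", "warning", "err", "crit", "alert", "emerg")


def severity_from_pri(pri: int) -> str:
    """Decode the <PRI> header of a syslog message.

    PRI = facility * 8 + severity code; the numeric code runs the other way
    round from the guide's ordering (emerg = 0 ... debug = 7).
    """
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return SEVERITIES[7 - pri % 8]


def passes_severity_filter(message_severity: str, filter_severity: str) -> bool:
    """True when the message is at the filter's level or any level above it.

    Choosing 'err' passes err, crit, alert and emerg; 'debug' passes everything.
    """
    return SEVERITIES.index(message_severity) >= SEVERITIES.index(filter_severity)


class ProxyAccessControl:
    """Model of the Proxy Client Access Control list: single addresses or networks."""

    def __init__(self) -> None:
        self._networks = []

    def add_address(self, address: str) -> None:
        # "IP Address" item: one device
        self._networks.append(ipaddress.ip_network(address, strict=False))

    def add_network(self, address: str, subnet_mask: str) -> None:
        # "Network" item: a network address plus its subnet mask
        self._networks.append(ipaddress.ip_network(f"{address}/{subnet_mask}", strict=False))

    def allows(self, sender: str) -> bool:
        ip = ipaddress.ip_address(sender)
        return any(ip in net for net in self._networks)


PRI_RE = re.compile(r"^<(\d{1,3})>")


def should_forward(raw: str, sender: Optional[str], acl: ProxyAccessControl,
                   filter_severity: str, message_source: str) -> Tuple[bool, str]:
    """Decide whether one message goes on to the external syslog server.

    sender is None for a message the appliance generated itself (Internal) and
    the source IP address for a message received via syslog proxy (External).
    message_source is "internal", "external" or "any", as in the GUI setting.
    """
    origin = "internal" if sender is None else "external"
    if sender is not None and not acl.allows(sender):
        return False, f"{sender} is not in the proxy client access control list"
    if message_source != "any" and message_source != origin:
        return False, f"message is {origin} but Message Source is {message_source}"
    m = PRI_RE.match(raw)
    if not m:
        return False, "no <PRI> header"
    try:
        severity = severity_from_pri(int(m.group(1)))
    except ValueError as exc:
        return False, str(exc)
    if not passes_severity_filter(severity, filter_severity):
        return False, f"severity {severity} is below the {filter_severity} filter"
    return True, f"forwarded ({severity})"


# Constructed sample messages: (raw syslog line, sender IP or None if appliance-generated).
SAMPLE_MESSAGES = [
    ("<27>Jun  1 12:00:00 ns1 named[1234]: zone example.test/IN: transfer failed", None),
    ("<30>Jun  1 12:00:01 ns1 named[1234]: client 10.1.1.5 query: www.example.test A", None),
    ("<186>Jun  1 12:00:02 rtr1 %SYS-2-MALLOCFAIL: memory allocation failed", "10.0.20.7"),
    ("<184>Jun  1 12:00:03 rtr9 %SYS-0-PANIC: system halted", "192.0.2.9"),
]


def run_sample(filter_severity: str = "err", message_source: str = "any") -> List[Tuple[bool, str]]:
    """Apply a constructed member configuration to the sample messages."""
    acl = ProxyAccessControl()
    acl.add_network("10.0.20.0", "255.255.255.0")   # a group of routers (constructed)
    acl.add_address("10.9.9.9")                      # one device (constructed)
    return [should_forward(raw, sender, acl, filter_severity, message_source)
            for raw, sender in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (raw, _), (fwd, why) in zip(SAMPLE_MESSAGES, run_sample()):
        print("FORWARD" if fwd else "DROP   ", why, "|", raw[:48])
```

With the filter set to err, the first message (`<27>`, severity err) and the router's `<186>` (crit, from an allowed network) are forwarded, the `<30>` query log (info) is dropped by the filter, and the `<184>` emergency from 192.0.2.9 is dropped before severity is even considered because its sender is not on the access control list; a proxy that skipped that check would let any host on the network inject log lines into the central server.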
Setting DNS Logging Categories
You can specify which of 14 BIND logging message categories you want syslog to capture, and furthermore, you can
filter these messages by severity. For information about severity types, refer to Using a Syslog Server on page 165.
To specify logging categories:
1. From the Grid perspective, click + (for grid) -> + (for Services) -> DNS -> Service Properties.
or
From the Device perspective, click + (for hostname) -> DNS -> Service Properties.
2. In the Grid DNS Properties editor, click Logging, and then enter the following:
Logging Facility: Select a facility from the drop-down list. This is the location on the syslog server to which
you want to sort the DNS logging messages.
Select one or more of these log categories:
Enable General: Records the BIND messages that are not specifically classified.
Enable Config: Records the configuration file parsing messages.
Enable DNSSEC: Records the DNSSEC-signed responses.
Enable Network: Records the network operation messages.
Enable Queries: Records the query response messages.
Enable Security: Records the approved and denied requests.
Enable Transfer-in: Records zone transfer messages from the remote name servers to the appliance.
Enable Transfer-out: Records zone transfer messages from the NIOS appliance to remote name servers.
Enable Update: Records the dynamic update instances.
Enable Resolver: Records the DNS resolution instances, including recursive queries from resolvers.
Enable Notify: Records the asynchronous zone change notification messages.
Enable Lame Servers: Records bad delegation instances.
Enable Database: Records BIND's internal database processes.
Enable Client: Records client requests.
3. Click the Save icon to save your settings.
4. Click the Restart Services icon if it flashes.
Viewing the Syslog
In addition to saving syslog messages to a remote syslog server, a NIOS appliance also stores the system messages
locally. When the syslog file reaches its maximum size, which is 300 MB for Infoblox appliances and 20 MB for NIOS
virtual appliances, the appliance automatically writes the file into a new file by adding a .0 extension to the first file
and incrementing subsequent file extensions by 1.
Files are compressed during the rotation process, adding a .gz extension following the numerical increment
(file.#.gz). The sequential incrementation goes from zero through nine. When the eleventh file is started, the first
log file (file.0.gz) is deleted, and subsequent files are renumbered accordingly. For example, the current log file
moves to file.0.gz, the previous file.0.gz moves to file.1.gz, and so on through file.9.gz. A maximum of
10 log files (0-9) are kept.
To view syslog messages on a NIOS appliance:
1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> File -> System Log -> ip_addr.
or
From the Device perspective, click hostname -> File -> System Log -> ip_addr.
Note: You can also right-click a grid member or independent appliance or HA pair, and then select System Log
-> ip_addr in the short-cut menu.
The appliance displays the syslog messages for the specified member.
2. To refresh the contents in the System Log File viewer, click View -> Refresh (or press the F5 key).
3. To delete the contents in the System Log File viewer, click View -> Clear. Note that only a superuser can clear the
syslog file.
Searching for Text
Instead of paging through the syslog messages to locate messages, you can limit the display to syslog messages with
certain text strings. To search for specified text strings:
1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> File -> System Log -> ip_addr.
or
From the Device perspective, click hostname -> File -> System Log -> ip_addr.
Note: You can also right-click a grid member or independent appliance or HA pair, and then select System Log
-> ip_addr in the short-cut menu.
The appliance displays the syslog messages for the specified member.
2. Click the Search icon in the upper right corner of the System Log File viewer.
3. Enter the text string and then click Search.
The appliance displays the results of your search in a Search Results panel.
Downloading the Syslog File
You can download the syslog file to a specified directory, if you want to print and analyze it.
To download a syslog file:
1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> File -> System Log -> ip_addr.
or
From the Device perspective, click hostname -> File -> System Log -> ip_addr.
Note: You can also right-click a grid member or independent appliance or HA pair, and then select System Log
-> ip_addr in the short-cut menu.
The appliance displays the syslog messages for the specified member.
2. Click the Download File icon in the upper right corner of the System Log File viewer, navigate to a directory where
you want to save it, optionally change the file name (the default names are node_1_sysLog.tar.gz and
node_2_sysLog.tar.gz), and then click OK.
Monitoring Tools
You can use the audit log, the replication log, and the traffic capture tool in a grid or HA pair to monitor administrator
activity and replication status, and to capture traffic for diagnostic purposes.
This section includes the following topics:
Using the Audit Log on page 170
Using the Replication Log on page 172
Using the Traffic Capture Tool on page 173
Using the Audit Log
The audit log contains a record of all Infoblox administrative activity. It provides detailed information on changes such
as:
Date and time stamp of the change. If you have different admin accounts with different time zone settings, the
appliance uses the time zone of the admin account that you use to log in to the appliance to display the date
and time stamp.
Administrator name
Changed object name
New value of the object. If you change multiple properties of an object, the audit log lists all changes in a
comma-separated log entry. You can also search the audit log to find the new value of an object.
The system logs the following successful operations:
Write operations such as add, modify, or remove objects.
System management operations such as restart service and reboot unit.
When the audit log reaches its maximum size, which is 100 MB, the appliance automatically writes the file into a new
file by adding a .0 extension to the first file and incrementing subsequent file extensions by 1. Files are compressed
during the rotation process, adding a .gz extension following the numerical increment (file.#.gz). The sequential
incrementation goes from zero through nine. When the eleventh file is started, the first log file (file.0.gz) is
deleted, and subsequent files are renumbered accordingly. For example, the current log file moves to file.0.gz,
the previous file.0.gz moves to file.1.gz, and so on through file.9.gz. A maximum of 10 log files (0-9) are
kept. To list the audit log files and their sizes, log in to the Infoblox CLI and execute the show logfiles command.
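The rotation scheme described here for the audit log is the same one the syslog section describes (Viewing the Syslog): the current file is compressed into file.0.gz, each existing archive shifts up by one, and only ten archives (0-9) survive, so the oldest falls off the end. The Python below is an added illustration of that shift, not Infoblox code; it works in a temporary directory with a constructed log so the effect of repeated rotations on what is retained can be seen. Why it matters to an investigator: with a 100 MB audit log and ten archives, a busy grid keeps a bounded history, and anything older is only on an external syslog server (Copy audit log messages to syslog) or in a downloaded copy.

```python
import gzip
import os
import tempfile
from typing import Dict, List

MAX_ARCHIVES = 10  # file.0.gz through file.9.gz are kept


def rotate(directory: str, base: str) -> List[str]:
    """Rotate <base> the way the guide describes for syslog and the audit log.

    file.8.gz -> file.9.gz, ..., file.0.gz -> file.1.gz (the old file.9.gz is
    dropped), then the current file is gzip-compressed into file.0.gz and a
    fresh, empty current file is started. Returns the directory listing.
    """
    current = os.path.join(directory, base)

    def archive(n: int) -> str:
        return os.path.join(directory, f"{base}.{n}.gz")

    oldest = archive(MAX_ARCHIVES - 1)
    if os.path.exists(oldest):
        os.remove(oldest)
    for n in range(MAX_ARCHIVES - 2, -1, -1):      # 8 down to 0
        if os.path.exists(archive(n)):
            os.replace(archive(n), archive(n + 1))
    with open(current, "rb") as src, gzip.open(archive(0), "wb") as dst:
        dst.write(src.read())
    open(current, "w").close()                       # start the new, empty current file
    return sorted(os.listdir(directory))


def demo(rotations: int = 12, base: str = "auditLog") -> Dict:
    """Write a constructed log generation, rotate, repeat; report what survives."""
    with tempfile.TemporaryDirectory() as tmp:
        current = os.path.join(tmp, base)
        names: List[str] = []
        for i in range(1, rotations + 1):
            with open(current, "w") as f:
                f.write(f"log generation {i}\n")    # constructed content
            names = rotate(tmp, base)
        archives = [n for n in names if n.endswith(".gz")]

        def content(n: int) -> str:
            with gzip.open(os.path.join(tmp, f"{base}.{n}.gz"), "rt") as f:
                return f.read().strip()

        return {
            "archives": archives,
            "newest": content(0),
            "oldest": content(len(archives) - 1),
        }


if __name__ == "__main__":
    print(demo())
```

After twelve rotations the directory holds auditLog.0.gz (generation 12) through auditLog.9.gz (generation 3); generations 1 and 2 are gone.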
To view the audit log:
From the Grid perspective, select grid -> File -> Audit Log.
or
From the Device perspective, select hostname -> File -> Audit Log.
You can also do the following:
To refresh the audit log view, select View -> Refresh (or press the F5 key).
To delete the contents of the audit log file, select View -> Clear.
You can search for audit logs that pertain to particular DNS and DHCP objects. To search the audit log file:
1. Click the Search icon in the upper right corner of the Audit Log File viewer.
2. In the Search Audit Log dialog box, enter the search criteria as follows:
Match Fields: In this section, you specify the fields the appliance uses to filter the Audit Log. Enter the following:
Admin Name: Enter the name of the administrator to view the Audit Log changes made only by a specific
administrator. The name you enter in this field need not be complete. You can use regular expressions to
expand your search. For example, you can just enter ad* or adm to search for the admin name
administrator. Also, the data you enter is not case sensitive.
Message/Value: Enter any word or sentence from the message to be searched or the value of the object that
was created, modified, or deleted. The data you enter is not case sensitive.
The message you enter in this field need not be complete. You can use regular expressions to expand your
search. For example, to find messages with the word created, you can just enter cre or cre*.
For example, if you changed the Comment field for an authoritative zone from today is tuesday to today is
wednesday, the Audit Log displays this change in the Message column as follows:
comment From: today is tuesday To: today is wednesday
In this case, you can search for the string today is wednesday but you cannot search for To: today is
wednesday.
You can also search based on the value of the object you changed. For example, if you change the end IP
address of a DHCP range from 10.0.20.0 to 10.0.30.0, you can enter 30 in the Message/Value field to find
the log for this change.
Object Restrictions: In this section, you can specify additional filter criteria to restrict the Audit Log search.
Object Type: This drop-down list displays the different types of objects that you can select for the search.
You can select No Object Type Restrictions to search all object types or you can select a specific object
type. When you select a specific object type, you can enter an object name.
Object Name: To restrict the search to a specific object, you can enter a name for the object type you
specified. You can enter a partial name and use regular expressions as well. For example, to find a DNS
object called test.com, you can just enter tes or te*.
Time Range
In this section, you can either select from a predefined time range or specify your own custom range. The
appliance uses the time zone that it automatically detects from the management system that the admin uses to
log in. Or you can override the time zone auto-detection feature at the admin and member level by specifying a
time zone.
For example, if you are in the Eastern Standard Time zone, then the time range section in the dialog displays the
Eastern Standard Time regardless of the grid time zone setting. If you change the time zone on your computer,
you must log out and then log back in to the NIOS appliance for the new time zone to take effect.
Predefined range: Select one of the following predefined date and time ranges from the drop-down menu:
All: Displays all audit log messages logged at all available dates and times.
Last Week: Displays all audit log activity that occurred one week before the current time.
Last Day: Displays audit log activity that occurred one day (24 hours) before the current time.
Last 12 Hours: Displays all audit log activity that occurred 12 hours before the current time.
Last 4 Hours: Displays audit log activity that occurred four hours before the current time.
Last Hour: Displays all audit log activity that occurred one hour before the current time.
Custom range: Click and select one of the following:
From: Either select Oldest message or click Specify and then enter the start date and time in the
year/month/date and hours:minutes:seconds format.
To: Either select Newest message or click Specify and then enter the end date and time in the
year/month/date and hours:minutes:seconds format.
3. Click Search.
The appliance displays the results of your search in a Search Results panel.
To download the audit log file, click the Download File icon in the upper right corner of the Audit Log File viewer,
navigate to a directory where you want to save it, optionally change the file name (the default name is
auditLog.tar.gz), and click OK.
Audit Log Format
The format of the audit log is similar to the syslog:
[date and time stamp] [user name]: message
For example:
[2007/05/05 11:13:54.208] [admin]: updated grid time zone
Note: The dates and timestamps in the audit log are determined by the time zone setting of the admin account
that you use to log in to the NIOS appliance.
Specifying the Audit Log Type
Select either the Detailed (default) or Brief audit log type as follows:
1. Select Grid -> Edit -> Grid Properties.
2. Click the Grid Properties section to expand it.
3. Select one of the following types in the Audit Log section:
Detailed: This is the default type. It is automatically selected. It provides detailed information on all
administrative changes such as the date and time stamp of the change, administrator name, changed
object name, and the new values of all properties.
Brief: Provides information on administrative changes such as the date and time stamp of the change,
administrator name, and the changed object name. It does not show the new value of the object. The
following are examples of brief audit log messages:
[2007/06/08 12:36:35.768] [admin]: Modified AdminGroup test_group
[2007/07/10 12:39:19.424] [admin]: Deleted AuthZone test.com view=default
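The audit log format above, together with the search behaviour described under Using the Audit Log (partial, case-insensitive regular expressions for Admin Name and Message/Value; the From:/To: labels of a change are not searchable; a custom time range in year/month/date hours:minutes:seconds form), is enough to process a downloaded auditLog.tar.gz offline. The following Python is an added example, not Infoblox code: it parses lines in the documented `[timestamp] [user]: message` form, pulls out a `field From: old To: new` change where one is present, and filters the way the Search Audit Log dialog does. The sample log combines the guide's three example lines with two detailed entries whose object names (example.test, a DhcpRange) are invented; the exact layout of a detailed entry is an assumption, since the guide shows only the message fragment.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# [date and time stamp] [user name]: message
AUDIT_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\] "
    r"\[(?P<admin>[^\]]+)\]: (?P<message>.*)$"
)
# Detailed entries record a property change as "<field> From: <old> To: <new>".
CHANGE_RE = re.compile(r"(?P<field>\S+) From: (?P<old>.*?) To: (?P<new>.*)$")


def parse_audit_line(line: str) -> Optional[Dict]:
    """Parse one audit log line; return None for lines that are not audit records."""
    m = AUDIT_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    entry = {
        "timestamp": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f"),
        "admin": m.group("admin"),
        "message": m.group("message"),
        "change": None,
    }
    c = CHANGE_RE.search(entry["message"])
    if c:
        entry["change"] = {"field": c.group("field"), "old": c.group("old"), "new": c.group("new")}
    return entry


def searchable_text(entry: Dict) -> str:
    """Text the Message/Value search runs over: the message without the From:/To:
    labels, so 'today is wednesday' matches but 'To: today is wednesday' does not."""
    return re.sub(r"\b(?:From|To): ", "", entry["message"])


def _bound(value):
    """Accept a datetime or the dialog's year/month/date hours:minutes:seconds text."""
    if value is None or isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y/%m/%d %H:%M:%S")


def search_audit_log(lines, admin=None, message=None, start=None, end=None) -> List[Dict]:
    """Filter audit records the way the Search Audit Log dialog does.

    admin and message are partial, case-insensitive regular expressions;
    start and end bound the time range (inclusive).
    """
    admin_re = re.compile(admin, re.IGNORECASE) if admin else None
    msg_re = re.compile(message, re.IGNORECASE) if message else None
    start, end = _bound(start), _bound(end)
    hits = []
    for line in lines:
        entry = parse_audit_line(line)
        if entry is None:
            continue
        if admin_re and not admin_re.search(entry["admin"]):
            continue
        if msg_re and not msg_re.search(searchable_text(entry)):
            continue
        if start and entry["timestamp"] < start:
            continue
        if end and entry["timestamp"] > end:
            continue
        hits.append(entry)
    return hits


# Constructed sample log: the guide's example lines plus two invented detailed entries.
SAMPLE_AUDIT_LOG = """\
[2007/05/05 11:13:54.208] [admin]: updated grid time zone
[2007/06/08 12:36:35.768] [admin]: Modified AdminGroup test_group
[2007/07/10 12:39:19.424] [admin]: Deleted AuthZone test.com view=default
[2007/07/11 09:02:17.005] [jdoe]: Modified AuthZone example.test view=default comment From: today is tuesday To: today is wednesday
[2007/07/11 09:05:40.112] [jdoe]: Modified DhcpRange 10.0.20.1 end_addr From: 10.0.20.0 To: 10.0.30.0
this line is not an audit record
""".splitlines()


if __name__ == "__main__":
    for e in search_audit_log(SAMPLE_AUDIT_LOG, admin="ad*", start="2007/06/01 00:00:00"):
        print(e["timestamp"], e["admin"], e["message"])
```

The same parser is a natural starting point for a detector over an exported audit log, for example alerting on Deleted AuthZone entries or on changes made outside an expected admin set.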
Using the Replication Log
The Replication Status panel reports the status of the database replication between grid members and the master,
and between the two nodes in an independent HA pair. You can use this information to check the health of grid and HA
pair activity.
To view the replication log:
From the Grid perspective, click grid -> View -> Replication Status.
or
From the Device perspective, click hostname -> View -> Replication Status.
To refresh the contents in the Replication Log viewer, click View -> Refresh (or press the F5 key).
Using the Traffic Capture Tool
You can capture the traffic on one or all of the ports on a NIOS appliance, and then view it using a third-party network
protocol analyzer application, such as the Ethereal Network Protocol Analyzer.
The NIOS appliance saves all the traffic it captures into a .cap file and compresses it into a .tar.gz file. Your
management system must have a utility that can extract the .tar archive from the .gz file, and an application that can
read the .cap (capture) file format. This section explains how to capture traffic and then download it to your
management system. After that, you can extract the traffic capture file and view it with a third-party traffic
analyzer application.
Note: The NIOS appliance always saves a traffic capture file as tcpdumpLog.tar.gz. If you want to download multiple
traffic capture files to the same location, rename each downloaded file before downloading the next.
1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Tools -> Capture Traffic.
or
From the Device perspective, click hostname -> Tools -> Capture Traffic.
2. In the Traffic Capture dialog box, enter the following:
HA port: Select to capture all traffic that the HA port receives and transmits.
LAN port: Select to capture all traffic that the LAN port receives and transmits.
MGMT port: Select to capture all traffic that the MGMT port receives and transmits.
All ports (promiscuous mode not supported): Select to capture traffic addressed to all ports. Note that the
NIOS appliance only captures traffic that is addressed to it.
Seconds to run: Specify the number of seconds that you want the traffic capture tool to run.
Note: NIOS virtual appliances support capturing traffic only on the LAN port.
3. Click Start.
A message appears warning that the use of the traffic capture tool causes a decrease in network service
processing and prompts you to confirm your use of the tool.
4. Click Yes.
5. When you want to view the captured traffic, click Download.
6. Another message appears stating that clicking Download causes the traffic capture operation (if it is still ongoing)
to stop and asks if you want to proceed.
7. Click OK.
8. Navigate to where you want to save the file, rename it if you want, and then click OK or Save.
9. Use terminal window commands (Linux) or a software application (such as StuffIt or WinZip) to extract the
contents of the .tar.gz file.
10. When you see the traffic.cap file in the directory where you extracted the .tar.gz file, open it with the third-party
network protocol analyzer application.
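Steps 9 and 10 are the only part of this procedure that runs on the management system rather than on the appliance, and they are where an analyst should be careful: a downloaded archive should be extracted without letting a member path escape the target directory, and the file should be checked to actually be a capture before it is handed to an analyzer. The Python below is an added example, not Infoblox code. It builds a constructed tcpdumpLog.tar.gz holding a minimal traffic.cap (three zero-filled Ethernet frames, made up for the demonstration), extracts it with a path-containment check, and reads the standard libpcap global header and record headers to report the format version, snapshot length, link type and packet count. The real file produced by the appliance is assumed to be a standard .cap file; the guide does not state its internal layout.

```python
import io
import os
import struct
import tarfile
import tempfile
from typing import Dict, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4   # libpcap magic (microsecond timestamps)


def safe_extract(archive_path: str, dest: str) -> List[str]:
    """Extract a .tar.gz, refusing any member that would land outside dest."""
    dest_real = os.path.realpath(dest)
    extracted = []
    # Python 3.12+ has a built-in "data" filter that also enforces containment;
    # the explicit check below keeps the behaviour the same on older versions.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            if not (member.isfile() or member.isdir()):
                raise ValueError(f"refusing {member.name!r}: not a regular file or directory")
            target = os.path.realpath(os.path.join(dest, member.name))
            if target != dest_real and not target.startswith(dest_real + os.sep):
                raise ValueError(f"refusing {member.name!r}: escapes the destination directory")
            tar.extract(member, dest, **kwargs)
            extracted.append(member.name)
    return extracted


def pcap_summary(path: str) -> Dict:
    """Validate the libpcap global header and count the records that follow it."""
    with open(path, "rb") as f:
        header = f.read(24)
        if len(header) < 24:
            raise ValueError("not a pcap file: header too short")
        (magic,) = struct.unpack("<I", header[:4])
        if magic == PCAP_MAGIC:
            endian = "<"                      # written little-endian
        elif magic == 0xD4C3B2A1:
            endian = ">"                      # written big-endian
        else:
            raise ValueError("not a pcap file: bad magic number")
        major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", header[4:])
        packets = 0
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
            f.seek(incl_len, os.SEEK_CUR)
            packets += 1
    return {"version": f"{major}.{minor}", "snaplen": snaplen, "linktype": linktype, "packets": packets}


def build_sample_capture(directory: str) -> str:
    """Write a constructed tcpdumpLog.tar.gz containing a minimal traffic.cap."""
    pcap = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i in range(3):
        frame = bytes(60)                                              # constructed, zero-filled
        pcap += struct.pack("<IIII", 1_180_000_000 + i, 0, len(frame), len(frame)) + frame
    archive = os.path.join(directory, "tcpdumpLog.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        info = tarfile.TarInfo("traffic.cap")
        info.size = len(pcap)
        tar.addfile(info, io.BytesIO(pcap))
    return archive


def demo() -> Tuple[List[str], Dict]:
    """Build, extract and summarise the constructed capture in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = build_sample_capture(tmp)
        out = os.path.join(tmp, "out")
        names = safe_extract(archive, out)
        summary = pcap_summary(os.path.join(out, "traffic.cap"))
    return names, summary


def traversal_is_refused() -> bool:
    """Confirm that an archive member named ../escaped.cap is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "bad.tar.gz")
        with tarfile.open(archive, "w:gz") as tar:
            info = tarfile.TarInfo("../escaped.cap")
            info.size = 0
            tar.addfile(info, io.BytesIO(b""))
        try:
            safe_extract(archive, os.path.join(tmp, "out"))
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo(), traversal_is_refused())
```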
Using the Capacity Report
You can view the capacity usage and object type information of an appliance in the Capacity Report panel. The
capacity report displays capacity and object type information of an independent appliance, a grid master, or a grid
member. For an HA pair, the report displays information that is on the active node.
The top half of the panel displays a capacity summary, and the bottom half displays the object types that the
appliance supports and the total counts for each object type.
To view the capacity report:
From the Grid perspective, click + (for grid) -> + (for Members) -> member -> View -> Capacity Report.
or
From the Device perspective, select hostname -> View -> Capacity Report.
The capacity summary contains the following information:
Name: The name of the appliance.
Role: The role of the appliance. The value can be Grid Master, Grid Master Candidate, Grid Member, or
Standalone.
Hardware Type: The type of hardware. For an HA pair, the report displays the hardware type for both the active
and passive nodes.
Maximum Capacity: The maximum number of objects that the appliance can support.
Total Objects: The total number of objects that are currently in the database.
% Capacity Used: The percentage of the capacity that is in use.
The report categorizes object types that you can manage through the NIOS appliance. For objects that are only used
for internal system operations, the report groups and shows them under the object type Other.
The report displays the following information for object types:
Object Type: The type of objects. For example, DHCP Lease, Admin Group, or PTR Record.
Total: The total number of objects for a specific object type.
You can print the object type information or export it to a CSV file. For information on printing the object types, see
Printing from the GUI on page 56; and for information on exporting to a CSV file, see Exporting Data on page 60.
Chapter 6 Monitoring with SNMP
This chapter describes how you can use SNMP (Simple Network Management Protocol) to monitor NIOS appliances
in your network. It contains the following topics:
Understanding SNMP on page 176
SNMP MIB Hierarchy on page 177
MIB Objects on page 178
Infoblox MIBs on page 179
Loading the Infoblox MIBs on page 179
ibTrap MIB on page 180
Interpreting Infoblox SNMP traps on page 181
Types of Traps (OID 3.1.1.1.1) on page 182
Trap Binding Variables (OID 3.1.1.1.2) on page 184
Trap Severity (OID 3.1.1.1.2.2.0) on page 185
ibProbableCause Values (OID 3.1.1.1.2.4.0) on page 186
ibSubsystemName Values (OID 3.1.1.1.2.9.0) on page 187
ibPreviousState (OID 3.1.1.1.2.9.0) and ibCurrentState (OID 3.1.1.1.2.10.0) on page 188
ibTrapDesc (OID 3.1.1.1.2.11.0) on page 189
ibPlatformOne MIB on page 202
ibDHCPOne MIB on page 207
ibDNSOne MIB on page 210
ibIPWC MIB on page 212
Configuring SNMP on page 217
Accepting SNMP Queries on page 217
Setting System Information on page 217
Adding SNMP Trap Receivers on page 218
Configuring SNMP for a Grid Member on page 218
Understanding SNMP
You can use SNMP (Simple Network Management Protocol) to manage network devices and monitor their processes.
An SNMP-managed device, such as a NIOS appliance, has an SNMP agent that collects data and stores it as
objects in MIBs (Management Information Bases). The SNMP agent can also send traps (or notifications) to alert you
when certain events occur within the appliance or on the network. You can view data in the SNMP MIBs and receive
SNMP traps on a management system running an SNMP management application, such as HP OpenView, IBM Tivoli
NetView, or any of the freely available or commercial SNMP management applications on the Internet.
Figure 6.1 SNMP Overview
You can configure a NIOS appliance as an SNMP-managed device. NIOS appliances support SNMP versions 1 and 2,
and adhere to the following RFCs:
RFC 3411, An Architecture for Describing Simple Network Management Protocol (SNMP) Management
Frameworks
RFC 3412, Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
RFC 3413, Simple Network Management Protocol (SNMP) Applications
RFC 3416, Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)
RFC 3418, Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
RFC 1155, Structure and identification of Management information for TCP/IP-based internets
RFC 1213, Management Information Base for Network Management of TCP/IP-based internets: MIB-II
[Figure 6.1: an SNMP management system sends queries to, and receives traps from, the SNMP agent on the NIOS appliance, which maintains several MIBs.]
SNMP MIB Hierarchy
Infoblox supports the standard MIBs defined in RFC-1213, Management Information Base for Network Management
of TCP/IP-based internets: MIB-II, in addition to implementing its own enterprise MIBs. The Infoblox MIBs are part of
a universal hierarchical structure, usually referred to as the MIB tree. The MIB tree has an unlabeled root with three
subtrees. Figure 6.2 illustrates the branch of the MIB tree that leads to the Infoblox enterprise MIBs. Each object in
the MIB tree has a label that consists of a textual description and an OID (object identifier). An OID is a unique
dotted-decimal number that identifies the location of the object in the MIB tree. Note that all OIDs begin with a dot
(.) to indicate the root of the MIB tree.
As shown in Figure 6.2, Infoblox is a branch of the Enterprise subtree. IANA (Internet Assigned Numbers Authority)
administers the Enterprise subtree, which is designated specifically for vendors who define their own MIBs. The
IANA-assigned enterprise number of Infoblox is 7779; therefore, the OIDs of all Infoblox MIB objects begin with the
prefix .1.3.6.1.4.1.7779.
The Infoblox SNMP subtree branches down through two levels, ibProduct and ibOne, to the Infoblox MIBs: ibTrap,
ibPlatformOne, ibDNSOne, and ibDHCPOne. The ibTrap MIB defines the traps that NIOS appliances send, and the
ibPlatformOne, ibDNSOne, and ibDHCPOne MIBs provide information about the appliance. For detailed information
about these MIBs, see Infoblox MIBs on page 179.
Figure 6.2 MIB Hierarchy
(unlabeled root)
  (.0) International Telegraph and Telephone Consultative Committee (CCITT)
  (.1) International Organization for Standardization (ISO)
    (.1.3) ORG
      (.1.3.6) U.S. Department of Defense (DOD)
        (.1.3.6.1) Internet
          (.1.3.6.1.4) Private
            (.1.3.6.1.4.1) Enterprise
              (.1.3.6.1.4.1.7779) Infoblox
                (.1.3.6.1.4.1.7779.3) Infoblox SNMP Tree
                  (.1.3.6.1.4.1.7779.3.1) ibProduct
                    (.1.3.6.1.4.1.7779.3.1.1) ibOne
                      (.1.3.6.1.4.1.7779.3.1.1.1) ibTrap
                      (.1.3.6.1.4.1.7779.3.1.1.2) ibPlatformOne
                      (.1.3.6.1.4.1.7779.3.1.1.3) ibDNSOne
                      (.1.3.6.1.4.1.7779.3.1.1.4) ibDHCPOne
  (.0) CCITT and ISO
MIB Objects
The Infoblox MIB objects were implemented according to the guidelines in RFCs 1155 and 2578. They specify two
types of macros for defining MIB objects: OBJECT-TYPE and NOTIFICATION-TYPE. These macros contain clauses that
describe the characteristics of an object, such as its syntax and its status. OBJECT-TYPE macros describe MIB objects,
and NOTIFICATION-TYPE macros describe objects used in SNMP traps.
Each object in the ibPlatformOne, ibDNSOne, and ibDHCPOne MIBs contains the following clauses from the
OBJECT-TYPE macro:
OBJECT-TYPE: Provides the administratively-assigned name of the object.
SYNTAX: Identifies the data structure of the object, such as integers, counters, and octet strings.
MAX-ACCESS: Identifies the type of access that a management station has to the object. All Infoblox MIB objects
provide read-only access.
STATUS: Identifies the status of the object. Values are current, obsolete, and deprecated.
DESCRIPTION: Provides a textual description of the object.
INDEX or AUGMENTS: An object that represents a conceptual row must have either an INDEX or AUGMENTS
clause that defines a key for selecting a row in a table.
OID: The dotted decimal object identifier that defines the location of the object in the universal MIB tree.
The ibTrap MIB defines the SNMP traps that a NIOS appliance can send. Each object in the ibTrap MIB contains the
following clauses from the NOTIFICATION-TYPE macro:
NOTIFICATION-TYPE: Provides the administratively-assigned name of the object.
OBJECTS: Provides an ordered list of MIB objects that are in the trap.
STATUS: Identifies the status of the object. Values are current, obsolete, and deprecated.
DESCRIPTION: Provides the notification information.
Infoblox MIBs
You can configure a NIOS appliance as an SNMP-managed device so that an SNMP management station can send
queries to the appliance and retrieve information from its MIBs. Perform the following tasks to access the Infoblox
MIBs:
1. Configure a NIOS appliance to accept queries, as described in Accepting SNMP Queries on page 217.
2. Load the MIB files onto the management system. To obtain the latest Infoblox MIB files:
a. From the Grid Perspective, select id_grid -> Tools -> Download SNMP MIBs.
b. In the Save As dialog box, navigate to a directory to which you want to save the MIBs.
c. Click Save.
3. Use a MIB browser or SNMP management application to query the objects in each MIB.
The NIOS appliance allows read-only access to the MIBs. This is equivalent to the Get and Get Next operations in
SNMP.
Loading the Infoblox MIBs
If you are using an SNMP manager toolkit with strict dependency checking, you must download the following Infoblox
MIBs in the order they are listed:
1. IB-SMI-MIB.txt
2. IB-TRAP-MIB.txt
3. IB-PLATFORMONE-MIB.txt
4. IB-DNSONE-MIB.txt
5. IB-DHCPONE-MIB.txt
6. IB-IPWC-MIB.txt (if you use the Infoblox IPAM WinConnect service)
In addition, if the SNMP manager toolkit that you use requires a different MIB file naming convention, you can
rename the MIB files accordingly.
NET-SNMP MIBs
NIOS appliances support NET-SNMP (formerly UCD-SNMP), a collection of applications used to implement the SNMP
protocol. When you download the Infoblox MIBs from the Infoblox Support site, you can download some of the
NET-SNMP MIBs and load them onto your SNMP management system. The NET-SNMP MIBs provide the top-level
infrastructure for the SNMP MIB tree. They define, among other things, the objects in the SNMP traps that the agent
sends when the SNMP engine starts and stops. For additional information on NET-SNMP and the MIB files distributed
with NET-SNMP, refer to http://net-snmp.sourceforge.net/.
RADIUS MIBs
The NIOS appliance supports the RADIUS-ACC-SERVER-MIB and RADIUS-AUTH-SERVER-MIB. You can download these
MIBs along with the Infoblox enterprise MIBs. When you install the RADIUS server license on the appliance and
configure RADIUS services, the appliance responds to queries for data from the RADIUS MIBs, if configured to do so.
For information on these MIBs, refer to RFC 2619, RADIUS Authentication Server MIB and RFC 2621, RADIUS
Accounting Server MIB.
ibTrap MIB
NIOS appliances send SNMP traps when events, internal process failures, or critical service failures occur. The ibTrap
MIB defines the types of traps that a NIOS appliance sends and the value that each MIB object represents. The
Infoblox SNMP traps report objects which the ibTrap MIB defines. Figure 6.3 illustrates the ibTrap MIB structure. It
provides the OID and textual description for each object.
Note: OIDs shown in the illustrations and tables in this section do not include the prefix .1.3.6.1.4.1.7779.
The ibTrap MIB comprises two trees, ibTrapOneModule and ibNotificationVarBind. The ibTrapOneModule tree
contains objects for the types of traps that a NIOS appliance sends. The ibNotificationVarBind tree contains objects
that the Infoblox SNMP traps report. You cannot send queries for the objects in this MIB module; the objects are used
only in the SNMP traps.
Figure 6.3 ibTrapOne MIB Structure
(3.1.1.1) ibTrap MIB
  (3.1.1.1.1) ibTrapOneModule
    (3.1.1.1.1.1.0) ibEquipmentFailureTrap
    (3.1.1.1.1.2.0) ibProcessingFailureTrap
    (3.1.1.1.1.3.0) ibThresholdCrossingEvent
    (3.1.1.1.1.4.0) ibStateChangeEvent
    (3.1.1.1.1.5.0) ibProcStartStopTrap
  (3.1.1.1.2) ibNotificationVarBind
    (3.1.1.1.2.1.0) ibNodeName
    (3.1.1.1.2.2.0) ibTrapSeverity
    (3.1.1.1.2.3.0) ibObjectName
    (3.1.1.1.2.4.0) ibProbableCause
    (3.1.1.1.2.5.0) ibSubsystemName
    (3.1.1.1.2.6.0) ibCurThresholdValue
    (3.1.1.1.2.7.0) ibThresholdHigh
    (3.1.1.1.2.8.0) ibThresholdLow
    (3.1.1.1.2.9.0) ibPreviousState
    (3.1.1.1.2.10.0) ibCurrentState
    (3.1.1.1.2.11.0) ibTrapDesc
Interpreting Infoblox SNMP traps
Depending on the SNMP management application that your management system uses, the SNMP traps that you
receive might list the OIDs for all relevant MIB objects from both the ibTrapOneModule and ibNotificationVarBind
trees. For OIDs that have string values, the trap lists the text. For OIDs that contain integers, you can use the tables in
this section to find out the values. Some SNMP management applications list only the object name and the
corresponding values in the SNMP trap. Whether your SNMP management application lists OIDs or not, you can use
the tables in this section to find out the corresponding values and definitions for each MIB object.
The following is a sample trap that a NIOS appliance sends:
418: Jan 31 18:52:26 (none) snmptrapd[6087]: 2008-01-31 18:52:26 10.35.1.156 [UDP:
[10.35.1.156]:32772]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1080)
0:00:10.80 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.7779.3.1.1.1.1.4.0
SNMPv2-SMI::enterprises.7779.3.1.1.1.2.1.0 = STRING: "10.35.1.156"
SNMPv2-SMI::enterprises.7779.3.1.1.1.2.3.0 = STRING: "ntp_sync" SNMPv2-SMI::enterprises.7779.3.1.1.1.2.9.0 =
INTEGER: 15 SNMPv2-SMI::enterprises.7779.3.1.1.1.2.10.0 = INTEGER: 16
SNMPv2-SMI::enterprises.7779.3.1.1.1.2.11.0 = STRING: "The NTP service is out of
synchronization."
The sample trap lists the OIDs and their corresponding values that can help you identify the cause of the event or
problem. You can find the definition for each OID or object and its value using the tables in this section. To identify
possible cause and recommended actions for the trap, use the ibTrapDesc tables. For information, see ibTrapDesc
(OID 3.1.1.1.2.11.0) on page 189.
You can interpret the sample trap as follows:
Using the ibTrapOneModule table, you find out that OID 7779.3.1.1.1.1.4.0 represents an Object State Change
trap. This type of trap includes the following objects. For each object, the trap displays the OID and its
corresponding value. The following is how you can interpret the rest of the trap:
ibNodeName (OID 7779.3.1.1.1.2.1.0)
Using the ibNotificationVarBind (OID 3.1.1.1.2) table, you find out that OID 7779.3.1.1.1.2.1.0
represents the MIB object ibNodeName, which is the IP address of the appliance on which the trap
occurred. Therefore, the statement 7779.3.1.1.1.2.1.0 = STRING: "10.35.1.156" tells you that the
appliance on which the trap occurred has the IP address 10.35.1.156.
ibObjectName (OID 7779.3.1.1.1.2.3.0)
The statement 7779.3.1.1.1.2.3.0 = STRING: "ntp_sync" tells you that the MIB object ibObjectName,
which is the name of the object for which the trap was generated, has a value of ntp_sync, which
represents NTP synchronization issues.
ibPreviousState (OID 7779.3.1.1.1.2.9.0)
The statement 7779.3.1.1.1.2.9.0 = INTEGER: 15 tells you that the MIB object ibPreviousState, which
indicates the previous state of the appliance, has a value of 15. Using the ibPreviousState and
ibCurrentState Values table, you know that 15 represents ntp-sync-up, which means that the NTP
server was up and running.
ibCurrentState (OID 7779.3.1.1.1.2.10.0)
The statement 7779.3.1.1.1.2.10.0 = INTEGER: 16 tells you that the MIB object ibCurrentState, which
indicates the current state of the appliance, has a value of 16. Using the ibPreviousState and
ibCurrentState Values table, you know that 16 represents ntp-sync-down, which means that the NTP
server is now out of sync.
ibTrapDesc (OID 7779.3.1.1.1.2.11.0)
The last statement 7779.3.1.1.1.2.11.0 = STRING: "The NTP service is out of synchronization." states
the description of the trap. Using the Object State Change Traps table for ibTrapDesc, you can find out
the details of the trap description and recommended actions for this problem.
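The lookups walked through above can be done mechanically. The following is an added example, not Infoblox code: it splits the sample snmptrapd line into varbinds, names each Infoblox OID from the ibNotificationVarBind table, and decodes the severity and state integers from the tables in this section. The DEGRADED_STATES set and the needs_attention rule are this example's own assumption about which state changes a monitoring team would want alerted; snmptrapd output formatting can also vary by version.

```python
# Added example (not Infoblox code): decode an Infoblox ibTrap notification as
# logged by snmptrapd, using the OID names and integer codes from this chapter.
import re
from typing import Any, Dict, List, Optional, Tuple

ENTERPRISE = "1.3.6.1.4.1.7779"  # Infoblox IANA enterprise number 7779
TRAP_TYPES = {  # ibTrapOneModule (OID 3.1.1.1.1)
    "3.1.1.1.1.1.0": "ibEquipmentFailureTrap", "3.1.1.1.1.2.0": "ibProcessingFailureTrap",
    "3.1.1.1.1.3.0": "ibThresholdCrossingEvent", "3.1.1.1.1.4.0": "ibStateChangeEvent",
    "3.1.1.1.1.5.0": "ibProcStartStopTrap",
}
VARBINDS = {  # ibNotificationVarBind (OID 3.1.1.1.2)
    "3.1.1.1.2.1.0": "ibNodeName", "3.1.1.1.2.2.0": "ibTrapSeverity",
    "3.1.1.1.2.3.0": "ibObjectName", "3.1.1.1.2.4.0": "ibProbableCause",
    "3.1.1.1.2.5.0": "ibSubsystemName", "3.1.1.1.2.6.0": "ibCurThresholdValue",
    "3.1.1.1.2.7.0": "ibThresholdHigh", "3.1.1.1.2.8.0": "ibThresholdLow",
    "3.1.1.1.2.9.0": "ibPreviousState", "3.1.1.1.2.10.0": "ibCurrentState",
    "3.1.1.1.2.11.0": "ibTrapDesc",
}
SEVERITY = {1: "Undetermined", 2: "Informational", 3: "Minor", 4: "Major", 5: "Critical"}
STATES = {  # Table 6.5: ibPreviousState / ibCurrentState codes
    1: "ha-active", 2: "ha-passive", 3: "ha-initial", 4: "grid-connected",
    5: "grid-disconnected", 6: "enet-link-up", 7: "enet-link-down",
    8: "replication-online", 9: "replication-offline", 10: "replication-snapshotting",
    11: "service-up", 12: "service-down", 13: "ha-replication-online",
    14: "ha-replication-offline", 15: "ntp-syn-up", 16: "ntp-syn-down",
}
DEGRADED_STATES = {5, 7, 9, 12, 14, 16}  # assumption: states meaning something stopped working

# Start of one varbind as snmptrapd prints it: "<MIB>::<name> = <TYPE>: "
_VB_START = re.compile(r"(?P<oid>[A-Za-z0-9-]+::[\w.]+)\s*=\s*(?P<type>[A-Za-z]+):\s*")


def relative_oid(oid: str) -> Optional[str]:
    """OID relative to .1.3.6.1.4.1.7779 (e.g. '3.1.1.1.2.1.0'), or None if not Infoblox."""
    numeric = oid
    if "::" in oid:  # symbolic form, e.g. SNMPv2-SMI::enterprises.7779.3.1.1.1.2.1.0
        name = oid.split("::", 1)[1]
        if not name.startswith("enterprises."):
            return None
        numeric = "1.3.6.1.4.1." + name[len("enterprises."):]
    numeric = numeric.lstrip(".")
    return numeric[len(ENTERPRISE) + 1:] if numeric.startswith(ENTERPRISE + ".") else None


def parse_varbinds(line: str) -> List[Tuple[str, str, str]]:
    """Split a trap line into (oid, type, raw value) triples, in varbind order."""
    starts = list(_VB_START.finditer(line))
    triples = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(line)
        triples.append((m.group("oid"), m.group("type"), line[m.end():end].strip()))
    return triples


def decode_trap(line: str) -> Dict[str, Any]:
    """Name each Infoblox varbind and decode severity/state integers via the tables."""
    event: Dict[str, Any] = {"trap_type": None, "other": {}}
    for oid, vtype, raw in parse_varbinds(line):
        if oid.endswith("::snmpTrapOID.0"):  # which ibTrapOneModule trap this is
            event["trap_type"] = TRAP_TYPES.get(relative_oid(raw) or "", raw)
            continue
        rel = relative_oid(oid)
        name = VARBINDS.get(rel) if rel else None
        if name is None:  # e.g. sysUpTimeInstance: keep it, but leave it undecoded
            event["other"][oid] = raw
            continue
        value: Any = raw.strip('"') if vtype == "STRING" else raw
        if vtype == "INTEGER":
            code = int(raw)
            table = SEVERITY if name == "ibTrapSeverity" else STATES
            decoded = name in ("ibTrapSeverity", "ibPreviousState", "ibCurrentState")
            value = (code, table.get(code, "unknown")) if decoded else code
        event[name] = value
    return event


def needs_attention(event: Dict[str, Any]) -> bool:
    """True for Major/Critical traps and for state changes into a degraded state."""
    sev = event.get("ibTrapSeverity")
    if sev is not None and sev[0] >= 4:
        return True
    cur = event.get("ibCurrentState")
    return cur is not None and cur[0] in DEGRADED_STATES


# The guide's sample trap, rejoined onto one line (the log wrapped it over several).
SAMPLE_TRAP = (
    "418: Jan 31 18:52:26 (none) snmptrapd[6087]: 2008-01-31 18:52:26 10.35.1.156 "
    "[UDP: [10.35.1.156]:32772]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1080) "
    "0:00:10.80 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.7779.3.1.1.1.1.4.0 "
    'SNMPv2-SMI::enterprises.7779.3.1.1.1.2.1.0 = STRING: "10.35.1.156" '
    'SNMPv2-SMI::enterprises.7779.3.1.1.1.2.3.0 = STRING: "ntp_sync" '
    "SNMPv2-SMI::enterprises.7779.3.1.1.1.2.9.0 = INTEGER: 15 "
    "SNMPv2-SMI::enterprises.7779.3.1.1.1.2.10.0 = INTEGER: 16 "
    'SNMPv2-SMI::enterprises.7779.3.1.1.1.2.11.0 = STRING: "The NTP service is out of synchronization."'
)

if __name__ == "__main__":
    decoded_event = decode_trap(SAMPLE_TRAP)
    for key, val in decoded_event.items():
        print(f"{key}: {val}")
    print("needs attention:", needs_attention(decoded_event))
```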
Types of Traps (OID 3.1.1.1.1)
ibTrapOneModule defines the types of traps that the NIOS appliance can send. There are five types of SNMP traps.
Table 6.1 describes the types of traps and their objects in the ibTrapOneModule tree.
Table 6.1 ibTrapOneModule

OID: 3.1.1.1.1.1.0
Trap Type: Equipment Failure
MIB Object: ibEquipmentFailureTrap
Description: The NIOS appliance generates this trap when a hardware failure occurs. This trap includes the following objects: ibNodeName, ibTrapSeverity, ibObjectName (equipment name), ibProbableCause, ibTrapDesc. For a list of trap descriptions for this type of trap, see Equipment Failure Traps on page 189.

OID: 3.1.1.1.1.2.0
Trap Type: Processing and Software Failure
MIB Object: ibProcessingFailureTrap
Description: The NIOS appliance generates this trap when a failure occurs in one of the software processes. This trap includes the following objects: ibNodeName, ibTrapSeverity, ibSubsystemName, ibProbableCause, ibTrapDesc. For a list of trap descriptions for this type of trap, see Processing and Software Failure Traps on page 190.

OID: 3.1.1.1.1.3.0
Trap Type: Threshold Crossing
MIB Object: ibThresholdCrossingEvent
Description: The NIOS appliance generates this trap when any of the following events occur:
  - System memory or disk usage exceeds 90%.
  - A problem occurs when the grid master replicates its database to its grid members.
  - DHCP address usage crosses a watermark threshold. For more information about tracking IP address usage, see Chapter 18, Managing IP Data IPAM, on page 557.
  This trap includes the following objects: ibNodeName, ibObjectName (threshold name), ibCurThresholdValue, ibThresholdHigh, ibThresholdLow, ibTrapDesc. For a list of trap descriptions for this type of trap, see Threshold Crossing Traps on page 195.

OID: 3.1.1.1.1.4.0
Trap Type: Object State Change
MIB Object: ibStateChangeEvent
Description: The NIOS appliance generates this trap when there is a change in its state, such as:
  - The link to one of the configured ports goes down, and then goes back up again.
  - A failover occurs in an HA (high availability) pair configuration.
  - A member connects to the grid master.
  - An appliance in a grid goes offline.
  This trap includes the following objects: ibNodeName, ibObjectName, ibPreviousState, ibCurrentState, ibTrapDesc. For a list of possible trap descriptions for this type of trap, see Object State Change Traps on page 199.

OID: 3.1.1.1.1.5.0
Trap Type: Process Started and Stopped
MIB Object: ibProcStartStopTrap
Description: The NIOS appliance generates this type of trap when any of the following events occur:
  - When you enable HTTP redirection.
  - When you change the HTTP access setting.
  - When you change the HTTP session time out setting.
  - When a failover occurs in an HA pair configuration.
  This trap includes the following objects: ibNodeName, ibSubsystemName, ibTrapDesc. For a list of possible trap descriptions for this type of trap, see Process Started and Stopped Traps on page 201.
Trap Binding Variables (OID 3.1.1.1.2)
Each SNMP trap contains information about the event or the problem. The Infoblox SNMP traps include MIB objects
and their corresponding values from the ibNotificationVarBind module. Table 6.2 describes the objects in the
ibNotificationVarBind module.
Table 6.2 ibNotificationVarBind (OID 3.1.1.1.2)
Note: The OIDs shown in the following table do not include the prefix .1.3.6.1.4.1.7779.

OID: 3.1.1.1.2.1.0
MIB Object: ibNodeName
Description: The IP address of the appliance on which the trap occurs. This may or may not be the same as the appliance that sends the trap. This object is used in all types of traps.

OID: 3.1.1.1.2.2.0
MIB Object: ibTrapSeverity
Description: The severity of the trap. There are five levels of severity. See Trap Severity (OID 3.1.1.1.2.2.0) on page 185 for details.

OID: 3.1.1.1.2.3.0
MIB Object: ibObjectName
Description: The name of the object for which the trap was generated. This is used in the Equipment Failure traps, Threshold Crossing traps, and the Object State Change traps. The following shows what this object represents depending on the type of trap:
  - Equipment Failure traps: The equipment name.
  - Threshold Crossing traps: The threshold name.
  - State Change traps: The object that changes state.

OID: 3.1.1.1.2.4.0
MIB Object: ibProbableCause
Description: The probable cause of the trap. See ibProbableCause Values on page 186 for the definitions of each value.

OID: 3.1.1.1.2.5.0
MIB Object: ibSubsystemName
Description: The subsystem for which the trap was generated, such as NTP or SNMP. This object is used in the Processing and Software Failure traps and the Process Start and Stop traps. See ibSubsystemName Values (OID 3.1.1.1.2.9.0) on page 187 for definitions of each value.

OID: 3.1.1.1.2.6.0
MIB Object: ibCurThresholdValue
Description: The current value of the threshold counter. This object is used in the Threshold Crossing traps.

OID: 3.1.1.1.2.7.0
MIB Object: ibThresholdHigh
Description: The value for the high watermark. This only applies when the appliance sends a trap to indicate that DHCP address usage is above the configured high watermark value for a DHCP address range. This object is used in Threshold Crossing traps. For additional information, see Setting Watermark Properties on page 567.

OID: 3.1.1.1.2.8.0
MIB Object: ibThresholdLow
Description: The value for the low watermark. This only applies when the appliance sends a trap to indicate that DHCP address usage went below the configured low watermark value for a DHCP address range. This object is used in Threshold Crossing traps. For additional information, see Setting Watermark Properties on page 567.

OID: 3.1.1.1.2.9.0
MIB Object: ibPreviousState
Description: The previous state of the appliance. This object is used in the Object State Change traps. See ibPreviousState (OID 3.1.1.1.2.9.0) and ibCurrentState (OID 3.1.1.1.2.10.0) on page 188 for definitions of each value.

OID: 3.1.1.1.2.10.0
MIB Object: ibCurrentState
Description: The current state of the appliance. This object is used in the Object State Change traps. See ibPreviousState (OID 3.1.1.1.2.9.0) and ibCurrentState (OID 3.1.1.1.2.10.0) on page 188 for the definition of each value.

OID: 3.1.1.1.2.11.0
MIB Object: ibTrapDesc
Description: The description of the trap. This object is used in all types of traps. See ibTrapDesc (OID 3.1.1.1.2.11.0) on page 189 for the description, possible cause, and recommended actions for each Infoblox SNMP trap.

Trap Severity (OID 3.1.1.1.2.2.0)
The object ibTrapSeverity defines the severity level for each Infoblox SNMP trap. There are five levels of severity.
Value Description
1 Undetermined
2 Informational: Event that requires no further action.
3 Minor: Event that does not require user intervention.
4 Major: Event that requires user intervention and assistance from Infoblox Technical Support.
5 Critical: Problem that affects services and system operations, and requires assistance from Infoblox Technical Support.
ibProbableCause Values (OID 3.1.1.1.2.4.0)
Table 6.3 lists the values that are associated with the object ibProbableCause (OID 3.1.1.1.2.4.0). These values
provide information about the events, such as software failures, that trigger traps.
Table 6.3 ibProbableCause Values
Value ibProbableCause (OID 3.1.1.1.2.4.0)
0 ibClear
1 ibUnknown
2 ibPrimaryDiskFailure
3 ibFanFailure-old
4 ibPowerSupplyFailure
5 ibDBFailure
6 ibApacheSoftwareFailure
7 ibSerialConsoleFailure
11 ibControldSoftwareFailure
12 ibUpgradeFailure
13 ibSNMPDFailure
15 ibSSHDSoftwareFailure
16 ibNTPDSoftwareFailure
17 ibClusterdSoftwareFailure
18 ibLCDSoftwareFailure
19 ibDHCPdSoftwareFailure
20 ibNamedSoftwareFailure
23 ibRadiusdSoftwareFailure
24 ibNTLMSoftwareFailure
25 ibNetBIOSDaemonFailure
26 ibWindowBindDaemonFailure
27 ibTFTPDSoftwareFailure
28 ibQIPRemoteServerSoftwareFailure
29 ibBackupSoftwareFailure
30 ibBackupDatabaseSoftwareFailure
31 ibBackupModuleSoftwareFailure
32 ibBackupSizeSoftwareFailure
33 ibBackupLockSoftwareFailure
34 ibHTTPFileDistSoftwareFailure
35 ibOSPFSoftwareFailure
36 ibAuthDHCPNamedSoftwareFailure
37 ibFan1Failure
38 ibFan2Failure
39 ibFan3Failure
40 ibFan1OK
41 ibFan2OK
42 ibFan3OK
43 ibIPWCSoftwareFailure
44 ibFTPDSoftwareFailure
3001 ibRAIDIsOptimal
3002 ibRAIDIsDegraded
3003 ibRAIDIsRebuilding
3004 ibRAIDStatusUnknown
3005 ibRAIDBatteryIsOK
3006 ibRAIDBatteryFailed

ibSubsystemName Values (OID 3.1.1.1.2.9.0)
Table 6.4 lists the values that are associated with the object ibSubsystemName (OID 3.1.1.1.2.9.0). These values
provide information about the subsystems that trigger the traps.
Table 6.4 ibSubsystemName Values
Value ibSubsystemName (OID 3.1.1.1.2.9.0)
0 Uses the original ibObjectName and ibSubsystemName when the trap is cleared.
1 N/A
2 N/A
3 N/A
4 N/A
5 Db_jnld
6 httpd
7 serial_console
11 controld
12 N/A
13 Snmpd
15 Sshd
16 Ntpd
17 Clusterd
18 Lcd
19 Dhcpd
20 Named
23 Radiusd
24 NTLM
25 Netbiosd
26 Winbindd
27 Tftpd
28 QIP
29 N/A
30 N/A
31 N/A
32 N/A
33 N/A
34 HTTPd
35 OSPF

ibPreviousState (OID 3.1.1.1.2.9.0) and ibCurrentState (OID 3.1.1.1.2.10.0)
The ibPreviousState object indicates the state of the appliance before the event triggered the trap. The ibCurrentState
object indicates the current state of the appliance. Table 6.5 shows the message and description for each state.
Table 6.5 ibPreviousState and ibCurrentState Values
Value Description Definition
1 ha-active The HA pair is in ACTIVE state.
2 ha-passive The HA pair is in PASSIVE state.
3 ha-initial The HA pair is in INITIAL state.
4 grid-connected The appliance is connected to the grid.
5 grid-disconnected The appliance is not connected to the grid.
6 enet-link-up The ethernet port link is active.
7 enet-link-down The ethernet port link is inactive.
8 replication-online The replication is online.
9 replication-offline The replication is offline.
10 replication-snapshotting The replication is snapshotting.
11 service-up The service is up.
12 service-down The service is down.
13 ha-replication-online The HA pair replication is online.
14 ha-replication-offline The HA pair replication is offline.
15 ntp-syn-up The NTP server is synchronizing.
16 ntp-syn-down The NTP server is out of sync.

ibTrapDesc (OID 3.1.1.1.2.11.0)
The ibTrapDesc object lists the trap messages of all Infoblox SNMP traps. This section lists all the SNMP traps by their
trap types. Each trap table describes the trap message, severity, cause, and recommended actions.

Equipment Failure Traps
Columns: ibTrapDesc (OID 3.1.1.1.2.11.0), ibTrapSeverity (OID 3.1.1.1.2.2), Description/Cause, Recommended Actions.

Primary Drive Full
ibTrapDesc: Primary drive is full.
ibTrapSeverity: Major
Description/Cause: The primary disk drive reached 100% of usage.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

Fan Monitoring
ibTrapDesc: Fan <n> failure has occurred.
ibTrapSeverity: Minor
Description/Cause: The specified fan failed. The fan number <n> can be 1, 2, or 3.
Recommended Actions: Inspect the specified fan for mechanical or electrical problems.

ibTrapDesc: Fan <n> is OK.
ibTrapSeverity: Informational
Description/Cause: The specified fan is functioning properly. The fan number <n> can be 1, 2, or 3.
Recommended Actions: No action is required.

Power Supply Failure: monitored at 1 minute
ibTrapDesc: A power supply failure has occurred.
ibTrapSeverity: Major
Description/Cause: The power supply failed.
Recommended Actions:
  1. Inspect the power supply for the possible cause of the failure.
  2. Contact Infoblox Technical Support for assistance.
RAID monitoring, at 1 minute interval
ibTrapDesc: A RAID battery failure has occurred.
ibTrapSeverity: Major
Description/Cause: The system RAID battery failed. The alert light is red.
Recommended Actions:
  1. Inspect the battery for the possible cause of the failure.
  2. Contact Infoblox Technical Support for assistance.

ibTrapDesc: The systems RAID battery is OK.
ibTrapSeverity: Informational
Description/Cause: The system RAID battery is charging and functioning properly. The alert light changed from red to green.
Recommended Actions: No action is required.

ibTrapDesc: Unable to retrieve RAID array state!
ibTrapSeverity: Undetermined
Description/Cause: The appliance failed to retrieve the RAID array state. The alert light is red.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

ibTrapDesc: The systems RAID array is now running in an optimal state.
ibTrapSeverity: Informational
Description/Cause: The RAID system is functioning at an optimal state.
Recommended Actions: No action is required.

ibTrapDesc: The systems RAID array is in a degraded state.
ibTrapSeverity: Major
Description/Cause: The RAID system is degrading.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

ibTrapDesc: The systems RAID array is rebuilding.
ibTrapSeverity: Minor
Description/Cause: The RAID system is rebuilding.
Recommended Actions: No action is required.

Processing and Software Failure Traps
Columns: ibTrapDesc (OID 3.1.1.1.2.11.0), ibTrapSeverity (OID 3.1.1.1.2.2), Description/Cause, Recommended Actions.
Named Daemon Failure
ibTrapDesc: A named daemon monitoring failure has occurred.
ibTrapSeverity: Critical
Description/Cause: The named process failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

DHCP Daemon Failure
ibTrapDesc: A DHCP daemon monitoring failure has occurred.
ibTrapSeverity: Critical
Description/Cause: The dhcpd process failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.
VitalQIP Remote Server Failure
ibTrapDesc: A VitalQIP remote server failure has occurred.
ibTrapSeverity: Critical
Description/Cause: The qip-msgd or the qip-rmtd process failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

SSH Daemon Failure
ibTrapDesc: An SSH daemon failure has occurred.
ibTrapSeverity: Major
Description/Cause: The sshd process failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

NTP Daemon Failure, monitored every 10 minutes
ibTrapDesc: An NTP daemon failure has occurred.
ibTrapSeverity: Major
Description/Cause: The ntpd process failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

Cluster Daemon Failure
ibTrapDesc: A cluster daemon failure has occurred.
ibTrapSeverity: Critical
Description/Cause: The clusterd process failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

LCD Daemon Failure
ibTrapDesc: An LCD daemon failure has occurred.
ibTrapSeverity: Major
Description/Cause: The LCD process failed. The alert light is yellow.
Recommended Actions:
  1. Inspect the LCD panel for the possible cause of this problem.
  2. Review the syslog file to identify the possible cause of this problem.
  3. Contact Infoblox Technical Support for assistance.

Apache Software httpd failure, monitored every 2 minutes
ibTrapDesc: An Apache software failure has occurred.
ibTrapSeverity: Critical
Description/Cause: The request to monitor the Apache server failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

Serial Console Failure
ibTrapDesc: An Infoblox serial console software failure has occurred.
ibTrapSeverity: Major
Description/Cause: The Infoblox serial console failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.
Controld Software Failure
ibTrapDesc: A controld failure has occurred.
ibTrapSeverity: Critical
Description/Cause: The controld process failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

SNMP Sub-agent Failure
ibTrapDesc: An SNMP server failure has occurred.
ibTrapSeverity: Major
Description/Cause: The one-subagent process failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

TFTPD and FTPD Failure
ibTrapDesc: A TFTPD daemon failure has occurred.
ibTrapSeverity: Critical
Description/Cause: The tftpd process failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

ibTrapDesc: An FTPD daemon failure has occurred.
ibTrapSeverity: Critical
Description/Cause: The ftpd process failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

HTTP File Distribution, monitored at 10 second intervals
ibTrapDesc: An HTTP file distribution daemon failure has occurred.
ibTrapSeverity: Critical
Description/Cause: The HTTP file distribution process failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

auth_named Process Failure
ibTrapDesc: An auth named server failure has occurred.
ibTrapSeverity: Critical
Description/Cause: The auth_named server failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

IPWC Processes, monitored at 30 second intervals for IB-250 and 10 second intervals for other appliances
ibTrapDesc: An IPAM WinConnect server failure has occurred.
ibTrapSeverity: Critical
Description/Cause: The IPWC (IPAM WinConnect) server failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

DNS ONE quagga Processes (zebra & ospfd)
ibTrapDesc: An OSPF routing daemon failure has occurred.
ibTrapSeverity: Critical
Description/Cause: Either the zebra process or the ospfd process failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.
radiusd Monitoring
ibTrapDesc: A RADIUS daemon monitoring failure has occurred.
ibTrapSeverity: Critical
Description/Cause: The radiusd process failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

Backup Failure
ibTrapDesc: Backup failed.
ibTrapSeverity: Not implemented.
Description/Cause: The backup failed. One of the following could be the cause of the failure:
  - The appliance could not access a backup directory.
  - The IPAM WinConnect backup failed.
  - The backup was interrupted by one of the following signals: SIGINT, SIGHUP, or SIGTERM.
  - Incorrect login or connection failure in an FTP backup.
  - The backup failed to create temporary files.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

Database Backup Failure
ibTrapDesc: Database backup failed.
ibTrapSeverity: Not implemented.
Description/Cause: The db_dump process failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.

Backup Module Failure
ibTrapDesc: Module backup failed.
ibTrapSeverity: Not implemented.
Description/Cause: The backup of product-specific files failed.
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.
Backup File Size Exceeded
ibTrapDesc: File size exceeded the quota. Backup failed.
ibTrapSeverity: Not implemented.
Description/Cause: The backup failed because the file size exceeded the limit of 5GB.
Recommended Actions: Limit the size of the backup file to less than 5GB.

ibTrapDesc: Another backup is in progress. Backup will not be performed.
ibTrapSeverity: Not implemented.
Description/Cause: The backup failed because of an attempt to back up or merge files while another backup or restore was in progress.
Recommended Actions: Wait until the backup or restore is complete before starting another backup.

Watchdog Process Monitoring
ibTrapDesc: WATCHDOG: <registered client name> failed on <server IP address>
ibTrapSeverity: Critical
Description/Cause: The watchdog process detected a registered client failure on a specific server. The <registered client name> could be one of the following:
  - Clusterd timeout thread
  - DB Sentinel run_server loop
  - Process manager main loop
  - Clusterd monitor
  - Disk monitor
Recommended Actions:
  1. Review the syslog file to identify the possible cause of this problem.
  2. Contact Infoblox Technical Support for assistance.
Threshold Crossing Traps
Table columns: ibTrapDesc (OID 3.1.1.1.2.11.0), ibTrapSeverity (OID 3.1.1.1.2.2), Description/Cause, Recommended Actions
System Memory Usage
Trap description: System has run out of memory.
Severity: Major
Description/Cause: The appliance ran out of memory. The appliance encountered this problem when one of the following occurred:
- The total free memory on the appliance was less than or equal to 0%.
- The total physical memory was less than the total free memory.
- The percentage of free memory compared to the total physical memory was less than 5%, and the free swap percentage was less than 80%.
- The percentage of free memory compared to the total physical memory was less than 5%, plus the numbers of both swap INs and swap OUTs were greater than or equal to 3,200.
- The percentage of free memory compared to the total physical memory was between 5% and 10%, the free swap percentage was greater than or equal to 80%, plus the numbers of both swap INs and swap OUTs were greater than or equal to 3,200.
- The percentage of free memory compared to the total physical memory was greater than 10%, the free swap percentage was less than 80%, plus the numbers of both swap INs and swap OUTs were greater than or equal to 3,200.
Note: Free memory = free physical RAM + free cache buffers. The high threshold for swap pages is 3,200.
Recommended actions:
1. Review the syslog file to identify the possible cause of this problem.
2. Contact Infoblox Technical Support for assistance.
Trap description: System memory usage is over 90%.
Severity: Minor
Description/Cause: The memory usage on the appliance exceeded 90%. The appliance encountered this problem when one of the following occurred:
- The percentage of free memory compared to the total physical memory was less than 5%, and the free swap percentage was less than 90%.
- The percentage of free memory compared to the total physical memory was less than 5%, plus the number of swap INs was less than 3,200 and the number of swap OUTs was greater than or equal to 3,200.
- The percentage of free memory compared to the total physical memory was between 5% and 10%, and the free swap percentage was less than 80%.
- The percentage of free memory compared to the total physical memory was greater than 5%, plus the number of swap INs was less than 3,200 and the number of swap OUTs was greater than or equal to 3,200.
Note: Free memory = free physical RAM + free cache buffers. The high threshold for swap pages is 3,200.
Recommended actions:
1. Review the syslog file to identify the possible cause of this problem.
2. Contact Infoblox Technical Support for assistance.
Trap description: System memory is OK.
Severity: Minor
Description/Cause: The memory usage on the system is back to normal from the previous state.
Recommended actions: No action is required.
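The two memory traps above are triggered by several overlapping conditions on the same four measurements (free memory as a share of physical memory, free swap percentage, swap-in and swap-out page counts). As an added example that is not from the guide and not Infoblox code, the following Python evaluates those conditions exactly as the table lists them against a sample measurement and returns the trap that would be raised. The data class and function names, and the rule that the Major conditions are evaluated before the Minor ones, are my assumptions; the percentages and the 3,200-page swap threshold are the table's.

```python
"""Evaluate the NIOS memory-usage trap conditions (added example, not Infoblox code).

Inputs mirror the quantities named in the trap table: free memory (free
physical RAM + free cache buffers), total physical memory, free swap
percentage, and the swap-in / swap-out page counts. Checking the Major
conditions before the Minor ones is an assumption made here, because the
two condition lists overlap.
"""
from dataclasses import dataclass

SWAP_HIGH = 3200  # high threshold for swap pages, from the trap table


@dataclass(frozen=True)
class MemorySample:
    total_kb: int         # total physical memory
    free_kb: int          # free physical RAM + free cache buffers
    swap_free_pct: float  # free swap as a percentage of total swap
    swap_in: int          # swap-in page count for the interval
    swap_out: int         # swap-out page count for the interval

    @property
    def free_pct(self) -> float:
        """Free memory as a percentage of total physical memory."""
        return 100.0 * self.free_kb / self.total_kb if self.total_kb else 0.0


def is_major(s: MemorySample) -> bool:
    """'System has run out of memory' (Major), conditions as listed in the table."""
    f, sw = s.free_pct, s.swap_free_pct
    both_high = s.swap_in >= SWAP_HIGH and s.swap_out >= SWAP_HIGH
    return (
        f <= 0
        or s.total_kb < s.free_kb
        or (f < 5 and sw < 80)
        or (f < 5 and both_high)
        or (5 <= f <= 10 and sw >= 80 and both_high)
        or (f > 10 and sw < 80 and both_high)
    )


def is_minor(s: MemorySample) -> bool:
    """'System memory usage is over 90%' (Minor), conditions as listed in the table."""
    f, sw = s.free_pct, s.swap_free_pct
    out_high_in_low = s.swap_in < SWAP_HIGH and s.swap_out >= SWAP_HIGH
    return (
        (f < 5 and sw < 90)
        or (f < 5 and out_high_in_low)
        or (5 <= f <= 10 and sw < 80)
        or (f > 5 and out_high_in_low)
    )


def classify(s: MemorySample) -> str:
    """Return the trap the sample would raise: 'Major', 'Minor' or 'OK'.

    Major is tested first (assumption): a sample with under 5% free memory
    and under 80% free swap satisfies both lists, and the more severe trap
    is the one an operator needs to see.
    """
    if is_major(s):
        return "Major"
    if is_minor(s):
        return "Minor"
    return "OK"


if __name__ == "__main__":
    # Constructed sample: 3% free memory with 70% free swap is a Major condition.
    print(classify(MemorySample(total_kb=1_000_000, free_kb=30_000,
                                swap_free_pct=70, swap_in=0, swap_out=0)))
```

Running a series of samples through classify() and acting only when the result changes reproduces the "System memory is OK" clearing behaviour the table describes; the explicit precedence matters because the Major and Minor lists overlap.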
Primary Hard Drive Usage (monitored every 30 seconds)
Trap description: System primary hard disk usage is over 90%.
Severity: Minor
Description/Cause: The primary hard disk usage exceeded 90%. The alert light is yellow.
Recommended actions:
1. Review the syslog file to identify the possible cause of this problem.
2. Contact Infoblox Technical Support for assistance.
Trap description: Primary drive is full.
Severity: Major
Description/Cause: The primary hard disk usage exceeded 95%. The alert light is red.
Recommended actions:
1. Review the syslog file to identify the possible cause of this problem.
2. Contact Infoblox Technical Support for assistance.
Trap description: Primary drive usage is OK.
Severity: Minor
Description/Cause: The primary hard disk usage is 85% or lower. The alert light is green.
Recommended actions: No action is required.
Replication Statistics Monitoring
Trap description: Grid queue replication problem.
Severity: Not implemented.
Description/Cause: The system encountered this problem when all of the following conditions occurred:
- The node was online.
- The number of the replication queue being sent from the master column was greater than 0, or the number of the queue received was greater than 0.
- It was more than 10 minutes since the last replication queue was sent and monitored.
Recommended actions:
1. Review the syslog file to identify the possible cause of this problem.
2. Contact Infoblox Technical Support for assistance.
DHCP Range Threshold Crossing
Trap description: DHCP threshold crossed:
  Member: <DHCP server node VIP>
  Network: <network>
  Range: <DHCP range>
  High Watermark: <high watermark percentage> (95% by default)
  Low Watermark: <low watermark percentage> (0% by default)
  Current Usage: <current usage percentage>
  Active Leases: <number of active leases>
  Available Leases: <number of available leases>
  Total Addresses: <total addresses>
Severity: Not implemented.
Description/Cause: The system encountered this problem when one of the following conditions occurred:
- The address usage in the DHCP range was greater than the high watermark.
- The address usage in the DHCP range was less than the low watermark.
Recommended actions:
1. Review the syslog file to identify the possible cause of this problem.
2. Contact Infoblox Technical Support for assistance.
DHCP DDNS Updates Deferred
Trap description: DHCP DNS updates deferred:
  Retried at least once: <number of retries>
  Maximum number of deferred updates since start of problem episode (or restart): <max number>
Severity: Not implemented.
Description/Cause: The DNS updates were deferred because of DDNS update errors.
Recommended actions:
1. Review the syslog file to identify the possible cause of this problem.
2. Contact Infoblox Technical Support for assistance.
Object State Change Traps
Table columns: ibTrapDesc (OID 3.1.1.1.2.11.0), ibTrapSeverity (OID 3.1.1.1.2.2), Description/Cause, Recommended Actions
Database Capacity Usage
Trap description: Over 85% database capacity used.
Severity: Minor
Description/Cause: The appliance database usage exceeded 85%.
Recommended actions:
1. Increase the database capacity.
2. Contact Infoblox Technical Support for assistance.
Trap description: Database capacity used is OK.
Severity: Minor
Description/Cause: The appliance database usage is less than 85%.
Recommended actions: No action is required.
Service Shutdown
Trap description: Shutting down services due to database snapshot.
Severity: Not implemented.
Description/Cause: The appliance is shutting down its services while synchronizing the database with the grid master.
Recommended actions: No action is required.
Network Interfaces Monitoring
Trap description: LAN port link is down. Please check the connection.
Severity: Major
Description/Cause: The LAN port is up, but the link is down.
Recommended actions: Check the LAN link connection.
Trap description: HA port link is down. Please check the connection.
Severity: Major
Description/Cause: The HA port is up, but the link is down.
Recommended actions: Check the HA link connection.
Trap description: MGMT port link is down. Please check the connection.
Severity: Major
Description/Cause: The MGMT port is enabled, but the link is down.
Recommended actions: Check the MGMT link connection.
Trap description: LAN port link is up.
Severity: Major
Description/Cause: The LAN port link is up and running.
Recommended actions: No action is required.
Trap description: HA port link is up.
Severity: Major
Description/Cause: The HA port link is up and running.
Recommended actions: No action is required.
Trap description: MGMT port link is up.
Severity: Major
Description/Cause: The MGMT port link is up and running.
Recommended actions: No action is required.
HA State Change from Initial to Active
Trap description: The node has become ACTIVE.
Severity: Not implemented.
Description/Cause: A node in an HA pair becomes active. The HA pair starts up.
Recommended actions: No action is required.
HA State Change from Passive to Active
Trap description: The node has become ACTIVE.
Severity: Not implemented.
Description/Cause: The node changed from a passive to an active node.
Recommended actions: No action is required.
HA State Change from Initial to Passive
Trap description: The node has become PASSIVE.
Severity: Not implemented.
Description/Cause: A node in an HA pair becomes passive. The HA pair starts up, and the node is not a grid master candidate.
Recommended actions: No action is required.
Node Connected to Grid
Trap description: The grid member is connected to the grid master.
Severity: Not implemented.
Description/Cause: The grid member joined the grid, and it is not a grid master candidate.
Recommended actions: No action is required.
Node Disconnected from Grid
Trap description: The grid member is not connected to the grid master.
Severity: Not implemented.
Description/Cause: The grid member lost its connection to the grid master.
Recommended actions: No action is required.
Replication State Monitoring
Trap description: HA replication online.
Severity: Not implemented.
Description/Cause: The replication queue is online.
Recommended actions: No action is required.
Trap description: HA replication offline.
Severity: Not implemented.
Description/Cause: The replication queue is offline.
Recommended actions: No action is required.
NTP is out of sync (monitored every 30 seconds)
Trap description: The NTP server is out of synchronization.
Severity: Major
Description/Cause: The Infoblox NTP server and the external NTP server are not synchronized.
Recommended actions:
1. Review the syslog file to identify the possible cause of this problem.
2. Contact Infoblox Technical Support for assistance.
Replication State Monitoring
Trap description: Replication queue is offline.
Severity: Not implemented.
Description/Cause: The replication queue is offline.
Recommended actions: No action is required.
Process Started and Stopped Traps
Table columns: ibTrapDesc (OID 3.1.1.1.2.11.0), ibTrapSeverity (OID 3.1.1.1.2.2), Description/Cause, Recommended Actions
Httpd Start
Trap description: The process started normally.
Severity: Informational
Description/Cause: The httpd process started.
Recommended actions: No action is required.
Httpd Stop
Trap description: The process stopped normally.
Severity: Informational
Description/Cause: The httpd process stopped.
Recommended actions: No action is required.
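A trap receiver sees only the two objects named in the table legends, ibTrapDesc and ibTrapSeverity, so any routing has to be derived from their values. The following Python handler is an added example, not the guide's or Infoblox's code: it extracts those two objects from a trap's varbind list (the (oid, value) pairs a receiver such as snmptrapd hands to a handler) and routes the trap using the severities and the recurring description phrases from the tables above. It assumes the 1.3.6.1.4.1.7779 enterprise prefix applies to the trap OIDs in the same way the guide states for the other MIBs; the routing tiers, the pattern lists and the sample varbinds are my constructions.

```python
"""Route NIOS SNMP traps on ibTrapDesc and ibTrapSeverity (added example, not Infoblox code)."""
import re
from dataclasses import dataclass
from typing import Optional

ENTERPRISE = "1.3.6.1.4.1.7779"                  # Infoblox enterprise prefix named in the guide
OID_TRAP_DESC = ENTERPRISE + ".3.1.1.1.2.11.0"   # ibTrapDesc, OID from the table legend
OID_TRAP_SEVERITY = ENTERPRISE + ".3.1.1.1.2.2"  # ibTrapSeverity, OID from the table legend

# Description phrases the tables use for clearing ("back to normal") events.
CLEARING = [re.compile(p) for p in (r"\bis OK\b", r"link is up\b", r"replication online\b")]
# Phrases whose table entries call for immediate attention (my selection).
PAGE = [re.compile(p) for p in (r"^WATCHDOG:", r"link is down\b", r"out of synchronization",
                                 r"run out of memory", r"drive is full")]
# Phrases worth a ticket even when the severity is "Not implemented" (my selection).
TICKET = [re.compile(p) for p in (r"\bfailed\b", r"\bproblem\b", r"threshold crossed",
                                   r"\bdeferred\b", r"\boffline\b")]


@dataclass(frozen=True)
class Trap:
    description: str
    severity: str


def parse_trap(varbinds) -> Optional[Trap]:
    """Extract ibTrapDesc/ibTrapSeverity from (oid, value) pairs; None without a description."""
    desc = sev = None
    for oid, value in varbinds:
        oid = str(oid).lstrip(".")
        if oid == OID_TRAP_DESC:
            desc = str(value).strip()
        elif oid == OID_TRAP_SEVERITY:
            sev = str(value).strip()
    if desc is None:
        return None
    # Many table entries carry the severity "Not implemented"; a missing
    # severity varbind is treated the same way rather than rejected.
    return Trap(desc, sev or "Not implemented")


def route(trap: Trap) -> str:
    """Return 'clear', 'page', 'ticket' or 'log' for a parsed trap."""
    text = trap.description
    if any(p.search(text) for p in CLEARING):
        return "clear"
    if trap.severity == "Critical" or any(p.search(text) for p in PAGE):
        return "page"
    if trap.severity in ("Major", "Minor") or any(p.search(text) for p in TICKET):
        return "ticket"
    return "log"


def handle(varbinds) -> str:
    """Parse and route in one step; a trap without ibTrapDesc is only logged."""
    trap = parse_trap(varbinds)
    return "log" if trap is None else route(trap)


# Constructed sample trap (not captured from a real appliance). The first two
# varbinds stand in for the standard sysUpTime and snmpTrapOID objects.
SAMPLE_LINK_DOWN = [
    ("1.3.6.1.2.1.1.3.0", "123456"),
    ("1.3.6.1.6.3.1.1.4.1.0", "<trap OID placeholder>"),
    ("." + OID_TRAP_DESC, "LAN port link is down. Please check the connection."),
    ("." + OID_TRAP_SEVERITY, "Major"),
]

if __name__ == "__main__":
    print(handle(SAMPLE_LINK_DOWN))
```

The pattern lists are a starting point to tune against the tables: for instance "Replication queue is offline" needs no action per its entry, yet the generic "offline" rule files a ticket, which is the safer default until that specific description is excluded.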
ibPlatformOne MIB
The ibPlatformOne MIB provides information about the CPU temperature of the appliance, the replication status, and the average latency of DNS requests. Figure 6.4 illustrates the structure of the PlatformOne MIB. (Note that the OIDs in the illustration do not include the prefix .1.3.6.1.4.1.7779.) The ibPlatformOne MIB branches out into six subtrees:
- ibCPUTemperature tracks the CPU temperature of the appliance.
- ibClusterReplicationStatusTable provides information in tabular format about the replication status of the appliance. See ibClusterReplicationStatusTable on page 203 for more information.
- ibNetworkMonitor provides information about the average latency of authoritative and nonauthoritative replies to DNS queries for different time intervals. See ibNetwork Monitor on page 203 for more information.
- ibHardwareType provides the model number of the Infoblox hardware platform.
- ibHardwareId provides the hardware ID of the NIOS appliance.
- ibSerialNumber provides the serial number of the Infoblox hardware platform.
Figure 6.4 PlatformOneMIB Structure
(3.1.1.2) ibPlatformOne MIB
  (3.1.1.2.1) ibPlatformOneModule
    (3.1.1.2.1.1) ibCPUTemperature
    (3.1.1.2.1.2) ibClusterReplicationStatusTable
      (3.1.1.2.1.2.1) ibClusterReplicationStatusEntry
        (3.1.1.2.1.2.1.1) ibNodeIPAddress
        (3.1.1.2.1.2.1.2) ibNodeReplicationStatus
        (3.1.1.2.1.2.1.3) ibNodeQueueFromMaster
        (3.1.1.2.1.2.1.4) ibNodeLastRepTimeFromMaster
        (3.1.1.2.1.2.1.5) ibNodeQueueToMaster
        (3.1.1.2.1.2.1.6) ibNodeLastRepTimeToMaster
    (3.1.1.2.1.3) ibNetworkMonitor
      (3.1.1.2.1.3.1) ibNetworkMonitorDNS
        (3.1.1.2.1.3.1.1) ibNetworkMonitorDNSActive
        (3.1.1.2.1.3.1.2) ibNetworkMonitorDNSNonAA
        (3.1.1.2.1.3.1.3) ibNetworkMonitorDNSAA
    (3.1.1.2.1.4) ibHardwareType
    (3.1.1.2.1.5) ibHardwareId
    (3.1.1.2.1.6) ibSerialNumber
ibClusterReplicationStatusTable
This table provides information about the grid replication status.
Table 6.6 ibClusterReplicationStatusTable Objects
Object | Description
ibClusterReplicationStatusEntry | A conceptual row that provides information about the grid replication status.
ibNodeIPAddress | IP address of a grid member.
ibNodeReplicationStatus | Replication status of the grid member.
ibNodeQueueFromMaster | Sent queue size from master.
ibNodeLastRepTimeFromMaster | Last sent time from master.
ibNodeQueueToMaster | Receive queue size from master.
ibNodeLastRepTimeToMaster | Last receive time from master.
ibNetwork Monitor
As shown in Figure 6.4, the ibNetwork Monitor has one subtree, ibNetworkMonitorDNS, that branches out into the following:
- ibNetworkMonitorDNSActive reports on whether DNS latency monitoring is enabled. This is the only object in this branch. When you send a query for this object, the appliance responds with either active or nonactive.
- ibNetworkMonitorDNSNonAA provides information about the average latency of nonauthoritative replies to DNS queries for 1-, 5-, 15-, and 60-minute intervals.
- ibNetworkMonitorDNSAA provides information about the average latency of authoritative replies to DNS queries for 1-, 5-, 15-, and 60-minute intervals.
Figure 6.5 ibNetworkMonitorDNSNonAA and ibNetworkMonitorDNSAA Subtrees
(3.1.1.2.1.3.1.2) ibNetworkMonitorDNSNonAA
  (3.1.1.2.1.3.1.2.1) ibNetworkMonitorDNSNonAAT1
    (3.1.1.2.1.3.1.2.1.1) ibNetworkMonitorDNSNonAAT1AvgLatency
    (3.1.1.2.1.3.1.2.1.2) ibNetworkMonitorDNSNonAAT1Count
  (3.1.1.2.1.3.1.2.2) ibNetworkMonitorDNSNonAAT5
    (3.1.1.2.1.3.1.2.2.1) ibNetworkMonitorDNSNonAAT5AvgLatency
    (3.1.1.2.1.3.1.2.2.2) ibNetworkMonitorDNSNonAAT5Count
  (3.1.1.2.1.3.1.2.3) ibNetworkMonitorDNSNonAAT15
    (3.1.1.2.1.3.1.2.3.1) ibNetworkMonitorDNSNonAAT15AvgLatency
    (3.1.1.2.1.3.1.2.3.2) ibNetworkMonitorDNSNonAAT15Count
  (3.1.1.2.1.3.1.2.4) ibNetworkMonitorDNSNonAAT60
    (3.1.1.2.1.3.1.2.4.1) ibNetworkMonitorDNSNonAAT60AvgLatency
    (3.1.1.2.1.3.1.2.4.2) ibNetworkMonitorDNSNonAAT60Count
  (3.1.1.2.1.3.1.2.5) ibNetworkMonitorDNSNonAAT1440
    (3.1.1.2.1.3.1.2.5.1) ibNetworkMonitorDNSNonAAT1440AvgLatency
    (3.1.1.2.1.3.1.2.5.2) ibNetworkMonitorDNSNonAAT1440Count
(3.1.1.2.1.3.1.3) ibNetworkMonitorDNSAA
  (3.1.1.2.1.3.1.3.1) ibNetworkMonitorDNSAAT1
    (3.1.1.2.1.3.1.3.1.1) ibNetworkMonitorDNSAAT1AvgLatency
    (3.1.1.2.1.3.1.3.1.2) ibNetworkMonitorDNSAAT1Count
  (3.1.1.2.1.3.1.3.2) ibNetworkMonitorDNSAAT5
    (3.1.1.2.1.3.1.3.2.1) ibNetworkMonitorDNSAAT5AvgLatency
    (3.1.1.2.1.3.1.3.2.2) ibNetworkMonitorDNSAAT5Count
  (3.1.1.2.1.3.1.3.3) ibNetworkMonitorDNSAAT15
    (3.1.1.2.1.3.1.3.3.1) ibNetworkMonitorDNSAAT15AvgLatency
    (3.1.1.2.1.3.1.3.3.2) ibNetworkMonitorDNSAAT15Count
  (3.1.1.2.1.3.1.3.4) ibNetworkMonitorDNSAAT60
    (3.1.1.2.1.3.1.3.4.1) ibNetworkMonitorDNSAAT60AvgLatency
    (3.1.1.2.1.3.1.3.4.2) ibNetworkMonitorDNSAAT60Count
  (3.1.1.2.1.3.1.3.5) ibNetworkMonitorDNSAAT1440
    (3.1.1.2.1.3.1.3.5.1) ibNetworkMonitorDNSAAT1440AvgLatency
    (3.1.1.2.1.3.1.3.5.2) ibNetworkMonitorDNSAAT1440Count
Table 6.7 describes the objects in ibNetworkMonitorDNSNonAA. You can send queries to retrieve values for these objects.
Table 6.7 ibNetworkMonitorDNSNonAA Objects
Object | Description
ibNetworkMonitorDNSNonAAT1 | File that contains the objects for monitoring the average latency of nonauthoritative replies to queries during the last minute.
ibNetworkMonitorDNSNonAAT1AvgLatency | Indicates the average latency in microseconds of nonauthoritative replies to queries during the last minute.
ibNetworkMonitorDNSNonAAT1Count | Indicates the number of queries used to calculate the average latency of nonauthoritative replies during the last minute.
ibNetworkMonitorDNSNonAAT5 | File that contains the objects for monitoring the average latency of nonauthoritative replies to queries during the last five minutes.
ibNetworkMonitorDNSNonAAT5AvgLatency | Indicates the average latency in microseconds of nonauthoritative replies to queries during the last five minutes.
ibNetworkMonitorDNSNonAAT5Count | Indicates the number of queries used to calculate the average latency of nonauthoritative replies during the last five minutes.
ibNetworkMonitorDNSNonAAT15 | File that contains the objects for monitoring the average latency of nonauthoritative replies to queries during the last 15 minutes.
ibNetworkMonitorDNSNonAAT15AvgLatency | Indicates the average latency in microseconds of nonauthoritative replies to queries during the last 15 minutes.
ibNetworkMonitorDNSNonAAT15Count | Indicates the number of queries used to calculate the average latency of nonauthoritative replies during the last 15 minutes.
ibNetworkMonitorDNSNonAAT60 | File that contains the objects for monitoring the average latency of nonauthoritative replies to queries during the last 60 minutes.
ibNetworkMonitorDNSNonAAT60AvgLatency | Indicates the average latency in microseconds of nonauthoritative replies to queries during the last 60 minutes.
ibNetworkMonitorDNSNonAAT60Count | Indicates the number of queries used to calculate the average latency of nonauthoritative replies during the last 60 minutes.
ibNetworkMonitorDNSNonAAT1440 | File that contains the objects for monitoring the average latency of nonauthoritative replies to queries during the last 1440 minutes.
ibNetworkMonitorDNSNonAAT1440AvgLatency | Indicates the average latency in microseconds of nonauthoritative replies to queries during the last 1440 minutes.
ibNetworkMonitorDNSNonAAT1440Count | Indicates the number of queries used to calculate the average latency of nonauthoritative replies during the last 1440 minutes.
Table 6.8 describes the objects in ibNetworkMonitorDNSAA. You can send queries to retrieve values for these objects.
Table 6.8 ibNetworkMonitorDNSAA Objects
Object | Description
ibNetworkMonitorDNSAAT1 | File that contains the objects for monitoring the average latency of authoritative replies to queries during the last minute.
ibNetworkMonitorDNSAAT1AvgLatency | Indicates the average latency in microseconds of authoritative replies to queries during the last minute.
ibNetworkMonitorDNSAAT1Count | Indicates the number of queries used to calculate the average latency of authoritative replies during the last minute.
ibNetworkMonitorDNSAAT5 | File that contains the objects for monitoring the average latency of authoritative replies to queries during the last five minutes.
ibNetworkMonitorDNSAAT5AvgLatency | Indicates the average latency in microseconds of authoritative replies to queries during the last five minutes.
ibNetworkMonitorDNSAAT5Count | Indicates the number of queries used to calculate the average latency of authoritative replies during the last five minutes.
ibNetworkMonitorDNSAAT15 | File that contains the objects for monitoring the average latency of authoritative replies to queries during the last 15 minutes.
ibNetworkMonitorDNSAAT15AvgLatency | Indicates the average latency in microseconds of authoritative replies to queries during the last 15 minutes.
ibNetworkMonitorDNSAAT15Count | Indicates the number of queries used to calculate the average latency of authoritative replies during the last 15 minutes.
ibNetworkMonitorDNSAAT60 | File that contains the objects for monitoring the average latency of authoritative replies to queries during the last 60 minutes.
ibNetworkMonitorDNSAAT60AvgLatency | Indicates the average latency in microseconds of authoritative replies to queries during the last 60 minutes.
ibNetworkMonitorDNSAAT60Count | Indicates the number of queries used to calculate the average latency of authoritative replies during the last 60 minutes.
ibNetworkMonitorDNSAAT1440 | File that contains the objects for monitoring the average latency of authoritative replies to queries during the last 1440 minutes.
ibNetworkMonitorDNSAAT1440AvgLatency | Indicates the average latency in microseconds of authoritative replies to queries during the last 1440 minutes.
ibNetworkMonitorDNSAAT1440Count | Indicates the number of queries used to calculate the average latency of authoritative replies during the last 1440 minutes.
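Figure 6.5 and Tables 6.7 and 6.8 lay the latency subtree out as a regular grid: branch (NonAA = 2, AA = 3 under ibNetworkMonitorDNS), interval (T1 = 1 through T1440 = 5) and leaf (AvgLatency = 1, Count = 2). The following Python, an added example rather than the guide's or Infoblox's code, builds every leaf OID from that grid under the 1.3.6.1.4.1.7779 prefix, parses snmpwalk-style output into per-interval figures, and flags intervals whose average latency is high while enough queries were counted for the average to mean something (a single slow lookup in a one-minute window is not an outage). The .0 scalar instance suffix, the thresholds and the sample walk output are my assumptions or constructions; the OID arcs and object names are the guide's.

```python
"""Build ibNetworkMonitorDNS OIDs and summarise an snmpwalk of them (added example, not Infoblox code)."""
import re

ENTERPRISE = "1.3.6.1.4.1.7779"
DNS_MONITOR = ENTERPRISE + ".3.1.1.2.1.3.1"      # ibNetworkMonitorDNS (Figure 6.4)
BRANCHES = {"NonAA": 2, "AA": 3}                  # ibNetworkMonitorDNSNonAA / ibNetworkMonitorDNSAA
INTERVALS = {"T1": 1, "T5": 2, "T15": 3, "T60": 4, "T1440": 5}  # last 1/5/15/60/1440 minutes
LEAVES = {"AvgLatency": 1, "Count": 2}            # microseconds / number of queries


def oid_table() -> dict:
    """Map each leaf OID (without the .0 instance) to (branch, interval, leaf)."""
    table = {}
    for branch, b in BRANCHES.items():
        for interval, t in INTERVALS.items():
            for leaf, l in LEAVES.items():
                table[f"{DNS_MONITOR}.{b}.{t}.{l}"] = (branch, interval, leaf)
    return table


def _normalise(oid: str) -> str:
    """Accept '.1.3...', 'iso.3...' and a trailing '.0' scalar instance (assumed)."""
    oid = oid.strip().lstrip(".")
    if oid.startswith("iso."):
        oid = "1." + oid[4:]
    if oid.endswith(".0"):
        oid = oid[:-2]
    return oid


# One snmpwalk output line: "<oid> = INTEGER: <value>" (type tag optional).
_LINE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?:\w+:\s*)?(?P<val>-?\d+)\s*$")


def parse_walk(lines, table=None) -> dict:
    """Return {(branch, interval): {"AvgLatency": int, "Count": int}} from walk output lines.

    Lines for OIDs outside the grid (such as ibNetworkMonitorDNSActive) are skipped.
    """
    table = table or oid_table()
    stats = {}
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        key = table.get(_normalise(m["oid"]))
        if key is None:
            continue
        branch, interval, leaf = key
        stats.setdefault((branch, interval), {})[leaf] = int(m["val"])
    return stats


def slow_intervals(stats, max_latency_us=50_000, min_queries=100) -> list:
    """(branch, interval) pairs over the latency threshold with a meaningful sample size."""
    return sorted(
        key for key, v in stats.items()
        if v.get("Count", 0) >= min_queries and v.get("AvgLatency", 0) > max_latency_us
    )


# Constructed sample walk output, not captured from a real appliance.
SAMPLE_WALK = [
    ".1.3.6.1.4.1.7779.3.1.1.2.1.3.1.1.0 = INTEGER: 1",          # ibNetworkMonitorDNSActive (skipped)
    ".1.3.6.1.4.1.7779.3.1.1.2.1.3.1.2.1.1.0 = INTEGER: 820",    # NonAA T1 AvgLatency
    ".1.3.6.1.4.1.7779.3.1.1.2.1.3.1.2.1.2.0 = INTEGER: 1540",   # NonAA T1 Count
    ".1.3.6.1.4.1.7779.3.1.1.2.1.3.1.2.2.1.0 = INTEGER: 93000",  # NonAA T5 AvgLatency
    ".1.3.6.1.4.1.7779.3.1.1.2.1.3.1.2.2.2.0 = INTEGER: 7900",   # NonAA T5 Count
    ".1.3.6.1.4.1.7779.3.1.1.2.1.3.1.3.1.1.0 = INTEGER: 310",    # AA T1 AvgLatency
    ".1.3.6.1.4.1.7779.3.1.1.2.1.3.1.3.1.2.0 = INTEGER: 4200",   # AA T1 Count
    "iso.3.6.1.4.1.7779.3.1.1.2.1.3.1.3.4.1.0 = INTEGER: 120000",  # AA T60 AvgLatency
    "iso.3.6.1.4.1.7779.3.1.1.2.1.3.1.3.4.2.0 = INTEGER: 12",      # AA T60 Count (tiny sample)
]

if __name__ == "__main__":
    print(slow_intervals(parse_walk(SAMPLE_WALK)))
```

In the constructed sample the five-minute nonauthoritative figure is flagged (7,900 queries averaging 93 ms), while the authoritative 60-minute figure is not, despite a higher average, because it rests on 12 queries.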
ibDHCPOne MIB
The ibDHCPOne MIB provides information about address usage within a subnet, DHCP lease statistics, and DHCP packet counts. Figure 6.6 illustrates the structure of the ibDHCPOne MIB. (Note that the OIDs shown in the illustration do not include the prefix .1.3.6.1.4.1.7779.) It has three subtrees: ibDHCPSubnetTable, ibDHCPLeaseTable, and ibDHCP Statistics.
Figure 6.6 DHCPone MIB
(3.1.1.4) ibDHCPOne MIB
  (3.1.1.4.1) ibDHCPModule
    (3.1.1.4.1.1) ibDHCPSubnetTable
      (3.1.1.4.1.1.1) ibDHCPSubnetEntry
        (3.1.1.4.1.1.1.1) ibDHCPSubnetNetworkAddress
        (3.1.1.4.1.1.1.2) ibDHCPSubnetNetworkMask
        (3.1.1.4.1.1.1.3) ibDHCPSubnetPercentUsed
    (3.1.1.4.1.2) ibDHCPLeaseTable
      (3.1.1.4.1.2.1) ibDHCPLeaseEntry
        (3.1.1.4.1.2.1.1) ibDHCPLeaseAddress
        (3.1.1.4.1.2.1.2) ibDHCPLeaseMACAddress
        (3.1.1.4.1.2.1.3) ibDHCPLeaseStart
        (3.1.1.4.1.2.1.4) ibDHCPLeaseEnd
        (3.1.1.4.1.2.1.5) ibDHCPLeaseBindState
        (3.1.1.4.1.2.1.6) ibDHCPLeaseNextBindState
        (3.1.1.4.1.2.1.7) ibDHCPLeaseClientHostName
        (3.1.1.4.1.2.1.8) ibDHCPLeaseUID
    (3.1.1.4.1.3) ibDHCPStatistics
      (3.1.1.4.1.3.1) ibDhcpTotalNoOfDiscovers
      (3.1.1.4.1.3.2) ibDhcpTotalNoOfRequests
      (3.1.1.4.1.3.3) ibDhcpTotalNoOfReleases
      (3.1.1.4.1.3.4) ibDhcpTotalNoOfOffers
      (3.1.1.4.1.3.5) ibDhcpTotalNoOfAcks
      (3.1.1.4.1.3.6) ibDhcpTotalNoOfNacks
      (3.1.1.4.1.3.7) ibDhcpTotalNoOfDeclines
      (3.1.1.4.1.3.8) ibDhcpTotalNoOfInforms
      (3.1.1.4.1.3.9) ibDhcpTotalNoOfOthers
The ibDHCPSubnetTable provides statistical data about the DHCP operations of the appliance. It contains the following objects:
Table 6.9 ibDHCPSubnetTable
Object | Description
ibDHCPSubnetEntry | File that contains the objects for monitoring DHCP operations on the appliance.
ibDHCPSubnetNetworkAddress | The subnetworks, in IP address format, that have IP addresses for lease. A subnetwork may have many address ranges for lease.
ibDHCPSubnetNetworkMask | The subnet mask in dotted decimal format.
ibDHCPSubnetPercentUsed | The percentage of dynamic DHCP addresses leased out at this time for each subnet. Fixed addresses are always counted as leased for this calculation, if the fixed addresses are within a leased address range.
Following is an example of the table as viewed through a MIB browser:
Figure 6.7 MIB Browser View 1
The ibDHCPLeaseTable provides statistics about the DHCP leases. It contains the following objects:
Table 6.10 ibDHCPLeaseTable
Object | Description
ibDHCPLeaseEntry | File that contains the objects that provide information about DHCP leases.
ibDHCPLeaseAddress | The IP address issued by DHCP.
ibDHCPLeaseMACAddress | The MAC address of the DHCP client.
ibDHCPLeaseStart | The start time of the DHCP lease.
ibDHCPLeaseEnd | The end time of the DHCP lease.
ibDHCPLeaseBindState | The IP address binding state of the DHCP lease. The binding state is used by the DHCP failover protocol and indicates, among other things, whether an IP address is in use, has been released, or is available for allocation.
ibDHCPLeaseNextBindState | Next binding state of the DHCP lease.
ibDHCPLeaseClientHostName | Client-provided host name during DHCP registration.
ibDHCPLeaseUID | Client-provided UID during DHCP registration. (The UID is a number that uniquely identifies the client machine.)
ibDHCP Statistics maintains counters for different types of packets. The counters always start with zero when you enable DHCP. Therefore the numbers reflect the total number of packets received since DHCP was enabled on the NIOS appliance. The ibDHCPStatistics module contains the following objects:
Table 6.11 ibDHCPStatistics
Object | Description
ibDhcpTotalNoOfDiscovers | The number of DHCPDISCOVER messages that the appliance received. Clients broadcast DHCPDISCOVER messages when they need an IP address and network configuration information.
ibDhcpTotalNoOfRequests | The number of DHCPREQUEST messages that the appliance received. A client sends a DHCPREQUEST message requesting configuration information, after it receives the DHCPOFFER message.
ibDhcpTotalNoOfReleases | The number of DHCPRELEASE messages that the appliance received from its clients. A client sends a DHCPRELEASE when it terminates its lease on an IP address.
ibDhcpTotalNoOfOffers | The number of DHCPOFFER messages that the appliance has sent to clients. The appliance sends a DHCPOFFER message to a client. It contains an IP address and configuration information.
ibDhcpTotalNoOfAcks | The number of DHCPACK messages that the appliance sent to clients. It sends a DHCPACK message to a client to confirm that the IP address offered is still available.
ibDhcpTotalNoOfNacks | The number of DHCPNACK messages that the appliance sent to clients. It sends a DHCPNACK message to withdraw its offer of an IP address.
ibDhcpTotalNoOfDeclines | The number of DHCPDECLINE messages that the appliance received. A client sends a DHCPDECLINE message if it determines that an offered IP address is already in use.
ibDhcpTotalNoOfInforms | The number of DHCPINFORM messages that the appliance received. A client sends a DHCPINFORM message when it has an IP address but needs information about the network.
ibDhcpTotalNoOfOthers | The total number of DHCP messages other than those used in negotiation, such as DHCPFORCERENEW, DHCPKNOWN, and DHCPLEASEQUERY.
ibDNSOne MIB
The ibDNSOne MIB provides statistical information about the DNS processes and about the views and zones in the database. Figure 6.8 illustrates the structure of the ibDNSOne MIB. (Note that the OIDs shown in the illustration do not include the prefix 1.3.6.1.4.1.7779.) The ibDNSOne MIB contains two subtrees, ibZoneStatisticsTable and the ibZonePlusViewStatisticsTable.
Figure 6.8 ibDNSOne MIB
(3.1.1.3) ibDNSOne MIB
  (3.1.1.3.1) ibDnsModule
    (3.1.1.3.1.1) ibZoneStatisticsTable
      (3.1.1.3.1.1.1) ibZoneStatisticsEntry
        (3.1.1.3.1.1.1.1) ibBindZoneName
        (3.1.1.3.1.1.1.2) ibBindZoneSuccess
        (3.1.1.3.1.1.1.3) ibBindZoneReferral
        (3.1.1.3.1.1.1.4) ibBindZoneNxRRset
        (3.1.1.3.1.1.1.5) ibBindZoneNxDomain
        (3.1.1.3.1.1.1.6) ibBindZoneRecursion
        (3.1.1.3.1.1.1.7) ibBindZoneFailure
    (3.1.1.3.1.2) ibZonePlusViewStatisticsTable
      (3.1.1.3.1.2.1) ibZonePlusViewStatisticsEntry
        (3.1.1.3.1.2.1.1) ibZonePlusViewName
        (3.1.1.3.1.2.1.2) ibZonePlusViewSuccess
        (3.1.1.3.1.2.1.3) ibZonePlusViewReferral
        (3.1.1.3.1.2.1.4) ibZonePlusViewNxRRset
        (3.1.1.3.1.2.1.5) ibZonePlusViewNxDomain
        (3.1.1.3.1.2.1.6) ibZonePlusViewRecursion
        (3.1.1.4.1.2.1.7) ibZonePlusViewFailure
        (3.1.1.4.1.2.1.8) ibBindViewName
The ibZoneStatisticsTable provides statistical data about the DNS operations on the appliance. The following lists the OIDs and the objects in the table:
Table 6.12 ibZoneStatisticsTable
Object | Description
ibBindZoneName | DNS zone name.
ibBindZoneSuccess | The number of successful responses since the DNS process started.
ibBindZoneReferral | The number of DNS referrals since the DNS process started.
ibBindZoneNxRRset | The number of DNS queries received for non-existent records.
ibBindZoneNxDomain | The number of DNS queries received for non-existent domains.
ibBindZoneRecursion | The number of queries received using recursion since the DNS process started.
ibBindZoneFailure | The number of failed queries since the DNS process started.
The ibZonePlusViewStatisticsTable provides statistical data about Infoblox views and their zones. The following table lists the objects and their OIDs:
Table 6.13 ibZonePlusViewStatisticsTable
Object | Description
ibZonePlusViewName | The zone name. The first one in the default view is the global summary statistics. The index name for the global statistics is "summary".
ibZonePlusViewSuccess | Number of successful responses since the DNS process started.
ibZonePlusViewReferral | Number of DNS referrals.
ibZonePlusViewNxRRset | Number of DNS queries received for non-existent records.
ibZonePlusViewNxDomain | Number of DNS queries received for non-existent domains.
ibZonePlusViewRecursion | Number of DNS recursive queries received.
ibZonePlusViewFailure | Number of failed queries.
ibBindViewName | View name. This is blank for the default view.
Following is an example of the table as viewed through a MIB browser:
Figure 6.9 MIB Browser View 2
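The ibDHCPStatistics counters (Table 6.11) and the per-zone ibZonePlusView counters (Table 6.13) are running totals since the service started, so they are most useful as rates between two polls. As an added example that is not from the guide and not Infoblox code, the Python below takes two polls of each counter set, computes the increase while treating a decrease as the restart-from-zero the guide describes for the DHCP counters, and applies simple ratio checks over the interval: DHCPDISCOVERs that go largely unanswered by DHCPOFFERs, a high DHCPNACK share of answers, and a high NXDOMAIN share of answers for one zone row (or the "summary" row). The thresholds, function names and the two sample polls are my assumptions and constructions; the counter names are the tables'.

```python
"""Rate-of-change checks on ibDHCPStatistics and ibZonePlusView counters (added example, not Infoblox code)."""

# Counters from Table 6.13 that together make up answered queries for a zone row.
DNS_COUNTERS = ("ibZonePlusViewSuccess", "ibZonePlusViewReferral", "ibZonePlusViewNxRRset",
                "ibZonePlusViewNxDomain", "ibZonePlusViewFailure")


def deltas(previous: dict, current: dict) -> dict:
    """Increase of each counter between two polls.

    The guide states the DHCP counters start from zero when DHCP is enabled, so a
    value lower than the previous poll is treated as a restart and the current
    value itself is the increase since that reset.
    """
    out = {}
    for name, now in current.items():
        before = previous.get(name, 0)
        out[name] = now if now < before else now - before
    return out


def dhcp_findings(d: dict, min_discovers=50, max_unanswered=0.5, max_nak_share=0.2) -> list:
    """Flag a DHCPDISCOVER surge not matched by offers, and NAK-heavy answering."""
    disc = d.get("ibDhcpTotalNoOfDiscovers", 0)
    offers = d.get("ibDhcpTotalNoOfOffers", 0)
    acks = d.get("ibDhcpTotalNoOfAcks", 0)
    naks = d.get("ibDhcpTotalNoOfNacks", 0)
    findings = []
    if disc >= min_discovers and (disc - offers) / disc > max_unanswered:
        findings.append("dhcp: DHCPDISCOVERs far exceed DHCPOFFERs (pool exhaustion or client flood)")
    if acks + naks and naks / (acks + naks) > max_nak_share:
        findings.append("dhcp: high DHCPNACK share of answers")
    return findings


def dns_findings(d: dict, min_queries=100, max_nxdomain_share=0.3) -> list:
    """Flag a zone row (or the summary row) whose answers are mostly NXDOMAIN."""
    total = sum(d.get(k, 0) for k in DNS_COUNTERS)
    nx = d.get("ibZonePlusViewNxDomain", 0)
    if total >= min_queries and nx / total > max_nxdomain_share:
        return [f"dns: NXDOMAIN is {nx / total:.0%} of answers (random-subdomain or DGA lookups?)"]
    return []


def check_polls(prev_dhcp, cur_dhcp, prev_dns, cur_dns) -> list:
    """All findings for one polling interval."""
    return dhcp_findings(deltas(prev_dhcp, cur_dhcp)) + dns_findings(deltas(prev_dns, cur_dns))


# Constructed sample polls (not captured from a real appliance).
PREV_DHCP = {"ibDhcpTotalNoOfDiscovers": 1000, "ibDhcpTotalNoOfOffers": 990,
             "ibDhcpTotalNoOfAcks": 980, "ibDhcpTotalNoOfNacks": 5}
CUR_DHCP = {"ibDhcpTotalNoOfDiscovers": 1600, "ibDhcpTotalNoOfOffers": 1100,
            "ibDhcpTotalNoOfAcks": 1085, "ibDhcpTotalNoOfNacks": 30}
PREV_DNS = {"ibZonePlusViewSuccess": 50000, "ibZonePlusViewReferral": 100, "ibZonePlusViewNxRRset": 200,
            "ibZonePlusViewNxDomain": 3000, "ibZonePlusViewFailure": 10}
CUR_DNS = {"ibZonePlusViewSuccess": 50500, "ibZonePlusViewReferral": 105, "ibZonePlusViewNxRRset": 210,
           "ibZonePlusViewNxDomain": 3900, "ibZonePlusViewFailure": 12}

if __name__ == "__main__":
    for finding in check_polls(PREV_DHCP, CUR_DHCP, PREV_DNS, CUR_DNS):
        print(finding)
```

Because the checks run on deltas, a zone that has accumulated a large NXDOMAIN total over months does not alert; only an interval in which NXDOMAIN dominates does, which is the shape of a random-subdomain flood or malware beaconing against non-existent names.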
ibIPWC MIB
The ibIPWC MIB defines the objects in the WinConnect MIB module as well as the types of traps that an IPAM WinConnect server sends. If you use the Infoblox IPAM WinConnect service, you must download the ibIPWC MIB. (For information about IPAM WinConnect, see Chapter 22, IPAM WinConnect, on page 643.) Figure 6.10 illustrates the structure of the IPWC MIB. The OIDs in the illustration do not include the prefix 1.3.6.4.1.25558, where 25558 is the IANA-assigned enterprise number for Ipanto. (Note that Ipanto is the former name of WinConnect.)
The ibIPWC MIB branches out into two subtrees:
- ssp: The ssp tree contains objects that provide information about the WinConnect server and its client. ssp branches out into two subtrees, sipd and aipd. See Tables 6.14 to 6.19 for information about the objects and their definitions in the sipd and aipd trees.
- traps: The traps tree provides information about the SNMP traps that the IPAM WinConnect server sends. See Table 6.20 for a list of traps that the WinConnect server generates.
Figure 6.10 ibIPWC MIB structure
ibIPWC MIB
ipanto
  (1) ssp
    (1.1) sipd
      (1.1.1) process
        (1.1.1.1) port
        (1.1.1.2) sslPort
        (1.1.1.3) uid
        (1.1.1.4) suid
      (1.1.2) license
        (1.1.2.1) date
        (1.1.2.2) hostcount
      (1.1.3) client
        (1.1.3.1) ipSrc
        (1.1.3.2) user
        (1.1.3.3) agent
      (1.1.4) db
      (1.1.5) error
      (1.1.6) job
      (1.1.7) backup
    (1.2) aipd
      (1.2.1) type
      (1.2.2) name
  (2) traps
The sipd tree contains objects that provide information about the WinConnect server and its client. Table 6.14 lists the objects and their descriptions in the sipd tree.
Table 6.14 sipd
Object | Description
process | Contains objects that provide information about the WinConnect server process. This subtree contains four objects:
  - port: The server port of the WinConnect server.
  - sslPort: The SSL port of the WinConnect server.
  - uid: The WinConnect server process ID.
  - suid: The unique ID of the WinConnect server.
license | Contains objects that provide licensing information about the WinConnect server. This subtree contains two objects:
  - date: DEPRECATED.
  - hostCount: The number of licensed hosts.
client | Contains objects that provide information about the WinConnect client. See Table 6.16 for details.
db | Contains objects that provide information about the WinConnect database. See Table 6.18 for details.
error | Contains objects that provide information about the error messages that the WinConnect server generates. This subtree contains two objects:
  - description: The error description.
  - code: The error code.
job | Contains one object:
  - name: The scheduled job name.
backup | Contains one object:
  - date: The date of the last WinConnect server backup.
The aipd tree contains objects that provide information about the WinConnect connector. Table 6.15 lists the objects and their descriptions in the aipd tree.
Table 6.15 aipd
Object | Description
type | The WinConnect connector type.
name | The WinConnect connector name.
The client tree under sipd contains objects that provide information about the WinConnect client. Table 6.16 lists the objects and their descriptions in the client tree.
Table 6.16 client
Object | Description
ipSrc | The IP address of the client server.
user | Contains two objects:
  - name: The WinConnect user name.
  - sessionType: The user session type.
agent | Contains objects that provide information about the WinConnect connector. See Table 6.17 for details.
The agent tree under client contains objects that provide information about the WinConnect connector. Table 6.17 lists the objects and their descriptions in the agent tree.
Table 6.17 agent
Object | Description
type | The WinConnect connector type.
name | The WinConnect connector name.
service | Contains three objects:
  - type: The managed service type.
  - name: The managed service name.
  - access: The managed service access.
The db tree under sipd contains objects that provide information about the WinConnect database. Table 6.18 lists the objects and their descriptions in the db tree.
Table 6.18 db
Object | Description
organization | The organization that owns the object in the WinConnect database.
dhcp | Contains objects that provide information about the IP addresses in the database. See Table 6.19 for details.
dns | Contains one object:
  - zone: The DNS zone. Contains one object:
    - name: The zone name in the WinConnect database.
subnet | Contains three objects:
  - address: The subnet address.
  - mask: The subnet mask.
  - rate: The occupation rate of the subnet.
clockskew | DEPRECATED.
f
The dhcp tree under db contains objects that provide information about the IP addresses in the WinConnect
database. Table 6.19 lists the objects and their descriptions in the dhcp tree.
Table 6.19 dhcp
The WinConnect server generates traps to notify the SNMP monitoring device of events. Table 6.20 lists the types of
traps that the WinConnect server sends.
Table 6.20 traps
Object Description
host Contains two objects:
activeCount: The number of active hosts in the WinConnect database.
totalCount: The total number of hosts in the WinConnect database.
pool Contains three objects:
start: The start IP address of the address pool.
end: The end IP address of the address pool.
rate: The occupation rate of the address pool.
Object Description
start WinConnect is ready to reply to client requests.
stop WinConnect cannot accept client requests or connections.
licenseInvalid DEPRECATED.
licenseDateExpired DEPRECATED.
licenseDateWarning DEPRECATED.
licenseHostExceeded The maximum number of host licenses has been reached.
licenseHostWarning 90% of the host licenses have been assigned.
clockSkewWarning DEPRECATED.
clockSkewExceeded WinConnect detected a clock skew error.
clockSkewError DEPRECATED.
dbIntegrityError WinConnect detected that the database is corrupted, or WinConnect cannot
determine the integrity of the database.
userlogin A user started a session.
userlogout A user ended a session.
userAuthFailed WinConnect failed to authenticate the user.
agentLogin The WinConnect connector connected to WinConnect.
agentAuthFailed The WinConnect connector failed to connect to WinConnect.
userAuthFailureExceeded The maximum number of user authentication has been reached.
synchroStartMaster DEPRECATED.
synchroStartSlave DEPRECATED.
Monitoring with SNMP
216 Infoblox Administrator Guide NIOS 4.3r1
sychroSuccess DEPRECATED.
synchroFailed DEPRECATED.
serviceStarted The WinConnect connector informed WinConnect that the current service
status is running.
serviceStopped The WinConnect connector informed WinConnect that the current service
status is stopped.
controlStart A user requested to start a specific service.
controlStop A user requested to stop a specific service.
controlRestart A user requested to restart a specific service.
controlReload A user requested to reload a DNS zone.
unreachable WinConnect could not contact the WinConnect connector.
poolCapacityWarning Over 90% of the IP addresses in the address pool have been assigned.
poolCapacityFull 100% of the IP addresses in the address pool have been assigned.
subnetCapacityWarning Over 90% of the subnet has been assigned.
subnetCapacityFull 100% of the subnet has been assigned.
jobErrorGeneration The command for a scheduled job failed and generated an error. Check the logs
on the WinConnect server for the error.
jobWarningGeneration A scheduled job completed with warning. Check the logs on the WinConnect
server for the warning.
jobErrorExecution A scheduled job execution failed.
discoverWarning The command for network discovery completed with a warning. Check the logs
on the WinConnect server for the warning.
restoreError The restore process completed with errors. Check the logs on the WinConnect
server for the errors.
restoreSuccess The restore process completed successfully.
backupError The backup process completed with errors. Check the logs on the WinConnect
server for the errors.
backupSuccess The backup process completed successfully.
cwServerSynchro The synchronization process with the CiscoWorks server is starting.
applySubnetTemplateSuccess WinConnect successfully applied the subnet template.
applySubnetTemplateFailure WinConnect failed to apply the subnet template.
Object Description
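Table 6.20 tells a trap receiver what each notification means; what the operator of that receiver then needs is the triage logic on the receiving side. The following Python is an added example and not Infoblox code. It reads constructed trap-receiver log lines (the line format "timestamp source trap key=value" and the sample lines are assumptions of this example), ignores the traps the table marks DEPRECATED, assigns each remaining trap a severity (the assignment is this example's choice, not the guide's), and adds one correlation the appliance does not do for you: it flags a burst of userAuthFailed traps from one sender before the appliance's own userAuthFailureExceeded threshold is reached.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Trap names from Table 6.20. The severity assignment is this example's choice.
SEVERITY = {}
for _name in ("userAuthFailed", "agentAuthFailed", "userAuthFailureExceeded",
              "dbIntegrityError", "stop", "unreachable", "serviceStopped",
              "clockSkewExceeded", "licenseHostExceeded", "poolCapacityFull",
              "subnetCapacityFull", "restoreError", "backupError",
              "jobErrorExecution", "jobErrorGeneration", "applySubnetTemplateFailure"):
    SEVERITY[_name] = "critical"
for _name in ("licenseHostWarning", "poolCapacityWarning", "subnetCapacityWarning",
              "jobWarningGeneration", "discoverWarning"):
    SEVERITY[_name] = "warning"
for _name in ("start", "userlogin", "userlogout", "agentLogin", "serviceStarted",
              "controlStart", "controlStop", "controlRestart", "controlReload",
              "restoreSuccess", "backupSuccess", "cwServerSynchro",
              "applySubnetTemplateSuccess"):
    SEVERITY[_name] = "info"

# Traps that Table 6.20 marks DEPRECATED; a receiver should drop them explicitly
# rather than alert on an unknown name.
DEPRECATED = {"licenseInvalid", "licenseDateExpired", "licenseDateWarning",
              "clockSkewWarning", "clockSkewError", "synchroStartMaster",
              "synchroStartSlave", "sychroSuccess", "synchroFailed"}

# Assumed receiver log format: "<ISO timestamp> <sender IP> <trap name> [key=value ...]"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\w+)\s*(.*)$")


def parse_line(line):
    """Return (timestamp, sender, trap, details) or None for a line that does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    details = dict(kv.split("=", 1) for kv in m.group(4).split() if "=" in kv)
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), details


def triage(lines, burst_count=3, window=timedelta(minutes=5)):
    """Turn trap log lines into alert records; add an authFailureBurst alert when
    burst_count userAuthFailed traps from one sender fall inside the sliding window."""
    alerts = []
    recent_failures = defaultdict(deque)   # sender -> timestamps of userAuthFailed
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender, trap, details = parsed
        if trap in DEPRECATED:
            continue
        alerts.append({"time": ts, "sender": sender, "trap": trap,
                       "severity": SEVERITY.get(trap, "unknown"), "details": details})
        if trap == "userAuthFailed":
            q = recent_failures[sender]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) == burst_count:      # fire once, when the threshold is first reached
                alerts.append({"time": ts, "sender": sender, "trap": "authFailureBurst",
                               "severity": "critical",
                               "details": {"count": str(len(q)), "window": str(window)}})
    return alerts


def summarize(alerts):
    """Count alerts per severity."""
    counts = {}
    for a in alerts:
        counts[a["severity"]] = counts.get(a["severity"], 0) + 1
    return counts


# Constructed sample: one appliance (10.0.0.5, an assumed address) sends a start trap,
# four failed logins inside a minute, one deprecated trap, a capacity warning and a login.
SAMPLE_LINES = """\
2008-07-27T03:14:55 10.0.0.5 start
2008-07-27T03:15:02 10.0.0.5 userAuthFailed user=jsmith
2008-07-27T03:15:09 10.0.0.5 userAuthFailed user=jsmith
2008-07-27T03:15:20 10.0.0.5 userAuthFailed user=jsmith
2008-07-27T03:15:31 10.0.0.5 userAuthFailed user=jsmith
2008-07-27T03:16:00 10.0.0.5 licenseDateWarning
2008-07-27T03:16:10 10.0.0.5 poolCapacityWarning pool=10.1.0.0
2008-07-27T03:17:00 10.0.0.5 userlogin user=admin
"""

if __name__ == "__main__":
    for a in triage(SAMPLE_LINES.splitlines()):
        print(a["time"].isoformat(), a["severity"].upper(), a["sender"], a["trap"], a["details"])
    print(summarize(triage(SAMPLE_LINES.splitlines())))
```

The burst threshold fires exactly once per window, when the count first reaches burst_count, so a long run of failures produces one correlated alert plus the individual trap records rather than a flood.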
Configuring SNMP
Perform the following tasks to configure SNMP on the NIOS appliance:
• Enable the NIOS appliance to accept queries and define the community string that management systems must
  specify when they send queries to the appliance.
• Specify the management systems to which the appliance sends traps.
For a grid, you can perform these tasks at the grid level and at the member level. You can define SNMP settings for an
entire grid, and when necessary, define different SNMP settings for a member. SNMP settings for a member override
SNMP settings for a grid.
You can also set up SNMP on an independent appliance or HA pair.
Accepting SNMP Queries
You can allow specific management systems to send queries to a NIOS appliance. When you do, you must specify a
community string. The appliance accepts queries only from management systems that provide the correct community
string.
To configure a grid or an independent NIOS appliance or HA pair to accept SNMP queries:
1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties.
or
From the Device perspective, click Device -> host_name -> Edit -> Device Properties.
2. In the Grid or Device editor, click Monitoring, and then enter the following:
Enable queries: Select this check box for grid members or an independent appliance or HA pair to accept
queries from SNMP management systems.
Community String: Enter a text string that the management system must send together with its queries
to the grid or the independent appliance or HA pair. A community string is similar to a password in that
the appliance accepts queries only from management systems that send the correct community string.
Note that this community string must match exactly what you enter in the management system.
3. Click the Save icon to save your settings.
Setting System Information
You can enter values for the following managed objects in MIB-II, the standard MIB defined in RFC 1213:
• sysContact
• sysLocation
• sysName
• sysDescr
After you enter these values on the appliance, administrators can send queries for these values from management
systems that are allowed to send queries to the appliance.
To enter system information:
1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties.
or
From the Device perspective, click Device -> host_name -> Edit -> Device Properties.
2. In the Grid or Device editor, click Monitoring, and then enter the following:
Set objects: Select check box.
sysContact: Enter the name of the contact person for the appliance.
sysLocation: Enter the physical location of the appliance.
sysName: Enter the fully qualified domain name of the appliance.
sysDescr: Enter useful information about the appliance, such as the software version it is running.
3. Click the Save icon to save your settings.
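The two procedures above (accepting queries with a community string, and populating sysContact, sysLocation, sysName and sysDescr) describe the configuration but not what a query for those objects looks like on the wire. The following Python is an added example and not Infoblox code: it builds an SNMPv2c GetRequest for the four MIB-II system objects using only the standard library, and then reads the community string back out of the finished packet, which shows why the guide treats the community string as a password and limits which management systems may send queries: in SNMPv1/v2c it travels in cleartext, so anyone who can see the packet can read it. The OIDs are the RFC 1213 system-group objects; sending the packet (UDP port 161) is left to the caller.

```python
# MIB-II system group (RFC 1213), instance .0 of each scalar
SYSTEM_OIDS = {
    "sysDescr": "1.3.6.1.2.1.1.1.0",
    "sysContact": "1.3.6.1.2.1.1.4.0",
    "sysName": "1.3.6.1.2.1.1.5.0",
    "sysLocation": "1.3.6.1.2.1.1.6.0",
}


def ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def encode_int(v):
    """ASN.1 INTEGER in minimal two's-complement form."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def encode_oid(oid):
    """ASN.1 OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def snmp_get_request(community, oids, request_id=1):
    """SNMPv2c message: SEQUENCE { version 1, community, GetRequest-PDU }."""
    varbinds = b"".join(tlv(0x30, encode_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbinds))                  # request-id, error-status, error-index
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Decode one BER element; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def community_from_packet(packet):
    """Recover the community string from a captured v1/v2c message: it is not protected."""
    tag, body, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = read_tlv(body)
    tag, community, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community string not found")
    return community.decode()


if __name__ == "__main__":
    pkt = snmp_get_request("public", SYSTEM_OIDS.values())
    print(pkt.hex())
    print("community readable from the packet:", community_from_packet(pkt))
```

The single-OID packet for sysDescr.0 with community "public" is 40 bytes and begins 30 26 02 01 01 04 06 70 75 62 6c 69 63, i.e. the version followed immediately by the community string as a plain OCTET STRING.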
Adding SNMP Trap Receivers
You can enable a NIOS appliance to send traps to specific management systems or trap receivers. It sends traps
whenever certain events occur, as described in ibTrap MIB on page 180.
To configure an SNMP trap receiver for a grid or an independent appliance or HA pair:
1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties.
or
From the Device perspective, click Device -> host_name -> Edit -> Device Properties.
2. In the Grid or Device editor, click Monitoring, and then enter the following:
Enable traps: Select the check box to enable grid members or an independent appliance or HA pair to send
traps to specified SNMP management systems.
Community String: Enter a text string that the NIOS appliance sends to the management system
together with its traps. Note that this community string must match exactly what you enter in the
management system.
Trap Receiver Group: Type an address of an SNMP management system to which you want the SNMP
agent on grid members and independent appliances to send traps in the IP Address field, and then
click Add. (You can enter more than one trap receiver.)
To remove an IP address from the list, select the address, and then click Delete.
3. Click the Save icon to save your settings.
Configuring SNMP for a Grid Member
You can override grid-level SNMP settings for individual members. To modify the SNMP settings for a grid member:
1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties.
2. In the Grid Member editor, click Monitoring, and then enter the following:
Override grid SNMP settings: Select the check box to override grid-level SNMP settings and apply
member-level settings.
Enable queries: Select the check box for the member to accept queries from SNMP management
systems. Clear the check box to disable the member from accepting SNMP queries.
Community String: Type a community string (which is very much like a password) that SNMP
management systems must send when querying the member.
Enable traps: Select the check box to enable the grid member to send traps to specified SNMP
management systems. Clear the check box to disable the member from sending SNMP traps.
Community String: Type a community string (which is very much like a password) that the grid
member must include when sending traps to the specified SNMP management systems.
Trap Receiver Group: Type the IP address of an SNMP management system to which you want the
grid member to send traps in the IP Address field, and then click Add. To remove an IP address from
the list, select the address, and then click Delete.
Set objects: Select this check box.
sysContact: Enter the name of the contact person for the appliance.
sysLocation: Enter the physical location of the appliance.
sysName: Enter the fully qualified domain name of the appliance.
sysDescr: Enter useful information about the appliance, such as the software version it is running.
3. Click the Save icon to save your settings.
Chapter 7 Changing Software and Merging Files
You can perform software upgrades and downgrades for your NIOS appliance. You can also merge data files from
previous versions of the DNSone module to a NIOS appliance running DNSone 3.2 or later. This chapter explains how
to perform these procedures:
• Upgrading NIOS Software on page 220
• Downgrading Software on page 220
• Reverting to the Previously Running Software Version on page 221
• Backing Up and Restoring a Configuration File on page 222
  • Back Up and Restore Overview on page 222
  • Automatically Backing Up a Data File on page 223
  • Downloading a Backup File on page 224
  • Restoring a Configuration File on page 225
  • Loading a Configuration File on a Different Appliance on page 226
• Downloading a Support Bundle on page 227
Upgrading NIOS Software
Infoblox frequently releases updated NIOS software. Contact Infoblox Support to learn what file name to use when
downloading the new upgrade file, or watch your e-mail for periodic notifications that a new software upgrade is
available. To get the latest upgrades, your local network must be capable of downloading a file from the Internet.
To upgrade an independent appliance or HA pair, see Upgrading Software on an Independent Appliance or HA Pair
on page 265. To upgrade a grid, see Upgrading NIOS Software on a Grid on page 313.
Downgrading Software
Infoblox-500, -1000, and -1200 appliances support software downgrades from DNSone 3.2r1 or later to any previous
DNSone release beginning with 3.1r1. Infoblox-550, -1050, -1550, and -1552 appliances support software
downgrades from DNSone 3.2r9-2 or later to any previous DNSone release beginning with 3.2r9-1. The downgrade
procedure is for single independent appliances only. Infoblox does not support software downgrades for grid
members, but you can revert to the last grid upgrade file (see the next section) on a grid master.
Caution: Although the downgrade process preserves license information and basic network settings, it does not
preserve data. After you complete the downgrade procedure, all data in the database is lost.
To downgrade software on a single independent appliance running NIOS 4.0 or later:
1. For an appliance running DNSone with Keystone: From the Grid perspective, click Grid -> Downgrade.
or
For an appliance running DNSone: From the Device perspective, click Device -> Downgrade.
2. Read the warning carefully, and then click OK to confirm your decision to downgrade.
3. Navigate to the downgrade image file, and then click OK.
4. Clear the Java cache on your system.
5. Close the browser, open another browser instance, and then log back in.
Reverting to the Previously Running Software Version
You can revert to the previous version of software that was running on your NIOS appliance. The NIOS appliance
stores the previous version in its backup software partition. You can see if there is a software version to which you
can revert and what that version is in the Alternate Revision column in the Upgrade Status viewer. From the Grid or
Device perspective, click View -> Upgrade Status.
Be aware that when you revert to this software, any configurations made to the currently running software are lost.
So that you can later determine what configuration changes are missing, you can back up the current data before you
revert.
To revert to a version of software running previously on a grid or on an independent appliance or HA pair:
1. From the Grid or Device perspective, click Grid or Device -> Revert.
2. Read the warning carefully, and then click OK to confirm your decision to revert.
3. Close the Java application and restart it.
Clearing the Java cache is unnecessary because JWS automatically updates its cache with the application for the
currently running version of software.
4. Log back in to the grid master, independent appliance, or independent HA pair.
Backing Up and Restoring a Configuration File
You can back up your system files locally on the appliance, or to a TFTP (Trivial File Transfer Protocol) or FTP (File
Transfer Protocol) server. The backup file is a .tar.gz file that contains the configuration settings, data set, and TFTP
files. For information about the TFTP feature, see Chapter 20, File Distribution Services, on page 605. You can also
save an existing backup file, or create and save a new one to your local management system, TFTP server, or FTP
server.
These sections describe how to use the backup and restore functions:
• Back Up and Restore Overview on page 222
• Automatically Backing Up a Data File on page 223
• Downloading a Backup File on page 224
• Restoring a Configuration File on page 225
• Loading a Configuration File on a Different Appliance on page 226
Note: Infoblox highly recommends you always back up the current configuration file before upgrading, restoring, or
reverting the software on the appliance.
Back Up and Restore Overview
The NIOS appliance allows you to back up and restore the system files. You can configure the appliance to
automatically back up the files on a weekly, daily, or hourly basis. You can also restore an existing configuration file
on the appliance from which it originated, or restore a configuration file from a different appliance (referred to as a
forced restore).
Infoblox recommends that you back up the system files during off-hours to minimize any effect on network services.
By default, the automatic backup function is turned off. You must log in with a superuser account to back up and
restore files.
There are three primary ways to back up and restore a configuration file:
• Back up to and restore from a local directory or the management system used to operate the appliance.
• Back up to and restore from a TFTP server.
• Back up to and restore from a remote server using FTP. This option requires that you have a valid user name and
  password for the FTP server prior to attempting to back up or restore.
When you back up the system files locally, the appliance uses the following format to name the file:
year_month_day_time. For example, 2008_11_30_23_00 translates to November 30th, 2008 at 11:00 PM.
The appliance saves up to 20 configuration files, regardless of how often files are saved (weekly, daily, or hourly).
The size of the configuration file must also be taken into account, because the storage limit on an appliance is 5 GB
(gigabytes). If your configuration file is 500 MB (megabytes), then the appliance stores 10 configuration files. When
uploading configuration files to a TFTP or FTP server, you must consider the file size on that server as well.
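The naming scheme and the two retention limits above (20 files, 5 GB of storage) are easy to get wrong on the receiving server, and a backup that exists but does not unpack is no backup at all. The following Python is an added example and not Infoblox code: it parses the file names the guide describes (year_month_day_time locally, grid_yyyy_mm_dd_hh_mm.tar.gz or hostname_yyyy_mm_dd_hh_mm.tar.gz on a TFTP/FTP server), plans which files to keep under both limits, and checks that an archive is a readable gzip tar. The retention policy applied to the server, the sample file list and the constructed archive are this example's assumptions.

```python
import gzip
import io
import os
import re
import tarfile
import tempfile
from datetime import datetime

# Local backups are named year_month_day_time (e.g. 2008_11_30_23_00); backups sent to
# a TFTP/FTP server are grid_yyyy_mm_dd_hh_mm.tar.gz or hostname_yyyy_mm_dd_hh_mm.tar.gz.
NAME_RE = re.compile(
    r"^(?:(?P<prefix>.+)_)?(?P<ts>\d{4}_\d{2}_\d{2}_\d{2}_\d{2})(?:\.tar\.gz)?$")


def parse_backup_name(name):
    """Return (prefix, timestamp) for a backup file name, or None if it is not one.
    The prefix is '' for local-style names without a grid name or hostname."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return m.group("prefix") or "", datetime.strptime(m.group("ts"), "%Y_%m_%d_%H_%M")


def plan_retention(entries, max_files=20, budget_bytes=5 * 10**9):
    """entries: iterable of (file name, size in bytes).
    Keep the newest files that fit both the file-count limit and the storage budget,
    mirroring the appliance's own limits (20 files, 5 GB). Returns (keep, drop, unknown),
    with keep and drop ordered newest first and unknown holding unparseable names."""
    parsed, unknown = [], []
    for name, size in entries:
        p = parse_backup_name(name)
        if p is None:
            unknown.append(name)
        else:
            parsed.append((p[1], name, size))
    parsed.sort(reverse=True)
    keep, drop, used = [], [], 0
    for _ts, name, size in parsed:
        if len(keep) < max_files and used + size <= budget_bytes:
            keep.append(name)
            used += size
        else:
            drop.append(name)
    return keep, drop, unknown


def verify_backup(path):
    """True if the file is a complete gzip stream (CRC verified by full decompression)
    whose tar headers all parse; False for truncated or corrupt archives."""
    try:
        with gzip.open(path, "rb") as gz:
            while gz.read(1 << 20):
                pass
        with tarfile.open(path, "r:gz") as tf:
            return len(tf.getnames()) > 0
    except (OSError, EOFError, tarfile.TarError):
        return False


def make_sample_backup(contents=b"constructed sample configuration data\n"):
    """Write a small constructed .tar.gz into a temporary directory and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "grid_2008_11_30_23_00.tar.gz")
    with tarfile.open(path, "w:gz") as tf:
        info = tarfile.TarInfo("config.txt")
        info.size = len(contents)
        tf.addfile(info, io.BytesIO(contents))
    return path


def truncate_copy(path, cut=16):
    """Constructed failure case: a copy of the archive missing its last `cut` bytes,
    which is what an interrupted TFTP/FTP transfer leaves behind."""
    with open(path, "rb") as f:
        data = f.read()
    out = path + ".truncated"
    with open(out, "wb") as f:
        f.write(data[:-cut])
    return out


if __name__ == "__main__":
    sample = [(f"2008_11_30_{h:02d}_00", 500 * 10**6) for h in range(12)]  # constructed list
    keep, drop, unknown = plan_retention(sample)
    print(f"keep {len(keep)}, drop {drop}, unknown {unknown}")
    good = make_sample_backup()
    print(good, verify_backup(good), verify_backup(truncate_copy(good)))
```

With twelve 500 MB files the planner keeps ten, which is the figure the guide gives for that file size; the integrity check decompresses the whole stream rather than just listing members, because gzip only verifies its CRC when the end of the stream is reached.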
Automatically Backing Up a Data File
Infoblox recommends that you back up your configuration files regularly, and the easiest way to accomplish this task
is to configure the appliance to back up the configuration file automatically. You can choose when and how often files
are backed up: weekly, daily, or hourly. When you automatically back up a configuration file on the appliance, the file
is named with the format: year_month_day_time. The default time for an automatic backup is 3:00 AM. Configuration
files should be backed up during the slowest period of network activity.
To automatically back up a database file on an independent appliance or grid master:
1. From the Grid perspective, click grid -> Edit -> Grid Properties.
or
From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid (or Device) editor, click Scheduled Backups.
3. In the Scheduled Backups section, enter the following information:
Backup: Choose the destination of the backup file from the left drop-down list (LOCAL, TFTP, FTP) and how
often to back up the file from the right drop-down list (Weekly, Daily, Hourly). By default, a grid master
generates a backup file and saves it locally in its own storage daily at 3:00 AM.
Be aware that backing up the grid and saving it locally on an hourly basis increases the turnover of files
stored on the grid master. Backing it up hourly to a TFTP or FTP server increases the overall amount of traffic
on your network.
Weekday: (Weekly Only) Choose a day from the Weekday drop-down list, an hour from the Hours drop-down
list, and a minute from the Minutes drop-down list. The grid master then creates a backup file at that time
and day every week.
Hours [0-23]: (Weekly and Daily) Type the hour when you want the grid master to create a backup file.
Minutes [0-59]: (Weekly, Daily, Hourly) Type the minute when you want the grid master to create a backup
file.
User Name: (FTP Only) Type the user name for your FTP account.
Password: (FTP Only) Type the password for your FTP account.
Retype Password: (FTP Only) Type the password for your FTP account again to confirm its accuracy.
Backup Host: (FTP and TFTP) Type the IP address of the FTP or TFTP server where you want the grid master to
send the backup file.
Directory Path: (FTP Only) Type a directory path, for example: /archive/backups (for Windows) or
/bin/backups (for Linux). The folder or directory you type must already exist on the specified server.
Disable schedule backups: Select this check box if you want to disable automatic backups from occurring,
but want to save the settings for future use.
4. Click the Save icon.
Downloading a Backup File
You can save an existing backup file, or create and save a new one to your local management system, TFTP server, or
FTP server.
To back up a grid or an independent appliance or HA pair to your management system:
1. For a grid: From the Grid perspective, click Grid -> Backup -> to Local File.
or
For an independent appliance or HA pair: From the Device perspective, click Device -> Backup -> to Local File.
2. To back up the current configuration and data set, choose None, and then click OK.
To download a previously made backup file (automatically created through the scheduled backup feature),
choose the backup file name, and then click OK.
3. Navigate to the directory on your local management system where you want to save the backup file, rename the
file if you like (by default, it is named database.tar.gz), and then click Save or OK.
To back up a grid or an independent appliance or HA pair to a TFTP server:
1. From the Grid perspective, click Grid -> Backup -> to TFTP Server.
or
From the Device perspective, click Device -> Backup -> to TFTP Server.
2. Enter the following in the TFTP Backup dialog box:
Existing backup files: To back up the current configuration and data set, choose None. To download a
previously made backup file (made using the scheduled backup feature), choose the backup file name.
File name on TFTP server: Type a name for the backup file. If you are downloading a previously made backup
file and want to use that name, you can leave this field empty. A NIOS appliance names backup files by
concatenating the grid name or hostname with the date and time it creates the file, using this format:
For a grid: grid_yyyy_mm_dd_hh_mm.tar.gz
For an independent appliance or HA pair: hostname_yyyy_mm_dd_hh_mm.tar.gz
IP address of TFTP Server: Type the IP address of the TFTP server.
3. To download the specified backup file to the specified TFTP server, click OK.
To back up a grid or an independent appliance or HA pair to an FTP server:
1. From the Grid perspective, click Grid -> Backup -> to FTP Server.
or
From the Device perspective, click Device -> Backup -> to FTP Server.
2. Enter the following in the FTP Backup dialog box:
Existing backup files: To back up the current configuration and data set, choose None. To download a
previously made backup file (made using the scheduled backup feature), choose the backup file name.
File name on FTP server: Type a name for the backup file. If you are downloading a previously made backup
file and want to use that name, you can leave this field empty. A NIOS appliance names backup files by
concatenating the grid name or hostname with the date and time it creates the file, using this format:
For a grid: grid_yyyy_mm_dd_hh_mm.tar.gz
For an independent appliance or HA pair: hostname_yyyy_mm_dd_hh_mm.tar.gz
IP address of FTP server: Type the IP address of the FTP server.
Username on FTP server: Type the user name for your FTP account.
Password on FTP server: Type the password for your FTP account.
Re-type Password on FTP server: Type the account password again to ensure accuracy.
3. To download the specified backup file to the specified FTP server, click OK.
Restoring a Configuration File
You can restore a configuration file from an appliance running software modules v3.1r4 or later, or v3.2, to an
appliance running software modules v3.2.x. The procedure presented below allows you to restore a configuration file
to the same appliance on which it was originally backed up. To load a configuration file backed up from a different
appliance, see Loading a Configuration File on a Different Appliance on page 226.
To restore a configuration file to the same independent appliance or grid master:
1. From the Grid perspective, click Grid -> Restore Grid -> From Local File or From TFTP Server or From FTP Server or
From Grid Master.
or
From the Device perspective, click Device -> Restore Device -> From Local File or From TFTP Server or From FTP
Server or From Grid.
2. Do one of the following:
From Local File: Navigate to the location of the configuration file, select the file, and then click OK.
or
From TFTP Server: In the Restore Grid From TFTP dialog box, enter the following, and then click OK:
TFTP Server IP Address: Type the IP address of the TFTP server in whose root directory the backup
file is stored.
File Name: Type the name of the backup file. (Because the file must be in .tar.gz format, the file
type is included as a read-only extension of the file name.)
File Path: Type the directory path to where the backup file is stored.
or
From FTP Server: In the Restore Grid From FTP dialog box, enter the following, and then click OK:
FTP Server IP address: Type the IP address of the FTP server in whose root directory the backup file
is stored.
File Name: Type the name of the backup file. Do not include .tar.gz at the end of the file name.
User Name: Type the name of the FTP server account.
Password: Type the password of the FTP server account.
Retype Password: To ensure accuracy, type the account password again.
File Path: Type the directory path to where the backup file is stored.
or
From Grid Master: Select a configuration file from the drop-down list, and then click OK.
3. When the Confirm Grid Restore message appears, click OK to load the configuration file.
After the file loads, the appliance reboots.
4. Close your current browser window or JWS (Java Web Start) application, wait a few minutes, and then reconnect
to the NIOS appliance.
Loading a Configuration File on a Different Appliance
When you force restore a NIOS appliance, you load a configuration file saved from one appliance onto a different
appliance. To restore a configuration file to the same appliance or grid master, use the Restore function explained in
Restoring a Configuration File on page 225.
To load a configuration file from one appliance onto a different appliance:
1. From the Grid perspective, click Grid -> Force Restore Grid -> From Local File or From TFTP Server or From FTP Server
or From Grid Master.
or
From the Device perspective, click Device -> Force Restore Device -> From Local File or From TFTP Server or From
FTP Server or From Grid.
2. Do one of the following:
From Local File: In the Force Restore Grid From Local File dialog box, indicate whether you want the
appliance to keep its current grid master IP settings or to obtain its IP settings from the backup (the Grid
Master IP Address Option), and then click OK. Navigate to the location of the configuration file, select the
file, and then click OK.
or
From TFTP Server: In the Force Restore Grid From TFTP dialog box, enter the following, and then click OK:
TFTP Server IP Address: Type the IP address of the TFTP server in whose root directory the backup
file is stored.
File Name: Type the name of the backup file. (Because the file must be in .tar.gz format, the file
type is included as a read-only extension of the file name.)
File Path: Type the directory path to where the backup file is stored.
Grid Master IP Address Option: Indicate whether you want the appliance to keep its current grid
master IP settings or to obtain its IP settings from the backup.
or
From FTP Server: In the Force Restore Grid From FTP dialog box, enter the following, and then click OK:
FTP Server IP address: Type the IP address of the FTP server in whose root directory the backup file
is stored.
File Name: Type the name of the backup file. Do not include .tar.gz at the end of the file name.
User Name: Type the name of the FTP server account.
Password: Type the password of the FTP server account.
Retype Password: To ensure accuracy, type the account password again.
File Path: Type the directory path to where the backup file is stored.
Grid Master IP Address Option: Indicate whether you want the appliance to keep its current grid
master IP settings or to obtain its IP settings from the backup.
or
From Grid: In the Force Restore From Grid Master dialog box, enter the following, and then click OK:
Select a backup file from the drop-down list.
Grid Master IP Address Option: Indicate whether you want the appliance to keep its current grid
master IP settings or to obtain its IP settings from the backup.
3. When the Confirm Grid Restore confirmation message appears, click OK to load the backup file.
After the file loads, the appliance reboots.
4. Close your current browser window or JWS (Java Web Start) application, wait a few minutes, and then reconnect
to the NIOS appliance.
Downloading a Support Bundle
When you need assistance troubleshooting a NIOS appliance, you can log in to the appliance as a superuser,
download the support bundle of the appliance and send it to Infoblox Support for analysis. A support bundle is a
tar.gz file that contains configuration files and the appliance system files. You can download a support bundle for an
independent appliance and for each member in a grid. When you download a support bundle for an HA pair, it
includes the files of both nodes in the HA pair.
By default, the appliance includes the following files in the support bundle: core files, log files, VitalQIP files (if a
VitalQIP license is installed on the appliance). Because core files can be quite large and take a significant amount of
time to download, Infoblox recommends that you include core files in the support bundle only when requested by
Infoblox Support.
To download a support bundle:
1. From the Grid perspective, click + (for grid) -> + (for Members) -> grid_member -> Tools -> Download Support
Bundle.
or
From the Device perspective, click hostname -> Tools -> Download Support Bundle.
2. In the Download Support Bundle dialog box, select which files you would like to include in the support bundle,
and then click OK:
Core Files: Infoblox recommends that you include these files only when requested by Infoblox Support.
Log Files: Infoblox recommends that you always include these files in the support bundle.
QIP: If a VitalQIP license is installed on the appliance, include the VitalQIP files in the support bundle.
3. In the Save as... dialog box, navigate to where you want to save the file and change the file name. Do not change
the .tar.gz file extension in the file name.
4. Send this file to Support in an e-mail message.
Part 2 Appliance Deployment
This section provides information about deploying and managing independent appliances and grids. It includes the
following chapters:
• Chapter 8, "Deploying Independent Appliances", on page 231
• Chapter 9, "Deploying a Grid", on page 267
Chapter 8 Deploying Independent Appliances
This chapter explains how to deploy single independent appliances and independent HA pairs. Independent
appliances run NIOS without the Keystone upgrade and are deployed independently from a grid. The user guide or
quick start guide that ships with your product explains how to connect Ethernet cables and power cords before
configuring a NIOS appliance as a single independent appliance or an independent HA pair. Refer to these guides
when necessary as you read this chapter. There is also cabling information for Infoblox-500, -1000, and -1200
appliances in Connecting the Ethernet Cables on page 725.
The topics in this chapter include:
Independent Deployment Overview on page 232
Deploying a Single Independent Appliance on page 233
Method 1 Using the LCD on page 234
Method 2 Using the CLI on page 234
Method 3 Using the Infoblox NIOS Startup Wizard on page 236
Method 4 Using the GUI on page 237
Configuration Example: Deploying a NIOS Appliance for External DNS on page 238
Deploying an Independent HA Pair on page 245
Method 1 Using the Infoblox NIOS Startup Wizard on page 247
Method 2 Using the GUI on page 249
Configuration Example: Configuring an HA Pair for Internal DNS and DHCP on page 251
Verifying the Deployment on page 263
Single Independent Appliance on page 263
Independent HA Pair on page 263
Forcing an HA Failover on page 263
Infoblox Tools for Migrating Data on page 264
Upgrading Software on an Independent Appliance or HA Pair on page 265
Acquiring Software Upgrade Files on page 265
Distributing Software Upgrade Files on page 265
Running the Software Upgrade on page 265
Independent Deployment Overview
You can deploy NIOS appliances collectively in a grid or independently (in what is sometimes referred to as a
stand-alone deployment). Although grids offer many advantages for large organizations, an independent
deployment might be sufficient for smaller sites. For example, if your ISP hosts one name server to respond to
external DNS queries, it might be enough to deploy a single independent NIOS appliance as the other name server,
as shown in Figure 8.1.
Note: You cannot deploy a NIOS virtual appliance as a single, independent appliance.
Figure 8.1 Single Independent Appliance as an External DNS Server
Using primary and secondary name servers provides DNS protocol redundancy and configuring two DHCP servers as
DHCP failover peers provides DHCP protocol redundancy. However, you can only have hardware redundancy if you
deploy appliances in an HA (high availability) pair. Should the active node in an HA pair fail, the passive node
becomes active and begins serving data, as shown in Figure 8.2.
Figure 8.2 Independent HA Pair
The following sections describe the procedures for deploying independent appliances singly and in HA pairs.
Figure 8.1 shows a site whose firewall separates the Internet from a DMZ of servers for public access and from the
internal network. A NIOS appliance (cabled through its LAN or LAN1 port) is the primary DNS server for the
corp100.com domain and answers queries from the Internet for the public-facing servers in the DMZ; the ISP hosts a
secondary DNS server for corp100.com. The primary and secondary name servers provide DNS protocol redundancy: if
one of them cannot respond to a query for the corp100.com domain, the other can.
Figure 8.2 shows the same situation as Figure 8.1, but the primary DNS server is an independent HA pair (an active
node and a passive node, each cabled through its LAN (LAN1) and HA ports) to provide hardware redundancy. If the
active node fails, the passive node becomes active and continues serving DNS.
Deploying a Single Independent Appliance
To deploy a single independent NIOS appliance, you cable its LAN or LAN1 port to the network and change its default
IP settings so that it can connect to its surrounding IP address space. The default LAN settings are as follows:
IP address: 192.168.1.2
Netmask: 255.255.255.0
Gateway: 192.168.1.1
Note: On Infoblox-500, -1000, and -1200 appliances, the LAN port is labeled LAN. On Infoblox-550, -1050, -1550,
and -1552 appliances, use the port labeled LAN1. (The LAN2 port on these appliances is reserved for future
use.)
Infoblox provides the following methods for performing a basic configuration to deploy a single independent
appliance:
Method 1 Using the LCD
Requirements: Physical access to a powered up NIOS appliance
Advantage: You do not need any other equipment.
Method 2 Using the CLI
Requirements: A serial connection from your management system to the console port on the NIOS
appliance (You can also enable remote console access so that you can use the CLI over a network
connection. For information, see Enabling Remote Console Access on page 128.)
Advantage: You do not have to change the IP address of the management system to connect to the NIOS
appliance.
Method 3 Using the Infoblox NIOS Startup Wizard
Requirements: An HTTPS connection from your management system to the LAN or LAN1 port on the NIOS
appliance
Advantage: The wizard provides step-by-step guidance for changing not only the IP settings for the LAN or LAN1
port, but also the appliance host name and admin password, setting the system clock, and, if you use NTP
(Network Time Protocol), enabling NTP on the appliance.
Method 4 Using the GUI
Requirements: An HTTPS connection from your management system to the LAN or LAN1 port on the NIOS
appliance
Advantage: If you have logged in previously and disabled the startup wizard, you can still use the GUI to
configure the LAN network settings.
These methods are explained in the following subsections.
After you set the network settings, you can then migrate data and settings from legacy DNS and DHCP servers to the
NIOS appliances. Several tools and methods are available for migrating data and configuration settings. For a list of
the available options, see Infoblox Tools for Migrating Data on page 264.
Method 1 Using the LCD
NIOS appliances have an LCD and navigation buttons on the front panel that allow you to view system status and
license information as well as configure network settings for the LAN or LAN1 port.
Figure 8.3 Infoblox LCD and Navigation Buttons
You can deploy a single independent NIOS appliance by setting its LAN or LAN1 port IP address, netmask, and
gateway through the LCD. This is the simplest method because you do not need anything other than physical access
to the appliance to complete the initial configuration.
1. Connect the power cable from the NIOS appliance to a power source and turn on the power.
At startup, the Infoblox logo appears in the LCD on the front panel of the appliance. Then the LCD scrolls
repeatedly through a series of display screens.
2. To change the network settings for the LAN or LAN1 port, press one of the navigation buttons.
The LCD immediately goes into input mode, in which you can enter the IP address, netmask, and gateway for the
LAN or LAN1 port.
3. Use the navigation buttons to enter an IP address, netmask, and gateway address for the LAN or LAN1 port.
4. Cable the LAN or LAN1 port of the NIOS appliance to a network as described in Independent Appliance Cabling
Using the LAN or Serial Port on page 725.
Method 2 Using the CLI
The Infoblox CLI allows you to make an initial network configuration through the set network command. To access
the CLI, make a direct serial connection from your management system.
Note: You can also access the CLI from a remote location using an SSHv2 client. By default, remote console access
(that is, SSHv2 (Secure Shell version 2) access) is disabled. You must first enable remote console access
through the GUI or CLI, and then you can make an SSHv2 connection to the appliance.
1. Connect a console cable from the console port on your workstation to the male DB-9 console port on the NIOS
appliance.
The DB-9 pin assignments follow the EIA232 standard. You can use the RJ-45 rollover cable and two female
RJ-45-to-female DB-9 adapters that ship with the appliance, or a female DB-9-to-female DB-9 null modem cable.
The LCD panel and its navigation buttons are on the front of a NIOS appliance.
Figure 8.4 Console Connection
2. Using a serial terminal emulation program such as Hilgraeve HyperTerminal (for Windows operating systems),
launch a session. The connection settings are:
Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: Xon/Xoff
3. Log in using the default user name and password admin and infoblox . User names and passwords are
case-sensitive.
4. To change the network settings from the default, enter the set network command. Then enter information as
prompted to change the IP address, netmask, and gateway for the LAN or LAN1 port.
Note: In the following commands, the variable ip_addr1 is the IP address of the LAN or LAN1 port and ip_addr2 is
the IP address of the gateway for the subnet on which you set the ip_addr1 address.
Infoblox > set network
NOTICE: All HA configuration is performed from the GUI. This interface is used only
to configure a standalone node or to join a grid.
Enter IP address: ip_addr1
Enter netmask: [Default: 255.255.255.0]: netmask
Enter gateway address [Default: n.n.n.1]: ip_addr2
Become grid member? (y or n): n
After you confirm your network settings, the Infoblox application automatically restarts.
5. Cable the LAN or LAN1 port to a network as described in Independent Appliance Cabling Using the LAN or Serial
Port on page 725.
The management system and the NIOS appliance each have a male DB-9 console port. Connect them with the RJ-45
rollover cable and two RJ-45-to-female DB-9 adapters that ship with every appliance, or with a female
DB-9-to-female DB-9 null modem cable. The appliance is also connected to a power source.
Method 3 Using the Infoblox NIOS Startup Wizard
When you first make an HTTPS connection to a NIOS appliance, the Infoblox NIOS Startup Wizard appears. To ease
the initial configuration process, the wizard guides you through various deployment options and basic network
settings, and presents opportunities for changing the password of the superuser admin and for setting the system
clock.
To make an HTTPS connection to the appliance, you must be able to reach its IP address from your management
system.
Note: If you have already set the IP address of the LAN or LAN1 port through the LCD or CLI so that you can reach it
over the network, and you have already cabled the appliance to the network, you can skip the first step.
1. If you have not changed the default IP address (192.168.1.2/24) of the LAN or LAN1 port through the LCD or CLI,
and the subnet to which you connect the appliance does not happen to be 192.168.1.0/24, put your
management system in the 192.168.1.0/24 subnet and connect an ethernet cable between your management
system and the NIOS appliance.
2. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port. (To reach the
default IP address, enter: https://192.168.1.2)
Several certificate warnings appear during the login process. This is normal because the preloaded certificate is
self-signed (and, therefore, is not in the trusted certificate stores in your browser, Java application, and Java
Web Start application) and has the hostname www.infoblox.com, which does not match the destination IP
address you entered in step 2. To stop the warning messages from occurring each time you log in to the GUI, you
can generate a new self-signed certificate or import a third-party certificate with a common name that matches
the FQDN (fully qualified domain name) of the appliance. This is a very simple process. Until you replace the
preloaded certificate, your browser cannot tell the appliance's certificate from one presented by a host
interposed on the path, so perform this initial configuration over a direct cable or a network you trust. For
information about certificates, see Managing Certificates on page 48.
3. Click LAUNCH DEVICE MANAGER.
4. Log in to the NIOS appliance. The default login name and password are admin and infoblox. For detailed
information about logging in to the GUI, see Accessing the Infoblox GUI on page 38.
The Infoblox NIOS Startup Wizard appears. The first screen provides basic information about the wizard, and the
second screen displays license agreement information.
5. Beginning on the third screen, enter the following, where
ip_addr1 and netmask are the IP address and netmask of the LAN or LAN1 port
ip_addr2 is the IP address of the gateway for the subnet on which the LAN or LAN1 port is set
hostname is a valid domain name for the appliance
string is a single alphanumeric string (no spaces) for a password that is at least four characters long
ip_addr3 is the IP address of an NTP server:
Wizard Screen                    Enter or Select
Deployment Type                  Independent Device or HA Pair
Independent Device Deployment    Independent Device
Type
Network Settings                 IP Address: ip_addr1
                                 Netmask: netmask
                                 Gateway: ip_addr2
                                 Host Name: hostname
Admin Account Password           Change Admin Password: (select), string
Time Settings                    Enable NTP: (select)
                                 NTP Server List: ip_addr3 (click Add)
                                 Time zone: (choose the time zone for the location of the appliance)
Note: The startup wizard provides options such as not changing the default password and manually entering the
time and date. However, changing the password and using an NTP server provide increased security and
accuracy (respectively), and so these choices are presented above.
The last screen of the startup wizard states that the changed settings require the application to restart. When
you click Finish, it restarts.
6. Open a new web browser instance and make an HTTPS connection to the new IP address of the LAN or LAN1 port.
7. Log back in using the default user name (admin) and your new password. When you log in the second time, you
access the Infoblox GUI application. For system requirements to use the GUI, see Management System
Requirements on page 38.
Method 4 Using the GUI
To deploy a single independent appliance through the GUI, make an HTTPS connection to the appliance and then
bypass the startup wizard. (The following procedure assumes that the appliance has the DNSone package installed.)
1. If you have not changed the default IP address (192.168.1.2/24) of the LAN or LAN1 port through the LCD or CLI,
and the subnet to which you connect the appliance does not happen to be 192.168.1.0/24, put your
management system in the 192.168.1.0/24 subnet and connect an ethernet cable between your management
system and the NIOS appliance.
Note: The ethernet ports on the Infoblox-550, -1050, -1550, and -1552 appliances are autosensing, so you can
use either a straight-through or cross-over ethernet cable for this connection. For the Infoblox-500, -1000,
and -1200 appliances, use a cross-over ethernet cable to connect the appliance to your management
system and a straight-through ethernet cable to connect the appliance to a switch.
2. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port. To reach the
default IP address, enter: https://192.168.1.2 . For detailed information on logging in to the GUI, see Accessing
the Infoblox GUI on page 38.
3. Click LAUNCH DEVICE MANAGER.
4. Log in using the default user name (admin) and password (infoblox).
The Infoblox NIOS Startup Wizard appears.
5. To bypass the wizard, click Cancel or the Close button.
6. From the Device perspective, click infoblox.localdomain -> Edit -> Device Properties.
7. In the Device editor, click Device Properties, and then enter the following network settings:
Host Name: Type the FQDN (fully qualified domain name) of the appliance.
(V)IP Address: Type the IP address of the LAN or LAN1 port.
Subnet Mask: Choose the netmask for the subnet to which the LAN or LAN1 port connects.
Gateway: Type the IP address of the default gateway of the subnet to which the LAN or LAN1 port connects.
Comment: Type a comment that provides some useful information about the appliance, such as its
location.
8. Click Save, and then close the management window.
9. Initiate a new management session, and log in to the appliance using its new IP address.
Configuration Example: Deploying a NIOS Appliance for External DNS
In this example, you configure the NIOS appliance as the external primary DNS server for corp100.com. Its FQDN
(fully-qualified domain name) is ns1.corp100.com. The interface IP address of the LAN1 port is 10.1.5.2/24. Because
this is a private IP address, you must also configure the firewall to perform NAT (network address translation),
mapping the public IP address 1.1.1.2 to 10.1.5.2. Using its public IP address, ns1 can communicate with appliances
on the public network.
The FQDN and IP address of the external secondary DNS server are ns2.corp100.com and 2.2.2.2. The ISP hosts this
server.
The primary and secondary servers answer queries for the following public-facing servers in the DMZ:
www.corp100.com
mail.corp100.com
ftp.corp100.com
When you create the corp100.com zone on the NIOS appliance, you import zone data from the legacy DNS server at
10.1.5.3.
Figure 8.5 Example 1 Network Diagram
The NIOS appliance (ns1, 10.1.5.2, cabled through its LAN1 port to the DMZ switch) is the external primary DNS
server for the corp100.com domain. It answers queries from the Internet for the three public-facing servers in
the DMZ network 10.1.5.0/24: www (10.1.5.5), mail (10.1.5.6), and ftp (10.1.5.7). It replaces the legacy primary
DNS server ns1 at 10.1.5.3.
The firewall connects the Internet (ethernet1, 1.1.1.1/24) to the DMZ (ethernet2, 10.1.5.1/24) and to the internal
network, and performs the following NAT: 1.1.1.2 -> 10.1.5.2, 1.1.1.5 -> 10.1.5.5, 1.1.1.6 -> 10.1.5.6, and
1.1.1.7 -> 10.1.5.7.
On the Internet side, the ISP hosts the external secondary DNS server ns2 at 2.2.2.2, and an NTP server is at
3.3.3.3. The appliance is in the Pacific time zone (GMT-08:00).
Cable the Appliance to the Network and Turn On Power
Connect an ethernet cable from the LAN1 port of the NIOS appliance to a switch in the DMZ network and turn on the
power. For information about installing and cabling the appliance, refer to the user guide or installation guide that
ships with the product.
Specify Initial Network Settings
Before you can configure the NIOS appliance through the GUI, you must be able to make a network connection to it.
The default network settings of the LAN1 port are 192.168.1.2/24 with a gateway at 192.168.1.1 (the HA and MGMT
ports do not have default network settings). To change these settings to suit your network, use either the LCD or the
console port.
In this example, you change the IP address/netmask of the LAN1 port to 10.1.5.2/24, and the gateway to 10.1.5.1.
LCD
The NIOS appliance has an LCD and navigation buttons on its front panel.
At startup, the Infoblox logo appears in the LCD on the front panel of the appliance. Then the LCD scrolls repeatedly
through a series of display screens.
1. To change the network settings from the default, press one of the navigation buttons.
The LCD immediately goes into input mode, in which you can enter the IP address, netmask, and gateway for the
LAN1 port.
2. Use the navigation buttons to enter the following information:
IP Address: 10.1.5.2
Netmask: 255.255.255.0
Gateway: 10.1.5.1
Console Port
The NIOS appliance has a male DB-9 console port on the front panel. You can log in to the appliance through this port
and specify initial network settings using the Infoblox CLI.
1. Connect a console cable from the console port of the management system to the console port of the NIOS
appliance.
2. Access the Infoblox CLI. For more information about the Infoblox CLI, refer to the Infoblox CLI Guide.
3. To change the network settings from the default, enter the set network command. Then enter information as
prompted to change the IP address, netmask, and gateway for the LAN1 port.
Infoblox > set network
NOTICE: All HA configuration is performed from the GUI. This interface is used only to
configure a standalone node or to join a grid.
Enter IP address: 10.1.5.2
Enter netmask: [Default: 255.255.255.0]:
Enter gateway address [Default: 10.1.5.1]:
Become grid member? (y or n): n
After you confirm your network settings, the appliance automatically restarts.
Specify Appliance Settings
When you make the initial HTTPS connection to the NIOS appliance, you see the Appliance Startup Wizard, which
guides you through the basic deployment of the appliance on your network. Use the wizard to enter the following
information:
Deployment: single independent appliance
Host name: ns1.corp100.com
Password: SnD34n534
NTP (Network Time Protocol) server: 3.3.3.3; time zone: (GMT-08:00) Pacific Time (US and Canada), Tijuana
1. Open a browser window and enter https://10.1.5.2.
2. Accept the certificate when prompted.
Several certificate warnings appear during the login process. This is normal because the preloaded certificate is
self-signed (and, therefore, is not in the trusted certificate stores in your browser, Java application, and Java
Web Start application) and has the hostname www.infoblox.com, which does not match the destination IP
address you entered in step 1. To stop the warning messages from occurring each time you log in to the GUI, you
can generate a new self-signed certificate or import a third-party certificate with a common name that matches
the FQDN (fully-qualified domain name) of the appliance. This is a very simple process. For information about
certificates, see Managing Certificates on page 48.
3. Click LAUNCH DEVICE MANAGER.
4. If the browser prompts you for an application to use, see Accessing the Infoblox GUI on page 38.
5. Log in using the default user name and password admin and infoblox.
Note: User names and passwords are case-sensitive.
6. The Infoblox Appliance Startup Wizard opens with a splash screen that provides basic information about the
wizard, and then displays license agreement information. Beginning on the third screen, enter the following:
Wizard Screen        Enter or Select
Deployment type      Standalone
Node type            Standalone appliance
Node information     Host name: ns1.corp100.com
Default password     Change admin's password: (select), SnD34n534
Time settings        Enable NTP: (select)
                     NTP Server: 3.3.3.3 (click Add)
                     Time zone: (GMT-08:00) Pacific Time (US and Canada), Tijuana
The last screen of the wizard states that the changed settings require the application to restart. When you click
Finish, the Infoblox GUI application restarts.
7. Log back in to the appliance. When you log in the second time, you access the Infoblox GUI application. For
system requirements to use the GUI, see Management System Requirements on page 38.
Define a NAT Address
Because the firewall translates the public IP address 1.1.1.2 to the interface IP address 10.1.5.2, all DNS queries
originating outside the firewall use 1.1.1.2 (not 10.1.5.2) to reach the NIOS appliance. Accordingly, you must
configure the appliance to indicate to other external DNS servers that its address is 1.1.1.2.
1. From the Device perspective, click ns1.corp100.com -> Edit -> Device Properties.
2. In the Device editor, click NAT and enter the following:
Enable NAT compatibility: Select check box.
Group: None
NAT (V)IP Address: 1.1.1.2
3. Click the Save icon.
The glue record is an A record for a name server. The appliance automatically generates the A record for
ns1.corp100.com using either the interface address or NAT address (if configured). To verify that the A record uses
the NAT address (1.1.1.2) instead of the interface address (10.1.5.2):
1. Click DNS to open the DNS perspective, and then click DNS Members -> + (for Infoblox) -> ns1.corp100.com -> Edit
-> Member DNS Properties.
2. In the Member DNS Properties editor, click General.
3. In the table labelled Possible views for member, select the default view and click Modify.
4. In the Select Member Address dialog box, select NAT IP address.
5. Click the Save and Restart Services icons.
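The two procedures above make the appliance advertise its NAT address rather than its interface address in the glue A record for ns1.corp100.com. The following added example (written for this page; it is not Infoblox code and does not talk to an appliance) models that choice and audits a zone's NS records for the failure mode the text warns about: an in-bailiwick name server whose glue is missing or carries a private address that Internet resolvers cannot reach. The record tuples are constructed sample data, not records taken from the guide.

```python
from ipaddress import ip_address

# Constructed sample records (not from the guide): what the appliance would
# publish for corp100.com if the member address were left at the interface IP,
# and the same zone after the NAT IP address is selected for the member.
GLUE_BEFORE = [
    ("corp100.com", "NS", "ns1.corp100.com."),
    ("corp100.com", "NS", "ns2.corp100.com."),
    ("ns1.corp100.com", "A", "10.1.5.2"),   # interface address leaked into glue
    ("ns2.corp100.com", "A", "2.2.2.2"),
]
GLUE_AFTER = [(n, t, "1.1.1.2" if n == "ns1.corp100.com" else d)
              for n, t, d in GLUE_BEFORE]


def advertised_address(interface_ip, nat_ip=None, nat_enabled=False):
    """Address the appliance should put in its own glue A record: the NAT (V)IP
    when NAT compatibility is enabled and a NAT address is set, else the
    interface IP (the behaviour the text describes)."""
    return nat_ip if (nat_enabled and nat_ip) else interface_ip


def _fqdn(name):
    return name.lower().rstrip(".")


def glue_problems(zone, records):
    """Return [(ns_name, address)] for NS targets of `zone` whose glue is
    unusable from the Internet: address None means an in-bailiwick NS has no
    A record at all; otherwise the A record is private/loopback/link-local."""
    a_by_name = {}
    for name, rtype, data in records:
        if rtype == "A":
            a_by_name.setdefault(_fqdn(name), []).append(data)
    zone = _fqdn(zone)
    problems = []
    for name, rtype, data in records:
        if rtype != "NS" or _fqdn(name) != zone:
            continue
        ns = _fqdn(data)
        in_bailiwick = ns == zone or ns.endswith("." + zone)
        addrs = a_by_name.get(ns, [])
        if in_bailiwick and not addrs:
            problems.append((ns, None))
        for ip in addrs:
            a = ip_address(ip)
            if a.is_private or a.is_loopback or a.is_link_local:
                problems.append((ns, ip))
    return problems


if __name__ == "__main__":
    print("member address:", advertised_address("10.1.5.2", "1.1.1.2", nat_enabled=True))
    print("before:", glue_problems("corp100.com", GLUE_BEFORE))
    print("after: ", glue_problems("corp100.com", GLUE_AFTER))
```

Run the same check against the records the zone actually serves (for example the output of a zone transfer to a host you control) after step 5; an empty list means no in-bailiwick name server is advertised with an address the Internet cannot route to.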
Enable Zone Transfers on the Legacy Name Server
To allow the appliance to import zone data from the legacy server at 10.1.5.3, you must configure the legacy server
to allow zone transfers to the appliance at 10.1.5.2.
Legacy BIND Server
1. Open the named.conf file using a text editor and change the allow-transfer statement as shown below:
For All Zones To set the allow-transfer statement as a global statement in the named.conf file for all zones:
options {
    zone-statistics yes;
    directory "/var/named/named_conf";
    version "";
    recursion yes;
    listen-on { 127.0.0.1; 10.1.5.3; };
    allow-transfer { 10.1.5.2; };
    transfer-format many-answers;
};
For a Single Zone To set the allow-transfer statement in the named.conf file for the corp100.com zone:
zone "corp100.com" in {
    type master;
    allow-transfer { 10.1.5.2; };
    notify yes;
};
2. After editing the named.conf file, restart DNS service for the change to take effect.
Note: A zone-level allow-transfer statement overrides the global one for that zone, so check the zone statement
when a transfer is unexpectedly refused or permitted. The recursion yes line above reflects the legacy server's
existing configuration; an authoritative server that is reachable from the Internet should normally set
recursion no so that it cannot be used as an open resolver.
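Because the zone-level allow-transfer statement overrides the global one, the effective transfer policy is not always the line you just edited. The following added example (written for this page, not BIND or Infoblox code) parses the options and zone blocks of a named.conf, computes the effective allow-transfer list per zone, evaluates it the way a BIND address-match list is evaluated (first match wins, a leading ! negates, no match denies), and lists zones that would hand a full copy to an arbitrary outside address. The embedded named.conf is a constructed sample based on the fragments above; the zone names inherits.test and open.test and the probe address 203.0.113.9 are assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample named.conf (not taken from the guide): a global
# allow-transfer in options {} plus zones that do and do not override it.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named/named_conf";
    recursion no;
    listen-on { 127.0.0.1; 10.1.5.3; };
    allow-transfer { 10.1.5.2; };
};
zone "corp100.com" in {
    type master;
    allow-transfer { 10.1.5.2; 2.2.2.2; };
    notify yes;
};
zone "inherits.test" in { type master; notify yes; };
zone "open.test" in { type master; allow-transfer { any; }; };
"""

_BLOCK_RE = re.compile(r'(options\s*|zone\s+"([^"]+)"[^{]*)\{')
_ACL_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")


def _blocks(text):
    """Yield (kind, zone_name, body) for each top-level options/zone block,
    walking braces so that nested { } inside a block are handled."""
    pos = 0
    while True:
        m = _BLOCK_RE.search(text, pos)
        if not m:
            return
        depth, end = 0, m.end() - 1        # index of the opening brace
        for i in range(end, len(text)):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    end = i
                    break
        kind = "options" if m.group(1).startswith("options") else "zone"
        yield kind, m.group(2), text[m.end():end]
        pos = end + 1


def _parse_acl(body):
    """allow-transfer { a; b; } -> ['a', 'b']; None if the statement is absent."""
    m = _ACL_RE.search(body)
    if not m:
        return None
    return [tok.strip() for tok in m.group(1).split(";") if tok.strip()]


def effective_transfer_acls(conf_text):
    """Map zone name -> effective allow-transfer list. A zone-level statement
    overrides the options-level one; with neither present, the BIND default of
    the era of this guide applies, which permits transfers to any host."""
    global_acl, zones = None, {}
    for kind, name, body in _blocks(conf_text):
        if kind == "options":
            global_acl = _parse_acl(body)
        else:
            zones[name] = _parse_acl(body)
    return {name: acl if acl is not None
            else (list(global_acl) if global_acl is not None else ["any"])
            for name, acl in zones.items()}


def transfer_allowed(acl, client_ip):
    """Evaluate an address-match list: first matching element decides,
    a leading '!' negates that element, and no match means deny."""
    addr = ip_address(client_ip)
    for entry in acl:
        negate = entry.startswith("!")
        item = entry.lstrip("!").strip()
        if item == "any":
            hit = True
        elif item == "none":
            hit = False
        elif item == "localhost":
            hit = addr.is_loopback
        else:
            hit = addr in ip_network(item, strict=False)
        if hit:
            return not negate
    return False


def open_transfer_zones(conf_text, probe_ip="203.0.113.9"):
    """Zones whose effective ACL would serve AXFR to an arbitrary outsider
    (203.0.113.0/24 is documentation address space, used as the probe)."""
    acls = effective_transfer_acls(conf_text)
    return sorted(z for z, acl in acls.items() if transfer_allowed(acl, probe_ip))


if __name__ == "__main__":
    for zone, acl in effective_transfer_acls(SAMPLE_NAMED_CONF).items():
        print(f"{zone}: allow-transfer {{ {'; '.join(acl)}; }}")
    print("open to any client:", open_transfer_zones(SAMPLE_NAMED_CONF))
```

Point the parser at the real named.conf on the legacy server before and after the edit: the corp100.com entry should list only 10.1.5.2 (and nothing should appear in the open list) before you trigger the import from the appliance.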
Legacy Windows 2000/2003 Server
1. Click Start -> All Programs -> Administrative Tools -> DNS.
2. Click + (for ns1) -> + (for Forward Lookup Zones) -> corp100.com.
3. Right-click corp100.com, and then select Properties -> Zone Transfers.
4. On the Zone Transfers page in the corp100.com Properties dialog box, enter the following:
Allow zone transfers: Select check box.
Only to the following servers: Select.
IP address: Enter 10.1.5.2, and then click Add.
5. To save the configuration change and close the corp100.com Properties dialog box, click OK.
Import Zone Data
You can import zone data from a legacy server or manually enter it. When you import both forward- and
reverse-mapping zone data, the NIOS appliance automatically creates Infoblox host records if corresponding A and
PTR records are present. You can then modify the host records to add MAC addresses. However, if you only import
forward-mapping zone data, the NIOS appliance cannot create host records from just the A records. In that case,
because you cannot later convert A records to host records, it is more efficient to create the corp100.com zone, and
define host records manually.
Infoblox host records are data models that represent IP devices within the Infoblox semantic database. The NIOS
appliance uses a host object to define A, PTR, and CNAME resource records in a single object as well as a DHCP fixed
address if you include a MAC address in the host object definition. The host object prevents costly errors because
you only maintain a single object for multiple DNS records and a DHCP fixed address. Therefore, it is advantageous
to use host records instead of separate A, PTR, and CNAME records.
Note: If you only have forward-mapping zones on your legacy servers and you want to add reverse-mapping zones
and automatically convert A records to host records in the imported forward-mapping zones and create reverse
host records in corresponding reverse-mapping zones, create the reverse-mapping zones on the NIOS
appliance and then import the forward-mapping zones data. The NIOS appliance automatically converts the
imported A records to host records in the forward-mapping zones and creates reverse host records in the
reverse-mapping zones.
You also have the option of using the Data Import Wizard for loading DNS and DHCP configurations and data. For large
data sets, this option is an efficient approach. To download the Data Import Wizard, visit www.infoblox.com/support,
log in with your support account, and then click the Data Import Wizard hyperlink in the DNSone section.
In this example, when you create the corp100.com forward-mapping zone, you import zone data for the existing
corp100.com zone from the legacy server at 10.1.5.3. When you create the 1.1.1.0/24 reverse-mapping zone, you
also import the reverse-mapping zone records from the legacy server. After the appliance has both the forward- and
reverse-mapping zone data, it converts the A and PTR records to Infoblox host records.
1. Open a browser window, and log in to the appliance at https://10.1.5.2, using the user name admin and the
password SnD34n534.
2. From the DNS perspective, click Infoblox Views -> + (for Infoblox Views) -> + (for default) -> Forward Mapping
Zones -> Edit -> Add Forward Mapping Zone -> Authoritative.
3. In the Authoritative Zone Properties section of the Add Forward Authoritative Zone editor, enter the following:
Name: corp100.com
Comment: External DNS zone
4. In the Primary Server Assignment section, click Select Member to open the Select Grid Member dialog box.
5. Select ns1.corp100.com, and then click OK to close the dialog box.
6. In the Secondary Server Assignment section, click Add in the External Secondaries table to open the Zone
External Secondary Server Item dialog box.
7. Enter the following information, and then click OK to close the dialog box:
Name: ns2.corp100.com
IP Address: 2.2.2.2
Stealth: Clear check box.
8. Click the Save and Restart Services icons.
9. Edit the zone that you just created as follows: in the Infoblox Views panel of the DNS perspective, click + (for
Forward Mapping Zones) -> corp100.com -> Edit -> Authoritative Zone Properties.
Note: To import zone data, you must first create a zone, save it, and then edit it.
10. In the Forward Authoritative Zone editor, click Settings and enter the following:
E-mail address: admin@corp100.com
Import zone from: Select check box, and enter 10.1.5.3 in the adjacent text field.
11. Click the Save icon.
12. After successfully importing the zone data, click corp100.com in the Infoblox Views panel.
You can see all the imported forward-mapping zone data in the Records panel. Because you have not yet
imported the reverse-mapping zone data, most of the records appear as A records.
13. From the DNS perspective, click Infoblox Views -> + (for Infoblox Views) -> + (for default) -> Reverse Mapping
Zones -> Edit -> Add Reverse Mapping Zone -> Authoritative.
14. In the Authoritative Zone Properties section of the Add Reverse Authoritative Zone editor, enter the following:
Network Address: 1.1.1.0
Subnet Mask: /24 (255.255.255.0)
Comment: External DNS zone
15. In the Primary Server Assignment section, click Select Member to open the Select Grid Member dialog box.
16. Select ns1.corp100.com, and then click OK to close the dialog box.
17. In the Secondary Server Assignment section, click Add in the External Secondaries table to open the Zone
External Secondary Server dialog box.
18. Enter the following information, and then click OK to close the dialog box:
Name: ns2.corp100.com
IP Address: 2.2.2.2
Stealth: Clear check box.
19. Click the Save icon.
20. In the Infoblox Views panel of the DNS perspective, click + (for Reverse Mapping Zones) -> 1.1.1.in-addr.arpa ->
Edit -> Authoritative Zone Properties.
21. In the Authoritative Reverse Zone editor, click Settings and enter the following:
E-mail address: admin@corp100.com
Import zone from: Select check box, and enter 10.1.5.3 in the adjacent text field.
22. Click the Save and Restart Services icons.
23. Click 1.1.1.in-addr.arpa -> View -> Records.
You can see all the imported reverse-mapping zone data in the Records panel.
24. Click corp100.com in the Forward Mapping Zones list.
Because you have now imported both the forward- and reverse-mapping zone data, most of the records appear
as host records.
25. Finally, you must remove the ns1 host record for the legacy server (value 1.1.1.3). To remove it, select ns1 (the
host record for 1.1.1.3), and then click Edit -> Remove.
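The conversion the import procedure relies on (steps 12 and 24 above, and the Import Zone Data introduction) is that an A record becomes a host record only once a PTR record for its address naming the same FQDN has also been imported; anything without a matching partner stays a plain A or PTR record. The following added example (written for this page; it is a model of that rule, not NIOS code) applies it to constructed forward and reverse records for corp100.com, reports what would remain as plain records, and locates any host record still carrying the legacy server's address, which step 25 removes by hand. The entries old.corp100.com, orphan.corp100.com and the MX record are assumptions added for illustration.

```python
# Constructed sample records (not data from the guide): A records as imported
# with the corp100.com forward zone and PTR records as imported with the
# 1.1.1.in-addr.arpa reverse zone, plus one unmatched entry on each side.
FORWARD_RECORDS = [
    ("www.corp100.com", "A", "1.1.1.5"),
    ("mail.corp100.com", "A", "1.1.1.6"),
    ("ftp.corp100.com", "A", "1.1.1.7"),
    ("ns1.corp100.com", "A", "1.1.1.2"),           # the new appliance
    ("ns1.corp100.com", "A", "1.1.1.3"),           # the replaced legacy server
    ("old.corp100.com", "A", "1.1.1.9"),           # no PTR points back here
    ("corp100.com", "MX", "10 mail.corp100.com."),  # not an A record
]
REVERSE_RECORDS = [
    ("5.1.1.1.in-addr.arpa", "PTR", "www.corp100.com."),
    ("6.1.1.1.in-addr.arpa", "PTR", "mail.corp100.com."),
    ("7.1.1.1.in-addr.arpa", "PTR", "ftp.corp100.com."),
    ("2.1.1.1.in-addr.arpa", "PTR", "ns1.corp100.com."),
    ("3.1.1.1.in-addr.arpa", "PTR", "ns1.corp100.com."),
    ("8.1.1.1.in-addr.arpa", "PTR", "orphan.corp100.com."),  # no A record
]


def ptr_name_to_ip(owner):
    """'5.1.1.1.in-addr.arpa' -> '1.1.1.5' (IPv4 reverse-mapping owner name)."""
    labels = owner.lower().rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 reverse owner name: {owner}")
    return ".".join(reversed(labels[:-2]))


def _fqdn(name):
    return name.lower().rstrip(".")


def merge_into_hosts(forward, reverse):
    """Model of the conversion the text describes: an A record becomes (part of)
    a host record only when a PTR for that address names the same FQDN.
    Returns (hosts, leftover_forward, leftover_reverse); the leftovers are the
    records that would remain as plain A/PTR (or other) records after import."""
    ptr_by_ip = {ptr_name_to_ip(n): _fqdn(d) for n, t, d in reverse if t == "PTR"}
    hosts, leftover_forward, used_ips = {}, [], set()
    for name, rtype, data in forward:
        if rtype == "A" and ptr_by_ip.get(data) == _fqdn(name):
            hosts.setdefault(_fqdn(name), []).append(data)
            used_ips.add(data)
        else:
            leftover_forward.append((name, rtype, data))
    leftover_reverse = [(n, t, d) for n, t, d in reverse
                        if t != "PTR" or ptr_name_to_ip(n) not in used_ips]
    return hosts, leftover_forward, leftover_reverse


def entries_with_address(hosts, ip):
    """Host records that still carry `ip`, e.g. the legacy server's 1.1.1.3."""
    return sorted(name for name, ips in hosts.items() if ip in ips)


if __name__ == "__main__":
    hosts, rest_fwd, rest_rev = merge_into_hosts(FORWARD_RECORDS, REVERSE_RECORDS)
    print("host records:", hosts)
    print("still plain forward records:", rest_fwd)
    print("still plain reverse records:", rest_rev)
    print("remove by hand (legacy 1.1.1.3):", entries_with_address(hosts, "1.1.1.3"))
```

The leftover lists are worth reviewing after a real import: an A record left unconverted usually means the reverse zone for that address was not created on the appliance before the forward zone was imported, which is the ordering the note under Import Zone Data calls for.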
Designate the New Primary on the Secondary Name Server (at the ISP Site)
In this example, the external secondary name server is maintained by an ISP, so you must contact your ISP
administrator to change the IP address of the primary (or master) name server. (If you have administrative access to
the secondary name server, you can make this change yourself.)
Because a firewall performing NAT exists between the secondary and primary name servers, specify the NAT address
1.1.1.2 for the primary name server instead of 10.1.5.2.
Secondary BIND Server
1. Open the named.conf file using a text editor and set ns1 (with NAT address 1.1.1.2) as the primary (or master)
from which ns2 receives zone transfers in the named.conf file for the corp100.com zone:
    zone "corp100.com" in {
        type slave;
        masters { 1.1.1.2; };
        notify yes;
        file "/var/named/db.corp100.com";
    };
2. After editing the named.conf file, restart DNS service for the change to take effect.
Secondary Windows 2000/2003 Server
1. Click Start -> All Programs -> Administrative Tools -> DNS.
2. Click + (for ns2) -> + (for Forward Lookup Zones) -> corp100.com.
3. Right-click corp100.com, and then select Properties -> General.
4. On the General page in the corp100.com Properties dialog box, enter the following:
Zone file name: corp100.com.dns
IP address: Enter 1.1.1.2, and then click Add.
In the IP Address field, select 1.1.1.3 (the NAT IP address of the legacy DNS server), and then click Remove.
5. To save the configuration change and close the corp100.com Properties dialog box, click OK.
Configure NAT and Policies on the Firewall
Change the NAT and policy settings on the firewall to allow bidirectional DNS traffic to and from ns1.corp100.com and
NTP traffic from ns1.corp100.com to the NTP server at 3.3.3.3.
For example, enter the following commands on a Juniper firewall running ScreenOS 4.x or later:
set address dmz ns1 10.1.5.2/32
set address untrust ntp_server 3.3.3.3/32
set interface ethernet1 mip 1.1.1.2 host 10.1.5.2
set policy from dmz to untrust ns1 any dns permit
set policy from untrust to dmz any mip(1.1.1.2) dns permit
set policy from dmz to untrust ns1 ntp_server ntp permit
At this point, the new DNS server can take over DNS service from the legacy server. You can remove the legacy server
and unset any firewall policies permitting traffic to and from 10.1.5.3.
Deploying an Independent HA Pair
An independent HA (high availability) pair provides hardware redundancy for the source of your network identity
services. The two nodes that form an HA pair, identified as Node 1 and Node 2, are in an active/passive
configuration. The active node receives, processes, and responds to all service requests. The passive node constantly
keeps its database synchronized with that of the active node, so it can take over service if a failover occurs. (A failover
is basically the reversal of the active/passive roles of each node; that is, when a failover occurs, the previously active
node becomes passive and the previously passive node becomes active.) Events can trigger a failover or you can
deliberately force it to happen (see Forcing an HA Failover on page 263).
So that the two physical nodes can appear as a single entity on the network, they share a single VIP (virtual IP)
address and virtual MAC address. The VIP and virtual MAC addresses link to the HA port on each node. Whichever
node is currently active is the one whose HA port owns the VIP and virtual MAC addresses. If a failover occurs, these
addresses shift from the HA port of the previous active node to the HA port of the new active node (see Figure 8.6).
Figure 8.6 VIP Address and Virtual MAC Address and HA Failover
[Figure 8.6: two panels, "Infoblox HA Pair" and "After an HA Failover". Each shows Node 1 and Node 2 with their HA
ports, the bloxSYNC traffic over the encrypted VPN tunnel between the nodes, and the network clients. Callouts:]
The HA ports on each node of an HA pair share the VIP (virtual IP) address and virtual MAC address. Because Node 1 is
currently active, it owns these addresses.
The clients always make service requests to, and receive replies from, the VIP and virtual MAC address.
After an HA failover occurs, Node 2 becomes the active node. Because Node 2 is now active, it now owns the VIP address
and virtual MAC address.
The clients still make service requests to, and receive replies from, the same VIP and virtual MAC address.
The two nodes in an HA pair include a VRID (virtual router ID) in all VRRP advertisements and use it to recognize VRRP
advertisements intended just for themselves. Only another appliance on the same subnet configured to use the same
VRID responds to the announcements. The VRID must be a unique number between 1 and 255 for the subnet on
which the HA pair is located. (There is no default VRID number.) For more information, see RFC 3768, Virtual Router
Redundancy Protocol (VRRP), and also VRRP Advertisements on page 280.
Figure 8.7 VRRP Advertisements with a Unique VRID
To deploy an independent HA pair, you cable the HA and LAN (or LAN1) ports to the network and configure the IP
settings for these ports and the VIP address within the same subnet.
Note: On Infoblox-500, -1000, and -1200 appliances, the LAN port is labeled LAN. On Infoblox-550, -1050, -1550,
and -1552 appliances, use the port labeled LAN1. (The LAN2 port is reserved for future use.)
The default LAN settings are as follows:
IP address: 192.168.1.2
Netmask: 255.255.255.0
Gateway: 192.168.1.1
Infoblox provides two methods for configuring an HA pair:
Method 1 Using the Infoblox NIOS Startup Wizard
Requirements: HTTPS connections from your management system to the ethernet ports on the two
appliances
Advantage: The startup wizard provides step-by-step guidance for configuring the network settings of the
VIP address and HA and LAN (or LAN1) ports on both nodes, for setting the host name, admin password,
and system clock, and, if using NTP (Network Time Protocol), for enabling the HA pair as an NTP server.
Method 2 Using the GUI
Requirements: HTTPS connections from your management system to the ethernet ports on the two
appliances
Advantage: If you have logged in previously and disabled the startup wizard, you can still use the GUI to
configure an independent HA pair.
These methods are explained in the following subsections.
[Figure 8.7: Node 1 (Active) and Node 2 (Passive) cabled to a switch on the same subnet. Node 1 multicasts VRRP
advertisements from its HA port; the advertisements carrying VRID 10 match on Node 2. Callouts:]
After you finish configuring Node 1 of the HA pair to use VRID 10 (a number that is unique for this subnet), it starts
listening for VRRP advertisements with that VRID. When it does not receive any for three seconds, it becomes the
active node in the HA pair and begins multicasting VRRP advertisements with VRID 10 from its HA port.
Any device on that subnet that is not configured to listen for VRRP advertisements with VRID 10 drops the packet.
After you finish configuring Node 2 to join the HA pair, it initiates a connection with Node 1. The two appliances
establish a VPN tunnel between themselves, using the HA connection name and shared secret to authenticate each
other. Node 2 downloads the database from Node 1 and learns its VRID. Node 2 then begins listening for VRRP
advertisements on its HA port. When it receives an advertisement from Node 1, Node 2 recognizes it and becomes the
passive node.
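The VRID check from the VRRP paragraph above and the three-second election from the Figure 8.7 callouts, worked through in code. This is an added illustration, not Infoblox or NIOS code: it builds and parses RFC 3768 VRRPv2 advertisements from constructed packet bytes (VRID 10, VIP 10.1.4.10) and runs a minimal active/passive election; the HANode class, its method names and the omitted skew time are assumptions of the example.

```python
"""VRRPv2 (RFC 3768) advertisement handling and the active/passive election.
Added illustration, not NIOS code; all packets are constructed locally."""
import ipaddress
import struct

VRRP_VERSION = 2
ADVERT_TYPE = 1            # VRRP message type 1 = ADVERTISEMENT


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); a valid packet sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid: int, priority: int, vips, interval: int = 1) -> bytes:
    """Build a VRRPv2 advertisement with no authentication (auth type 0)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    addrs = b"".join(ipaddress.IPv4Address(v).packed for v in vips)
    auth_data = bytes(8)
    header = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | ADVERT_TYPE,
                         vrid, priority, len(vips), 0, interval, 0)
    csum = inet_checksum(header + addrs + auth_data)
    return header[:6] + struct.pack("!H", csum) + addrs + auth_data


def parse_advert(pkt: bytes) -> dict:
    """Validate and decode a VRRPv2 advertisement; raise ValueError if malformed."""
    if len(pkt) < 8:
        raise ValueError("short packet")
    vt, vrid, prio, count, auth_type, interval, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != ADVERT_TYPE:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) < 8 + 4 * count + 8:
        raise ValueError("truncated address list")
    if inet_checksum(pkt) != 0:
        raise ValueError("bad checksum")
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "interval": interval,
            "auth_type": auth_type, "vips": vips}


class HANode:
    """Minimal election: listen for advertisements carrying our VRID; if none arrive
    for 3 * advertisement interval (RFC 3768 Master_Down_Interval, skew time ignored)
    become active. 'now' values are seconds on a clock supplied by the caller."""

    def __init__(self, name: str, vrid: int, start: float, interval: int = 1):
        self.name = name
        self.vrid = vrid
        self.master_down_interval = 3 * interval        # three seconds at the default 1 s
        self.role = "listening"
        self.deadline = start + self.master_down_interval

    def receive(self, pkt: bytes, now: float) -> str:
        """Handle one multicast advertisement seen on the HA port."""
        try:
            adv = parse_advert(pkt)
        except ValueError as exc:
            return "dropped: %s" % exc
        if adv["vrid"] != self.vrid:
            return "dropped: VRID %d is not ours" % adv["vrid"]
        # A valid advertisement for our VRID means another node is active: stay passive
        self.deadline = now + self.master_down_interval
        if self.role != "active":
            self.role = "passive"
        return "accepted"

    def tick(self, now: float) -> str:
        """Call periodically; promotes the node when the master-down timer expires."""
        if self.role != "active" and now >= self.deadline:
            self.role = "active"
        return self.role


if __name__ == "__main__":
    node1 = HANode("Node 1", vrid=10, start=0.0)
    print("Node 1 at t=3.0:", node1.tick(3.0))           # no adverts seen: active
    advert = build_advert(10, 100, ["10.1.4.10"])
    node2 = HANode("Node 2", vrid=10, start=5.0)
    print("Node 2 receives Node 1 advert:", node2.receive(advert, 5.5), node2.role)
    print("Node 2 receives VRID 20 advert:", node2.receive(build_advert(20, 100, ["10.1.4.20"]), 6.0))
    print("Node 2 at t=8.5 with no further adverts:", node2.tick(8.5))   # failover
```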
Method 1 Using the Infoblox NIOS Startup Wizard
When you first make an HTTPS connection to the NIOS appliance, the Infoblox NIOS Startup Wizard appears. To ease
the initial configuration process, the wizard guides you through various deployment options, basic network settings,
and opportunities for changing the password of the superuser admin and for setting the system clock.
Configuring the Connecting Switch
To ensure that VRRP (Virtual Router Redundancy Protocol) works properly, configure the following settings on the
network switch to which you cable the two nodes:
Portfast: enable
Trunking: disable
Port list: disable
Port channeling: disable
Note: By default, a NIOS appliance automatically negotiates the optimal connection speed and transmission type
(full or half duplex) on the physical links between its LAN (or LAN1), HA, and MGMT ports and the ethernet
ports on the connecting switch. If the two appliances fail to auto-negotiate the optimal settings, see Modifying
Ethernet Port Settings on page 135 for steps you can take to resolve the problem.
Putting Both Nodes on the Network
1. Use one of the methods described in Deploying a Single Independent Appliance on page 233 to configure the
network settings of the LAN or LAN1 port of each node so that they are on the same subnet and you can reach
them across the network.
2. Cable the LAN (or LAN1) port and the HA port on each node to the network switch.
Note: The ethernet ports on the Infoblox-550, -1050, -1550, and -1552 appliances are autosensing, so you can
use either a straight-through or cross-over ethernet cable for these connections. For the Infoblox-500,
-1000, and -1200 appliances, use straight-through ethernet cables to connect an appliance to a switch.
3. Cable your management system to the network switch.
Configuring Node 1
1. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port of Node 1.
Several certificate warnings appear during the login process. This is normal because the preloaded certificate is
self-signed (and, therefore, is not in the trusted certificate stores in your browser, Java application, and Java
Web Start application) and has the hostname www.infoblox.com, which does not match the destination IP
address you entered in step 1. To stop the warning messages from occurring each time you log in to the GUI, you
can generate a new self-signed certificate or import a third-party certificate with a common name that matches
the FQDN (fully qualified domain name) of the appliance. This is a very simple process. For information about
certificates, see Managing Certificates on page 48.
2. Click LAUNCH DEVICE MANAGER.
3. Log in to Node 1. For detailed information about logging in to the GUI, see Accessing the Infoblox GUI on page 38.
The Infoblox NIOS Startup Wizard appears. The first screen provides basic information about the wizard, and the
second screen displays license agreement information.
4. Beginning on the third screen, enter the following, where
string1 is a text string that the two nodes use to authenticate each other when establishing a VPN tunnel for
ensuing bloxSYNC traffic. (The default grid name is Infoblox.)
string2 is a text string that both nodes use as a shared secret to authenticate each other when establishing
a VPN tunnel for ensuing bloxSYNC traffic. (The default shared secret is test.)
vip_addr and netmask are the VIP (virtual IP) address and its netmask.
ip_addr1 is the IP address of the gateway for the subnet on which the LAN or LAN1 port is set.
hostname is a valid domain name for the appliance.
ip_addr2-5 are the IP addresses of the LAN and HA ports for Nodes 1 and 2.
number is the VRID (virtual router ID). This must be a unique VRID number (from 1 to 255) for this subnet.
string3 is a single alphanumeric string (no spaces) for a password that is at least four characters long.
ip_addr6 is the IP address of an NTP (Network Time Protocol) server.
Note: The startup wizard provides options such as not changing the default password and manually entering the
time and date. However, changing the password and using an NTP server improve security and accuracy
(respectively), and so these choices are presented above.
The last screen of the startup wizard states that the changed settings require the appliance to restart. When you
click Finish, the appliance restarts.
Wizard Screen                        Enter or Select
Deployment Type                      Independent Device or HA Pair
Independent Device Deployment Type   HA Node 1
HA Pair Settings                     HA Pair Name: string1
                                     Shared Secret: string2
Node 1 Network Settings              VIP Address: vip_addr
                                     Netmask: netmask
                                     Gateway: ip_addr1
                                     Host Name: hostname
                                     Node 1: LAN/LAN1 Address: ip_addr2
                                             HA Address: ip_addr3
                                     Node 2: LAN/LAN1 Address: ip_addr4
                                             HA Address: ip_addr5
                                     Virtual Router ID: number
Admin Account Password               Change Admin Password: (select), string3
Time Settings                        Enable NTP: (select)
                                     NTP Server List: ip_addr6 (click Add)
                                     Time zone: (choose the time zone for the location of the appliance)
Configuring Node 2
1. Open a new browser instance and make an HTTPS connection to the IP address of the LAN or LAN1 port of Node 2.
2. The Infoblox NIOS Startup Wizard opens with a splash screen that provides basic information about the wizard,
and then displays license agreement information. Beginning on the third wizard screen, enter the following to set
up Node 2 (the variables are explained in the previous section for Node 1):
The setup of the HA pair is complete. When you next make an HTTPS connection to the HA pair, use the VIP address.
Method 2 Using the GUI
To deploy an independent HA pair through the GUI, you need to make an HTTPS connection to each appliance and
then bypass the startup wizard. (The following procedure assumes that the appliance has the DNSone package
installed.)
Configuring the Connecting Switch
To ensure that VRRP (Virtual Router Redundancy Protocol) works properly, configure the following settings on the
network switch to which you cable the two nodes:
Portfast: enable
Trunking: disable
Port list: disable
Port channeling: disable
Note: By default, a NIOS appliance automatically negotiates the optimal connection speed and transmission type
(full or half duplex) on the physical links between its LAN (or LAN1), HA, and MGMT ports and the ethernet
ports on the connecting switch. If the two appliances fail to auto-negotiate the optimal settings, see Modifying
Ethernet Port Settings on page 135 for steps you can take to resolve the problem.
Putting Both Nodes on the Network
1. Use one of the methods described in Deploying a Single Independent Appliance on page 233 to configure the
network settings of the LAN or LAN1 port of each node so that they are on the same subnet and you can reach
them across the network.
2. Cable the LAN (or LAN1) port and the HA port on each node to a switch on the network.
Note: The ethernet ports on a NIOS appliance are autosensing, so you can use either a straight-through or
cross-over ethernet cable for these connections. For the Infoblox-500, -1000, and -1200 appliances, use
straight-through ethernet cables to connect an appliance to a switch.
3. Connect your management system to the network.
Node 2 Startup Wizard Settings (Method 1, Configuring Node 2)
Wizard Screen                        Enter or Select
Deployment Type                      Independent Device or HA Pair
Independent Device Deployment Type   HA Node 2
Node 2 Network Settings              IP Address: ip_addr4
                                     Netmask: netmask
                                     Gateway: ip_addr1
HA Pair Properties                   Virtual IP Address: vip_addr
                                     HA Pair Name: string1
                                     Shared Secret: string2
Configuring Node 1
1. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port of Node 1.
2. Click LAUNCH DEVICE MANAGER.
3. Log in to Node 1. For detailed information about logging in to the GUI, see Accessing the Infoblox GUI on page 38.
The Infoblox NIOS Startup Wizard appears.
4. To bypass the wizard and access the Device Manager GUI, click Cancel or the Close button (X).
5. From the Device perspective, click hostname -> Edit -> Device Properties.
Note: (For the DNSone with Keystone package) From the Grid perspective, click + (for Infoblox) -> + (for Members)
-> hostname -> Edit -> Member Properties.
6. In the Device editor, click Device Properties, and then enter the following network settings:
Host Name: Type the FQDN (fully qualified domain name) for the HA pair.
(V)IP Address: Type the VIP (virtual IP) address for the HA pair.
Subnet Mask: Choose the netmask for the subnet to which the VIP address connects.
Gateway: Type the IP address of the default gateway of the subnet to which the VIP address connects.
Comment: Type a comment that provides some useful information about the HA pair, such as its location.
High-availability Pair: (select)
Virtual Router ID: Enter a unique VRID number (from 1 to 255) for the local subnet.
Note: The VIP address and the IP addresses for all the following ports must be in the same subnet.
Node #1:
LAN Address: Enter an IP address for the LAN (or LAN1) port of Node 1.
HA Address: Enter an IP address for the HA port of Node 1.
Node #2:
LAN Address: Enter an IP address for the LAN (or LAN1) port of Node 2.
HA Address: Enter an IP address for the HA port of Node 2.
7. In the Device editor, click High Availability Connection, and then enter the following settings:
Name: Type a name for the HA pair. (The default name is Infoblox.)
Shared Secret: Type the shared secret that both nodes use to authenticate each other when establishing a
VPN tunnel for ensuing bloxSYNC traffic. (The default shared secret is test.)
Retype Shared Secret: Retype the shared secret you entered in the Shared Secret field.
VPN Port Number: Leave as the default number (1194), or enter a different number for the two nodes to use
when building a VPN tunnel between themselves.
8. Click Save.
The management window closes.
Configuring Node 2
1. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port of Node 2.
2. Click LAUNCH DEVICE MANAGER.
3. Log in to Node 2.
The Infoblox NIOS Startup Wizard appears.
4. To bypass the wizard, click Cancel or the Close button (X).
5. From the Device perspective, click hostname -> Edit -> Join HA Pair.
Note: For the DNSone with Keystone package, from the Grid perspective, click + (for Infoblox) -> + (for Members)
-> hostname -> Edit -> Join Grid.
6. In the Join HA Pair dialog box, enter the following network settings:
Virtual IP of HA Pair: Type the VIP (virtual IP) address for the HA pair.
HA Connection Name: Type the same text string that you typed in the Name field in the High Availability
Connection section of the Device editor on Node 1. The default HA connection name is Infoblox.
Shared Secret: Type the shared secret that both nodes use to authenticate each other when establishing a
VPN tunnel for ensuing bloxSYNC traffic. The default shared secret is test.
Retype Shared Secret: Retype the shared secret you entered in the Shared Secret field.
VPN Port Number: Leave as the default number (1194), or enter a different number for the two nodes to use
when building a VPN tunnel between themselves.
7. Click Save.
The management window closes.
Configuration Example: Configuring an HA Pair for Internal DNS
and DHCP
In this example, you set up an HA pair of NIOS appliances to provide internal DNS and DHCP services. The HA pair
answers internal queries for all hosts in its domain (corp100.com). It forwards internal queries for external sites to
ns1.corp100.com at 10.1.5.2 and ns2.corp100.com at 2.2.2.2. It also uses DHCP to provide dynamic and fixed
addresses.
The HA pair consists of two appliances (nodes). The VIP (virtual IP) address of the HA pair and the IP addresses of the
HA and LAN1 ports on each node are as follows:
HA Pair IP Addresses
VIP: 10.1.4.10 (the address that the active node of the HA pair uses)
Node 1: LAN1 10.1.4.6, HA 10.1.4.7
Node 2: LAN1 10.1.4.8, HA 10.1.4.9
The virtual router ID number for the HA pair is 150. The ID number must be unique for this network segment.
When you create the corp100.com zone on the HA pair, you import DNS data from the legacy server at 10.1.4.11.
Cable Appliances to the Network and Turn On Power
Connect ethernet cables from the LAN1 and HA ports on both NIOS appliances to a switch in the Server network and
turn on the power for both appliances. For information about installing and cabling the appliance, refer to the user
guide or installation guide that ships with the product.
Figure 8.8 Example 2 Network Diagram
An HA pair of NIOS appliances provides internal DNS services. It answers internal queries for all hosts in its
domain. It forwards internal queries for external sites to ns1 and ns2. It also serves DHCP, providing both
dynamic and fixed addresses. For information on configuring the NIOS appliance external primary DNS server,
see Configuration Example: Deploying a NIOS Appliance for External DNS on page 238.
[Figure 8.8 contents, as labeled in the diagram:]
Networks: MGT Network; Dev Network; 10.1.1.0/24 (address range 10.1.1.10 - 10.1.1.50; printer1 10.1.1.2, MAC aa:aa:aa);
10.1.2.0/24 (address range 10.1.2.10 - 10.1.2.50; printer2 10.1.2.2, MAC bb:bb:bb).
Router/firewall interfaces: ethernet0 10.1.6.1/24, ethernet1 10.1.1.1/24, ethernet2 10.1.2.1/24 (DHCP relay agent on
the e2 interface), ethernet4 10.1.4.1/24; Firewall: ethernet1 1.1.1.1/24, ethernet2 10.1.5.1/24, ethernet3 10.1.6.2/24.
DMZ Network 10.1.5.0/24: External Primary DNS Server ns1 10.1.5.2; www 10.1.5.5 (55:55:55:55); mail 10.1.5.6
(66:66:66:66); ftp 10.1.5.7 (77:77:77:77).
Internet / ISP: External Secondary DNS Server ns2 2.2.2.2.
Server Network 10.1.4.0/24: HA Pair Internal Primary DNS Server, DHCP, IPAM, ns3 VIP 10.1.4.10; storage1 10.1.4.2
(dd:dd:dd:dd); storage2 10.1.4.3 (ee:ee:ee:ee); proxyweb 10.1.4.5 (11:11:11:11); proxymail 10.1.4.f (ff:ff:ff:ff)
(address as printed in the source); Legacy Primary DNS Server ns3 10.1.4.11 (replaced by the HA pair).
NOTE: The first six hexadecimal characters of all MAC addresses in the example are 00:00:00:00. Only the last six
hexadecimal characters are shown here.
Specify Initial Network Settings
Before you can configure the appliances through the GUI, you must be able to make a network connection to them.
The default network settings of the LAN1 port are 192.168.1.2/24 with a gateway at 192.168.1.1 (the HA and MGMT
ports do not have default network settings). To change these settings, you can use the LCD or make a console
connection to each appliance.
Node 1
Using the LCD or console port on one of the appliances, enter the following information:
IP Address: 10.1.4.6 (for the LAN1 port)
Netmask: 255.255.255.0
Gateway: 10.1.4.1
Node 2
Using the LCD or console port on the other appliance, enter the following information:
IP Address: 10.1.4.8 (for the LAN1 port)
Netmask: 255.255.255.0
Gateway: 10.1.4.1
After you confirm your network settings, the Infoblox GUI application automatically restarts.
Specify Appliance Settings
When you make the initial HTTPS connection to a NIOS appliance, you see the Infoblox Appliance Startup Wizard,
which guides you through the basic deployment of the appliance on your network. To set up an HA pair, you must
connect to and configure each appliance individually.
Node 1
1. Open a browser window and connect to https://10.1.4.6.
Note: For details about making an HTTPS connection to a NIOS appliance, see Specify Appliance Settings on
page 240.
2. Log in using the default user name and password admin and infoblox.
Note: User names and passwords are case-sensitive.
3. The Infoblox Appliance Startup Wizard opens with a splash screen that provides basic information about the
wizard, and then displays license agreement information. Beginning on the third wizard screen, enter or select
the following to set up node 1 of the HA pair:
Wizard Screen          Enter
Deployment type        Stand alone
Node type              First HA node
Grid information       Grid Name: Infoblox
                       Shared Secret: 37eeT1d
                       (Note: The nodes use the shared secret to form an encrypted VPN tunnel between
                       themselves. They synchronize the shared database through this tunnel.)
Node information       Virtual IP: 10.1.4.10
                       Subnet Mask: 255.255.255.0
                       Gateway: 10.1.4.1
                       Host Name: ns3.corp100.com
                       Node 1: LAN1 Address: 10.1.4.6
                               HA Address: 10.1.4.7
                       Node 2: LAN1 Address: 10.1.4.8
                               HA Address: 10.1.4.9
                       Virtual Router ID: 150
Default password       New admin password: SnD34n534
Time settings          Enable NTP: Select check box.
                       IP address: 3.3.3.3
                       Time zone: (GMT-08:00) Pacific Time (US and Canada), Tijuana
The last screen of the wizard states that the changed settings require the application to restart. When you click
Finish, the Infoblox GUI application restarts.
Node 2
1. In the JWS (Java Web Start) login window, type 10.1.4.8 in the Hostname field.
When you enter the IP address, JWS queries the appliance at that address, checking for a login banner. The
following default Infoblox banner appears above the Hostname field: Restricted Access Login Required.
2. Log in using the default user name and password admin and infoblox.
Note: User names and passwords are case-sensitive.
3. The Infoblox Appliance Startup Wizard opens with a splash screen that provides basic information about the
wizard, and then displays license agreement information. Beginning on the third wizard screen, enter or select
the following to set up node 2 of the HA pair:
Wizard Screen          Enter or Select
Deployment type        Stand alone
Node type              Second HA node
Node information       IP Address: 10.1.4.8
                       Subnet Mask: 255.255.255.0
                       Gateway: 10.1.4.1
Node provisioning      Masters Virtual IP: 10.1.4.10
                       Grid Name: Infoblox
                       Shared Secret: 37eeT1d
On the last screen of the wizard, click Finish. The Infoblox GUI application terminates.
The setup of the HA pair is complete. From now on, when you make an HTTPS connection to the HA pair, use the VIP
address 10.1.4.10.
Enable Zone Transfers on the Legacy Name Server
To allow the NIOS appliance to import zone data from the legacy server at 10.1.4.11, you must configure the legacy
server to allow zone transfers to the appliance at 10.1.4.10.
Legacy BIND Server
1. Open the named.conf file using a text editor and change the allow-transfer statement to allow zone transfers to
the appliance at 10.1.4.10. For a sample of the required changes to the named.conf file, see Legacy BIND Server
on page 241.
2. After editing the named.conf file, restart DNS service for the change to take effect.
Legacy Windows 2000/2003 Server
Navigate to the corp100.com Properties dialog box, and add 10.1.4.10 to the list of IP addresses to which you want
to allow zone transfers. For more detailed navigation and configuration instructions, see Legacy Windows 2000/2003
Server on page 242.
Import Zone Data
You can import zone data from a legacy server or manually enter it. When you import both forward- and
reverse-mapping zone data, the NIOS appliance automatically creates Infoblox host records if corresponding A and
PTR records are present. You can then modify the host records to add MAC addresses. However, if you only import
forward-mapping zone data, the NIOS appliance cannot create host records from just the A records. In that case,
because you cannot later convert A records to host records, it is more efficient to create the corp100.com zone, and
define host records manually.
Infoblox host records are data models that represent IP devices within the Infoblox semantic database. The NIOS
appliance uses a host object to define A, PTR, and CNAME resource records in a single object as well as a DHCP fixed
address if you include a MAC address in the host object definition. The host object prevents costly errors because
you only maintain a single object for multiple DNS records and a DHCP fixed address. Therefore, it is advantageous
to use host records instead of separate A, PTR, and CNAME records.
Note: If you only have forward-mapping zones defined on your legacy servers and you want to add reverse-mapping
zones and automatically create host records in the imported forward-mapping zones and reverse host records
in corresponding reverse-mapping zones, create the reverse-mapping zones and then import the
forward-mapping zones data. The NIOS appliance automatically converts the imported A records to host
records in the forward-mapping zones and creates the necessary reverse host records in the reverse-mapping
zones.
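The pairing rule described above (a host record only where a matching A and PTR record both exist) and the Note's conversion of A records when the reverse-mapping zone already exists, as an added illustration that is not Infoblox code and does not reproduce the appliance's import logic. The zone records and MAC address are constructed sample data; build_host_records, HostRecord and the reverse_zones parameter are assumptions of the example. Records whose PTR points at a different name are left as plain A records and reported for review, a consistency check worth running on any legacy zone before migrating it.

```python
"""Pair imported A and PTR records into host records (added illustration, not NIOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class HostRecord:
    """One Infoblox-style host object: A + PTR kept as a single object, plus a DHCP
    fixed address when a MAC address is known for the host."""
    name: str
    ip: str
    mac: Optional[str] = None
    generated_ptr: bool = False    # True when the PTR was created, not imported


def ptr_owner_to_ip(owner: str) -> str:
    """'2.4.1.10.in-addr.arpa.' -> '10.1.4.2'; rejects anything that is not a full IPv4 PTR name."""
    labels = owner.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError("not a full IPv4 PTR owner name: %s" % owner)
    ip = ".".join(reversed(labels[:4]))
    ipaddress.IPv4Address(ip)      # validates each octet
    return ip


def in_reverse_zone(ip: str, reverse_zones: Sequence[str]) -> bool:
    """True if ip lies inside one of the reverse-mapping zones that already exist."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in ipaddress.IPv4Network(z) for z in reverse_zones)


def build_host_records(a_records, ptr_records, reverse_zones=(), macs=None):
    """Return (hosts, plain_a_records, mismatches).
    a_records: (owner_fqdn, ip) pairs from the forward zone.
    ptr_records: (ptr_owner, target_fqdn) pairs from the reverse zone.
    reverse_zones: networks such as '10.1.0.0/16' whose reverse zones exist (see the Note).
    macs: optional fqdn -> MAC map; a known MAC turns the host into a DHCP fixed address."""
    macs = macs or {}
    ptr_by_ip: Dict[str, str] = {}
    for owner, target in ptr_records:
        ptr_by_ip[ptr_owner_to_ip(owner)] = target.rstrip(".").lower()
    hosts: List[HostRecord] = []
    plain_a: List[Tuple[str, str]] = []
    mismatches: List[Tuple[str, str, str]] = []
    for owner, ip in a_records:
        name = owner.rstrip(".").lower()
        target = ptr_by_ip.get(ip)
        if target == name:                       # A and PTR agree: one host object
            hosts.append(HostRecord(name, ip, macs.get(name)))
        elif target is not None:                 # PTR exists but names another host
            mismatches.append((name, ip, target))
            plain_a.append((name, ip))
        elif in_reverse_zone(ip, reverse_zones): # no PTR, but the reverse zone exists
            hosts.append(HostRecord(name, ip, macs.get(name), generated_ptr=True))
        else:                                    # A-only, nowhere to put a PTR: stays an A record
            plain_a.append((name, ip))
    return hosts, plain_a, mismatches


# Constructed sample data loosely following the Figure 8.8 addressing; not real zone files.
SAMPLE_A = [
    ("storage1.corp100.com.", "10.1.4.2"),
    ("storage2.corp100.com.", "10.1.4.3"),
    ("proxyweb.corp100.com.", "10.1.4.5"),
    ("printer1.corp100.com.", "10.1.1.2"),
    ("partner.corp100.com.", "192.0.2.10"),
]
SAMPLE_PTR = [
    ("2.4.1.10.in-addr.arpa.", "storage1.corp100.com."),
    ("3.4.1.10.in-addr.arpa.", "storage-old.corp100.com."),  # stale PTR, does not match the A record
    ("5.4.1.10.in-addr.arpa.", "PROXYWEB.corp100.com."),     # differs only in case
]
SAMPLE_MACS = {"storage1.corp100.com": "00:00:dd:dd:dd:dd"}  # constructed MAC


if __name__ == "__main__":
    hosts, plain_a, mismatches = build_host_records(SAMPLE_A, SAMPLE_PTR, ["10.1.0.0/16"], SAMPLE_MACS)
    for host in hosts:
        print("host record:", host)
    print("left as A records:", plain_a)
    print("A/PTR mismatches to review before migrating:", mismatches)
```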
You also have the option of using the Data Import Wizard for loading DNS and DHCP configurations and data. For large
data sets, this option is an efficient approach. To download the Data Import Wizard, visit www.infoblox.com/support,
log in with your support account, and then click the Data Import Wizard hyperlink in the DNSone section.
In this example, when you create the corp100.com forward-mapping zone, you import zone data for the existing
corp100.com zone from the legacy server at 10.1.4.11. When you create the 1.10.in-addr.arpa reverse-mapping
zone, you also import the zone records for the existing 1.10.in-addr.arpa zone from the legacy server. After the
appliance has both the forward- and reverse-mapping zone data, it converts the A and PTR records to Infoblox host
records.
1. Open a browser window, and log in to the HA pair at https://10.1.4.10, using the user name admin and the
password SnD34n534.
2. To check that the HA pair is set up and functioning properly, from the Device perspective, click ns3.corp100.com
and check that the status indicators are all green.
3. Click DNS to open the DNS perspective, and then click Infoblox Views -> + (for Infoblox Views) -> + (for default) ->
Forward Mapping Zones -> Edit -> Add Forward Mapping Zone -> Authoritative.
4. In the Authoritative Zone Properties section of the Add Forward Authoritative Zone editor, enter the following:
Name: corp100.com
Comment: Internal DNS zone
5. In the Primary Server Assignment section, click Select Member to open the Select Grid Member dialog box.
6. Select ns3.corp100.com, and then click OK to close the dialog box.
7. Click the Save icon.
8. In the Infoblox Views panel of the DNS perspective, click + (for Forward Mapping Zones) -> corp100.com -> Edit ->
Authoritative Zone Properties.
9. In the Forward Authoritative Zone editor, click Settings and enter the following:
E-mail address: admin@corp100.com
Import zone from: Select this check box, and enter 10.1.4.11 in the adjacent text field.
10. Click the Save icon.
11. After successfully importing the zone data, click corp100.com in the Infoblox Views panel.
You can see all the imported forward-mapping zone data in the Records panel. Because you have not yet
imported the reverse-mapping zone data, most of the records appear as A records.
12. From the DNS perspective, click Infoblox Views -> + (for Infoblox Views) -> + (for default) -> Reverse Mapping
Zones -> Edit -> Add Reverse Mapping Zone -> Authoritative.
13. In the Authoritative Zone Properties section of the Add Reverse Authoritative Zone editor, enter the following:
Network Address: 10.1.0.0
Subnet Mask: 255.255.0.0
Comment: Internal DNS zone
14. In the Primary Server Assignment section, click Select Member to open the Select Grid Member dialog box.
15. Select ns3.corp100.com, and then click OK to close the dialog box.
16. Click the Save icon.
17. In the Infoblox Views panel of the DNS perspective, click + (for Reverse Mapping Zones) -> 1.1.1.in-addr.arpa ->
Edit -> Authoritative Zone Properties.
18. In the Authoritative Reverse Zone editor, click Settings and enter the following:
E-mail address: admin@corp100.com
Import zone from: Select this check box, and enter 10.1.4.11 in the adjacent text field.
19. Click the Save and Restart Services icons.
20. Click 1.1.1.in-addr.arpa -> View -> Records.
You can see all the imported reverse-mapping zone data in the Records panel.
21. Click corp100.com in the Infoblox Views panel.
Because you have now imported both the forward- and reverse-mapping zone data, most of the records appear
as host records.
22. Finally, you must remove the ns1 host record for the legacy server (value 10.1.4.11). To remove it, select ns3, and
then click Edit -> Remove.
Configuration Example: Configuring an HA Pair for Internal DNS and DHCP
NIOS 4.3r1 Infoblox Administrator Guide (Rev. A) 257
Define Networks, Reverse-Mapping Zones, DHCP Ranges, and Infoblox Hosts
In this task, you enter data manually because the configuration is fairly simple. For large data sets, you have the
option of using the Data Import Wizard for loading DNS and DHCP configurations and data to make the process more
efficient. To download the Data Import Wizard, visit www.infoblox.com/support, log in with your support account, and
then click the Data Import Wizard hyperlink in the DNSone section.
Networks
You can create all the subnetworks individually (which in this example are 10.1.1.0/24, 10.1.2.0/24, 10.1.4.0/24,
and 10.1.5.0/24), or you can create a parent network (10.1.0.0/16) that encompasses all the subnetworks and then
use the Infoblox split network feature to create the individual subnetworks automatically. The split network feature
accomplishes this by using the IP addresses that exist in the forward-mapping zones to determine which subnets it
needs to create. This example uses the split network feature. For information about creating networks, see
Configuring a DHCP Network on page 461.
1. From the DHCP and IPAM perspective, click Networks -> Edit -> Add Network -> Network.
2. In the Network Properties section of the Add Configure Network editor, enter the following:
Network Address: 10.1.0.0
Netmask: /16 (255.255.0.0)
3. Click Member Assignment -> Add to open the Select Grid Members dialog box.
4. Select ns3.corp100.com, and then click OK to close the dialog box.
5. Click the Save icon.
6. Click + (for Networks) -> 10.1.0.0/16 -> Edit -> Split Network.
Subnetworks: Move the slider to 24.
Immediately add only networks with ranges and fixed addresses: Select this check box.
The appliance immediately creates the following 24-bit subnets for the imported Infoblox hosts:
10.1.1.0/24
10.1.2.0/24
10.1.4.0/24
10.1.5.0/24
7. Click + (for Networks) -> + (for 10.1.0.0/16) -> 10.1.1.0/24 -> Edit -> Network Properties.
8. In the Configure Network editor, enter information in the following sections:
Network Properties
Comment: MGT
Member Assignment
Members: ns3.corp100.com
9. Click the Save icon.
10. To modify the other networks, repeat steps 8 through 10 for each network and use the following information:
10.1.2.0/24 Network:
Comment: Dev
Members: ns3.corp100.com
10.1.4.0/24 Network:
Comment: Server
Members: ns3.corp100.com
10.1.5.0/24 Network:
Comment: DMZ
Members: ns3.corp100.com
Reverse-Mapping Zones
When you create a network, the appliance automatically creates a corresponding reverse-mapping zone and
reparents the relevant resource records from the parent zone (10.1.0.0/16) to that zone. To enable DNS service for
the new zone, you need to assign ns3.corp100.com as the primary DNS server for each zone. In this example, the
appliance creates four reverse-mapping zones. You must modify each zone by assigning ns3.corp100.com as its
primary DNS server.
1. From the DNS perspective, click Infoblox Views -> + (for Infoblox Views) -> + (for default) -> + (for Reverse Mapping
Zones) -> + (for 1.10.in-addr.arpa) -> 1.1.10.in-addr.arpa -> Edit -> Authoritative Zone Properties.
2. In the Primary Server Assignment section, click Select Member to open the Select Grid Member dialog box.
3. Select ns3.corp100.com, and then click OK to close the dialog box.
4. Click the Save icon.
5. Repeat steps 1 through 4 for the 2.1.10.in-addr.arpa, 4.1.10.in-addr.arpa, and 5.1.10.in-addr.arpa reverse-mapping
zones.
DHCP Ranges
1. From the DHCP and IPAM Perspective, select Networks -> + (for Networks) -> + (for 10.1.0.0/16) -> 10.1.1.0/24 ->
Edit -> Add DHCP Range.
2. In the DHCP Range section, enter the following:
Start Address: 10.1.1.10
End Address: 10.1.1.50
3. In the Member Assignment section, select ns3.corp100.com from the Grid Member drop-down list.
4. Click the Save icon.
5. From the DHCP and IPAM Perspective, select Networks -> + (for Networks) -> + (for 10.1.0.0/16) -> 10.1.2.0/24 ->
Edit -> Add DHCP Range.
6. In the DHCP Range section, enter the following:
Start Address: 10.1.2.10
End Address: 10.1.2.100
7. In the Member Assignment section, select ns3.corp100.com from the Grid Member drop-down list.
8. Click the Save icon.
Infoblox Hosts
Defining both a MAC and IP address for an Infoblox host definition creates a DHCP host entry, like a fixed address,
that you can manage through the host object. To add a MAC address to each host record that the appliance created
when you imported forward- and reverse-mapping zone records, you must first delete the IP address for that host,
and then add the same IP address together with the MAC address.
1. From the DNS perspective, click Infoblox Views -> + (for Infoblox Views) -> + (for default) -> + (for Forward Mapping
Zones) -> + (for corp100.com).
2. Double-click 10.1.1.2 to open the Host editor.
3. In the Host Record Properties section, select 10.1.1.2, and then click Remove.
4. Click Add next to the IP Address field to open the Host Address dialog box.
5. Enter the following, and then click OK to close the dialog box:
IP Address: 10.1.1.2
MAC Address: 00:00:00:aa:aa:aa
6. Click the Save icon.
7. Follow steps 1 through 6 to modify hosts with the following information:
printer2
IP Address: 10.1.2.2
MAC Address: 00:00:00:bb:bb:bb
storage1
IP Address: 10.1.4.2
MAC Address: 00:00:00:dd:dd:dd
storage2
IP Address: 10.1.4.3
MAC Address: 00:00:00:ee:ee:ee
proxymail
IP Address: 10.1.4.4
MAC Address: 00:00:00:ff:ff:ff
proxyweb
IP Address: 10.1.4.5
MAC Address: 00:00:00:11:11:11
www
IP Address: 10.1.5.5
MAC Address: 00:00:00:55:55:55
mail
IP Address: 10.1.5.6
MAC Address: 00:00:00:66:66:66
ftp
IP Address: 10.1.5.7
MAC Address: 00:00:00:77:77:77
Define Multiple Forwarders
Because ns3.corp100.com is an internal DNS server, you configure it to forward DNS queries for external DNS name
resolution to the primary and secondary DNS servers: ns1.corp100.com at 10.1.5.2 and ns2.corp100.com at
2.2.2.2.
1. From the DNS perspective, click DNS Members -> Infoblox -> Edit -> Grid DNS Properties.
2. In the Grid DNS Properties editor, click Forwarders, and then enter the following:
IP Address: Type 2.2.2.2, and then click Add.
IP Address: Type 10.1.5.2, and then click Add.
Use Forwarders Only: Clear the check box.
3. Click the Save icon.
The NIOS appliance initially sends outbound queries to forwarders in the order that they appear in the Forwarders
list, starting from the top of the list. If the first forwarder does not reply, the appliance tries the second one. The
appliance keeps track of the response time of both forwarders and uses the quicker one for future queries. If the
quicker forwarder does not respond, the appliance then uses the other one.
Enable Recursion on External DNS Servers
Because the HA pair forwards outbound queries to the two external DNS servers ns1.corp100.com (10.1.5.2) and
ns2.corp100.com (2.2.2.2) for resolution, you must enable recursion on those servers. When a DNS server employs
recursion, it queries other DNS servers for a domain name until it either receives the requested data or an error that
the requested data cannot be found. It then reports the result back to the server that queried it; in this case, the
internal DNS server ns3.corp100.com (10.1.4.10), which in turn reports back to the DNS client.
Infoblox Server in the DMZ Network (ns1.corp100.com, 10.1.5.2)
1. Log in to ns1.corp100.com at 10.1.5.2.
2. From the DNS perspective, click DNS Members -> Infoblox -> Edit -> Grid DNS Properties.
3. In the Grid DNS Properties editor, click Queries, and then select the Allow Recursion check box.
4. Click the Save icon.
BIND Server at ISP Site (ns2.corp100.com, 2.2.2.2)
1. Open the named.conf file using a text editor and change the recursion and allow-recursion statements to allow
recursive queries from 1.1.1.8 (the NAT address of ns3).
options {
    zone-statistics yes;
    directory "/var/named/named_conf";
    version " ";
    recursion yes;
    listen-on { 127.0.0.1; 2.2.2.2; };
    allow-recursion { 1.1.1.8; };
    transfer-format many-answers;
};
2. After editing the named.conf file, restart DNS service for the change to take effect.
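The following is an added example, not part of the guide, that parses a BIND options block like the one above and checks that recursion is enabled and that allow-recursion admits only the intended client (here ns3's NAT address 1.1.1.8), flagging any or a prefix wider than intended. The sample configuration is constructed from the fragment above.

```python
import ipaddress
import re

# Constructed named.conf fragment, modelled on the ISP-site BIND configuration in
# this guide (ns2.corp100.com allowing recursion only from ns3's NAT address).
NAMED_CONF = """\
options {
    zone-statistics yes;
    directory "/var/named/named_conf";
    version " ";
    recursion yes;
    listen-on { 127.0.0.1; 2.2.2.2; };
    allow-recursion { 1.1.1.8; };
    transfer-format many-answers;
};
"""

# One statement: a keyword followed by a brace list, a quoted string, or a bare value.
STATEMENT_RE = re.compile(r'([\w-]+)\s+(\{[^}]*\}|"[^"]*"|[^;]+);')


def parse_options(conf):
    """Return the simple statements of the options {} block as a dict.
    Brace-delimited values (listen-on, allow-recursion) become lists of strings."""
    block = re.search(r"options\s*\{(.*?)\n\};", conf, re.S)
    if block is None:
        raise ValueError("no options block found")
    opts = {}
    for key, value in STATEMENT_RE.findall(block.group(1)):
        value = value.strip()
        if value.startswith("{"):
            opts[key] = [v.strip() for v in value.strip("{}").split(";") if v.strip()]
        else:
            opts[key] = value.strip('"')
    return opts


def check_recursion_acl(conf, intended_clients):
    """Findings about recursion settings versus the intended recursive clients.
    An empty list means recursion is on and allow-recursion admits exactly the
    intended addresses and nothing wider (such as 'any' or a broad prefix)."""
    opts = parse_options(conf)
    findings = []
    if opts.get("recursion") != "yes":
        findings.append("recursion is not enabled")
    acl = opts.get("allow-recursion")
    if acl is None:
        findings.append("allow-recursion is absent; BIND's version-dependent default applies")
        return findings
    expected = [ipaddress.ip_network(c) for c in intended_clients]
    covered = set()
    for entry in acl:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # 'any', 'localnets', named ACLs or negations: not a plain address.
            findings.append(f"ACL element {entry!r} is not an address; review whether it widens recursion")
            continue
        same_family = [e for e in expected if e.version == net.version]
        covered.update(e for e in same_family if e.subnet_of(net))
        if not any(net.subnet_of(e) for e in same_family):
            findings.append(f"{entry} permits recursion beyond the intended clients")
    for e in expected:
        if e not in covered:
            findings.append(f"intended client {e} is not permitted to recurse")
    return findings


if __name__ == "__main__":
    print("findings:", check_recursion_acl(NAMED_CONF, ["1.1.1.8"]) or "none")
```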
Windows 2000/2003 Server at ISP Site (ns2.corp100.com, 2.2.2.2)
1. Click Start -> All Programs -> Administrative Tools -> DNS.
2. Right-click ns3, and then select Properties -> Advanced.
3. On the Advanced page in the ns3 Properties dialog box, clear the Disable recursion check box.
4. To save the configuration change and close the ns3 Properties dialog box, click OK.
Modify the Firewall and Router Configurations
Configure the firewall and router in your internal network to allow the following DHCP, DNS, and NTP traffic:
To allow messages to pass from the DHCP clients in the DMZ (the web, mail, and FTP servers) to ns3 in the
Server network, configure policies and DHCP relay agent settings on the firewall.
To forward DHCP messages from DHCP clients in the MGT and Dev networks to ns3 in the Server network,
configure relay agent settings on the router.
To translate the private IP address of ns3 (10.1.4.10) to the public IP address (1.1.1.8) when forwarding DNS
queries from ns3 to ns2, set a MIP (mapped IP) address on the firewall.
To allow DNS queries from ns3 to ns1 and ns2 and NTP traffic from ns3 to the NTP server, configure firewall
policies.
Firewall
For example, enter the following commands on a Juniper firewall running ScreenOS 4.x or later:
DHCP Relay Configuration
set address trust ns3 10.1.4.10/32
set interface ethernet2 dhcp relay server-name 10.1.4.10
set policy from dmz to trust ns1 ns3 DHCP-Relay permit
DNS Forwarding
set interface ethernet1 mip 1.1.1.8 host 10.1.4.10
set policy from trust to untrust ns3 ns2 dns permit
set policy from trust to dmz ns3 ns1 dns permit
NTP
set policy from dmz to untrust ns1 ntp_server ntp permit
Router
For example, enter the following commands on a Cisco router running IOS for release 12.x or later:
DHCP Relay Configuration
interface ethernet1
 ip helper-address 10.1.4.10
interface ethernet2
 ip helper-address 10.1.4.10
Enable DHCP and Switch Service to the NIOS Appliance
With the Infoblox in place and the firewall and router configured for relaying DHCP messages, you can switch DHCP
service from the legacy DHCP server at 10.1.4.11 to the HA pair at 10.1.4.10 (VIP address).
Tip: To minimize the chance of duplicate IP address assignments during the transition from the legacy DHCP server
to the appliance, shorten all lease times to a one-hour length in advance of the DHCP server switch. Then, when
you take the legacy DHCP server offline, the DHCP clients quickly move to the new server when their lease
renewal efforts fail and they broadcast DHCPDISCOVER messages. To determine how far in advance you need to
shorten the lease length, find the longest lease time (for example, it might be two days). Then change the lease
length to one hour at a slightly greater interval of time before you plan to switch DNS service to the appliance
(for example, three days before the switch over). By changing the lease length this far in advance, you can be
sure that all DHCP leases will be one-hour leases at the time of the switch-over. If the longest lease length is
longer, such as five days, and you want to avoid the increased amount of traffic caused by more frequent lease
renewals over a six-day period, you can also employ a stepped approach: six days before the switch-over,
change the lease lengths to one-day leases. Then two days before the switch-over, change them to one-hour
leases.
1. Open a browser window, and log in to the HA pair at https://10.1.4.10, using the user name admin and the
password SnD34n534.
2. From the DHCP and IPAM Perspective, select DHCP Members -> + (for Infoblox) -> ns3.corp100.com -> Edit ->
Member DHCP Properties.
3. In the Member DHCP Properties editor, click General Properties and select Enable DHCP Server.
4. Click the Save and Restart Services icons.
The HA pair is ready to provide DHCP service to the network.
5. Take the legacy DHCP server at 10.1.4.11 offline.
When the DHCP clients are unable to renew their leases from the legacy DHCP server, they broadcast
DHCPDISCOVER messages to which the new DHCP server responds.
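As an added example, not the guide's own tooling, the following models the lease-shortening schedule from the tip above and audits constructed dhcpd.leases-style records for leases that would still be long at cutover. The two-day threshold for choosing the stepped schedule, the cutover time, and all addresses are this example's assumptions.

```python
import re
from datetime import datetime, timedelta

ONE_HOUR = timedelta(hours=1)
ONE_DAY = timedelta(days=1)

# Constructed cutover time and lease records in ISC dhcpd.leases style; none of
# these values come from the guide.
SWITCH_AT = datetime(2008, 7, 25, 9, 0, 0)
LEASES = """\
lease 10.1.1.12 {
  starts 4 2008/07/24 08:00:00;
  ends 4 2008/07/24 09:00:00;
  hardware ethernet 00:00:00:aa:aa:01;
}
lease 10.1.2.15 {
  starts 4 2008/07/24 08:30:00;
  ends 6 2008/07/26 08:30:00;
  hardware ethernet 00:00:00:bb:bb:02;
}
lease 10.1.1.20 {
  starts 5 2008/07/25 08:30:00;
  ends 5 2008/07/25 09:30:00;
  hardware ethernet 00:00:00:cc:cc:03;
}
"""


def plan_lease_reduction(longest_lease, switch_at):
    """Schedule lease-length changes before the DHCP cutover, following the tip:
    cut to one-hour leases one day earlier than the longest lease in use, or,
    for longer leases, step down to one-day leases first and then to one-hour
    leases two days before the switch. Returns [(when, new_length), ...].
    The two-day cutoff for using the stepped schedule is this example's choice."""
    if longest_lease <= 2 * ONE_DAY:
        return [(switch_at - (longest_lease + ONE_DAY), ONE_HOUR)]
    return [
        (switch_at - (longest_lease + ONE_DAY), ONE_DAY),
        (switch_at - 2 * ONE_DAY, ONE_HOUR),
    ]


# 'starts <weekday> YYYY/MM/DD HH:MM:SS;' and the matching 'ends' line of one lease block.
LEASE_RE = re.compile(
    r"lease\s+(?P<ip>[\d.]+)\s*\{[^}]*?"
    r"starts\s+\d\s+(?P<starts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);[^}]*?"
    r"ends\s+\d\s+(?P<ends>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);",
    re.S,
)


def parse_leases(text):
    """Parse lease blocks into dicts. Assumes one block per IP; a real leases
    file can repeat an IP, in which case the last block is the current one."""
    fmt = "%Y/%m/%d %H:%M:%S"
    return [
        {"ip": m["ip"],
         "starts": datetime.strptime(m["starts"], fmt),
         "ends": datetime.strptime(m["ends"], fmt)}
        for m in LEASE_RE.finditer(text)
    ]


def leases_blocking_switch(leases, switch_at, max_len=ONE_HOUR):
    """IPs whose lease is still valid at the switch and longer than max_len:
    those clients keep their address for a long time without talking to the
    new server, which is the duplicate-assignment risk the tip describes."""
    return sorted(
        lease["ip"] for lease in leases
        if lease["ends"] > switch_at and (lease["ends"] - lease["starts"]) > max_len
    )


if __name__ == "__main__":
    for when, length in plan_lease_reduction(5 * ONE_DAY, SWITCH_AT):
        print(f"{when:%Y-%m-%d %H:%M}: set lease length to {length}")
    print("leases still long at cutover:",
          leases_blocking_switch(parse_leases(LEASES), SWITCH_AT))
```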
Manage and Monitor
Infoblox provides tools for managing IP address usage and several types of logs to view events of interest and DHCP
and DNS data. After configuring the appliance, you can use the following resources to manage and monitor IP address
usage, DNS and DHCP data, and administrator and appliance activity.
IPAM (IP Address Management)
IPAM offers the following services:
Simple IP address modification: Within a single IP address-centric data set, you can modify the Infoblox host,
DHCP, and DNS settings associated with that IP address.
Address type conversion: Through IPAM functionality, you can make the following conversions:
  Currently active dynamic addresses -> fixed addresses, reserved addresses, or Infoblox hosts
  Fixed addresses -> reserved addresses or hosts
  Reserved addresses -> hosts
Device classification: You can make detailed descriptions of appliances in DHCP ranges and appliances
defined as Infoblox hosts and as fixed addresses.
Three distinct views of IP address usage: To monitor the usage of IP addresses on your network, you can see
the following different views:
  High-level overall network view: From the DHCP and IPAM perspective, click DHCP Members -> + (for
  Infoblox) -> 10.1.4.10 -> View -> DHCP Statistics.
  Run-time view that allows you to zoom in and out to varying levels of detail: From the DHCP and IPAM
  perspective, click Networks -> network -> View -> IP Address Management -> ip_addr -> View -> Properties.
  DHCP lease history records: From the DHCP and IPAM perspective, click View -> DHCP Lease History.
Logs
The following are some useful logs:
Logs
  Audit Log: Contains administrator-initiated events
  System Log: Contains events related to hardware and software operations
DNS
  DNS Cache: Contains cached DNS-to-IP address mappings
  DNS Configuration: Contains DNS server settings for the Infoblox DNS server
  Zone Statistics: Contains a record of the results of all DNS queries per zone
DHCP
  DHCP Configuration: Contains DHCP server settings and network, DHCP range, and host settings for the
  Infoblox DHCP server
  DHCP Leases: Contains a real-time record of DHCP leases
  DHCP Lease History: Contains an historical record of DHCP leases
  DHCP Statistics: Contains the number of currently assigned static and dynamic addresses, and the high
  and low watermarks per network
  Network Statistics: Contains the number of static hosts, dynamic hosts, and available hosts per network
Verifying the Deployment
After you deploy a single independent appliance or HA pair, you can make an HTTPS connection to it, log in, and check
its status.
Single Independent Appliance
From the Device perspective, check the Status column in the Device panel.
If the Status icon is green, the appliance has a network connection and is operating properly.
If the Status icon is red, there is a problem. To determine what it is, look at the system log file for this
appliance by clicking device_name -> File -> System Log -> Node 1.
Independent HA Pair
1. Make an HTTPS connection to the VIP address of the HA pair, log in, and check the status of both nodes.
2. From the Device perspective, check the Status column in the Device panel.
If the Status icon is green, both nodes have connectivity with each other and are operating properly.
If the Status icon is yellow, the two nodes are in the process of forming an HA pair.
If the Status icon is red, the passive node is offline or there is a problem. To determine what it is, look at the
system log file for each node by clicking host_name -> File -> System Log -> Node 1 or Node 2. You can also
gather information from the Detailed Status viewer. Click host_name -> View -> Detailed Status.
You can also check the status of each node in the Information section in the Device Properties viewer:
1. From the Device perspective, click View -> Properties -> + (for Information) -> + (for Node #1) and + (for Node #2).
2. Check the value in the Status row for each node. The three status values are:
Active: The node is functioning properly as the active node in the HA pair.
Passive: The node is functioning properly as the passive node in the HA pair.
Offline: The active node cannot make a network connection to this node.
Forcing an HA Failover
If you want to change which node in an HA pair is active and which is passive, you can force a failover to occur. You
might want to do this if you need to move or perform maintenance on a currently active node. Within five seconds
after initiating a failover, the previously passive node becomes active and assumes ownership of the VIP address.
To force an HA failover:
1. Log in as a superuser.
2. From Device perspective, click ha_pair -> Edit -> Force Failover.
3. A message appears, prompting you to confirm the failover operation and noting that a forced failover causes a
temporary service disruption.
4. To proceed with the forced failover, click OK.
5. Close the management window, and then log back in.
6. To confirm that the two nodes have reversed their roles, that is, the previously passive node is now active and
the previously active node is now passive, from the Device perspective, click hostname -> View -> Detailed
Status.
Infoblox Tools for Migrating Data
Typically, the next step after cabling a single independent appliance to a network and configuring its network
settings, or cabling two independent appliances to a network and configuring them as an HA pair, is to import data
from legacy DNS, DHCP, and TFTP servers. Infoblox provides several tools to accomplish this:
The Infoblox Data Import Wizard is a useful tool that simplifies the importation of DNS, DHCP and IPAM (IP
address management), and TFTP settings and data into a NIOS appliance. For large data sets, this option is an
efficient approach. To download the Data Import Wizard, visit www.infoblox.com/support, log in with your
support account, and then click the Data Import Wizard hyperlink in the DNSone section. For guidance in
selecting and using the different options in the wizard, refer to the online Help that accompanies it.
You can use prewritten Infoblox Perl API scripts or write your own scripts to ease the execution of large and
repetitive operations such as importing data for large numbers of networks and zones. To download script
packs, log in to www.infoblox.com/support, and navigate to the Downloads section. Each script has a
corresponding HTML Help file. For a more general introduction to using the Infoblox API, see the Infoblox API
Reference Guide, which is available in the Technical Library section of the Infoblox Support site.
For smaller DNS data sets, you can use the zone import feature, which allows you to import data on a per-zone
basis (see Importing Zone Data on page 359).
You can also manually enter the settings and data for network identity services. For information, see the
relevant service-specific chapters in this guide.
Upgrading Software on an Independent Appliance or HA Pair
Upgrading an independent appliance or HA pair involves three steps:
Downloading the software upgrade files to a local system (Acquiring Software Upgrade Files on this page)
Distributing the software upgrade files (Distributing Software Upgrade Files on this page)
Running the software upgrade, which involves rebooting the appliances and then running the new software
(Running the Software Upgrade on page 265)
Note: You cannot upgrade directly to NIOS 4.2 from certain DNS releases, such as DNS 3.1 and 3.2, and NIOS
releases, such as 4.0r1. Refer to the release notes for the appropriate upgrade and revert paths.
Acquiring Software Upgrade Files
Infoblox frequently releases updated NIOS software. Contact Infoblox Technical Support to learn about new software
upgrades, or watch your e-mail for periodic notifications that a new software upgrade is available. After you have the
new upgrade file stored on your local network, proceed to the next section.
Distributing Software Upgrade Files
Software distribution varies depending on how appliances are deployed:
The active node of an independent HA pair distributes the software to the passive node and to itself.
A single independent appliance distributes the software to itself.
To distribute the latest software:
1. From the Device perspective, click Device -> Distribute -> Upload NIOS Software.
When you perform a distribution, the NIOS appliance uploads the file to a backup partition and unpacks the
contents, which overwrites any existing backup software that might have been there.
2. Navigate to the .bin file that you want to upload, select it, and then click Open or OK.
3. To view the file distribution status, look at the Upgrade Status panel.
From the Device perspective, click View -> Upgrade Status.
The process takes a few minutes and is complete when the Upgrade Status panel displays file distribution as
complete and all files unpacked. The new software is now staged and is ready for use.
Running the Software Upgrade
After you successfully distribute (stage) the software upgrade, you can then run it. Essentially, each appliance is going
to switch between the two software partitions on its system, activating the staged software and saving the previously
active software and database as backup.
Note: Before you upgrade the software, Infoblox recommends backing up the current configuration and database.
To run the software upgrade:
1. From the Device perspective, click Device -> Upgrade.
The upgrade process begins immediately.
Due to the nature of the upgrade sequence, HA pairs fail over during the upgrade. Therefore, be aware that the
active and passive nodes reverse roles. The GUI session terminates when the independent HA pair fails over
from Node 1 to Node 2, or when the single independent appliance reboots and goes offline.
2. Log back in and check the status of each upgraded appliance in the Detailed Status panels. From the Device
perspective, click hostname -> View -> Detailed Status.
Chapter 9 Deploying a Grid
To deploy a grid, it is important to understand what a grid is, how to create a grid master and add members, and how
to manage the grid. This chapter explains these tasks in the following sections:
Introduction to Grids on page 269
Grid Communications on page 270
NAT Groups on page 271
Automatic Software Version Coordination on page 274
Grid Bandwidth Considerations on page 276
Creating a Grid Master on page 278
VRRP Advertisements on page 280
Port Numbers for Grid Communication on page 281
Creating an HA Grid Master on page 282
Creating a Single Grid Master on page 284
Adding Grid Members on page 288
Adding a Single Member on page 288
Adding an HA Member on page 289
Configuration Example: Configuring a Grid on page 291
Enabling IPv6 On a Grid Member on page 304
Managing a Grid on page 308
Changing Grid Properties on page 308
Setting the MTU for VPN Tunnels on page 308
Removing a Grid Member on page 309
Promoting a Master Candidate on page 309
Replacing a Failed Grid Master on page 309
Using the Recycle Bin on page 310
Disabling the Recycle Bin on page 310
Enabling the Recycle Bin on page 311
Viewing the Recycle Bin on page 311
Emptying the Recycle Bin on page 312
Upgrading NIOS Software on a Grid on page 313
Lite Upgrades on page 313
Uploading NIOS Software on page 314
About Upgrade Groups on page 314
Distributing Software Upgrade Files on page 315
Testing a Software Upgrade on page 319
Performing a Software Upgrade on page 320
Monitoring Distribution and Upgrade Status on page 324
Introduction to Grids
A grid is a group of two or more NIOS appliances that share sections of a common, distributed, built-in database and
which you configure and monitor through a single, secure point of access: the grid master. A grid can include Infoblox
appliances and NIOS virtual appliances. A NIOS virtual appliance is a Riverbed Steelhead appliance running the
Riverbed Services Platform on which the NIOS software is installed. You can configure Infoblox appliances as a grid
master, grid master candidate, or grid members, but you can configure NIOS virtual appliances only as grid members.
Figure 9.1 shows the basic concept of a grid and database distribution (or replication).
Figure 9.1 Grid and Partitioned Database Replication
The grid master can be either an HA master or a single master; that is, an HA (high availability) pair or a single
appliance. Similarly, a grid member can be either a single member or an HA member. The grid master communicates
with every grid member in a hub-and-spoke configuration. For an HA member, the grid master communicates with the
active node, which in turn communicates with the passive node, as shown in Figure 9.2.
Figure 9.2 Grid Communications to an HA Member
[Figure 9.1 callouts: The administrator makes a secure connection to the grid master to configure and manage all grid members. The grid master replicates the section of the database that applies to each member, and it replicates the entire database to the master candidate. Labels: Administrator, VPN Tunnel, Grid Master, Master Candidate, Grid, NIOS Virtual Appliance, HA Member, Database. Note: In addition to the VPN tunnel securing administrative traffic to the grid master, all grid communications between the grid master and grid members pass through encrypted VPN tunnels (not shown).]
[Figure 9.2 callouts: (1) The grid master communicates with the active node of the HA member. (2) The active node communicates with the passive node. Labels: VPN Tunnel, Grid Master, HA Member, Node 1 Active, Node 2 Passive, VIP (on HA Port), LAN Port.]
Although you can configure a NIOS virtual appliance as a grid member, you cannot configure it as an HA member.
When adding NIOS virtual appliances to a grid, you centralize the management of core network services of the virtual
appliances through the grid master. The NIOS virtual appliance supports most of the features of the Infoblox NIOS
software. However, due to limited system resources on the RSP (Riverbed Services Platforms), the NIOS virtual
appliance has the following limitations:
On a grid with a NIOS virtual appliance, the maximum storage space for HTTP, FTP and TFTP is limited to 1 GB (a
grid with only Infoblox appliances provides a maximum of 2 GB for these services).
On a NIOS virtual appliance, the maximum size of core files is limited to 100 MB, and syslog and infoblox.log
files are limited to 20 MB each.
The LAN interface is the only network interface available on NIOS virtual appliances. You cannot configure the
speed and transmission type (full or half duplex) of the network interface.
You can control the IP traffic capture only on the LAN port.
The NIOS virtual appliances do not support the following features:
Anycast addressing
Configuration as a DHCP lease history logging member
Configuration as a RADIUS accounting server
Dedicated MGMT port
On a NIOS virtual appliance, the shutdown command restarts the NIOS appliance instead of halting it. Infoblox
recommends that you use the Riverbed no rsp enable command to perform a shutdown.
For more information about the NIOS virtual appliances and how to install the NIOS software on a RSP, refer to the
Quick Start Guide for Installing NIOS Software on Riverbed Services Platforms.
By default, grid communications use the UDP transport with a source and destination port of 1194. This port number
is configurable, but for a port change to take effect, the HA master must fail over or the single master must reboot.
After adding an appliance or HA pair to a grid, you no longer access the Infoblox GUI on that appliance. Instead, you
access the GUI running on the grid master. Although you can create multiple administrator accounts to manage
different services on various grid members, all administrative access is through the grid master. So even if someone
has administrative privileges to a single grid member, that administrator must access the GUI running on the grid
master to manage that member.
You can access the Infoblox GUI through an HTTPS connection to one of the following IP addresses and ports on the
grid master:
The VIP address, which links to the HA port on the active node of an HA grid master
The IP address of the LAN port on a single grid master
The IP address of the MGMT port (if enabled) of the active node of an HA or single grid master. See Using the
MGMT Port on page 136.
Grid Communications
The grid master synchronizes data among all grid members using bloxSync through encrypted VPN tunnels. The
default source and destination UDP port number for VPN tunnels is 1194. You can continue using the default port
number or change it. For example, if you have multiple grids, you might want each grid to use a different port so that
you can set different firewall rules for each. Whatever port number you choose to use for the VPN tunnels in a grid, all
the tunnels in that grid use that single port number.
Before an appliance or HA pair forms a tunnel with the master, they first authenticate each other using the
Challenge-Response Authentication Mechanism (CRAM). The source and destination port number for this traffic is
2114. During the CRAM handshake, the master tells the appliance or HA pair what port number to use when building
the subsequent VPN tunnel.
Figure 9.3 VPN Tunnels within a Grid
Another type of traffic, which flows outside the tunnels, is the VRRP (Virtual Router Redundancy Protocol)
advertisements that pass between the active and passive nodes in an HA pair. The VRRP advertisements act like
heartbeats that convey the status of each node in an HA pair. If the active node fails, the passive node can become
active. The VIP (virtual IP) address for that pair then shifts from the previously active node to the currently active node.
NAT Groups
NAT groups are necessary if the grid master is behind a NAT appliance and there are members on both sides of that
NAT appliance. Any members on the same side as the master go into the same NAT group as the master and use their
interface addresses for grid communications with each other. Grid members on the other side of that NAT appliance
do not go in the same NAT group as the master and use the master's NAT address for grid communications. These
other members outside the NAT appliance can be, but do not always need to be, in a different NAT group. To see when
NAT groups become necessary for grid communications, compare Figure 9.4 below with Figure 9.5 and Figure 9.6 on
page 273.
[Figure 9.3 shows an HA Grid Master (Node 1 active, Node 2 passive), a Single Member, and an HA Member (Node 1
active, Node 2 passive) joined by encrypted VPN tunnels. Labels in the figure: Grid Master VIP 10.1.1.11 (on active
node), HA 10.1.1.13 and HA 10.1.1.15, LAN 10.1.1.14 (on passive node of grid master); Single Member LAN 10.1.1.16;
HA Member VIP 10.1.1.22 (on active node), HA 10.1.1.19 and HA 10.1.1.21, LAN 10.1.1.18 (on active node of HA member)
and LAN 10.1.1.20 (on passive node of HA member).]
Note: The default source and destination UDP port for all VPN tunnels in a grid is 1194. If the grid master is a single
appliance, it communicates with the grid members from its LAN port. If you enable grid communications on the MGMT
port of an HA member, the active node communicates from its MGMT port to the grid master and the passive node
communicates from its MGMT port to the VIP on the HA port on the active node.
Figure 9.4 NAT without NAT Groups
Note: A single or HA member using its MGMT port for grid communications cannot be separated from the grid master
behind a NAT appliance. For more information, see Using the MGMT Port on page 136.
Figure 9.5 Grid Master in NAT Group
[Figure 9.4 labels: Member 1 (Grid Master) interface 10.1.1.10, NAT 1.1.1.10; Member 2 interface 1.2.2.20, no NAT;
Member 3 (Master Candidate) interface 192.168.1.30, NAT 1.3.3.30; Member 4 interface 10.1.0.40, NAT 1.4.4.40;
Member 5 interface 10.1.0.50, NAT 1.4.4.50. The grid members use the addresses in bold for grid communications
through their LAN ports.]
Figure 9.4 callout: In this case, there is no need for NAT groups. The master (Member 1) always uses its NAT address
(1.1.1.10) when communicating with the grid members. Also, if you ever promote Member 3 to master, it only has to use
its NAT address (1.3.3.30) to communicate with the other grid members. Whichever appliance is master, there is no
other member behind the same NAT appliance with which it needs to use its interface
[Figure 9.5 labels: the same members as in Figure 9.4 plus Member 6 interface 10.1.1.60, NAT 1.1.1.60; Members 1
and 6 are in NAT Group 1. Members 2 through 5 use the addresses in black bold for grid communications; Members 1 and 6
use their interface addresses in underlined blue bold.]
Figure 9.5 callout: The master (Member 1) uses its interface address (10.1.1.10) for grid communications with Member 6
and its NAT address (1.1.1.10) when communicating with the other grid members. Member 6 uses its interface address
(10.1.1.60) when communicating with the master. If Member 3 (a master candidate) ever became the grid master, then
both Members 1 and 6 would use their NAT addresses when communicating with it.
The same use of NAT groups that applies to a grid master also applies to master candidates. If there are no other
members behind the same NAT appliance as a master candidate, then the master candidate does not need to be in
a NAT group. It always uses its NAT address for grid communications. If another member is behind the same NAT
appliance as the master candidate, then both the candidate and that member need to be in the same NAT group so
that, if the candidate becomes master, they can use their interface addresses to communicate with each other (see
Figure 9.6).
Figure 9.6 Grid Master and Master Candidate in NAT Groups
Although some members might not need to be in a NAT group, it is good practice to put all members in NAT groups in
anticipation of adding or rearranging grid members within the network. For example, in Figures 9.4 through 9.6,
Member 4 did not need to be in a NAT group until it became configured as a master candidate in Figure 9.6. At that
point, because Member 5 is also behind the same NAT appliance, it became necessary to create NAT Group 2 and add
Members 4 and 5 to it. Similarly, if you add another member behind the NAT appliance in front of Member 3, then you
must create a new NAT group and add Member 3 and the new member to it. Always using NAT groups can simplify
such changes to the grid and ensure that NAT appliances never interrupt grid communications.
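The address selection and NAT group rules described above, as an added example (not Infoblox code): it picks the address one member uses to reach another and flags master candidates that share a NAT appliance with a member without sharing a NAT group. The members and addresses come from Figures 9.5 and 9.6; the nat_site labels (which NAT appliance a member sits behind) are constructed.

```python
"""Which address a grid member uses to reach another member, and whether a
grid's NAT groups are complete, following the NAT group rules in this section.
Added example, not Infoblox code; the members and addresses are those of
Figures 9.5 and 9.6, and the nat_site labels are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Member:
    name: str
    interface: str                      # address on the LAN port
    nat: Optional[str] = None           # address the NAT appliance maps to it, if any
    nat_site: Optional[str] = None      # constructed label for the NAT appliance in front of it
    nat_group: Optional[str] = None     # NAT group it was put in, if any
    master_candidate: bool = False      # True for the grid master and master candidates


def address_to_reach(target: Member, source: Member) -> str:
    """Address `source` uses for grid communications with `target`: members in
    the same NAT group use interface addresses with each other; everyone else
    uses the target's NAT address when it has one."""
    if target.nat_group is not None and target.nat_group == source.nat_group:
        return target.interface
    return target.nat or target.interface


def missing_nat_groups(members: List[Member]) -> List[Tuple[str, str]]:
    """(candidate, member) pairs behind the same NAT appliance that do not
    share a NAT group. The section requires such pairs to share a group so
    they can use interface addresses once the candidate becomes master."""
    problems = []
    for cand in members:
        if not cand.master_candidate or cand.nat_site is None:
            continue
        for other in members:
            if other is cand or other.nat_site != cand.nat_site:
                continue
            if cand.nat_group is None or cand.nat_group != other.nat_group:
                problems.append((cand.name, other.name))
    return problems


def figure_9_6(with_group_2: bool = True) -> List[Member]:
    """Members of Figure 9.6. with_group_2=False leaves Members 4 and 5 without
    NAT Group 2, the state before Member 4 was made a master candidate."""
    g2 = "NAT Group 2" if with_group_2 else None
    return [
        Member("Member 1", "10.1.1.10", "1.1.1.10", "nat-A", "NAT Group 1", True),
        Member("Member 2", "1.2.2.20"),                      # not behind a NAT appliance
        Member("Member 3", "192.168.1.30", "1.3.3.30", "nat-B", None, True),
        Member("Member 4", "10.1.0.40", "1.4.4.40", "nat-C", g2, True),
        Member("Member 5", "10.1.0.50", "1.4.4.50", "nat-C", g2),
        Member("Member 6", "10.1.1.60", "1.1.1.60", "nat-A", "NAT Group 1"),
    ]


def by_name(members: List[Member], name: str) -> Member:
    return next(m for m in members if m.name == name)


if __name__ == "__main__":
    grid = figure_9_6()
    master = by_name(grid, "Member 1")
    for m in grid[1:]:
        print(f"{m.name} reaches the master at {address_to_reach(master, m)}")
    print("missing groups:", missing_nat_groups(figure_9_6(with_group_2=False)))
```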
To create a NAT group:
1. From the Grid perspective, click id_grid -> Edit -> Grid Properties -> NAT Groups.
2. In the NAT Groups section of the Grid editor, click Add.
3. In the NAT Group dialog box, enter a name in the Group Name field and a useful comment in the Comment field,
and then click OK.
4. Click the Save icon.
To add members to the NAT group:
1. In the Grid perspective, click + (for id_grid) -> + (for Members) -> member -> Edit -> Member Properties -> NAT.
2. In the NAT section of the Grid Member editor, enter the following:
Enable NAT compatibility: (select)
Group: From the drop-down list, select the NAT group you previously created.
[Figure 9.6 labels: Member 1 (Grid Master) interface 10.1.1.10, NAT 1.1.1.10, and Member 6 interface 10.1.1.60,
NAT 1.1.1.60, in NAT Group 1; Member 2 interface 1.2.2.20, no NAT; Member 3 (Master Candidate) interface
192.168.1.30, NAT 1.3.3.30; Member 4 interface 10.1.0.40, NAT 1.4.4.40, and Member 5 interface 10.1.0.50,
NAT 1.4.4.50, in NAT Group 2. Members 1 through 5 use the addresses in black bold for grid communications; Members 1
and 6 use their interface addresses in underlined blue bold. If Member 4 became master, it would use its interface
address in double underlined green bold to communicate with Member 5, and its NAT address to communicate with all
other members.]
Figure 9.6 callout: Members 3 and 4 are master candidates. Because Member 3 is alone behind a NAT appliance, it does
not need to be in a NAT group. It always uses its NAT address for grid communications. However, Member 4 is behind
the same NAT appliance as Member 5, so they are put in the same NAT group. If Member 4 ever became the grid master,
it would use its interface address to communicate with Member 5 and its NAT address to communicate with all other
members.
NAT (V)IP Address: For a single grid master or member, enter the address configured on the NAT appliance
that maps to the interface address of the LAN port. A single master or member uses this NAT address for grid
communications and, if it serves DNS, for its NS records.
For an HA grid master or member, enter the address configured on the NAT appliance that maps to its VIP
address. An HA master uses its VIP NAT address when communicating with grid members. An HA member
that serves DNS uses its VIP NAT address for its NS records. It uses its LAN port NAT address for grid
communications.
Node 1 (if HA)
NAT IP Address: Enter the address configured on the NAT appliance that maps to the interface
address of the LAN port on Node 1. When Node 1 of an HA member is active, it uses its NAT
address for grid communications.
Node 2 (if HA)
NAT IP Address: Enter the address configured on the NAT appliance that maps to the interface
address of the LAN port on Node 2. When Node 2 of an HA member is active, it uses its NAT
address for grid communications.
3. Click the Save icon.
Automatic Software Version Coordination
When you add an appliance or HA pair to a grid as a new member, it is important that it is running the same version
of software as the other members in the grid. Infoblox provides two methods for coordinating the software version:
Manual Upgrade and Downgrade: Before adding an appliance or HA pair to a grid, you can manually upgrade or
downgrade the software on the appliance or HA pair to the version used by the rest of the grid.
Automatic Upgrade and Downgrade: The grid master automatically compares the software version of each
appliance attempting to enter a grid with that in use by the rest of grid. If the versions do not match, the grid
master downloads the correct version to the new appliance or HA pair.
Note: The grid master checks the software version every time an appliance or HA pair joins the grid. The software
version check occurs during the initial join operation and when a member goes offline and then rejoins
the grid.
Figure 9.7 Automatic Upgrade of an appliance Joining a Grid
When a single appliance attempts to join the grid for the first time, the following series of events takes place:
1. The appliance establishes an encrypted VPN tunnel with the grid master.
2. The master detects that the software version on the appliance is different from that in the rest of the grid. For
example, the appliance is running DNSone 3.2r10 software but the rest of the grid is running NIOS 4.0r1
software.
3. The grid master sends the NIOS 4.0r1 software through the tunnel to the appliance, which loads it.
4. After the upgrade is complete, the NIOS application automatically restarts.
5. After the appliance reboots, it again contacts the grid master and step 1 is repeated. Because the software
versions now match, the appliance can complete its attempt to join the grid.
When an HA pair attempts to join the grid for the first time, the following series of events takes place:
1. The active node of the HA pair establishes an encrypted VPN tunnel with the grid master.
2. The master detects that the software version on the node is different from that in the rest of the grid. For example,
the active node is running DNSone 3.2r10 software but the rest of the grid is running NIOS 4.0r1 software.
3. The grid master sends the NIOS 4.0r1 software through the tunnel to the active node, which loads it.
4. After the upgrade is complete, the NIOS application on the active node automatically restarts. This causes an HA
failover.
5. The new active node (which was previously the passive node) attempts to join the grid, repeating steps 1 through 4.
6. When the NIOS application on the currently active node restarts, there is another failover, and the currently
passive node becomes active again.
7. The active node again contacts the grid master and step 1 is repeated. Because the software versions now match,
it can complete its attempt to join the grid.
[Figure 9.7 shows a grid running NIOS 4.0r1 (an HA grid master, an HA grid member, and a single grid member) and an
appliance joining the grid (DNSone 3.2r10 -> NIOS 4.0r1) receiving the NIOS 4.0r1 software download through a tunnel.]
Figure 9.7 callouts: When an appliance with a different version of NIOS attempts to join the grid, the grid master
sends the software that the rest of the grid is using to the appliance through a tunnel. The appliance loads the NIOS
software that it receives from the grid master, reboots, and reestablishes a tunnel with the grid master. Then,
assuming everything else is in order, the appliance successfully joins the grid. The grid master synchronizes
configuration and data changes with grid members through VPN tunnels.
Grid Bandwidth Considerations
Infoblox grid technology relies upon database replication for its core functionality. When designing a grid, it is
important to consider the amount of traffic generated by this replication and the overall number of grid members.
Other communication between grid members (such as log retrieval and monitoring functions) occurs as well. All of
this traffic is securely communicated between the grid master and grid members through encrypted VPN tunnels.
One component of the traffic through the tunnels is database replication traffic. There are three types to consider:
1. Complete database replication to a master candidate: Occurs when a master candidate joins or rejoins a grid.
The grid master sends the complete database to a master candidate so that it has all the data it needs if it ever
becomes promoted from member to master.
2. Partial database replication: Occurs when an appliance or HA pair joins or rejoins the grid as a regular member
(which is not configured as a master candidate). The grid master sends it the section of the database that mainly
applies just to the member.
3. Ongoing database updates: Occurs as changes are made to the grid configuration and data. The grid master
sends all ongoing database updates to master candidates and individual member-specific updates to regular
members.
If there are no or very few DNS dynamic updates, and no or very few DHCP lease offers and renewals issued,
then this type of replication traffic is minimal.
If there are many DDNS (dynamic DNS) updates (many per second) and/or many DHCP lease offers and
renewals (many per second), then the replication traffic is the largest component of the VPN traffic among grid
members.
Note: A grid master replicates data to single members and to the active node of HA members. The active node then
replicates the data to the passive node in the HA pair.
At a minimum, there must be 256 Kbps (kilobits per second) bandwidth between the grid master and each member,
with a maximum round-trip delay of 500 milliseconds. For ongoing database updates, the amount of data sent or
received is 15 Kb for every DDNS update, and 10 Kb for every DHCP lease offer/renew. The baseline amount for
heartbeat and other maintenance traffic for each member is 2 Kbps. Measure the peak DNS and DHCP traffic you see
in your network to determine the bandwidth needed between the grid master and its members for this activity.
For example, you might decide to place your grid members in the locations shown in Figure 9.6 on page 273.
Figure 9.8 Grid Deployment
In this example, the grid master is optimally placed in the Data Center West. There are a total of seven members: the
HA grid master, three HA members, and three single members. If all the members are master candidates, the grid
master replicates all changes to the other six members. Assuming that the master receives 20 dynamic updates per
minute and 40 DHCP lease renews per minute, the calculation for grid bandwidth is:
20 DDNS updates/minute / 60 secs = 0.333 DDNS updates/sec * 15 Kb = 5 Kbps * 6 members = 30 Kbps
40 DHCP leases/minute / 60 secs = 0.666 DHCP leases/sec * 10 Kb = 6.7 Kbps * 6 members = 40.2 Kbps
2 Kbps of grid maintenance traffic * 6 members = 12 Kbps
Total: 82.2 Kbps
Another component is the upgrade process. See Upgrading NIOS Software on a Grid on page 313 for more
information.
Bandwidth requirements, database size, and update rate determine the maximum size of the grid you can deploy.
Based on the various factors discussed above, you can determine the amount of bandwidth your grid needs. If your
calculations exceed the available bandwidth, then you might need to modify your deployment strategy, perhaps by
splitting one large grid into two or more smaller ones.
Note: This calculation does not take into account existing traffic other than DNS and DHCP services, so factor and
adjust accordingly.
For international networks, because of bandwidth and delay requirements, a geographical grouping of grid members
might be the best approach. For example, if you have a global presence, it may make the most sense to have a North
American grid, a South American grid, a European grid, and an Asia/Pacific grid.
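The bandwidth calculation above, as an added example (not Infoblox code) that also checks each master-to-member link against the 256 Kbps minimum, the 500 ms round-trip limit, and the existing non-DNS/DHCP traffic the note says to factor in. The per-update figures are the ones given in this section; the link figures in the main block are constructed.

```python
"""Grid bandwidth estimate using the figures this section gives: 15 Kb per DDNS
update, 10 Kb per DHCP lease offer/renew, 2 Kbps of maintenance traffic per
member, at least 256 Kbps and at most 500 ms round trip between the master and
each member. Added example, not Infoblox code; the deployment numbers are the
ones from the Figure 9.8 discussion and the Link values in main are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

KB_PER_DDNS_UPDATE = 15.0
KB_PER_DHCP_LEASE = 10.0
MAINTENANCE_KBPS_PER_MEMBER = 2.0
MIN_LINK_KBPS = 256.0
MAX_RTT_MS = 500.0


def per_member_rates(ddns_per_minute: float, dhcp_per_minute: float) -> Tuple[float, float, float]:
    """Kbps the master sends to one master candidate, as (DDNS, DHCP, maintenance).
    Rates are rounded to one decimal the way the guide's worked calculation is."""
    ddns = round(ddns_per_minute / 60.0 * KB_PER_DDNS_UPDATE, 1)
    dhcp = round(dhcp_per_minute / 60.0 * KB_PER_DHCP_LEASE, 1)
    return ddns, dhcp, MAINTENANCE_KBPS_PER_MEMBER


@dataclass
class GridEstimate:
    ddns_kbps: float
    dhcp_kbps: float
    maintenance_kbps: float

    @property
    def total_kbps(self) -> float:
        return round(self.ddns_kbps + self.dhcp_kbps + self.maintenance_kbps, 1)


def estimate_grid_kbps(ddns_per_minute: float, dhcp_per_minute: float, candidates: int) -> GridEstimate:
    """Total the master sends when every other member is a master candidate,
    so each of the `candidates` members receives every update."""
    ddns, dhcp, maint = per_member_rates(ddns_per_minute, dhcp_per_minute)
    return GridEstimate(round(ddns * candidates, 1),
                        round(dhcp * candidates, 1),
                        round(maint * candidates, 1))


@dataclass
class Link:
    member: str
    available_kbps: float
    rtt_ms: float
    other_traffic_kbps: float = 0.0    # existing traffic other than DNS and DHCP on the same link


def check_link(link: Link, ddns_per_minute: float, dhcp_per_minute: float) -> List[str]:
    """Problems with one master-to-member link: below the 256 Kbps minimum, above
    the 500 ms round-trip limit, or too little headroom for the replication rate."""
    needed = round(sum(per_member_rates(ddns_per_minute, dhcp_per_minute)), 1)
    problems = []
    if link.available_kbps < MIN_LINK_KBPS:
        problems.append(f"{link.member}: {link.available_kbps:g} Kbps is below the {MIN_LINK_KBPS:g} Kbps minimum")
    if link.rtt_ms > MAX_RTT_MS:
        problems.append(f"{link.member}: {link.rtt_ms:g} ms round trip exceeds {MAX_RTT_MS:g} ms")
    headroom = link.available_kbps - link.other_traffic_kbps
    if headroom < needed:
        problems.append(f"{link.member}: {headroom:g} Kbps free, replication needs {needed:g} Kbps")
    return problems


if __name__ == "__main__":
    est = estimate_grid_kbps(ddns_per_minute=20, dhcp_per_minute=40, candidates=6)
    print(f"DDNS {est.ddns_kbps} + DHCP {est.dhcp_kbps} + maintenance {est.maintenance_kbps}"
          f" = {est.total_kbps} Kbps")                    # 30.0 + 40.2 + 12.0 = 82.2 Kbps
    # Constructed link figures, not from the guide.
    for link in (Link("West Site", 256, 120), Link("East Site", 128, 600, 120)):
        for problem in check_link(link, 20, 40):
            print(problem)
```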
[Figure 9.8 network diagram: Data Center West, Data Center East, Large Branch West, Large Branch Central, West Sites,
and East Sites.]
Creating a Grid Master
To create a grid, you first create a grid master and then add members. Although the grid master can be a single
appliance (a single master), a more resilient design is to use an HA pair (an HA master) to provide hardware
redundancy. The basic procedure for forming two appliances into an HA master is shown in Figure 9.9.
Note: You cannot configure a NIOS virtual appliance as a grid master, a grid master candidate, or an HA pair.
Figure 9.9 Initially Configuring a Pair of Appliances as a Grid Master
After the two nodes form an HA pair, Node 2 initiates a key exchange and creates an encrypted VPN tunnel with
Node 1. The two nodes communicate between the VIP interface linked to the HA port on Node 1 and the LAN port on
Node 2. The initialization of VPN communications between the two nodes is shown in Figure 9.10 on page 279.
Figure 9.9 callouts (a management system, Node 1, and Node 2 on a switch connected to the network):
Connect your management system to a switch and set its IP address to 192.168.1.3.
Connect Node 1 to the switch, log in to its default IP address (192.168.1.2), check that a Keystone license is
installed, and configure the following: VIP address, netmask, gateway; hostname; HA and LAN addresses of Node 1;
HA and LAN addresses of Node 2; VRID (virtual router ID); NTP settings; grid name; shared secret.
After you configure Node 1, it listens for three seconds for VRRP advertisements containing its VRID number. When it
does not receive any, it assumes the active role in the HA pair and starts sending advertisements.
Connect Node 2 to the switch, log in to its default IP address (192.168.1.2), check that a Keystone license is
installed, and configure the following: VIP address (for Node 1); LAN address, netmask, gateway; hostname; grid
name; shared secret.
After you configure Node 2, it contacts the VIP address on Node 1 and initiates a key exchange using the shared
secret. The nodes then construct an encrypted VPN tunnel to secure grid communications.
Note: For more information about VRRP advertisements, see VRRP Advertisements on page 280.
Note: Because you do not set the VRID for Node 2, it cannot listen for VRRP advertisements yet. It learns its VRID
after it joins the grid and downloads the database from Node 1. Then, when Node 2 receives an advertisement
containing its VRID from Node 1, it assumes the passive role in the HA pair.
Figure 9.10 Establishing a VPN Tunnel for Grid Communications
After the nodes establish a VPN tunnel between themselves, Node 1 sends Node 2 its entire database (its
configuration settings and service data). Because the configuration contains the VRID (virtual router ID) for the HA
pair, Node 2 starts listening for VRRP advertisements containing that VRID number. Because Node 1 is already
sending such advertisements, Node 2 receives one and assumes the passive role in the HA pair.
After the initial transmission of its database, Node 1 continues to send Node 2 real-time database updates using an
Infoblox proprietary mechanism called bloxSYNC through the VPN tunnel.
Node 1 maintains the synchronization of the database throughout the grid (which, at this point, has no other
members), sends VRRP advertisements indicating its physical and network health, and, if configured to do so,
provides network services. Node 2 maintains a state of readiness to assume mastership in the event of a failover. You
can see the flow of HA- and grid-related traffic from ports on the active node to ports on the passive node in
Figure 9.11. This illustration also shows the ports that you can use for management traffic and network service.
Figure 9.11 Traffic and Ports that an HA Grid Master Uses
[Figure 9.10 shows Node 1 and Node 2 on a switch. The two nodes authenticate each other and perform a VPN key
exchange (source and destination port 2114, nonconfigurable); the passive node then establishes an encrypted VPN
tunnel with the active node (default VPN port number 1194, configurable). Both run between the LAN port of Node 2 and
the VIP of Node 1.]
[Figure 9.11 shows the HA Master (Node 1 active, Node 2 passive) connected through a switch to the network and the
management system. bloxSYNC inside the VPN tunnel and VRRP advertisements flow between the nodes; HTTPS / GUI
connects to the VIP; SSHv2 / CLI connects to the LAN ports. The VIP is a logical interface linking to the HA port on
the active node of the HA pair.]
Note: If you enable the MGMT port, you can only make an HTTPS connection to the IP address of the active node. If you
try to connect to the IP address of the passive node, the appliance redirects your browser to the IP address of the
active node. SSHv2, however, behaves differently from HTTPS. If you enable the MGMT port and define its network
settings for both nodes in the HA pair, you can make an SSHv2 connection to the IP addresses of the LAN and MGMT
ports on both the active and passive nodes.
From the management system, you can manage the active node of the HA master by making an HTTPS connection to
the VIP interface and using the GUI, and by making an SSHv2 connection to the LAN port (and MGMT port, if enabled)
and using the CLI. If you enable the MGMT port on an HA pair, you can make an HTTPS connection through the MGMT
port on the active node, and you can make an SSHv2 connection through the LAN or MGMT port on the active and
passive nodes.
Note: For information about enabling and using the MGMT port, the Infoblox GUI, and SSH, see Using the MGMT Port
on page 136, Accessing the Infoblox GUI on page 38, and Enabling Remote Console Access on page 128.
VRRP Advertisements
VRRP advertisements are periodic announcements of the availability of the HA node linked to the VIP. The active node
in an HA pair sends advertisements as multicast datagrams every second. It sends them from its HA port using the
source IP address of the HA port (not from the VIP address) and the source MAC address 00:00:5e:00:01:vrrp_id. The
last two hexadecimal numbers in the source MAC address indicate the VRID (virtual router ID) number for this HA pair.
For example, if the VRID number is 143, then the source MAC address is 00:00:5e:00:01:8f (8f in hexadecimal
notation = 143 in decimal notation).
The destination MAC and IP addresses for all VRRP advertisements are 01:00:5e:00:00:12 and 224.0.0.18. Because
a VRRP advertisement is a multicast datagram that can only be sent within the immediate logical broadcast domain,
the nodes in an HA pair must be in the same subnet together.
Only an appliance configured to listen for VRRP advertisements with the same VRID number processes the
datagrams, while all other appliances ignore them. The passive node in an Infoblox HA pair listens for these on its HA
port and the active node listens on its LAN port. If the passive node does not receive three consecutive
advertisements or if it receives an advertisement with the priority set to 0 (which occurs when you manually perform
a forced failover), it changes to the active state and assumes ownership of the VIP address and virtual MAC address.
If both nodes go offline, the one that comes online first becomes the active node. If they both come online
simultaneously, or if they enter a dual-active state (that is, a condition arises in which both appliances assume an
active role and send VRRP advertisements, possibly because of network issues), then the nodes apply the following
rules to resolve their roles:
The appliance with the numerically higher VRRP priority becomes the active node.
In NIOS, a node receives the priority value 30 when it first becomes active. If that node sends an advertisement
from its HA port but does not receive it on its own LAN port, it lowers its priority value by one to 29. If it does not
receive the next advertisement, it lowers the priority value to 28. This can continue until the priority reaches 10,
at which point the decrementation process stops. (Because the active node in an HA pair can function without
its LAN port, the decrementation process stops before the priority value reaches zero, which would cause an
appliance failover.) If the node starts receiving its own advertisements again, it starts increasing its priority
value by one for each received advertisement, stopping the incrementation process when it returns to 30.
If both nodes have the same priority, then the appliance whose HA port has a numerically higher IP address
becomes the active node. For example, if the IP address of the HA port on Node 1 is 10.1.1.80 and the IP
address of the HA port on Node 2 is 10.1.1.20, then Node 1 becomes the active node.
The basic decision tree that a NIOS appliance configured as a node in an HA pair uses to determine if it is the active
or passive node is shown in Figure 9.12 on page 281.
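The VRRP rules in this section as an added example (not Infoblox code): the virtual MAC that carries the VRID, the addresses every advertisement is sent to, the NIOS priority adjustment between 30 and 10, the passive node's failover trigger, and the dual-active tie-break. The node names and HA port addresses are the ones the text uses; Node and its methods are assumptions made for the example.

```python
"""VRRP behaviour described in this section, as code. Added example, not
Infoblox code; Node and its methods are constructed for illustration, the
addresses and numbers are the ones given in the text."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

VRRP_MAC_PREFIX = "00:00:5e:00:01:"   # virtual MAC prefix; the last octet is the VRID
VRRP_DST_MAC = "01:00:5e:00:00:12"    # destination MAC of every advertisement
VRRP_DST_IP = "224.0.0.18"            # destination multicast address
PRIORITY_INITIAL = 30                 # priority a NIOS node gets when it becomes active
PRIORITY_FLOOR = 10                   # decrementing stops here so the node never fails over
MISSED_ADVERTISEMENTS_FOR_FAILOVER = 3


def vrrp_virtual_mac(vrid: int) -> str:
    """Source MAC an active node uses: 00:00:5e:00:01:<VRID in hex>."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be between 1 and 255")
    return f"{VRRP_MAC_PREFIX}{vrid:02x}"


def vrid_from_mac(mac: str) -> Optional[int]:
    """VRID encoded in a captured source MAC, or None if it is not a VRRP
    virtual MAC. Handy for checking which VRIDs are advertised on a subnet."""
    mac = mac.lower()
    if not mac.startswith(VRRP_MAC_PREFIX) or len(mac) != len(VRRP_MAC_PREFIX) + 2:
        return None
    return int(mac[-2:], 16)


def is_vrrp_advertisement(dst_mac: str, dst_ip: str) -> bool:
    """Advertisements go to 01:00:5e:00:00:12 / 224.0.0.18, which is why both
    nodes of an HA pair must sit in the same subnet."""
    return dst_mac.lower() == VRRP_DST_MAC and dst_ip == VRRP_DST_IP


@dataclass
class Node:
    name: str
    ha_ip: str
    priority: int = PRIORITY_INITIAL

    def hear_own_advertisement(self, seen_on_lan_port: bool) -> int:
        """Active node: each advertisement sent from the HA port that does not
        come back on its own LAN port lowers the priority by one, stopping at
        10; each one heard again raises it by one, stopping at 30."""
        if seen_on_lan_port:
            self.priority = min(PRIORITY_INITIAL, self.priority + 1)
        else:
            self.priority = max(PRIORITY_FLOOR, self.priority - 1)
        return self.priority


def priority_after_misses(misses: int, start: int = PRIORITY_INITIAL) -> int:
    """Priority of an active node after `misses` consecutive unheard advertisements."""
    node = Node("probe", "0.0.0.0", start)
    for _ in range(misses):
        node.hear_own_advertisement(False)
    return node.priority


def passive_should_take_over(missed_in_a_row: int, last_priority: Optional[int]) -> bool:
    """The passive node goes active after three consecutive missed
    advertisements, or at once when it sees priority 0 (a forced failover)."""
    return missed_in_a_row >= MISSED_ADVERTISEMENTS_FOR_FAILOVER or last_priority == 0


def resolve_active(a: Node, b: Node) -> Node:
    """Dual-active resolution: the higher VRRP priority wins; on a tie, the
    node whose HA port has the numerically higher IP address wins."""
    if a.priority != b.priority:
        return a if a.priority > b.priority else b
    return a if IPv4Address(a.ha_ip) > IPv4Address(b.ha_ip) else b


if __name__ == "__main__":
    print(vrrp_virtual_mac(143))                                  # 00:00:5e:00:01:8f
    n1, n2 = Node("Node 1", "10.1.1.80"), Node("Node 2", "10.1.1.20")
    print(resolve_active(n1, n2).name)                            # Node 1 (tie on priority, higher HA IP)
    print(priority_after_misses(25))                              # 10 (floor reached)
```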
Figure 9.12 Using VRRP Advertisements to Determine the Active Node in an HA Pair
Port Numbers for Grid Communication
If connectivity between grid members must pass through a firewall, the firewall policies must allow the initial key
exchange and subsequent VPN traffic to pass. The key exchange uses UDP with a source and destination port of 2114.
VPN traffic uses UDP with a default source and destination port of 1194.
The VPN port number is configurable. From the Grid perspective on the grid master, click id_grid -> Edit -> Grid
Properties -> Grid Properties, type a new port number in the VPN Port Number field, and then click the Save icon. After
changing the port number, you must reboot the single master or the active node of an HA master (which forces an HA
failover). From the Grid perspective, click + (for id_grid) -> + (for Members) -> master -> Edit -> Reboot.
A member and master first perform a handshake to authenticate each other and exchange encryption keys. Then they
build an encrypted VPN tunnel between themselves. The member typically initiates both of these connections. The
master only initiates a key exchange if you manually promote a member to the role of master (see Promoting a Master
Candidate on page 309). Figure 9.10 on page 279 shows the typical connection exchange and default port usage not
only between the two nodes forming an HA pair but also between a member and master when the member joins a
grid.
The member and master key exchange occurs when an appliance joins a grid, during master promotion, and when a
member reconnects to a grid after becoming disconnected. At all other times, grid-related communications occur
through encrypted VPN tunnels.
Figure 9.12 decision tree: A VRRP-enabled appliance comes online. Does an advertisement with its VRID arrive within
3 secs? No: become the active node and start sending VRRP advertisements. Yes: enter the passive state. If another
VRRP-enabled appliance later sends VRRP advertisements with the same VRID while this appliance is active: does the
other appliance have a higher priority? Yes: enter the passive state. No: remain active. Same: does the other
appliance have a higher IP address? Yes: enter the passive state. No: remain active.
Creating an HA Grid Master
To create a grid, you first create a grid master and then add members. Although you can define a single appliance as
a grid master, using an HA pair provides hardware redundancy for this vital component of a grid. The following
procedure explains how to put two NIOS appliances on the network and use the Infoblox NIOS Startup Wizard to
configure them as Nodes 1 and 2 to form an HA grid master. You cannot configure a NIOS virtual appliance as an HA
grid master.
To create an HA grid master using the Infoblox NIOS Startup Wizard:
Configuring the Connecting Switch
To ensure that VRRP (Virtual Router Redundancy Protocol) works properly, configure the following settings on the
network switch to which you cable the two nodes:
Portfast: enable
Trunking: disable
Port list: disable
Port channeling: disable
Note: By default, a NIOS appliance automatically negotiates the optimal connection speed and transmission type
(full or half duplex) on the physical links between its LAN (or LAN1), HA, and MGMT ports and the ethernet
ports on the connecting switch. If the two appliances fail to auto-negotiate the optimal settings, see Modifying
Ethernet Port Settings on page 135 for steps you can take to resolve the problem.
Putting Both Appliances on the Network
1. Connect the power cable from each NIOS appliance to a power source and turn on the power. If possible, connect
the appliances to separate power circuits. If one power circuit fails, the other might still be operative.
2. Connect ethernet cables from the LAN (or LAN1) port and the HA port on each appliance to a switch on the
network.
Note: The ethernet ports on the Infoblox-550, -1050, -1550, and -1552 appliances are autosensing, so you can
use either a straight-through or cross-over ethernet cable for these connections. For the Infoblox-500,
-1000, and -1200 appliances, use straight-through ethernet cables.
3. Use the LCD on one appliance or make a console connection to it, and configure the network settings of its LAN
or LAN1 port so that it is on the local subnet and you can reach it on the network.
Note: For details about using the LCD and console, see Using the LCD Panel on page 723 and Using the Serial
Console on page 723.
4. Similarly, configure the LAN or LAN1 port on the other appliance so that it is in the same subnet as the first
appliance.
5. Connect your management system to the network so that it can reach the IP addresses of the LAN or LAN1 ports.
HA Master Node 1
1. On your management system, open a browser window, and connect to https://ip_addr, where ip_addr is the
address of the LAN or LAN1 port on Node 1.
2. Click LAUNCH GRID MANAGER.
3. Log in using the default user name and password admin and infoblox. For detailed information about logging in
to the GUI, see Accessing the Infoblox GUI on page 38.
The Infoblox NIOS Startup Wizard appears. The first screen provides basic information about the wizard, and the
second screen displays license agreement information.
4. Beginning on the third screen, enter the following, where
string1 is a text string that the two appliances use to authenticate each other when establishing a VPN
tunnel for ensuing bloxSYNC traffic. (The default grid name is Infoblox.)
string2 is a text string that both appliances use as a shared secret to authenticate each other when
establishing a VPN tunnel for ensuing bloxSYNC traffic. (The default shared secret is test.)
vip_addr and netmask are the VIP (virtual IP) address and its netmask.
ip_addr1 is the IP address of the gateway for the subnet on which the ports are set.
hostname is a valid domain name for the appliance.
ip_addr2-5 are the IP addresses of the LAN and HA ports for Nodes 1 and 2.
number is the VRID (virtual router ID). This must be a unique VRID number (from 1 to 255) for this subnet.
string3 is a single hexadecimal string (no spaces) for a password that is at least four characters long.
ip_addr6 is the IP address of an NTP (Network Time Protocol) server. You can enter IP addresses for multiple
NTP servers.
Note: The startup wizard provides options such as not changing the default password and manually entering the
time and date. However, changing the password and using an NTP server improve security and accuracy
(respectively), and so these choices are presented here.
The last screen of the startup wizard states that the changed time settings require the application to restart.
When you click Finish, the application restarts.
5. Close the management window.
The configuration for Node 1 is complete.
Wizard Screen                 Enter or Select
Deployment Type               Grid Master or Member
License Validation            Check that a Keystone license is installed.
Grid Master or Member         Grid Master
Single or HA Grid Master      HA Grid Master; Node 1
HA Pair Settings              HA Pair Name: string1
                              Shared Secret: string2
HA Pair Network Settings      VIP Address: vip_addr
                              Netmask: netmask
                              Gateway: ip_addr1
                              Host Name: hostname
                              Node 1: LAN/LAN1 Address: ip_addr2
                                      HA Address: ip_addr3
                              Node 2: LAN/LAN1 Address: ip_addr4
                                      HA Address: ip_addr5
                              Virtual Router ID: number
Admin Account Password        Change Admin Password: (select), string3
Time Settings                 Enable NTP: (select)
                              NTP Server List: ip_addr6 (click Add)
                              Time zone: (choose the time zone for the location of the appliance)
HA Master Node 2
1. On your management system, open a new browser window, and connect to https://ip_addr, where ip_addr is the
address of the LAN or LAN1 port on Node 2.
2. Log in using the default user name and password admin and infoblox.
The Infoblox NIOS Startup Wizard appears.
3. Beginning on the third wizard screen, enter the following to set up Node 2 (the variables are explained in the
previous section for Node 1):
4. After completing the wizard, close the management window.
The setup of the HA master is complete. From now on, when you make an HTTPS connection to the HA pair, use
the VIP address.
Creating a Single Grid Master
Although using an HA master is ideal because of the hardware redundancy it provides, you can also use a single
appliance as the grid master. You cannot configure a NIOS virtual appliance as a grid master.
Setting up an appliance as a single grid master is very easy. If the appliance has the DNSone package with the
Keystone upgrade, it is already a grid master. You simply need to define the network settings for its LAN or LAN1 port.
The various procedures for defining the network settings for the LAN or LAN1 port of a single independent appliance
apply here as well; that is, you can use any of the following procedures to define the network settings for the LAN or
LAN1 port of the appliance that you want to make a single grid master:
LCD: see Method 1 Using the LCD on page 234.
Console port: see Method 2 Using the CLI on page 234.
You can also use the Infoblox NIOS Startup Wizard and the Infoblox Grid Manager to create a single grid master. In
addition to providing a simple method accompanied by helpful information, the startup wizard allows you to change
the admin password and configure time settings for the appliance. Through the GUI, you can configure other settings
(although the configuration presented here covers just the basics):
Infoblox NIOS Startup Wizard: see Using the Startup Wizard on page 285.
Infoblox Grid Manager: see Using the Infoblox GUI on page 286.
Startup wizard entries for Node 2 of the HA master (the screens referenced in step 3 of HA Master Node 2):

    Wizard screen               Enter or select
    Deployment Type             Grid Master or Member
    License Validation          Check that a Keystone license is installed.
    Grid Master or Member       Grid Master
    Single or HA Grid Master    HA Grid Master; Node 2
    Node 2 Network Settings     IP Address: ip_addr4
                                Netmask: netmask
                                Gateway: ip_addr1
    Grid Properties             Master's IP Address: vip_addr
                                Grid Name: string1
                                Shared Secret: string2
Using the Startup Wizard
To create a single grid master using the Infoblox NIOS Startup Wizard:
1. Connect the power cable from the NIOS appliance to a power source and turn on the power.
2. Connect an ethernet cable from the LAN (or LAN1) port on the appliance to a switch on the network.
Note: The ethernet ports on the Infoblox-550, -1050, -1550, and -1552 appliances are autosensing, so you can
use either a straight-through or cross-over ethernet cable for this connection. For the Infoblox-500, -1000,
and -1200 appliances, use a straight-through ethernet cable.
3. If you have not changed the default IP address (192.168.1.2/24) of the LAN or LAN1 port through the LCD or CLI,
and the subnet to which you connect the appliance does not happen to be 192.168.1.0/24, put your
management system in the 192.168.1.0/24 subnet and connect an ethernet cable between your management
system and the NIOS appliance.
4. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port. To reach the
default IP address, enter: https://192.168.1.2 .
Several certificate warnings appear during the login process. This is expected: the preloaded certificate is
self-signed (and therefore is not in the trusted certificate stores of your browser, Java application, or Java
Web Start application) and carries the hostname www.infoblox.com, which does not match the IP address you
entered in this step. Because the browser cannot tell this certificate from one presented by a machine in the
path, and because this first session carries the default admin credentials, perform the initial login from a
directly attached or otherwise trusted network segment. To stop the warnings from occurring each time you log in
to the GUI, generate a new self-signed certificate or import a third-party certificate with a common name that
matches the FQDN (fully qualified domain name) of the appliance. This is a simple process. For information about
certificates, see Managing Certificates on page 48.
5. Click LAUNCH GRID MANAGER.
6. Log in to the NIOS appliance. The default login name and password are admin and infoblox. For detailed
information about logging in to the GUI, see Accessing the Infoblox GUI on page 38.
The Infoblox NIOS Startup Wizard appears. The first screen provides basic information about the wizard, and the
second screen displays license agreement information.
7. Beginning on the third screen, enter the following, where
string1 is the grid name, a text string that the grid master and appliances joining the grid use to identify the
grid when establishing the VPN tunnel for ensuing bloxSYNC traffic. (The default grid name is Infoblox.)
string2 is a text string that the grid master and appliances joining the grid use as a shared secret to
authenticate each other when establishing that VPN tunnel. (The default shared secret is test. Change it before
adding members: the grid name and shared secret are what an appliance presents when it joins; see Joining an
Appliance to a Grid.)
ip_addr1 and netmask are the IP address and netmask for the LAN or LAN1 port.
ip_addr2 is the IP address of the gateway for the subnet on which the LAN or LAN1 port is set.
hostname is a valid domain name for the appliance.
string3 is a single alphanumeric string (no spaces) for the admin password. Four characters is the wizard's
minimum, not a recommendation; choose a considerably longer password for this superuser account.
ip_addr3 is the IP address of an NTP (Network Time Protocol) server.
Startup wizard entries for a single grid master (continued below):

    Wizard screen               Enter or select
    Deployment Type             Grid Master or Member
    License Validation          Check that a Keystone license is installed.
    Grid Master or Member       Grid Master
    Single or HA Grid Master    Single Grid Master
    Grid Settings               Grid Name: string1
                                Shared Secret: string2
Note: The startup wizard provides options such as not changing the default password and manually entering the
time and date. However, changing the password and using an NTP server improve security and accuracy
(respectively), and so these choices are presented above.
Record and retain this information in a safe place. If you forget the shared secret, you need to contact
Infoblox Technical Support for help. When you add an appliance to the grid, you must configure it with the
same grid name, shared secret, and VPN port number that you configure on the grid master.
The last screen of the startup wizard states that the changed settings require the appliance to restart. When you
click Finish, the appliance restarts.
The setup of the single master is complete. From now on, when you make an HTTPS connection to the appliance, use
its new IP address.
Using the Infoblox GUI
To create a single grid master using the Infoblox Grid Manager GUI:
1. Connect the power cable from a NIOS appliance to a power source and turn on the power.
2. Connect ethernet cables from the LAN (or LAN1) port and the HA port on the appliance to a switch on the network.
Note: The ethernet ports on the Infoblox-550, -1050, -1550, and -1552 appliances are autosensing, so you can
use either a straight-through or cross-over ethernet cable for this connection. For the Infoblox-500, -1000,
and -1200 appliances, use a straight-through ethernet cable.
3. If you have not changed the default IP address (192.168.1.2/24) of the LAN or LAN1 port through the LCD or CLI,
and the subnet to which you connect the appliance does not happen to be 192.168.1.0/24, put your
management system in the 192.168.1.0/24 subnet and connect an ethernet cable between your management
system and the NIOS appliance.
4. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port. To reach the
default IP address, enter: https://192.168.1.2 .
Several certificate warnings appear during the login process. This is expected: the preloaded certificate is
self-signed (and therefore is not in the trusted certificate stores of your browser, Java application, or Java
Web Start application) and carries the hostname www.infoblox.com, which does not match the IP address you
entered in this step. Because the browser cannot tell this certificate from one presented by a machine in the
path, and because this first session carries the default admin credentials, perform the initial login from a
directly attached or otherwise trusted network segment. To stop the warnings from occurring each time you log in
to the GUI, generate a new self-signed certificate or import a third-party certificate with a common name that
matches the FQDN (fully qualified domain name) of the appliance. This is a simple process. For information about
certificates, see Managing Certificates on page 48.
5. Click LAUNCH GRID MANAGER.
Startup wizard entries for a single grid master (continued from step 7 of Using the Startup Wizard):

    Wizard screen               Enter or select
    Network Settings            IP Address: ip_addr1
                                Netmask: netmask
                                Gateway: ip_addr2
                                Host name: hostname
    Admin Account Password      Change Admin Password: (select), string3
    Time Settings               Enable NTP: (select)
                                NTP Server List: ip_addr3 (click Add)
                                Time zone: (choose the time zone for the location of the appliance)
6. Log in to the NIOS appliance. The default login name and password are admin and infoblox. For detailed
information about logging in to the GUI, see Accessing the Infoblox GUI on page 38.
The Infoblox NIOS Startup Wizard appears.
7. To bypass the wizard and access the Infoblox Grid Manager GUI, click Cancel or the Close button.
8. From the Grid perspective, click + (for Infoblox) -> + (for Members) -> infoblox.localdomain -> Edit -> Member
Properties.
9. In the Grid Member editor, click Node Properties, and then enter the following:
Member Type: Choose the type of appliance for the grid member. The default is Infoblox.
Note: You can configure a NIOS virtual appliance only as a grid member, not a grid master.
Host Name: Type the FQDN (fully qualified domain name) of the appliance.
(V)IP Address: Type the IP address of the LAN or LAN1 port.
Subnet Mask: Choose the netmask for the subnet to which the LAN or LAN1 port connects.
Gateway: Type the IP address of the default gateway of the subnet to which the LAN or LAN1 port connects.
Comment: Type a comment that provides some useful information about the appliance, such as its
location.
10. Click Save, and then close the management window.
11. Initiate a new management session, and log in to the appliance using its new IP address.
12. From the Grid perspective, click + (for Infoblox) -> Edit -> Grid Properties.
13. In the Grid editor, click Grid Properties, and then enter the following information:
Name: Type the name of the grid. The default name is Infoblox.
Shared Secret: Type a shared secret that all appliances must use to authenticate themselves when joining
the grid. The default shared secret is test.
Retype Shared Secret: Type the shared secret again to confirm its accuracy.
VPN Port Number: Type the port number that the grid members use when communicating with the grid
master through encrypted VPN tunnels. The default port number is 1194.
After changing the port number, you must reboot the single master or the active node of an HA master
(which forces an HA failover). From the Grid perspective, click + (for id_grid) -> + (for Members) -> master ->
Edit -> Reboot. For more information, see Port Numbers for Grid Communication on page 281.
Enable Recycle Bin: Select the check box to enable the recycle bin feature. This option is supported only for
superusers. The recycle bin stores the deleted items when the user deletes grid, DNS, or DHCP
configuration items in the GUI for the grid member. Enabling the recycle bin allows you to undo the
deletions and to restore the items on the appliance at a later time. If you do not enable the recycle bin
feature, deleted items from the GUI are permanently removed from the database.
Note: Record and retain this information in a safe place. If you forget the shared secret, you need to contact
Infoblox Technical Support for help. When you add an appliance to the grid, you must configure it with the
same grid name, shared secret, and VPN port number that you configure on the grid master.
The setup of the single master is complete. From now on, when you make an HTTPS connection to the appliance,
use its new IP address.
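Step 4 of both procedures above (Using the Startup Wizard and Using the Infoblox GUI) has you click through the certificate warnings that the factory self-signed certificate for www.infoblox.com produces. The Python script below is an added example, not part of the Infoblox guide or of NIOS. It records the SHA-256 fingerprint of the certificate you have decided to trust and checks it on every later connection, and it reproduces the browser's name check so you can see exactly why a login by IP address against a certificate for www.infoblox.com can never match. The appliance address, port and pinned fingerprint are assumptions, and the FACTORY_CERT dictionary is constructed to mirror the guide's description rather than captured from an appliance.

```python
"""Pin and check an appliance's HTTPS certificate instead of clicking past the
browser warnings.  Added example; not Infoblox code.

Record the fingerprint of the certificate you trust (the factory one, seen
over a directly attached link, or the one you later generate or import) and
compare on each connection.  Hosts, ports and pins below are assumptions.
"""
import hashlib
import hmac
import socket
import ssl


def fingerprint_from_der(der: bytes) -> str:
    """SHA-256 over the DER certificate, colon-separated as openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem: str) -> str:
    return fingerprint_from_der(ssl.PEM_cert_to_DER_cert(pem))


def pins_match(seen: str, pinned: str) -> bool:
    """Compare two fingerprints ignoring case and colons, in constant time."""
    norm = lambda s: s.replace(":", "").lower()
    return hmac.compare_digest(norm(seen), norm(pinned))


def hostname_matches(cert: dict, host: str) -> bool:
    """Does the certificate name the host you connected to?

    `cert` has the shape returned by ssl.SSLSocket.getpeercert().  SAN DNS
    entries are authoritative; the subject CN is only a fallback.  A leading
    '*.' matches exactly one label.  Connecting by IP address, as the guide's
    first login does, never matches a DNS name.
    """
    host = host.lower().rstrip(".")
    names = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    for name in names:
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate without trusting it.  Verification is off on
    purpose: the pin comparison, not the CA store, is what decides here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_appliance(host: str, pinned_fp: str, port: int = 443) -> bool:
    """True only if the certificate the appliance presents now is the pinned one."""
    return pins_match(fingerprint_from_der(fetch_der(host, port)), pinned_fp)


# Constructed to mirror the guide's description of the factory certificate
# (subject CN www.infoblox.com); not captured from a real appliance.
FACTORY_CERT = {"subject": ((("commonName", "www.infoblox.com"),),)}

if __name__ == "__main__":
    print("factory cert vs 192.168.1.2:", hostname_matches(FACTORY_CERT, "192.168.1.2"))
    # Live check (assumed VIP and a made-up pin; replace both):
    # print(verify_appliance("10.0.1.10", "AA:BB:...:FF"))
```

Use the live `verify_appliance` call from a management host each time before you log in: a fingerprint change that you did not cause (by generating or importing a certificate yourself) means you are not talking to the appliance you configured.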
Adding Grid Members
You can add single appliances and HA pairs to a grid, forming single members and HA members respectively. A single
grid member can be either an Infoblox appliance or a NIOS virtual appliance. NIOS virtual appliances do not support
configuration as an HA pair, a grid master, or a grid master candidate.
You can also define an HA member on the grid master and then add two individual appliances to the grid as Node 1
and Node 2 to complete the HA member you defined on the master.
The process for adding either a single appliance or HA pair to a grid involves three steps:
1. Configuring the member on the grid master. In addition to defining the network and appliance settings for a
member, you can also configure service settings before you join the appliance or HA pair to the grid.
2. Defining the VIP or IP address of the grid master, the grid name, and the shared secret on the single appliance or
HA pair.
3. Joining the appliance or HA pair to the grid. If an appliance or HA pair cannot join the grid because of MTU
(maximum transmission unit) limitations on its network link, you can reduce the MTU that the master uses when
communicating with it. See Setting the MTU for VPN Tunnels on page 308.
Note: New members inherit all settings that you create at the grid level unless you override them at the member
level.
If you want to preserve some or all of the configuration and data on an appliance or HA pair after you join it to a grid,
you can use the merge function. For information about merging data from an appliance or HA pair to a grid, see
Backing Up and Restoring a Configuration File on page 222.
Adding a Single Member
The basic steps necessary to add a single member are as follows:
1. Define the network settings of the LAN port of the single appliance on the grid master.
2. Define the VIP or IP address of the grid master, the grid name, and the shared secret on the single appliance.
3. Initiate the join grid operation.
In addition, you can configure on the grid master the service settings such as DNS zones and records, DHCP networks
and address ranges, and so on for a member before or after you join the appliance to the grid. The basic steps for
adding a single member are presented below.
For information on how to configure a NIOS virtual appliance as a grid member, refer to the Quick Start Guide for
Installing NIOS Software on Riverbed Services Platforms.
Configuring the Single Member on the Grid Master
1. Log in to the grid master as a superuser.
2. From the Grid perspective, click id_grid -> Edit -> Add Grid Member.
3. In the Add Grid Member editor, click Node Properties, and then enter the following:
Host Name: Type the FQDN (fully qualified domain name) of the appliance.
(V)IP Address: Type the IP address of the LAN or LAN1 port.
Subnet Mask: Choose the netmask for the subnet to which the LAN or LAN1 port connects.
Gateway: Type the IP address of the default gateway of the subnet to which the LAN or LAN1 port connects.
Comment: Type a comment that provides some useful information about the appliance, such as its
location.
4. Click the Save icon to add the single member to the grid.
Joining an Appliance to a Grid
1. Log in to the appliance that you want to add to the grid. The appliance must be online and able to reach the grid
master.
2. From the Grid perspective, click + (for id_grid) -> + (for Members) -> hostname -> Edit -> Join Grid.
3. In the Join Grid dialog box, enter the following:
Virtual IP of Grid Master: Type the VIP address of the HA grid master or the LAN address of the single grid
master for the grid to which you want to add the appliance.
Grid Name: Type the name of the grid.
Grid Shared Secret: Type the shared secret of the grid.
Retype Grid Shared Secret: To ensure accuracy, retype the shared secret.
Use MGMT port to join grid: If you have already enabled the MGMT port (see Grid Communications on page
139), this option becomes available. Select it to connect to the grid through the MGMT port.
4. Click OK to begin the join operation.
5. To confirm that the appliance has successfully joined the grid, log in to the grid master and from the Grid
perspective, click + (for id_grid) -> + (for Members), and check the icon in the Status column (green = the
appliance has joined the grid and is functioning properly; yellow = the appliance is in the process of joining the
grid; red = the appliance has not joined the grid). Also, select the member, and then click View -> Detailed Status.
Note: You can also use the set network command to join an appliance to a grid.
Adding an HA Member
Note: You cannot add a NIOS virtual appliance as an HA member.
The basic steps necessary to add an HA member are as follows:
1. Define the network settings of the HA pair on the grid master.
2. Define the VIP or IP address of the grid master, the grid name, and the shared secret on the HA pair.
3. Initiate the join grid operation.
In addition, on the grid master you can configure the service settings such as DNS zones and records, DHCP networks
and address ranges, and so on for a member before or after you join the HA pair to the grid. The basic steps for adding
an HA member are presented below.
Note: The procedure for adding an HA pair to a grid when it uses the MGMT port of the active node for grid
communications differs slightly from that described below. See Grid Communications on page 139.
Configuring the HA Member on the Grid Master
1. Log in to the grid master as a superuser.
2. From the Grid perspective, click id_grid -> Edit -> Add Grid Member.
3. In the Add Grid Member editor, click Node Properties, and then enter the following:
Host Name: Type the FQDN (fully qualified domain name) for the HA member.
(V)IP Address: Type the VIP (virtual IP) address for the HA member.
Subnet Mask: Choose the netmask for the subnet to which the VIP address connects.
Gateway: Type the IP address of the default gateway of the subnet to which the VIP address connects.
Comment: Type a comment that provides some useful information about the HA member, such as its
location.
HA Pair: (select)
Virtual Router ID: Enter a VRID number from 1 to 255 that is unique on the local subnet.
Master Candidate: Select the check box if you want to be able to promote the HA member to that of grid
master (see Promoting a Master Candidate on page 309). Clear the check box if you want the HA member to
be a regular member (that is, a member that is not and cannot be a grid master). If you want the HA member
to use the MGMT port of its active node for grid communications, it cannot be a master or master candidate.
Note: The VIP address and the IP addresses for all the following ports must be in the same subnet.
Node #1:
LAN Address: Enter an IP address for the LAN (or LAN1) port of Node 1.
HA Address: Enter an IP address for the HA port of Node 1.
Node #2:
LAN Address: Enter an IP address for the LAN (or LAN1) port of Node 2.
HA Address: Enter an IP address for the HA port of Node 2.
4. Click the Save icon to add the HA member to the grid.
Joining an HA Pair to a Grid
1. Log in to the HA pair that you want to add to the grid. The HA pair must be online and able to reach the grid master.
2. From the Grid perspective, click + (for id_grid) -> + (for Members) -> hostname -> Edit -> Join Grid.
3. In the Join Grid dialog box, enter the following:
Virtual IP of Grid Master: Type the VIP address of the HA grid master or the LAN address of the single grid
master for the grid to which you want to add the HA pair.
Grid Name: Type the name of the grid.
Grid Shared Secret: Type the shared secret of the grid.
Retype Grid Shared Secret: To ensure accuracy, retype the shared secret.
Use MGMT port to join grid: If you have already enabled the MGMT port (see Grid Communications on page
139), this option becomes available. Select it to connect to the grid through the MGMT port of the active
node of the HA pair.
4. Click OK to begin the join operation.
5. To confirm that the HA pair has successfully joined the grid, log in to the grid master and from the Grid
perspective, click + (for id_grid) -> + (for Members), and check the icon in the Status column (green = the HA pair
has joined the grid and is functioning properly; yellow = the HA pair is in the process of joining the grid; red = the
HA pair has not joined the grid). Also, select the member, and then click View -> Detailed Status.
Configuration Example: Configuring a Grid
In this example, you configure seven NIOS appliances in a grid serving internal DHCP and DNS for an enterprise with
the domain name corp100.com. There are three sites: HQ and two branch offices. A hub-and-spoke VPN tunnel
system connects the sites, with HQ at the hub. The distribution and roles of the NIOS appliances at the three sites
are as follows:
HQ site (four appliances in two HA pairs):
    HA grid master: hidden primary DNS server
    HA member: secondary DNS server and DHCP server for HQ
Site 1 (two appliances in an HA pair): HA member; secondary DNS server and DHCP server for Site 1
Site 2 (one appliance): single member; secondary DNS server and DHCP server for Site 2
Note: When adding Infoblox-1050, -1550, and -1552 appliances to an existing grid, you must first upgrade the grid
to DNSone 3.2r9 or later.
To create a grid, you first create a grid master and then add members. The process involves these three steps:
1. Configuring two appliances at HQ as the grid master. See Create the Grid Master on page 293.
2. Logging in to the grid master and defining the members that you want to add to the grid; that is, you configure
grid member settings on the grid master in anticipation of later joining those appliances to the grid. See Define
Members on the Grid Master on page 295.
3. Logging in to the individual appliances and configuring them so that they can reach the grid master over the
network and join the grid. See Join Appliances to the Grid on page 296.
After creating the grid and adding members, you use the Data Import Wizard to import DHCP and DNS data from
legacy servers. See Import DHCP Data on page 298 and Import DNS Data on page 299.
Finally, you transition DHCP and DNS service from the legacy servers to the Infoblox grid members. See Enable DHCP
and Switch Service to the Grid on page 303.
Figure 9.13 Network Diagram

The diagram shows the following. The sites are joined by VPN tunnels through firewalls across the Internet, the NTP
server is 3.3.3.3, and all Infoblox appliances are in the Pacific time zone.

HQ Site
    Zones: corp100.com, lab.corp100.com
    Networks and DHCP address ranges: 10.0.1.0/24 (10.0.1.50 - 10.0.1.200); 10.0.15.0/24 (10.0.15.50 - 10.0.15.200)
    Legacy hidden primary DNS server: ns1.corp100.com, 10.0.1.5
    Legacy secondary DNS server: ns2.corp100.com, 10.0.2.5; legacy DHCP server: 10.0.2.20
    Grid master (HA pair): ns1.corp100.com, VIP 10.0.1.10, VRID 143; hidden primary DNS server
    HA grid member: ns2.corp100.com, VIP 10.0.2.10, VRID 210; secondary DNS server and DHCP server

Branch Office: Site 1
    Zone: site1.corp100.com
    Network and DHCP address range: 10.1.1.0/24 (10.1.1.50 - 10.1.1.200)
    Legacy secondary DNS server: ns3.site1.corp100.com, 10.1.1.5; legacy DHCP server: 10.1.1.20
    HA grid member: ns3.site1.corp100.com, VIP 10.1.1.10, VRID 111; secondary DNS server and DHCP server

Branch Office: Site 2
    Zone: site2.corp100.com
    Network and DHCP address range: 10.2.1.0/24 (10.2.1.50 - 10.2.1.200)
    Legacy secondary DNS server: ns4.site2.corp100.com, 10.2.1.5; legacy DHCP server: 10.2.1.20
    Single grid member: ns4.site2.corp100.com, LAN 10.2.1.10; secondary DNS server and DHCP server

Cable All Appliances to the Network and Turn On Power
Cable the NIOS appliances to network switches. After cabling each appliance to a switch and connecting it to a power
source, turn on the power. For information about installing and cabling the appliance, refer to the user guide or
installation guide that ships with the product.
1. At HQ and Site 1, connect ethernet cables from the LAN1 and HA ports on the appliances in each HA pair to a
switch, connect the appliances to power sources, and turn on the power for each appliance.
Note: When connecting the nodes of an HA pair to a power source, connect each node to a different power
source if possible. If one power source fails, the other might still be operative.
2. At Site 2, connect an ethernet cable from the LAN1 port on the single appliance to a switch, connect the appliance
to a power source, and turn on the power for that appliance.
Create the Grid Master
Configure two appliances at HQ to be the two nodes that make up the HA pair forming the grid master.
Grid Master Node 1
1. By using the LCD or by making a console connection to the appliance that you want to make Node 1 of the HA pair
for the grid master, change the default network settings of its LAN1 port to the following:
IP Address: 10.0.1.6
Netmask: 255.255.255.0
Gateway: 10.0.1.1
2. Connect your management system to the HQ network, open a browser window, and connect to https://10.0.1.6.
3. Log in using the default user name and password admin and infoblox.
The Infoblox Appliance Startup Wizard opens.
4. Enter the following to set up Node 1 of the HA pair:
When you click Finish, the Infoblox GUI application restarts. Close the browser window, leaving the JWS (Java
Web Start) login window open.
Startup wizard entries for Node 1 of the grid master (step 4):

    Wizard screen        Enter
    Deployment type      Grid master/member
    License validation   Check that a Keystone license is installed.
    Grid type            Grid master
    HA node type         First HA node
    Grid information     Grid Name: corp100
                         Shared Secret: Mg1kW17d
    Node information     Virtual IP: 10.0.1.10
                         Subnet Mask: 255.255.255.0
                         Gateway: 10.0.1.1
                         Host Name: ns1.corp100.com
                         Node 1: LAN1 Address: 10.0.1.6
                                 HA Address: 10.0.1.7
                         Node 2: LAN1 Address: 10.0.1.8
                                 HA Address: 10.0.1.9
                         Virtual Router ID: 143
    Default password     New admin password: 1n85w2IF
    Time settings        Enable NTP: Select check box.
                         IP address: 3.3.3.3
                         Time zone: (UTC-08:00) Pacific Time (US and Canada), Tijuana
Grid Master Node 2
1. By using the LCD or by making a console connection to the appliance that you want to make Node 2 of the HA pair
for the grid master, change the default network settings of its LAN1 port to the following:
IP Address: 10.0.1.8
Netmask: 255.255.255.0
Gateway: 10.0.1.1
2. In the JWS login window, type 10.0.1.8 in the Hostname field.
3. Log in using the default user name and password admin and infoblox.
4. When the Infoblox Appliance Startup Wizard opens, enter the following to set up Node 2 of the HA pair:
5. Confirm the configuration, and then on the last screen of the wizard, click Finish.
The HTTPS session terminates, but the JWS login window remains open.
6. In the JWS login window, type 10.0.1.10 (the VIP address for the grid master) in the Hostname field.
7. Log in using the default user name admin and the password 1n85w2IF.
8. To check the status of the two nodes forming the grid master, from the Grid perspective, click + (for corp100) ->
+ (for Members) -> 10.0.1.10. Check that the status indicators are all green in the Detailed Status panel.
During the joining process, an appliance passes through the following four phases:
1. Offline: the state when a grid member (in this case, the second node of the HA pair composing the grid master)
is not in contact with the active node of the master.
2. Connecting: the state when an appliance matching a member configuration contacts the master to join the grid
and negotiates secure communications and grid membership.
3. Synchronizing: the master transmits its entire database to the member.
4. Running: the state when a member is in contact with the master and is functioning properly.
Note: Depending on the network connection speed and the amount of data that the master needs to synchronize
with the member, the process can take from several seconds to several minutes to complete.
Startup wizard entries for Node 2 of the grid master (step 4):

    Wizard screen        Enter
    Deployment type      Grid master/member
    License validation   Check that a Keystone license is installed.
    Grid node type       Grid master
    HA node type         Second HA node
    Node information     IP Address: 10.0.1.8
                         Subnet Mask: 255.255.255.0
                         Gateway: 10.0.1.1
    Node provisioning    Master's Virtual IP: 10.0.1.10
                         Grid Name: corp100
                         Shared Secret: Mg1kW17d
Define Members on the Grid Master
Before logging in to and configuring the individual appliances that you want to add to the grid, define them first on
the grid master.
HQ Site HA Member
1. On the grid master, open the Grid perspective, and then click corp100 -> Edit -> Add Grid Member.
2. In the Add Grid Member editor, click Node Properties, and then enter the following:
Host Name: ns2.corp100.com
(V)IP Address: 10.0.2.10
Subnet Mask: /24 (255.255.255.0)
Gateway: 10.0.2.1
Comment: HQ Site - ns2.corp100.com
HA Pair: Select check box.
Virtual Router ID: 210
Node 1:
LAN Address: 10.0.2.6
HA Address: 10.0.2.7
Node 2:
LAN Address: 10.0.2.8
HA Address: 10.0.2.9
3. Click the Save icon.
Site 1 HA Member
1. On the grid master, open the Grid perspective, and then click corp100 -> Edit -> Add Grid Member.
2. In the Add Grid Member editor, click Node Properties, and then enter the following:
Host Name: ns3.site1.corp100.com
(V)IP Address: 10.1.1.10
Subnet Mask: 255.255.255.0
Gateway: 10.1.1.1
Comment: Site 1 - ns3.site1.corp100.com
HA Pair: Select check box.
Virtual Router ID: 111
Node 1:
LAN Address: 10.1.1.6
HA Address: 10.1.1.7
Node 2:
LAN Address: 10.1.1.8
HA Address: 10.1.1.9
3. Click the Save icon.
Site 2 Single Member
1. On the grid master, open the Grid perspective, and then click corp100 -> Edit -> Add Grid Member.
2. In the Add Grid Member editor, click Node Properties, and then enter the following:
Host Name: ns4.site2.corp100.com
(V)IP Address: 10.2.1.10
Subnet Mask: 255.255.255.0
Gateway: 10.2.1.1
Comment: Site 2- ns4.site2.corp100.com
3. Click the Save icon.
4. Log out from the grid master by clicking File -> Logout.
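Before typing the member definitions above into Grid Manager, it is worth checking the plan against the rules this chapter states: every node address of an HA member and its gateway must lie in the VIP's subnet, the VRID must be 1 to 255 and unique on that subnet, DHCP address ranges must fall inside their network, and the factory grid name, shared secret and admin password must not survive. The Python script below is an added example, not Infoblox code and not something that runs on the appliance: it encodes those checks and runs them over the corp100.com plan from this example. The dictionary layout and the 12-character password floor are assumptions of the script; on that floor it flags the example's eight-character sample admin password.

```python
"""Pre-flight checks for a NIOS grid plan.  Added example; not Infoblox code.

Encodes the rules this chapter states: HA node addresses and the gateway in
the VIP's subnet, VRID 1-255 and unique per subnet, DHCP ranges inside their
network, and no factory defaults left in place.  The plan layout and the
12-character password floor are assumptions; the data is the corp100 example.
"""
import ipaddress
from collections import defaultdict

DEFAULT_GRID_NAME = "Infoblox"
DEFAULT_SHARED_SECRET = "test"
DEFAULT_ADMIN_PASSWORD = "infoblox"
WIZARD_MIN_PASSWORD = 4        # what the startup wizard enforces
RECOMMENDED_MIN_PASSWORD = 12  # assumption: a floor for a superuser account


def iface(addr, netmask):
    # ipaddress accepts dotted netmasks ("255.255.255.0") as well as prefixes
    return ipaddress.ip_interface(f"{addr}/{netmask}")


def check_member(m):
    """Problems with one member definition; empty list when it is consistent."""
    errs = []
    vip = iface(m["vip"], m["netmask"])
    net = vip.network
    gw = ipaddress.ip_address(m["gateway"])
    if gw not in net:
        errs.append(f"{m['host']}: gateway {gw} is not in {net}")
    used = [vip.ip]
    if m.get("ha"):
        if not 1 <= m["vrid"] <= 255:
            errs.append(f"{m['host']}: VRID {m['vrid']} is outside 1-255")
        for node in ("node1", "node2"):
            for port in ("lan", "ha"):
                a = ipaddress.ip_address(m[node][port])
                if a not in net:  # the note under Adding an HA Member
                    errs.append(f"{m['host']}: {node} {port.upper()} address {a} is not in {net}")
                used.append(a)
    for a in sorted({a for a in used if used.count(a) > 1}):
        errs.append(f"{m['host']}: address {a} is assigned more than once")
    return errs


def check_range(r):
    """A DHCP address range must start and end inside its network."""
    net = ipaddress.ip_network(r["network"])
    lo, hi = ipaddress.ip_address(r["start"]), ipaddress.ip_address(r["end"])
    if lo not in net or hi not in net:
        return [f"range {lo}-{hi} is not inside {net}"]
    if hi < lo:
        return [f"range {lo}-{hi} ends before it starts"]
    return []


def check_plan(plan):
    """All findings for a plan: credentials, then members, VRID reuse, ranges."""
    errs = []
    if plan["grid_name"] == DEFAULT_GRID_NAME:
        errs.append("grid name is still the default 'Infoblox'")
    if plan["shared_secret"] == DEFAULT_SHARED_SECRET:
        errs.append("shared secret is still the default 'test'")
    pw = plan["admin_password"]
    if pw == DEFAULT_ADMIN_PASSWORD:
        errs.append("admin password is still the default 'infoblox'")
    elif len(pw) < WIZARD_MIN_PASSWORD:
        errs.append("admin password is shorter than the wizard accepts")
    elif len(pw) < RECOMMENDED_MIN_PASSWORD:
        errs.append(f"admin password is only {len(pw)} characters; use {RECOMMENDED_MIN_PASSWORD} or more")
    vrids = defaultdict(list)  # (subnet, VRID) -> hosts claiming it
    for m in plan["members"]:
        errs += check_member(m)
        if m.get("ha"):
            vrids[(iface(m["vip"], m["netmask"]).network, m["vrid"])].append(m["host"])
    for (net, vrid), hosts in vrids.items():
        if len(hosts) > 1:
            errs.append(f"VRID {vrid} is reused on {net} by {', '.join(hosts)}")
    for r in plan.get("ranges", []):
        errs += check_range(r)
    return errs


def ha_member(host, vip, gw, vrid, lan1, ha1, lan2, ha2):
    return {"host": host, "vip": vip, "netmask": "255.255.255.0", "gateway": gw, "ha": True,
            "vrid": vrid, "node1": {"lan": lan1, "ha": ha1}, "node2": {"lan": lan2, "ha": ha2}}


# The corp100.com example from this chapter, transcribed into the assumed layout.
CORP100 = {
    "grid_name": "corp100", "shared_secret": "Mg1kW17d", "admin_password": "1n85w2IF",
    "members": [
        ha_member("ns1.corp100.com", "10.0.1.10", "10.0.1.1", 143, "10.0.1.6", "10.0.1.7", "10.0.1.8", "10.0.1.9"),
        ha_member("ns2.corp100.com", "10.0.2.10", "10.0.2.1", 210, "10.0.2.6", "10.0.2.7", "10.0.2.8", "10.0.2.9"),
        ha_member("ns3.site1.corp100.com", "10.1.1.10", "10.1.1.1", 111, "10.1.1.6", "10.1.1.7", "10.1.1.8", "10.1.1.9"),
        {"host": "ns4.site2.corp100.com", "vip": "10.2.1.10", "netmask": "255.255.255.0", "gateway": "10.2.1.1"},
    ],
    "ranges": [
        {"network": "10.0.1.0/24", "start": "10.0.1.50", "end": "10.0.1.200"},
        {"network": "10.0.15.0/24", "start": "10.0.15.50", "end": "10.0.15.200"},
        {"network": "10.1.1.0/24", "start": "10.1.1.50", "end": "10.1.1.200"},
        {"network": "10.2.1.0/24", "start": "10.2.1.50", "end": "10.2.1.200"},
    ],
}

if __name__ == "__main__":
    for finding in check_plan(CORP100) or ["plan passes all checks"]:
        print(finding)
```

Run it over your own plan before the first member is defined; a finding about an HA address outside the VIP's subnet or a reused VRID is far cheaper to fix here than after two nodes have joined and the pair refuses to come up.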
Join Appliances to the Grid
To complete the process of adding appliances to the grid, log in to and configure each individual appliance so that it
can contact the grid master.
HQ Site HA Grid Member (Node 1)
Make a console connection to the appliance that you want to make Node 1 in the HA pair, and enter the following:
    Infoblox > set network
    NOTICE: All HA configuration is performed from the GUI. This interface is used only
    to configure a standalone node or to join a grid.
    Enter IP address: 10.0.2.6
    Enter netmask [Default: 255.255.255.0]:
    Enter gateway address [Default: 10.0.2.1]:
    Become grid member? (y or n): y
    Enter Grid Master VIP: 10.0.1.10
    Enter Grid Name: corp100
    Enter Grid Shared Secret: Mg1kW17d
    New Network Settings:
        IP address:      10.0.2.6
        Netmask:         255.255.255.0
        Gateway address: 10.0.2.1
    Join grid as member with attributes:
        Grid Master VIP:    10.0.1.10
        Grid Name:          corp100
        Grid Shared Secret: Mg1kW17d
    WARNING: Joining a grid will replace all the data on this node!
    Is this correct? (y or n): y
    Are you sure? (y or n): y
As the transcript shows, the CLI echoes the grid shared secret in clear text both as you type it and in the summary,
so do not leave the console session in terminal scrollback or in a recorded session that others can read.
The Infoblox application restarts. After restarting, the appliance contacts the grid master and joins the grid as Node 1.
HQ Site HA Member (Node 2)
Make a console connection to the appliance that you want to make Node 2 in the HA pair, and enter exactly the same
data you entered for Node 1 except that the IP address is 10.0.2.8.
After the application restarts, the appliance contacts the grid master and joins the grid as Node 2, completing the HA
member configuration for the HQ site.
Site 1 HA Grid Member (Node 1)
Make a console connection to the appliance that you want to make Node 1 in the HA pair at Site 1, and use the set
network command to configure its basic network and grid settings. Use the following data:
IP Address: 10.1.1.6
Netmask: 255.255.255.0
Gateway: 10.1.1.1
Grid Master VIP: 10.0.1.10
Grid Name: corp100
Grid shared secret: Mg1kW17d
The Infoblox application restarts. After restarting, the appliance contacts the grid master and joins the grid as Node 1.
Site 1 HA Grid Member (Node 2)
Make a console connection to the appliance that you want to make Node 2 in the HA pair at Site 1, and enter exactly
the same data you entered for Node 1 except that the IP address is 10.1.1.8.
After the application restarts, the appliance contacts the grid master and joins the grid as Node 2, completing the HA
member configuration for Site 1.
Site 2 Single Grid Member
Make a console connection to the single appliance at Site 2, and use the set network command to configure its
basic network and grid settings. Use the following data:
IP Address: 10.2.1.10
Netmask: 255.255.255.0
Gateway: 10.2.1.1
Grid Master VIP: 10.0.1.10
Grid name: corp100
Grid shared secret: Mg1kW17d
The Infoblox application restarts. After restarting, the appliance contacts the grid master and joins the grid.
To check the status of all the grid members, log in to the grid master at 10.0.1.10, and from the Grid perspective, click
+ (for corp100) -> + (for Members) -> 10.0.1.10. Check that the status indicators are all green in the Detailed Status
panel. As an appliance joins a grid, it passes through the following phases: Offline, Connecting, (Downloading
Release from Master), Synchronizing, and Running.
Note: Depending on the network connection speed and the amount of data that the master needs to synchronize
with the member, the process of joining a grid can take from several seconds to several minutes to complete.
The grid setup is complete.
Deploying a Grid
298 Infoblox Administrator Guide (Rev. A) NIOS 4.3r1
Import DHCP Data
The Data Import Wizard is a software tool that you can download from the Infoblox Support site to your management
system. With it, you can import data from legacy DHCP and DNS servers to NIOS appliances. In this example, you use
it to import both DHCP and DNS data to the grid master at 10.0.1.10, which then uses the database replication
mechanism to send the imported data to other grid members. In the wizard, you also specify which grid members
serve the imported data. The wizard supports various types of DHCP formats, such as the following:
ISC DHCP
Lucent VitalQIP
Microsoft
Nortel NetID
CSV (comma-separated values); you can also import IPAM data in CSV format
In this example, all the DHCP data is in standard ISC DHCP format.
Note: Before using the Data Import Wizard, you must make an initial connection to the Infoblox GUI using JWS (Java
Web Start), which downloads to your management system the Java application files that you need to run the
wizard. Because you used JWS in Create the Grid Master on page 293, you already have the necessary files
installed.
Importing DHCP Data for HQ and Site 2
1. Save the DHCP configuration file from your legacy DHCP server at 10.0.2.20 to a local directory.
2. Visit www.infoblox.com/support, log in with your support account, and download the Data Import Wizard. The
Data Import Wizard application downloads to a container within a Java sandbox on your management system and
immediately launches, displaying the Welcome page.
3. After reading the information in the left panel, click Next.
4. Select Import to Infoblox Appliance, enter the following, and then click Next:
Hostname or IP address: 10.0.1.10
Username: admin
Password: 1n85w2IF
5. Select the following, and then click Next:
What kind of data would you like to import? DHCP/IPAM
Which legacy system are you importing from? ISC DHCP
Which appliance will be serving this data? 10.0.2.10
6. Type the path and file name of the DHCP configuration file saved from the legacy server, and then click Next.
or
Click Browse, navigate to the file, select it, click Open, and then click Next.
7. In the Global DHCP Configuration table, double-click the Value cell for the domain-name-servers row, and change
the IP addresses to 10.0.2.10.
8. When satisfied with the data, click Import.
You can view the status of the importation process and a summary report in the Data Import Wizard Log.
9. To enable DDNS updates, log in to the grid master, open the DHCP and IPAM perspective and click DHCP
Members -> corp100 -> Edit -> Grid DHCP Properties.
10. In the Grid DHCP Properties editor, click DNS Updates.
11. Select Enable dynamic DNS updates, and then click OK.
12. Click the Save and Restart Services icons.
13. To check the imported DHCP configuration file, click DHCP Members -> + (for corp100) -> 10.0.2.10 -> View -> DHCP
Configuration.
14. In the DHCP configuration file, check that all the imported subnets are present, and navigate to the beginning of
the file and check that you see the ddns-updates on statement. (If you see ddns-updates off, enable
DDNS updates for the grid as explained in steps 9-12.)
Importing DHCP Data for Site 1
1. Repeat the steps in Importing DHCP Data for HQ and Site 2, saving the DHCP configuration file from your legacy
DHCP server at 10.1.1.20, and importing it to the grid master at 10.0.1.10 for the member with IP address
10.1.1.10 to serve.
2. Check the imported DHCP configuration file by logging in to the grid master and from the DHCP and IPAM
perspective, click DHCP Members -> + (for corp100) -> 10.1.1.10 -> View -> DHCP Configuration.
Importing DHCP Data for Site 3
1. Repeat the steps in Importing DHCP Data for HQ and Site 2, saving the DHCP configuration file from your legacy
DHCP server at 10.1.1.20, and importing it to the grid master at 10.0.1.10 for the member with IP address
10.3.1.10 to serve.
2. After the importation process completes, check the imported DHCP configuration file by logging in to the grid
master and from the DHCP and IPAM perspective, click DHCP Members -> + (for corp100) -> 10.3.1.10 -> View ->
DHCP Configuration.
Import DNS Data
Using the Infoblox Data Import Wizard, import DNS data from the legacy hidden primary server at 10.0.1.5 to the new
hidden primary server at 10.0.1.10 (the grid master). There are three phases to this task:
Before Using the Wizard on page 299:
Save the named.conf file from the legacy server to a file in a local directory on your management system.
Enable the legacy server to perform zone transfers to the NIOS appliance.
Configure three name server groups for the grid, and allow the grid master/hidden primary DNS server at
10.0.1.10 to receive DDNS updates from the grid members at 10.0.2.10, 10.1.1.10, and 10.3.1.10. These
members act as secondary DNS servers and DHCP servers.
Using the Wizard on page 300: Define the source, destination, and type of DNS data in the DNS configuration
file (named.conf) that you want to import.
After Using the Wizard on page 302: Check the imported DNS configuration file.
In this example, all the DNS data is in BIND 9 format. The Data Import Wizard supports various types of DNS formats,
such as the following:
BIND 4, 8, and 9
Microsoft
Lucent VitalQIP
Nortel NetID
Before Using the Wizard
You must set up the legacy server and grid master before using the Data Import Wizard.
Legacy Server
1. Log in to the legacy name server at 10.0.1.5 and save the named.conf file, which contains all the DNS settings
that you want to import into the Infoblox name server, to a local directory on your management system.
2. On the legacy server, enable zone transfers to the NIOS appliance.
Infoblox Grid Master DDNS Updates
1. Log in to the grid master at 10.0.1.10, open the DNS perspective and click DNS Members -> + (for corp100) ->
10.0.1.10 -> Edit -> Member DNS Properties.
2. In the Member DNS Properties editor, click Updates and enter the following:
Override grid update settings: Select check box.
Allow dynamic updates from: Click Add.
3. In the Dynamic Updater Item dialog box, enter the following, and then click OK:
IP Address Option: Select this option, and enter 10.0.2.10 in the adjacent field.
Permission: Allow
4. Click the Save icon.
5. Repeat steps 2 to 4 to add 10.1.1.10 and 10.2.1.10 as IP addresses from which you allow DDNS updates.
Note: When all DNS servers are members in the same grid, the members use database replication to synchronize all
their data, including DNS zone data. You can change the default behavior so that grid members use zone
transfers instead. In this example, grid members use database replication.
Infoblox Grid Master Name Server Groups
1. From the DNS perspective, click DNS Members -> corp100 -> Edit -> Grid DNS Properties.
2. In the Grid DNS Properties editor, click Name Server Groups -> Add, to open the Grid Name Server Group dialog
box.
3. Enter the following:
Name Server Group Name: HQ-Group
Grid Primary: ns1.corp100.com; Stealth: Select check box.
Grid Secondaries: Click Add -> Select Member, select ns2.corp100.com in the Select Grid Member dialog
box, and then click OK. Select Grid replication (recommended), and then click OK to close the Name Server
Group Member Secondary dialog box and return to the Grid Name Server Group dialog box.
4. Click OK to close the Grid Name Server Group dialog box.
5. Repeat steps 2 to 4 to create another group. Name it Site1-Group, and use ns1.corp100.com as the hidden
primary server, ns3.site1.corp100.com as a secondary server, and grid replication for zone updates.
6. Repeat steps 2 to 4 to create another group. Name it Site2-Group, and use ns1.corp100.com as the hidden
primary server, ns4.site2.corp100.com as a secondary server, and grid replication for zone updates.
7. Click the Save and Restart Services icons.
Using the Wizard
While progressing through the Data Import Wizard, you must define the source, destination, and type of DNS data
that you want to import. You then make some simple modifications to the data and import it.
Defining the Source, Destination, and Type of DNS Data
1. Launch the Data Import Wizard.
2. After reading the information in the left panel of the welcome page, click Next.
3. Select Import to Infoblox Appliance, enter the following, and then click Next:
Hostname or IP address: 10.0.1.10
Username: admin
Password: 1n85w2IF
The Data Import Wizard Log opens in a separate window behind the wizard. Leave it open while you continue.
4. Select the following, and then click Next:
What kind of data would you like to import? DNS
Which legacy system are you importing from? BIND 9
Which appliance will be serving this data? 10.0.1.10
5. Select the following, and then click Next:
What BIND 9 DNS configuration file would you like to use? Click Browse, navigate to the named.conf file you
saved from the legacy server, select it, and then click Open.
What type of BIND 9 DNS data do you want to import? DNS zone information and DNS record data
Where is the BIND 9 DNS record data? Zone transfer(s) from a DNS server; 10.0.1.5
The wizard displays two tables of data. The upper table contains global DNS server configuration parameters.
The lower table contains zone configurations.
The Data Import Wizard Log presents a summary listing the number of views, zones, and DNS records in the
configuration file.
Modifying DNS Data
While importing data from the legacy DNS server, you cancel the importation of global configuration settings, and
apply the name server groups you created in Before Using the Wizard on page 299 to the zones you want to import.
1. In the Global DNS Configuration table, select all rows by clicking the top row and then SHIFT+clicking the bottom
row.
2. Right-click the selected rows to display the Set Import Options dialog box, select Do not import, and then click
Apply.
3. In the DNS Zones table, clear the Import check box for the default view.
4. Select corp100.com, lab.corp100.com and all the corresponding reverse-mapping zones.
Tip: You can use SHIFT+click to select multiple contiguous rows and CTRL+click to select multiple
noncontiguous rows.
5. Right-click the selected rows, and then select Set Import Options.
6. In the Set Import Options dialog box, enter the following, and then click Apply:
Set Zone Type: No change
Set Import Option: No change
Set View: default
Set Member: HQ-Group master
7. Select site1.corp100.com and all the reverse-mapping zones with 1 in the second octet in the zone name
(1.1.10.in-addr.arpa, 2.1.10.in-addr.arpa, 3.1.10.in-addr.arpa, and so on).
8. Right-click the selected rows, and select Set Import Options.
9. In the Set Import Options dialog box, make the same selections as in Step 6, but choose Site1-Group master
from the Set Member drop-down list.
10. Similarly, select site2.corp100.com and all the reverse-mapping zones with 2 in the second octet in the zone
name.
11. Right-click the selected rows, and select Set Import Options.
12. In the Set Import Options dialog box, make the same selections as in Step 6, but choose Site2-Group master
from the Set Member drop-down list.
Importing DNS Data
1. Click Import.
The wizard imports the global DNS parameters and zone-specific configuration settings from the named.conf
file and performs a zone transfer of the data from the legacy server.
2. Use the Data Import Wizard Log to monitor progress and review results afterward.
The log lists all the zones that the wizard imports and concludes with a total of all the successfully and
unsuccessfully imported zones.
Note: If the wizard is unable to import a zone, an error message with an explanation appears in the log.
3. To close the Data Import Wizard, click Exit. This closes the Data Import Wizard Log as well.
After Using the Wizard
After you import data, you must restart services on the grid master and delete the A records for the legacy servers
from the corp100.com zone. You can also confirm that the imported data is correct and complete by checking the DNS
configuration and the forward- and reverse-mapping zones.
1. Log in to the grid master (10.0.1.10), and then click the Restart Services icon.
Note: When importing data through the wizard rather than entering it through the GUI, the Restart Services icon
does not change to indicate you must restart service for the appliance to apply the new data. Still,
restarting service on the grid master is necessary for the imported configuration and data to take effect.
2. To remove A records for the legacy servers, from the DNS perspective, click Infoblox Views -> + (for Infoblox Views)
-> + (for default) -> + (for Forward Mapping Zones) -> corp100.com.
3. CTRL+click the following A records in the corp100.com zone, and then click Edit -> Remove Multiple:
ns1 (for 10.0.1.5)
ns2 (for 10.0.2.5)
ns3.site1.corp100 (for 10.1.1.5)
ns4.site3.corp100 (for 10.2.1.5)
4. Remove the respective A records for legacy servers from the site1.corp100 and site3.corp100 subzones.
5. To check the imported DNS configuration file, from the DNS perspective, click DNS Members -> + (for corp100) ->
10.0.1.10 -> View -> DNS Configuration.
Note: If you do not see the imported DNS configuration file, make sure you enabled DNS and restarted services.
6. Scroll through the DNS configuration log to check that each imported zone has an allow-update statement like
the following one for the 10.1.10.in-addr.arpa reverse-mapping zone:
zone "10.1.10.in-addr.arpa" in {
allow-update { key DHCP_UPDATER; 10.0.2.10; 10.1.1.10; 10.2.1.10; };
};
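The two post-import checks above (step 14 of Importing DHCP Data, which looks for the ddns-updates on statement, and step 6 here, which looks for an allow-update statement on every zone) can be scripted instead of eyeballed. The following is an added example and is not Infoblox code or part of the Data Import Wizard: it scans configuration text of the kind shown in the DHCP Configuration and DNS Configuration views and reports zones whose update policy is absent, open to any host, or different from the expected key and DHCP members. The sample configuration strings, the function names, and the EXPECTED_UPDATERS set are constructed for this example; the zone, key name and addresses in them are the ones used on this page.

```python
"""Added example, not Infoblox code: audit exported DHCP and DNS configuration
text after a Data Import Wizard run.  Checks that dhcpd.conf carries
'ddns-updates on' and that every zone in named.conf restricts allow-update to
the expected TSIG key and DHCP members.  All sample text below is constructed."""
from __future__ import annotations

import re

# Constructed sample of an exported DNS configuration.  The first zone is the
# page's own allow-update example; the other two show the two failure modes.
SAMPLE_NAMED_CONF = """
zone "10.1.10.in-addr.arpa" in {
    type master;
    allow-update { key DHCP_UPDATER; 10.0.2.10; 10.1.1.10; 10.2.1.10; };
};
zone "lab.corp100.com" in {
    type master;
};
zone "site1.corp100.com" in {
    type master;
    allow-update { any; };
};
"""

# Constructed sample of an exported DHCP configuration.
SAMPLE_DHCPD_CONF = """
ddns-updates on;
subnet 10.0.15.0 netmask 255.255.255.0 {
    range 10.0.15.50 10.0.15.200;
}
"""

# Updaters every imported zone should allow: the TSIG key and the three grid
# members that run DHCP (values taken from the page).
EXPECTED_UPDATERS = {"key DHCP_UPDATER", "10.0.2.10", "10.1.1.10", "10.2.1.10"}

ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)
ALLOW_UPDATE_RE = re.compile(r"allow-update\s*\{([^}]*)\}")


def zone_update_acls(named_conf: str) -> dict[str, list[str] | None]:
    """Map each zone name to its allow-update entries, or None when the zone
    has no allow-update statement at all."""
    acls: dict[str, list[str] | None] = {}
    for name, body in ZONE_RE.findall(named_conf):
        m = ALLOW_UPDATE_RE.search(body)
        if m is None:
            acls[name] = None
            continue
        # Normalise whitespace so 'key  DHCP_UPDATER' compares equal.
        acls[name] = [" ".join(e.split()) for e in m.group(1).split(";") if e.strip()]
    return acls


def audit_zones(named_conf: str, expected: set[str]) -> list[tuple[str, str]]:
    """Return (zone, problem) pairs for zones whose update policy is missing,
    open to any host, or differs from the expected updater set."""
    findings: list[tuple[str, str]] = []
    for zone, acl in zone_update_acls(named_conf).items():
        if acl is None:
            findings.append((zone, "no allow-update statement"))
        elif "any" in acl:
            findings.append((zone, "allow-update permits updates from any host"))
        else:
            missing = expected - set(acl)
            extra = set(acl) - expected
            if missing:
                findings.append((zone, f"missing updaters: {sorted(missing)}"))
            if extra:
                findings.append((zone, f"unexpected updaters: {sorted(extra)}"))
    return findings


def ddns_enabled(dhcpd_conf: str) -> bool:
    """True only when a 'ddns-updates on;' statement is present."""
    m = re.search(r"^\s*ddns-updates\s+(on|off)\s*;", dhcpd_conf, re.M)
    return m is not None and m.group(1) == "on"


if __name__ == "__main__":
    print("DDNS updates enabled:", ddns_enabled(SAMPLE_DHCPD_CONF))
    for zone, problem in audit_zones(SAMPLE_NAMED_CONF, EXPECTED_UPDATERS):
        print(f"{zone}: {problem}")
```

Run against the constructed samples, the audit passes the first zone, reports lab.corp100.com for having no allow-update statement, and reports site1.corp100.com because any host may update it. Pasting the text of the DNS Configuration view into SAMPLE_NAMED_CONF lets you check every imported zone at once rather than scrolling through the log.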
Enable DHCP and Switch Service to the Grid
Finally, you must enable DHCP service on the three grid members at 10.0.2.10, 10.1.1.10, and 10.2.1.10, and switch
DNS and DHCP service from the legacy DNS and DHCP servers to them.
1. Log in to the grid master (10.0.1.10), from the DHCP and IPAM perspective, click DHCP Members -> + (for
corp100) -> 10.0.2.10 -> Edit -> Member DHCP Properties -> General Properties, select Enable DHCP Server, and
then click the Save icon.
2. Click 10.1.1.10 -> Edit -> Member DHCP Properties -> General Properties, select Enable DHCP Server, and then
click the Save icon.
3. Click 10.3.1.10 -> Edit -> Member DHCP Properties -> General Properties, select Enable DHCP Server, and then
click the Save and Restart Services icons.
Note: DNS service is enabled by default. To confirm that it is enabled, from the DNS perspective, click DNS
Members -> + (for corp100) -> 10.0.2.10 -> Edit -> Member DNS Properties -> General Properties, and make
sure the Enable DNS Server check box is selected.
The grid members are ready to serve DHCP and DNS, and send DDNS updates.
4. Take the legacy DHCP and DNS servers offline.
Enabling IPv6 On a Grid Member
You can configure NIOS appliances to provide DNS services over IPv4 (Internet Protocol version 4) and IPv6 (Internet
Protocol version 6) networks. You can configure the grid member as a dual-mode name server, capable of serving DNS
data in response to both IPv4 and IPv6 queries. An IPv4 query returns an IPv4 response, while an IPv6 query returns
an IPv6 response.
Configuring a grid containing an IPv4 primary server and IPv6 secondary servers is not supported. You must
enable IPv6 on both the primary and secondary servers within the grid so that they can communicate with each
other. Infoblox highly recommends that you enable IPv6 on your grid appliances before configuring IPv6 secondaries,
forwarders, delegations, and subnets.
The NIOS appliance supports one IPv6 address on the grid member. Infoblox integrates IPv6 address management
into many of the same places where IPv4 addresses are entered. Data validation occurs on all IP address fields and
automatic validation is done to ensure proper entry of either an IPv4 address or an IPv6 address.
This section includes the following topics:
About IPv6 Addresses on page 304
Configuring IPv6 on a Grid Member on page 305
About IPv6 Addresses
An IPv6 address is a 128-bit number in colon hexadecimal notation. It consists of eight 16-bit groups of hexadecimal
digits separated by colons (example: 12ab:0000:0000:0123:4567:89ab:0000:cdef).
Figure 9.14 IPv6 Address Structure
When you enter an IPv6 address, you can use double colons to compress a contiguous sequence of zeros. You can
also omit any leading zeros in a four-hexadecimal group. For example, the complete IPv6 address
2006:0000:0000:0123:4567:89ab:0000:cdef can be shortened to 2006::123:4567:89ab:0:cdef. Note that if there
are multiple noncontiguous groups of zeros, the double colon can only be used for one group to avoid ambiguity. The
NIOS appliance displays an IPv6 address in its shortened form, regardless of its form when it was entered. For more
information about DNS for IPv6, see RFC 3596, DNS Extensions to Support IP Version 6. For more information about
DNS management options, see Managing DNS Data on page 331.
Figure 9.14 layout: Global Routing Prefix (n bits) | Subnet ID (m bits) | Interface ID (128-n-m bits). The Global
Routing Prefix and Subnet ID together form the Network Prefix; the remainder is the Interface ID.
Configuring IPv6 on a Grid Member
You can configure a grid member to support both IPv4 and IPv6 connections by configuring an IPv6 address on the
member, in addition to the standard IPv4 address.
When you enable IPv6 on a member, you can manually enter the IPv6 gateway address or enable the member to
automatically acquire the address from router advertisements. Routers periodically send router advertisements that
contain link-layer addresses and configuration parameters. A NIOS appliance that supports IPv6 can listen for router
advertisements and obtain the default gateway IP address and link MTU (maximum transmission unit). The link MTU
is the maximum packet size, in octets, that can be conveyed in one transmission unit over a link. Thus you can set
parameters on a router once and automatically propagate it to all attached hosts.
To configure the member to support IPv6:
1. Log in to the grid master as a superuser.
2. From the Grid perspective, click grid -> grid_member -> Edit -> Member Properties.
3. In the Edit Grid Member editor, click Node Properties to open up that section, and then enter the following:
Enable IPv6: Select this check box to enable IPv6 support.
(V)IP Address: Type the IPv6 address for the grid member on the interface. An IPv6 address is a 128-bit
number in colon hexadecimal notation. It consists of eight 16-bit groups of hexadecimal digits separated
by colons (example: 12ab:0000:0000:0123:4567:89ab:0000:cdef).
CIDR Prefix: Choose the CIDR netmask for the subnet to which the VIP address connects. CIDR is an
alternative to subnet masking that organizes IP addresses into subnetworks. Also known as supernetting,
CIDR allows multiple subnets to be grouped together for network routing. The prefix length can range from 0
to 128, due to the larger number of bits in the IPv6 address.
Obtain router configuration automatically: Select this check box to enable the appliance to acquire the IP
address of the default gateway and the link MTU from router advertisements. When you select this check
box, you cannot enter a gateway IP address.
Gateway: Type the IPv6 address of the default gateway of the subnet to which the VIP address connects.
Comment: Type a comment that provides some useful information about the IPv6 interface.
4. Click the Save icon.
Configuration Example: Configuring IPv6 on a Grid Member
Let us revisit the example network topology from the previous section Configuration Example: Configuring a Grid on
page 291. In the previous example, you configured seven NIOS appliances in a grid serving internal DHCP and DNS
for an enterprise with the domain name corp100.com. There were four sites: HQ and three branch offices. The
distribution and roles of the NIOS appliances at the four sites are as follows:
HQ site (four appliances in two HA pairs):
HA grid master hidden primary DNS server.
Enable this member (Node 1 and Node 2) as a dual-mode member, supporting both IPv4 and IPv6
connections.
HA member secondary DNS server and DHCP server for HQ
Site 1 (two appliances in an HA pair): HA member secondary DNS server and DHCP server for Site 1.
Site 2 (one appliance): single member secondary DNS server and DHCP server for Site 2.
For this example, let us consider only the steps required to update the HA grid master as a dual-mode appliance,
supporting both IPv4 and IPv6 connections.
Figure 9.15 Network Diagram for IPv6 Grid Member Example
To configure the grid master to support both IPv4 and IPv6:
Node 1
1. Log in to the node 1 of the grid master as a superuser.
2. From the Grid perspective, click id_grid -> ns1.corp100.com -> Edit -> Member Properties.
3. In the Edit Grid Member editor, click Node Properties to open up that section, and then enter the following:
Enable IPv6: Select the check box to enable IPv6.
(V)IP Address: Type the IPv6 address 2001::10.
CIDR Prefix: Choose /64 as the CIDR prefix.
Figure 9.15 labels (recovered from the diagram):
HQ Site: Zone corp100.com; Zone lab.corp100.com; Network 10.0.15.0/24; Address Range 10.0.15.50 - 10.0.15.200;
Network 10.0.1.0/24 (IPv4); Network 2001::/64 (IPv6).
Grid Master ns1.corp100.com: VIP 10.0.1.10 (IPv4), Gateway 10.0.1.1; VIP 2001::10 (IPv6), Gateway 2001::1;
VRID 143; Hidden Primary DNS Server. Legacy Hidden Primary DNS Server ns1.corp100.com; 10.0.1.5.
HA Grid Member ns2.corp100.com: VIP 10.0.2.10; VRID 210; Secondary DNS Server; DHCP Server.
Branch Office: Site 1: Zone site1.corp100.com; Network 10.1.1.0/24; Address Range 10.1.1.50 - 10.1.1.200.
Legacy Secondary DNS Server ns3.site1.corp100.com; 10.1.1.5 and DHCP server 10.1.1.20.
HA Grid Member ns3.site1.corp100.com: VIP 10.1.1.10; VRID 111; Secondary DNS Server; DHCP Server.
Branch Office: Site 2: Zone site2.corp100.com; Network 10.2.1.0/24; Address Range 10.2.1.50 - 10.1.1.200.
Legacy Secondary DNS Server ns4.site2.corp100.com; 10.2.1.5 and DHCP server 10.2.1.20.
Single Grid Member ns4.site2.corp100.com: LAN 10.2.1.10; Secondary DNS Server; DHCP Server.
Other labels: Internet; Firewalls; VPN Tunnel.
Gateway: Type the IPv6 gateway address 2001::1.
Comment: Type any useful comment.
4. Click the Save icon.
Node 2
1. Log in to the node 2 of the grid master as a superuser.
2. From the Grid perspective, click id_grid -> ns1.corp100.com -> Edit -> Member Properties.
3. In the Edit Grid Member editor, click Node Properties to open up that section, and then enter the following:
Enable IPv6: Select the check box to enable IPv6.
(V)IP Address: Type the IPv6 address 2001::11.
CIDR Prefix: Choose /64 as the CIDR prefix.
Gateway: Type the IPv6 gateway address 2001::1.
Comment: Type any useful comment.
4. Click the Save icon.
Managing a Grid
After you configure a grid master and add members, you might need to perform the following tasks:
Changing Grid Properties
Setting the MTU for VPN Tunnels
Removing a Grid Member
Promoting a Master Candidate on page 309
Replacing a Failed Grid Master on page 309
Changing Grid Properties
You can change a grid name, its shared secret, and the port number of the VPN tunnels that the grid uses for
communications. If you make such changes after populating a grid with members, all current members will lose grid
connectivity and you will have to rejoin them to the grid manually.
To modify the properties of a grid:
1. From the Grid perspective, click id_grid -> Edit -> Grid Properties.
2. In the Grid editor, click Grid Properties, and then enter the following:
Name: Type the name of a grid. The default name is Infoblox.
Shared Secret: Type a shared secret that all grid members use to authenticate themselves when joining the
grid. The default shared secret is test.
Retype Shared Secret: Type the shared secret again to confirm its accuracy.
VPN Port Number: Type the port number that the grid members use when communicating with the grid
master through encrypted VPN tunnels. The default port number is 1194. After changing the port number,
you must reboot the single master or the active node of an HA master (which forces an HA failover). For
more information, see Port Numbers for Grid Communication on page 281.
Enable Recycle Bin: Select the check box to enable the recycle bin feature. This option is supported only for
superusers. The recycle bin stores the deleted items when the user deletes grid, DNS, or DHCP
configuration items in the GUI for the grid member. Enabling the recycle bin allows you to undo the
deletions and to restore the items on the appliance at a later time. If you do not enable the recycle bin
feature, deleted items from the GUI are permanently removed from the database.
3. Click OK to save your changes.
4. (If necessary after changing the VPN port number) From the Grid perspective, click + (for id_grid) -> + (for
Members) -> master -> Edit -> Reboot.
Setting the MTU for VPN Tunnels
You can configure the VPN MTU (maximum transmission unit) for any appliance with a network link that does not
support the default MTU size (1500 bytes) and that cannot join a grid because of this limitation. If an appliance on
such a link attempts to establish a VPN tunnel with a grid master to join a grid, the appliance receives a PATH-MTU
error, indicating that the path MTU discovery process has failed. For information about the MTU discovery process,
see RFC 1191, Path MTU Discovery.
To avoid this problem, you can set a VPN MTU value on the grid master for any appliance that cannot link to it using
a 1500-byte MTU. When the appliance contacts the master during the key exchange handshake that occurs during
the grid-joining operation, the master sends the appliance the MTU setting to use.
To set the VPN MTU for a grid member:
1. From the Grid perspective, click + (for id_grid) -> + (for Members) -> member -> Edit -> Member Properties.
2. In the Grid Member editor, click VPN, select Set VPN MTU, and then enter a value between 600 and 1500.
3. Click the Save icon to save the VPN MTU settings for this member.
Removing a Grid Member
You might want or need to remove a member from a grid, perhaps to disable it or to make it an independent appliance
or an independent HA pair.
To remove a grid member:
1. Log in to the grid master as a superuser.
2. From the Grid perspective, click + (for id_grid) -> + (for Members) -> member -> Edit -> Remove member.
Promoting a Master Candidate
To be able to promote a master candidate, you must have previously designated a grid member as a master candidate
before anything untoward happens to the current master. When adding or modifying a grid member, select the
Master Candidate check box in the Node Properties section in the Grid Member editor for that member.
To promote a master candidate, you can make a direct serial connection to the Console port on the active node of an
HA candidate or to the Console port on a single candidate. You can also make a remote serial connection (using SSH
v2) to the candidate. Then enter the following Infoblox CLI command: set promote_master
Note: For information about making a serial connection, see Method 2 Using the CLI on page 234 and Using the
Serial Console on page 723.
To promote a master candidate, do the following:
1. Establish a serial connection (through a serial console or remote access using SSH) to the master candidate.
2. At the prompt, enter the command:
set promote_master
3. Log in to the Infoblox Grid Manager GUI on the new master using the VIP address for an HA master or the IP
address of the LAN or LAN1 port for a single master.
4. From the Grid perspective, click + (for id_grid) -> + (for Members) -> master .
5. Look at the IP address of the master in the IP Address column to ensure it is the member you promoted.
6. To verify the new master is operating properly, check the icon in the Status column. Also, select the master, and
then click View -> Detailed Status.
Replacing a Failed Grid Master
If a grid master goes down due to network issues or a power or system failure and there is no master candidate, you
can convert an existing member into a new grid master. This procedure assumes the current grid master is
inaccessible. Keep in mind that this is a disaster recovery procedure that is not part of normal appliance management
and maintenance. You must have an accessible grid member currently operating to perform this procedure.
To replace a grid master:
1. Determine which member you want to assume the grid master role. The following steps refer to the two nodes
which form an HA member. The active node is Node 1, and the passive node is Node 2. If you are unfamiliar with
using the Console port, see Method 2 Using the CLI on page 234 or Using the Serial Console on page 723.
2. Make a console connection to Node 2, and then enter the CLI command reset database
3. Make a console connection to Node 1, and then enter the CLI command set nogrid
These commands remove the HA pair from the grid and separate the two nodes that formed the HA pair. Node 1
becomes its own grid master. The result of this action is that this new grid master has all the service data as the
existing grid, but with all the member information removed.
4. Log in to the GUI of Node 1 using its LAN IP address. Configure the new master to be an HA pair. The VIP (virtual
IP) address of this HA pair will become the VIP address of the rebuilt grid. You do not need to use the same VIP
address of the failed grid master. Also, configure the grid name and shared secret.
Deploying a Grid
310 Infoblox Administrator Guide (Rev. A) NIOS 4.3r1
5. Using a serial console connected to Node 2, enter the set network command, and enter the network IP
address, netmask, and gateway settings. When prompted, join it to the new grid by entering the VIP address, grid
name, and shared secret that you set on Node 1.
6. Log in to the new grid master GUI using the grid master VIP. Add the remaining grid members to the new grid.
7. Set the DNS or DHCP properties as required.
8. Assign zones and networks for each member.
9. For each member in the grid, use the serial console to enter the reset database command. After logging back
in, enter set network, and enter the network IP address, netmask, and gateway settings. When prompted, join
it to the new grid by entering the VIP address, grid name, and shared secret that you set on the new grid master.
The grid is now rebuilt with a new grid master.
Using the Recycle Bin
You can use the recycle bin on the NIOS appliance to store deleted grid, DNS, and DHCP configuration items. Items
stored in the recycle bin can be restored to the active configuration on the appliance at a later time, or can be
permanently removed from the appliance database. If you do not use the recycle bin, the appliance deletes items
permanently from the database.
The recycle bin provides the capability to protect against major deletions of data. It is intended to provide a way to
restore data where the deletion of the object (such as a zone) would result in a major data loss.
This section discusses the following topics:
Disabling the Recycle Bin on page 310
Enabling the Recycle Bin on page 311
Viewing the Recycle Bin on page 311
Restoring Items in the Recycle Bin on page 311
Emptying the Recycle Bin on page 312
Disabling the Recycle Bin
The recycle bin is enabled by default on the NIOS appliance. You can disable the recycle bin feature globally in the
Grid perspective. If you disable the recycle bin, you can neither restore items from it nor empty it. If you do not
have superuser privileges, a warning appears prompting you to log in again as a superuser before disabling the
recycle bin.
To disable the recycle bin feature:
1. From the Grid perspective, click id_grid -> Edit -> Grid Properties.
2. In the Grid editor, click Grid Properties, and then enter the following:
Enable Recycle Bin: Deselect the check box to turn off the recycle bin feature. If you do disable the recycle
bin feature, deleted items from the GUI are permanently removed and unrecoverable.
3. Click OK to save your changes.
Enabling the Recycle Bin
You can enable the recycle bin feature globally in the Grid perspective. You must enable the recycle bin before
restoring and emptying the recycle bin from the ID Grid perspective or any other perspective. The recycle bin feature
is enabled by default on the NIOS appliance. If you do not have superuser privileges, a warning appears prompting
you to log in again as a superuser before enabling the recycle bin.
To enable the recycle bin feature for items:
1. From the Grid perspective, click id_grid -> Edit -> Grid Properties.
2. In the Grid editor, click Grid Properties, and then enter the following:
Enable Recycle Bin: Select the check box to enable the recycle bin feature. When you delete configuration
items in the GUI for the grid member, the recycle bin stores the deleted items. Enabling the recycle bin
allows you to undo the deletions and to restore the deleted items on the appliance at a later time. If you do
not enable the recycle bin feature, deleted items from the GUI are permanently removed and unrecoverable.
3. Click OK to save your changes.
Viewing the Recycle Bin
You can display the Recycle Bin panel and view all deleted items stored in the recycle bin. If you view the recycle bin
panel within the Grid perspective, all items for the grid are displayed. This includes all DHCP and DNS configuration
items. By default, records are sorted by Name. To display the Recycle Bin panel and to view the deleted configuration
items stored in the recycle bin:
1. From the Grid perspective, click id_grid -> View -> Recycle Bin. The Recycle Bin panel appears.
2. Scroll through the Recycle Bin panel pages using the page arrows located on the lower-left corner of the Recycle
Bin panel. The panel page length is set by the administrator as discussed in Authenticating Administrators on
page 101. The panel displays each item with the following information:
Name: Name of the configuration item deleted.
Object Type: Type of configuration deleted.
Parent/Container: Where the item was deleted.
Admin: Who deleted the item.
Time: When the item was deleted.
Restoring Items in the Recycle Bin
You can restore any configuration items in the recycle bin displayed in the Recycle Bin panel. The restore functionality
is available only if the recycle bin is enabled, and if an item is selected in the panel. Deleted items are stored in the
recycle bin until the recycle bin is emptied.
To restore items from the Recycle Bin panel:
1. From the Grid perspective, click grid -> View -> Recycle Bin. The Recycle Bin panel appears.
2. Select the configuration item you want to restore.
3. Click Edit -> Restore Selected Object. A warning message appears prompting you to confirm that you wish to
continue with the restore.
4. Confirm that the item was restored to the active configuration. You can do this by confirming that the item does
not appear in the Recycle Bin panel any longer, and that it is reestablished in the appropriate perspective.
Emptying the Recycle Bin
You can empty the contents of the recycle bin, permanently removing all of the items displayed in the Recycle Bin
panel from the appliance database. The empty functionality is available only if the recycle bin is enabled, and only
for superusers. To empty the recycle bin:
1. From the Grid perspective, click grid -> View -> Recycle Bin. The Recycle Bin panel appears.
2. Click Edit -> Empty Recycle Bin. A warning message appears prompting you to confirm that you wish to empty the
recycle bin.
3. Confirm that all items were removed from the Recycle Bin panel.
Upgrading NIOS Software on a Grid
Infoblox frequently releases updated NIOS software. To get the latest upgrades, your local network must be capable
of downloading a file from the Internet. After you have the new upgrade file stored on your local network, complete
the following tasks to upgrade an Infoblox independent appliance or grid.
Upload the new software to the grid master, as described in Uploading NIOS Software.
Distribute the software upgrade files, as described in Distributing Software Upgrade Files on page 315.
Optionally, test the upgrade, as described in Testing a Software Upgrade on page 319.
Perform the software upgrade, as described in Performing a Software Upgrade on page 320.
To minimize the impact of grid upgrades to your operations, you can organize members into upgrade groups and
schedule their software distribution. This is useful, for example, in a large grid spanning multiple time zones and
there are fluctuating network and downtime considerations at the various locations. You can group grid members
according to their locations or time zones, and schedule their distribution. Note that you can also schedule their
upgrade if the NIOS software upgrade is an Upgrade Lite compatible release. (See Lite Upgrades.) For information on
upgrade groups, see About Upgrade Groups on page 314.
Note: You cannot upgrade directly to NIOS 4.2 from certain DNS releases, such as DNS 3.1 and 3.2, and NIOS
releases, such as 4.0r1. Refer to the release notes for the appropriate upgrade and revert paths.
Before upgrading, Infoblox recommends that all members in the grid be connected to the network and operating
normally. If one or more members are offline when you upgrade the grid, they automatically receive the distributed
software and upgrade when they join the grid or come back online.
Caution: Do not attempt to add or remove a member from the grid, or convert an HA pair to single members or vice
versa during a distribution or upgrade.
Lite Upgrades
Whenever possible, NIOS uses the Upgrade Lite mode to speed up the upgrade process. A lite upgrade occurs only if
the format of the database and replication stream between the existing NIOS version and the upgrade version are the
same. Upgrade Lite reduces the risks associated with upgrades by not performing a database conversion and
upgrading only selected binary or configuration updates to the system.
Uploading NIOS Software
After you download the NIOS software upgrade to your management station, upload it to the grid master, as follows:
1. From the Grid perspective, click the Grid menu item -> Upload NIOS Software.
2. Navigate to the directory where you stored the NIOS software, and then click OK.
The appliance displays the status of the upload.
After the NIOS software is successfully uploaded, the appliance displays a confirmation dialog that includes the
following information:
If the software is not upgrade lite compatible and if there is an active upgrade schedule configured, the
appliance displays a message indicating that the release cannot be scheduled for upgrade and sets the
upgrade schedule to inactive. It also provides instructions on distributing the software.
If the software is upgrade lite compatible, it indicates that the release can be scheduled for upgrade, and
provides instructions on distributing the software.
Note: When you upload the NIOS software upgrade to an HA grid master, only the active node receives the software.
The passive node does not. Therefore, if the grid master fails over before a distribution starts, you must upload
the software again. If you do not, the distribution fails because the new active node does not have the
uploaded software.
About Upgrade Groups
You can divide grid members into upgrade groups and schedule their distribution for times that are convenient for
your organization.
Note: You can schedule upgrades as well, if the software upgrade is an Upgrade Lite compatible release.
Infoblox provides two permanent upgrade groups that you cannot edit or delete:
Grid Master: After you configure the grid master, it automatically becomes the only member of this group.
Unassigned: This is the default upgrade group to which NIOS automatically assigns grid members. If you do not
explicitly assign a member to an upgrade group, it remains in the Unassigned group.
The grid master distributes software upgrade files simultaneously to the members of this group after all
members of all groups have completed their distribution. The members of this group also upgrade
simultaneously, after all other grid members have upgraded as well.
Creating Upgrade Groups
When you create an upgrade group, you select the grid members for that group, and specify whether the software
distribution and upgrade occurs on all group members at the same time, or successively in the order they are listed
in the Group Members list. A grid member can belong to only one upgrade group.
Note: Infoblox recommends that you assign DHCP failover peers to separate upgrade groups, to minimize the risk of
a loss in DHCP service. For example, if DHCP failover peers are in the same upgrade group and its members
upgrade simultaneously, both peers are down at once and the upgrade causes a loss in DHCP service. Note that
the appliance displays a warning message when you create an upgrade group that includes DHCP failover peers.
To create an upgrade group:
1. In the Grid perspective, click the Upgrade Groups tab -> Edit -> Add Upgrade Group.
2. In the Add Upgrade Group editor, expand the Upgrade Group Properties section and enter the following:
Name: Enter a name for the upgrade group. The name can contain any alphanumeric character, spaces,
underscores, hyphens, and dashes.
Comment: Enter relevant information, such as location.
3. Expand the Group Member Assignment section and do the following:
Group Members: Click Add, select grid members to add to the group, and then click OK. Note that if you
choose to distribute and upgrade members sequentially, distribution and upgrade occur in the order in
which members are listed. You can reorder the list by selecting a member and clicking Move Up or Move
Down.
Tip: Use SHIFT+click to select multiple contiguous members and CTRL+click to select multiple noncontiguous
members.
After you add a member, the appliance adds it to the Group Members list. The first grid member in the list
determines the time zone of the group when you schedule the distribution and upgrade. Therefore the
appliance displays the time zone of the first grid member in the list. (For information about setting time
zones, see Managing Time Settings on page 117.)
Distribute to members: Specify the manner in which the grid master distributes software to the members in
the group:
Simultaneously: Select to distribute software upgrade files all at once to all group members.
Sequentially: Select to distribute software upgrade files to each member, in the order they are listed in
the Group Members list.
Upgrade Members: Specify the manner in which the group members upgrade to the new software version:
Simultaneously: Select to upgrade all members at the same time.
Sequentially: Select to upgrade members one by one, in the order they are listed in the Group Members
list.
4. Click the Save icon.
Viewing and Managing Upgrade Groups
To view the upgrade groups of a grid, from the Grid perspective, click the Upgrade Groups tab -> + (for grid). The
appliance lists the upgrade groups you configured, as well as the Grid Master and Unassigned groups. To view the
members in each group, click + beside each group.
You can move members from one group to another and reorder the members in an upgrade group before a
distribution or upgrade starts. After a distribution starts, you can pause it and remove members from a group, as long
as their distribution has not started. The members you remove automatically join the Unassigned group. (For
information, see Pausing and Resuming Distribution on page 318.) You cannot reorder members while a distribution
or upgrade is in progress.
Distributing Software Upgrade Files
Distributing the software upgrade files involves unpacking the software files and loading the new software. When you
perform a distribution, the NIOS appliance loads the new software code into an alternate disk partition, which
overwrites any previously saved version of code already there. Therefore, once a distribution starts, the appliance
can no longer revert to a release prior to the current version.
The time this process takes depends on the number of appliances to which the software is distributed; the more
appliances, the longer it takes. Therefore, you might want to schedule the grid distribution during times when your
network is less busy. You can schedule the distribution of any software upgrade file, even if it is not Upgrade Lite
compatible.
Scheduling a Distribution
The grid master distributes the software upgrade to each member in the grid, including itself. When you create a
distribution schedule, you schedule the distribution of the grid master as well as the upgrade groups. The grid master
distribution must always occur before the distribution of the upgrade groups. You do not schedule the distribution of
the Unassigned group because its distribution automatically occurs simultaneously on all its members after all
upgrade groups complete their distribution.
To schedule the software distribution for a grid:
1. From the Grid perspective, click the Grid menu item -> Distribute -> Schedule Distribution.
2. In the Distribution Schedule dialog box, do the following:
Activate distribution schedule: Select this check box to enable the distribution schedule. Clear it if you are
creating a distribution schedule you plan to activate at a later date.
Distribution Start Time: Enter the grid master distribution date and time, and time zone that applies to the
time you enter. The distribution date and time must be before those of the upgrade groups.
Date: Enter the start date of the grid master distribution in MM/DD/YYYY format.
Time: Enter the start time of the grid master distribution in HH:MM:SS format.
Time Zone: Select the time zone that applies to the start time you entered. If this time zone is different
from the grid time zone, the appliance converts the time you entered to the time zone of the grid, after
you save this schedule. When you display this schedule again, it displays the time converted to the grid
time zone. (For information about setting the grid and member time zones, see Managing Time Settings
on page 117.)
For example, you specified the following time and time zone:
Time: 05:00:00
Time Zone: (UTC - 5:00) Eastern Time (US and Canada)
If the grid time zone is Pacific time, the appliance displays the time after you save the schedule, as
follows:
Time: 02:00:00
Time Zone: (UTC - 8:00) Pacific Time (US and Canada), Tijuana
Admin Local Time: Displays the grid master distribution date and start time in the time zone of the
administrator that is logged in to the appliance or the management system that is connected to the
appliance, depending on what was configured in the Administrators perspective, as explained in
Creating Local Admins on page 101.
Group Distribution Schedule: The dialog box lists the configured upgrade groups. Specify the following for
each upgrade group:
Distribute After: You can enter a distribution date and time, or specify that the distribution occurs after
that of the grid master or another upgrade group.
Date/Time: Select this option to enter the distribution start date and time.
Grid Master: Select this option to start the distribution immediately after the completion of the grid
master distribution. If you select this option, you cannot enter a date and time.
Select the upgrade group that must complete its distribution before the group you are configuring.
If you select this option, you cannot enter a date and time.
Date: Enter the distribution start date in MM/DD/YYYY format.
Time: Enter the distribution start time in HH:MM:SS format.
Time Zone: By default, the appliance displays the time zone of the first grid member in the Upgrade
Group. You can change this time zone, if you want to enter the time using a different time zone. After
you save the schedule though, the appliance converts the time you entered to the time zone of the
upgrade group, if it is different. (For information about setting the grid and member time zones, see
Managing Time Settings on page 117.) To change the default time zone of the upgrade group, change
the first group member in the Upgrade Group list, as explained in Creating Upgrade Groups on page
314.
For example, you specified the following distribution time and time zone:
Time: 05:00:00
Time Zone: (UTC - 5:00) Eastern Time (US and Canada)
If the time zone of the first member of the upgrade group is Pacific time, the appliance displays the time
in the member time zone (Pacific time) after you save the schedule, as follows:
Time: 02:00:00
Time Zone: (UTC - 8:00) Pacific Time (US and Canada), Tijuana
Admin Local Time: If you entered a start date and time, this field displays them in the time zone of the
administrator that is logged in to the appliance or the management system that is connected to the
appliance, depending on what was configured in the Administrators perspective, as explained in
Creating Local Admins on page 101.
Distribute to Members: Indicates whether the distribution within the group occurs simultaneously or
sequentially. You cannot edit this field here. This was defined when you created the upgrade group.
3. Click OK to close the dialog box and save the schedule.
The appliance confirms that the schedule is saved and indicates whether the distribution schedule is active. It
also displays a warning message if an upgrade group contains members that are in the same DHCP failover
association.
Note that the appliance does not save the schedule and displays an error message if the schedule contains the
following:
Circular dependencies between upgrade groups; for example, the distribution of Group A is scheduled after
Group B, and the distribution of Group B is scheduled after Group A.
The distribution time is in the past.
Distributing Software Immediately
As an alternative to scheduling the grid distribution, you can distribute the software upgrade throughout the grid
immediately, as follows:
1. From the Grid perspective, click the Grid menu item -> Distribute -> Distribute Now.
2. When the confirmation dialog box displays, click OK to start the distribution.
The distribution starts and if there is an active distribution schedule, the appliance changes its status to
inactive.
Software Distribution Process
The following series of events occur after a grid distribution starts:
The appliance checks if a NIOS software upgrade was uploaded.
If the upgrade files were not uploaded, distribution stops. The appliance displays an error message and if
the distribution was scheduled, the appliance deactivates the distribution schedule.
If the upgrade files were uploaded, the distribution proceeds.
A single grid master uploads the file to a backup partition and unpacks the contents, which overwrites any
existing backup software that might have been there. For an HA grid master, it is the active node that uploads
the file to a backup partition and unpacks the contents.
The grid master (or active node of the HA grid master) sends a command to all nodes that are online to copy
their database and software to a backup software partition.
For an HA grid master, the active node sends the command to the passive node as well.
The nodes perform an rsync on their backup partition, retrieving only the changed files from the grid master.
After the active node of an HA member receives the software, it then distributes it to the passive node.
When the distribution successfully completes, the appliance updates the distribution status and sets the schedule,
if configured, to inactive. The new software is now staged on all member appliances and is ready for use.
Pausing and Resuming Distribution
You can pause a distribution and do the following:
Change the start times of upgrade groups that did not start their distribution. The start times must be in the
future.
Remove members from an upgrade group, if their distribution did not start.
You cannot create new upgrade groups or add members to a group after a distribution starts.
To pause a distribution:
1. From the Grid perspective, click Grid -> Distribute -> Pause Distribution.
2. When the appliance displays a confirmation dialog box, click OK to pause the distribution.
The Upgrade Group Status indicates that the distribution was paused, as shown in Figure 9.16. For information on
the Upgrade Group Status panel, see Monitoring Distribution and Upgrade Status on page 324.
Figure 9.16 Paused Distribution
To resume a distribution:
1. From the Grid perspective, click Grid -> Distribute -> Resume Distribution.
2. When the appliance displays a dialog box confirming that you want to resume the distribution, click OK to
continue.
Members that did not complete their distribution, and members whose scheduled start times have passed but whose
distribution did not start, resume distribution.
Ending Distribution
You can stop a distribution immediately, for example, if there are offline members and you do not want to wait for
them to come back online or if you realize that you uploaded the wrong software version. When you end the
distribution, you can do the following:
If the grid master completed its distribution, you can upgrade the grid immediately. This forces members that do
not have a complete distribution to synchronize their releases with the grid master.
If the grid master does not have a valid distribution, you can restart the distribution or upload another software
upgrade.
Ending the distribution does not affect the upgrade schedule (if configured). The grid upgrade starts as scheduled,
as long as the grid master completes its distribution.
To stop a distribution:
From the Grid perspective, click Grid -> Distribute -> Stop Distribution.
Testing a Software Upgrade
After you successfully distribute the software upgrade to the grid master, you can test the upgrade on the grid master
before actually implementing it. This allows you to resolve potential data migration issues before the actual upgrade.
The length of time the upgrade test takes depends on various factors, such as the amount of data and the difference
between the current NIOS version and the software upgrade. The test does not affect NIOS services, and you can
perform other administrative tasks during the upgrade test.
To start an upgrade test:
From the Grid perspective, click the Grid menu item -> Upgrade -> Start Upgrade Test.
After you start the upgrade test, you can view its status in the Upgrade Status panel.
From the Grid perspective, click View -> Upgrade Status.
After you start the upgrade test, you can stop it at any time. To stop an upgrade test:
From the Grid perspective, click the Grid menu item -> Upgrade -> End Upgrade Test.
Note that if an admin restarts the grid services or reboots the grid master, or if an HA failover occurs on the grid master
during the upgrade test, the appliance automatically stops the test. The appliance always resets the status of the grid
to Distributed when it stops the upgrade test.
If the appliance encounters an error during the test, it stops it and displays a message in the Upgrade Status panel
indicating that the upgrade test failed and the reason for the failure, such as a data translation error or an error during
the data import. You must then download the Support Bundle and contact Infoblox Technical Support.
After the test successfully finishes, the appliance displays a message indicating that the upgrade test was successful.
You can then perform the actual upgrade as described in Performing a Software Upgrade on page 320.
Performing a Software Upgrade
Performing the software upgrade involves rebooting the appliances and then running the new software. Essentially,
each appliance switches between the two software partitions on its system, activating the staged software and saving
the previously active software and database as backup.
Note: Before you upgrade the software, Infoblox recommends that you back up the current configuration and
database.
When upgrading to software releases that are Upgrade Lite compatible, you can schedule the grid upgrade as
described in the next section.
Scheduling an Upgrade
When you schedule the upgrade of a grid to an Upgrade Lite compatible release, you schedule the upgrade of the grid
master as well as the upgrade groups. The grid master must always upgrade before the upgrade groups. The members
of the Unassigned group always upgrade simultaneously after all members of all groups have completed their
upgrade.
To create an upgrade schedule:
1. From the Grid perspective, click the Grid menu item -> Upgrade -> Schedule Upgrade.
2. In the Upgrade Schedule dialog box, do the following:
Activate upgrade schedule: Select this check box to enable the upgrade schedule. Clear it if you are creating
an upgrade schedule that you plan to activate at a later date.
Upgrade Start Time: Enter the grid master upgrade date and time, and time zone that applies to the start
time you entered. The date and time must be before those of the upgrade groups.
Date: Enter the start date of the grid master upgrade in MM/DD/YYYY format.
Time: Enter the start time of the grid master upgrade in HH:MM:SS format.
Time Zone: Select the time zone that applies to the start time that you entered. If this time zone is
different from the grid time zone, the appliance converts the time you entered to the time zone of the
grid, after you save this schedule. When you display this schedule again, it displays the time converted
to the grid time zone. (For information about setting the grid and member time zones, see Managing
Time Settings on page 117.)
For example, you specified the following time and time zone:
Time: 05:00:00
Time Zone: (UTC - 5:00) Eastern Time (US and Canada)
If the grid time zone is Pacific time, the appliance displays the time and time zone after you save the
schedule, as follows:
Time: 02:00:00
Time Zone: (UTC - 8:00) Pacific Time (US and Canada), Tijuana
Admin Local Time: Displays the grid master upgrade date and start time in the time zone of the
administrator that is logged in to the appliance or the management system that is connected to the
appliance, depending on what was configured in the Administrators perspective. (For information, see
Creating Local Admins on page 101.)
Group Upgrade Schedule: The dialog box lists the configured upgrade groups. Specify the following for each
upgrade group:
Upgrade After: You can enter an upgrade date and time, or specify that the upgrade occurs after that of
the grid master or another upgrade group.
Date/Time: Select this option to enter the upgrade start date and time.
Grid Master: Select this option to start the upgrade immediately after the grid master upgrades. If
you select this option, you cannot enter a date and time.
Select the upgrade group that must upgrade before the group you are configuring. If you select this
option, you cannot enter a date and time.
Date: Enter the upgrade start date in MM/DD/YYYY format.
Time: Enter the upgrade start time in HH:MM:SS format.
Time Zone: By default, the appliance displays the time zone of the first grid member in the Upgrade
Group. You can change this time zone, if you want to enter the time using a different time zone. After
you save the schedule though, the appliance converts the time you entered to the time zone of the
upgrade group, if it is different. (For information about setting the grid and member time zones, see
Managing Time Settings on page 117.)
For example, you specified the following upgrade time and time zone:
Time: 05:00:00
Time Zone: (UTC - 5:00) Eastern Time (US and Canada)
If the time zone of the first member of the upgrade group is Pacific time, the appliance displays the time
in the member time zone after you save the schedule:
Time: 02:00:00
Time Zone: (UTC - 8:00) Pacific Time (US and Canada), Tijuana
Admin Local Time: Displays the start date and time in the time zone of the administrator that is logged
in to the appliance or the management system that is connected to the appliance, depending on what
was configured in the Administrators perspective. (For information, see Creating Local Admins on page
101.)
Upgrade Members: Indicates whether the upgrade within the group occurs simultaneously or sequentially.
You cannot edit this field here. This was defined when you created the Upgrade Group.
3. Click OK to close the dialog box and save the schedule.
The appliance does not save the schedule and displays an error message if the schedule contains the following:
Circular dependencies between upgrade groups; for example, the upgrade of Group A is scheduled after
Group B, and the upgrade of Group B is scheduled after Group A.
The upgrade time is in the past.
Otherwise, the appliance confirms that the schedule is saved and indicates whether the upgrade schedule is
active. It also displays a warning message if an upgrade group contains members that are in the same DHCP
failover association.
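The schedule rules just described (time zone normalization, the two rejected conditions, and the DHCP failover warning), as an added example that is not part of the original guide. It assumes fixed standard-time offsets for the zone labels the dialog shows and a simple "after group" dependency field; group and member names are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Time zones as the Upgrade Group dialog labels them (standard-time offsets).
# Assumption: fixed offsets keep the example free of a tz database; real
# schedules need DST-aware zones.
ZONES = {
    "Eastern": timezone(timedelta(hours=-5), "Eastern Time (US and Canada)"),
    "Pacific": timezone(timedelta(hours=-8), "Pacific Time (US and Canada)"),
}
GRID_MASTER = "Grid Master"


@dataclass
class UpgradeGroup:
    name: str
    member_tz: str                                  # time zone of the group's first member
    members: dict = field(default_factory=dict)     # member -> DHCP failover association or None
    start: Optional[datetime] = None                # Date/Time option (tz-aware)
    after: Optional[str] = None                     # GRID_MASTER or another group's name


def normalize_start(entered: datetime, group: UpgradeGroup) -> datetime:
    """Convert a Date/Time entered in the admin's zone to the group's member
    zone, which is how the appliance displays the schedule once saved."""
    return entered.astimezone(ZONES[group.member_tz])


def find_cycles(groups: list[UpgradeGroup]) -> set[frozenset]:
    """Return each set of groups whose 'after' dependencies form a loop."""
    by_name = {g.name: g for g in groups}
    cycles: set[frozenset] = set()
    for start in groups:
        path: list[str] = []
        cur: Optional[UpgradeGroup] = start
        while cur is not None and cur.after not in (None, GRID_MASTER):
            if cur.name in path:
                cycles.add(frozenset(path[path.index(cur.name):]))
                break
            path.append(cur.name)
            cur = by_name.get(cur.after)            # an unknown group ends the walk
    return cycles


def validate_schedule(groups: list[UpgradeGroup], now: datetime) -> tuple[list[str], list[str]]:
    """Apply the checks the text describes; returns (errors, warnings).
    Any error means the schedule is not saved; warnings do not block it."""
    errors: list[str] = []
    warnings: list[str] = []
    by_name = {g.name: g for g in groups}
    for g in groups:
        if g.start is not None and g.after is not None:
            errors.append(f"{g.name}: Date/Time and 'after group' options are exclusive")
        if g.start is not None and g.start <= now:
            errors.append(f"{g.name}: upgrade time is in the past")
        if g.after not in (None, GRID_MASTER) and g.after not in by_name:
            errors.append(f"{g.name}: depends on unknown group {g.after!r}")
        # Warning only: both peers of a DHCP failover pair would upgrade together.
        seen: dict[str, str] = {}
        for member, assoc in g.members.items():
            if assoc and assoc in seen:
                warnings.append(f"{g.name}: {seen[assoc]} and {member} share "
                                f"failover association {assoc}")
            elif assoc:
                seen[assoc] = member
    for cycle in find_cycles(groups):
        errors.append("circular dependency between upgrade groups: " + ", ".join(sorted(cycle)))
    return errors, warnings


if __name__ == "__main__":
    now = datetime(2029, 1, 1, tzinfo=timezone.utc)
    entered = datetime(2030, 1, 15, 5, 0, 0, tzinfo=ZONES["Eastern"])
    print(normalize_start(entered, UpgradeGroup("West", "Pacific")).strftime("%H:%M:%S %Z"))
    a = UpgradeGroup("A", "Eastern", after="B")
    b = UpgradeGroup("B", "Pacific", after="A")
    print(validate_schedule([a, b], now))
```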
Upgrading Immediately
You cannot schedule upgrades to releases that are not Upgrade Lite compatible. The grid members must upgrade at
the same time when upgrading to these releases. For Upgrade Lite compatible releases, you can schedule the
upgrade as described in the preceding section, or upgrade the grid at the same time.
To upgrade a grid immediately:
From the Grid perspective, click Grid -> Upgrade -> Upgrade Now.
The grid upgrades immediately and if there is an active upgrade schedule, it becomes inactive.
Upgrade Process
When an upgrade starts, the grid master checks if all grid members successfully completed the software distribution.
If they have not, the upgrade process stops. The appliance displays an error message and if it is a scheduled upgrade,
the appliance deactivates the schedule as well. Otherwise, the upgrade process continues.
Due to the nature of the upgrade sequence, HA pairs fail over during the upgrade. Therefore, be aware that the active
and passive nodes reverse roles. The order in which grid members upgrade, including when HA pairs fail over, is
shown in Figure 9.17 (for an HA grid master) and Figure 9.18 on page 323 (for a single grid master).
Figure 9.17 Upgrade Sequence for an HA Grid Master and Grid Members
Figure 9.17 shows an HA grid master (Node 1 active, Node 2 passive), an HA grid member, and a single grid member. Its
numbered callouts read:
1. The passive node (Node 2) of the grid master upgrades.
2. The grid master fails over from Node 1 to Node 2.
3. Node 1 (now passive) of the grid master upgrades. The passive node (Node 2) of the HA member and the single grid
member upgrade.
4. At this point, the grid master is using upgraded code. The HA grid member fails over (because the code on Node 1
does not match that on the grid master, but the code on Node 2 does).
5. Node 1 (now passive) of the HA member upgrades.
Figure 9.18 Upgrade Sequence for a Single Grid Master and Grid Members
The GUI session terminates when the HA grid master fails over from Node 1 to Node 2, or when the single grid master
reboots and goes offline.
For scheduled upgrades, you can edit the start time of upgrade groups that have not yet started upgrading while an
upgrade is in progress. When the upgrade finishes, the Upgrade schedule is set to inactive.
Figure 9.18 shows a single grid master, an HA grid member (Node 1 active, Node 2 passive), and a single grid member.
Its numbered callouts read:
1. The single grid master upgrades.
2. Node 2 (passive) of the HA member and the single member upgrade.
3. The HA member fails over from Node 1 to Node 2.
4. Node 1 (now passive) of the HA member upgrades.
Monitoring Distribution and Upgrade Status
The Upgrade Status panel displays status and version information on the top half. The bottom half of the panel
displays status icons indicating the distribution or upgrade status, as shown in Figure 9.19.
Figure 9.19 Upgrade Status Panel
The appliance status icon can be one of the following colors:
Icon Color Meaning
Green The distribution or upgrade has successfully completed.
Yellow The distribution or upgrade is in progress.
Gray No distribution or upgrade is in progress.
Red The distribution or upgrade failed, or the grid member is offline because it is rebooting.
You can view the distribution and upgrade status of a grid as follows:
To view the distribution and upgrade status of each member in a grid, from the Grid, select the grid and then
click View -> Upgrade Status.
As shown in Figure 9.20, the Upgrade Status panel displays the status of each grid member.
Figure 9.20 Status of Grid Members
To view the distribution and upgrade status of each group in the grid, as shown in Figure 9.21, from the Upgrade
Groups tab, select the grid and then click View -> Upgrade Status.
The Upgrade Status panel displays the status of each upgrade group in the grid.
Figure 9.21 Status of Upgrade Groups
To view the status of members in an upgrade group, from the Grid perspective, click the Upgrade Groups tab -> +
(for grid) -> upgrade_group -> View -> Upgrade Status.
The Upgrade Status panel displays the status of each member in the group.
Figure 9.22 Status of Upgrade Group Members
To view the status of each grid member, from the Grid perspective, click the Upgrade Groups tab -> + (for grid) ->
upgrade_group -> grid_member -> View -> Upgrade Status.
The Upgrade Status panel displays the distribution status of the member. It displays the status of each step in
the distribution process.
Figure 9.23 Status of a Grid Member
You can view the upgrade status in the same way as the distribution status. The only difference is that during an
upgrade, the GUI session terminates when the HA grid master fails over from Node 1 to Node 2, or when the single
grid master reboots and goes offline. You can log back in and view the upgrade status of the members. Note that when
members are rebooting, the status panel displays a red icon that indicates the members are not connected, as shown
in Figure 9.24.
Figure 9.24 Upgrade Status with Members Rebooting
Part 3 Service Configuration
This section describes how to configure NIOS appliances to provide various services on your network. It includes the
following chapters:
Chapter 10, "Managing DNS Data", on page 331
Chapter 11, "Shared Records", on page 411
Chapter 12, "Configuring DNS Services", on page 423
Chapter 13, "Configuring IP Routing Options", on page 449
Chapter 14, "Managing DHCP Data", on page 459
Chapter 15, "Configuring DHCP Services", on page 483
Chapter 16, "Using Network Discovery", on page 519
Chapter 17, "Configuring DDNS Updates from DHCP", on page 537
Chapter 18, "Managing IP Data IPAM", on page 557
Chapter 19, "NAC Foundation", on page 581
Chapter 20, "File Distribution Services", on page 605
Chapter 21, "RADIUS Services", on page 613
Chapter 22, "IPAM WinConnect", on page 643
Chapter 23, "VitalQIP", on page 647
Chapter 10 Managing DNS Data
DNS (Domain Naming System) translates IP addresses to host names and back. The types of DNS servers are:
Root name servers that are in each top-level domain (com, edu, gov, and net). They determine where the
individual records are stored.
Static servers that every computer on the Internet can access.
Authoritative servers that contain the actual information about each individual domain. This information is
stored in a zone file. The root name servers query authoritative servers to determine the hostname or the IP
address.
DNS uses an efficient, reliable, distributed, and generic mapping system.
Efficient: it uses caching and maps most names locally; only a few require Internet traffic.
Reliable: a single machine failure does not break the system.
Distributed: a set of servers operating at multiple sites together solve the mapping.
Generic: it is not restricted to machine names.
The NIOS appliance uses a standard, BIND-based DNS protocol engine; it operates with any other name server that
follows the DNS RFCs (see DNS RFC Compliance on page 690). Managing DNS data includes configuring and
managing Infoblox views, zones, adding records, and managing hosts and records.
Note: Limited-access admin groups can access certain DNS resources only if their administrative permissions are
defined. For information on setting permissions for admin groups, see Managing DNS Resource Permissions
on page 83.
This chapter explains these topics and is organized as follows:
Configuring DNS Overview on page 334
DNS Configuration Checklist on page 335
Restarting Services on page 336
Using Infoblox DNS Views on page 337
Default View on page 339
Creating Views on page 339
Specifying Match Lists on page 341
Adding Zones to a View on page 342
Adding Records to a Zone on page 342
Managing Views on page 344
Configuration Example: Configuring a View on page 345
Understanding DNS for IPv6 on page 347
IPv6 Overview on page 347
Delegating Zone Authority to Name Servers on page 349
Specifying a Primary Server on page 349
Specifying a Secondary Server on page 350
Configuring Authoritative Zones on page 353
Creating an Authoritative Forward-Mapping Zone on page 353
Creating an Authoritative Reverse-Mapping Zone on page 354
Adding an Authoritative Subzone on page 356
Creating a Root Zone on page 358
Importing Zone Data on page 359
Allowing Zone Transfers to an Appliance on page 362
Importing Data into Zones on page 362
Configuring Delegated, Forward, and Stub Zones on page 365
Configuring a Delegated Zone on page 365
Configuring a Forward Zone on page 366
Configuring Stub Zones on page 368
Using Name Server Groups on page 376
Creating Name Server Groups on page 376
Applying Name Server Groups on page 378
Managing Zones on page 379
Locking and Unlocking Zones on page 379
Removing Zones on page 380
Enabling and Disabling Zones on page 382
Using the Recycle Bin on page 382
Viewing the Recycle Bin on page 383
Restoring Items in the Recycle Bin on page 383
Emptying the Recycle Bin on page 383
Specifying Host Name Restrictions on page 384
Adding Hosts on page 387
Adding Bulk Hosts on page 389
Specifying Bulk Host Name Formats on page 389
Before Defining Bulk Host Name Formats on page 389
Configuring Bulk Hosts on page 391
Adding Resource Records on page 394
Adding NS Records on page 395
Adding AAAA Records on page 395
Adding PTR Records on page 396
Adding MX Records on page 397
Adding SRV Records on page 398
Adding TXT Records on page 399
Adding CNAME Records on page 400
Adding DNAME Records on page 402
Specifying Time To Live Settings on page 407
Managing Hosts and Resource Records on page 408
Modifying, Disabling, or Removing a Host or Record on page 408
Viewing DNS Record Listings on page 409
Configuring DNS Overview
An overview of the complete DNS configuration process is outlined in the following diagram, illustrating the required
steps for preparing a NIOS appliance for use:
Begin the initial configuration of DNS zones and resource records.
Decide on the type of DNS zones to configure:
Forward zone
- Specify the IP address of the DNS primary server
- Repeat this step to define other forward zones or define other types of zones (optional)
Delegated zone
- Specify the IP address and the FQDN of the DNS primary server
- Repeat this step to define other delegated zones or define other types of zones (optional)
Primary or secondary zone: choose the type of authoritative zone:
Primary only zone
- Choose the primary member
- Add resource records
Secondary only zone
- Specify the IP address and FQDN of the external primary
- Choose the secondary members
Primary and secondary zone
- Choose the primary member(s)
- Choose the secondary member(s)
- Specify the IP addresses and FQDN for external secondaries
- Proceed to add resource records
Add resource records
- Select the zone to which you want to add records
- Choose a record type
- Enter the necessary data for the selected record
- Repeat these steps to add additional records (optional)
Do you want to create more zones? If yes, return to deciding on the type of DNS zone to configure. Otherwise, the
initial configuration of DNS zones and resource records is complete.
DNS Configuration Checklist
Each step in the preceding flowchart is covered in the following checklist:
Table 10.1 DNS Configuration Checklist
Step: Decide if you want to create a new view, in addition to the default view.
For more information:
Creating Views on page 339
Adding Zones to a View on page 342
Ordering Views on page 343
Managing Views on page 344
Configuration Example: Configuring a View on page 345
Step: Decide which type of DNS zone you want to configure.
For more information:
Configuring Authoritative Zones on page 353
Configuring a Delegated Zone on page 365
Configuring a Forward Zone on page 366
Configuring Stub Zones on page 368
Step: Configure the zone.
For more information:
Creating an Authoritative Forward-Mapping Zone on page 353
Creating an Authoritative Reverse-Mapping Zone on page 354
Adding an Authoritative Subzone on page 356
Importing Zone Data on page 359
Step: Configure a host.
For more information:
Adding Hosts on page 387
Adding Bulk Hosts on page 389
Step: Add resource records.
For more information:
Adding A Records on page 394
Adding NS Records on page 395
Adding AAAA Records on page 395
Adding PTR Records on page 396
Adding MX Records on page 397
Adding SRV Records on page 398
Adding TXT Records on page 399
Adding CNAME Records on page 400
Adding DNAME Records on page 402
Restarting Services
When you make changes to the services for a grid or member, you must restart services. You can make multiple
changes before restarting the service, however. This process invalidates the cache. To clear the DNS cache, from the
DNS perspective, click the DNS Members tab -> + (for grid ) -> member -> Edit -> Clear Cache.
Note: Restarting services restarts both DNS and DHCP services on the selected nodes.
Restarting Services for a Grid
To restart services for a grid and all its members:
1. From the DNS perspective, click the DNS Members tab -> grid.
2. Select Restart Grid Services, and choose from the following options:
Sequentially: If you have multiple nodes in the grid, this option restarts the services on each of the nodes
according to the number of seconds you enter in the field. For example, if 10 is entered in the field, each
subsequent node restarts services 10 seconds after the previous node restarted services. You must enter
numbers, not text.
Immediately: This option restarts the services on all of the nodes in a grid immediately.
3. Click Restart Details to view the services being restarted.
4. Click Refresh to initiate the restart request. The more zones and networks that the member manages, the longer
this takes. When the term Requesting changes to Yes, the node is ready to be restarted.
5. Click OK.
Restarting Services for a Member
To restart services for a specific member of a grid:
1. From the DNS perspective, click the DNS Members tab -> + (for grid ) -> member.
2. Click the Restart Services icon, and select from the following options:
Restart Services: This option only restarts the services displayed in the Restart Service Status dialog box.
Force Restart Services: This option restarts all of the services managed by the member.
3. Click Restart Details to view the services being restarted on this member.
4. Click Refresh to verify the services being restarted. Only the service(s) with a Yes are restarted.
5. Click OK.
Using Infoblox DNS Views
Infoblox views provide the ability to serve one version of DNS data to one set of clients and another version to another
set of clients. With Infoblox views, the NIOS appliance can provide a different answer to the same DNS query,
depending on the source of the query.
In Figure 10.1, the appliance has two views: an internal view that contains private IP addresses and an external view
that contains public IP addresses. The appliance receives queries from both internal and external clients. When it
receives a query from Client A (an internal client) the appliance accesses the internal view and responds with the
private IP address of the site. When it receives a query from Client B (an external client) the appliance accesses the
external view and responds with the public IP address of the requested site.
Figure 10.1 Internal and External Views
You can configure both forward and reverse mapping zones in views and provide DNS services, such as name
resolution, zone transfers and dynamic DNS updates. For information about these services, see Configuring DNS
Services on page 424.
You can provide multiple views of a given zone with a different set of records in each view. In Figure 10.2, both views
contain the corp100.com zone and the sales.corp100.com zone. The finance.corp100.com zone is only in the internal
view, and only internal users are allowed to access records in that zone. Resource records can also exist in multiple
zones. In the Figure 10.2 example, the A records for serv1.sales.corp100.com and serv2.sales.corp100.com are in
the sales.corp100.com zones in both views.
Figure 10.2 Zone Data in Each View
Figure 10.1 callouts:
A-1: Client A, an internal client, sends a request for sales.corp100.com.
A-2: The appliance retrieves the answer from the internal view (corp100.com zone: sales.corp100.com 10.1.1.5).
A-3: The appliance responds with 10.1.1.5.
B-1: Client B, an external client, sends a request for sales.corp100.com.
B-2: The appliance retrieves the answer from the external view (corp100.com zone: sales.corp100.com 1.1.1.5).
B-3: The appliance responds with 1.1.1.5.
Figure 10.2 zone data:
Internal View: corp100.com, sales.corp100.com, finance.corp100.com
External View: corp100.com, sales.corp100.com
Records shown in the figure, grouped by zone:
corp100.com (one view): MX rmail.corp100.com, NS dnsoneA.corp100.com, A host1.corp100.com, A host2.corp100.com
corp100.com (other view): MX email.corp100.com, A web1.corp100.com, A web2.corp100.com
sales.corp100.com (one view): A serv1.sales.corp100.com, A serv2.sales.corp100.com, A serv3.sales.corp100.com,
A printer.sales.corp100.com
sales.corp100.com (other view): A host1.sales.corp100.com, A host2.sales.corp100.com, A web3.sales.corp100.com,
A ftp.sales.corp100.com, A serv1.sales.corp100.com, A serv2.sales.corp100.com
finance.corp100.com (internal view only): A server.finance.corp100.com, A printer.finance.corp100.com,
A fin1.finance.corp100.com, A fin2.finance.corp100.com
You can control which clients access a view through the use of a match list specifying IP addresses and/or TSIG
(transaction signature) keys. When the NIOS appliance receives a request from a client, it tries to match the source IP
address and/or TSIG key with its match list when determining which view, if any, the client can access. After the
appliance determines that a client can access a view, it checks the zone level settings to determine if it can provide
the service the client is requesting.
For information on TSIG keys or defining zone transfer settings, see Enabling Zone Transfers on page 426. For more
information on match lists, see Specifying Match Lists on page 341. For information on defining query settings, refer
to Specifying DNS Queries on page 428.
Figure 10.3 illustrates how the NIOS appliance resolves a query for a domain name in a zone of a view. In the example,
the internal view is listed before the external view. Therefore, when the appliance receives a query, it checks the
match list of the internal view first. When it does not find the source address in the match list of the internal view, it
checks the match list of the external view. The match list of the external view allows all IP addresses.
Next, the NIOS appliance checks the zone level settings to determine if it is allowed to resolve queries from the client
for domain names in that zone. After the appliance determines it is allowed to respond to queries from this client, it
resolves the query and sends back the response to the client.
Figure 10.3 Query Resolution
When you create more than one view, as shown in Figure 10.3, the order of the views is important. View order
determines the order in which the NIOS appliance checks the match lists. In Figure 10.3, the internal view is listed
before the external view. If the views were reversed, no hosts would receive DNS replies from the internal view
because the match list of the external view allows replies to clients with any IP address. For information on how to
order views, see Ordering Views on page 343.
In a grid, each grid member can host its own set of views. A grid member can serve as the primary or secondary server
for multiple views of a particular zone. For information about specifying primary and secondary servers, see
Configuring DNS Zone Services on page 434.
Figure 10.3 callouts (internal view zones: corp100.com, finance.corp100.com, cs.corp100.com; external view zones:
corp100.com, cs.corp100.com; the external view's match list is Match Any):
1. The client sends a query for web1.corp100.com.
2. The NIOS appliance checks if the host IP address is allowed in the match list of the internal view. It does not find
the client address in the match list.
3. The NIOS appliance checks if the host IP address is allowed in the match list of the external view. The match list
allows all IP addresses.
4. The NIOS appliance checks if it can respond to queries for domain names in the corp100.com zone from this client.
It determines that it can. The appliance then looks for the requested domain name in the corp100.com zone.
5. The appliance sends the answer back to the client.
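The view selection and zone-level check of Figure 10.3, as an added example that is not part of the original guide. It assumes match lists made of IP addresses, CIDR networks, "any", or TSIG key names written as key:<name> (an assumed notation), views tried in configured order, and a zone-level allow-query list checked after the view is chosen; the constructed data also shows the misordering case from the text, where an "any" view listed first shadows the internal view.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def acl_matches(acl: list[str], src_ip: str, tsig_key: Optional[str]) -> bool:
    """Evaluate a match list or zone ACL: IP addresses, CIDR networks, "any",
    or TSIG key names written as "key:<name>" (assumed notation)."""
    ip = ipaddress.ip_address(src_ip)
    for entry in acl:
        if entry == "any":
            return True
        if entry.startswith("key:"):
            if tsig_key is not None and entry[4:] == tsig_key:
                return True
            continue
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


@dataclass
class Zone:
    name: str
    records: dict[str, str]                                          # owner name -> A record
    allow_query: list[str] = field(default_factory=lambda: ["any"])  # zone-level setting


@dataclass
class View:
    name: str
    match_list: list[str]
    zones: dict[str, Zone] = field(default_factory=dict)


def select_view(views: list[View], src_ip: str, tsig_key: Optional[str] = None) -> Optional[View]:
    """Views are checked in the configured order; the first matching view wins."""
    for view in views:
        if acl_matches(view.match_list, src_ip, tsig_key):
            return view
    return None


def find_zone(view: View, qname: str) -> Optional[Zone]:
    """Longest-suffix match of the query name against the zones in the view."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in view.zones:
            return view.zones[candidate]
    return None


def resolve(views: list[View], qname: str, src_ip: str,
            tsig_key: Optional[str] = None) -> tuple[Optional[str], str]:
    """Steps 2 to 5 of Figure 10.3: pick the view, apply the zone-level check,
    then look up the name. Returns (answer, explanation)."""
    view = select_view(views, src_ip, tsig_key)
    if view is None:
        return None, "REFUSED: no view admits this client"
    zone = find_zone(view, qname)
    if zone is None:
        return None, f"REFUSED: view {view.name!r} has no zone for {qname}"
    if not acl_matches(zone.allow_query, src_ip, tsig_key):
        return None, f"REFUSED: zone {zone.name!r} in view {view.name!r} denies queries from {src_ip}"
    answer = zone.records.get(qname.lower().rstrip("."))
    if answer is None:
        return None, f"NXDOMAIN in view {view.name!r}"
    return answer, f"answered from view {view.name!r}"


# Constructed sample configuration (documentation address ranges, not the page's values).
INTERNAL = View("internal", ["10.0.0.0/8", "key:internal-key"], {
    "corp100.com": Zone("corp100.com", {"web1.corp100.com": "10.1.1.10"}),
    "finance.corp100.com": Zone("finance.corp100.com",
                                {"server.finance.corp100.com": "10.2.0.20"},
                                allow_query=["10.2.0.0/16"]),   # zone-level restriction
})
EXTERNAL = View("external", ["any"], {
    "corp100.com": Zone("corp100.com", {"web1.corp100.com": "192.0.2.10"}),
})
VIEWS = [INTERNAL, EXTERNAL]        # correct order: the restrictive view first
MISORDERED = [EXTERNAL, INTERNAL]   # the "any" view shadows the internal view


if __name__ == "__main__":
    for order, label in ((VIEWS, "ordered"), (MISORDERED, "misordered")):
        for ip in ("10.1.1.5", "198.51.100.7"):
            print(label, ip, resolve(order, "web1.corp100.com", ip))
```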
Default View
The NIOS appliance provides one default view, with the ability to create multiple custom views. When you upgrade or
migrate from a name server, or an earlier version of software that does not support views, the appliance places all
the zones defined in the older release in the default view. You can then create additional views and organize the
zones in each view.
Note: Creating a network causes the appliance to create a reverse zone in the default view, if that reverse zone does
not exist in any other view. For information about creating a network, see Configuring a DHCP Network on page
461.
The default view allows all IP addresses access, and has the same recursion setting as its associated member host.
You can rename the default view and modify its settings, but you cannot remove it.
Creating Views
You can create up to 255 views. This section describes the process for creating and configuring new views.
If you have multiple views, you can order the views, as described in Ordering Views on page 343.
Once created, you can modify the view by:
Specifying Match Lists on page 341
DNS and BIND (or other industry reference) book for information on how to
change the allow-transfer substatements for the source name server.
Allowing Zone Transfers and Queries
Specifying zone transfers and queries allows the destination appliance access to the zone data being imported. This
procedure must be performed before attempting to import zone data to a destination appliance.
You can specify whether zone transfers are allowed to a single address or a network. The difference between the two
is simple: use an IP address to designate a single system, and use the network option for a range of addresses on a
network.
To allow zone transfers and queries, perform the following steps on the source appliance:
1. From the DNS perspective, click the DNS Members tab -> + (for grid) -> member -> Edit -> Member DNS Properties.
2. In the Member DNS Properties editor, click Zone Transfers.
3. Click the Override grid zone transfer settings check box.
4. Click Add and in the IP Address Option section do the following:
IP Address: Select and enter a system IP address.
Network: Select and enter a network IP Address and select a CIDR from the drop-down menu.
Any: Select this option to allow or deny zone transfers for any IP address.
5. Under Permission, select one of the following:
Allow: Select to allow zone transfers.
Deny: Select to restrict permissions for zone transfers.
6. Click OK.
7. Click the Save and Restart Services icons.
Importing Data into Zones
After you create a new authoritative zone, you can import data from another server. When you import zone data into
an existing zone, the local appliance retains only the NS and SOA resource records for the zone and replaces all other
records: A, PTR, MX, TXT, SRV, CNAME, DNAME, host, and bulk host. The local appliance also retains subzones and
records in the subzones that exist locally.
Note: When the local server successfully imports the zone data, a Confirmation message appears. If the local server
cannot import the zone data, an Error message appears, recommending that you verify the correctness of the
IP address of the remote server and zone information.
To import data into a zone:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones, IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> Edit ->
Authoritative Zone Properties.
2. In the Authoritative Zone Properties editor, click Settings.
3. Click the Import Zone from check box, and specify the following:
The IP address of the name server from which you want to import data.
Optional: Click the Automatically create Infoblox host records from A records check box.
4. Click the Save and Restart Services icons.
How Specific Zones and Records Are Imported
The following table explains how a NIOS appliance imports each type of zone and record.
Table 10.3 The Resource Records and Subzones
If you import data directly from an authoritative zone or subzone, the destination server imports the resource records
for the imported zone. If you import data from a zone that contains an authoritative subzone, the destination server
imports the subzone (and redefines it as a delegated zone) but does not import the resource records for the
subzone. To import such records, change the imported subzone type from delegated to authoritative on the
destination server, and directly import the records for the zone.
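The import rules stated above and in Importing Data into Zones (local SOA and NS kept, every other record replaced, local subzones kept, source subzones redefined as delegations, the pre-import zone saved to the recycle bin), as an added example that is not part of the original guide. The zone and record model, the created_by_import flag, and the sample zones are constructed for the example; stub subzones are not modelled.

```python
from __future__ import annotations

import copy
from dataclasses import dataclass, field

RETAINED_ON_IMPORT = {"SOA", "NS"}     # the local zone keeps only these
REPLACED_ON_IMPORT = {"A", "PTR", "MX", "TXT", "SRV", "CNAME", "DNAME", "HOST", "BULKHOST"}


@dataclass
class Record:
    name: str
    rtype: str
    data: str


@dataclass
class Zone:
    name: str
    kind: str                                   # authoritative, delegated, forward, stub
    records: list[Record] = field(default_factory=list)
    subzones: dict[str, "Zone"] = field(default_factory=dict)
    created_by_import: bool = False             # delegated subzone left by an earlier import


def import_zone(local: Zone, source: Zone, recycle_bin: list[Zone],
                create_hosts: bool = False) -> Zone:
    """Return the zone as it looks after importing `source` into `local`.
    `create_hosts` models the "Automatically create Infoblox host records
    from A records" check box. The inputs are not modified."""
    # The zone, its records, and any subzones an earlier import created are
    # saved as one recycle bin object; locally defined subzones stay live.
    snapshot = copy.deepcopy(local)
    snapshot.subzones = {n: z for n, z in snapshot.subzones.items() if z.created_by_import}
    recycle_bin.append(snapshot)

    kept = [r for r in local.records if r.rtype in RETAINED_ON_IMPORT]
    incoming: list[Record] = []
    for r in source.records:
        if r.rtype not in REPLACED_ON_IMPORT:   # the source's SOA and NS are not imported
            continue
        if create_hosts and r.rtype == "A":
            r = Record(r.name, "HOST", r.data)
        incoming.append(r)
    result = Zone(local.name, "authoritative", kept + incoming)

    # Subzones defined locally (not by an earlier import) stay, records included.
    for name, sub in local.subzones.items():
        if not sub.created_by_import:
            result.subzones[name] = copy.deepcopy(sub)
    # Source subzones arrive as delegations carrying only their NS records;
    # their other records are not imported (re-import them directly if needed).
    for name, sub in source.subzones.items():
        if sub.kind in ("authoritative", "forward", "delegated"):
            ns_only = [r for r in sub.records if r.rtype == "NS"]
            result.subzones[name] = Zone(sub.name, "delegated", ns_only, created_by_import=True)
    return result


# Constructed sample data (not from the page): a local zone with one locally
# defined subzone and one delegated subzone left by an earlier import.
LOCAL = Zone("corp100.com", "authoritative",
    records=[Record("corp100.com", "SOA", "ns1.corp100.com. hostmaster.corp100.com. 7"),
             Record("corp100.com", "NS", "ns1.corp100.com."),
             Record("old.corp100.com", "A", "10.1.1.9")],
    subzones={"sales.corp100.com": Zone("sales.corp100.com", "authoritative",
                  [Record("serv1.sales.corp100.com", "A", "10.1.2.5")]),
              "eng.corp100.com": Zone("eng.corp100.com", "delegated",
                  [Record("eng.corp100.com", "NS", "ns.eng.example.")], created_by_import=True)})
SOURCE = Zone("corp100.com", "authoritative",
    records=[Record("corp100.com", "SOA", "ns.src.example. admin.src.example. 42"),
             Record("corp100.com", "NS", "ns.src.example."),
             Record("web1.corp100.com", "A", "192.0.2.10"),
             Record("corp100.com", "MX", "10 mail.corp100.com.")],
    subzones={"finance.corp100.com": Zone("finance.corp100.com", "authoritative",
                  [Record("finance.corp100.com", "NS", "ns.fin.example."),
                   Record("server.finance.corp100.com", "A", "192.0.2.50")])})


if __name__ == "__main__":
    recycle_bin: list[Zone] = []
    merged = import_zone(LOCAL, SOURCE, recycle_bin)
    for r in merged.records:
        print(r.rtype, r.name, r.data)
    for name, sub in merged.subzones.items():
        print(sub.kind, name, [r.rtype for r in sub.records])
    print("recycle bin holds:", [z.name for z in recycle_bin], list(recycle_bin[0].subzones))
```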
Restoring Zone Data
After you import or delete a zone, if you want the original zone back, you can restore it using the Recycle Bin.
When you import a zone for the first time, the NIOS appliance saves the zone and its resource records as a single
object in the recycle bin. It keeps the subzones with the zone. See Restoring Zone Data After a Zone Import Example
on page 364.
When you reimport data into a zone, the software saves the zone, its resource records, and the delegated subzones
created by the previous import operation in the recycle bin. It keeps the subzones (not created during the zone
import) with the zone. See Restoring Zone Data After a Zone Reimport Example on page 364.
If the zone import succeeds, the system adds resource records from the source to the target zone. It also adds
delegated subzones for the source subzones. If the zone import fails, the system does not create records and
delegated subzones. In either case, you can retrieve the original zone and its subzones from the recycle bin as
follows:
1. Delete the zone using the steps described in the section Removing Zones on page 380.
2. Select Remove zone only to remove the zone and its resource records. The NIOS appliance reparents all subzones
to the parent zone of the zone that you remove. Do not select Also remove all subzones.
Automatically created AD (Active Directory) subzones are an exception. Even if you select Remove zone only, the
NIOS appliance still removes AD subzones.
3. From the DNS perspective, click View -> Recycle Bin. The Recycle Bin panel appears.
4. Select the zone you want to restore.
5. Click Edit -> Restore Selected Object. A warning message appears.
6. Click Yes.
The zone is restored back to its original state. The resource records are reparented back under it.
Table 10.3 layout: the rows are the type of source name server for the imported authoritative zone (primary server,
secondary server); the columns are what the destination name server imports (authoritative zone resource records;
authoritative, forward, or delegated subzones redefined as delegated subzones; stub subzone; subzone resource
records).
Restoring Zone Data After a Zone Import Example
In the example shown in Figure 10.10:
1. You import data from a source zone with subzones Sub x and Sub y into zone B with subzones Sub B1 and Sub
B2.
The appliance stores zone B and its resource records in the recycle bin.
To retrieve zone B after the import:
2. Delete subzone B using the Remove zone only option.
The appliance reparents subzones Sub B1 and Sub B2 to Zone A, which is the zone above Zone B.
3. After the import, you can restore zone B from the recycle bin. The appliance reparents the subzones Sub B1 and
Sub B2 back to zone B.
Figure 10.10 Restoring Zones After a Zone Import
Restoring Zone Data After a Zone Reimport Example
In the example shown in Figure 10.11:
1. You reimport data from the source zone with subzones Sub x and Sub y into zone B with subzones Sub B1 and
Sub B2.
To retrieve zone B after the import:
2. Delete the delegated subzones x and y and then remove subzone B using the Remove zone only option.
The appliance stores zone B and its resource records and the previously-imported subzones Sub x and Sub y (as
delegated subzones) in the recycle bin. It reparents subzones Sub B1 and Sub B2 to the zone above zone B
(Zone A).
3. After the import, you can restore zone B and the subzones Sub x and Sub y from the recycle bin. The appliance
reparents the subzones Sub B1 and Sub B2 back to zone B.
Figure 10.10 callouts (Source Zone B with Sub x and Sub y; Zone B under Zone A with Sub B1 and Sub B2):
1. You import subzones x and y to Zone B. The appliance saves Zone B and its resource records in the recycle bin.
2. To restore Zone B after the import, delete Zone B and select the Remove Zone only option. The appliance reparents
the subzones B1 and B2 to Zone A.
3. Restore Zone B from the recycle bin. The appliance reparents subzones B1 and B2 back to Zone B.
Figure 10.11 Restoring Zones After a Zone Reimport
Configuring Delegated, Forward, and Stub Zones
In addition to authoritative zones, the NIOS appliance allows you to configure delegated, forward, and stub zones. A
delegated zone is a zone managed by (delegated to) someone else, who owns the authority for the zone. A forward
zone is where queries are sent before being forwarded to primary name servers. A stub zone contains records that
identify the authoritative name servers in another zone. This section covers the following topics:
Configuring a Delegated Zone on page 365
Configuring a Forward Zone on page 366
Configuring Stub Zones on page 368
Configuring a Delegated Zone
Instead of a local name server, remote name servers (which the local server knows) maintain delegated zone data.
When the local name server receives a query for a delegated zone, it either responds with the NS record for the
delegated zone server (if recursion is disabled on the local server) or it queries the delegated zone server on behalf
of the resolver (if recursion is enabled).
For example, there is a remote office with its own name servers, and you want it to manage its own local data.
On the name server at the main corporate office, define the remote office zone as delegated, and then specify the
remote office name servers as authorities for the zone.
You can delegate a zone to one or more remote name servers, which are typically the authoritative primary and
secondary servers for the zone. If recursion is enabled on the local name server, it queries multiple delegated name
servers using a round-robin technique.
(Figure 10.11 panel text: 1. You import subzones x and y into Zone B. 2. To restore Zone B after the import, delete the delegated subzones x and y under Zone B and then remove Zone B by selecting the Remove Zone only option; the appliance reparents subzones B1 and B2 to Zone A and saves Zone B and the subzones x and y from the previous import (as delegated zones) in the recycle bin. 3. Restore Zone B and subzones x and y from the recycle bin; the appliance reparents its subzones B1 and B2 back to Zone B.)
Managing DNS Data
To create a delegated zone:
1. From the DNS perspective, click Infoblox Views -> + (for view ) -> + (for Forward-Mapping Zones, IPv4
Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> Edit -> Add Forward Mapping Zone ->
Delegated.
2. In the Add Forward Mapping Delegated Zone editor, click Delegated Zone Properties.
3. Specify the following information:
Name: Enter the domain name of the delegated zone.
Note: You do not need to enter an FQDN (fully qualified domain name). The NIOS appliance appends the
delegated zone name to the name of its parent zone.
Comment: Enter a suitable comment.
Disable this zone: Click this check box to temporarily disable this zone.
Lock this zone: Click this check box to lock the zone so that you can make changes to it, and also prevent
others making conflicting changes.
4. Click Delegated Servers.
5. In the Delegated Servers editor, click Add, specify the following information, and then click OK:
Server Name: Enter the name of a remote name server to which you want the local server to redirect queries
for data for the zone.
Server Address: Enter the IP address of the delegated server.
6. Optional: Repeat the previous step to define multiple delegated servers.
You can define multiple delegated servers, such as the primary and secondary servers that serve DNS data for
that zone.
7. Click the Save and Restart Services icons.
For information about modifying, removing, or disabling zones, refer to Managing Zones on page 379.
Configuring a Forward Zone
When you want to forward queries for data in a particular zone, define the zone as a forward zone and specify a name
server that can resolve queries for the zone. For example, define a forward zone so that the NIOS appliance forwards
queries about a partner's internal site to a name server, hosted by the partner, that is configured just for other
partners to access.
Note: The use of a forward zone is different from that of a forwarder. (A forwarder is a name server that performs
recursive lookups on behalf of the name servers that forward queries to it. For more information, see Using
Forwarders with a Grid on page 432.) A NIOS appliance forwards queries to the name server of a forward zone
because the name server can resolve queries for the zone. A NIOS appliance forwards queries to a forwarder
regardless of zones.
To configure a forward zone for a forward-mapping zone:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones) -> zone -> Edit -> Add Forward-Mapping Zone -> Forward.
2. Enter the following information:
Forward Zone Properties
Name: Enter the domain name for which you want the NIOS appliance to forward queries.
Comment: Enter a descriptive comment.
Disable this zone: Click this check box to temporarily disable this zone.
Lock this zone: Click this check box to lock the zone so that you can make changes to it, and also prevent
others making conflicting changes.
Forwarders
For Forwarders, click Add, specify the following information, and then click OK.
Forwarder Name: Enter a domain name for the server to which you want the NIOS appliance to forward
queries for the specified domain name.
Forwarder Address: Enter the IP address of the server to which you want the NIOS appliance to forward
queries.
In the Forwarding Servers section, click Add, select the NIOS appliance from which you want to forward
queries, and then click OK. For an independent deployment, select the local appliance (it is the only
choice). For a grid, you can select one or more grid members.
3. Click the Save and Restart Services icons.
To configure a forward zone for an IPv4 reverse-mapping zone:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for IPv4
Reverse-Mapping Zones) -> zone -> Edit -> Add IPv4 Reverse-Mapping Zone -> Forward.
2. Enter the following:
Forward Zone Properties
Network Address: Enter the 32-bit IPv4 address for which you want the NIOS appliance to forward queries.
Subnet Mask: Choose the subnet mask that defines the IPv4 network address space.
Comment: Enter a descriptive comment.
RFC 2317 Prefix: Use this field when the subnet mask is greater than 24 bits, that is, for a mask between 25 and
31 bits. Enter a prefix, such as the name of the allocated address block. The prefix can be alphanumeric
characters, without blank spaces; for example: 128/26, 128-189, or sub-B. For more information, see
Enabling an RFC 2317 Prefix.
Disable this zone: Click this check box to temporarily disable this zone.
Lock this zone: Click this check box to lock the zone so that you can make changes to it, and also prevent
others from making conflicting changes.
Forwarders
For Forwarders, click Add, specify the following information, and then click OK:
Forwarder Name: Enter a domain name for the DNS server to which you want the NIOS appliance to
forward queries.
Forwarder Address: Enter the IP address of the server to which you want the NIOS appliance to forward
queries.
In the Forwarding Servers section, click Add, select the NIOS appliance that you want to forward queries for
the defined address space, and then click OK. For an independent deployment, select the local appliance
(it is the only choice). For a grid, you can select one or more grid members to forward queries.
3. Click the Save and Restart Services icons.
To configure a forward zone for an IPv6 reverse-mapping zone:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for IPv6
Reverse-Mapping Zones) -> zone -> Edit -> Add IPv6 Reverse-Mapping Zone -> Forward.
Forward Zone Properties
IPv6 Network Address: Enter the 128-bit IPv6 address for which you want the NIOS appliance to forward all
queries. The format of an IPv6 address is eight groups of up to four hexadecimal digits, each group
separated by a colon. Example: 2006:0000:0123:4567:89ab:cdef:0000:0123.
Network Prefix: Choose the network prefix that defines the IPv6 network address space.
Comment: Enter a descriptive comment.
Disable this zone: Click this check box to temporarily disable this zone.
Lock this zone: Click this check box to lock the zone so that you can make changes to it, and also prevent
others from making conflicting changes.
Forwarders
For Forwarders, click Add, specify the following information, and then click OK:
Forwarder Name: Enter a domain name for the DNS server to which you want the NIOS appliance to
forward queries.
Forwarder Address: Enter the IP address of the server to which you want the NIOS appliance to forward
queries.
In the Forwarding Servers section, click Add, select the NIOS appliance that you want to forward queries for
the defined address space, and then click OK. For an independent deployment, select the local appliance
(it is the only choice). For a grid, you can select one or more grid members to forward queries.
2. Click the Save and Restart Services icons.
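The Network Address, Subnet Mask, RFC 2317 Prefix and IPv6 Network Prefix fields in the two reverse-mapping procedures above all name a reverse zone. The following Python is an added example, not Infoblox code, that derives the in-addr.arpa or ip6.arpa zone those fields describe for both the IPv4 and the IPv6 case and rejects the entries the guide rules out: a prefix with a mask of 24 bits or less, blanks in the prefix, and a network address with host bits set. The accepted prefix characters (letters, digits, '-' and '/') are an assumption drawn from the guide's examples, not a NIOS rule, and masks that are not octet or nibble aligned are treated as out of scope.

```python
import ipaddress
import re

# Assumption: the guide's examples (128/26, 128-189, sub-B) suggest letters,
# digits, '-' and '/' are accepted and blanks are not; NIOS may allow more.
RFC2317_PREFIX = re.compile(r"^[A-Za-z0-9/-]+$")


def ipv4_reverse_zone(network_address, mask_bits, rfc2317_prefix=None):
    """Return the in-addr.arpa zone named by the IPv4 forward-zone fields.

    Masks of 8, 16 and 24 bits map to one, two or three reversed octets.
    Masks of 25 to 31 bits need the RFC 2317 prefix in front of the reversed
    /24 part; the prefix is rejected for any other mask, as the guide says.
    """
    # strict=True rejects a Network Address with host bits set (entry error).
    net = ipaddress.IPv4Network((network_address, mask_bits), strict=True)
    octets = str(net.network_address).split(".")
    if 25 <= mask_bits <= 31:
        if not rfc2317_prefix:
            raise ValueError("RFC 2317 prefix required for a /%d mask" % mask_bits)
        if not RFC2317_PREFIX.match(rfc2317_prefix):
            raise ValueError("RFC 2317 prefix must be alphanumeric without blanks")
        return "%s.%s.in-addr.arpa" % (rfc2317_prefix, ".".join(reversed(octets[:3])))
    if rfc2317_prefix:
        raise ValueError("RFC 2317 prefix applies only to masks of 25 to 31 bits")
    if mask_bits not in (8, 16, 24):
        # Assumption: non-octet-aligned masks below /24 are out of scope here.
        raise ValueError("mask must be 8, 16 or 24 bits, or 25 to 31 with a prefix")
    return ".".join(reversed(octets[: mask_bits // 8])) + ".in-addr.arpa"


def ipv6_reverse_zone(network_address, prefix_bits):
    """Return the ip6.arpa zone named by the IPv6 forward-zone fields."""
    if prefix_bits % 4 != 0 or not 4 <= prefix_bits <= 124:
        # Assumption: reverse zones are derived on nibble (4-bit) boundaries only.
        raise ValueError("IPv6 network prefix must be a multiple of 4 bits")
    net = ipaddress.IPv6Network((network_address, prefix_bits), strict=True)
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    return ".".join(reversed(nibbles[: prefix_bits // 4])) + ".ip6.arpa"


if __name__ == "__main__":
    print(ipv4_reverse_zone("10.2.2.0", 24))              # 2.2.10.in-addr.arpa
    print(ipv4_reverse_zone("10.2.2.128", 26, "128/26"))  # 128/26.2.2.10.in-addr.arpa
    print(ipv6_reverse_zone("2006:0:123:4567::", 64))
```

The zone name is what the forwarders you list will receive queries for, so checking it before saving catches a mask or prefix typo that would otherwise silently forward the wrong address block.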
Configuring Stub Zones
A stub zone contains records that identify the authoritative name servers in the zone. It does not contain resource
records for resolving IP addresses to hosts in the zone. Instead, it contains the following records:
SOA (Start of Authority) record of the zone
NS (name server) records at the apex of the stub zone
A (Address) records that map the name servers to their IP addresses
Stub zones, like secondary zones, obtain their records from other name servers. Their records are read only;
therefore, administrators do not manually add, remove, or modify the records.
Stub zone records are also periodically refreshed, just like secondary zone records. However, secondary name
servers contain a complete copy of the zone data on the primary server. Therefore, zone transfers from a primary
server to a secondary server, or between secondary servers, can increase CPU usage and consume excessive
bandwidth. A name server hosting a stub zone maintains a much smaller set of records; therefore, updates are less
CPU intensive and consume less bandwidth.
When a name server hosting a stub zone receives a query for a domain name that it determines is in the stub zone,
the name server uses the records in the stub zone to locate the correct name server to query, eliminating the need to
query the root server.
Figure 10.12 and Figure 10.13 illustrate how the NIOS appliance resolves a query for a domain name for which it is
not authoritative. Figure 10.12 illustrates how the appliance resolves a query when it does not have a stub zone.
Figure 10.13 illustrates how the appliance resolves the query with a stub zone.
In Figure 10.12, a client sends a query for ftp.sales.corp200.com to the NIOS appliance. When the appliance receives
the request from the client, it checks if it has the data to resolve the query. If the appliance does not have the data,
it tries to locate the authoritative name server for the requested domain name. It sends nonrecursive queries to a root
name server and to the closest known name servers until it learns the correct authoritative name server to query.
Figure 10.12 Processing a Query without a Stub Zone
(Figure 10.12 panel text: 1. Client sends a query for ftp.sales.corp200.com to the NIOS appliance. 2. The appliance determines it does not have the record to resolve the query. 3. The appliance sends a query to a root server, which responds with a referral to the .com servers. 4. The appliance sends a query to a .com server, which responds with a referral to the corp200.com servers. 5. The appliance sends a query to a corp200.com server, which responds with a referral to the sales.corp200.com servers. 6. The appliance sends a query to a sales.corp200.com server, which checks its resource records and responds with the requested data. 7. The appliance responds to the client with the requested data.)
In Figure 10.13, when the NIOS appliance receives the request for the domain name in corp200.com, it determines it
does not have the resource records to resolve the query. It does, however, have a list of the authoritative name
servers in the stub zone, corp200.com. The appliance then sends a query directly to the name server in corp200.com.
Figure 10.13 Processing a Query with a Stub Zone
(Figure 10.13 panel text: 1. Client sends a query for ftp.sales.corp200.com to the NIOS appliance. 2. The appliance has a corp200.com stub zone. 3. The appliance sends a query directly to a corp200.com server, which responds with a referral to the sales.corp200.com servers. 4. The appliance sends a query to a sales.corp200.com server, which checks its resource records and responds with the requested data. 5. The appliance responds to the client with the requested data.)
Stub zones facilitate name resolution and alleviate name server traffic in your network. For example, the client in the
previous examples is in corp100.com. The corp100.com and corp200.com zones are partners, and send all their
communications through a VPN tunnel, as shown in Figure 10.14 on page 371. The firewall protecting corp100.com
is configured to send all messages for the 10.2.2.0/24 network through the VPN tunnel. Infoblox_A hosts the stub
zone for corp200.com. Therefore, when the host in corp100.com sends a query for ftp.sales.corp200.com, Infoblox_A
obtains the IP address of Infoblox_B (10.2.2.7) from its stub zone records and sends the query to the firewall
protecting corp100.com.
Because the destination of the query is in the 10.2.2.0/24 network, the firewall (configured to encrypt all traffic to
that network) sends the request through the VPN tunnel to Infoblox_B. Infoblox_B resolves the query and sends back
the response through the VPN tunnel. All name server traffic goes through the VPN tunnel to the internal servers,
bypassing the root servers and external name servers.
Figure 10.14 Stub Zone Configuration
In parent-child zone configurations, using stub zones also eases the administration of name servers in both zones.
For example, as shown in Figure 10.14, sales.corp200.com is a child zone of corp200.com. On the corp200.com
name servers, you can create either a delegated zone or a stub zone for sales.corp200.com.
When you create a delegated zone, you must first specify the name servers in the delegated zone and then manually
maintain information about these name servers. For example, if the administrator in sales.corp200.com changes the
IP address of a name server or adds a new name server, the sales.corp200.com administrator must inform the
corp200.com administrator, who makes the corresponding changes in the delegated zone records.
If, instead, you create a stub zone for sales.corp200.com, you set up the stub zone records once, and updates are
then done automatically. The name servers in corp200.com that are hosting a stub zone for sales.corp200.com
automatically obtain updates of the authoritative name servers in the child zone.
In addition, a name server that hosts a stub zone can cache the responses it receives. Therefore, when it receives a
request for the same resource record, it can respond without querying another name server.
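To make the three behaviours described in this section concrete (a delegated zone answered with a referral when recursion is disabled or queried on the resolver's behalf when it is enabled, a forward zone whose queries go whole to the zone's forwarder, and a stub zone whose learned NS records let the appliance skip the root), here is an added Python model of the local name server. It is not part of the guide or of NIOS, and every server, address and record in it is constructed. It records which servers the local server contacts for ftp.sales.corp200.com, so the no-stub and stub cases of Figures 10.12 and 10.13 can be compared directly.

```python
from dataclasses import dataclass, field

# Constructed referral chain for the corp200.com delegation in the guide's
# figures: zone -> (name server, address). Root and TLD servers are stand-ins.
INTERNET = {
    ".": ("a.root.example", "198.51.100.1"),
    "com": ("a.com-tld.example", "198.51.100.2"),
    "corp200.com": ("ns1.corp200.com", "10.2.2.7"),
    "sales.corp200.com": ("ns1.sales.corp200.com", "10.2.3.5"),
}
# Constructed resource records held by the authoritative leaf zone.
AUTHORITATIVE = {"sales.corp200.com": {"ftp.sales.corp200.com": "10.2.3.20"}}


def zones_on_path(qname):
    """Known zones from the root down to the longest zone containing qname."""
    labels = qname.split(".")
    suffixes = ["."] + [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]
    return [zone for zone in suffixes if zone in INTERNET]


def closest_zone(qname, zones):
    """Longest zone in `zones` that contains qname, or None."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def walk_referrals(qname, start_zone, queried):
    """Follow referrals iteratively from start_zone, logging each server asked."""
    path = zones_on_path(qname)
    for zone in path[path.index(start_zone):]:
        queried.append(INTERNET[zone][0])
        if zone in AUTHORITATIVE:  # this server answers from its own records
            return AUTHORITATIVE[zone].get(qname)
        # otherwise it replies with a referral to the next zone down the path
    return None


@dataclass
class Result:
    answer: str = None
    referral: list = None                        # NS names returned instead of an answer
    queried: list = field(default_factory=list)  # servers the local server contacted


@dataclass
class LocalServer:
    """The NIOS appliance in the figures: no authoritative data of its own."""
    recursion: bool = True
    delegated: dict = field(default_factory=dict)  # zone -> (ns, addr), entered by hand
    stub: dict = field(default_factory=dict)       # zone -> (ns, addr), learned from primary
    forward: dict = field(default_factory=dict)    # zone -> (forwarder, addr)

    def add_stub_zone(self, zone):
        """Bootstrap a stub zone by taking the NS/A data from the zone's primary."""
        self.stub[zone] = INTERNET[zone]  # constructed stand-in for the SOA/NS/A fetch

    def resolve(self, qname):
        result = Result()
        fz = closest_zone(qname, self.forward)
        if fz is not None:
            # Forward zone: the whole query goes to that zone's forwarder, which
            # recurses on our behalf; we exchange a single message with it.
            result.queried.append(self.forward[fz][0])
            result.answer = walk_referrals(qname, ".", [])  # the forwarder's own work
            return result
        known = closest_zone(qname, {**self.delegated, **self.stub})
        if not self.recursion:
            # Recursion disabled: hand back the NS record of the delegated or
            # stub zone (or the root, when nothing closer is configured).
            server = self.delegated.get(known) or self.stub.get(known) or INTERNET["."]
            result.referral = [server[0]]
            return result
        # Recursion enabled: query on the resolver's behalf, starting at the
        # closest zone already known, which skips the root when a stub or
        # delegated zone covers the name.
        result.answer = walk_referrals(qname, known or ".", result.queried)
        return result


if __name__ == "__main__":
    plain, stubbed = LocalServer(), LocalServer()
    stubbed.add_stub_zone("corp200.com")
    for label, server in (("no stub zone", plain), ("corp200.com stub zone", stubbed)):
        r = server.resolve("ftp.sales.corp200.com")
        print("%-22s %d queries: %s" % (label, len(r.queried), " -> ".join(r.queried)))
```

With no stub zone the appliance contacts four servers (root, .com, corp200.com, sales.corp200.com); with a corp200.com stub zone it contacts two, which is the traffic saving the text describes. The forward-zone branch shows the difference from a forwarder noted earlier: only names under the forward zone are handed to that server.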
Creating Stub Zones
When you create a stub zone on the NIOS appliance, you specify the following:
The grid member that is hosting the stub zone
You can specify multiple appliances if you want the stub zones on multiple name servers. If you do, the
appliances store identical records about the stub zone.
The IP address of the primary server(s) that the NIOS appliance can query in the stub zone
The primary server can be a grid member or an external primary server. If you specify multiple primary servers,
the appliance queries the primary servers, starting with the first server on the list.
The primary server and the name server hosting the stub zone can belong to the same grid, as long as the
authoritative zone and the stub zone are in different Infoblox views. You cannot configure one zone as both
authoritative and stub in the same view.
(Figure 10.14 labels: Host and Infoblox_A (10.1.1.3) in corp100.com; Infoblox_B (10.2.2.7) in corp200.com; sales.corp200.com.)
After you create a stub zone, the NIOS appliance does the following:
1. It sends a query to the primary server for the SOA (Start of Authority) record of the stub zone.
The primary server returns the SOA record.
2. Then, it sends a query for the NS (name server) records in the zone.
The primary server returns the NS records and the A (address) records of the name servers. (These A records are
also called glue records.)
If the primary server is a NIOS appliance, you might have to manually create the A record and add it to the stub
zone. A NIOS appliance that is the primary server for a zone always creates an NS record, but does not always
create an A record.
The appliance automatically creates an A record when its host name belongs to the name space of the
zone. For example, if the zone is corp100.com and the primary server host name is server1.corp100.com,
the appliance automatically creates the NS and A records and sends these records when it is queried by the
stub zone name server.
The appliance does not automatically create an A record when its host name is in a name space that is
different from the zone. For example, if the zone is corp200.com and the primary server host name is
server1.corp100.com, then the appliance creates the NS record only and sends it when it is queried by the
stub zone name server. In this case, you must manually create the A record and add it to the zone by
navigating to the DNS perspective and clicking the Infoblox Views tab -> + (for Infoblox Views) -> + (for view )
-> + (for Forward-Mapping Zones) -> zone -> Edit -> Add Resource Records -> A Record.
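Added example, not Infoblox code, of the check a practitioner would run on the records a primary returns for a new stub zone: it separates name servers whose A record the primary creates itself (host name inside the zone's name space) from those whose A record must be added by hand (host name outside it), which is the case just described for a NIOS primary. The records it inspects are constructed.

```python
def in_bailiwick(host, zone):
    """True if `host` lies inside `zone`'s name space (the guide's "same name space")."""
    host, zone = host.rstrip(".").lower(), zone.rstrip(".").lower()
    return host == zone or host.endswith("." + zone)


def check_stub_zone_records(zone, records):
    """Inspect the records a primary returned when a stub zone was created.

    `records` is a list of (owner, type, rdata) tuples. The report lists the
    SOA, the NS targets, the glue found, and the NS targets without an A
    record, split into those the primary should have created itself (host
    inside the zone) and those the administrator must add by hand (host
    outside it).
    """
    zone = zone.rstrip(".").lower()
    report = {"soa": None, "ns": [], "glue": {}, "missing_auto": [], "missing_manual": []}
    for owner, rtype, rdata in records:
        owner = owner.rstrip(".").lower()
        if owner == zone and rtype == "SOA":
            report["soa"] = rdata
        elif owner == zone and rtype == "NS":
            report["ns"].append(rdata.rstrip(".").lower())
        elif rtype == "A":
            report["glue"][owner] = rdata
    if report["soa"] is None:
        raise ValueError("primary returned no SOA record for %s" % zone)
    for ns in report["ns"]:
        if ns not in report["glue"]:
            bucket = "missing_auto" if in_bailiwick(ns, zone) else "missing_manual"
            report[bucket].append(ns)
    return report


def stub_zone_usable(report):
    """A stub zone can route queries only if every NS target has an address."""
    return bool(report["ns"]) and not report["missing_auto"] and not report["missing_manual"]


# Constructed response from a primary whose own host name lies outside the zone.
SAMPLE_RECORDS = [
    ("corp200.com", "SOA", "server1.corp100.com. hostmaster.corp200.com. 2008072701 3600 600 86400 3600"),
    ("corp200.com", "NS", "server1.corp100.com"),
    ("corp200.com", "NS", "ns2.corp200.com"),
    ("ns2.corp200.com", "A", "10.2.2.8"),
]

if __name__ == "__main__":
    report = check_stub_zone_records("corp200.com", SAMPLE_RECORDS)
    for ns in report["missing_manual"]:
        print("add an A record for %s to the zone by hand" % ns)
    print("stub zone usable:", stub_zone_usable(report))
```

A name server listed under `missing_auto` indicates something other than the out-of-zone case, since the primary should have produced that glue on its own; `missing_manual` is the situation the procedure above resolves by adding the A record through the Add Resource Records editor.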
Maintaining Stub Zones
The NIOS appliance maintains the stub zone records and updates them based on the values in the SOA record as
follows:
The refresh interval indicates when the appliance sends a discrete query to the primary name server in the stub
zone. The appliance learns about any changes in the stub zone and updates the NS and A records in the stub
zone accordingly.
If the update fails, the retry interval indicates when the appliance resends a discrete query.
If the query continues to fail, the expiry value indicates when the appliance stops using the zone data.
Adding Stub Zones
To add a stub zone, you must identify the appliance that hosts the stub zone, and provide the IP address of the
primary server. You can configure a stub zone for forward mapping or reverse mapping zones.
To add a stub zone:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones, IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> Edit -> Add
Forward-Mapping Zone, IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones -> Stub.
2. In the Add Stub Zone editor, click Stub Zone Properties and enter the following information:
Name: Enter the name for the stub zone.
Comment: Enter a useful comment, such as the admin to contact for the stub zone.
Disable this zone: Click this check box to temporarily disable this zone.
Lock this zone: Click this check box to lock the zone so that you can make changes to it, and also prevent
others from making conflicting changes.
3. Click Stub Server Assignment.
4. In the Stub Members section, click Add.
5. In the Stub Zone Member Server Item dialog select the grid member(s) hosting the stub zone, and then click OK.
6. In the Stub Primaries section, click Add.
7. In the Stub Primary Item dialog, enter the Name and IP Address of the primary server in the stub zone, and then
click OK.
If the primary server is a grid member, you must enter the host name and IP address of the grid member. The
NIOS appliance does not validate these entries. Therefore, if you change the IP address of a grid member listed
here, you must update the grid member information in this list as well.
You can specify multiple primary servers for redundancy. If the primary server is a NIOS appliance, the appliance
must have the Minimal Response feature disabled so it can propagate the data to the stub server. For
information about the Minimal Response feature, see Specifying Minimal Response Returns on page 432.
8. Optional: Click the Disable Forwarding check box to indicate that the name servers hosting the stub zone should
not forward queries that end with the domain name of the stub zone to any configured forwarders.
9. Click the Save and Restart Services icons.
Viewing SOA Records
The timer values in the SOA record determine when the stub zone records are updated. A zone contains one SOA
record that accounts for the following properties for the zone:
Name of the primary DNS server: The domain name for the primary DNS server for the zone. The zone should
contain a matching NS record.
E-mail address of the responsible person: The e-mail address of the person responsible for maintaining the
zone.
Serial number: The number used by secondary DNS servers to check if the zone has changed. If the serial
number is higher than what the secondary server currently has, a zone transfer is initiated. This number is
automatically increased when changes are made to the zone or its records.
Refresh interval: The time lapse between checks the secondary server makes for changes to the zone.
Retry interval: The time lapse after which the secondary server checks for changes if the first refresh fails.
Expire interval: The time period the zone remains valid after a successful refresh.
Minimum TTL: The default TTL for new records created within the zone.
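The refresh, retry and expire values listed above are the same SOA timers that drive the stub zone updates described under Maintaining Stub Zones. The following Python is an added example, not NIOS code: it schedules the discrete queries to the primary from an SOA's timer values, marks the zone data unusable once the expire interval has passed without a successful refresh, and applies the serial-number comparison that decides whether the zone has changed (RFC 1982 serial arithmetic, which the guide itself does not name). The sequence of query outcomes it runs through is constructed.

```python
from dataclasses import dataclass


@dataclass
class SoaTimers:
    refresh: int  # seconds between scheduled checks of the primary
    retry: int    # seconds to wait after a failed check
    expire: int   # seconds since the last success after which the data is dropped


@dataclass
class StubZoneState:
    timers: SoaTimers
    last_success: int    # time of the last successful refresh
    next_check: int      # time of the next scheduled query
    usable: bool = True  # False once the expire interval has elapsed


def create_stub_zone(timers, now):
    """The initial SOA/NS fetch succeeded at `now`; schedule the first refresh."""
    return StubZoneState(timers, last_success=now, next_check=now + timers.refresh)


def on_check(state, now, succeeded):
    """Apply the outcome of one discrete query to the primary made at `now`."""
    if succeeded:
        state.last_success = now
        state.next_check = now + state.timers.refresh
        state.usable = True
    else:
        state.next_check = now + state.timers.retry
        if now - state.last_success >= state.timers.expire:
            state.usable = False  # expire reached: stop using the zone data
    return state


def simulate(timers, outcomes, start=0):
    """Run the scheduler through a constructed list of check outcomes.

    Returns [(time, succeeded, usable)] for each check made, stopping early
    once the zone data has expired.
    """
    state = create_stub_zone(timers, start)
    trace = []
    for succeeded in outcomes:
        now = state.next_check
        on_check(state, now, succeeded)
        trace.append((now, succeeded, state.usable))
        if not state.usable:
            break
    return trace


def serial_is_newer(candidate, current):
    """RFC 1982 serial arithmetic: True if `candidate` is later than `current`
    on the 32-bit circle, meaning the zone changed and a refresh is due."""
    diff = (candidate - current) % (1 << 32)
    return 0 < diff < (1 << 31)


if __name__ == "__main__":
    timers = SoaTimers(refresh=3600, retry=600, expire=86400)
    for when, ok, usable in simulate(timers, [True, False, False]):
        print("t=%6d %s usable=%s" % (when, "ok  " if ok else "fail", usable))
    print("expires at t=%d" % simulate(timers, [False] * 200)[-1][0])
```

With refresh 3600, retry 600 and expire 86400, a primary that stops answering is retried every ten minutes and the stub data is abandoned at exactly 86400 seconds after the last success, so the expire value bounds how long a stale NS list can keep steering queries.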
To view zone SOA record values:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones, IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> Authoritative
Zone Properties.
2. In the Forward Authoritative Zone editor, click Settings.
3. Click Override grid settings, and specify the following:
Refresh every: The interval at which the NIOS appliance sends a discrete query to the primary name server
in the stub zone.
Retry every: The interval at which the appliance retries sending a discrete query to the primary name server.
Expires after: Specifies when the appliance should stop using the zone data if it is unable to refresh the
data.
Default TTL: Specifies how long a name server can cache the record.
Negative TTL: Specifies how long a name server caches negative responses from the name servers that are
authoritative for the zone.
Set primary for SOA: Enter the primary server for the zone.
Increment serial number by: Click this check box and enter an incremental value in the text box that
appears. The Serial number option is disabled (grayed out) when this check box is selected.
Serial numbers: Enter serial numbers for the zone data file.
Email Address: Enter the e-mail address of the contact for the zone.
Import zone data from: To import data from another zone, click this check box and specify the following:
Enter the FQDN (fully qualified domain name) of a zone from which you want to import data.
Optional: Click the Automatic reverse mapping during import check box.
Disable forwarding: Click this check box to disable the forwarding function.
4. Click the Save and Restart Services icons.
Configuration Example: Configuring a Stub Zone in a Grid
This example illustrates how to configure a stub zone and assign it to a grid member. Figure 10.15 shows the items
you are configuring. You configure a grid, Corp100, with a single grid master and grid member. The grid member,
member1.corp100.com, is the primary name server for the corp100.com zone in the internal view. The grid master,
gm-corp100.com, hosts the stub zone for corp100.com in the external view. Thus, when the grid master receives a
query for the corp100.com zone, it sends it directly to member1.corp100.com, the primary name server for the zone.
Figure 10.15 DNS Members Configuration
In this example, you configure the following:
1. Turn off minimal responses on member1.corp100.com, the primary name server for the corp100.com zone. See
Disable Minimal Responses.
2. Create the internal and external views. See Create the Views.
3. Create the corp100.com authoritative zone and stub zone. See Create the Zones.
Disable Minimal Responses
After you create the grid, turn off minimal responses for member1.corp100.com. Disabling minimal responses
ensures that member1.corp100.com propagates the required data to the server hosting the stub zone.
1. In the DNS perspective, click DNS Members -> + for Corp100 -> member1.corp100.com -> Edit -> Member DNS
Properties.
2. In the Member DNS Properties editor, expand the General section.
3. Clear the Return minimal responses check box.
4. Click the Save and Restart Services icons.
Create the Views
Create the internal and external views. To create each view:
1. In the DNS perspective, click the Infoblox Views tab -> Infoblox Views -> Edit -> Add Infoblox View.
2. In the IB View editor, enter the name of the view. In this example, enter either External or Internal.
3. In the Match members section, click Match all grid members to allow queries from grid members.
4. Click the Save and Restart Services icons.
(Figure 10.15 labels: the grid master hosts the stub zone, in the external view; the grid member is the primary name server for the authoritative zone, in the internal view.)
Create the Zones
Create the corp100.com zone in the internal view and assign member1.corp100.com as the grid primary server:
1. In the DNS perspective, click the Infoblox Views tab -> + for Infoblox Views -> + for internal view ->
Forward-Mapping Zones -> Edit -> Add Forward-Mapping Zone -> Authoritative.
2. In the Forward Authoritative Zone editor, do the following:
In the Authoritative Zone Properties section, enter the zone name, corp100.com.
In the Primary Server Assignment section, select member1.corp100.com as the grid primary server.
3. Click the Save and Restart Services icons.
After you create the zone, you can view the NS and A records that were automatically created. Select the zone and
click View -> Records. The following figure displays the NS and A records for corp100.com:
Figure 10.16 Authoritative Zone
Create the stub zone, corp100.com, in the external view, and assign gm-corp100.com as the stub member and
member1.corp100.com as the stub primary server.
1. In the DNS perspective, click the Infoblox Views tab -> + for Infoblox Views -> + for internal view ->
Forward-Mapping Zones -> Edit -> Add Forward-Mapping Zone -> Stub.
2. In the Stub Zone editor, do the following:
Expand the Stub Zone Properties section, and enter the name of the stub zone, corp100.com.
Expand the Stub Server Assignment section, and do the following:
Click Add for Stub Members. In the Stub Zone Member Server Item dialog box, select gm-corp100.com
and click OK.
Click Add for Stub Primaries. In the Stub Primary Item dialog box, enter the following for the primary
name server, and click OK:
Name: member1.corp100.com
Address: 10.35.0.222
3. Click the Save and Restart Services icons.
After you create the stub zone, the server hosting the stub zone, gm-corp100.com, sends queries to the primary
server, member1.corp100.com, for the SOA and NS records. member1.corp100.com then returns its NS records and
A (address) records. The following figure displays the NS and A records in the stub zone.
Figure 10.17 Stub Zone
Using Name Server Groups
A name server group is a collection of one primary DNS server and one or more secondary DNS servers. Grouping a
commonly used set of primary and secondary DNS servers together simplifies zone creation by enabling you to
specify a single name server group instead of specifying multiple name servers individually.
Note: Only superusers can create and manage name server groups.
Creating Name Server Groups
To create a name server group:
1. From the DNS perspective, click the DNS Members tab -> member -> Edit -> Grid DNS Properties.
2. In the Grid DNS Properties editor, click Name Server Groups.
3. In the Name Server Groups section, click Add, enter the following information, and then click OK:
Name Server Group Name: Type a name that provides a meaningful reference for this set of servers.
Grid Primary: To create a name server group for a grid with the primary name server as a member of the grid,
click Select Member, choose the member from the Select Grid Member dialog list, and then click OK.
Stealth: To hide the NS record for the primary name server from DNS queries, select this check box. The
NIOS appliance does not create an NS record for the primary name server in the zone data. To display the
NS record for the primary name server in responses to queries, clear the check box.
Use external primaries: If you are not using a grid or you want the primary name server to be an appliance
outside a grid, select Use external primaries, click Add, specify the following information, and click OK:
Name: Type the FQDN (fully qualified domain name) of the primary name server.
IP Address: Type the IP address of the name server. If the external primary name server is behind a NAT
appliance, use the NAT address, not its interface address.
Use TSIG: To authenticate zone transfers using a TSIG (transaction signature), select this check box.
Infoblox TSIGs use HMAC-MD5 hashes. These are keyed one-way hashes for message authentication
codes using the Message Digest 5 algorithm. For details, see RFC 1321, The MD5 Message-Digest
Algorithm, and RFC 2104, HMAC: Keyed-Hashing for Message Authentication.
Key name: Type or paste the name of the TSIG key you want to use. This must be the same name as
that of the TSIG key on other DNS appliances with which you intend to send and receive
TSIG-authenticated messages.
Key: Type or paste a previously generated key. This key must be present on other DNS appliances
with which you intend to send and receive TSIG-authenticated messages.
You can generate a TSIG key in the TSIG Key dialog box (accessed from the Zone Transfers section), or
you can obtain the TSIG key name and key from the external name server, either by accessing the
appliance yourself or by requesting the appliance administrator to deliver them to you through some
out-of-band mechanism. Then type or copy-and-paste the name and key into these fields.
To send DNS messages without TSIG authentication, clear the Use TSIG check box.
Use DNS One 2.x TSIG: If you want to use TSIG authentication and the external primary name server is
running DNS One 2.x code, select this check box. The NIOS appliance generates the required TSIG key to
use when authenticating DNS messages to and from appliances running DNS One 2.x code. If the
external primary name server is not running DNS One 2.x, clear the check box.
Stealth: To hide the NS record for the primary name server from DNS queries, select this check box. The
NIOS appliance does not create an NS record for the primary name server in the zone data. To display
the NS record for the primary name server in responses to queries, clear the check box.
Grid Secondaries: If you are creating a name server group for a grid and you want to use a grid member as a
secondary name server, click Add, enter the following information in the Name Server Group Member
Secondary dialog box, and click OK.
Click Select member, select a member from the list in the Select Grid Member dialog box, and click OK.
Stealth: To hide the NS record for the secondary name server from DNS queries, select this check box.
The NIOS appliance does not create an NS record for the secondary name server in the zone data. To
display the NS record for the secondary name server in responses to queries, clear the check box.
Lead Secondary: Select if the primary name server is outside the grid, and you want the chosen
secondary name server to forward zone transfers it receives from the primary to other secondary name
servers, which can be either inside the grid or outside it.
Update zones using: Select one of the following options:
Grid replication (recommended): Select this check box if the primary and secondary servers are
grid members and they use database replication for zone updates.
DNS zone transfers: Select this check box if the primary and secondary servers use zone transfers
for zone updates.
External Secondaries: If you are not using a grid or you want to add a secondary name server that is not part
of a grid, click Add, specify the following, and then click OK:
Name: Type the FQDN (Fully Qualified Domain Name) of the secondary name server.
IP Address: Type in the IP Address for the secondary name server.
Use TSIG: To authenticate zone transfers using a TSIG (transaction signature), select this check box.
Infoblox TSIGs use HMAC-MD5 hashes. These are keyed one-way hashes for message authentication
codes using the Message Digest 5 algorithm. For details, see RFC 1321, The MD5 Message-Digest
Algorithm, and RFC 2104, HMAC: Keyed-Hashing for Message Authentication.
Key name: Type or paste the name of the TSIG key you want to use. This must be the same name as
that of the TSIG key on other DNS appliances with which you intend to send and receive
TSIG-authenticated messages.
Key: Type or paste a previously generated key. This key must be present on other DNS servers with
which you intend to send and receive TSIG-authenticated messages.
You can generate a TSIG key in the TSIG Key dialog box (accessed from the Zone Transfers section), or
you can obtain the TSIG key name and key from the external name server, either by accessing the
appliance yourself or by requesting the appliance administrator to deliver them to you through some
out-of-band mechanism; then type or copy-and-paste the name and key into these fields.
To send DNS messages without TSIG authentication, clear the Use TSIG check box.
Use DNS One 2.x TSIG: If you want to use TSIG authentication and the external secondary name server
is running DNS One 2.x code, select this check box. The NIOS appliance generates the required TSIG
key to use when authenticating DNS messages to and from appliances running DNS One 2.x code. If the
external secondary name server is not running DNS One 2.x, clear the check box.
Stealth: Select this check box to hide the NS record for the secondary name server from DNS queries. The
NIOS appliance does not create an NS record for the secondary name server in the zone data. To
display the NS record for the secondary name server in responses to queries, clear the check box.
4. Click the Save icon to apply the new name server group configuration. A newly created name server group
appears in the Default Name Server Group drop-down list (in the Grid DNS Properties editor) only after you save
the configuration.
5. From the Default Name Server Group drop-down menu, select a name server group to be the default.
6. Click the Save and Restart Services icons.
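The key name and key entered above are both inputs to the TSIG MAC, which is why they must match on every server that exchanges signed messages. The following is an added example, not Infoblox code: it computes the RFC 2845 digest with HMAC-MD5 (the algorithm this release uses) over a constructed message and shows the BADKEY, BADSIG and BADTIME results a receiver reports when the key name, the secret, or the clock does not match; the key names, the 300-second fudge and the message bytes are assumptions.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Added example, not Infoblox code. It builds the TSIG digest input of RFC 2845
# (DNS message followed by the TSIG variables) and signs it with HMAC-MD5. The
# DNS message is a constructed byte string, not a real wire-format packet.

ALGORITHM_NAME = "hmac-md5.sig-alg.reg.int."   # RFC 2845 name for HMAC-MD5


def generate_key(nbytes=16):
    """Return a fresh random secret, base64-encoded as it is pasted into the Key field."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def wire_name(name):
    """Canonical wire format of a domain name: lower-case labels, no compression."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def tsig_mac(key_name, secret_b64, message, time_signed, fudge):
    """HMAC-MD5 over the message and the TSIG variables (RFC 2845 section 3.4)."""
    digest_input = (
        message
        + wire_name(key_name)                                  # NAME (the key name)
        + struct.pack("!HI", 255, 0)                           # CLASS ANY, TTL 0
        + wire_name(ALGORITHM_NAME)                            # Algorithm Name
        + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit Time Signed
        + struct.pack("!HHH", fudge, 0, 0)                     # Fudge, Error, Other Len
    )
    return hmac.new(base64.b64decode(secret_b64), digest_input, hashlib.md5).digest()


def sign(key_name, secret_b64, message, time_signed=None, fudge=300):
    """Fields a sender places in its TSIG record: key name, time, fudge and MAC."""
    if time_signed is None:
        time_signed = int(time.time())
    return {
        "key_name": key_name.lower(),
        "time_signed": time_signed,
        "fudge": fudge,
        "mac": tsig_mac(key_name, secret_b64, message, time_signed, fudge),
    }


def verify(keyring, message, tsig, now=None):
    """Check a received TSIG against the local keyring (key name -> base64 secret).

    Returns "NOERROR" or the TSIG error name a receiver would report."""
    if now is None:
        now = int(time.time())
    keys = {name.lower(): secret for name, secret in keyring.items()}
    secret_b64 = keys.get(tsig["key_name"].lower())
    if secret_b64 is None:
        return "BADKEY"    # this side has no key of that name
    expected = tsig_mac(tsig["key_name"], secret_b64, message, tsig["time_signed"], tsig["fudge"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"    # same name but a different secret, or a modified message
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return "BADTIME"   # clocks differ by more than the fudge window
    return "NOERROR"


if __name__ == "__main__":
    secret = generate_key()
    request = b"constructed AXFR request for corp.example"   # stands in for the DNS message bytes
    tsig = sign("xfer-key.corp.example.", secret, request)
    print(verify({"xfer-key.corp.example.": secret}, request, tsig))
    print(verify({"xfer-key.corp.example.": generate_key()}, request, tsig))
```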
Applying Name Server Groups
To specify a name server group when creating a forward-mapping zone:
1. From the DNS perspective, click Infoblox Views -> + (for view ) -> Forward-Mapping Zones -> Edit -> Add Forward
Mapping Zone -> Authoritative.
2. In the Add Forward Authoritative Zone editor, specify the following:
Name: Enter the name of the forward-mapping zone.
Comment: Enter a meaningful comment.
Disable this zone: Click this check box to temporarily disable this zone.
Lock this zone: Click this check box to lock the zone so that you can make changes to it and prevent
others from making conflicting changes.
NS Group: Select the group of name servers that you want to serve DNS for this zone.
3. Click the Save and Restart Services icons.
To specify a name server group when creating an IPv4 reverse-mapping zone:
1. From the DNS perspective, click Infoblox Views -> + (for view ) -> IPv4 Reverse-Mapping Zones -> Edit -> Add IPv4
Reverse-Mapping Zone -> Authoritative.
2. In the Add Authoritative Reverse Zone editor, specify the following:
Network Address: Enter the 32-bit IPv4 address for the reverse-mapping zone.
Subnet Mask: Choose the subnet mask that defines the IPv4 network address space.
Comment: Enter a descriptive comment.
RFC 2317 Prefix: Use this field when the subnet mask is longer than 24 bits, that is, for a mask between 25 and 31
bits. Enter a prefix, such as the name of the allocated address block. The prefix can contain alphanumeric
characters, without blank spaces; for example: 128/26, 128-189, or sub-B. For more information, see
Enabling an RFC 2317 Prefix.
Disable this zone: Click this check box to temporarily disable this zone.
Lock this zone: Click this check box to lock the zone so that you can make changes to it and prevent
others from making conflicting changes.
NS Group: From the drop-down list, select the previously defined name server group that you want to serve
DNS for this zone.
3. Click the Save and Restart Services icons.
To specify a name server group when creating an IPv6 reverse-mapping zone:
1. From the DNS perspective, click Infoblox Views -> + (for view ) -> IPv6 Reverse-Mapping Zones -> Edit -> Add IPv6
Reverse-Mapping Zone -> Authoritative.
2. In the Add Authoritative Reverse Zone editor, specify the following:
IPv6 Network Address: Enter the 128-bit IPv6 address for the reverse-mapping zone.
Network Prefix: Choose the network prefix that defines the IPv6 network address space.
Comment: Enter a descriptive comment.
Disable this zone: Click this check box to temporarily disable this zone.
Lock this zone: Click this check box to lock the zone so that you can make changes to it and prevent
others from making conflicting changes.
NS Group: Select the previously defined name server group that you want to serve DNS for this zone.
3. Click the Save and Restart Services icons.
Note: If you apply a name server group to at least one zone or specify it as the default group, you cannot rename or
remove it. To rename or remove a group, you must first disassociate it from all zones and unassign it as the
default group.
Managing Zones
The following sections describe how to edit, delete, enable, disable, lock, and unlock zones after you create them.
Locking and Unlocking Zones
Modifying Zones
Removing Zones
Enabling and Disabling Zones on page 382
Locking and Unlocking Zones
Administrators can lock a zone before changing its properties or records so that other administrators cannot make
conflicting changes. Administrators can select a zone, lock it, make changes, and then unlock it.
If you lock a zone and other administrators try to make changes to it, then the system displays a warning message
that the zone is locked by admin_name.
You can perform dynamic updates through mechanisms such as DDNS and nsupdate on a locked zone. The system
can also add auto-generated records such as glue A records and NS records to a locked zone. Locks on a zone do not
impact its child zones.
To lock a zone:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones, IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) zone -> Edit -> Lock
Zone.
2. Click the Save and Restart Services icons.
You can also lock a zone using the zone editor as follows:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones, IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> Edit
Properties.
2. In the Edit Zone Properties dialog box, select the check box Lock this zone.
A lock icon appears on the left panel next to the zone.
Only a superuser or the administrator who locked the zone can unlock it. Locks do not expire; you must manually
unlock a locked zone.
To unlock a zone:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones, IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) zone -> Edit ->
Unlock Zone.
2. Click the Save and Restart Services icons.
You can also unlock a zone using the zone editor as follows:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones, IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> Edit
Properties.
2. In the Edit Zone Properties dialog box, deselect the check box Lock this zone.
3. Click the Save and Restart Services icons.
The lock icon next to the zone in the left panel disappears, indicating that the zone is unlocked.
Modifying Zones
The NIOS appliance allows you to modify existing zone settings. The one item you cannot change is the name.
To change the zone settings:
1. From the DNS perspective, click Infoblox Views -> view -> Forward Mapping Zone or Reverse Mapping Zone -> zone
-> Edit -> Authoritative Zone Properties.
2. Click Settings, and make the necessary changes.
3. Make other changes, as necessary. For more information, see Configuring Delegated, Forward, and Stub Zones
on page 365.
4. Click the Save and Restart Services icons.
Removing Zones
When you remove a zone, the NIOS appliance removes the zone from the database, along with all resource records
in the zone. If a zone has subzones, you can choose to remove them and their resource records or reparent them
to the parent zone of the one you are removing. These two options are shown in Figure 10.18.
Figure 10.18 Removing or Reparenting Subzones
If you choose to reparent the subzones, be aware of the following caveats and possible effects of the reparenting:
You cannot remove a zone and reparent its subzones if at least one of the subzones is a delegated zone. You
must first remove any delegated subzones, and then you can remove the zone and reparent its subzones.
If there are AD (Active Directory) subzones (_msdcs, _sites, _tcp, _udp, domaindnszones, forestdnszones) and
you opt to remove the parent zone only, the NIOS appliance reparents all subzones except the AD subzones,
which it removes regardless of the removal option you specify.
The subzone reparenting option is unavailable when you select multiple zones for removal.
When you remove a zone and reparent its subzones, any subzone that inherited its admin access settings from
its previous parent zone (as opposed to having specific access settings of its own) now receives its
settings from its new parent zone, which might be different. See Figure 10.19.
Figure 10.18 (diagram text): Zone A contains zone B, which contains subzone C. Remove zone B and remove its
subzones: the NIOS appliance removes zone B, subzone C, and all their resource records. Remove zone B and
reparent its subzones: the NIOS appliance removes zone B and its resource records, reparents subzone C to
zone A, creates a new NS record in zone A for subzone C, and possibly changes admin privileges for subzone C.
Figure 10.19 Changed Admin Access Settings after Reparenting Subzones
Note: Instead of removing a zone, you can also disable it. For more information, refer to Enabling and Disabling
Zones on page 382.
To remove a zone:
1. From the DNS perspective, click + (for Infoblox Views) -> + (for view) -> + (for Forward-Mapping Zones,
IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> Edit -> Remove zone.
2. In the Confirm Delete Request dialog, enter the following:
Remove Zone: Select the check box to confirm the removal of the zone.
Note: Because of the potentially large loss of data that can occur when you remove a zone, by default the
Infoblox appliance requires a double confirmation of its removal. To change the default behavior so that
a zone removal does not require you to confirm its removal twice, in the DNS perspective click the DNS
Members tab -> grid -> Edit -> Grid DNS Properties -> General, clear the Enable double confirm for zone
deletion check box, and then click the Save icon.
Also remove all subzones: Select to remove the selected zone, all its subzones, and all the resource records
of the selected zone and its subzones.
Remove zone only: Select to remove the zone and its resource records. The Infoblox appliance reparents all
subzones to the parent zone of the zone that you remove. Automatically created AD (Active Directory)
subzones are an exception. Even if you select Remove zone only, the Infoblox appliance still removes AD
subzones.
3. Click OK.
Figure 10.19 (diagram text): Zone A has Read/Write admin access. Zone B, under zone A, has Deny, and subzone C
inherits Deny from zone B. If you remove zone B and reparent its subzones, the admin access settings for
subzone C change because the privileges for its new parent zone (zone A) are different from those of its
previous parent zone (zone B). Before you remove zone B, subzone C inherits a Deny admin access setting from
zone B. After the removal, subzone C inherits Read/Write access from its new parent zone, zone A. Note that if
you set a specific Deny admin access privilege for subzone C before removing its parent zone (zone B),
subzone C retains its specified Deny setting.
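To make the reparenting rules above concrete, here is an added model (not Infoblox code) of a small zone tree: removing a zone with or without reparenting, the refusal when a delegated subzone exists, the AD subzone exception, and the change in effective admin access that Figure 10.19 describes. The zone names, the two access values, and the rule that a tree with no explicit setting denies access are assumptions of this model.

```python
# Added model of the zone-removal rules in this section; not Infoblox code.
# Zones form a tree; a zone's admin access is either set explicitly or inherited
# from the nearest ancestor with an explicit setting.

AD_SUBZONE_LABELS = {"_msdcs", "_sites", "_tcp", "_udp", "domaindnszones", "forestdnszones"}


class Zone:
    def __init__(self, name, parent=None, access=None, delegated=False):
        self.name = name                # FQDN of the zone, e.g. "b.example.com"
        self.parent = parent
        self.access = access            # "Read/Write", "Deny", or None = inherit
        self.delegated = delegated
        self.children = []
        self.ns_records = set()         # subzones this zone holds NS records for
        if parent is not None:
            parent.children.append(self)
            parent.ns_records.add(name)

    def effective_access(self):
        """Walk up the tree until a zone with an explicit setting is found."""
        zone = self
        while zone is not None:
            if zone.access is not None:
                return zone.access
            zone = zone.parent
        return "Deny"                   # assumption: no setting anywhere means no access

    def first_label(self):
        return self.name.split(".")[0].lower()


def can_reparent(zone):
    """Reparenting is refused while any direct subzone is a delegated zone."""
    return not any(child.delegated for child in zone.children)


def _remove_subtree(zone, removed):
    for child in list(zone.children):
        _remove_subtree(child, removed)
    removed.append(zone.name)
    zone.parent.children.remove(zone)
    zone.parent.ns_records.discard(zone.name)
    return removed


def remove_zone(zone, reparent_subzones):
    """Remove `zone`; return the names of every zone removed (subzones included)."""
    if zone.parent is None:
        raise ValueError("this model only removes zones that have a parent zone")
    if reparent_subzones and not can_reparent(zone):
        raise ValueError("remove delegated subzones first, then remove the zone and reparent")
    removed = []
    if not reparent_subzones:
        return _remove_subtree(zone, removed)        # "Also remove all subzones"
    grandparent = zone.parent
    for child in list(zone.children):
        if child.first_label() in AD_SUBZONE_LABELS:
            _remove_subtree(child, removed)          # AD subzones go even with "Remove zone only"
        else:
            zone.children.remove(child)
            child.parent = grandparent               # subzone now inherits from the new parent
            grandparent.children.append(child)
            grandparent.ns_records.add(child.name)   # new NS record in the new parent zone
    return _remove_subtree(zone, removed)


def build_example():
    """Zone A (Read/Write) > zone B (Deny) > subzone C (inherits), plus an explicit-Deny
    subzone D and an AD subzone under B. Constructed data."""
    a = Zone("example.com", access="Read/Write")
    b = Zone("b.example.com", parent=a, access="Deny")
    c = Zone("c.b.example.com", parent=b)
    d = Zone("d.b.example.com", parent=b, access="Deny")
    ad = Zone("_msdcs.b.example.com", parent=b)
    return {"a": a, "b": b, "c": c, "d": d, "ad": ad}
```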
Deleting Multiple Zones
Instead of deleting zones individually, you can select multiple zones and delete the entire selected group.
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones, IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones).
2. Select the zones you want to remove in one of the following ways:
Select a contiguous set of zones, holding down the SHIFT key and clicking the zones.
Select noncontiguous zones, holding down the CTRL key and clicking the zones.
Note: You cannot remove the first reverse mapping zone. If the first reverse mapping zone is one of your
selections, the Remove menu option is grayed out and unavailable.
3. Click Edit -> Remove Multiple.
A removal confirmation message appears.
4. To confirm the removal of the selected zones, select Remove all the selected items, and click OK.
5. Click the Save and Restart Services icons.
Enabling and Disabling Zones
The NIOS appliance allows you to disable and enable existing zones, which provides a viable alternative to removing them
from the database. This feature is especially helpful when you have to move or repair the server for a particular zone.
When you disable a zone, a red square appears next to the network listing in the tree view.
To disable a zone:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones, IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> Edit ->
Authoritative Zone Properties.
2. In the Forward (or Reverse) Authoritative Zone editor, click Disable. A check mark appears.
3. Click the Save and Restart Services icons.
Using the Recycle Bin
You can use the recycle bin feature on the NIOS appliance to store deleted DNS configurations. Items contained in
the recycle bin can be restored to active configuration at a later time, or can be permanently removed from the
appliance database. If you do not use the recycle bin, the appliance deletes items permanently from the database.
The recycle bin is enabled by default on the NIOS appliance.
You can use the recycle bin to restore DNS views and zones. NIOS does not support restoring deleted DNS resource
records.
This section discusses the following topics:
Viewing the Recycle Bin on page 383
Restoring Items in the Recycle Bin on page 383
Emptying the Recycle Bin on page 383
Viewing the Recycle Bin
You can display the Recycle Bin panel and view all deleted items stored in the recycle bin. From the DNS perspective,
all deleted DNS items are shown if you have superuser privilege. If you are not a superuser, only the items deleted by
you are shown. By default, records are sorted by Name. To display the Recycle Bin panel and to view the deleted items
for DNS stored in the recycle bin:
1. From the DNS perspective, click View -> Recycle Bin. The Recycle Bin panel appears.
2. Scroll through the Recycle Bin panel pages using the page arrows located on the lower-left corner of the Recycle
Bin panel. The panel page length is set by the administrator as discussed in Authenticating Administrators on
page 101. The panel displays each item with the following information:
Name: Name of the configuration item deleted.
Object Type: Type of configuration deleted.
Parent/Container: Where the item was deleted.
Admin: Who deleted the item.
Time: When the item was deleted.
Restoring Items in the Recycle Bin
You can restore any configuration items in the recycle bin displayed in the Recycle Bin panel. The restore functionality
is available only if the recycle bin is enabled, and if an item is selected in the panel. Deleted items are stored in the
recycle bin until the recycle bin is emptied.
To restore items from the Recycle Bin panel:
1. From the DNS perspective, click View -> Recycle Bin. The Recycle Bin panel appears.
2. Select the configuration item you want to restore.
3. Click Edit -> Restore Selected Object.
A warning message appears.
4. Click Yes.
The item is restored to its original location in the GUI; it does not appear in the Recycle Bin panel any longer.
Emptying the Recycle Bin
You can empty the recycle bin, permanently removing all of the items displayed in the Recycle Bin panel from the
appliance database. The empty functionality is available only if the recycle bin is enabled, and only to superusers. To
empty the recycle bin:
1. From the DNS perspective, click View -> Recycle Bin. The Recycle Bin panel appears.
2. Click Edit -> Empty Recycle Bin.
A warning message appears.
3. Click Yes.
All items are removed from the Recycle Bin panel.
Specifying Host Name Restrictions
Use the host name restriction feature to enforce a naming policy for the host names of A, AAAA, Host, MX, and NS
records based on user-defined or default patterns.
Records that you created before you enabled the host name checking policy need not comply with the host name
restriction that you specify.
You can select one of three preconfigured policies or define your own host naming policy with a POSIX regular
expression. The policies Infoblox provides implement standard host naming restrictions according to RFC 952, DOD
Internet Host Table Specification, and RFC 1123, Requirements for Internet Hosts -- Application and Support.
Note: The host name restriction limits the host name of A, AAAA, Host, MX, and NS records only.
You can specify (and override) host name restrictions at the grid, member, and zone level.
Grid Level
To specify host name restrictions for a grid:
1. From the DNS perspective, click the DNS Members tab -> grid -> Edit -> Grid DNS Properties.
2. In the Grid DNS Properties editor, click Host Name Restrictions.
The Record Policies section lists the following default record policies:
Allow Any: You can use any host name.
Allow Underscore: You can only use host names with alphanumeric characters, dashes, and underscores
("-" and "_")
Strict Hostname Checking: You can only use host names that contain alphanumeric characters and dashes
(-).
3. Click Add to define your own host name checking policy. The Record Template dialog box appears. Enter a record
policy name and a regular expression string, and click OK. See Appendix B, "Regular Expressions", on page 693
for definitions of regular expressions.
The software does not validate the regular expressions that you enter. You can even specify an invalid regular
expression that might cause noncompliant errors when you create records.
You can only define your own host name restriction policy at the grid level. At the member level and at the zone
level, you can only select a policy.
Use the drop-down menu in the Host Name Restriction Policy section to select one of the following host name
checking policies: Allow Any, Allow Underscore, Strict Host Name Checking, or a user-defined policy. This sets
the policy for all the zones in the grid.
Apply Policy to dynamic updates and inbound zone transfers (required Strict Host Name Checking): If you
select the Strict Host Name Checking policy, this option is enabled by default. It enables the appliance to
apply the policy to dynamic DNS updates and zone transfers that it receives. You can then select which
action the appliance takes when it encounters names that do not conform to the policy. Select either Fail or
Warn. If you select Warn, the appliance allows the dynamic DNS update or zone transfer, but logs a syslog
message.
4. Click the Save and Restart Services icons.
After you specify a host name restriction policy, if you create a record name that does not comply with this policy and
try to save it by clicking the Save icon, an error message appears.
Member Level
To configure the host name restriction policy for an individual member:
1. From the DNS perspective, click the DNS Members tab -> member -> Edit -> Member DNS Properties.
2. In the Edit Zone Properties dialog box, click Host Name Restrictions.
3. Click the Override grid host name restriction policy check box to override the grid host name restriction policy,
and specify the settings for this member. If you choose the override option, then you must select a host name
policy from the Host Name Restriction Policy drop-down menu.
Apply Policy to dynamic updates and inbound zone transfers (required Strict Host Name Checking): If you
select the Strict Host Name Checking policy, this option is enabled by default. It enables the appliance to
apply the policy to dynamic DNS updates and zone transfers that it receives. You can then select which
action the appliance takes when it encounters names that do not conform to the policy. Select either Fail or
Warn. If you select Warn, the appliance allows the dynamic DNS update or zone transfer, but logs a syslog
message.
4. Click the Save icon.
5. In the Host Name Restriction Policy section, select one of the following host name checking policies or a
user-defined policy:
Allow Any: You can use any host name.
Allow Underscore: You can only use host names with alphanumeric characters, dashes, and underscores ("-" and
"_")
Strict Hostname Checking: You can only use host names that contain alphanumeric characters and dashes
(-).
Zone Level
To configure the host name restriction policy for an authoritative forward-mapping zone:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones) -> zone -> Edit Properties.
You can only specify host name restrictions for authoritative forward-mapping zones. You cannot specify host
name restrictions for forward zones, stub zones, IPv4 reverse-mapping zones, or IPv6 reverse-mapping zones.
2. In the Edit Zone Properties dialog box, click Host Name Restrictions.
3. Click the Override grid host name restriction policy check box to override the grid host name restriction policy,
and specify the settings for this zone. If you choose the override option, you must select a host name policy from
the Host Name Restriction Policy drop-down menu.
4. Use the drop-down menu in the Host Name Restriction Policy section to select one of the following host name
checking policies or a user-defined policy:
Allow Any: You can use any host name.
Allow Underscore: You can only use host names with alphanumeric characters, dashes, and underscores
("-" and "_")
Strict Hostname Checking: You can only use host names that contain alphanumeric characters and dashes
(-).
For example, if you create a zone myAuthZone and specify the host name restriction to be Strict Hostname Checking
and then you add an A record to myAuthZone and enter corp_100 as the domain name, the following error message
appears:
RR name corp_100 does not comply with policy Strict Hostname Checking
To resolve this error, change the domain name to corp100.
Obtaining a List of Invalid Record Names
To get a list of all record names that do not comply with the host name checking policy, from the DNS perspective,
click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for Forward-Mapping Zones) -> zone -> Host
Name Compliant Report.
The Host Name Compliance Report appears. It lists the record name, type, value, and comment for all existing records
that do not comply with the host name restriction policy defined (at the grid, member, or zone level). You can
right-click a record name and edit it to make it compliant or delete it.
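As an added illustration (not Infoblox code), the three preconfigured policies can be expressed as regular expressions and run over constructed records to produce the same kind of noncompliance list the Host Name Compliance Report shows, together with the Fail/Warn handling for names arriving by dynamic update or inbound zone transfer. The sample records and the assumption that each label of a zone-relative name is checked separately are mine, not the guide's.

```python
import re

# Added example, not Infoblox code. Assumption: the policy is applied to each label
# of the record name relative to the zone, as RFC 952/1123 host name rules are per label.

PRECONFIGURED_POLICIES = {
    "Allow Any": r".*",
    "Allow Underscore": r"[A-Za-z0-9_-]+",
    "Strict Hostname Checking": r"[A-Za-z0-9-]+",
}
RESTRICTED_TYPES = {"A", "AAAA", "HOST", "MX", "NS"}   # the only record types the policy limits


def validate_policy_regex(pattern):
    """Return None if `pattern` compiles, else the error text. The appliance does not
    validate user-defined patterns, so a defender should check them before saving."""
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


def compile_policy(policy_name, user_defined=None):
    """Look up a preconfigured or user-defined (grid-level) policy by name."""
    patterns = {**PRECONFIGURED_POLICIES, **(user_defined or {})}
    pattern = patterns[policy_name]
    problem = validate_policy_regex(pattern)
    if problem is not None:
        raise ValueError(f"policy {policy_name!r} has an invalid regular expression: {problem}")
    return re.compile(pattern)


def complies(record_name, policy):
    """True when every label of the zone-relative record name matches the policy."""
    return all(policy.fullmatch(label) is not None for label in record_name.split("."))


def compliance_report(records, policy_name, user_defined=None):
    """Records that do not comply, with the fields the Host Name Compliance Report lists."""
    policy = compile_policy(policy_name, user_defined)
    return [
        {"name": r["name"], "type": r["type"], "value": r["value"], "comment": r.get("comment", "")}
        for r in records
        if r["type"].upper() in RESTRICTED_TYPES and not complies(r["name"], policy)
    ]


def check_inbound_name(record_name, policy_name, action="Fail", user_defined=None):
    """Outcome for a name received by dynamic update or inbound zone transfer:
    ACCEPT, WARN (accepted but logged to syslog) or FAIL (rejected)."""
    if complies(record_name, compile_policy(policy_name, user_defined)):
        return "ACCEPT"
    return "WARN" if action == "Warn" else "FAIL"


SAMPLE_RECORDS = [   # constructed contents of a zone named myAuthZone
    {"name": "corp_100", "type": "A", "value": "10.0.0.100", "comment": "name from the example above"},
    {"name": "corp100", "type": "A", "value": "10.0.0.100"},
    {"name": "db-01", "type": "Host", "value": "10.0.0.5"},
    {"name": "ns 1", "type": "NS", "value": "ns1.myauthzone.example."},        # space is never valid
    {"name": "_ldap._tcp", "type": "SRV", "value": "0 0 389 dc1.myauthzone.example."},  # SRV not restricted
]
```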
Adding Hosts
After adding zones, you are ready to add hosts and records for the zones. You can choose to add a bulk host, which
assigns a range of addresses to a set of hosts. While adding a host, you can choose to add an alias (CNAME record)
for the host.
A host record defines attributes for a node, such as the name-to-address and address-to-name mapping. This
alleviates having to specify an A record and a PTR record separately for the same node. A host can also define aliases
and DHCP fixed address nodes.
You must first create a zone before you can add a host record for the zone. For more information, see Adding an
Authoritative Subzone on page 356. To create a host record, you need to know the host name and one or more IP
addresses.
Note: The hosts in a zone can be located on different networks.
To add a host:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones, IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> Edit -> Add
Resource Records -> Host.
2. In the Add Host editor, click Host Record Properties, and specify the following information:
In the Name field, enter a unique name for the host. For example, you might enter BigWin for the sales
organization host system. For A, AAAA, Host, MX, and NS records in the forward-mapping zones, ensure that
the name you enter complies with the host name restriction policy defined for the zone. If you create a
record name that does not comply with this policy and you try to save it by clicking the Save icon, an error
message appears.
Configure for DNS: Select this check box to enable DNS for this host. Click Select zone... to select the DNS
zone in the Select Forward Mapping Zone dialog. If you clear this check box, the appliance disables the
Select zone... button, the Aliases section, and the Time to Live Settings editor.
Note: The Configure for DNS check box and the Select zone... button appear only if you are adding a host from
the DHCP and IPAM perspective.
In the Comment field, enter a distinguishing comment.
Click Disable this host to temporarily disable the host.
3. In the IP Address section, click Add, enter the following information in the Host Address dialog box, and then click
OK.
IP Address: Enter the IP address of the host.
Configure for DHCP: Select this check box if you want DHCP to serve this host.
Note: When you select this check box, the appliance enables the following input fields.
Match On
MAC Address: Select this to assign the IP address to a host, provided that the MAC address of the
requesting host matches the MAC address that you specify here.
None (reserved): Select this to reserve this particular IP address for future use, or if the IP address is
statically configured on a system (the Infoblox server does not assign the address from a DHCP
request).
MAC Address: Enter a MAC address (such as the MAC address for a DHCP fixed address) for the host. You
must enter an IP address; entering the MAC address, however, is optional. The MAC Address field defines a
fixed address for a DHCP host. For more information on fixed address hosts, see Adding Hosts on page 387.
NetBIOS Name: Enter the NetBIOS name for this IP address.
OS: Enter the operating system for this IP address.
Last Discovered: The timestamp of the last discovery.
Override network domain name: Click this check box and enter a Domain Name in the text field.
Override network broadcast address: Click this check box and enter a Broadcast Address in the text field.
Override network routers: Click this check box, enter an IP Address in the text field, and click Add.
Override network DNS servers: Click this check box, enter an IP Address in the text field, and click Add.
Override network lease time: Click this check box and specify a new Lease Time in Days, Hours, Minutes,
and Seconds.
Override network PXE lease time setting: Click this check box, then click Enable PXE Lease Time, and
specify a new lease time in Days, Hours, Minutes, and Seconds.
Override network custom options: Click this check box, click Add Option, click Select Option, select an
option from the list and click OK, enter a value and click OK.
Override network BOOTP options: Click this check box and specify the following information:
Boot File name
Next Server name
Boot Server name
Override network Deny BOOTP request: Click this check box and select the Deny BOOTP request check box
that follows.
Override option list request: Click this check box and select the Ignore option list requested by client and
return all defined options check box that follows.
4. In the Aliases section, click Add, enter a fully qualified domain name (a CNAME record for the host), and then
click OK.
5. Click Time to Live Settings to set the time to live (TTL) for this record. The default is to use the zone TTL settings.
To specify other settings, click Override zone TTL settings, and enter the settings in Days, Hours, Mins, Secs. For
more information on TTL settings, see Specifying Time To Live Settings on page 407.
6. Click IPAM Device Info, and then enter the following:
Device Type: Choose the appliance type for this host from the drop-down list.
Device Labels: Type relevant information in the various fields. It is not necessary to enter information in
every field. Only use the ones that you want. The first four fields are predefined: Location, Owner,
Manufacturer, and Model. The remaining fields are titled Custom1 through Custom20 by default. You can define
your own set of labels for these fields (see Classifying an IPAM Device on page 558).
7. Click the Save and Restart Services icons.
Adding Bulk Hosts
If you need to add a large number of hosts, you can have the NIOS appliance add them as a group and automatically
assign host names based on a range of IP addresses and the host name format you specify. Such a group of hosts is
called a bulk host, which the appliance manages and displays as a single bulk host.
Specifying Bulk Host Name Formats
Bulk host name formats provide a flexible way to define bulk host names. You create multiple bulk host formats at
the grid level. Either select from the default bulk host formats or create your own. You can specify a different format
for each bulk host. When you assign a bulk host name format to a bulk host in a zone, the system applies the zone's
host name policy to it.
A bulk host name consists of a prefix, a suffix, and the name of the domain to which the host belongs. The prefix
can contain any printable character except a period, provided it complies with the zone host name policy. The
suffix is derived from an IP address in the bulk host IP address range.
The suffix format is a string of ASCII characters in which $ (unpadded) or # (zero-padded) followed by 1, 2, 3, or 4
refers to the first, second, third, or fourth octet of the IP address: $1, $2, $3, $4 or #1, #2, #3, #4. For example,
$2 refers to the second octet, unpadded, and #4 refers to the fourth octet, zero-padded.
For example, with the following values:
The prefix of the bulk host = info
IP address = 213.19.32.133
Domain name = infoblox.com
If you specify the default four-octet format -$1-$2-$3-$4, the bulk host name is info-213-19-32-133.infoblox.com.
If you specify a custom name format such as *#1*#2*#3*#4, the bulk host name is
info*213*019*032*133.infoblox.com.
Before Defining Bulk Host Name Formats
Before you specify a bulk host name format, ensure that it complies with the following rules:
The NIOS appliance reserves the name space bulk-xx-xx-xx-xx for bulk hosts, so do not use names of this form
for CNAMEs, DNAMEs, or host name aliases; doing so causes conflicts.
When you add a bulk host with the Automatically add reverse mapping option enabled and the corresponding
reverse zone already contains a CNAME record that conflicts with a PTR record the bulk host would generate,
the insertion fails and an error message appears. For example, if the reverse zone 1.168.192.in-addr.arpa
contains a CNAME with the alias 15 and you add the bulk host foo/192.168.1.10/192.168.1.20 with the
Automatically add reverse mapping option selected, the insertion fails because both the bulk host and the
CNAME would own the name 15.1.168.192.in-addr.arpa in the reverse zone.
You cannot create or change a bulk host if its zone is locked by another user. If you select a different default
template for the grid, every record of each bulk host that follows the grid default changes accordingly.
You can define bulk host name formats only at the grid level. An individual bulk host can override the grid
default by selecting another grid-level format, but you cannot define formats at the zone level or on the bulk
host object itself.
Note: During an upgrade, the system migrates existing bulk hosts to the NIOS 4.2r1 bulk host format:
If you did not customize the bulk host IP format, no action is required. All migrated bulk hosts continue
to use the grid-level default four-octet format -$1-$2-$3-$4. See Specifying Bulk Host Name Formats on
page 389.
If you customized the bulk host IP format, the system creates a new template called Migrated Default
template. All migrated bulk hosts override the grid-level default template and use the Migrated Default
template.
Note: The NIOS appliance treats two bulk hosts that have the same prefix, start address, and end address as
duplicates, even if they use different bulk host name formats.
Bulk Host Name Format Rules
Table 10.4 describes the rules that you must follow when you create bulk host name formats, with examples of valid
and invalid formats for each rule.
Table 10.4 Bulk Host Name Format Rules and Examples
Rule: The suffix format cannot have more than four octets.
Example: -$4-$5 is invalid.
Rule: The octets must be in order.
Example: -$2-$3-$4 is valid but -$3-$2-$4 is invalid.
Rule: Do not skip octets.
Example: -$2-$3-$4 is valid but -$2-$4 is invalid.
Rule: Do not combine $ and # octet references in one format; use only one of them.
Example: -$2-#3-$4 is invalid.
Rule: The suffix format must contain at least the fourth octet, that is, at least one $4 or #4 reference.
Example: -$4 is valid but -$3 is invalid.
Rule: The suffix format must not start with the $ character.
Example: $4 is invalid.
Rule: A $ reference cannot be preceded by a digit. Add a non-digit prefix character to each $ or # reference;
a period (.) cannot be used as that prefix.
Example: -$2-$3-$4 is valid.
Rule: The \ character is the escape character for the $, # and \ characters. You cannot use $ or # as literal
separators unless you prefix them with \.
Example: For the IP address 213.19.32.133, the format \#-#1-#2-#3-#4 expands to #-213-019-032-133.
Rule: The bulk host name format must comply with the host name policy of its zone.
Example: You cannot use the format -?-$4 in a zone whose host name policy is Allow Underscore, because that
policy does not allow the ? character in a host name.
Rule: The bulk host name must comply with the maximum label length. The sum of the prefix length and the suffix
length cannot exceed 63 characters. When you enter a suffix format, the NIOS appliance determines the longest
name that any existing bulk host would produce with it and rejects the format with an error message if prefix
plus suffix would exceed 63 characters.
Example: The NIOS appliance computes the maximum suffix length by expanding the format with the address
255.255.255.255. For the format -$1-$2-$3-$4 the longest suffix is -255-255-255-255, which is 16 characters,
so the prefix can be at most 47 characters.
Rule: The bulk host name cannot result in an FQDN longer than 255 characters.
Rule: A bulk host name must not be the same as an existing CNAME or DNAME.
Example: If there is a CNAME record with the alias foo-003-015, you cannot insert the bulk host
foo/1.2.3.10/1.2.3.20 with the template -#3-#4, because foo-003-015 is also one of the synthetic host names
in that bulk host.
Rule: Each host name in a bulk host must be unique.
Example: You cannot insert the bulk host foo/1.2.3.10/1.2.4.20 with the template -$4, because the name foo-10
would resolve to both 1.2.3.10 and 1.2.4.10. Use the template -$3-$4 so that every name in the range is unique.
Rule: You cannot insert a bulk host whose names collide with those of another bulk host that has the same
prefix and uses the same name format.
Example: If the bulk host foo/1.2.3.10/1.2.4.20 exists with the template -$3-$4, you cannot insert another bulk
host foo/1.3.4.10/1.3.5.20 with the same template, because foo-4-15 would resolve to both 1.2.4.15 and
1.3.4.15. Use the template -$2-$3-$4 instead, so that the names of the two bulk hosts do not overlap.
To specify bulk host name formats:
1. From the DNS perspective, click the DNS Members tab -> grid -> Edit -> Grid DNS Properties.
2. Click Host Name Restrictions in the Grid DNS Properties editor.
The Bulk Host Name Formats section displays the four default name suffix formats. The following example
shows the host name that each format generates in the zone test.com for the prefix foo and the address
192.168.1.15:
Four Octets: -$1-$2-$3-$4 (Default) generates foo-192-168-1-15.test.com
Three Octets: -$2-$3-$4 generates foo-168-1-15.test.com
Two Octets: -$3-$4 generates foo-1-15.test.com
One Octet: -$4 generates foo-15.test.com
For the IP address 10.100.0.10, the format -$1-$2-$3-$4 generates the host name suffix -10-100-0-10, and the
zero-padded format -#1-#2-#3-#4 generates the suffix -010-100-000-010.
3. Click Add to specify a bulk host name format name and define the format in the Bulk Host Name Format dialog.
The format you define appears in the list of Name Formats. You can also select a format and click Modify to
change its name and definition in the Bulk Host Name Format dialog, or click Delete to remove the format
from the list.
4. Optional. Select the Default Bulk Host Name Format from the drop-down list if you want to change the grid default
bulk host name format to the format you specified in step 3.
Configuring Bulk Hosts
To add a bulk host:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view) -> + (for
Forward-Mapping Zones) -> zone -> Edit -> Add Resource Records -> Bulk Host.
2. Click Bulk Host Properties in the Add Bulk Host editor.
3. In the Prefix field, enter a name (or series of characters) to insert at the beginning of each host name. Except
for a period, you can enter any printable character that complies with the zone host name policy.
The sum of the bulk host prefix length and suffix length must not exceed 63 characters. When you enter a prefix,
the NIOS appliance computes the maximum length of the bulk host suffix to verify that the total prefix and suffix
length does not exceed 63 characters. If it does, the appliance displays an error message indicating the number
of characters that you must remove to make a valid prefix.
4. Enter the first IP address in the range of addresses for the group in the Starting IP Address field.
5. Enter the last IP address in the range of addresses for the group in the Ending IP Address field.
6. To override the default four-octet suffix format and specify a different format, click Override grid bulk host name
format and select a host name format from the Name Formats drop-down menu.
The Name Formats drop-down menu lists the formats Four Octets, Three Octets, Two Octets, and One Octet
along with any other bulk host name formats that you have defined. See Specifying Bulk Host Name Formats on
page 389.
7. Enter a text string in the Comment field to help identify this record.
8. Click Automatically Add Reverse Mapping to have the appliance automatically add the reverse mapping address.
9. Click Disable this Bulk Host to disable the host.
10. Click Time to Live Settings to set the time to live (TTL) for this record. The default is to use the zone TTL settings.
To specify other settings, click Override zone TTL settings, and enter the settings in Days, Hours, Mins, Secs. For
more information on TTL settings, see Specifying Time To Live Settings on page 407.
11. Click the Save and Restart Services icons.
Example 1 - Responding to DNS AXFR Queries
This example shows the names that the bulk host foo/1.2.3.10/1.2.3.20 in the zone test.com contributes to the
response to a DNS AXFR (full zone transfer) query.
If the bulk host uses the template -$3-$4, the transfer lists:
foo-3-10.test.com
foo-3-11.test.com
...
foo-3-20.test.com
If the bulk host uses the template -#2-#3-#4, the transfer lists:
foo-002-003-010.test.com
foo-002-003-011.test.com
...
foo-002-003-020.test.com
Example 2 - Importing Zones for Bulk Hosts
When you import a zone that contains records generated by a bulk host, the system matches them to the most
specific bulk host name format.
The following records could also match the three-octet, two-octet, and one-octet formats; the system selects
the most specific one, the four-octet default format.
The imported records:
foo-1-2-3-4    IN A    1.2.3.4
foo-1-2-3-5    IN A    1.2.3.5
result in the bulk host:
foo/1.2.3.4/1.2.3.5 (Four Octets)
and not in any of the following:
foo-1/1.2.3.4/1.2.3.5 (Three Octets)
foo-1-2/1.2.3.4/1.2.3.5 (Two Octets)
foo-1-2-3/1.2.3.4/1.2.3.5 (One Octet)
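The following Python script is an added example, not part of the NIOS guide and not the appliance's own code. It implements the rules of Table 10.4 and the uniqueness checks described above: it validates a suffix format, expands it for an address (as the AXFR listing in Example 1 does), computes the longest prefix that still fits a 63-character label, and reports the names that one range or two bulk hosts would claim twice. The function names are this example's own, and the ranges and templates used in the demonstration are the guide's examples re-used as constructed input; the appliance's real implementation is not public and may differ in details such as error messages.

```python
"""Validate and expand bulk host name formats, then check that the names are unique."""
import ipaddress
from typing import Iterator, List, Tuple


def _tokenize(fmt: str) -> List[tuple]:
    """Split a suffix format into ("lit", char) and ("ref", "$" or "#", octet) tokens.
    A backslash escapes the next character, so "\\$" is a literal "$"."""
    tokens, i = [], 0
    while i < len(fmt):
        c = fmt[i]
        if c == "\\":
            if i + 1 >= len(fmt):
                raise ValueError("format ends with a dangling escape character")
            tokens.append(("lit", fmt[i + 1]))
            i += 2
        elif c in "$#":
            if i + 1 < len(fmt) and fmt[i + 1] in "1234":
                tokens.append(("ref", c, int(fmt[i + 1])))
                i += 2
            else:
                raise ValueError(f"{c} must be followed by an octet number 1-4 or be escaped as \\{c}")
        else:
            tokens.append(("lit", c))
            i += 1
    return tokens


def validate_format(fmt: str) -> List[str]:
    """Return the Table 10.4 rules the format violates; an empty list means the format is valid."""
    try:
        tokens = _tokenize(fmt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    refs = [t for t in tokens if t[0] == "ref"]
    octets = [n for _, _, n in refs]
    if not refs:
        problems.append("the format contains no octet reference")
    elif octets != list(range(octets[0], 5)):
        # One check covers: at most four octets, ascending order, no skipped octet, octet 4 present.
        problems.append(f"octet references {octets} must be consecutive and end with octet 4")
    if len({sym for _, sym, _ in refs}) > 1:
        problems.append("do not mix $ and # references in one format")
    for idx, tok in enumerate(tokens):
        if tok[0] != "ref":
            continue
        prev = tokens[idx - 1] if idx > 0 else None
        if prev is None or prev[0] != "lit" or prev[1].isdigit() or prev[1] == ".":
            problems.append(f"reference {tok[1]}{tok[2]} needs a non-digit, non-period prefix character")
    return problems


def expand_suffix(fmt: str, ip: str) -> str:
    """Expand the suffix for one IPv4 address: $n is octet n as-is, #n is zero-padded to three digits."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    out = []
    for tok in _tokenize(fmt):
        if tok[0] == "lit":
            out.append(tok[1])
        else:
            value = octets[tok[2] - 1]
            out.append(value.zfill(3) if tok[1] == "#" else value)
    return "".join(out)


def max_prefix_length(fmt: str) -> int:
    """Longest prefix allowed with this format so that prefix + suffix fits in a 63-character label."""
    return 63 - len(expand_suffix(fmt, "255.255.255.255"))


def bulk_host_names(prefix: str, start: str, end: str, fmt: str, domain: str) -> Iterator[Tuple[str, str]]:
    """Yield (address, FQDN) for every address in the range: the names an AXFR of the zone would list."""
    problems = validate_format(fmt)
    if problems:
        raise ValueError("; ".join(problems))
    if "." in prefix:
        raise ValueError("the prefix may not contain a period")
    if len(prefix) > max_prefix_length(fmt):
        raise ValueError(f"prefix may be at most {max_prefix_length(fmt)} characters with format {fmt}")
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    for n in range(lo, hi + 1):
        ip = str(ipaddress.IPv4Address(n))
        yield ip, f"{prefix}{expand_suffix(fmt, ip)}.{domain}"


def find_collisions(bulk_hosts, domain: str) -> dict:
    """Map each name that more than one address would claim to those addresses, across all the
    given bulk hosts (tuples of prefix, start, end, fmt). NIOS rejects a bulk host that produces
    such a name, whether the clash is inside the bulk host or with another one."""
    owners = {}
    for prefix, start, end, fmt in bulk_hosts:
        for ip, name in bulk_host_names(prefix, start, end, fmt, domain):
            owners.setdefault(name, []).append(ip)
    return {name: ips for name, ips in owners.items() if len(ips) > 1}


if __name__ == "__main__":
    for fmt in ("-$2-$3-$4", "-$3-$2-$4", "-$2-#3-$4", "$4", "-$4-$5"):
        print(f"{fmt:12} {validate_format(fmt) or 'valid'}")
    for ip, name in bulk_host_names("foo", "1.2.3.10", "1.2.3.20", "-#2-#3-#4", "test.com"):
        print(ip, name)
    print(find_collisions([("foo", "1.2.3.10", "1.2.4.20", "-$4")], "test.com"))
```

Run the script as-is to see the validation verdicts, the AXFR-style listing of foo/1.2.3.10/1.2.3.20 with -#2-#3-#4, and the foo-10 collision that the guide uses to explain why -$4 is rejected for a range spanning two third octets. Feeding find_collisions the two -$3-$4 bulk hosts from Table 10.4 returns the eleven foo-4-10 to foo-4-20 names they share; with -$2-$3-$4 it returns nothing.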
Associating Shared Record Groups With Zones
Shared records are groups of DNS resource records that you can assign to one or more zones. Use shared records to
create and update multiple resource records that are shared by different zones. You can create shared records only
in a shared record group, which you then assign to one or more zones. The zones serve the shared records like any
other resource record.
See Chapter 11, Shared Records, on page 411 for information on shared record groups.
To link a shared record group to forward-mapping authoritative zones using the zone editor:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones) -> Add Forward Mapping Zone -> Authoritative.
2. Click the Shared Record Groups section in the Add Forward Authoritative Zone editor.
3. Click Add.
The Shared Record Groups defined appear.
4. Click a group that you want to add to the zone and click OK.
The shared record group appears in the editor.
5. Click the Save icon.
Adding Resource Records
After adding zones you can add resource records to those zones and hosts, with the option of disabling any record.
When you disable a record, the NIOS appliance does not answer queries for it, nor does it include disabled records
in zone transfers and zone imports. The appliance still displays disabled records in the GUI, marked with red to
indicate a disabled state.
The NIOS appliance allows you to create the following types of records:
Address (A)
Pointer (PTR)
Service location (SRV)
Mail exchanger (MX)
Text (TXT)
Canonical name (CNAME)
DNAME
The NIOS appliance also allows you to specify time-to-live (TTL) settings for each record. If you do not specify a TTL
for a record, the appliance applies the default TTL value of the zone to the record.
This section covers the following topics:
Adding A Records on page 394
Adding NS Records on page 395
Adding AAAA Records on page 395
Adding PTR Records on page 396
Adding MX Records on page 397
Adding SRV Records on page 398
Adding TXT Records on page 399
Adding CNAME Records on page 400
Adding DNAME Records on page 402
Specifying Time To Live Settings on page 407
Adding A Records
An A (address) record maps a domain name to an IPv4 address. To define a specific name-to-address mapping, add
an A record to a previously defined authoritative forward-mapping zone (see Creating an Authoritative
Forward-Mapping Zone on page 353).
To add an A record:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones) -> zone -> Edit -> Add Resource Records -> A Record.
2. Enter the following A Record Properties:
Domain Name: Enter a host name that you want to map to an IP address. The name you enter is prefixed to
the zone name. For example, if the zone name is corp100.com and you enter www , its full name becomes
www.corp100.com .
Infoblox also supports wildcard A records. A wildcard A record maps every name in a domain for which there
is no specific A record to a single IP address. For example, you can use a wildcard A record to map all
names in the corp100.com domain to the IP address of a public-facing web server. The NIOS appliance then
answers queries for names such as www1.corp100.com, ftp.corp100.com, main.corp100.com, and so on with
the same IP address. If there are also A records for specific names in the corp100.com domain, the NIOS
appliance matches queries for those names to their own records first; only when a query arrives for a
name that has no specific A record does it use the wildcard record to map the name to the default
address. Because the wildcard answers for every name that has no record of its own, including mistyped
or never-provisioned names, use it deliberately. To make a wildcard A record, enter an asterisk ( * ) in
the Domain name field.
Ensure that the domain name you enter complies with the host name restriction policy defined for the zone.
If you create a record name that does not comply with this policy and you try to save it by clicking the Save
icon, a Save Error message appears.
IP Address: Enter the IPv4 address to which you want the domain name to map. An IPv4 address is a 32-bit
number in dotted decimal notation. It consists of four 8-bit groups of decimal digits separated by decimal
points (example: 192.168.1.2).
Comment: Enter a descriptive comment for this record.
Disable this A record: Clear the check box to enable the record. Select the check box to disable it.
3. Click Time to Live Settings, and select the Override zone TTL settings check box to override the settings inherited
from the zone and configure TTL settings for this record. Enter the settings in the Days, Hours, Mins, and Secs
fields. For more information on TTL settings, see Specifying Time To Live Settings on page 407.
4. Click IPAM Data, and then enter the following:
MAC Address: Enter the MAC address for this IP address.
NetBIOS Name: Enter the NetBIOS Name for this IP Address.
OS: Enter the OS for this IP address.
Last Discovered: The last discovered timestamp.
5. Click the Save and Restart Services icons.
Adding NS Records
An NS record identifies an authoritative DNS server for a zone. An NS record is associated with one or more IP
addresses, which the appliance uses to generate the related A records and, optionally, PTR records. You can
configure an NS record for anycast IP addresses on the appliance. For more information about anycast, see Anycast
Addressing on page 452.
To add an NS record:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view) -> + (for
Forward-Mapping Zones) -> zone -> Edit -> Add Resource Records -> NS Record.
NS Record Properties
Zone: Displays the DNS zone name for the NS record.
Name: Displays the name for the NS record.
View: Displays the Infoblox view for the NS record.
Name Server: Enter the host name that you want to configure as a name server for the zone.
2. Enter the following associated IP addresses
IP addresses associated with NS record: Click Add. In the IP Address dialog box, do the following and click
OK:
IP Address: Enter the IP address for the NS record.
Automatically create corresponding PTR record: Click the check box to enable autogeneration of PTR
records for the IP address.
3. Click the Save and Restart Services icons.
Adding AAAA Records
An AAAA (quad A address) record maps a domain name to an IPv6 address. To define a specific name-to-address
mapping, add an AAAA record to a previously defined authoritative forward-mapping zone (see Creating an
Authoritative Forward-Mapping Zone on page 353).
To add an AAAA record:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones) -> zone -> Edit -> Add Resource Records -> AAAA Record.
2. Enter the following AAAA Record Properties:
Domain Name: Enter a host name that you want to map to an IP address. The name you enter is prefixed to
the zone name. For example, if the zone name is corp100.com and you enter www , its full name becomes
www.corp100.com .
Infoblox also supports wildcard AAAA records. A wildcard AAAA record maps all names for which there is no
specific AAAA record in a domain to a single IP address. For example, you can use a wildcard AAAA record to
map all names in the int.corp100.com domain to the IPv6 address of an internal web server. The NIOS
appliance responds to queries for names such as www1.int.corp100.com, home.int.corp100.com,
main.int.corp100.com, and so on to the same address. If there are also AAAA records for specific names in
the int.corp100.com domain, the NIOS appliance first matches queries for those names to their records.
However, if a query arrives for a name for which a specific AAAA record does not exist, the NIOS appliance
can then use the wildcard record to map the name to a default address. To make a wildcard AAAA record,
enter an asterisk ( * ) in the Domain name field.
Ensure that the host name you enter complies with the host name restriction policy defined for the zone. If
you create a record name that does not comply with this policy and you try to save it by clicking the Save
icon, a Save Error message appears.
IP Address: Enter the IPv6 address to which you want the domain name to map. An IPv6 address is a 128-bit
number in colon hexadecimal notation. It consists of eight 16-bit groups of hexadecimal digits separated
by colons (example: 12ab:0000:0000:0123:4567:89ab:0000:cdef).
Note: When you enter an IPv6 address, you can use a double colon to compress one contiguous sequence of all-zero
groups, and you can omit leading zeros within any 16-bit group. For example, the complete IPv6 address
2006:0000:0000:0123:4567:89ab:0000:cdef can be shortened to 2006::123:4567:89ab:0:cdef. If there are
multiple noncontiguous runs of zero groups, the double colon can be used for only one of them, to avoid
ambiguity. The NIOS appliance displays an IPv6 address in its shortened form, regardless of the form in
which it was entered.
Comment: Enter a descriptive comment for this record.
Disable this AAAA record: Clear the check box to enable the record. Select the check box to disable it.
3. Select the Override zone TTL settings check box to override the settings inherited from the zone and configure
TTL settings for this record. Enter the settings in the Days, Hours, Mins, and Secs fields. For more information on
TTL settings, see Specifying Time To Live Settings on page 407.
4. Click the Save and Restart Services icons.
Adding PTR Records
A PTR (pointer) record maps an address to a host name, and can only be added for a reverse mapping zone. If you
have not already done so, you must first create a reverse mapping zone before adding a PTR record for the zone. For
more information, see Creating an Authoritative Forward-Mapping Zone on page 353. To create a PTR record, you
need to specify a domain name and host name.
Note: You must configure PTR records manually for IPv6 addresses. Unlike IPv4 PTR records, IPv6 PTR records are not
autogenerated.
To add an IPv4 or IPv6 PTR record:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for IPv4
Reverse-Mapping Zones or IPv6 Reverse-Mapping Zones) -> zone -> Edit -> Add Resource Records -> PTR Record.
2. Enter the following PTR Record Properties:
IP Address: Enter the IPv4 or IPv6 address that you want to map to a domain name.
An IPv4 address is a 32-bit number in dotted decimal notation. It consists of four 8-bit groups of decimal
digits separated by decimal points (example: 192.168.1.2).
An IPv6 address is a 128-bit number in colon hexadecimal notation. It consists of eight 16-bit groups of
hexadecimal digits separated by colons (example: 12ab:0000:0000:0123:4567:89ab:0000:cdef).
Host Name: Enter the host name to which you want the PTR record to point (example: www.corp100.com).
Comment: Enter a descriptive comment for this record.
Disable this PTR record: Clear the check box to enable the record. Select the check box to disable it.
3. Click Time to Live Settings, and select the Override zone TTL settings check box to override the settings inherited
from the zone and configure TTL settings for this record. Enter the settings in the Days, Hours, Mins, and Secs
fields. For more information on TTL settings, see Specifying Time To Live Settings on page 407.
4. Click IPAM Data, and then enter the following:
MAC Address: Enter the MAC address for this IP address.
NetBIOS Name: Enter the NetBIOS Name for this IP Address.
OS: Enter the OS for this IP address.
Last Discovered: The last discovered timestamp.
5. Click the Save and Restart Services icons.
Adding MX Records
An MX (mail exchanger) record maps a domain name to a mail exchanger. A mail exchanger is a server that either
delivers or forwards mail. You can specify one or more mail exchangers for a zone, as well as the priority for using
each mail exchanger. A standard MX record applies to one particular domain or subdomain. A wildcard MX record
applies to every subdomain of a domain that has no records of its own; it does not cover the domain name itself,
which needs its own MX record. See Figure 10.20.
Figure 10.20 MX Records
Note: You must also create an A record for the host defined as a mail exchanger in an MX record.
In this figure, the mail exchanger mail1.corp100.com (1.2.2.10) serves the domain corp100.com, the subdomain
site1.corp100.com, and other subdomains of corp100.com. The following MX records direct mail for one or more of
these domains to the same mail exchanger:
An MX record for the mail exchanger that answers queries for just the corp100.com domain (and its corresponding
A record):
corp100.com.        IN  MX  0  mail1.corp100.com.
mail1.corp100.com.  IN  A   1.2.2.10
An MX record for just site1.corp100.com, a subdomain of corp100.com:
site1.corp100.com.  IN  MX  0  mail1.corp100.com.
A wildcard MX record for site1.corp100.com and any other subdomain of corp100.com that has no records of its
own (the wildcard does not match the apex name corp100.com, which keeps its own MX record above):
*.corp100.com.      IN  MX  0  mail1.corp100.com.
To add an MX record:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones) -> zone -> Edit -> Add Resource Records -> MX Record.
MX Record Properties
Domain Name: If you want to define an MX record for a domain whose name matches the zone in which you
define the MX record, leave this field empty. The NIOS appliance automatically adds the domain name (the
same as the zone name) to the MX record. For example, if you want to create an MX record for a mail
exchanger serving the corp100.com domain and you define the MX record in the corp100.com zone, leave
this field empty.
If you want to define an MX record for a subdomain, enter the subdomain name here. The NIOS appliance
prefixes the name you enter to the domain name of the zone in which you define the MX record. For
example, if you want to create an MX record for a mail exchanger serving site1.corp100.com, a subdomain
of corp100.com, and you define the MX record in the corp100.com zone, enter site1 in this field.
If you want to define an MX record for all subdomains of a domain that have no records of their own, enter
an asterisk ( * ) here to create a wildcard MX record. The wildcard does not cover the domain name itself;
define a separate MX record for that.
Ensure that the host name you enter complies with the host name restriction policy defined for the zone. If
you create a record name that does not comply with this policy and you try to save it by clicking the Save
icon, a Save Error message appears.
Mail Exchanger: Enter the fully qualified domain name of the mail exchanger.
Priority: Enter an integer between 0 and 65535. The priority determines the order in which a sending mail
server tries the mail exchangers for a domain: it tries the lowest value first, so 0 is the highest
priority, and falls back to higher values only if delivery to the preferred exchangers fails.
Comment: Enter a descriptive comment for this record.
Disable this MX record: Clear the check box to enable the record. Select the check box to disable it.
2. Select the Override zone TTL settings check box to override the settings inherited from the zone and configure
TTL settings for this record. Enter the settings in the Days, Hours, Mins, and Secs fields. For more information on
TTL settings, see Specifying Time To Live Settings on page 407.
3. Click the Save and Restart Services icons.
Adding SRV Records
An SRV (service location) record directs clients to the hosts that provide a specific service. For example, if you
have an FTP server, you might create an SRV record that specifies the host that provides the service. You can
specify more than one SRV record for a service, for example to provide failover and load distribution. To create an
SRV record, you need to specify the domain name, priority, weight, port, and target host. For more information
about SRV records, see RFC 2782, A DNS RR for specifying the location of services (DNS SRV), which obsoletes
RFC 2052.
To add a SRV record:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones) -> zone -> Edit -> Add Resource Records -> SRV Record.
SRV Record Properties
Domain Name: Enter a service name and protocol name to complete the domain name for the target host. If
the service has a registered name in the IANA Service Name and Transport Protocol Port Number Registry
(originally published as RFC 1700, Assigned Numbers), use that name. Otherwise, you can use a locally
defined name. (Do not use service port and protocol numbers.) To distinguish the service and protocol
labels from the domain name, prefix each with an underscore; for example, _http._tcp.corp100.com or
_ftp._tcp.corp100.com.
Priority: Enter an integer between 0 and 65535. The priority determines the order in which a client attempts
to contact the target hosts: the target with the lowest number has the highest priority and is tried
first. Among targets with the same priority, the client chooses according to the Weight field.
Weight: Enter an integer between 0 and 65535. Weight lets you distribute load between target hosts of the
same priority. The higher the number, the larger the share of the load that host handles compared to the
other targets: a client selects each target with probability proportional to its weight.
Port: Enter the appropriate port number for the service running on the target host. You can use standard or
nonstandard port numbers, depending on the requirements of your network.
Target: Enter the canonical domain name of the host (not an alias); for example, www2.corp100.com
Note: In addition, you need to define an A record mapping the canonical name of the host to its IP address.
Comments: Enter a descriptive comment for the record.
Disable this SRV record: Clear the check box to enable the record. Select the check box to disable it.
2. Select the Override zone TTL settings check box to override the settings inherited from the zone and configure
TTL settings for this record. Enter the settings in the Days, Hours, Mins, and Secs fields. For more information on
TTL settings, see Specifying Time To Live Settings on page 407.
3. Click the Save and Restart Services icons.
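As an added example, not code from the guide or from the appliance, the following Python orders SRV targets the way RFC 2782 tells a client to: lowest priority first, and within one priority a weighted random choice in which a target's chance of being tried first is proportional to its weight. The SAMPLE_SRV records for _ldap._tcp.corp100.com and the function names are constructed for this illustration.

```python
"""Order SRV targets the way a client should (RFC 2782): by priority, then by weight."""
import random
from collections import defaultdict

# Constructed example records for _ldap._tcp.corp100.com (not from the original page).
SAMPLE_SRV = [
    {"priority": 10, "weight": 60, "port": 389, "target": "ldap1.corp100.com"},
    {"priority": 10, "weight": 30, "port": 389, "target": "ldap2.corp100.com"},
    {"priority": 20, "weight": 0, "port": 389, "target": "ldap3.corp100.com"},  # backup only
]


def order_srv_targets(records, rng=None):
    """Return the records in the order a client should try them."""
    rng = rng or random.Random()
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec["priority"]].append(rec)
    ordered = []
    for priority in sorted(by_priority):  # lower priority value is tried first
        # RFC 2782 puts weight-0 records first so they are chosen only when the
        # random number is 0, which is rare while other targets still carry weight.
        pool = sorted(by_priority[priority], key=lambda r: r["weight"] != 0)
        while pool:
            pick = rng.randint(0, sum(r["weight"] for r in pool))
            running = 0
            for index, rec in enumerate(pool):
                running += rec["weight"]
                if running >= pick:  # first record whose running sum reaches the draw
                    ordered.append(pool.pop(index))
                    break
    return ordered


def first_choice_share(records, trials=2000, seed=1):
    """Fraction of trials in which each target is tried first; shows the weights in action."""
    rng = random.Random(seed)
    counts = defaultdict(int)
    for _ in range(trials):
        counts[order_srv_targets(records, rng)[0]["target"]] += 1
    return {target: n / trials for target, n in counts.items()}


if __name__ == "__main__":
    for rec in order_srv_targets(SAMPLE_SRV):
        print(rec["priority"], rec["weight"], rec["target"], rec["port"])
    print(first_choice_share(SAMPLE_SRV))
```

With weights 60 and 30 at priority 10, ldap1 is tried first roughly two times out of three and ldap3 (priority 20) only after both priority-10 targets have been exhausted, which is the behaviour the Priority and Weight fields above are meant to produce.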
Adding TXT Records
A TXT (text record) record contains supplemental information for a host. For example, if you have a sales server that
serves only North America, you can create a text record stating this fact. You can create more than one text record for
a domain name.
To add a TXT record:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones) -> zone -> Edit -> Add Resource Records ->TXT Record.
TXT Record Properties
Domain Name: If you want to define a TXT record for a domain whose name matches the zone in which you
define the TXT record, leave this field empty. The NIOS appliance automatically adds the domain name (the
same as the zone name) to the TXT record. For example, if you want to create a TXT record for the
corp100.com domain and you define the TXT record in the corp100.com zone, leave this field empty.
If you want to define a TXT record for a host or subdomain, enter that name here. The NIOS appliance
prefixes the name you enter to the domain name for the zone in which you define the TXT record. For
example, if you want to create a TXT record for a web server whose host name is www2.corp100.com and
you define the TXT record in the corp100.com zone, enter www2 in this field.
Text: Enter the text that you want to associate with the record. It can contain up to 255 characters.
Comments: Enter a descriptive comment for this record.
Disable this TXT record: Clear the check box to enable the record. Select the check box to disable it.
2. Select the Override zone TTL settings check box to override the settings inherited from the zone and configure
TTL settings for this record. Enter the settings in the Days, Hours, Mins, and Secs fields. For more information on
TTL settings, see Specifying Time To Live Settings on page 407.
3. Click the Save and Restart Services icons.
Using TXT Records for SPF
SPF (Sender Policy Framework) is an anti-forgery mechanism that helps identify spam e-mail. SPF fights e-mail
address forgery and makes it easier to identify spam, worms, and viruses. Domain owners publish their sending mail
servers in DNS, and SMTP receivers verify the envelope sender address against this information, so they can
distinguish legitimate mail from spam before any message data is transmitted.
SPF lets a domain say: "I only send mail from these machines. If any other machine claims to send mail from me,
it is not legitimate." For example, when an AOL user sends mail to you, an e-mail server that belongs to AOL
connects to an e-mail server that belongs to you. AOL uses SPF to publish the addresses of its e-mail servers, so
when the message comes in, your e-mail server can tell whether the server that sent it belongs to AOL.
SPF records are specialized TXT records that identify which machines send mail for a domain. You can think of SPF
records as reverse MX records that receiving e-mail servers use to verify whether a machine is a legitimate sender
for the domain. The draft referenced at http://spf.pobox.com/draft-ietf-marid-protocol-00.txt has since been
superseded; the current SPF specification is RFC 7208.
SPF Record Examples
corp100.com.  IN TXT "v=spf1 mx ~all"
corp100.net.  IN TXT "v=spf1 a:mail.corp100.com ~all"
corp100.net.  IN TXT "v=spf1 include:corp100.com -all"
corp100.net.  IN TXT "v=spf1 mx -all exp=getlost.corp100.com"
corp100.com.  IN TXT "v=spf1 include:corp200.com -all"
In these examples, mx authorizes the hosts listed in the domain's MX records, a:mail.corp100.com authorizes the
address of that host, and include:corp100.com authorizes whatever the SPF record of corp100.com authorizes. The
final all term sets the result for every other sender: -all tells receivers to reject (hard fail) and ~all to
accept but mark the message (soft fail). exp= names a domain whose TXT record supplies an explanation string for
rejected mail. A record that ends in +all, or in all with no qualifier, authorizes every host on the Internet and
provides no protection.
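To make the semantics of the records above concrete, here is an added example (not from the guide and not Infoblox code) that evaluates a subset of RFC 7208 against an in-memory DNS: the mx, a, include, ip4 and all mechanisms with all four qualifiers, the exp= modifier (which does not change the result), and the ten-lookup limit that turns an include loop into permerror instead of an endless recursion. The FakeDNS class, the check_host function and the zone data (corp100.com and corp100.net from the examples, plus a constructed loop.example) are this example's assumptions; redirect= and macros are not implemented.

```python
"""Evaluate an SPF record for a connecting IP against an in-memory DNS (RFC 7208 subset)."""
import ipaddress

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: cap on DNS-querying terms per evaluation


class FakeDNS:
    """Stand-in resolver: records keyed by (name, type). Constructed data, not a live zone."""

    def __init__(self, records):
        self.records = {(n.lower(), t): v for (n, t), v in records.items()}

    def get(self, name, rtype):
        return self.records.get((name.rstrip(".").lower(), rtype), [])


def _spf_record(dns, domain):
    """The domain's single v=spf1 TXT record, or None if it publishes none."""
    found = [t for t in dns.get(domain, "TXT")
             if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(found) > 1:
        raise ValueError("multiple SPF records")  # RFC 7208: more than one record is a permerror
    return found[0] if found else None


def _matches_a(dns, ip, name):
    """True if ip is one of the A records of name."""
    return any(ipaddress.ip_address(ip) == ipaddress.ip_address(a) for a in dns.get(name, "A"))


def check_host(dns, ip, domain, budget=None):
    """Return pass, fail, softfail, neutral, none or permerror for mail from ip claiming domain.
    Supports mx, a, include, ip4 and all; redirect= and macros are not handled."""
    budget = [LOOKUP_LIMIT] if budget is None else budget  # shared with include: evaluations
    try:
        record = _spf_record(dns, domain)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:
            continue  # modifier such as exp=; it carries an explanation, not a match rule
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain
        if mech in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many lookups: an include loop or a bloated record
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = _matches_a(dns, ip, target)
        elif mech == "mx":
            matched = any(_matches_a(dns, ip, host) for _, host in dns.get(target, "MX"))
        elif mech == "include":
            inner = check_host(dns, ip, arg, budget)
            if inner in ("permerror", "none"):
                return "permerror"  # including a domain without a record is a permerror
            matched = inner == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"  # fell off the end of the record without a match


# Constructed zone data built from the guide's examples, plus a self-including record.
ZONE = FakeDNS({
    ("corp100.com", "TXT"): ["v=spf1 mx ~all"],
    ("corp100.com", "MX"): [(0, "mail1.corp100.com")],
    ("mail1.corp100.com", "A"): ["1.2.2.10"],
    ("corp100.net", "TXT"): ["v=spf1 include:corp100.com -all"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
})

if __name__ == "__main__":
    for ip, domain in (("1.2.2.10", "corp100.com"), ("203.0.113.5", "corp100.com"),
                       ("1.2.2.10", "corp100.net"), ("203.0.113.5", "corp100.net"),
                       ("1.2.2.10", "loop.example")):
        print(f"{domain:14} from {ip:12} -> {check_host(ZONE, ip, domain)}")
```

The same unauthorized sender (203.0.113.5) gets softfail from corp100.com, whose record ends in ~all, and fail from corp100.net, whose record ends in -all, even though corp100.net delegates its list of legitimate senders to corp100.com through include. The loop.example record shows why the lookup budget matters: without it the include would recurse forever, and a receiver evaluating attacker-controlled records could be tied up that way.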
Adding CNAME Records
A CNAME record maps an alias to a canonical name. You can use CNAME records in both forward- and IPv4
reverse-mapping zones to serve two different purposes. (At this time, you cannot use CNAME records with IPv6
reverse-mapping zones.)
CNAME Records in Forward-Mapping Zones
In a forward-mapping zone, a CNAME record maps an alias to a canonical (or official) name. CNAME records are often
more convenient to use than canonical names because they can be shorter or more descriptive. For example, you can
add a CNAME record that maps the alias qa to the canonical name engr.corp100.com.
Note: A CNAME record does not have to be in the same zone as the canonical name to which it maps.
To add a CNAME record to a forward-mapping zone:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping) -> zone -> Edit -> Add Resource Records -> CNAME Record.
Note: IPv6 reverse-mapping zones support only PTR records at this time.
CNAME Record Properties
Alias: Enter the alias for the canonical name.
Canonical Name: Enter the complete canonical (or official) name of the host.
Comments: Enter a descriptive comment for this record.
Disable this CNAME record: Clear the check box to enable the record. Select the check box to disable it.
2. Select the Override zone TTL settings check box to override the settings inherited from the zone and configure
TTL settings for this record. Enter the settings in the Days, Hours, Mins, and Secs fields. For more information on
TTL settings, see Specifying Time To Live Settings on page 407.
3. Click the Save and Restart Services icons.
CNAME Records in IPv4 Reverse-Mapping Zones
You can add CNAME records to an IPv4 reverse-mapping zone to create aliases to addresses maintained by a different
name server when the reverse-mapping zone on the server is a delegated child zone with fewer than 256 addresses.
This technique allows you to delegate responsibility for a reverse-mapping zone with an address space of fewer than
256 addresses to another authoritative name server. See Figure 10.21 and RFC 2317, Classless IN-ADDR.ARPA
delegation.
Figure 10.21 CNAME Records in a Reverse-Mapping Zone
You add CNAME records in the parent zone on your name server. The aliases defined in those CNAME records point
to the addresses in PTR records in the child zone delegated to the other server.
When you define a reverse-mapping zone that has a netmask from /25 (255.255.255.128) to /31
(255.255.255.254), you must include an RFC 2317 prefix. This prefix can be anything such as the address range
(examples: 0-127, 0/127) to descriptions (examples: first-network, customer1). On a NIOS appliance, creating such
a reverse-mapping zone automatically generates all the necessary CNAME records. However, if you need to add them
manually to a parent zone that has a child zone with fewer than 255 addresses:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for IPv4
Reverse-Mapping) -> zone -> Edit -> Add Resource Records -> CNAME Record.
2. Enter the following CNAME Record Properties:
Alias: Enter the host portion of an IP address. For example, if the full IP address is 10.1.1.1 in a network
with a 25-bit netmask, enter 1. (The 10.1.1.0/25 network contains host addresses from 10.1.1.1 to
10.1.1.126. The network address is 10.1.1.0, and the broadcast address is 10.1.1.127.)
Figure 10.21 (diagram): the local DNS server holds the parent zone for 10.1.1.0/24 and delegates the child zones 10.1.1.0/25 (Customer1 DNS server) and 10.1.1.128/25 (Customer2 DNS server). The CNAME records in the parent zone point at the PTR records in the delegated child zones.
CNAME Records for Customer1 (ALIAS -> CANONICAL NAME):
1.1.1.10.in-addr.arpa -> 1.0/127.1.1.10.in-addr.arpa
2.1.1.10.in-addr.arpa -> 2.0/127.1.1.10.in-addr.arpa
...
126.1.1.10.in-addr.arpa -> 126.0/127.1.1.10.in-addr.arpa
CNAME Records for Customer2 (ALIAS -> CANONICAL NAME):
129.1.1.10.in-addr.arpa -> 129.128/255.1.1.10.in-addr.arpa
130.1.1.10.in-addr.arpa -> 130.128/255.1.1.10.in-addr.arpa
...
254.1.1.10.in-addr.arpa -> 254.128/255.1.1.10.in-addr.arpa
All the PTR records for Customer1 and Customer2 use the addresses defined as canonical names in the CNAME records on the local DNS server. Sample PTR records for Customer1: 1.0/127.1.1.10.in-addr.arpa -> host1.customer1.com; 2.0/127.1.1.10.in-addr.arpa -> host2.customer1.com; ...
Canonical Name: Enter host_ip_addr.prefix.network.in-addr.arpa (host IP address + 2317 prefix + network
IP address + in-addr.arpa). For example, enter 1.0/25.1.1.10.in-addr.arpa. This IP address must match the
address defined in the PTR record in the delegated child zone.
Comments: Enter a descriptive comment for this record.
Disable this CNAME record: Clear the check box to enable the record. Select the check box to disable it.
3. Specify one of the following Time to Live Settings:
Use grid TTL settings: Select to apply the TTL settings inherited from the grid or zone (if you previously
configured TTL settings for the zone containing this record). By default, a resource record inherits its TTL
(time to live) settings.
Override grid TTL settings: Select to override the inherited settings. To configure TTL settings for this record,
enter the settings in the Days, Hours, Mins, Secs fields. For more information on TTL settings, see
Specifying Time To Live Settings on page 407.
4. Click the Save and Restart Services icons.
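The CNAME records that this procedure enters by hand, generated for a whole classless delegation, as an added example in Python that is not part of the Infoblox guide. The prefix style follows the page (address range such as 0/127, or any label you pass in, such as the 0/25 used in the Canonical Name field above); the alias and canonical names follow the host_ip_addr.prefix.network.in-addr.arpa form from the procedure. It generalises the /25 case in Figure 10.21 to any /25 through /31 network, which is the range the page says requires an RFC 2317 prefix.

```python
"""Generate RFC 2317 CNAME records for a classless in-addr.arpa delegation.

Added example, not NIOS code. Mirrors Figure 10.21: the parent zone
1.1.10.in-addr.arpa holds CNAMEs pointing into the delegated child zone
0/127.1.1.10.in-addr.arpa (prefix "0/127", hosts .1 through .126).
"""
import ipaddress


def reverse_zone(network):
    """Parent /24 reverse zone name for an IPv4 network, e.g. 1.1.10.in-addr.arpa."""
    octets = str(network.network_address).split(".")
    return ".".join(reversed(octets[:3])) + ".in-addr.arpa"


def rfc2317_cnames(cidr, prefix=None):
    """Return (alias, canonical) pairs for every host address in cidr.

    cidr must be a /25 through /31 network on a proper boundary. If prefix is
    None the page's address-range style (first/last, e.g. 0/127) is used.
    Network and broadcast addresses are skipped, except on a /31 where both
    addresses are hosts.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if not 25 <= net.prefixlen <= 31:
        raise ValueError("RFC 2317 CNAME delegation applies to /25 through /31 networks")
    first = int(net.network_address) & 0xFF
    last = int(net.broadcast_address) & 0xFF
    if prefix is None:
        prefix = f"{first}/{last}"
    parent = reverse_zone(net)
    child = f"{prefix}.{parent}"          # the delegated child zone name
    skip = {first, last} if net.prefixlen < 31 else set()
    pairs = []
    for addr in net:
        host = int(addr) & 0xFF           # host portion: the last octet
        if host in skip:
            continue
        pairs.append((f"{host}.{parent}", f"{host}.{child}"))
    return pairs


def zone_file_lines(pairs):
    """Render the pairs as absolute zone-file CNAME records."""
    return [f"{alias}. IN CNAME {canon}." for alias, canon in pairs]


def canonical_in_child(canonical, cidr, prefix=None):
    """Check that a hand-entered canonical name really lies in the child zone
    the delegation points at (the page requires it to match the child PTR)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if prefix is None:
        prefix = f"{int(net.network_address) & 0xFF}/{int(net.broadcast_address) & 0xFF}"
    return canonical.rstrip(".").endswith(f".{prefix}.{reverse_zone(net)}")


if __name__ == "__main__":
    for line in zone_file_lines(rfc2317_cnames("10.1.1.0/25"))[:3]:
        print(line)
```

Because the canonical names carry the child zone suffix, a mismatch between the prefix used in the parent's CNAMEs and the prefix the customer's server actually serves silently breaks every reverse lookup for that range; canonical_in_child is the check to run before saving hand-entered records.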
Adding DNAME Records
A DNAME record maps all the names in one domain to those in another domain, essentially substituting one domain
name suffix with the other (see RFC 2672, Non-Terminal DNS Name Redirection). For example, adding a DNAME record
to the corp100.com domain mapping corp100.com to corp200.com maps name-x.corp100.com to
name-x.corp200.com:
When a request arrives for a domain name to which a DNAME record applies, the NIOS appliance responds with a
CNAME record that it dynamically creates based on the DNAME definition. For example, if there is a DNAME record
corp100.com. DNAME corp200.com.
and a request arrives for server1.corp100.com, the NIOS appliance responds with the following CNAME record:
server1.corp100.com. CNAME server1.corp200.com.
If responding to a name server running BIND 9.0.0 or later, the NIOS appliance also includes the DNAME record in its
response, so that name server can also create its own CNAME records based on the cached DNAME definition.
The following are two common scenarios for using DNAME records:
One company buys another and wants people using both the old and new name spaces to reach the same
hosts.
A virtual Web hosting operation offers different vanity domain names that point to the same server or servers.
There are some restrictions that apply to the use of DNAME records:
You cannot have a CNAME record and a DNAME record for the same subdomain.
You cannot use a DNAME record for a domain or subdomain that contains any subdomains. You can only map
the lowest level subdomains (those that do not have any subdomains below them). For an example of using
DNAME records in a multi-tiered domain structure, see Figure 10.22 on page 403.
Domain Name -> Target Domain Name
server1.corp100.com -> server1.corp200.com
server2.corp100.com -> server2.corp200.com
server3.corp100.com -> server3.corp200.com
... .corp100.com -> ... .corp200.com
Figure 10.22 Adding DNAME Records for the Lowest Level Subdomains
In the case of a domain structure consisting of a single domain (no subdomains), adding a DNAME record redirects
queries for every name in the domain to the target domain, as shown in Figure 10.23.
Figure 10.23 Adding a DNAME Record for a Single Domain
When using a DNAME record, you must copy the resource records for the source domain to the zone containing the
target domain, so that the DNS server providing service for the target domain can respond to the redirected queries.
For the example in Figure 10.23, copy these records:
After copying these records to the zone containing the corp100.corp200.com domain, delete them from the zone
containing the corp100.com domain.
Copy from corp100.com to corp100.corp200.com:
www1 IN A 10.1.1.10
www2 IN A 10.1.1.11
ftp1 IN A 10.1.1.20
mail1 IN A 10.1.1.30
Figure 10.22 (diagram): Corp200 buys Corp100 and wants to redirect queries for corp100.com to corp200.com; however, the multitiered structure of corp100.com (dev.corp100.com, mktg.corp100.com, art.mktg.corp100.com) prohibits a complete mapping of all its subdomains. In such a case, DNAME records provide only a partial solution: one DNAME record with domain name dev.corp100.com and target domain dev100.corp200.com, and another with domain name art.mktg.corp100.com and target domain art.mktg100.corp200.com.
Figure 10.23 (diagram): Corp200 buys Corp100 and wants to redirect all queries for corp100.com to corp200.com. To accomplish this, you add a single DNAME record to corp100.com with domain name corp100.com and target domain corp100.corp200.com, so that www1, www2, ftp1, and mail1 in corp100.com resolve through the same names in corp100.corp200.com.
If DNS service for the source and target domain names is on different name servers, you can import the zone data
from the NIOS appliance hosting the source domain to the appliance hosting the target domain. For information
about this procedure, see Importing Zone Data on page 359.
If DNS service for the source and target domain names is on the same name server and the parent for the target
domain is on a different server, you can delegate DNS services for the target domain name to the name server that
provided, and continues to provide, DNS service for the source domain name (see Figure 10.24 on page 404). By
doing this, you can continue to maintain resource records on the same server, potentially simplifying the
continuation of DNS administration.
Figure 10.24 Making the Target Zone a Delegated Zone
The following tasks walk you through configuring the two appliances in Figure 10.24 to redirect queries for
corp100.com to corp100.corp200.com using a DNAME record:
On the ns1.corp100.com name server, do the following:
1. Create a new forward-mapping zone called corp100.corp200.com. See Configuring Authoritative Zones on page
353.
2. Copy all the resource records for the domain or subdomain to which the DNAME record is going to apply from
corp100.com to corp100.corp200.com. See Copying Zone Records on page 342.
Note: Because you can only specify the records by type, not individually, you might have to copy some records
that you do not want and then delete them from the corp100.corp200.com zone.
3. In the corp100.com zone, delete all the resource records for the domain or subdomain to which the DNAME
record is going to apply.
4. Add a DNAME record to the corp100.com zone specifying corp100.com as the domain and
corp100.corp200.com as the target domain. Adding a DNAME record is explained in the next section.
5. On the ns1.corp200.com name server, add corp100.corp200.com as a delegated zone and specify
ns1.corp100.com as the name server for it. See Configuring a Delegated Zone on page 365.
Figure 10.24 (diagram): ns1.corp100.com is the primary name server for corp100.com and the authoritative name server for corp100.corp200.com; ns1.corp200.com is the primary name server for corp200.com. On the primary name server for corp200.com (ns1.corp200.com), specify corp100.corp200.com as a delegated zone and specify ns1.corp100.com as the name server for that zone.
Note: This is a conceptual representation of domain name mapping and depicts the resulting hierarchical relationship of corp200.com as the parent zone for corp100.corp200.com. The hosts are not physically relocated.
Resource records in corp100.com:
corp100.com IN SOA ns1.corp100.com
IN NS ns1.corp100.com
IN NS ns2.corp100.com
corp100.com IN DNAME corp100.corp200.com
Resource records in corp100.corp200.com (www1.corp100.corp200.com, www2.corp100.corp200.com, ftp1.corp100.corp200.com, mail1.corp100.corp200.com):
corp100.corp200.com IN SOA ns1.corp200.com
IN NS ns1.corp200.com
IN NS ns2.corp200.com
www1 IN A 10.1.1.10
www2 IN A 10.1.1.11
ftp1 IN A 10.1.1.20
mail1 IN A 10.1.1.30
DNAME Records for Forward-Mapping Zones
To add a DNAME record to a forward-mapping zone:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones) -> zone -> Edit -> Add Resource Records -> DNAME Record.
2. Enter the following DNAME Record Properties:
Domain Name: Enter the name of a subdomain. If you are adding a DNAME record for the entire zone, leave
this field empty. This field is for adding a DNAME record for a subdomain within the selected zone.
Target Domain: Enter the domain name to which you want to map all the domain names specified in the
Domain Name field.
Comments: Enter identifying text for this record, such as a meaningful note or reminder.
Disable this DNAME record: Clear the check box to enable the record. Select the check box to disable it.
3. Specify one of the following Time to Live Settings:
Use grid TTL settings: Select to apply the TTL settings inherited from the grid or zone (if you previously
configured TTL settings for the zone containing this record). By default, a resource record inherits its TTL
(time to live) settings.
Override grid TTL settings: Select to override the inherited settings. To configure TTL settings for this record,
enter the settings in the Days, Hours, Mins, Secs fields. For more information on TTL settings, see
Specifying Time To Live Settings on page 407.
4. Click the Save and Restart Services icons.
Note: If you specify a subdomain in the Domain Name field when configuring a DNAME record and the
subdomain is also a subzone, the DNAME record appears in the list view for the subzone, not in the list
view for the parent zone selected in the process of adding the record.
DNAME Records for Reverse-Mapping Zones
You can use DNAME records to redirect reverse lookups from one reverse-mapping zone to another. You can use
DNAME records for reverse-mapping zones to simplify the management of subzones for classless address spaces
larger than a class C subnet (a subnet with a 24-bit netmask).
RFC 2672, Non-Terminal DNS Name Redirection, includes an example showing the delegation of a subzone for an
address space with a 22-bit netmask inside a zone for a larger space with a 16-bit netmask:
$ORIGIN 0.192.in-addr.arpa.
8/22 NS ns.slash-22-holder.example.
8 DNAME 8.8/22
9 DNAME 9.8/22
10 DNAME 10.8/22
11 DNAME 11.8/22
The reverse-mapping zone 0.192.in-addr.arpa. applies to the address space 192.0.0.0/16. Within this zone is a
subzone and subdomain with the abbreviated name 8/22. (Its full name is 8/22.0.192.in-addr.arpa.) This
subdomain contains its own subdomains corresponding to the 1024 addresses in the 192.0.8.0/22 subnet:
Subdomain 8/22 (8/22.0.192.in-addr.arpa)
Subdomain 8.8/22 for addresses 192.0.8.0 to 192.0.8.255 (or 192.0.8.0/24)
Subdomain 9.8/22 for addresses 192.0.9.0 to 192.0.9.255 (or 192.0.9.0/24)
Subdomain 10.8/22 for addresses 192.0.10.0 to 192.0.10.255 (or 192.0.10.0/24)
Subdomain 11.8/22 for addresses 192.0.11.0 to 192.0.11.255 (or 192.0.11.0/24)
The NS record delegates authority for the reverse-mapping subzone 8/22 to the DNS server
ns.slash-22-holder.example.
Finally, the DNAME records provide aliases mapping domain names that correspond to the 192.0.8.0/24,
192.0.9.0/24, 192.0.10.0/24, and 192.0.11.0/24 subnets to the respective subdomains 8.8/22, 9.8/22, 10.8/22,
and 11.8/22 in the 8/22.0.192.in-addr.arpa subzone.
Note: NIOS appliances support DNAME records in reverse-mapping zones that map addresses to target zones with
a classless address space larger than a class C subnet. However, NIOS appliances do not support such target
zones.
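The substitution a server performs when a DNAME applies, both for the forward case on page 402 (corp100.com DNAME corp200.com yields a synthesized CNAME for server1.corp100.com) and for the RFC 2672 reverse-mapping example above, as one added example in Python that is not part of the Infoblox guide. DNAME_RECORDS is constructed from the two examples on the page; synthesize_cname applies the closest enclosing DNAME, leaves the owner name itself alone (RFC 2672 redirects only names below the owner), and cname_dname_conflicts implements the page's restriction that a name cannot carry both a CNAME and a DNAME.

```python
"""DNAME substitution as a name server applies it when synthesizing a CNAME.

Added example, not NIOS code. DNAME_RECORDS is constructed from the page's
corp100.com -> corp200.com example and the RFC 2672 reverse-mapping example.
"""


def labels(name):
    """Split an absolute or relative name into lower-case labels."""
    return name.lower().rstrip(".").split(".")


def is_proper_subdomain(name, owner):
    """True if name lies strictly below owner (owner itself is excluded)."""
    n, o = labels(name), labels(owner)
    return len(n) > len(o) and n[-len(o):] == o


# Constructed DNAME data: (owner, target), both fully qualified.
DNAME_RECORDS = [
    ("corp100.com.", "corp200.com."),
    ("8.0.192.in-addr.arpa.", "8.8/22.0.192.in-addr.arpa."),
    ("9.0.192.in-addr.arpa.", "9.8/22.0.192.in-addr.arpa."),
    ("10.0.192.in-addr.arpa.", "10.8/22.0.192.in-addr.arpa."),
    ("11.0.192.in-addr.arpa.", "11.8/22.0.192.in-addr.arpa."),
]


def synthesize_cname(qname, dname_records=DNAME_RECORDS):
    """Return (qname, substituted_name) when a DNAME applies, else None.

    The DNAME whose owner is the longest matching suffix of qname (the closest
    encloser) wins; the labels above the owner are kept and the owner suffix
    is replaced by the target.
    """
    best = None
    for owner, target in dname_records:
        if is_proper_subdomain(qname, owner):
            if best is None or len(labels(owner)) > len(labels(best[0])):
                best = (owner, target)
    if best is None:
        return None
    owner, target = best
    prefix = labels(qname)[:-len(labels(owner))]
    return (qname, ".".join(prefix + labels(target)) + ".")


def reverse_name(ipv4):
    """in-addr.arpa name for a dotted-quad IPv4 address."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."


def cname_dname_conflicts(dname_records, cname_owners):
    """Names that carry both a CNAME and a DNAME (not allowed per the page)."""
    dname_owners = {o.lower() for o, _ in dname_records}
    return sorted(dname_owners & {c.lower() for c in cname_owners})


if __name__ == "__main__":
    print(synthesize_cname("server1.corp100.com."))
    print(synthesize_cname(reverse_name("192.0.9.5")))
```

The reverse lookup for 192.0.9.5 becomes a query for 5.9.0.192.in-addr.arpa, which the DNAME at 9.0.192.in-addr.arpa rewrites to 5.9.8/22.0.192.in-addr.arpa inside the delegated 8/22 subzone; a query for 192.0.12.x matches no DNAME and is answered from the parent zone as usual.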
You might also use DNAME records if you have a number of multihomed appliances whose IP addresses must be
mapped to a single set of domain names. An example of this is shown in Figure 10.25.
Figure 10.25 DNAME Records to Simplify DNS for Multihomed Appliances
Note: If you specify a subdomain in the Domain Name field when configuring a DNAME record, and the subdomain
is also a subzone, the DNAME record appears in the list view for the subzone, not in the list view for the parent
zone that was selected when adding it.
To add a DNAME record to a reverse-mapping zone:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for IPv4
Reverse-Mapping Zones) -> zone -> Edit -> Add Resource Records -> DNAME Record.
Note: IPv6 reverse-mapping zones support only PTR records at this time.
2. Enter the following DNAME Record Properties:
Domain Name: If you are adding a DNAME record for the entire zone that you selected in the tree view (that
is, the zone selected in step 1), leave this field empty. If you are adding a DNAME record for a subdomain
within the selected zone, enter the name of the subdomain here.
View: Shows the name of the current view.
Figure 10.25 (diagram): four multihomed appliances (1 through 4) and four reverse-mapping zones, 1.1.10.in-addr.arpa., 2.1.10.in-addr.arpa., 3.1.10.in-addr.arpa., and 4.1.10.in-addr.arpa. Instead of maintaining a PTR record for the IP address of each interface on every multihomed appliance, you can store all the PTR records in one reverse-mapping zone (3.1.10.in-addr.arpa., where all PTR records are) and use DNAME records in the other zones (where all DNAME records are) to point reverse lookups to the one set of PTR records.
Resource records in 3.1.10.in-addr.arpa:
3.1.1.10.in-addr.arpa IN NS ns1.corp100.com
3.1.1.10.in-addr.arpa IN NS ns2.corp100.com
1 IN PTR www1.corp100.com
2 IN PTR www2.corp100.com
3 IN PTR ftp1.corp100.com
4 IN PTR stor1.corp100.com
Resource records in 4.1.10.in-addr.arpa:
4.1.1.10.in-addr.arpa IN NS ns1.corp100.com
4.1.1.10.in-addr.arpa IN NS ns2.corp100.com
4.1.10.in-addr.arpa IN DNAME 3.1.10.in-addr.arpa
Resource records in 2.1.10.in-addr.arpa:
2.1.1.10.in-addr.arpa IN NS ns1.corp100.com
2.1.1.10.in-addr.arpa IN NS ns2.corp100.com
2.1.10.in-addr.arpa IN DNAME 3.1.10.in-addr.arpa
Resource records in 1.1.10.in-addr.arpa:
1.1.1.10.in-addr.arpa IN NS ns1.corp100.com
1.1.1.10.in-addr.arpa IN NS ns2.corp100.com
1.1.10.in-addr.arpa IN DNAME 3.1.10.in-addr.arpa
Target Domain: Type the name of the reverse-mapping zone to which you want to map all the addresses
specified in the Domain Name field.
Comments: Enter text to help identify this record or to provide a meaningful note or reminder about it.
Disable this DNAME record: Clear the check box to apply the DNAME record. Select the check box to disable it.
3. Specify one of the following Time to Live Settings:
Use grid TTL settings: Select to apply the TTL settings inherited from the grid or zone (if you previously
configured TTL settings for the zone containing this record). By default, a resource record inherits its TTL
(time to live) settings.
Override grid TTL settings: Select to override the inherited settings. To configure TTL settings for this record,
enter the settings in the Days, Hours, Mins, Secs fields. For more information on TTL settings, see
Specifying Time To Live Settings on page 407.
4. Click the Save and Restart Services icons.
Specifying Time To Live Settings
You can specify TTL (time to live) settings for Infoblox host records and resource records. TTL settings determine how
long the record will be valid in the cache of a caching DNS server. You can configure TTL settings at the grid, zone, and
record level.
To specify TTL settings for a grid:
1. From the DNS perspective, click the DNS Members tab -> grid -> Edit -> Grid DNS Properties.
2. In the Grid DNS Properties editor, click General.
3. In the Default TTL and Negative TTL fields, enter values for Days, Hours, Mins, Secs, as necessary. The default TTL
determines the period for which positive responses to queries remain valid. (You can override this setting for
specific zones and for individual host and resource records.) The negative TTL determines the period for which
negative responses remain valid. (You can override this setting for specific zones.)
4. Click the Save and Restart Services icons.
To configure TTL settings for an individual zone:
From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones, IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> Edit ->
Authoritative Zone Properties -> Settings, and override the grid-level TTL settings.
To configure TTL settings for an Infoblox host or resource record:
From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones, IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> + (for zone ) ->
View -> Records -> record -> Edit -> Record Properties, and override the grid- or zone-level TTL settings.
Managing Hosts and Resource Records
After zones have been created, they need to be managed, which involves modifying, removing, disabling, and
enabling an Infoblox host or DNS resource record.
Modifying, Disabling, or Removing a Host or Record
The NIOS appliance allows you to modify or remove an existing host or record. An alternative to changing or deleting
a host or record is to disable it. This avoids having to remove a host or record and then add it again when a network
device is physically repaired or relocated. When the changes to the physical device are complete, you can simply
re-enable the host or record.
To modify or disable a host or record:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones, IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> View ->
Records.
2. In the Records viewer, double-click the host or record you want to modify. The host_record editor appears.
3. Do one of the following:
Make the necessary changes in the editor.
To disable the host or record, click the Disable this host_record check box.
To enable a host or record, clear the check box.
4. Click the Save and Restart Services icons.
Deleting a Host or Record
You can delete a host or record to permanently remove it from the system. You can delete a single record or host, or
select multiple objects, including a combination of hosts and various resource records, and delete the entire
selected group.
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones, IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> View ->
Records.
2. In the Record viewer, click a host or record -> Edit -> Remove host_record.
3. To delete a set of hosts or records, click one object, then hold down the SHIFT key for contiguous objects or CTRL
for non-contiguous objects, click the other objects, then click Edit -> Remove.
4. Click the Save and Restart Services icons.
5. Click the Restart Services icon.
Viewing DNS Record Listings
The NIOS appliance allows you to view record listings, search for specific types of records, sort this
information, and filter the search findings.
To view record listings for a zone:
1. In the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping Zones, IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> View ->
Records.
2. In the Records viewer, choose one of the following Filter types from the drop-down list, to sort the records
accordingly:
All Types
A Record
AAAA Records
Bulkhost Record
CNAME Record
DNAME Record
Host Record
HOST ADDRESS Record
HOST ALIAS Record
MX Record
NS Record
PTR Record
SRV Record
TXT Record
3. To go directly to a specific record, enter the record name in the Go to text field.
Chapter 11 Shared Records
Shared records are groups of DNS resource records that you can assign to one or more zones. Use shared records to
create and update multiple resource records shared by different zones.
This chapter contains the following sections:
Understanding Shared Records on page 412
Using Shared Records on page 414
Adding Shared Records on page 417
Configuration Example on page 420
By default, only superusers can add, edit, and delete shared record groups. Limited-access admin groups can access
shared record groups only if their administrative permissions are defined. For information on setting permissions for
shared record groups, see Administrative Permissions for Shared Record Groups on page 88.
Understanding Shared Records
You can create shared records in a shared record group and assign the group to one or more zones. The zones handle
the shared records as any other resource record.
To add a group of records in three different zones, you can just add the records in a shared record group and link the
group to the three zones. To add another set of records in only two of the zones, create another group and link the
group to the two specific zones.
You can create several zones that contain the same shared records. For example, if you have three views with two
zones containing 100 records each, you need not create and maintain 600 individual records. You can simply create
the 100 records and share them between two zones and three different views. When a shared record changes, the
system automatically updates it in each zone.
You need not restart the appliance when you create, delete, or modify shared records.
A unique icon identifies shared records both in the shared record group view and the regular DNS zone view.
The shared group icon highlights the groups and an icon overlay highlights shared records.
Figure 11.1 shows an example of how to create and use shared records.
In this example, you create two shared record groups: group1 that contains the A records ftp and printer1 and the MX
record mx1 and group2 that contains the A record web and the MX record mx2. Associate group1 with the internal
view zones sales.corp100.com and finance.corp100.com and the external view zone sales.corp100.com. Associate
group2 with the internal view zone marketing.corp100.com and the external view zones sales.corp100.com and
marketing.corp100.com.
Figure 11.1 Creating Shared Records
Figure 11.1 (diagram): group1 (mx1, printer1, ftp) is linked to sales.corp100.com and finance.corp100.com in the internal view and to sales.corp100.com in the external view; group2 (mx2, web) is linked to marketing.corp100.com in the internal view and to sales.corp100.com and marketing.corp100.com in the external view. Each record is shared by several zones, but stored as a single database object.
Shared Records Benefits
You can use shared records to:
Reduce object count by using one shared record instead of creating the same record in multiple zones. For
example, for 10 zones and 500 records per zone, the object count reduces from 5278 objects to 781 objects.
Include multiple A, AAAA, SRV, MX, and TXT resource records in a group and share the group between many
zones.
Simplify and expedite the administration of resource records. When you create or update a shared record, the
appliance automatically updates it in all associated zones.
Shared Records Features
The following are the features of shared records. You can:
Include the following types of DNS resource records in a shared record group: A, SRV, MX, AAAA, TXT; you cannot
include CNAME, DNAME, PTR, Host, or Bulk host records. See Adding Shared Records on page 417.
Create shared records only in authoritative zones. You cannot create shared records in forward zones, stub
zones, or reverse mapping zones.
Link a shared record group to several zones. Zones that contain shared records can also contain regular DNS
records (not shared).
Add shared records only from the shared record group. Click the shared record group to see the views and zones
to which it is linked.
Change or delete shared records from both the shared record group view and the regular DNS zone view. When
you change or delete a record, it changes the canonical source of the shared record and impacts all the zones
that contain the record. These changes are specific only to the Infoblox GUI; not to the Public API.
Shared Records Limitations
You cannot do the following:
Include CNAME, DNAME, PTR, host, or bulk host records in shared record groups.
Copy shared records from a zone.
Use dotted names such as my.name as the shared record name.
Using Shared Records
This section describes the steps to create and use shared records.
1. Create a shared record group in which you can add related shared records. See Configuring Shared Record
Groups on page 414.
2. Add related A, SRV, MX, AAAA, or TXT records into the shared record group. See Adding Shared Records on page
417.
3. Check that the records you added appear in the appropriate shared record group. See Viewing Records in Shared
Record Groups on page 415.
4. Associate the shared record group with different zones. See Associating Shared Record Groups With Zones on
page 415.
5. Check the zones you linked to the shared record group. See Viewing Zones Associated With Shared Record
Groups on page 415.
You can also:
Delete a zone that you linked to the shared record group. See Removing Shared Record Group Zone
Associations on page 416.
Delete a shared record group or recover it. See Associating Shared Record Groups With Zones on page 415.
Configuring Shared Record Groups
To add a shared record group:
1. From the DNS perspective, click the Infoblox Views tab -> Infoblox Views -> Shared Record Group -> Edit -> Add
Shared Record Group.
The Add Shared Record Group editor appears.
2. Click Shared Record Group Properties in the Add Shared Record Group editor, and specify the following:
Group Name: Enter the name of the shared record group. It can be up to 64 characters long and can contain
any combination of printable characters. You can change the shared record group name even after you
create the group. It does not impact the shared records in the group.
Comment: Enter notes about the shared record group.
3. Click Host Name Restrictions, select the Override grid host name restriction policy check box to supersede the
host name restriction policy set at the grid level and use the drop-down menu to select one of the following host
name checking policies:
Allow Any: You can use any host name.
Allow Underscore: You can only use host names with alphanumeric characters, dashes, and underscores
("-" and "_").
Strict Hostname Checking: You can only use host names that contain alphanumeric characters and dashes
(-).
This sets the host name policy for the shared records in the group. See Specifying Host Name Restrictions on
page 384.
Note: The shared record group host name policy overrides the zone policy.
Viewing Records in Shared Record Groups
To view shared records in a group, select the shared record group in the tree as follows:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Shared Record Groups ) -> + (for
shared_record_group)
2. Select View -> Records.
The Records Panel appears on the right. It lists the shared record name, type, value, and comment fields. To edit the
shared record properties from this panel, click the shared record name and select Edit -> Shared A Record Properties.
Associating Shared Record Groups With Zones
You can associate a shared record group with a zone only if you have read/write access to All Shared Record Groups
and read/write access to the associated zone. Use the zone association panel or the zone editor to associate a shared
record group with a zone.
To associate a shared record group with a zone using the zone association panel:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Shared Record Groups ) -> shared_record_group
-> Edit -> Add Zone Association.
2. Expand the list of zones and select the zones into which you want to add the shared record groups. Shift-click to
select multiple zones.
3. Click OK.
The system links the shared record group to the zones you select.
To associate a shared record group with a zone using the zone editor:
1. From the DNS perspective, click the Infoblox Views tab -> Infoblox Views -> + (for view ) -> + (for Forward-Mapping
Zone ) -> + (for zone ) -> Edit -> Authoritative Zone Properties.
2. Click Shared Record Groups in the zone editor.
3. Click Add.
The Shared Record Groups dialog appears. It lists the shared record groups that the zone can access.
4. Select a shared record group name and click OK. Shift-click to select multiple shared record groups.
The system adds the shared record group to the zone.
Viewing Zones Associated With Shared Record Groups
You can view, manage, sort and search zone associations of a shared record group using the views panel.
To view the list of zones that contain the shared record group:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Shared Record Groups ) -> shared_record_group.
2. Select View -> Shared Record Group Associations.
The Associations panel that lists the views and zones in the group appears on the right. You can view and delete the
zones from this panel; however, you cannot edit them.
Removing Shared Record Group Zone Associations
You can delete a shared record group zone association either by removing the zone from the shared record group or
by removing the shared record group from the zone.
To remove a zone from a shared record group:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Shared Record Groups ) -> shared_record_group.
2. Select View -> Shared Record Group Associations.
The Associations panel that lists the views and zones in the group appears on the right.
3. Click the zone name and select Edit -> Remove zone.
The system deletes the zone from the shared record group.
To remove a shared record group from a zone:
1. From the DNS perspective, click the Infoblox Views tab -> Infoblox Views -> + (for view ) -> + (for Forward-Mapping
Zone ) -> + (for zone ) -> Edit -> Authoritative Zone Properties.
2. Click Shared Record Groups in the zone editor.
3. Click the shared record group name, click Delete and then click OK to confirm that you want to remove the shared
record group.
The system removes the shared record group from the zone.
Deleting and Recovering Shared Record Groups
Before you delete a shared record group, you must remove the zone associations in the group; otherwise, an error
message appears when you delete. See Removing Shared Record Group Zone Associations on page 416.
To delete a shared record group:
From the DNS perspective, click the Infoblox Views tab -> + (for Shared Record Groups ) -> shared_record_group -> Edit
-> Remove shared record group.
Use the Recycle Bin feature to recover a deleted shared record group and retrieve the deleted zones. See Using the
Recycle Bin on page 382.
Using the Shared Record Group API
You can use the Shared Record Group API to:
Create, delete, modify shared record groups and associate them with zones.
Add, delete, and update shared records.
You cannot use the Shared Record Group API to update or delete shared records retrieved from a zone.
Adding Shared Records
This section describes how to add the following types of shared records. You cannot add CNAME, DNAME, PTR, Host,
or Bulk host records into a shared record group.
Adding Shared A Records on page 417
Adding Shared AAAA Records on page 417
Adding Shared MX Records on page 418
Adding Shared SRV Records on page 418
Adding Shared TXT Records on page 419
Adding Shared A Records
An A (address) record maps a domain name to an IP address. To define a specific name-to-address mapping, add an
A record to a previously defined authoritative forward-mapping zone (see Creating an Authoritative Forward-Mapping
Zone on page 353).
To add an A record:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Shared Record Groups ) -> shared_record_group ->
Edit -> Add Shared Resource Records -> A Record.
2. Enter the following Shared A Record Properties:
Record Name: Enter the name of the A record that you want to include in the shared record group. The
record name cannot be a dotted name such as www.infoblox.com.
IP Address: Enter the IP address to which you want to map the domain name.
Comment: Enter a descriptive comment for this record.
Disable this A record: Clear the check box to enable the record. Select the check box to disable it.
3. Click Time to Live Settings and select the Override zone TTL settings check box to ignore the TTL settings that the
record inherited from the zone. To configure TTL settings for this record, enter the settings in the Days, Hours,
Mins, and Secs fields. For more information on TTL settings, see Specifying Time To Live Settings on page 407.
4. Click the Save icon.
Adding Shared AAAA Records
AAAA (quad A address) records map a domain name to an IPv6 address. To define a specific name-to-address
mapping, add an AAAA record to a previously defined authoritative forward-mapping zone (see Creating an
Authoritative Forward-Mapping Zone on page 353).
To add a shared AAAA record:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Shared Record Groups ) -> shared_record_group ->
Edit -> Add Shared Resource Records -> AAAA Record.
2. Enter the following Shared AAAA Record Properties:
Record Name: Enter the name of the AAAA record that you want to include in the shared record group. The
record name cannot be a dotted name such as www.infoblox.com.
IP Address: Enter the IPv6 address to which you want the domain name to map. An IPv6 address is a 128-bit
number in colon hexadecimal notation. It consists of eight 16-bit groups of hexadecimal digits separated
by colons (example: 12ab:0000:0000:0123:4567:89ab:0000:cdef).
Note: When you enter an IPv6 address, you can use double colons to compress a contiguous sequence of zeros.
You can also omit any leading zeros in a four-hexadecimal group. For example, the complete IPv6 address
2006:0000:0000:0123:4567:89ab:0000:cdef can be shortened to 2006::123:4567:89ab:0:cdef. If
there are multiple noncontiguous groups of zeros, you can only use the double colon for one group to
avoid ambiguity. The NIOS appliance displays an IPv6 address in its shortened form, regardless of its form
when it was entered.
Comment: Enter a descriptive comment for this record.
Disable this shared AAAA record: Clear the check box to enable the record. Select the check box to disable
it.
3. Click Time to Live Settings and select the Override zone TTL settings check box to ignore the TTL settings that the
record inherited from the zone. To configure TTL settings for this record, enter the settings in the Days, Hours,
Mins, and Secs fields. For more information on TTL settings, see Specifying Time To Live Settings on page 407.
4. Click the Save icon.
Adding Shared MX Records
An MX (mail exchanger) record maps a domain name to a mail exchanger. A mail exchanger is a server that either
delivers or forwards mail. You can specify one or more mail exchangers for a zone, as well as the priority for using
each mail exchanger. A standard MX record applies to a particular domain or subdomain. A wildcard MX record
applies to a domain and all its subdomains.
To add a shared MX record:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Shared Record Groups ) -> shared_record_group ->
Edit -> Add Shared Resource Records -> MX Record.
2. Enter the following Shared MX Record Properties:
Record Name: Enter the name of the MX record that you want to include in the shared record group. The
record name cannot be a dotted name such as www.infoblox.com.
Mail Exchanger: Enter the fully qualified domain name of the mail exchanger.
Priority: Enter an integer between 0-65535. The priority determines the order in which a client attempts to
contact the target mail exchanger. The highest priority is 0 and is queried first.
Comment: Enter a descriptive comment for this record.
Disable this MX record: Clear the check box to enable the record. Select the check box to disable it.
3. Click Time to Live Settings and select the Override zone TTL settings check box to ignore the TTL settings that the
record inherited from the zone. To configure TTL settings for this record, enter the settings in the Days, Hours,
Mins, and Secs fields. For more information on TTL settings, see Specifying Time To Live Settings on page 407.
4. Click the Save icon.
Adding Shared SRV Records
An SRV (service location) record directs queries to hosts that provide specific services. For example, you can create
an SRV record for an FTP server to specify the host that provides the FTP service. You can specify more than one SRV
record for a host. To create an SRV record, you need to specify the domain name, priority, weight, port, and target
host. For more information about SRV records, see RFC 2052, A DNS RR for specifying the location of services (DNS
SRV).
To add a shared SRV record:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Shared Record Groups ) -> shared_record_group ->
Edit -> Add Shared Resource Records -> SRV Record.
2. Enter the following SRV Record Properties:
Record Name: Enter the name of the SRV record that you want to include in the shared record group. The
record name cannot be a dotted name such as www.infoblox.com.
Priority: Enter an integer between 0-65535. The priority determines the order in which a client attempts to
contact the target host; the target host with the lowest number has the highest priority and is queried first.
Target hosts with the same priority are attempted in the order determined by the Weight field.
Weight: Enter an integer between 0-65535. Weight allows you to distribute the load between target hosts.
The higher the number, the more that host handles the load (compared to other target hosts). Larger
weights give a target host a proportionately higher probability of being selected.
Port: Enter the appropriate port number for the service running on the target host. You can use standard or
nonstandard port numbers, depending on the requirements of your network.
Target: Enter the canonical domain name of the host (not an alias); for example, www2.corp100.com
Note: In addition, you need to define an A record mapping the canonical name of the host to its IP address.
Comments: Enter a descriptive comment for the record.
Disable this shared SRV record: Clear the check box to enable the record. Select the check box to disable it.
3. Click Time to Live Settings and select the Override zone TTL settings check box to ignore the TTL settings that the
record inherited from the zone. To configure TTL settings for this record, enter the settings in the Days, Hours,
Mins, and Secs fields. For more information on TTL settings, see Specifying Time To Live Settings on page 407.
4. Click the Save icon.
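The Priority and Weight fields above follow the target selection procedure of RFC 2782 (the successor to the RFC 2052 cited above). The following added example (not NIOS code) orders constructed SRV targets that way and measures how weight shares out the first attempt; the record names and values are constructed.

```python
"""Order SRV targets by Priority, then by weighted random selection within a
priority class, as RFC 2782 clients do (added example, not NIOS code)."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # 0-65535; the lowest value is tried first
    weight: int     # 0-65535; relative share among targets of equal priority
    port: int
    target: str     # canonical host name, which also needs an A/AAAA record


def _order_equal_priority(records: List[SrvRecord],
                          rng: Callable[[int], int]) -> List[SrvRecord]:
    """Weighted random ordering of one priority class.

    Weight-0 targets are moved to the front so they keep a small chance of
    selection. Running sums are built; rng(total) returns an int in [0, total]
    and the first target whose running sum reaches it is taken. The chosen
    target is removed and the step repeats, so a target with twice the weight
    is tried first about twice as often.
    """
    pending = sorted(records, key=lambda r: r.weight != 0)  # stable: zeros first
    ordered: List[SrvRecord] = []
    while pending:
        total = sum(r.weight for r in pending)
        pick = rng(total)
        running = 0
        for idx, rec in enumerate(pending):
            running += rec.weight
            if running >= pick:
                ordered.append(pending.pop(idx))
                break
    return ordered


def order_srv_targets(records: List[SrvRecord],
                      rng: Optional[Callable[[int], int]] = None) -> List[SrvRecord]:
    """Full client ordering: ascending priority, weighted order within each class."""
    if rng is None:
        rng = lambda n: random.randint(0, n)
    by_priority: Dict[int, List[SrvRecord]] = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    result: List[SrvRecord] = []
    for prio in sorted(by_priority):
        result.extend(_order_equal_priority(by_priority[prio], rng))
    return result


def first_choice_shares(records: List[SrvRecord], trials: int,
                        seed: int = 1) -> Dict[str, float]:
    """Fraction of trials in which each target is tried first. With weights
    60/20/20 in one priority class the shares come out near 0.6/0.2/0.2."""
    rnd = random.Random(seed)
    counts = {r.target: 0 for r in records}
    for _ in range(trials):
        first = order_srv_targets(records, rng=lambda n: rnd.randint(0, n))[0]
        counts[first.target] += 1
    return {t: c / trials for t, c in counts.items()}


# Constructed records: three FTP servers at priority 10, one fallback at 20.
SAMPLE = [
    SrvRecord(10, 60, 21, "ftp1.corp100.com"),
    SrvRecord(10, 20, 21, "ftp2.corp100.com"),
    SrvRecord(10, 20, 21, "ftp3.corp100.com"),
    SrvRecord(20, 0, 21, "ftp-backup.corp100.com"),
]
```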
Adding Shared TXT Records
A TXT (text record) record contains supplemental information for a host. For example, if you have a sales server that
serves only North America, you can create a text record describing it. You can create more than one text record for a
domain name.
To add a shared TXT record:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Shared Record Groups ) -> shared_record_group ->
Edit -> Add Shared Resource Records ->TXT Record.
2. Enter the following Shared TXT Record Properties:
Record Name: Enter the name of the TXT record that you want to include in the shared record group. The
record name cannot be a dotted name such as www.infoblox.com.
Text: Enter the text that you want to associate with the record. It can contain up to 255 characters.
Comments: Enter a descriptive comment for this record.
Disable this TXT record: Clear the check box to enable the record. Select the check box to disable it.
3. Click Time to Live Settings and select the Override zone TTL settings check box to ignore the TTL settings that the
record inherited from the zone. To configure TTL settings for this record, enter the settings in the Days, Hours,
Mins, and Secs fields. For more information on TTL settings, see Specifying Time To Live Settings on page 407.
4. Click the Save icon.
Configuration Example
The following example shows you how to configure shared records. In this example, you:
Create a zone Infoblox.com that is shared among the default, internal, and external views.
Create an A record www and an MX record mx1 in a shared record group (group1), which is associated with the
zone Infoblox.com in all three views.
Add another MX record in a new shared record group (group2), which is associated with the zone Infoblox.com
only in the default and internal views.
To include an A record www and an MX record mx1 in all three views:
1. Create a shared record group called group1.
a. From the DNS perspective, click the Infoblox Views tab -> Infoblox Views -> Shared Record Group -> Edit
-> Add Shared Record Group.
b. Click Shared Record Group Properties in the Add Shared Record Group editor, and specify the following:
c. Group Name: Enter the name of the shared record group as group1.
2. Add an A record www into group1.
a. From the DNS perspective, click the Infoblox Views tab -> + (for Shared Record Groups ) -> + group1 ->
Edit -> Add Shared Resource Records -> A Record.
b. Enter the following Shared A Record Properties:
Record Name: Enter www.
IP Address: Enter the IP address 10.9.0.0.
c. Click the Save icon.
3. Add an MX record mx1 into group1.
a. From the DNS perspective, click the Infoblox Views tab -> + (for Shared Record Groups ) -> + group1 ->
Edit -> Add Shared Resource Records -> MX Record.
b. Enter the following Shared MX Record Properties:
Record Name: Enter mx1.
Mail Exchanger: Enter www.infoblox.com.
Priority: Enter 10.
Comment: Enter mail exchanger record for shared record group1.
c. Click the Save icon.
4. Assign group1 to default/infoblox.com, internal/infoblox.com, and external/infoblox.com.
a. From the DNS perspective, click the Infoblox Views tab -> + (for Shared Record Groups ) -> + group1 ->
Edit -> Add Zone Association.
b. Expand the list of zones and select the zones default/infoblox.com, internal/infoblox.com,
external/infoblox.com into which you want to add group1. Shift-click to select multiple zones.
c. Click OK.
The shared record group group1 is added to the zones default/infoblox.com, internal/infoblox.com,
external/infoblox.com.
To include another MX record mx2 only in the default and internal views:
1. Create another shared record group called group2.
a. From the DNS perspective, click the Infoblox Views tab -> Infoblox Views -> Shared Record Group -> Edit
-> Add Shared Record Group.
b. Click Shared Record Group Properties in the Add Shared Record Group editor, and specify the following:
c. Group Name: Enter the name of the shared record group as group2.
2. Add an MX record mx2 into group2.
a. From the DNS perspective, click the Infoblox Views tab -> + (for Shared Record Groups ) -> + group2 ->
Edit -> Add Shared Resource Records -> MX Record.
b. Enter the following Shared MX Record Properties:
Record Name: Enter mx2.
Mail Exchanger: Enter www.infoblox.com.
Priority: Enter 15.
Comment: Enter mail exchanger record mx2 for shared record group2.
c. Click the Save icon.
3. Assign group2 to default/infoblox.com and internal/infoblox.com.
a. From the DNS perspective, click the Infoblox Views tab -> + (for Shared Record Groups ) -> + group2 ->
Edit -> Add Zone Association.
b. Expand the list of zones and select the zones default/infoblox.com and internal/infoblox.com into
which you want to add group2. Shift-click to select multiple zones.
c. Click OK.
Chapter 12 Configuring DNS Services
The service configurations of a grid are inherited by all members, zones, and networks. For this reason, it is
recommended that you configure services at the grid level before configuring member, zone, and network services.
Note: Limited-access admin groups can access certain DNS resources only if their administrative permissions are
defined. For information on setting permissions for admin groups, see Managing DNS Resource Permissions
on page 83.
This chapter explains how to configure grid services, and is organized as follows:
Configuring DNS Services on page 424
Changing General DNS Properties for a Grid on page 424
Enabling Zone Transfers on page 426
Specifying DNS Queries on page 428
Specifying Root Name Servers on page 430
Specifying Sort Lists on page 431
Using Forwarders with a Grid on page 432
Using Forwarders with a Member on page 432
Specifying Minimal Response Returns on page 432
Disabling and Enabling DNS Service for a Grid Member on page 433
Configuring DNS Zone Services on page 434
Disabling Forwarding for a Zone on page 434
Specifying TTL Settings for a Zone on page 434
Changing the SOA Name for a Zone on page 435
Setting the Serial Number in the SOA Record on page 435
Adding an E-mail Address to the SOA Record on page 435
Allowing Zone Transfers for a Zone on page 436
Allowing Query Access for a Zone on page 437
Supporting Active Directory on page 438
Active Directory and Unauthenticated DDNS Updates on page 439
Active Directory and GSS-TSIG-Authenticated DDNS Updates on page 441
Viewing DNS Files on page 447
Viewing DNS Cache Files on page 447
Viewing a DNS Configuration File on page 447
Viewing DNS Zone Statistics on page 447
Configuring DNS Services
When you configure DNS services at the grid level, all grid members, and zones belonging to those members, inherit
the grid-level configuration settings unless you specifically override them for selected members and zones. You can
configure the following DNS services at the grid level:
Changing General DNS Properties for a Grid on page 424
Enabling Zone Transfers on page 426
Specifying DNS Queries on page 428
Specifying Root Name Servers on page 430
Specifying Sort Lists on page 431
Using Forwarders with a Grid on page 432
Using Forwarders with a Member on page 432
Specifying Minimal Response Returns on page 432
Disabling and Enabling DNS Service for a Grid Member on page 433
Configuring Additional IP Addresses for a Grid Member on page 433
Specifying Host Name Restrictions on page 384
Specifying Bulk Host Name Formats on page 389
Changing General DNS Properties for a Grid
The Grid DNS Properties panel offers the following capabilities:
Specifying TTL Settings on page 424
Specifying Zone Deletion Confirmation on page 425
Notifying External Secondary Servers on page 425
Setting Source Port Settings on page 426
From the Grid perspective, click + (for grid ) -> + (for Services) -> DNS -> Edit -> Service Properties.
Specifying TTL Settings
TTL (time to live) is the time that a name server is allowed to cache data. After the TTL expires, the name server is
required to update the data. Setting a high TTL reduces network traffic, but also reduces the accuracy of your cached
data. Conversely, setting a low TTL increases the accuracy of cached data, but also increases the traffic on your
network.
Note: If you choose to configure one TTL setting, you must provide values for all of them.
To specify TTL settings for a grid:
1. From the DNS perspective, click the DNS Members tab -> grid -> Edit -> Grid DNS Properties.
2. In the General section of the Grid DNS Properties editor, modify the following values as necessary:
Refresh Every: This interval tells the secondary how often to send a message to the primary for a zone to
check that its data is current, and retrieve fresh data if it is not. The default is three hours.
Retry Every: This interval tells the secondary how long to wait before attempting to recontact the primary
after a connection failure between the two occurs. The default is one hour.
Expire After: If the secondary fails to contact the primary for the specified interval, the secondary stops
giving out answers about the zone because the zone data is too old to be useful. The default is 30 days.
Default TTL (Time to Live): This interval tells the secondary how long data can be cached.
Negative TTL (Time to Live): This interval tells the secondary how long data can be cached for Does Not
Respond responses.
3. Click the Save icon and the Restart Services icon if it flashes.
Specifying Zone Deletion Confirmation
To ensure that a zone is not deleted by accident, the Enable double confirm for zone deletion property is enabled by
default.
To disable and re-enable the double confirmation requirement before a zone is deleted:
1. From the DNS perspective, click the DNS Members tab -> grid -> Edit -> Grid DNS Properties.
2. In the General section of the Grid DNS Properties editor, clear the Enable double confirm for zone deletion check
box to disable the double confirmation requirement.
Select the check box again to re-enable the double confirmation requirement.
3. Click the Save icon and the Restart Services icon if it flashes.
Notifying External Secondary Servers
You can specify grid members (that are secondary name servers) to send notify messages to other secondary name
servers outside the grid. Enabling this option increases the number of notify messages; however, it ensures that an
external secondary name server receives notify messages when its master is a secondary name server in a grid. It is
enabled by default.
To disable secondary name servers from sending notify messages to secondary name servers outside the grid and
then re-enable it:
1. From the DNS perspective, click the DNS Members tab -> grid -> Edit -> Grid DNS Properties.
2. In the General section of the Grid DNS Properties editor, clear the Enable member secondaries to notify external
secondaries check box. To re-enable the functionality, select the check box again.
3. Click the Save icon and the Restart Services icon if it flashes.
All authoritative name servers in a grid (all primary and secondary servers) send notify messages to external
secondary servers by default. Because grid members can use database replication to maintain up-to-date zone data
sets, even if the primary server fails, the secondary servers in the grid can keep their zone data synchronized. Any
external secondary servers can fall out of sync, however, if they rely only on the primary server to send notify
messages when there is new zone data.
For the external secondary servers to accept notify messages from the secondary name servers in the grid and then
request zone transfers from them, you must configure the authoritative name servers in the grid as primary servers
on the external servers. This ensures that the external secondary servers continue to receive notify messages, even
if the primary server is unavailable.
All authoritative name servers in the grid send notify messages to the external secondaries when zone data updates
occur. The external secondary servers then query all the name servers they have configured as primary for that zone.
After this, the external secondary servers request a zone transfer from the name server whose zone has the highest
serial number. If more than one response contains the highest serial number, the external secondary servers transfer
data from the first primary server in their list.
For more information on zone transfers, see Enabling Zone Transfers on page 426.
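Two passages above work together: the Refresh Every, Retry Every and Expire After timers under Specifying TTL Settings, and the rule that external secondaries transfer from the primary answering with the highest serial, taking the first in their list on a tie. The following added example (not NIOS code) models a secondary's refresh cycle with the page's default timers; the primary names, serials and clock values are constructed, and serials are compared with RFC 1982 wrap-around arithmetic.

```python
"""A secondary's refresh cycle: poll the configured primaries, transfer from the
one with the highest serial (first in list on a tie), fall back to Retry when
none answers, and stop serving once Expire has passed (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SERIAL_MOD = 2 ** 32
HALF = 2 ** 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: is serial a newer than serial b, allowing for 32-bit wrap-around?
    So 5 is newer than 4294967295. A difference of exactly 2^31 is undefined
    by the RFC and is treated here as 'not newer'."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    if a == b:
        return False
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def choose_transfer_source(primaries: List[str],
                           answers: Dict[str, Optional[int]]) -> Optional[str]:
    """primaries: the masters in the secondary's configured order (all of the
    grid's authoritative servers, per the text above). answers: the SOA serial
    each returned, None if it did not respond. Strict '>' keeps the first of
    several equal serials; unreachable primaries are skipped, not fatal."""
    best = None
    for name in primaries:
        serial = answers.get(name)
        if serial is None:
            continue
        if best is None or serial_gt(serial, answers[best]):
            best = name
    return best


@dataclass
class SecondaryZone:
    primaries: List[str]
    refresh: int = 3 * 3600          # Refresh Every, default three hours
    retry: int = 3600                # Retry Every, default one hour
    expire: int = 30 * 86400         # Expire After, default 30 days
    serial: Optional[int] = None     # serial of the zone copy currently held
    last_success: int = 0            # time of the last successful contact
    next_check: int = 0              # when the next SOA check is due
    log: List[str] = field(default_factory=list)

    def serving(self, now: int) -> bool:
        """The secondary answers for the zone only while its data is younger
        than Expire; after that the copy is considered too old to be useful."""
        return self.serial is not None and now - self.last_success <= self.expire

    def refresh_cycle(self, now: int, answers: Dict[str, Optional[int]]) -> None:
        """One scheduled check at time `now`, given the SOA answers received.
        Also the path taken when a notify message arrives early."""
        source = choose_transfer_source(self.primaries, answers)
        if source is None:
            self.next_check = now + self.retry
            self.log.append(f"{now}: no primary answered, retry in {self.retry}s")
            return
        remote = answers[source]
        if self.serial is None or serial_gt(remote, self.serial):
            self.serial = remote     # the IXFR/AXFR from `source` happens here
            self.log.append(f"{now}: transferred serial {remote} from {source}")
        else:
            self.log.append(f"{now}: serial {self.serial} is current")
        self.last_success = now
        self.next_check = now + self.refresh
```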
Setting Source Port Settings
When requesting zone transfers from the primary server, some secondary DNS servers use the source port number
(the primary server used to send the notify message) as the destination port number in the zone transfer request.
To specify source port numbers for notify messages at the grid level:
1. From the DNS perspective, click the DNS Members tab -> grid -> Edit -> Grid DNS Properties.
2. In the General section of the Grid DNS Properties editor, click the Set static source port for notify messages check
box.
3. Optionally, click the Set static source port for queries check box.
4. Click the Save icon and the Restart Services icon if it flashes.
For information on notify messages for zone transfers, see Establishing Zone Transfer Notify Messages on page 428.
Enabling Zone Transfers
A zone transfer is the process of sending zone data across a network from one name server to another. This is the
principal method a primary name server uses to send data to a secondary server. When the primary server detects a
change to its zone data, it notifies the secondary servers. The secondary servers reply by checking to see if the serial
number they have for the zone matches the serial number for the zone on the primary server. If not, the secondary
servers request a zone transfer.
In addition to receiving zone change notifications, a secondary server periodically polls the primary server to see if
their zone data is in sync. In response, the primary server can send a DNS message containing just the new zone data,
or the entire data set. The first type of transfer is known as an incremental zone transfer, or IXFR. The second type of
transfer is known as a full zone transfer, or AXFR.
A NIOS appliance, acting as the primary name server for a zone, by default allows zone transfers to its secondary
name servers. This includes all servers listed in the NS records for that zone. You can also specify zone transfers to
other name servers, such as when migrating zone data to a new server or to a management system. You can specify
one or more destinations to which the local appliance sends zone transfers. You can also specify the security and
format of the transfers.
By default, grid members automatically receive updated zone data via database replication (through an encrypted
VPN tunnel). You can change the default behavior to allow grid members to use zone transfers instead of grid
replication. This is helpful when the primary server is another grid member, as a zone transfer is significantly faster
than database replication.
Keep in mind that a database replication updates zone data for both the active and passive nodes of an HA member.
Therefore, if there is a failover, the new active node (the previous passive node) immediately begins serving zone
data with fresh information. In the case of a zone transfer, the passive node does not receive zone data until after a
failover, when it becomes an HA master. At that time it sends a notify message to the primary server, which then
performs a zone transfer. If there is a lot of zone data, the transfer can take up to several minutes, thereby causing a
break in the availability of the new HA master.
If there are no HA members as secondary servers, zone transfers improve performance without a potential drawback.
If you have HA members as secondary servers, zone transfers can result in service interruption when there is a
failover. Furthermore, if the primary server is down when the HA member fails over, the new active node cannot
receive zone data until the primary server comes back online.
To configure zone transfers at the grid level:
1. Under the DNS perspective, click the DNS Members tab -> grid -> Edit -> Grid DNS Properties.
2. Expand the Zone Transfers section of the Grid DNS Properties editor.
3. In Allow zone transfers to section, click Add, specify the following information, and then click OK:
IP Address: Select, and enter a destination IP address for zone transfers.
Network: Enter a destination network IP Address for zone transfers, and select a Subnet mask from the
drop-down menu (1-31).
Any: Select to allow or deny the local appliance to send zone transfers to any IP address.
Allow: Select to allow zone transfers to the specified destination.
Deny: Select to deny zone transfers to the specified destination.
4. Optionally, you can make the following configuration adjustments:
Modify a zone: Select the zone from the list and click Modify.
Remove a zone: Select the zone from the list and click Remove.
Move a zone up the list: Select the zone and click Move up. The zone moves up the list incrementally with
each click of the button.
Move a zone down the list: Select the zone and click Move down. The zone moves down the list
incrementally with each click of the button.
5. Click the Save icon and the Restart Services icon if it flashes.
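The Move up and Move down buttons matter because the list is evaluated in order. The following added example (not NIOS code) evaluates an "Allow zone transfers to" list built from IP Address, Network and Any rows against a requester, and flags rows that an earlier row shadows; it assumes BIND address-match-list semantics (first matching row decides, and a requester matching no row is denied), and the addresses are constructed.

```python
"""Evaluate an ordered zone-transfer allow/deny list and find shadowed rows
(added example, not NIOS code; first-match and default-deny are assumptions)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class TransferEntry:
    """One row of the 'Allow zone transfers to' list."""
    match: Union[str, Network]   # "any", or the network an IP Address / Network row covers
    allow: bool                  # True for Allow, False for Deny

    @staticmethod
    def ip_address(address: str, allow: bool) -> "TransferEntry":
        # A single IP Address row is a /32 or /128 host network.
        return TransferEntry(ipaddress.ip_network(address), allow)

    @staticmethod
    def network(address: str, prefix: int, allow: bool) -> "TransferEntry":
        if not 1 <= prefix <= 31:     # the Subnet mask drop-down offers 1-31
            raise ValueError("Subnet mask must be between 1 and 31")
        return TransferEntry(ipaddress.ip_network(f"{address}/{prefix}", strict=False), allow)

    @staticmethod
    def any_address(allow: bool) -> "TransferEntry":
        return TransferEntry("any", allow)

    def covers(self, other: Union[Address, Network]) -> bool:
        """Does this row match the address, or every address of the network?"""
        if self.match == "any":
            return True
        if self.match.version != other.version:
            return False
        if isinstance(other, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            return other.subnet_of(self.match)
        return other in self.match


def zone_transfer_allowed(acl: List[TransferEntry], requester: str) -> bool:
    """The first matching row decides; a requester matching no row is denied."""
    addr = ipaddress.ip_address(requester)
    for entry in acl:
        if entry.covers(addr):
            return entry.allow
    return False


def shadowed_entries(acl: List[TransferEntry]) -> List[int]:
    """Indexes of rows that can never take effect because an earlier row already
    matches everything they match. A Deny for one host placed below an Allow
    for its whole network is the typical case; move the Deny up to fix it."""
    result = []
    for i, entry in enumerate(acl):
        for earlier in acl[:i]:
            if earlier.match == "any" or (entry.match != "any" and earlier.covers(entry.match)):
                result.append(i)
                break
    return result
```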
Using a TSIG Key for Zone Transfers
You can use TSIG (transaction signature) keys to authenticate zone transfer requests and replies. The same key name
and key value must be on the primary and secondary name servers for TSIG-authenticated zone transfers to occur.
When using TSIG, it is important that both appliances involved with the authentication procedure use NTP (Network
Time Protocol) for their time settings (see Using NTP for Time Settings on page 119).
You can use the key generation tool described in this section to create the TSIG key needed to secure transactions
between primary and secondary name servers. You can also enter an existing TSIG key, or click Generate to create
one.
Note: This TSIG function does not use GSS-TSIG (secure updates to Microsoft servers using a key from a Kerberos
server).
To generate a TSIG key at the grid level for a primary server:
1. From the DNS perspective, click the DNS Members tab -> grid -> Edit -> Grid DNS Properties.
2. In the Grid DNS Properties editor, click Zone Transfers.
3. In the Allow TSIG Transfers for section, click Add, specify the following information, and then click OK:
Key name: Enter a meaningful name for the key, such as a zone name or the name of the remote name
server with which the local server authenticates zone transfer requests and replies. This name must match
the name of the same TSIG key on other name servers that use it to authenticate zone transfers with the
local server.
Key: To use an existing TSIG key, type or paste the key in the Key field.
Generate: Click to create a new key.
Use DNS One 2.x TSIG: Select this check box when the other name server is an Infoblox appliance running
DNS One 2.x code.
4. Optionally, you can:
Modify a TSIG zone key: Select the member from the list and click Modify.
Remove a TSIG key: Select the member from the list and click Remove.
Move a TSIG key up the list: Select the member and click Move up. The member moves up the list
incrementally with each click of the button.
Move a TSIG key down the list: Select the member and click Move down. The member moves down the list
incrementally with each click of the button.
5. Click the Save icon and the Restart Services icon if it flashes.
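The requirements listed above (same key name and key value on both servers, clocks kept in step by NTP) follow from how a TSIG signature is checked. The model below is an added illustration, not NIOS or BIND code: it reduces TSIG (RFC 2845) to an HMAC-MD5 over the key name, the message and the signing time, and omits the real wire-format TSIG record. The key names, messages, timestamps and the keyring layout are constructed for the example; the 300-second fudge window is BIND's default.

```python
import base64
import hashlib
import hmac
import os

# Added illustration, not NIOS or BIND code: a simplified model of TSIG
# (RFC 2845) covering only the properties discussed in the text. The real
# TSIG record and the exact bytes that are MACed differ; what carries over
# is that both ends need the same key name and secret, and clocks that
# agree to within the fudge window.

FUDGE_SECONDS = 300  # allowed clock skew; 300 s is BIND's default fudge


def generate_tsig_secret(nbytes: int = 16) -> str:
    """Return a random base64 secret, the form pasted into the Key field."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def _mac(key_name: str, secret_b64: str, message: bytes, time_signed: int) -> bytes:
    """HMAC-MD5 over the key name, the DNS message and the signing time.

    The key name is lower-cased because DNS names compare case-insensitively.
    """
    key = base64.b64decode(secret_b64)
    data = key_name.lower().encode("ascii") + message + time_signed.to_bytes(6, "big")
    return hmac.new(key, data, hashlib.md5).digest()


def sign(key_name: str, secret_b64: str, message: bytes, time_signed: int) -> dict:
    """Produce the TSIG fields the sender attaches to a zone-transfer message."""
    return {
        "key_name": key_name,
        "time_signed": time_signed,
        "fudge": FUDGE_SECONDS,
        "mac": _mac(key_name, secret_b64, message, time_signed),
    }


def verify(message: bytes, tsig: dict, keyring: dict, now: int) -> tuple:
    """Check a received TSIG against this server's keyring.

    keyring maps a lower-cased key name to its base64 secret. Returns
    (ok, rcode) using the TSIG error names defined by RFC 2845.
    """
    secret = keyring.get(tsig["key_name"].lower())
    if secret is None:
        return False, "BADKEY"      # no key with that name configured here
    expected = _mac(tsig["key_name"], secret, message, tsig["time_signed"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return False, "BADSIG"      # same name, different key value
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return False, "BADTIME"     # clocks differ by more than the fudge window
    return True, "NOERROR"
```

The three failure codes map onto the three configuration mistakes an administrator can make in this dialog: a key name that differs between the two servers (BADKEY), a key value that differs (BADSIG), and clocks that have drifted apart because one appliance is not using NTP (BADTIME).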
Configuring DNS Services
428 Infoblox Administrator Guide (Rev. A) NIOS 4.3r1
Specifying a Zone Transfer Format
The zone transfer format determines the BIND format for a zone transfer. This provides tracking capabilities for single
or multiple transfers and their associated servers.
To specify a zone transfer format:
1. From the DNS perspective, click the DNS Members tab -> grid -> Edit -> Grid DNS Properties.
2. In the Grid Properties editor, click Zone Transfers.
3. In the Allow TSIG Transfers for section, select one of the following options from the Zone Transfer Format
drop-down menu:
Many Answers (Secondaries run BIND 8/9): includes as many records as the packet size allows
Many Answers except for these Servers: includes as many records as the packet size allows
One Answer (Secondaries run BIND 4): includes one record per packet
One Answer except for these Servers: includes one record per packet
Note: If you select Many Answers except for these Servers or One Answer except for these Servers, enter the IP
address of the Excluded Servers and click Add.
4. Click the Save and Restart Services icons.
Establishing Zone Transfer Notify Messages
When requesting zone transfers from the primary server, some secondary DNS servers use the source port number
(the port the primary server used to send the notify message) as the destination port number in the zone transfer
request. If the primary server uses a random source port number when sending the notify message, which the
secondary server then uses as the destination port number when requesting a zone transfer, zone transfers can fail if
there is an intervening firewall blocking traffic to the destination port number.
You can specify a source port number for notify messages to ensure the firewall allows the zone transfer request from
the secondary server to the primary server. If you do not specify a source port number, the NIOS appliance sends
messages from a random port number above 1024. For information about specifying source port numbers for notify
messages, see Setting Source Port Settings on page 426.
Specifying DNS Queries
The inheritance feature allows you to specify grid configuration options, individual member options, network level
options, and zone level options. This allows you to specify options at the granular level, and override grid options.
For example, you can configure grid members to perform queries in a different way than the grid. You can configure
queries in the following ways:
Specifying Queries at the Grid Level
Specifying Recursive Queries for a Grid
Specifying Queries at the Grid Level
By default, queries are allowed from any address. You can specify restrictions on the allowed origins for queries, as
well as how queries are allowed.
If the query is recursive and the recursion option is enabled, the NIOS appliance queries other servers for the DNS
data it needs. A recursive query requires the appliance to return requested DNS data, or locate the data through
queries to other servers. For information about allowing recursion, refer to Specifying Recursive Queries for a Grid on
page 429.
To allow or deny queries at the grid level:
1. From the DNS perspective, click the DNS Members tab -> grid -> Edit -> Grid DNS Properties.
2. In the Grid DNS Properties editor, click Queries.
3. In the Allow queries from section, click Add, enter the following address information for servers from which
queries are allowed or denied, and then click OK:
IP Address: Enter an IP address.
Network: Enter a network IP Address, and select a Subnet mask from the drop-down menu (1-31).
Any: Select to allow or deny queries from any IP address.
Permission:
Allow: Allows queries from the specified source.
Deny: Denies queries from the specified source.
4. Optionally, you can:
Modify server properties: Select the server from the list and click Modify.
Remove server: Select the server from the list and click Remove.
Move server up the list: Select the server and click Move up. The server moves up the list incrementally with
each click of the button.
Move a server down the list: Select the server and click Move down. The server moves down the list
incrementally with each click of the button.
5. Click the Save icon and the Restart Services icon if it flashes.
Note: You can also allow queries at the member level.
Specifying Recursive Queries for a Grid
When a NIOS appliance receives a query for DNS data it does not have, it first sends a query to any specified
forwarders. If a forwarder does not respond and you have enabled recursive queries (and disabled the Use Forwarders
Only check box under Member DNS Properties -> Forwarders), the NIOS appliance sends a recursive query to specified
internal root servers. If an internal root server is not configured, the appliance then sends a recursive query to the
Internet root servers. For more information on specifying root name servers, see Specifying Root Name Servers on
page 430.
To configure recursive queries for a grid:
1. From the DNS perspective, click the DNS Members tab -> grid -> Edit -> Grid DNS Properties.
2. In the Grid DNS Properties editor, click Queries.
3. Select the Allow recursion check box.
4. In the Allow recursive queries from section, click Add, enter the following address information for server from
which recursive queries are allowed or denied, and then click OK:
IP Address: Enter an IP address.
Network: Enter a network IP Address, and select a Subnet mask from the drop down menu (1-31).
Any: Select to allow or deny recursive queries from any IP address.
Allow: Select to allow recursive queries from the specified source.
Deny: Select to deny recursive queries from the specified source.
5. Optionally, you can:
Modify server properties: Select the server from the list and click Modify.
Remove server: Select the server from the list and click Remove.
Move server up the list: Select the server and click Move up. The server moves up the list incrementally with
each click of the button.
Move a server down the list: Select the server and click Move down. The server moves down the list
incrementally with each click of the button.
6. Click the Save icon and the Restart Services icon if it flashes.
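Both the Allow queries from list above and the Allow recursive queries from list are ordered tables of IP address, network or Any entries, each carrying an Allow or Deny permission, with Move up and Move down buttons. The example below is an added illustration, not NIOS code, of why that order matters: it evaluates such a list the way a BIND address match list is evaluated, first matching entry wins, which is an assumption about the appliance's behaviour rather than something the guide states. The entry kinds, the 1-31 prefix range for Network entries and the "no match means refused" rule once a list exists are modelled on the text and on BIND; all addresses are constructed sample values.

```python
import ipaddress

# Added illustration, not NIOS code: an ordered allow/deny table like the
# "Allow queries from" and "Allow recursive queries from" lists. First-match
# evaluation is an assumption modelled on BIND address match lists; it is
# what makes the Move up / Move down ordering significant.


def parse_acl(rows):
    """rows: (kind, value, permission) with kind 'ip', 'network' or 'any'.

    'network' values use the same 1-31 prefix range the editor offers; a
    single host is entered as kind 'ip' and becomes a host (/32 or /128) match.
    """
    entries = []
    for kind, value, permission in rows:
        if permission not in ("allow", "deny"):
            raise ValueError(f"permission must be allow or deny: {permission!r}")
        if kind == "any":
            net = None                                   # matches every source
        elif kind == "ip":
            net = ipaddress.ip_network(value, strict=False)
            if net.prefixlen != net.max_prefixlen:
                raise ValueError(f"'ip' entries take a single address: {value!r}")
        elif kind == "network":
            net = ipaddress.ip_network(value, strict=False)
            if not 1 <= net.prefixlen <= 31:
                raise ValueError(f"subnet mask must be 1-31 bits: {value!r}")
        else:
            raise ValueError(f"unknown entry kind: {kind!r}")
        entries.append((net, permission))
    return entries


def is_allowed(entries, client_ip):
    """True if a query from client_ip is accepted under the ordered list.

    An empty list keeps the page's default (queries allowed from anywhere).
    Once a list exists, the first matching entry decides and a source that
    matches no entry is refused, as with a BIND address match list.
    """
    if not entries:
        return True
    addr = ipaddress.ip_address(client_ip)
    for net, permission in entries:
        if net is None or addr in net:
            return permission == "allow"
    return False


def move_up(entries, index):
    """Return a copy with the entry at index swapped one position earlier,
    mirroring a single click of the Move up button."""
    entries = list(entries)
    if index > 0:
        entries[index - 1], entries[index] = entries[index], entries[index - 1]
    return entries
```

A typical defensive layout is a specific Deny for a misbehaving host above a broad Allow for the corporate network, followed by a final Any/Deny; moving the broad Allow above the specific Deny silently reopens access for that host, as the example shows.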
Setting the Source Port Number for Queries
Specifying a source port number for recursive queries ensures that a firewall will allow the response. If you do not
specify a source port number, the NIOS appliance sends these messages from a random port number.
When performing recursive queries, by default the NIOS appliance uses a random source port number above 1024.
The queried server responds using the source port number in the query as the destination port number in its
response. If there is an intervening firewall that does not perform stateful inspection and blocks incoming traffic to
the destination port number, the recursive query fails.
For information on how to specify source port numbers for queries at the grid level, see Setting Source Port Settings
on page 426.
Note: You can also specify these settings at the member level.
Specifying Root Name Servers
Root name servers contain the root zone file which lists the name and IP addresses of the authoritative name servers
for each top-level zone. When a root name server receives a query for a domain name, it provides at least the names
and addresses of the name servers that are authoritative for the top-level zone of the domain name.
You can configure the NIOS appliance to use Internet root name servers or custom root name servers. If you enable
recursive queries and the appliance receives a recursive query for DNS data it does not have, it queries specified
forwarders (if any) and then queries any root name servers you configure. If you do not specify internal root name
servers and the appliance can access the Internet, it queries the Internet root name servers.
The NIOS appliance provides the flexibility to specify root name servers at the grid, member, and custom view-level.
The default view uses either the member-level root name servers (if specified) or the grid-level root name servers. For
information on configuring root name servers at the view level, see View Level on page 431. For example, you can
specify a set of internal root name servers for a custom view and grid root name servers for another custom view.
Grid Level
To specify root name servers at the grid level:
1. From the DNS perspective, click the DNS Members tab -> grid -> Edit -> Grid DNS Properties.
2. In the Grid DNS Properties editor, click Root Name Servers and select one of the following options:
Use Internet root name servers: This option is selected by default. You can select the Internet root name
servers or specify custom root name servers.
Use custom root name servers: Enables you to specify custom root name servers. Click Add, enter the
following information in the Custom Root Server Item dialog box, and click OK:
Host Name: Enter a name for the root name server.
IP Address: Enter the IP address of the root name server.
The server information appears in the Custom Root Servers field.
3. Optionally, you can:
Modify server properties: Select the server from the list and click Modify.
Remove server: Select the server from the list and click Remove.
4. Click the Save icon and the Restart Services icon if it flashes.
Member Level
To specify root name servers at the member level, select the following navigational path and click Override grid root
name servers.
From the DNS perspective, click the DNS Members tab -> + (for grid) -> member -> Edit -> Member DNS Properties ->
Root Name Servers.
Use the steps explained in Grid Level on page 430 to specify custom root servers in the Member DNS Properties
editor. Restart services after you save the settings.
View Level
You can specify root name servers at the view level for all DNS views except the default view. The default view uses
either the member level root name servers (if specified) or the grid level root name servers. Custom views can either
use the grid root name servers or you can override the grid-level setting and specify root name servers for custom
views.
Every grid member has a default view, so if you want to specify root name servers for a default view, you can override
the grid root name server setting at the member level and the default view can use the member-level setting.
To specify the root name server for the custom view, select the following navigational path and click Override grid root
name server.
From the DNS perspective, click the Infoblox Views tab -> + view -> Edit -> IB View Properties -> Root Name Servers.
Use the steps explained in Grid Level on page 430 to specify custom root servers in the View editor. Restart services
after you save the settings.
Specifying Sort Lists
A sort list sorts the order of addresses in responses made to DNS queries. If a DNS lookup produces a response with
multiple addresses, the NIOS appliance sorts the addresses, putting the addresses in the address match list first. If
no addresses match a query, the appliance sorts the addresses according to the address of the querier, putting the
addresses that match the querier first.
To configure a sort list at the grid level:
1. From the DNS perspective, click the DNS Members tab -> grid -> Edit -> Grid DNS Properties.
2. In the Grid DNS Properties editor, click Sortlist, and then click Add.
3. In the Sort List Item dialog, choose from the following:
IP Address: Select radio button and enter the IP address to add to the sortlist. This is a single address with
a 32-bit netmask.
Network: Enter a network IP Address to add to the sortlist, and select a Subnet mask from the drop-down
menu.
Any: Select to add any address to the sortlist.
4. Click OK.
5. Optionally, you can:
Modify the sortlist: Select an item from the list and click Modify.
Remove an item from the sortlist: Select item from the list and click Remove.
Move an item up the list: Select the item and click Move up. The item moves up the list incrementally with
each click of the button.
Move an item down the list: Select the item and click Move down. The item moves down the list
incrementally with each click of the button.
6. Click the Save icon and the Restart Services icon if it flashes.
Note: You can also define sortlists at the member level.
Using Forwarders with a Grid
A forwarder is essentially a name server that other name servers send all of their off-site queries to first. The forwarder
builds up a cache of information, avoiding the need for the other name servers to send queries off-site. The NIOS
appliance can first send a query to a forwarder for DNS data it does not have in its cache and authoritative data, and
can work with one or more forwarders.
You can select any grid member as a forwarder.
You can use forwarders to process all queries for off-site DNS data. This is useful in organizations that need to
minimize off-site traffic, such as a remote office with a slow connection to a company's network.
If you activate the Use Forwarders Only check box in the Grid DNS Properties panel, the NIOS appliance sends queries
to forwarders only, and not to other internal or Internet root servers.
To use a forwarder with a grid:
1. From the DNS perspective, click the DNS Members tab -> grid -> Edit -> Grid DNS Properties.
2. In the Grid DNS Properties editor, click Forwarders.
3. Enter an IP Address in the text field, and then click Add. The IP address appears in the Forwarder text field.
4. To remove a forwarder, select the IP address from the Forwarder list, click Delete, and then click Yes.
5. To use only forwarders on your network (and not root servers), select the Use Forwarders Only check box.
6. Click the Save icon and the Restart Services icon if it flashes.
Using Forwarders with a Member
You can use forwarders with a grid member in the same way they are used with a grid.
To use a forwarder for a grid member:
1. From the DNS perspective, click the DNS Members tab -> + (for grid) -> member -> Edit -> Grid DNS Properties.
2. In the Grid DNS Properties editor, click General.
3. Click the Override Grid Forwarder Settings check box.
4. Enter an IP Address in the text field, and then click Add. The IP address appears in the Forwarder text field.
5. To remove a forwarder, select the IP address from the Forwarder list, click Delete, and then click Yes.
6. Optionally, click the Use Forwarders Only check box to use only the specified forwarders on your network and not
root servers.
7. Click the Save icon and the Restart Services icon if it flashes.
Specifying Minimal Response Returns
You can enable a NIOS appliance to return a minimal amount of data in response to a query. This capability speeds
up the DNS services provided by the appliance. This section covers how to turn this feature off and on.
To return minimal response data:
1. From the DNS perspective, click the DNS Members tab -> + (for grid) -> member -> Edit -> Member DNS Properties.
2. In the General section of the Member DNS Properties editor, ensure that the Return minimal responses check box
is selected. It is selected by default.
3. Click the Save icon and the Restart Services icon if it flashes.
Disabling and Enabling DNS Service for a Grid Member
You can disable the DNS service for any grid member. Be aware that disabling DNS service for a member removes the
NS records from it. If you later re-enable DNS service for this member, the NS records are then restored.
To disable DNS service for a grid member:
1. Log in as the NIOS appliance administrator, or as a superuser.
2. From the DNS perspective, click the DNS Members tab -> + (for grid) -> member -> Edit -> Grid DNS Properties.
3. In the General section of the Grid DNS Properties editor, clear the Enable DNS Server check box.
To re-enable the service, select the check box again.
4. Click the Save icon and the Restart Services icon if it flashes.
Configuring Additional IP Addresses for a Grid Member
The NIOS appliance supports multiple IP addresses on the loopback interface. You can enable DNS service on
multiple addresses for any grid member. For more information about configuring multiple IP addresses and anycast
addressing, see Configuring IP Routing Options on page 449.
To configure DNS service on additional IP addresses for a grid member:
1. Log in as the appliance administrator, or as a superuser.
2. From the DNS perspective, click the DNS Members tab -> + (for grid) -> member -> Edit -> Member DNS Properties.
3. In the General section of the Member DNS Properties editor, click Add to open the Select Additional Listen On
Address dialog box.
4. Select the additional IP address on which you want DNS services enabled. If there are no additional IP addresses
listed, configure additional addresses as described in Configuring IP Addresses on the Loopback Interface on page
450. Click OK.
5. Click the Save icon and the Restart Services icon if it flashes.
Configuring DNS Zone Services
You can configure settings for a zone, assign primaries and secondaries, and allow zone transfers. This section
explains how to specify primary and secondary servers, time to live settings, zone transfers, query lists, dynamic
updates, and Active Directory servers, and is organized in the following way:
Disabling Forwarding for a Zone on page 434
Specifying TTL Settings for a Zone on page 434
Changing the SOA Name for a Zone
Adding an E-mail Address to the SOA Record on page 435
Allowing Zone Transfers for a Zone on page 436
Allowing Query Access for a Zone on page 437
Supporting Active Directory on page 438
Disabling Forwarding for a Zone
You can disable forwarding for a zone, so that when a query requests data the NIOS appliance does not have, the
appliance does not forward the query to another name server. Instead, the appliance returns an error to the resolver
stating that the record does not exist.
To disable forwarding for a zone:
1. From the DNS perspective, click the Infoblox Views tab -> + (for Infoblox Views) -> + (for view ) -> + (for
Forward-Mapping) -> zone -> Edit -> Authoritative Zone Properties.
2. In the Settings section of the Authoritative Zone Properties editor, select the Disable Forwarding check box.
3. Click the Save icon and the Restart Services icon if it flashes.
Specifying TTL Settings for a Zone
TTL (time-to-live) is the time that a name server is allowed to cache data. After the TTL expires, the name server is
required to update the data. You can configure the TTL settings for a zone. Setting a high TTL reduces network traffic,
but also reduces the accuracy of your cached data. Conversely, setting a low TTL increases the accuracy of cached
data, but also increases the traffic on your network. There are five TTL settings; if you choose to configure one
setting, you must also provide values for the other settings.
To specify TTL settings for a zone:
1. From the DNS perspective, click + (for Infoblox Views) -> + (for view) -> + (for Forward-Mapping Zones,
IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> Edit -> Authoritative Zone Properties.
2. In the Settings section of the Authoritative Zone Properties editor, select the Override Grid Settings radio button.
3. Specify the following values:
Refresh every: This interval tells the secondary how often to send a message to the primary for a zone to
check that its data is current, and retrieve fresh data if it is not. The default is three hours.
Retry every: This interval tells the secondary how long to wait before attempting to recontact the primary
after a connection failure between the two occurs. The default is one hour.
Expire after: If the secondary fails to contact the primary for <expire> seconds, the secondary expires the
zone. This TTL setting defines the amount of time after which the secondary stops giving out answers about
the zone because the zone data is too old to be useful. The default is one week.
Default TTL: Time to Live interval that specifies how long data is cached in the grid secondary server.
Negative TTL: Time to Live interval that specifies how long data is cached for Does Not Respond
responses in the grid secondary server.
4. Click the Save icon, and the Restart Services icon if it flashes.
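The Refresh, Retry and Expire values above only make sense together, because they describe one schedule that a secondary follows after its last successful contact with the primary. The model below is an added illustration, not NIOS code: it uses the defaults the guide gives (refresh 3 hours, retry 1 hour, expire 1 week) to show when a secondary checks in, how the retry interval governs its behaviour while the primary is unreachable, and when it stops answering for the zone. The Default TTL and Negative TTL settings are not modelled. The sanity checks at the end are the relationships a practitioner would verify before saving, not rules stated by the guide.

```python
# Added illustration, not NIOS code: how the Refresh / Retry / Expire values of
# the SOA drive a secondary server's behaviour. Times are in seconds.

HOUR = 3600
WEEK = 7 * 24 * HOUR

# Defaults as stated in the guide for this dialog.
DEFAULT_REFRESH = 3 * HOUR
DEFAULT_RETRY = 1 * HOUR
DEFAULT_EXPIRE = WEEK


def secondary_state(last_success, now, refresh=DEFAULT_REFRESH, expire=DEFAULT_EXPIRE):
    """Classify a secondary by the age of its last successful refresh.

    'current'    : within the refresh interval, no contact needed yet
    'refreshing' : refresh interval passed; it keeps trying (every retry
                   seconds while the primary is unreachable) and still answers
    'expired'    : expire interval passed without success; it stops answering
                   for the zone because the data is too old to be useful
    """
    age = now - last_success
    if age < refresh:
        return "current"
    if age < expire:
        return "refreshing"
    return "expired"


def refresh_attempts(refresh=DEFAULT_REFRESH, retry=DEFAULT_RETRY, expire=DEFAULT_EXPIRE):
    """Offsets (seconds after the last good refresh) at which the secondary
    contacts the primary if every attempt fails, up to the moment the zone
    expires. The first attempt is at refresh, later ones every retry."""
    attempts = []
    t = refresh
    while t < expire:
        attempts.append(t)
        t += retry
    return attempts


def check_soa_timers(refresh, retry, expire):
    """Return warnings for timer relationships that defeat their own purpose."""
    warnings = []
    if retry > refresh:
        warnings.append("retry is longer than refresh: a failed check is "
                        "retried less often than a successful one is scheduled")
    if expire < refresh + retry:
        warnings.append("expire is shorter than refresh + retry: a single "
                        "missed refresh expires the zone before any retry")
    return warnings
```

With the stated defaults a secondary that loses contact with its primary keeps serving the zone for a week, during which it makes 165 attempts to reach the primary; shrinking Expire without also shrinking Refresh and Retry produces the second warning, and is the usual way a zone is accidentally configured to vanish from its secondaries after one outage.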
Changing the SOA Name for a Zone
If the primary name server of a zone is a grid member, the NIOS appliance allows you to change the SOA (start of
authority) name that is automatically created when you initially configure the zone. For example, you might want to
hide the primary server for a zone. If your appliance is named dns1.zone.tld and, for security reasons, you want to
show a secondary server called dns2.zone.tld as the primary server, go to the zone on dns1.zone.tld (the true
primary) and change the SOA to dns2.zone.tld to hide the identity of the real primary server.
To change the SOA name for a zone:
1. From the DNS perspective, click + (for Infoblox Views) -> + (for view) -> + (for Forward-Mapping Zones,
IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> Edit -> Authoritative Zone Properties.
2. In the Settings section of the Authoritative Zone Properties editor, select the Set primary for SOA check box, and
then enter the new SOA name in the text field to its right.
3. Click the Save icon, and the Restart Services icon if it flashes.
Setting the Serial Number in the SOA Record
The serial number in the SOA record incrementally changes every time the record is modified. This serial number
plays a key role in when and how zone data is updated via zone transfers. For example, if a secondary server has a
higher serial number than the primary server, zone transfers would come from the secondary, not the primary server.
The NIOS appliance allows you to change the serial number (in the SOA record) for the primary server so it is higher
than the secondary server's, thereby ensuring zone transfers come from the primary server (as they should).
You have the option of using administrative style serial numbers instead of a simple counter. To do this, create a serial
number like: yyyymmddxx (such as 2004101843) where yyyy is the year, mm is the month, dd is the day of the month,
and xx is the edit number (so, in the example, we have made 43 changes on 10/18/2004).
You can change the serial number in an SOA record only if the primary server of the zone is a grid member. To change
the serial number in an SOA record:
1. From the DNS perspective, click + (for Infoblox Views) -> + (for view) -> + (for Forward-Mapping Zones,
IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> Edit -> Authoritative Zone Properties.
2. In the Settings section of the Authoritative Zone Properties editor, select one of the following:
Click the Increment serial number by check box, and then enter an increment number in the text field to the
right.
Click the Set serial number check box, and then enter a serial number in the text field to the right.
3. Click the Save icon, and the Restart Services icon if it flashes.
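Whether a secondary pulls a zone is decided by comparing serials, and DNS compares them with 32-bit serial arithmetic (RFC 1982), not as plain integers. The example below is an added illustration, not NIOS code: it builds the yyyymmddxx administrative-style serial from the text (2004101843 is the guide's own example), implements the RFC 1982 comparison, models both dialog options (Increment serial number by and Set serial number), and shows the case the text warns about, a secondary whose serial is already higher than the primary's. The helper and function names are the example's own.

```python
from datetime import date

# Added illustration, not NIOS code: SOA serial numbers, the yyyymmddxx
# convention described above, and RFC 1982 serial arithmetic, which is how
# a secondary decides whether the primary's copy of the zone is newer.

SERIAL_SPACE = 1 << 32        # serials live in a 32-bit ring
HALF_SPACE = 1 << 31


def date_serial(day: date, edit: int) -> int:
    """Build a yyyymmddxx serial, e.g. date(2004, 10, 18), 43 -> 2004101843."""
    if not 0 <= edit <= 99:
        raise ValueError("only 100 edits per day fit in the xx field")
    return int(f"{day:%Y%m%d}{edit:02d}")


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: is serial a 'newer' than serial b in the 32-bit ring?

    Plain integer comparison breaks when a serial wraps past 2**32 - 1;
    serial arithmetic treats a value as newer if it is less than half the
    ring ahead of the other.
    """
    a %= SERIAL_SPACE
    b %= SERIAL_SPACE
    return a != b and ((a < b and b - a > HALF_SPACE) or (a > b and a - b < HALF_SPACE))


def increment_serial(serial: int, by: int = 1) -> int:
    """The 'Increment serial number by' option, wrapping at 2**32."""
    if not 1 <= by < HALF_SPACE:
        raise ValueError("increment must be positive and below 2**31")
    return (serial + by) % SERIAL_SPACE


def next_date_serial(current: int, today: date) -> int:
    """Next administrative-style serial that is still greater than current.

    Uses today's yyyymmdd00 when that is newer than the current serial;
    otherwise (same day, or current is already ahead) just increments.
    """
    candidate = date_serial(today, 0)
    return candidate if serial_gt(candidate, current) else increment_serial(current)


def secondary_accepts_transfer(primary_serial: int, secondary_serial: int) -> bool:
    """A secondary only pulls the zone when the primary's serial is newer."""
    return serial_gt(primary_serial, secondary_serial)


def serial_to_set(primary_serial: int, secondary_serial: int) -> int:
    """Value for the 'Set serial number' option that makes the primary newer
    than a secondary that has run ahead, leaving the primary unchanged if it
    is already newer."""
    if secondary_accepts_transfer(primary_serial, secondary_serial):
        return primary_serial
    return increment_serial(secondary_serial)
```

Two points the code makes explicit: a secondary with serial 2004101850 ignores a primary at 2004101843 until the primary's serial is set above 2004101850, and because of the ring arithmetic a serial cannot be made "newer" by jumping more than 2**31 ahead, so large corrections must be done in steps.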
Adding an E-mail Address to the SOA Record
If the primary name server of a zone is a grid member, you can add an administrator e-mail address to the SOA record
to help people determine who to contact about this zone.
To add an e-mail address for an SOA record at the grid level:
1. From the DNS perspective, click the DNS Members tab -> grid -> Edit -> Grid DNS Properties.
2. In the General section of the Grid DNS Properties editor, enter the e-mail address in the E-mail Address (for SOA
RNAME field) field.
3. Click the Save icon, and the Restart Services icon if it flashes.
To add an e-mail address to an SOA record of a zone:
1. From the DNS perspective, click + (for Infoblox Views) -> + (for view) -> + (for Forward-Mapping Zones,
IPv4 Reverse-Mapping Zones, or IPv6 Reverse-Mapping Zones) -> zone -> Edit -> Authoritative Zone Properties.
2. In the Settings section of the Authoritative Zone Properties editor, click the Override e-mail address check box,
and then enter an e-mail address in the E-mail Address text field.
3. Click the Save icon, and the Restart Services icon if it flashes.
Allowing Zone Transfers for a Zone
By default, the NIOS appliance automatically performs zone transfers within a grid. However, you can configure the
appliance to allow zone transfers to an external DNS name server. Zones within a grid automatically receive updated
zone data via database replication that occurs over a secure SSL-based VPN.
Traditional zone transfers are only necessary when deploying appliances with standard name servers, or devices that
are outside of the grid, such as an external primary server or external secondary servers. This section only applies to
external DNS servers that are not grid members.
The NIOS appliance allows the use of standards-based TSIG keys, which use the one-way hash function MD5 to secure
transfers between the primary and secondary name servers. Zones can override globally configured TSIG keys.
Note: This TSIG function does not use GSS-TSIG (secure updates to Microsoft
Windows or Minicom on Linux) program already installed. This serial connection allows
you to use CLI (command line interface) commands to monitor and configure the Infoblox appliance. Note that the
monitoring and configuration options available through the CLI are limited.
Figure D.3 Cabling for Independent Infoblox Appliance Configuration
[Figure D.3 diagram labels: Power Connector, Power Switch, Management System, L2/L3 Switch, Serial Port, LAN Port, Ethernet Cable, Serial Cable, Internet]
HA Pair Appliance Cabling Using the LAN and HA Ports
Figure D.4 shows a pair of Infoblox-1000 or -1200 appliances configured to be an HA pair. To manage them through
the GUI, connect ethernet cables from the LAN and HA ports on both appliances to a local network switch. Also,
connect an ethernet cable from your management system to the same switch. In this example, the connection from
the management system would go through the same router as the DNS and DHCP service traffic provided by the HA
pair.
Note: Do not use a crossover cable to connect the two HA ports on the Infoblox appliances. This only works on
Infoblox appliances running the DNSone 2.X software, and completely disrupts network connectivity for an HA
pair running DNSone 3.X software or later.
In this example, the Infoblox appliances can be part of a grid, or not, and operate as a single entity like the single
appliance above. Both are capable of providing simultaneous DNS and DHCP services for your LAN. This example also
shows using the LAN port for the management, and not using the serial console or management (MGMT) port.
Figure D.4 Cabling for an HA Pair Configuration
Never disconnect the LAN and HA cables to force a failover between the HA nodes. Refer to Forcing an HA Failover on
page 263. Make sure each node uses a different static IP address in the same subnet.
[Figure D.4 diagram labels: Active Node, Passive Node, HA Port, LAN Port, L2/L3 Switch, Management System, Internet]
Cabling for the MGMT Port
The MGMT port can be used for:
Out-of-band appliance management
Grid communications
DNS services
For more information about these three options, refer to Using the MGMT Port on page 136.
Out-of-Band Management Cabling
Figure D.5 shows a single independent appliance. To manage a single independent appliance through its MGMT port,
connect an ethernet cable between the MGMT port and a private network switch. Next, connect an ethernet cable
between the LAN port and a local network switch. Connect the management system to the local network switch to log
in to the appliance and enable the MGMT port. After the MGMT port is enabled, then connect the management system
to the private switch. A crossover cable can be used to connect the management system directly to the appliance.
In this example, the appliance management traffic goes through the MGMT port, while DNS and DHCP services go
through the LAN port.
Figure D.5 Cabling an Independent Infoblox-1000 or -1200 Appliance for Out-of-Band Management
Figure D.6 on page 728 shows an HA pair deployed as either an independent HA pair or an HA grid master. To manage
the active node through the MGMT port, connect ethernet cables between the MGMT port and a private network switch.
Connect the management system to a local network switch. Connect ethernet cables between the LAN and HA ports
and a local network switch. After the MGMT port is enabled, connect the management system to the private switch.
In this example, the Infoblox appliances are not accessible on the local network and communicate across a private
network. Both independent and grid HA pairs are capable of providing simultaneous DNS and DHCP services on the
LAN and HA ports. If the HA pair is a grid master, it communicates with grid members through the LAN and HA ports.
[Figure D.5 diagram labels: Management System, L2/L3 Switch (local and private), MGMT Port, LAN Port, Ethernet Cable, Crossover Cable, Internet]
Figure D.6 Cabling an Independent HA Pair for Out-of-Band Management
Grid Services Management Cabling
Figure D.7 shows a single Infoblox-1000 or -1200 appliance deployed as a grid member. To route grid services
through the MGMT port, connect ethernet cables between the MGMT port on the grid member and a private network
switch. Connect the management system to this same private switch. Connect ethernet cables between the LAN and
HA ports on the grid master to the private switch.
In this example, the single grid member is capable of providing simultaneous DNS and DHCP services on the LAN
port, but the grid services traffic goes through the MGMT port. If the HA pair grid master is using the out-of-band
function, there should be a router and another switch between the grid master and the switch connected to the grid
member.
Figure D.7 Cabling for a Single Member using the MGMT Port for Grid Services
[Figure D.6 and D.7 diagram labels: Management System, L2/L3 Switch, MGMT Port, LAN/HA Ports, LAN Port, HA Port, Active Node, Passive Node, HA Master, Single Member, Internet]
Figure D.8 shows an HA pair deployed as a grid member. To route grid services through the MGMT ports, connect
ethernet cables between the MGMT ports on the grid member and a private network switch. Connect the management
system to this same private switch. Connect ethernet cables between the LAN and HA ports on the grid master to the
private switch.
In this example, the HA pair grid member is capable of providing simultaneous DNS and DHCP services on the LAN
port, but the grid services traffic goes through the MGMT port. If the HA pair grid master is using the out-of-band
function, there should be a router and another switch between the grid master and the switch connected to the grid
member.
Figure D.8 Cabling for an HA Member Using Grid Communications
[Figure D.8 diagram labels: Management System, L2/L3 Switch, MGMT Port, LAN and HA Ports, LAN Port, HA Port, Active Node, Passive Node, HA Master, HA Member, Internet]
DNS Services Cabling
Figure D.9 shows a single Infoblox-1000 or -1200 appliance deployed as an independent server. To route DNS
services through the MGMT port, connect Ethernet cables between the MGMT port on the appliance and a private
network switch. Connect an Ethernet cable between the LAN port and a local network switch. Initially connect the
management system to this same local network switch. After you enable the MGMT port and DNS services, connect
the management system to the private switch.
In this example, DNS services go through the MGMT port, and all other protocol services go through the LAN port. By
default, a single appliance using the MGMT port for DNS services also uses out-of-band management on the MGMT
port.
Figure D.9 Cabling for an Independent Appliance Using its LAN Port for DNS and its MGMT Port for Management
Figure D.10 shows a single Infoblox-1000 or -1200 appliance deployed as a grid member. To route DNS services
through its MGMT port, connect Ethernet cables between the MGMT port on the appliance and a private network
switch. Connect the management system to this same private switch. Connect Ethernet cables between the LAN and
HA ports on the grid master to the private switch.
In this example, DNS services go through the MGMT port and other protocol services go through the LAN port.
Figure D.10 Cabling for a Single Member Using its LAN Port for DNS and its MGMT Port for Grid Communications
[Figure D.9 and Figure D.10 diagrams; labels: Management System, L2/L3 Switch, Internet, Single Independent (MGMT Port, LAN Port); Grid Master (Active Node, Passive Node, LAN Port, HA Port), Single Member (MGMT Port, LAN Port).]
Rack Mounting Information
Infoblox-1000 or -1200 appliances mount into a standard 19-inch (48 cm) equipment rack. The mounting brackets
required to mount the appliance are shipped with the product, and the bolts for attaching the mounting brackets are
screwed into the sides of the system. This product may require safety agency evaluation, certification, or licensing.
Ask your building inspector for requirements applicable to your location.
Chassis Warning
When operating the appliance in an equipment rack, take the following precautions:
Make sure the ambient temperature around the appliance (which may be higher than the room temperature) is
within the limit specified for the appliance.
Make sure there is sufficient airflow around the appliance.
Make sure electrical circuits are not overloaded; consider the nameplate ratings of all the connected equipment,
and make sure you have overcurrent protection.
Make sure the appliance is properly grounded.
Make sure no objects are placed on top of the appliance.
Rack Mounting and Safety
Read and factor these considerations before rack mounting your appliance.
English
WARNING: To prevent bodily injury when mounting or servicing this appliance in a rack, you must take special
precautions to ensure that the system remains stable. The following guidelines are provided to
ensure your safety.
This appliance should be mounted at the bottom of the rack if it is the only appliance in the rack.
When mounting this appliance in a partially filled rack, load the rack from the bottom to the top with the
heaviest component at the bottom of the rack.
If the rack is provided with stabilizing devices, install the stabilizers before mounting or servicing the
appliance in the rack.
French (translated)
WARNING: To avoid any bodily injury while mounting or servicing this unit in a rack, special precautions must
be taken to keep the system stable. The guidelines below are intended to protect personnel.
If this unit is the only unit mounted in the rack, it must be placed at the bottom.
If this unit is mounted in a partially filled rack, load the rack from the bottom up, placing the heaviest
item at the bottom.
If the rack is equipped with stabilizing devices, install the stabilizers before mounting or servicing the
unit in the rack.
German (translated)
WARNING: To avoid bodily injury when mounting or servicing this unit in a rack, you must take special
precautions to ensure that the system remains stable. The following guidelines are intended to ensure
your safety.
If this unit is the only one in the rack, it should be mounted at the bottom of the rack.
When mounting this unit in a partially filled rack, load the rack from the bottom up, with the heaviest
component mounted at the bottom of the rack.
If the rack is supplied with stabilizing accessories, install the stabilizers first, before mounting or
servicing the unit in the rack.
Hardware Platform Specifications and Requirements
This section lists the hardware platform specifications and requirements for the Infoblox-500, -1000, -1010 (DC), and
-1200. For hardware information for other Infoblox platforms, refer to the user guide that ships with the product.
System Specifications
Form Factor: 1U rack mountable appliance
Dimensions: 1.75 in. H x 17.25 in. W x 15 in. D (4.45 cm H x 43.82 cm W x 38.1 cm D)
Weight: Approximately 13 pounds
Ethernet Ports:
MGMT: 10/100Base-T
LAN: 10/100/1000Base-T
HA: 10/100/1000Base-T
Console Port: DB9 serial, 9600 baud, 8 data bits, no parity, 1 stop bit (9600/8N1), XON/XOFF flow control
LCD Panel: Liquid Crystal Display (LCD) with input buttons
Caution: There is a risk of explosion if you replace the CR2032 lithium cell 3V battery on the motherboard with an
incorrect type. Dispose of used batteries according to regional requirements.
Environmental Specifications
The environmental specifications are as follows:
Operating Temperature: 41 to 95 degrees F (5 to 35 degrees C)
Storage Temperature: -40 to 122 degrees F (-40 to 50 degrees C)
Relative Humidity: 5% to 95%, relative humidity (non-condensing)
AC Electrical Power Specifications
The AC electrical power specifications are as follows:
Input Voltage: 100-240 VAC switchable, 47-63 Hz, 3 A
Output Power: 250 watts
DC Electrical Power Specifications
The DC electrical power specifications are as follows:
Input Voltage: 40-60 VDC, 9 A
Output Power: 250 watts
For installation in a restricted access location only. The protection circuit for the DC system should have a 10-15 A
circuit breaker.
Index
A
A records
adding 394
adding to shared record groups 417
AAAA records
adding 395
adding to shared record groups 417
Active Directory
authenticating admins 110
configuring for NAC Foundation 594
configuring support for 438-446
importing users from 620
user class assignments 588
admin groups 67-108
ALL USERS group 69
configuring on RADIUS server 108
defining permissions 74
limited-access 69, 70
superusers 69
admins
authenticating 101
authenticating using RADIUS 104
defining admin policy 112
notifying 113
password length 113
using Active Directory to authenticate 110
anycast 452
API
introduction 665
migrating data 264
audit log
configuring 170
IPAM device types 560
sending to syslog 166
B
backup file
creating and restoring 222
BOOTP
DHCP option filters 505
specifying parameters 492
bulk host records 389
admin permissions 87
C
cache
clearing on a Linux computer 42
DNS 447
managing settings 46
software version 44
captive portal
configuring 590
capture traffic 173
certificates
default of the appliance 39, 44
EAP certificate signing request 626
for admin authentication 111
generating a certificate signing request 49
generating self-signed 48
importing 49
LDAP server 625
manage during login 45
on grid connector and appliance 621
RADIUS authentication 626
self-signed EAP 626
uploading and downloading 627
CNAME records 400
connecting to a NIOS appliance 38
customizing columns 54
D
Data Import Wizard
migrating data 264
DDNS 537-556
configuring DHCP 541-548
configuring DNS 552-554
TSIG 555
verification 549
delegated zones 365
detailed status 160
NTP status icons 118
viewing 160
device status 160
DHCP
configuration checklist 487
defining admin permissions 90
enabling 489
general properties 488
lease times 491
monitoring address usage 567
NAC Foundation module 583
viewing configuration file 517
viewing lease details 574
DHCP client identifiers 467
DHCP failover
assigning to DHCP range 469
configuring 514
DHCP filters 499-513
DHCP lease history
defining admin permissions 97
enabling 498
importing and exporting 579
maximum capacity 579
viewing 574
DHCP option filters 505
DHCP options
configuring 494
option 12 542
option 15 542
option 60 495
option 61 467
option 81 545
DHCP ranges
applying MAC address filters 504
applying option filters 506
applying relay agent filters 513
assigning device types 560
configuring 469
defining admin permissions 91, 94
NAC Foundation module 587
permission to assign members 82
permission to create from template 95
using templates 473
DHCP statistics 571
DHCP templates
assigning device types 561
configuring 470-480
defining admin permissions 95
distribution
NIOS software 265
DMAPI 665
DNAME records 402
DNS
allow and deny queries 428
cache 447
configuration checklist 335
configuration file 447
defining admin permissions 83
enabling 433
forwarders 432
IPv6 347
logging categories 167
root name servers 430
setting TTL 424
sort lists 431
specifying DNS resolvers 147
updates for a zone 544
using MGMT port 142
zone statistics 447
DNS views 337-346
defining admin permissions 84
read-only permission 82, 91
DNSone
software package 30
documentation
content organization 20
related technical documents 24
style conventions 22
dynamic DNS
See DDNS
E
EAP-TLS 618
EAP-TTLS 618
Ethernet ports 132
expand networks 462
exporting data 60
F
fixed addresses
assigning device types 561
configuring 467
converting from dynamic lease 564
converting to reserved or host 566
defining admin permissions 91, 93
DNS updates 548
permission to create from template 95
using templates 476
forward zones 366
forwarders 432
FTP
backup file 222
configuring 609
uploading files 610
G
gateways
defined 30
global search 55
grid
configuring 267-309
defined 30
deployment scenario 33
DNS updates for DHCP 544
downgrading 220
multiple grid deployment 34, 35
NAT groups 271
promoting master candidate 309
removing a member 309
replacing a master 309
replication status 163
restart services 156
restricting access 129
upgrading software 313
VitalQIP 648
Grid Connector for Active Directory 620
Grid Manager 43-45
grid master
candidate defined 31
defined 31
promoting candidate 309
grid members
admin permission to assign to DHCP range 94
assigning RADIUS policy group 631
assigning to DHCP ranges 469
assigning to networks 461
configuring syslog 166
defined 31
defining admin permissions 82
DHCP lease history log 498
DHCP logging 576
modifying security settings 131
permissions 85
read-only permission 91
restart services 157
H
hardware and software requirements 38
high availability (HA) pair
configuring grid master 282
configuring independent 231
defined 30
deploying independent 245
deployment scenario 36
forcing failover 263
grid members 289
monitoring status 164
rebooting 151
upgrading software 265
Host Name Compliance Report
admin permissions 87
viewing 386
host names
defined 30
for DNS updates 547
restrictions 384
restrictions for shared record groups 414
host records
adding 387
admin permissions 87
bulk 389
converting from dynamic lease 566
converting to fixed addresses 566
host name restrictions 384
HTTP
configuring 608
redirecting to HTTPS 130
restricting access to appliance 129
uploading files 610
HTTPS
defined 47
I
ICMP echo requests
ping 490
icons
detailed status 160
device status 160
distribution and upgrade status 324
LCD 162
memory usage 162
replication 163
service status 160
import zone data 359
independent appliances
configuring 231
deployment scenario 32
HA pair, deployment scenario 36
upgrading software 265
Infoblox-1552
power supply status 162
Infoblox-2000 153
power supply status 162
RAID status 163
IP Address Management panel
admin permissions 91
IPAM
advanced find 578
classifying devices 558
classifying host records 388
DHCP lease event log 575
importing and exporting 579
lease event details 578
logging member 575
searching data 572
searching DHCP lease event log 577
viewing DHCP lease details 574
viewing IPAM data 571
watermarks 567-570
IPAM WinConnect
configuring 644
monitoring 646
IPv6
AAAA records 395
configuring DNS 347
DNS views 343
reverse-mapping zone 355
J
Java sandbox 40
Java Web Start
Java Application Cache Viewer 41
join networks 462
K
Keystone license 31
L
LAN address
defined 31
LCD
configure network settings 234
disabling 130
status 162
LDAP authentication
configuring 625
licenses
activating 149
Keystone 31
managing 148
removing 149, 152
local admins 101
logging in
creating a banner 54
login options 45
using Java Web Start 39
using the Grid Manager 44
login banner 54
logs
audit log 170
DHCP 575
DHCP and DNS data 262
DHCP logs 498
RADIUS accounting log 634
replication 172
syslog 165
traffic capture 173
loopback interface
captive portal IP address 590
configuring IP addresses 450
M
MAC address filters
admin permission to apply to DHCP range 94
configuring 503-505
defining admin permissions 96
using in NAC Foundation module 583
memory usage status 162
MGMT port
IP address 31
monitoring status 162
RADIUS auth for admins 105
static routes 146
using 136
MIBs
SNMP 177
MTU
for VPN tunnels 308
MX records
adding 397
adding to shared record groups 418
N
name server groups 376-378
NAS
configuring 632
NAT
configuration example 241
NAT groups 271
Network discovery 519
configuring 525
managing discovered data 531
viewing discovered data 529
networks
configuring and managing 461
defining admin permissions 91
permission to assign members 82
permission to create from template 95
shared 466
using templates 471
viewing statistics 517
NIOS appliance 31
monitoring status 160
rebooting 151
resetting 151
restricting HTTP access 129
shutting down 151
NIOS GUI
cache settings 46
customizing columns 54
detailed status 160
exporting data 60
features 50
printing 56
setting page size 101
setting timeout 130
NIOS software
downgrading 220
reverting 221
upgrade a grid 313
upgrading 220
upgrading independent appliances 265
NIOS virtual appliance 31
nodes
defined 31
NTP
adding an authentication key 124
appliance as client 122
appliance as NTP server 125
authenticating 120
monitoring status 118, 161
using for appliances 119
O
online help 52
OSPF
configuring 454
P
PAP 618
passwords
default 25
length for admins 113
PEAP 618
Perl 666
permissions
defining for AAA 98
defining for admin groups 74
defining for DHCP 90
defining for DNS 83
defining for TFTP, HTTP, and FTP services 100
for grid members 82
perspectives
customizing 53
defined 51
ports
Ethernet and service ports 132-135
MGMT 136
primary servers
configuring 349
name server group 376
stealth 350
printing from NIOS GUI 56
PTR records
adding 396
PXE lease time
configuring 491
R
RADIUS
adding local users 620
authenticating admins 104
authentication methods 618
configuring 633
configuring authentication server 596
configuring policy rules 630
enable accounting 634
policy groups 631
proxy services 635-642
specifying attributes 630
using policies 628
view configuration file 640
RAID
Infoblox-2000 153
monitoring status 163
rebooting 151
recycle bin
DNS 382
in the grid 310
restoring data 363
restoring DHCP objects 481
regular expressions 693
relay agent filters 511
remote admins
authenticating 102
authenticating using Active Directory 110
authenticating using RADIUS 104
creating admin groups for 112
remote console access
enabling and disabling 128
replication status 163
viewing 163, 172
resource records
adding 394
adding to shared record groups 417
bulk host records 389
defining permissions 85, 87
host records 387
shared record groups 393
specifying TTL 407
restart services 156
restore objects 311
RFC 2317 355
root name servers 430
root zone 358
S
search
global 55
secondary servers
configuring 350
forwarding updates 554
name server group 376
notifying external 425
self-service portal 593
service configuration
defined 31
service status 160
shared networks 466
defining admin permissions 91
shared record groups 393, 412
admin permissions 88
shutting down 151
SNMP 175-218
configuring 217
enable threshold crossing event trap 569
Infoblox MIBs 177
VitalQIP 661
SOA records
stub zone 373
zone settings 435
software and hardware requirements 38
software distribution 315
monitoring 324
SPF records 399
split networks 462
SRV records 398
adding to shared record groups 418
SSH
remote console access 128
restrict access to MGMT port 140
SSL
certificates 47-49
for admin authentication 111
LDAP authentication 625
overview 47
tunnel 39, 44
Startup Wizard
HA grid master 282
independent appliance 236
independent HA pair 247
single grid master 285
static routes
configuring 144
stub zones 368
subzones 356
syslog 165-169
system time
monitoring 118
setting date and time 117
T
technical support 25
download support bundle 227
enabling and disabling access 128
restrict access to MGMT port 140
TFTP
backup file 222
configuring 607
uploading files 610
time zone
distribution schedule 316
for grid and members 117
setting for local admins 101
upgrade schedule 320
timeout, setting 130
traffic capture tool 173
TSIG
DDNS updates 555
zone transfers 427
TTL
setting for DNS 424
setting for zones 434
TTL for resource records 407
TXT records 399
adding to shared record groups 419
U
upgrade groups
creating and managing 314
upgrade status 324
upgrade test 319
upgrading a grid 313
user class filters 510
user name 25
V
variables 22
views
See DNS views
VIP
defined 31
virtual router ID
defined 31
VitalQIP
enabling on a grid 653
monitoring 660
overview 648
uploading files 651
user exit files 652
W
WinConnect
See IPAM WinConnect
Z
zones
configuring authoritative 353
configuring parameters 434
defined 31
defining admin permissions 84, 85
delegated 365
enabling transfers 426
forward 366
importing data 242, 359
locking and unlocking 379
modifying 380
name server groups 378
read/write permission 82
removing 380
restoring data 363
root zone 358
shared record groups 393, 415
statistics 447
stub 368
subzones 356
transfers 362, 436