
BIG-IP Global Traffic Manager: Implementations

version 10.2
MAN-0317-00

Product Version
This manual applies to product version 10.2 of the BIG-IP Global Traffic Manager.

Publication Date
This manual was published on October 25, 2011.

Legal Notices
Copyright
Copyright 2011, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks
3DNS, Access Policy Manager, Acopia, Acopia Networks, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, Cloud Extender, CloudFucious, CMP, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, EM, Enterprise Manager, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iApps, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, IT agility. Your way., L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Module, MSM, Netcelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, Real Traffic Policy Builder, ScaleN, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, TrafficShield, Transparent Data Reduction, VIPRION, vCMP, WA, WAN Optimization Manager, WANJet, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent. All other product and company names herein may be trademarks of their respective owners.

Patents
This product may be protected by U.S. Patents 6,374,300; 6,473,802; 6,970,733; 7,047,301; 7,707,289. This list is believed to be current as of October 25, 2011.

Export Regulation Notice


This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.

BIG-IP Global Traffic ManagerTM: Implementations

Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance


This Class A digital apparatus complies with Canadian ICES-003.

Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.

Acknowledgments
This product includes software developed by Gabriel Fort. This product includes software developed by Bill Paul. This product includes software developed by Jonathan Stone. This product includes software developed by Manuel Bouyer. This product includes software developed by Paul Richards. This product includes software developed by the NetBSD Foundation, Inc. and its contributors. This product includes software developed by the Politecnico di Torino, and its contributors. This product includes software developed by the Swedish Institute of Computer Science and its contributors. This product includes software developed by the University of California, Berkeley and its contributors. This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory. This product includes software developed by Christopher G. Demetriou for the NetBSD Project. This product includes software developed by Adam Glass. This product includes software developed by Christian E. Hopps. This product includes software developed by Dean Huxley. This product includes software developed by John Kohl. This product includes software developed by Paul Kranenburg. This product includes software developed by Terrence R. Lambert. This product includes software developed by Philip A. Nelson. This product includes software developed by Herb Peyerl. This product includes software developed by Jochen Pohl for the NetBSD Project. This product includes software developed by Chris Provenzano. This product includes software developed by Theo de Raadt. This product includes software developed by David Muir Sharnoff. This product includes software developed by SigmaSoft, Th. Lockert. This product includes software developed for the NetBSD Project by Jason R. Thorpe. This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com. This product includes software developed for the NetBSD Project by Frank Van der Linden. 
This product includes software developed for the NetBSD Project by John M. Vinopal. This product includes software developed by Christos Zoulas. This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman. In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with "386BSD" and similar operating systems. "Similar operating systems" includes mainly non-profit oriented systems for research and education, including but not restricted to "NetBSD," "FreeBSD," "Mach" (by CMU). This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/). This product includes software licensed from Richard H. Porter under the GNU Library General Public License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.


This product includes the standard version of Perl software licensed under the Perl Artistic License (© 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at http://www.perl.com. This product includes software developed by Jared Minch. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product contains software based on oprofile, which is protected under the GNU Public License. This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html) and licensed under the GNU General Public License. This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL). This product includes software developed by the Apache Software Foundation <http://www.apache.org/>. This product includes Hypersonic SQL. This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others. This product includes software developed by the Internet Software Consortium. This product includes software developed by Nominum, Inc. (http://www.nominum.com). This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License. This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation. This product includes the GeoPoint Database developed by Quova, Inc. and its contributors. This product includes software developed by Balazs Scheidler <bazsi@balabit.hu>, which is protected under the GNU Public License. This product includes software developed by NLnet Labs and its contributors.
This product includes software written by Steffen Beyer and licensed under the Perl Artistic License and the GPL. This product includes software written by Makamaka Hannyaharamitu 2007-2008.


Table of Contents

1 Introducing Implementations for the Global Traffic Manager
    Introducing the Global Traffic Manager ..... 1-1
    Introducing implementations ..... 1-2

2 Delegating DNS Traffic to Wide IPs
    Working with the Global Traffic Manager and DNS traffic ..... 2-1
    Delegating DNS traffic to wide IPs ..... 2-2
        Modifying the existing DNS server ..... 2-2
        Configuring a listener ..... 2-3

3 Replacing a DNS Server with the Global Traffic Manager
    Working with the Global Traffic Manager and DNS traffic ..... 3-1
    Replacing a DNS server with the Global Traffic Manager ..... 3-2
        Configuring the DNS server for zone transfers ..... 3-3
        Creating a hint zone ..... 3-3
        Acquiring zone files ..... 3-4
        Designating the Global Traffic Manager as the primary DNS server ..... 3-5
        Configuring a listener ..... 3-5

4 Securing Your DNS Infrastructure
    Introducing DNSSEC compliance ..... 4-1
    Configuring DNSSEC compliance ..... 4-3
        Adding a Global Traffic Manager system to a network that contains other BIG-IP systems ..... 4-4
        Adding an additional Global Traffic Manager system to a network ..... 4-8
        Configuring DNSSEC keys and zones ..... 4-10

5 Load Balancing Non-Wide IP Traffic to a Pool of DNS Servers
    About using the Global Traffic Manager as a load balancer in front of a pool of DNS servers ..... 5-1
    Creating a pool of DNS servers ..... 5-2
    Creating a listener ..... 5-3

6 Sending Traffic Through the Global Traffic Manager
    Working with the Global Traffic Manager as a router or forwarder ..... 6-1
    Forwarding traffic through the Global Traffic Manager ..... 6-2
        Placing the Global Traffic Manager to forward traffic ..... 6-2
        Configuring a VLAN group ..... 6-3
        Forwarding traffic to a DNS server ..... 6-3
    Routing traffic through the Global Traffic Manager ..... 6-4
        Placing the Global Traffic Manager to route traffic ..... 6-5
        Routing traffic to a DNS server ..... 6-5

7 Ensuring Correct Synchronization When Adding a New Global Traffic Manager
    Understanding synchronization in the Global Traffic Manager ..... 7-1
    Adding a new Global Traffic Manager to a synchronization group safely ..... 7-2
        Adding the Global Traffic Manager ..... 7-3
        Enabling synchronization ..... 7-4
        Running the gtm_add script ..... 7-4
        Running the bigip_add script ..... 7-5

8 Integrating the Global Traffic Manager with BIG-IP Systems
    Understanding the interactions between BIG-IP systems ..... 8-1
    Integrating the Global Traffic Manager with other BIG-IP systems ..... 8-3
        Defining a data center ..... 8-4
        Defining the Global Traffic Manager ..... 8-4
        Adding BIG-IP systems ..... 8-5
        Running the big3d_install script ..... 8-6

9 Setting Up a Global Traffic Manager Redundant System Configuration
    Understanding Global Traffic Manager redundant system configurations ..... 9-1
    Setting up a Global Traffic Manager redundant system configuration ..... 9-2
        Configuring the redundant system settings ..... 9-2
        Creating VLANs ..... 9-3
        Assigning self IP addresses ..... 9-3
        Creating a floating IP address ..... 9-4
        Configuring the high availability options ..... 9-5
        Defining an NTP server ..... 9-5
        Defining the default gateway route ..... 9-6
        Defining a listener ..... 9-6
        Running a config sync operation ..... 9-7
        Defining a data center ..... 9-7
        Defining the Global Traffic Manager systems ..... 9-8
        Enabling synchronization ..... 9-9
        Running the gtm_add script ..... 9-9

10 Authenticating with SSL Certificates Signed by a Third Party
    Understanding SSL authentication ..... 10-1
    Understanding BIG-IP system certificate authentication ..... 10-2
    Configuring a level one SSL authentication for a Global Traffic Manager ..... 10-3
        Importing the root certificate for the gtmd agent ..... 10-3
        Setting the certificate depth for the gtmd agent ..... 10-4
        Importing the root certificate for the big3d agent on the Global Traffic Manager ..... 10-5
        Setting the Big3d.CertificateDepth variable for the Global Traffic Manager ..... 10-5
        Importing the device certificate signed by the CA server onto the Global Traffic Manager ..... 10-5
        Verifying the certificate exchange ..... 10-6
    Configuring a certificate chain for a Global Traffic Manager system ..... 10-7
        Importing a certificate chain for the gtmd agent ..... 10-8
        Setting the certificate depth for the gtmd agent ..... 10-9
        Setting the Big3d.CertificateDepth variable ..... 10-9
        Importing the certificate chain for the big3d agent ..... 10-9
        Importing a device certificate ..... 10-10
        Verifying the certificate chain exchange ..... 10-11
    Configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager ..... 10-12
        Setting certificate depth for the big3d agent on the Local Traffic Manager ..... 10-13
        Replacing the self-signed certificate for the big3d agent on the Local Traffic Manager ..... 10-13
        Importing a device certificate onto the Local Traffic Manager ..... 10-15

11 Monitoring Third-Party Servers with SNMP
    Overview of SNMP ..... 11-1
    Assigning the SNMP monitor to a third-party server ..... 11-1
        Adding the server ..... 11-1
        Adding a virtual server ..... 11-2
        Creating an SNMP monitor ..... 11-3
        Assigning the monitor ..... 11-3

12 Using tmsh to Set Up Implementations
    Using tmsh for different implementations ..... 12-1
    Setting up a stand-alone system ..... 12-2
        Provisioning the system ..... 12-3
        Configuring the global settings ..... 12-4
        Creating a data center ..... 12-4
        Defining a server ..... 12-5
        Creating virtual servers to host the site content ..... 12-6
        Creating a pool ..... 12-7
        Creating a wide IP ..... 12-8
        Creating a listener ..... 12-9
    Adding a system to a network that contains Local Traffic Manager systems ..... 12-10
        Provisioning the system ..... 12-11
        Creating a data center ..... 12-12
        Defining a server for the system ..... 12-13
        Defining servers for the Local Traffic Manager systems ..... 12-14
        Running the bigip_add or big3d_install utility ..... 12-15
        Creating a listener ..... 12-16
    Adding a system to a network that contains other Global Traffic Manager systems ..... 12-17
        Provisioning the new system ..... 12-18
        Creating a data center on an existing system ..... 12-19
        Defining a server for the new system on an existing system ..... 12-20
        Adding a synchronization group to an existing system ..... 12-21
        Running the gtm_add utility ..... 12-21
        Creating a listener ..... 12-22

Glossary

Index

1
Introducing Implementations for the Global Traffic Manager

Introducing the Global Traffic Manager


The BIG-IP Global Traffic Manager is a system that monitors the availability and performance of global resources and uses that information to manage network traffic patterns. The Global Traffic Manager uses load balancing algorithms, topology-based routing, and iRules to control and distribute traffic according to specific policies. The Global Traffic Manager provides a variety of features that meet special needs. For example, with this product you can:

• Ensure wide-area persistence by maintaining a mapping between a local DNS server and a virtual server in a wide IP pool
• Direct local clients to local servers for globally-distributed sites using Topology load balancing
• Change the load balancing configuration according to current traffic patterns or time of day
• Customize load balancing modes
• Set up global load balancing among Local Traffic Manager systems and other load-balancing hosts
• Monitor real-time network conditions
• Configure a content delivery network with a CDN provider
• Guarantee multiple port availability for e-commerce sites


Introducing implementations
This guide is designed to help you accomplish specific configuration tasks associated with the Global Traffic Manager. Each chapter focuses on a specific implementation, providing an overview of the situation and a detailed example of how to configure the system to accomplish the objectives outlined in the implementation. The tasks outlined in each chapter are designed so that you can quickly apply them to your own network.

Getting started
The Global Traffic Manager runs on the Traffic Management Operating System, commonly referred to as TMOS. Before you begin configuring an implementation, F5 Networks recommends that you familiarize yourself with these additional resources:

• BIG-IP Systems: Getting Started Guide
  This guide provides detailed information about licensing and provisioning the BIG-IP system, as well as installing upgrades. The guide also provides a brief introduction to the features of the BIG-IP system and the tools for configuring the system.
• TMOS Management Guide for BIG-IP Systems
  This guide contains any information you need to configure and maintain the network and system-related components of the BIG-IP system, such as routes, VLANs, and user accounts.
• Configuration Guide for BIG-IP Global Traffic Manager
  This guide contains any information you need for configuring specific features of the BIG-IP system to manage global network traffic.
• Traffic Management Shell (tmsh) Reference Guide
  This guide contains information about using the Traffic Management Shell (tmsh) commands to manage the BIG-IP systems.

F5 Networks recommends that you then run the Setup utility to configure basic network elements such as self IP addresses, interfaces, and VLANs. After running the Setup utility, you can use this guide to configure specific implementations. For information on running the Setup utility, see the BIG-IP Systems: Getting Started Guide.


2
Delegating DNS Traffic to Wide IPs

Working with the Global Traffic Manager and DNS traffic


The primary purposes of the BIG-IP Global Traffic Manager are to help you manage incoming wide IP traffic, and load balance that traffic to the appropriate network resources. However, wide IP traffic is only part of the overall DNS traffic a network must handle. Consequently, typical installations of the Global Traffic Manager involve configuring the system to work in conjunction with existing DNS servers already on the network. F5 Networks recommends that you configure your DNS server to delegate wide IP-related requests to the Global Traffic Manager for name resolution.

Figure 2.1 Example of the flow of traffic for a Global Traffic Manager with an existing DNS server

To control how the Global Traffic Manager responds to DNS requests, you must configure a listener. A listener is a specialized resource to which you assign a specific IP address and that uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the Global Traffic Manager, allowing it to handle the traffic locally or forward the traffic to the appropriate resource. In this implementation, you create a listener that corresponds to the self IP address of the Global Traffic Manager.

Note

This implementation also contains recommendations for modifying the files on your existing DNS server. However, detailing how to implement these modifications is beyond the scope of this implementation. If you are unfamiliar with how to modify the files on your DNS server, F5 Networks recommends that you review the 5th edition of DNS and BIND, available from O'Reilly.

Delegating DNS traffic to wide IPs


This implementation describes the tasks necessary to integrate a Global Traffic Manager with an existing DNS server. This implementation focuses on the fictional company SiteRequest. SiteRequest recently purchased a Global Traffic Manager to help load balance traffic across two of its web-based applications: store.siterequest.com and checkout.siterequest.com. These applications are delegated zones of www.siterequest.com, which an existing DNS server manages. The team at SiteRequest has already configured the Global Traffic Manager with two wide IPs, store.wip.siterequest.com and checkout.wip.siterequest.com, which correspond to the two web applications.

Modifying the existing DNS server


In order for the Global Traffic Manager to manage the web applications of store.siterequest.com and checkout.siterequest.com, you must create the delegated zone on the existing DNS server. Creating a delegated zone typically involves the following tasks:

• Create an A record (address record) that defines the domain name and IP address of the Global Traffic Manager.
• Create an NS record (nameserver record) that defines the delegated zone for which the Global Traffic Manager is responsible.
• Create CNAME records (canonical name records) for each web application, which forward requests for store.siterequest.com and checkout.siterequest.com to the wide IP addresses of store.wip.siterequest.com and checkout.wip.siterequest.com, respectively.


Again, if you are unfamiliar with how to create these zones, F5 Networks recommends that you review the 5th edition of DNS and BIND, available from O'Reilly.
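The three record types described above, written as a fragment of the siterequest.com zone on the existing DNS server. This is an added example in BIND zone-file syntax, not taken from the manual; the host name gtm1 is an assumption, and 192.168.5.17 is the listener address used later in this chapter.

```zone
; Fragment of the siterequest.com zone on the existing DNS server
; (constructed example; gtm1 is an assumed host name for the Global Traffic Manager)
$ORIGIN siterequest.com.
$TTL 3600

; A record: domain name and IP address of the Global Traffic Manager.
; The address is the one the listener is configured on (192.168.5.17).
gtm1        IN  A      192.168.5.17

; NS record: delegate the wip.siterequest.com subdomain to the
; Global Traffic Manager. Every name under wip. is now answered there.
wip         IN  NS     gtm1.siterequest.com.

; CNAME records: map each web application name to its wide IP, so a
; query for store.siterequest.com is redirected into the delegated zone.
store       IN  CNAME  store.wip.siterequest.com.
checkout    IN  CNAME  checkout.wip.siterequest.com.
```

After reloading the zone, a query for store.siterequest.com sent to the existing server should return the CNAME together with the NS delegation for wip.siterequest.com; if the listener on 192.168.5.17 is not yet configured, resolvers will follow the delegation and time out, so create the listener before publishing these records.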

Configuring a listener
Now you set up a listener on the Global Traffic Manager. A listener is a specialized resource to which you assign a specific IP address and that uses port 53, the DNS query port. The Global Traffic Manager employs this listener to identify the DNS traffic for which it is responsible. For this example, the listener you create is the same as the self IP address of the Global Traffic Manager: 192.168.5.17.

To configure the listener


1. On the Main tab of the navigation pane, expand Global Traffic and then click Listeners.
2. Click Create.
3. In the Destination box, type the IP address on which the Global Traffic Manager listens for network traffic. In this example, type IP address 192.168.5.17.
4. From the VLAN Traffic list, select All VLANs.
5. Click Finished.

You now have an implementation of the Global Traffic Manager in which the existing DNS server manages DNS traffic unless the query is for store.siterequest.com or checkout.siterequest.com. When the DNS server receives these queries, it delegates them to the Global Traffic Manager, which then load balances them on the appropriate wide IPs.


3
Replacing a DNS Server with the Global Traffic Manager

Working with the Global Traffic Manager and DNS traffic


The primary purposes of the BIG-IP Global Traffic Manager are to help you manage incoming wide IP traffic, and load balance that traffic to the appropriate network resources. However, wide IP traffic is only part of the overall DNS traffic that a network must handle. You can also use the Global Traffic Manager as the authoritative nameserver for both wide IPs and all other DNS-related traffic. Typically, this requires that the Global Traffic Manager replace an existing DNS server on the network as shown in Figure 3.1.

Figure 3.1 Example of the flow of traffic when the Global Traffic Manager replaces an existing DNS server

To control how the Global Traffic Manager responds to DNS requests, you must configure a listener. A listener is a specialized resource to which you assign a specific IP address and that uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the Global Traffic Manager, allowing it to handle the traffic locally or forward the traffic to the appropriate resource.

In this implementation, you create a listener that corresponds to the self IP address of the Global Traffic Manager. Since the Global Traffic Manager replaces an existing DNS server, this self IP address must correspond with the IP address that denotes the authoritative nameserver for the appropriate domain.
Note

The tasks in this implementation are based on the assumption that you understand BIND and CNAME records. If you are unfamiliar with these topics, F5 Networks recommends that you review the 5th edition of DNS and BIND, available from O'Reilly.

Replacing a DNS server with the Global Traffic Manager


This implementation describes the tasks necessary to replace an existing DNS server with the Global Traffic Manager. In this example, the existing DNS server has an IP address of 192.168.5.73, while the Global Traffic Manager has an IP address of 192.168.10.105.

Once again, we use the fictional company SiteRequest. SiteRequest recently purchased a Global Traffic Manager to help load balance traffic across two of its web-based applications: store.siterequest.com and checkout.siterequest.com. These applications are subdomains of www.siterequest.com, which an existing DNS server manages. SiteRequest has decided to replace its existing DNS server with the Global Traffic Manager. Earlier, SiteRequest configured the wide IPs that it needs on the system; the final task is to make the Global Traffic Manager the authoritative nameserver for these domains.

The tasks you must complete to replace a DNS server with the Global Traffic Manager are:
• Configure the DNS server for zone transfers.
• Create a hint zone.
• Enable recursive queries.
• Acquire zone files.
• Designate the Global Traffic Manager as the primary DNS server.
• Configure a listener.

Configuring the DNS server for zone transfers


Before you configure the Global Traffic Manager to replace the existing DNS server, you need to configure the DNS server to allow zone file transfers to the Global Traffic Manager. You can enable this authorization through the use of an allow-transfer statement that specifies the IP address of the Global Traffic Manager: 192.168.10.105. Refer to your BIND documentation for more information on how to implement an allow-transfer statement.

Creating a hint zone


Another task you must complete before the Global Traffic Manager becomes the primary DNS server is to create a hint zone. Hint zones designate a subset of the root nameservers list. When the local nameserver starts (or restarts), the nameserver queries the root servers in the hint zone for the most current list of root servers.

To create a hint zone


1. On the Main tab of the navigation pane, expand Global Traffic and then click ZoneRunner.
2. On the menu bar, click Zone List.
3. Click Create.
4. From the View Name list, select external. The external view is a default view to which you can assign different zones.
5. In the Zone Name box, type the name you want to use for the zone file. For this example, type Root.
6. From the Zone Type list, select Hint.
7. Click Finished.

Acquiring zone files


The next task you must complete before the Global Traffic Manager becomes the primary DNS server is to acquire the siterequest.com zone files from the existing DNS server. You acquire these zone files through the ZoneRunner utility.
Tip

This task requires that you have added an allow-transfer statement to the existing DNS server that authorizes zone transfers to the Global Traffic Manager.

To acquire zone files


1. On the Main tab of the navigation pane, expand Global Traffic and then click ZoneRunner.
2. On the menu bar, click Zone List.
3. Click Create.
4. From the View Name list, select external.
   Note: The external view is a default view to which you can assign different zones.
5. In the Zone Name box, type the name of the zone file. F5 Networks recommends that you use the following format to name zone files: db.<viewname>.<zonename>.
   Note: You must include a trailing dot in the zone name. For this example, type the following:
   db.external.siterequest.com.
6. From the Zone Type list, select Master.
7. From the Records Creation Method list, select Transfer from Server.
8. In the Zone File Name box, type the zone file name. For this example, type db.external.siterequest.com.
9. In the Source Server box, type the IP address of the existing DNS server. For this example, type 192.168.5.73.
10. Click Finished.

Designating the Global Traffic Manager as the primary DNS server


At this point, you have configured the Global Traffic Manager as the primary DNS server for the siterequest.com zone. You must now either change the existing DNS server to become a secondary DNS server to the Global Traffic Manager, or remove it from your network.
Note

If you are unfamiliar with how to change a DNS server from a primary DNS server to a secondary DNS server, refer to the 5th edition of DNS and BIND, available from O'Reilly.

Configuring a listener
The final task requires you to set up a listener on the Global Traffic Manager. The Global Traffic Manager employs this listener to identify the DNS traffic for which it is responsible. In this implementation, the listener you create is the same as the self IP address of the Global Traffic Manager: 192.168.5.73.

To configure the listener


1. On the Main tab of the navigation pane, expand Global Traffic and then click Listeners.
2. Click Create.
3. In the Destination box, type the IP address on which the Global Traffic Manager listens for network traffic. For this example, type the IP address 192.168.5.73.
4. From the VLAN Traffic list, select All VLANs.
5. Click Finished.

You now have an implementation of the Global Traffic Manager that is also the authoritative nameserver for siterequest.com. This system handles any incoming DNS traffic, whether destined for a wide IP or another node of siterequest.com.

4
Securing Your DNS Infrastructure

Introducing DNSSEC compliance


The Domain Name System Security Extensions (DNSSEC) is an industry-standard protocol that functions as an extension to the Domain Name System (DNS) protocol. The BIG-IP system uses DNSSEC to guarantee the authenticity of responses that a domain nameserver sends to a client and to return authenticated denial of existence responses. You can use the DNSSEC feature to protect your network infrastructure from DNS protocol and server attacks such as spoofing, ID hacking, cache poisoning, and denial of service. You can use the BIG-IP Global Traffic Manager system to manage incoming wide IP traffic, load balance that traffic to the appropriate network resources, and to serve as the authoritative nameserver for wide IPs and all other DNS-related traffic as shown in Figure 4.1. Additionally, you can use the system to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol.

Figure 4.1 Example of the flow of traffic when the Global Traffic Manager is a DNSSEC authoritative nameserver

This implementation covers the tasks necessary to configure a BIG-IP system to be DNSSEC-compliant. This implementation begins after you run the Setup utility and configure the network and system settings for the BIG-IP system that you are adding to the network.

The Setup utility guides you through licensing the product, assigning an IP address to the management port of the system, and configuring the passwords for the root and administrator accounts. While using the Setup utility, you also configure some of the basic network and system settings for the system, such as setting a self IP address and assigning the system to a VLAN. The network and system settings form the basis of a BIG-IP system configuration. Because these settings have a variety of applications, they are discussed in the TMOS Management Guide for BIG-IP Systems. F5 Networks highly recommends that you review this guide to ensure that you configure the basic network and system settings in a way that best fits the needs of your network and your DNS traffic.
Important

Only users with Administrator or Resource Administrator roles assigned to their user accounts on the BIG-IP system can perform these tasks.
Note

All examples in this document use only private class IP addresses. When you set up the configurations we describe, you must use valid IP addresses suitable to your own network in place of our sample addresses.

Configuring DNSSEC compliance


This implementation describes three different scenarios in which you want to secure your DNS infrastructure to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol.

The first scenario describes the tasks that you perform if you want to add a new Global Traffic Manager system to a network that contains other BIG-IP systems. To begin the tasks to configure this scenario, see Adding a Global Traffic Manager system to a network that contains other BIG-IP systems, on page 4-4. The second scenario describes the tasks that you perform if you want to add a new Global Traffic Manager system to a network that already contains a Global Traffic Manager system. To begin the tasks to configure this scenario, see Adding an additional Global Traffic Manager system to a network, on page 4-8.

In these two cases, after you perform the tasks necessary to add the new system to your network, you configure the DNSSEC keys and zones that the system uses to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol.

The third scenario describes the tasks that you perform if you are upgrading an existing Global Traffic Manager system, which is already set up and configured on the network, and you want to add DNSSEC signing of DNS responses. To begin the tasks to configure this scenario, see Configuring DNSSEC keys and zones, on page 4-10.

Adding a Global Traffic Manager system to a network that contains other BIG-IP systems
If you are adding a Global Traffic Manager system to a network that contains other BIG-IP systems, perform the following tasks.

Specifying a data center


When you are adding a Global Traffic Manager system to a network that contains other BIG-IP systems, the first task you must perform is to specify a data center on the Global Traffic Manager system.

To specify a data center


1. Expand Global Traffic and click Data Centers.
2. Click Create.
3. In the Name box, type a unique name to identify the data center. For example, type Secure Los Angeles.
4. In the Location box, type the location of the data center. For example, type Los Angeles.
5. In the Contact box, type the name of the system administrator or department that is responsible for managing the data center. For example, type DNSSEC Administrator.
6. Click Finished.

Defining a server
The next task that you perform to add a Global Traffic Manager system to a network that contains other BIG-IP systems is to define a server on the Global Traffic Manager system that you are adding to the network.

To define a server
1. Expand Global Traffic and click Servers.
2. Click Create.
3. In the Name box, type a unique name for the Global Traffic Manager system that you are currently configuring. For example, type DNSSEC server.
4. From the Product list, select your product type:
   • If the unit you are configuring is a single device, select BIG-IP System (Single).
   • If the unit you are configuring is a redundant system configuration, select BIG-IP System (Redundant).
5. For the Address List setting, in the Address box, type the self IP address that corresponds to an external VLAN on the system that you are currently configuring. Then click Add. For example, type 192.168.34.1.
6. From the Data Center list, select the name of the data center that you specified in Specifying a data center, on page 4-4. For example, select Secure Los Angeles.
7. Click Finished.

Defining a Network Time Protocol server


The next task that you perform is to synchronize the time setting on the Global Traffic Manager system with the other DNS servers in your network and on the internet. To do this, you define the Network Time Protocol (NTP) server that the system references. This server ensures that the system references the correct time when creating and removing DNSSEC data.

To define an NTP server


1. Expand System and click Configuration.
2. From the Device menu, choose NTP.
3. For the Time Server List setting, in the Address box, type the IP address of the NTP server. For example, type 192.168.5.15.
4. Click Add, and then click Update.

Creating a synchronization group


The next task that you perform is to create a synchronization group on the Global Traffic Manager system. BIG-IP systems that are in the same synchronization group exchange heartbeat messages and share probing responsibility. Synchronization ensures the rapid distribution of configuration settings to the other systems that belong to the same synchronization group.

To create a synchronization group


1. Expand System and then click Configuration.
2. From the Global Traffic menu, choose General.
3. In the Synchronization Group Name box, type a unique name for the group. For example, type DNSSEC.
4. Click Update.

BIG-IP Global Traffic ManagerTM: Implementations

4-5

Chapter 4

Activating synchronization
The next task that you perform to add a Global Traffic Manager system to a network that contains other BIG-IP systems is to activate synchronization on the Global Traffic Manager system. This turns on synchronization for the synchronization group you just created.

To activate synchronization
1. Expand System and then click Configuration.
2. From the Global Traffic menu, choose General.
3. Check the Synchronization box.
4. Click Update.

Running a utility to add the BIG-IP system to your network


The next task that you perform to add a Global Traffic Manager system to a network that contains other BIG-IP systems is to run a utility to add the Global Traffic Manager system to the network. Run one of the following utilities based on your network configuration:
• If all of the other BIG-IP systems on the network are running the same version of the big3d agent, run the bigip_add utility. Refer to To run the bigip_add utility, on page 4-6.
• If all of the other BIG-IP systems on the network are running an earlier version of the big3d agent, run the big3d_install utility. Refer to To run the big3d_install utility, on page 4-7.

To run the bigip_add utility


1. Log on to the command-line interface of the Global Traffic Manager system that you are configuring.
2. At the prompt, type the command bigip_add.
3. Press the Enter key. The utility exchanges the appropriate SSL certificates, and authorizes communications between the systems.
You can now go to the next task in this implementation, Creating listeners.

4-6

Securing Your DNS Infrastructure

To run the big3d_install utility


1. Log on to the command-line interface of the Global Traffic Manager system that you are configuring.
2. At the prompt, type one of the following commands:
   big3d_install
   big3d_install <IP addresses of existing BIG-IP systems>
3. Press the Enter key. The utility exchanges the appropriate SSL certificates, authorizes communications between the systems, and automatically updates the big3d agents on all the devices.
You can now go to the next task in this implementation, Creating listeners.

Creating listeners
The next task that you perform is to configure how the Global Traffic Manager system responds to DNS traffic. To do this, you create a listener. A listener is a specialized resource that is assigned a specific IP address and uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the system, allowing it to handle the traffic locally or forward the traffic to the appropriate resource. You configure a listener using the self IP address of the Global Traffic Manager system that you are configuring when you want the system to sign the responses that it handles. You can also configure the system to sign the responses from another DNS server on your network. To do this, you create a listener using the IP address of the DNS server.

To create a listener
1. Expand Global Traffic and click Listeners.
2. Click Create.
3. In the Destination box, type the IP address on which the Global Traffic Manager system listens for network traffic based on what you want the system to do:
   • If you are configuring the system to sign only wide IP responses, type the self IP address of the system that you are configuring.
   • If you are configuring the system as the authoritative nameserver for another DNS server on your network, type the IP address of the DNS server.
   For example, type 192.168.34.17, the self IP address of the Global Traffic Manager system that you are configuring.
4. From the VLAN Traffic list, select the VLAN or VLANs on which this system listens for DNS requests. For example, select VLAN external.
5. Click Finished.
6. To configure the system as the authoritative nameserver for another DNS server, repeat steps 1 - 5, but enter the IP address of the DNS server in the Destination box.

You are now ready to configure the DNSSEC feature. For more information, refer to Configuring DNSSEC keys and zones, on page 4-10.

Adding an additional Global Traffic Manager system to a network


If you are adding an additional Global Traffic Manager system to a network, perform the following tasks.

Creating a data center


The first task that you perform to add an additional Global Traffic Manager system to a network is to specify, on an existing Global Traffic Manager system, the data center in which the new Global Traffic Manager resides.

To create a data center


1. Expand Global Traffic and click Data Centers.
2. Click Create.
3. In the Name box, type a unique name to identify the data center. For example, type Secure Los Angeles.
4. In the Location box, type the location of the data center. For example, type Los Angeles.
5. In the Contact box, type the name of the system administrator or department that is responsible for managing the data center. For example, type DNSSEC Administrator.
6. Click Finished.

Adding the new Global Traffic Manager system to a synchronization group


The next task that you perform is to add the new system to a synchronization group. You perform this task on an existing Global Traffic Manager that is in the synchronization group to which you want to add the new Global Traffic Manager system.

To add the new system to a synchronization group


1. Expand Global Traffic and click Servers.
2. Click Create.
3. In the Name box, type the name of the Global Traffic Manager system that you are adding to the network. For example, type DNSSEC server.
4. From the Product list, select your product type:
   • If the new system is a single device, select BIG-IP System (Single).
   • If the new system is a redundant system configuration, select BIG-IP System (Redundant).
   For example, select BIG-IP System (Single).
5. For the Address List setting, in the Address box, type the self IP address that corresponds to an external VLAN on the new Global Traffic Manager system. Then click Add. For example, type 192.168.34.1.
6. From the Data Center list, select the name of the data center that you specified in Creating a data center, on page 4-8. For example, select Secure Los Angeles.
7. Click Finished.

Running the gtm_add utility


The next task that you perform is to run the gtm_add utility. You perform this task on the new Global Traffic Manager system that you are adding to the network.

To run the gtm_add utility


1. At the command prompt, type the following command:
   gtm_add <IP address of another Global Traffic Manager system in the synchronization group>
2. Based on your network configuration, respond to the prompts that display.
   Note: If your system has a FIPS hardware security module (HSM), the utility detects the card and prompts you for a series of responses.
The utility adds the new Global Traffic Manager system to the network.

Creating a listener
The last task to add an additional Global Traffic Manager system to a network is to configure a listener on the new system using the self IP address of the new system.

To create a listener
1. Expand Global Traffic and click Listeners.
2. Click Create.
3. In the Destination box, type the self IP address of the new Global Traffic Manager system. For example, type 192.168.34.17.
4. From the VLAN Traffic list, select the VLAN or VLANs on which this system listens for DNS requests. For example, select VLAN external.
5. Click Finished.

You are now ready to configure the DNSSEC feature on the new Global Traffic Manager system.

Configuring DNSSEC keys and zones


To configure DNSSEC compliance, you create DNSSEC key-signing and zone-signing keys, and then assign those keys to DNSSEC zones. Perform these tasks on the new Global Traffic Manager system that you added to your network.

Creating DNSSEC key-signing keys


The next task in this implementation is to create two DNSSEC key-signing keys. The system uses a key-signing key to sign the DNSKEY record set. F5 Networks recommends that when you create a key, you create a disabled standby version of the key with a similar name. For example, in this task you create an enabled key-signing key named ksk1, and then create a disabled standby key named ksk2. Later in this implementation, you associate both of these keys with the same zone. This prepares you to easily perform a manual rollover of the key should the enabled key become compromised. For more information about manual rollover, see the Configuration Guide for BIG-IP Global Traffic Manager.

To create key-signing keys


1. Expand Global Traffic and click DNSSEC Key List.
2. Click Create.
3. In the Name box, type a unique name for the key. For example:
   • If you are creating the enabled key-signing key, type ksk1.
   • If you are creating the standby key-signing key, type ksk2.
4. In the Bit Width box, type 2048.
5. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
6. From the Type list, select Key Signing Key.
7. From the State list, make a selection based on whether you are creating the enabled or standby key. For example:
   • If you are creating the enabled key, select Enabled.
   • If you are creating the standby key, select Disabled.
8. In the TTL box, accept the default value of 86400 (the number of seconds in one day).
   Note: The value of the TTL specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover period and expiration period of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
9. In the Rollover Period box, type 28987147 (the number of seconds in 11 months).
   Important: The value of the rollover period must be greater than or equal to one third of the value of the expiration period, and less than the value of the expiration period. Additionally, the difference between the values of the rollover and expiration periods must be more than the value of the TTL.
   Note: After the key rolls over, you must send the DS records for the zone to which this key is associated to the organization that manages the parent zone. Therefore, F5 Networks recommends that you base the values that you specify for the rollover and expiration periods on the time required for that communication cycle to complete.
10. In the Expiration Period box, type 31556952 (the number of seconds in one year).
   Important: The value of the expiration period must be more than the value of the rollover period. Additionally, the difference between the values of the rollover and expiration periods must be more than the value of the TTL. The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
   Note: After the key rolls over, you must send the DS records for the zone to which the key is associated to the organization that manages the parent zone. Therefore, F5 Networks recommends that you base the values that you specify for the rollover and expiration periods on the time required for that communication cycle to complete.
11. Click Finished.
12. To create a standby key for emergency rollover purposes, repeat steps 1 - 11, but name the key ksk2, and select Disabled from the State list.

Creating DNSSEC zone-signing keys


The next task in this implementation is to create two DNSSEC zone-signing keys. The system uses a zone-signing key to sign all of the record sets in a zone. F5 Networks recommends that when you create a key, you create a disabled standby version of the key with a similar name. For example, in this task you create an enabled zone-signing key named zsk1, and then create a disabled standby key named zsk2. Later in this implementation, you associate both of these keys with the same zone. This prepares you to easily perform a manual rollover of the key should the enabled key become compromised. For more information about manual rollover, see the Configuration Guide for BIG-IP Global Traffic Manager.

To create zone-signing keys


1. Expand Global Traffic and click DNSSEC Key List.
2. Click Create.
3. In the Name box, type a unique name for the key. For example:
   • If you are creating the enabled zone-signing key, type zsk1.
   • If you are creating the standby zone-signing key, type zsk2.
4. In the Bit Width box, type 1024.
5. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
6. From the Type list, select Zone Signing Key.
7. From the State list, make a selection based on whether you are creating the enabled or standby key.
   • If you are creating the enabled key, select Enabled.
   • If you are creating the standby key, select Disabled.
8. In the TTL box, accept the default value of 86400 (the number of seconds in one day).
   Note: The value of the TTL specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover period and expiration period of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
9. In the Rollover Period box, type 1814400 (the number of seconds in 21 days).
   Important: The value of the rollover period must be greater than or equal to one third of the value of the expiration period, and less than the value of the expiration period. Additionally, the difference between the values of the rollover and expiration periods must be more than the value of the TTL.
   Note: After the key rolls over, you must send the DS records for the zone to which this key is associated to the organization that manages the parent zone. Therefore, F5 Networks recommends that you base the values that you specify for the rollover and expiration periods on the time required for that communication cycle to complete.
10. In the Expiration Period box, type 2592000 (the number of seconds in 30 days).
   Tip: The National Institute of Standards and Technology (NIST) recommends that a zone-signing key expire every 30 days.
   Note: After the key rolls over, you must send the DS records for the zone to which this key is associated to the organization that manages the parent zone. Therefore, F5 Networks recommends that you base the values that you specify for the rollover and expiration periods on the time required for that communication cycle to complete.
11. Click Finished.
12. To create a standby key for emergency rollover purposes, repeat steps 1 - 11, but name the key zsk2, and select Disabled from the State list.
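The key-signing-key and zone-signing-key procedures above state the same three constraints on the TTL, Rollover Period and Expiration Period fields. The following Python is an added example (not F5's code and not part of this manual) that encodes those constraints and checks the chapter's own example values against them, so the numbers can be verified before they are typed into the DNSSEC Key List screen; the function and constant names are this example's own.

```python
"""Sanity-check DNSSEC key timing values against the rules in this chapter.

Added example, not F5 code. It encodes the three constraints that the
key-signing-key and zone-signing-key procedures state for the TTL, Rollover
Period and Expiration Period fields, and applies them to the chapter's own
example values. All helper names are this example's own.
"""

SECONDS_PER_DAY = 86400


def check_key_timing(name, ttl, rollover, expiration):
    """Return a list of rule violations; an empty list means the values agree.

    Rules from the procedure (all values in seconds):
      1. rollover >= expiration / 3
      2. rollover <  expiration
      3. expiration - rollover > ttl, so a resolver that cached the old key
         for a full TTL still has time to learn the replacement key
    """
    if min(ttl, rollover, expiration) <= 0:
        return [f"{name}: TTL, rollover and expiration must all be positive"]
    problems = []
    if 3 * rollover < expiration:
        problems.append(f"{name}: rollover {rollover}s is less than one third "
                        f"of expiration {expiration}s")
    if rollover >= expiration:
        problems.append(f"{name}: rollover {rollover}s must be less than "
                        f"expiration {expiration}s")
    if expiration - rollover <= ttl:
        problems.append(f"{name}: expiration minus rollover "
                        f"({expiration - rollover}s) must exceed TTL {ttl}s")
    return problems


def check_all(keys):
    """Check several (name, ttl, rollover, expiration) tuples.

    Returns a dict of name -> violations that contains only the failing keys.
    """
    report = {}
    for name, ttl, rollover, expiration in keys:
        problems = check_key_timing(name, ttl, rollover, expiration)
        if problems:
            report[name] = problems
    return report


# The chapter's example values: the KSK rolls at 11 months and expires at one
# year, the ZSK rolls at 21 days and expires at 30 days, both with a one-day TTL.
CHAPTER_KEYS = [
    ("ksk1", SECONDS_PER_DAY, 28987147, 31556952),
    ("zsk1", SECONDS_PER_DAY, 1814400, 2592000),
]

# A constructed bad value: rolling the ZSK only 42000 s before it expires leaves
# less than one TTL for resolvers to pick up the replacement key.
BAD_ZSK = ("zsk-late-rollover", SECONDS_PER_DAY, 2550000, 2592000)

if __name__ == "__main__":
    for problems in check_all(CHAPTER_KEYS + [BAD_ZSK]).values():
        for problem in problems:
            print(problem)
    if not check_all(CHAPTER_KEYS):
        print("chapter values are consistent")
```

Running the script reports only the constructed late-rollover key; the chapter's KSK and ZSK values satisfy all three rules.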

Creating DNSSEC zones


The next task in this implementation is to create a DNSSEC zone. Before the BIG-IP system can sign requests to a zone, you must assign at least one enabled zone-signing and one enabled key-signing key to the zone. In this task, to prepare for a manual rollover, you assign to the zone both the enabled and disabled key-signing and zone-signing keys that you created previously in this implementation.

To create a DNSSEC zone


1. Expand Global Traffic and click DNSSEC Zone List.
2. Click Create.
3. In the Name box, type a FQDN that is a subset of the domain name. For example, type siterequest.com.
4. From the State list, accept the default value of Enabled.
5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone. For example, move the zsk1 and zsk2 zone-signing keys from the Available list to the Active list.
6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone. For example, move the ksk1 and ksk2 key-signing keys from the Available list to the Active list.
7. Click Finished.
8. Upload the DS records for this zone to the organization that manages the parent zone. You can find the DS records in the file /config/gtm/dsset-<dnssec.zone.name>, where <dnssec.zone.name> is the name of the zone you are configuring. In this example, the file can be found at /config/gtm/dsset-siterequest.com.
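Step 8 hands the DS records to the parent zone, and a DS record that does not match the live key-signing key breaks validation for the whole zone. The following Python is an added example (not F5's code and not part of this manual) that recomputes the key tag and DS digest from a DNSKEY and checks them against the lines of a dsset file. It assumes the dsset file holds DS records in the standard presentation format (owner, IN, DS, key tag, algorithm, digest type, digest); the manual does not state the file's format, so that is an assumption. The DNSKEY values and dsset lines are constructed samples, and all helper names are this example's own.

```python
"""Cross-check the DS records in a dsset file against the zone's KSK DNSKEY.

Added example, not F5 code. Assumes the dsset file holds DS records in the
standard presentation format (owner IN DS keytag algorithm digest-type digest);
that is an assumption, not something the manual states. The DNSKEY and dsset
lines below are constructed samples, and all helper names are this example's own.
"""
import base64
import hashlib

# DS digest types from RFC 4034 / RFC 6605: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case labels plus the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), key bytes."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(public_key_b64))


def key_tag(rdata):
    """Key tag of a DNSKEY per RFC 4034 Appendix B (non-RSA/MD5 algorithms)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), upper-case hex."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_dsset_line(owner, flags, protocol, algorithm, public_key_b64, digest_type):
    """Render one DS record in presentation format for the given DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


def parse_dsset(text):
    """Parse DS lines into (owner, key_tag, algorithm, digest_type, digest) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";"):
            continue  # blank line or comment
        if len(parts) < 7 or parts[1] != "IN" or parts[2] != "DS":
            raise ValueError(f"not a DS record: {line!r}")
        owner, tag, alg, dtype = parts[0], int(parts[3]), int(parts[4]), int(parts[5])
        digest = "".join(parts[6:]).upper()  # some tools wrap the digest across fields
        if dtype in DIGEST_ALGS and len(digest) != 2 * DIGEST_ALGS[dtype]().digest_size:
            raise ValueError(f"digest length does not match digest type {dtype}: {line!r}")
        records.append((owner, tag, alg, dtype, digest))
    return records


def verify_dsset(dsset_text, owner, flags, protocol, algorithm, public_key_b64):
    """Return (key_tag, algorithm, digest_type) for every DS line matching the DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    tag = key_tag(rdata)
    matches = []
    for rec_owner, rec_tag, rec_alg, rec_dtype, rec_digest in parse_dsset(dsset_text):
        if (name_to_wire(rec_owner) == name_to_wire(owner) and rec_tag == tag
                and rec_alg == algorithm and rec_dtype in DIGEST_ALGS
                and rec_digest == ds_digest(owner, rdata, rec_dtype)):
            matches.append((rec_tag, rec_alg, rec_dtype))
    return matches


# Constructed sample: a KSK (flags 257, protocol 3, algorithm 8 = RSA/SHA-256)
# whose public key is the two bytes 0x01 0x02 ("AQI=" in base64), far too short
# for real use but enough to exercise the arithmetic. CURRENT_KSK is the live
# key; STALE_KSK is a previous key whose DS record must not go to the parent.
ZONE = "siterequest.com."
CURRENT_KSK = (257, 3, 8, "AQI=")
STALE_KSK = (257, 3, 8, "AQM=")
SAMPLE_DSSET = "\n".join([
    "; constructed sample of /config/gtm/dsset-siterequest.com",
    make_dsset_line(ZONE, *STALE_KSK, 2),
    make_dsset_line(ZONE, *CURRENT_KSK, 2),
    make_dsset_line(ZONE, *CURRENT_KSK, 1),
])

if __name__ == "__main__":
    print(SAMPLE_DSSET)
    print("records matching the live KSK:", verify_dsset(SAMPLE_DSSET, ZONE, *CURRENT_KSK))
```

With the sample file, only the two lines whose key tag and digest were computed from the live key are reported as matches; the stale key's line is left out, which is the check to run before sending anything to the parent zone's operator.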

The Global Traffic Manager system is now configured to handle incoming DNS traffic and to respond to DNS queries with DNSSEC-compliant responses.

5
Load Balancing Non-Wide IP Traffic to a Pool of DNS Servers

About using the Global Traffic Manager as a load balancer in front of a pool of DNS servers
This implementation focuses on using a BIG-IP Global Traffic Manager system as a load balancer in front of a pool of DNS servers. The Global Traffic Manager checks incoming DNS queries. If the query is for a wide IP, the Global Traffic Manager load balances it to the appropriate resource. Otherwise, the Global Traffic Manager forwards the DNS query to one of the servers in a pool of DNS servers, and that server handles the query as needed.

To control how the Global Traffic Manager responds to DNS requests, you must configure a listener. A listener is a specialized resource that you assign to a specific IP address, which uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the Global Traffic Manager, allowing it to handle the traffic locally or forward the traffic to the appropriate resource.

Once again, for our example we use the fictional company SiteRequest. SiteRequest recently purchased a Global Traffic Manager to help load balance traffic across two of its web-based applications: store.siterequest.com and checkout.siterequest.com. These applications are subdomains of www.siterequest.com, which is managed by a pool of existing DNS servers. SiteRequest has already configured the Global Traffic Manager with two wide IPs, store.siterequest.com and checkout.siterequest.com, which correspond to these two web applications. For the purposes of this implementation, the IP address of the Global Traffic Manager is 192.168.5.10, while the IP addresses of the DNS servers are 10.10.1.1, 10.10.1.2, and 10.10.1.3.

For this implementation, perform the following tasks:
• Create a pool of DNS servers
• Create a listener


Creating a pool of DNS servers


The first task in this implementation is to configure a pool that contains the DNS servers to which you want the Global Traffic Manager to load balance DNS traffic.

To create a pool of DNS servers


1. Log on to the command line interface of the Global Traffic Manager.
2. Type tmsh, to access the Traffic Management Shell.
3. Run this command sequence:
   create /ltm pool DNS_pool members add { 10.10.1.1:domain 10.10.1.2:domain 10.10.1.3:domain }
   save sys config
   list /ltm pool

The system displays the new pool configuration, as shown in Figure 5.1.
root@gtm1(Active)(tmos)# list /ltm pool
ltm pool DNS_pool {
    members {
        10.10.1.1:domain {}
        10.10.1.2:domain {}
        10.10.1.3:domain {}
    }
}
root@gtm1(Active)(tmos)#

Figure 5.1 Results of list command for sample Local Traffic Manager pool


Creating a listener
The next task in this implementation is to configure a listener that listens for DNS queries and load balances non-wide IP traffic destined for the DNS servers to a member of the pool you created in the previous task.

To create a listener
1. Log on to the command line interface of the Global Traffic Manager.
2. Type tmsh, to access the Traffic Management Shell.
3. Run this command sequence:
   create /gtm listener DNS_listener address 192.168.5.10 ip-protocol udp pool DNS_pool translate-address enabled
   save sys config
   list /gtm listener

The system displays the new listener configuration, as shown in Figure 5.2.


root@gtm1(Active)(tmos)# list /gtm listener
gtm listener DNS_listener {
    address 192.168.5.10
    pool DNS_pool
}
root@gtm1(Active)(tmos)#

Figure 5.2 Results of list command for sample Global Traffic Manager listener

You now have an implementation of the Global Traffic Manager in which the Global Traffic Manager receives DNS queries. If the query is for a wide IP, the Global Traffic Manager load balances the request to the appropriate resource. Otherwise, the Global Traffic Manager load balances queries to the pool of DNS servers.


6
Sending Traffic Through the Global Traffic Manager

Working with the Global Traffic Manager as a router or forwarder
Forwarding traffic through the Global Traffic Manager
Routing traffic through the Global Traffic Manager


Working with the Global Traffic Manager as a router or forwarder


This implementation focuses on using the BIG-IP Global Traffic Manager as a router or forwarder in front of an existing DNS server, as shown in the traffic flow example in Figure 6.1. Note that the Global Traffic Manager checks incoming DNS queries. If the query is for a wide IP, the Global Traffic Manager load balances it to the appropriate resource. Otherwise, the Global Traffic Manager forwards the DNS query to the DNS server, which then handles the query as needed.

Figure 6.1 Example of the traffic flow through a Global Traffic Manager routing traffic to a DNS server


To control how the Global Traffic Manager responds to DNS requests, you must configure a listener. A listener is a specialized resource that you assign to a specific IP address, which uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the Global Traffic Manager, allowing it to handle the traffic locally or forward the traffic to the appropriate resource.

Depending on how you configure the listeners, the Global Traffic Manager operates as either a router or a bridge:
• If the listener points to a DNS server that exists on the same subnet, the Global Traffic Manager acts as a bridge.
• If the listener points to a DNS server that exists on a different subnet, the Global Traffic Manager acts as a router.

For this implementation, you create two different listeners. First, you create a listener that allows the Global Traffic Manager to act as a bridge. Then you create a second listener that allows the Global Traffic Manager to act as a router for a different set of DNS traffic.
Note

To ensure that the Global Traffic Manager forwards or routes requests to the external DNS server instead of using BIND to process those requests, when you create a listener be sure to use an IP address other than the self IP address of the Global Traffic Manager.
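The following Python script is an added example, not part of the F5 guide. It parses tmsh `list` output in the format of Figures 5.1 and 5.2 in Chapter 5 and applies two rules this guide states: a listener that load balances to a pool must reference an existing pool whose members are on the DNS port, and a forwarding or routing listener (one with no pool) must not use a self IP address, since BIND on the system would then answer instead of the external DNS server. The listing, the extra pool and listeners, and the self IP list below are constructed sample data.

```python
"""Sanity-check Global Traffic Manager listeners from tmsh `list` output.

Added example (not F5 code). Parses the brace-delimited listings printed by
`list /ltm pool` and `list /gtm listener` and reports configuration problems.
Self IP addresses are supplied as a list; nothing is read from a live system.
"""
import re

# Matches the tmsh prompt, e.g. "root@gtm1(Active)(tmos)#", so prompt lines are skipped.
PROMPT_RE = re.compile(r"^\S+@[^\s(]+(\([^)]*\))*\(tmos\)#")


def parse_tmsh_listing(text):
    """Turn tmsh `list` output into nested dicts, e.g. {"gtm listener X": {...}}."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT_RE.match(line):
            continue                                   # blank line or prompt/command echo
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in listing")
            stack.pop()
        elif line.endswith("{}"):
            stack[-1][line[:-2].strip()] = {}          # e.g. "10.10.1.1:domain {}"
        elif line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node        # e.g. "ltm pool DNS_pool {"
            stack.append(node)
        else:
            key, _, value = line.partition(" ")        # e.g. "address 192.168.5.10"
            stack[-1][key] = value.strip() or True
    if len(stack) != 1:
        raise ValueError("unbalanced '{' in listing")
    return root


def objects_of(config, kind):
    """Return {name: body} for every top-level object of the given kind."""
    prefix = kind + " "
    return {k[len(prefix):]: v for k, v in config.items() if k.startswith(prefix)}


def member_port(member):
    """Port part of a pool member key such as '10.10.1.1:domain' -> 'domain'."""
    return member.rsplit(":", 1)[1] if ":" in member else ""


def check_listeners(listing_text, self_ips):
    """Return a list of findings (an empty list means every listener passed)."""
    config = parse_tmsh_listing(listing_text)
    pools = objects_of(config, "ltm pool")
    self_addrs = {ip.split("/")[0] for ip in self_ips}   # "10.1.1.20/24" -> "10.1.1.20"
    findings = []
    for name, body in objects_of(config, "gtm listener").items():
        address = body.get("address")
        if not address:
            findings.append(f"{name}: listener has no address")
            continue
        pool = body.get("pool")
        if pool is None:
            # Forwarding/routing listener: queries must reach the external DNS server,
            # so the destination must not be a self IP of this system.
            if address in self_addrs:
                findings.append(f"{name}: address {address} is a self IP; BIND on this "
                                "system would answer instead of the external DNS server")
            continue
        if pool not in pools:
            findings.append(f"{name}: references pool {pool} that is not defined")
            continue
        for member in pools[pool].get("members", {}):
            if member_port(member) not in ("domain", "53"):
                findings.append(f"{name}: pool {pool} member {member} is not on the DNS port")
    return findings


# Constructed sample in the format of Figures 5.1 and 5.2, plus a second pool and
# two extra listeners that are deliberately misconfigured to exercise the checks.
SAMPLE_LISTING = """\
root@gtm1(Active)(tmos)# list /ltm pool
ltm pool DNS_pool {
    members {
        10.10.1.1:domain {}
        10.10.1.2:domain {}
        10.10.1.3:domain {}
    }
}
ltm pool WEB_pool {
    members {
        10.10.1.4:http {}
    }
}
root@gtm1(Active)(tmos)# list /gtm listener
gtm listener DNS_listener {
    address 192.168.5.10
    pool DNS_pool
}
gtm listener BAD_listener {
    address 10.1.1.20
}
gtm listener WEB_listener {
    address 192.168.5.11
    pool WEB_pool
}
root@gtm1(Active)(tmos)#
"""

if __name__ == "__main__":
    # Constructed self IP list; on a real system take it from `list /net self`.
    for finding in check_listeners(SAMPLE_LISTING, ["10.1.1.20/24"]):
        print(finding)
```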

Forwarding traffic through the Global Traffic Manager


SiteRequest recently purchased a Global Traffic Manager to help load balance traffic across two of its web-based applications: store.siterequest.com and checkout.siterequest.com. These applications are subdomains of www.siterequest.com, which is managed by an existing DNS server. SiteRequest has already configured the Global Traffic Manager with two wide IPs, store.siterequest.com and checkout.siterequest.com, which correspond to these two web applications.

Placing the Global Traffic Manager to forward traffic


The standard configuration for this implementation requires that you place the Global Traffic Manager between the existing DNS server and the Internet. For the purposes of this implementation, the IP address of the Global Traffic Manager is 192.168.5.10, while the IP address of the DNS server is 192.168.5.23.


To place the Global Traffic Manager on a network for forwarding traffic


1. Connect the Global Traffic Manager to your Internet connection.
2. Connect the DNS server to an Ethernet port on the Global Traffic Manager.

Tip

If you prefer to implement the Global Traffic Manager as a redundant system configuration, see Chapter 9, Setting Up a Global Traffic Manager Redundant System Configuration.

Configuring a VLAN group


The next task in this implementation is to configure a VLAN group through which the Global Traffic Manager can transparently pass traffic to the original DNS server.

To configure a VLAN group


1. On the Main tab of the navigation pane, expand Network and then click VLANs.
2. From the VLAN Groups menu, choose List.
3. Click Create.
4. In the Name box, for this example, use the name GTMforward.
5. In the VLANs setting, use the Move (<<) button to add VLANs to the group by moving the VLANs from the Available list to the Members list.
6. From the Transparency Mode list, select Opaque.
7. Click Finished.

Forwarding traffic to a DNS server


With this setup, all DNS traffic flows through the Global Traffic Manager. Next, you need to configure the Global Traffic Manager to recognize the traffic that it must forward to the DNS server.

To forward traffic to the DNS server


1. On the Main tab of the navigation pane, expand Global Traffic and then click Listeners.
2. Click Create.


3. In the Destination box, type the IP address on which the Global Traffic Manager listens for network traffic. For this example, type the IP address 192.168.5.23.
   Tip: To ensure that requests are bridged to the external DNS server rather than processed by BIND on the Global Traffic Manager system, do not use a self IP address of the system as the destination.
4. From the VLAN Traffic list, select All VLANs.
5. Click Finished.

You now have an implementation of the Global Traffic Manager in which the Global Traffic Manager receives all DNS queries. If the query is for a wide IP, the Global Traffic Manager load balances the request to the appropriate resource. Otherwise, the Global Traffic Manager forwards the query to the DNS server for resolution.

Routing traffic through the Global Traffic Manager


This part of the implementation covers the tasks necessary to route traffic through a Global Traffic Manager to another DNS server; for example, one that resides in a different data center. When the Global Traffic Manager manages traffic in this manner, it acts like a router between one section of the network and another. This implementation again focuses on the fictional company SiteRequest. SiteRequest still wants to use the Global Traffic Manager to help load balance traffic across two of its web-based applications: store.siterequest.com and checkout.siterequest.com. These applications are subdomains of www.siterequest.com, which is managed by an existing DNS server. Again, SiteRequest has already configured the Global Traffic Manager with two wide IPs, store.siterequest.com and checkout.siterequest.com, which correspond to these two web applications.


Placing the Global Traffic Manager to route traffic


The standard configuration for this implementation requires that you place the Global Traffic Manager between the existing DNS server and the Internet. For the purposes of this example, the IP address of the Global Traffic Manager is 192.168.5.10, while the IP address of the DNS server is 172.15.23.23.

To place the Global Traffic Manager on the network for routing traffic
1. Connect the Global Traffic Manager to your Internet connection.
2. Connect the DNS server to an Ethernet port on the Global Traffic Manager.

Routing traffic to a DNS server


With this setup, all DNS traffic flows through the Global Traffic Manager. Lastly, you need to configure the Global Traffic Manager to recognize the traffic that it must route to the DNS server.

To route traffic to the DNS server


1. On the Main tab of the navigation pane, expand Global Traffic and then click Listeners.
2. Click Create.
3. In the Destination box, type the IP address on which the Global Traffic Manager listens for network traffic. In this example, type the IP address 172.15.23.23.
   Tip: To ensure that requests are routed to the external DNS server rather than processed by BIND on the Global Traffic Manager system, do not use a self IP address of the system as the destination.
4. From the VLAN Traffic list, select All VLANs.
5. Click Finished.

You now have an implementation of the Global Traffic Manager in which the Global Traffic Manager receives all DNS queries. If the query is for a wide IP, the Global Traffic Manager load balances the request to the appropriate resource. If the traffic has a destination IP address of 172.15.23.23, the Global Traffic Manager routes the query to the DNS server for resolution.


7
Ensuring Correct Synchronization When Adding a New Global Traffic Manager

Understanding synchronization in the Global Traffic Manager
Adding a new Global Traffic Manager to a synchronization group safely


Understanding synchronization in the Global Traffic Manager


You can configure BIG-IP Global Traffic Manager systems in collections called synchronization groups. In these groups, all Global Traffic Manager systems have the same rank. Global Traffic Manager systems that are in the same synchronization group exchange heartbeat messages and share probing responsibility. Synchronization ensures the rapid distribution of Global Traffic Manager settings to any other systems that belong to the same synchronization group.

Synchronization occurs in the following manner: At regular intervals, each Global Traffic Manager uses the iQuery protocol to compare the timestamp of its configuration files against the timestamps on all other Global Traffic Manager systems in its synchronization group. If the system detects a newer configuration file, it downloads and uses that file. Once a synchronization is in progress, it must either complete or time out before another synchronization can occur.

Figure 7.1 An example of a synchronization group

You can modify the settings of all Global Traffic Manager systems from any Global Traffic Manager. The changes you make on one Global Traffic Manager are sent to all other Global Traffic Manager systems within the same synchronization group. When you enable the Synchronization setting for each Global Traffic Manager in the group, the systems automatically synchronize their configuration files. Additionally, when you enable the Synchronize DNS Zone Files setting for each system in the group, the systems automatically synchronize their Domain Name System (DNS) zone files.
Important

Global Traffic Manager systems only exchange heartbeat messages if they have the same software version installed. When you upgrade one Global Traffic Manager system in a synchronization group, the configuration of the upgraded system does not automatically synchronize with the configuration of the systems with an older version of software.

One exception to this process occurs when you add a new Global Traffic Manager to the network. In this scenario, there is a chance that the timestamp of the new system's configuration file is newer than the files on the already-installed Global Traffic Manager. If you enable synchronization at this point, the unconfigured configuration file is distributed to the existing Global Traffic Manager systems, effectively removing your existing configurations.

You can avoid the accidental synchronization of an unconfigured configuration file to existing Global Traffic Manager systems by using the gtm_add script when you add a new Global Traffic Manager to your network. This script acquires the configuration file from an existing Global Traffic Manager and applies it to the new system. As a result, the new system acquires the current configuration for your network.

Adding a new Global Traffic Manager to a synchronization group safely


This implementation focuses on the fictional company, SiteRequest. Currently, the SiteRequest network has two data centers: one located in New York; the other in Los Angeles. Until recently, SiteRequest had a single Global Traffic Manager located at the New York data center, with an IP address of 192.168.5.199. However, recent increases in DNS traffic have prompted the integration of a new Global Traffic Manager at the Los Angeles data center. These two Global Traffic Manager systems must belong to the same synchronization group, allowing changes made to one system to transfer over to the other.

For the purposes of this implementation, both Global Traffic Manager systems are the same version, and the Global Traffic Manager in New York is already active and communicating with the rest of the network. At this point in the implementation, the new Global Traffic Manager is connected to the network and assigned the IP address, 10.10.5.25. SiteRequest also has a data center object defined on the Global Traffic Manager located in New York, and has named this new data center: Los Angeles Data Center. This data center contains the various BIG-IP systems that reside in Los Angeles. Finally, you have two Local Traffic Manager systems; one at each data center. The Local Traffic Manager in New York has an IP address of 192.168.5.10; the one in Los Angeles has an IP address of 10.10.5.20.

The tasks you must complete to add a new Global Traffic Manager to a synchronization group are:
• Add the Global Traffic Manager to the configuration
• Enable synchronization
• Run the gtm_add script
• Run the bigip_add script

Adding the Global Traffic Manager


The first task you must accomplish is adding the Los Angeles Global Traffic Manager to the New York Global Traffic Manager.

To add the Global Traffic Manager


1. On the Main tab of the navigation pane of the New York Global Traffic Manager, expand Global Traffic, and then click Servers.
2. Click Create.
3. In the Name box, for this example, type Los Angeles GTM.
4. From the Product list, select the server type. In this example, select BIG-IP System (Single).
5. For the Address List setting, complete the following tasks:
   • In the Address box, type the IP address of the server. For this example, type: 10.10.5.25
   • Click Add.
6. From the Data Center list, select the data center to which the server belongs. For this example, select Los Angeles Data Center.
7. From the Virtual Server Discovery list, select Disabled.
8. Click Create.

The newly added Global Traffic Manager displays a red status marker, because you have not yet run the bigip_add script. For more information about running this script, see Running the bigip_add script, on page 7-5.


Enabling synchronization
For the next task, you enable the Synchronization option, and assign an appropriate name for the synchronization group. For this implementation, use the synchronization group name North America.

To enable synchronization
1. On the Main tab of the navigation pane, expand System and then click Configuration.
2. From the Global Traffic menu, choose General.
3. Check the Synchronization check box.
4. Check the Synchronize DNS Zone Files check box.
5. In the Synchronization Group Name box, type the name of the group. In this example, type North America.
6. Click Update.

Running the gtm_add script


Next, you need to have the new Global Traffic Manager acquire the settings established on an existing Global Traffic Manager. In this example, the Global Traffic Manager in Los Angeles acquires the configurations established at the New York data center. You must do this before you attempt to synchronize these systems; otherwise, you run the risk of having the new Global Traffic Manager, which is unconfigured, replace the configuration of the New York system. To acquire the configuration files, you run the gtm_add script.

To run the gtm_add script


1. Access the unconfigured Global Traffic Manager.
2. At the command prompt, type gtm_add.
3. Press the y key to start the gtm_add script.
4. Type the IP address of the configured Global Traffic Manager. For this example, type 192.168.5.199.
5. Press Enter.

At this point, both Global Traffic Manager systems share the same configuration. In addition, they also belong to the same synchronization group, because the gtm_add script copied the settings from the existing Global Traffic Manager to the new Global Traffic Manager.
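The following Python model is an added example, not F5 code. It reproduces the synchronization rule this chapter describes (the newest configuration file wins, and only systems with the same software version take part) to show the overwrite that happens when a freshly installed unit with a newer, empty configuration joins the North America group, and how copying the configuration from the New York system first, as the gtm_add script does, avoids it. The Gtm class, the timestamps and the version strings are constructed.

```python
"""Model of timestamp-driven synchronization in a Global Traffic Manager group.

Added example (not F5 code). The rules below follow this chapter: each system
adopts a newer configuration file it sees on a peer, and systems only exchange
heartbeats (and therefore synchronize) with peers of the same software version.
"""
from dataclasses import dataclass, field


@dataclass
class Gtm:
    name: str
    version: str
    mtime: int                                    # timestamp of the configuration file
    config: dict = field(default_factory=dict)    # constructed stand-in for the config


def synchronize(group):
    """One synchronization pass over a group.

    Every member adopts the newest configuration among members running its own
    software version. Returns {member name: name of the system it copied from}.
    """
    newest_by_version = {}
    for gtm in group:
        current = newest_by_version.get(gtm.version)
        if current is None or gtm.mtime > current.mtime:
            newest_by_version[gtm.version] = gtm
    # Snapshot first so that copying does not change the comparison mid-pass.
    snapshots = {g.name: (g.mtime, dict(g.config)) for g in group}
    source = {}
    for gtm in group:
        newest = newest_by_version[gtm.version]
        if newest is not gtm:
            gtm.mtime, gtm.config = snapshots[newest.name]
        source[gtm.name] = newest.name
    return source


def gtm_add(new, existing):
    """What running gtm_add achieves: the new system takes the configuration file
    of an existing, configured system before any synchronization runs."""
    new.config = dict(existing.config)
    new.mtime = existing.mtime


def build_site():
    """SiteRequest as described in this chapter (timestamps are constructed)."""
    ny = Gtm("New York GTM", "10.2", mtime=1000,
             config={"sync_group": "North America",
                     "wideips": ["store.siterequest.com", "checkout.siterequest.com"]})
    la = Gtm("Los Angeles GTM", "10.2", mtime=1500)   # fresh install: empty but newer file
    return ny, la


def unsafe_join():
    """Enable synchronization on the new unit without gtm_add: New York loses its config."""
    ny, la = build_site()
    synchronize([ny, la])
    return ny.config.get("wideips", [])


def safe_join():
    """Run gtm_add on the new unit first, then synchronize: both keep the New York config."""
    ny, la = build_site()
    gtm_add(la, ny)
    synchronize([ny, la])
    return ny.config["wideips"], la.config["wideips"]


def mixed_version_join():
    """A unit on a different software version does not synchronize with its peers."""
    ny, la = build_site()
    la.version = "10.2.1"          # constructed version string
    synchronize([ny, la])
    return ny.config.get("wideips", [])


if __name__ == "__main__":
    print("without gtm_add, New York wide IPs:", unsafe_join())
    print("with gtm_add, wide IPs on both units:", safe_join())
```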


Running the bigip_add script


With the new unit added to the existing unit, you can now access the new system and run the bigip_add script. This script exchanges SSL certificates so that each system is authorized to communicate with the other. In this example, you run this script from the Global Traffic Manager in the Los Angeles data center.

To run the bigip_add script


1. Log on to the command line interface for the Global Traffic Manager.
2. At the prompt, type bigip_add <ip addresses>. In this example, type bigip_add 192.168.5.10 10.10.5.20 192.168.5.199
   Note: In this example, you have included the IP address of the Global Traffic Manager in New York.
3. Press Enter.


8
Integrating the Global Traffic Manager with BIG-IP Systems

Understanding the interactions between BIG-IP systems
Integrating the Global Traffic Manager with other BIG-IP systems


Understanding the interactions between BIG-IP systems


Many common implementations of Global Traffic Manager systems involve adding the new system to networks in which Local Traffic Manager systems are already present. In this scenario, the Global Traffic Manager allows you to expand your load balancing and traffic management capabilities beyond the local area network. For this implementation to be successful, however, you must authorize communications between the Global Traffic Manager and any Local Traffic Manager on your network.

BIG-IP systems employ a custom protocol, called iQuery, to exchange information back and forth. To manage this flow of information, both the Global Traffic Manager and any Local Traffic Manager systems employ a software utility, called big3d. Part of the process when establishing communications between the Global Traffic Manager and other BIG-IP systems is to open port 22 and port 4353 between the two systems. Port 22 allows the Global Traffic Manager to copy the newest version of the big3d agent to existing systems, while iQuery requires port 4353 for its normal communications.

In order for other BIG-IP systems to communicate with the Global Traffic Manager, F5 Networks recommends that you update the big3d agent on older BIG-IP systems by running the big3d_install script from the Global Traffic Manager. For more information about running the big3d_install script, see SOL8195 on AskF5.com.

Figure 8.1 Communications between big3d and gtmd agents


You must also authorize the communication between the Global Traffic Manager systems and Local Traffic Manager systems. You authorize this communication through the use of SSL certificates. These certificates ensure that each BIG-IP system, whether Global Traffic Manager or Local Traffic Manager, trusts the communications sent from any other BIG-IP system.

Consequently, the two tasks you must accomplish when integrating a Global Traffic Manager with BIG-IP systems are:
• Enable communications between the different BIG-IP systems.
• Install the latest version of the big3d agent.
Tip

For more information about the big3d agent, see Appendix A, Working with the big3d Agent, of the Configuration Guide for BIG-IP Global Traffic Manager. In this implementation, we use the Configuration utility; however, if you prefer to use tmsh, see Chapter 12, Using tmsh to Set Up Implementations.


Integrating the Global Traffic Manager with other BIG-IP systems


This implementation focuses on adding a Global Traffic Manager to a network that has several BIG-IP systems. A BIG-IP system is a specific F5 product, including Local Traffic Manager systems, Global Traffic Manager systems, and Link Controller systems. At this point, you have added the Global Traffic Manager to the network, and configured a listener to ensure that DNS traffic is routed to the appropriate resource (either the Global Traffic Manager or another DNS server). To illustrate how to integrate a Global Traffic Manager with other BIG-IP systems, this implementation uses the fictional company, SiteRequest. SiteRequest currently has two data centers: one located in New York and one located in Los Angeles. Each data center has a BIG-IP redundant system configuration. Table 8.1 displays the details for these BIG-IP systems.
System                  IP Address
New York BIG-IP 1       192.168.5.10
New York BIG-IP 2       192.168.5.11
Los Angeles BIG-IP 1    10.10.5.20
Los Angeles BIG-IP 2    10.10.5.21
New York GTM            192.168.5.30

Table 8.1 SiteRequest BIG-IP systems

Figure 8.2 The SiteRequest network


The tasks associated with integrating the Global Traffic Manager are:
• Define a data center.
• Define the Global Traffic Manager.
• Add the BIG-IP systems.
• Run the big3d_install script.

Defining a data center


The first task is to define the data centers on the Global Traffic Manager. Data centers are important entities within the Global Traffic Manager; you cannot add other entities, such as servers, without them.

To define a data center


1. On the Main tab of the navigation pane, expand Global Traffic and then click Data Centers.
2. Click Create.
3. In the Name box, type the name of the data center. For this example, type New York Data Center.
4. In the Location box, type the location of the data center. For this example, type New York, NY.
5. From the State list, select Enabled.
6. Click Finished.

Repeat this procedure to create the Los Angeles data center.

Defining the Global Traffic Manager


At installation, the Global Traffic Manager has no knowledge of itself. To have the Global Traffic Manager communicate and operate with other systems, you must define it. You can do this using the Configuration utility as shown in the following procedure. Alternatively, you can define the Global Traffic Manager using the tmsh utility. For more information about the tmsh utility, see the Traffic Management Shell (tmsh) Reference Guide.

To define the Global Traffic Manager


1. On the Main tab of the navigation pane, expand Global Traffic and then click Servers.
2. Click Create.
3. In the Name box, type the name of the server. For this example, type New York GTM.


4. From the Product list, select a server type. For this example, select BIG-IP System (Single).
5. For the Address List setting, complete the following tasks:
   • In the Address box, type the IP address of the server. For this example, type: 192.168.5.30
   • Click Add.
6. From the Data Center list, select New York Data Center.
7. For the Health Monitors setting, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
8. From the Virtual Server Discovery list, select Disabled.
9. Click Create.

Adding BIG-IP systems


Once you have defined the two data centers within the Global Traffic Manager, and defined the Global Traffic Manager itself, you can add the BIG-IP systems that reside at each data center.
Note

A BIG-IP system is a specific F5 product that can include Local Traffic Manager systems, Global Traffic Manager systems, and Link Controller systems.
Important

The IP addresses that you use in the following procedure cannot be the IP addresses assigned to the management port.

To add the BIG-IP systems to the Global Traffic Manager


1. On the Main tab of the navigation pane, expand Global Traffic and then click Servers.
2. Click Create.
3. In the Name box, type the name of the server. For this example, type New York BIG-IP 1.
4. From the Product list, select a server type. For this example, select BIG-IP System (Redundant).
5. For the Address List setting, complete the following tasks:
   • In the Address box, type the IP address of the server. For this example, type: 192.168.5.10
   • Click Add.
6. For the Peer Address List setting, complete the following tasks:


   • In the Address box, type the IP address of the second BIG-IP system that completes the redundant system configuration. In this example, type: 192.168.5.11.
   • Click Add.
7. For the Health Monitors setting, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
8. From the Virtual Server Discovery list, select Enabled.
9. Click Create.

Repeat this procedure to add the BIG-IP systems located in the Los Angeles data center.

Running the big3d_install script


At this point, you have configured the Global Traffic Manager with the information it needs to begin communications with the BIG-IP systems on the network. However, before these systems can communicate with each other, you must upgrade the big3d agents on the BIG-IP systems and instruct these systems to authenticate with the other systems through the exchange of web certificates. You can accomplish both of these tasks through the big3d_install script. This script is included with the Global Traffic Manager.
Important

The big3d_install script installs the big3d agent and runs the bigip_add script. Run the big3d_install script only on a system that is configured with the most current BIG-IP system software on your network, because big3d is only backward compatible.

To run the big3d_install script


1. Log on to the command line interface for the Global Traffic Manager.
2. At the prompt, type big3d_install <ip addresses>. For this example, type the following:
   big3d_install 192.168.5.10 192.168.5.11 10.10.5.20 10.10.5.21
3. Press Enter.

This script instructs the Global Traffic Manager to connect to each BIG-IP system that you specified by IP address. As it connects to each system, it prompts you to supply the appropriate logon information to access that system.


When the script has completed its operations, the following changes take effect on each BIG-IP system:
• The appropriate SSL certificates are exchanged between each system, authorizing communications between each system.
• The big3d agent on each system is upgraded to the same version as installed on the Global Traffic Manager.

You have now successfully configured the BIG-IP systems on this network, including the Global Traffic Manager, to communicate with each other. The Global Traffic Manager can now use the BIG-IP systems when load balancing DNS requests, as well as when acquiring statistical or status information for the virtual servers these systems manage.


9
Setting Up a Global Traffic Manager Redundant System Configuration

Understanding Global Traffic Manager redundant system configurations
Setting up a Global Traffic Manager redundant system configuration


Understanding Global Traffic Manager redundant system configurations


With the BIG-IP Global Traffic Manager, you manage incoming DNS traffic, forwarding that traffic to the appropriate DNS server or load balancing it to other resources on the network. Typically, a given network has several Global Traffic Manager systems, with at least one system installed at one of several data centers. With these systems in place, you can control the distribution of DNS traffic across your resources, monitor these resources to determine their availability, and ensure that any web-based applications have all the components necessary to operate successfully. A standard implementation of Global Traffic Manager systems is a redundant system configuration. This is a set of two Global Traffic Manager systems: one operating as the active unit, the other operating as the standby unit. If the active unit goes offline, the standby unit immediately assumes responsibility for managing DNS traffic. The new active unit remains active until another event occurs that would cause the unit to go offline, or you manually reset the status of each unit. The implementation tasks outlined in this chapter describe how to configure a Global Traffic Manager redundant system. This example focuses on the fictional company, SiteRequest. Table 9.1 outlines the network characteristics at SiteRequest that pertain to this implementation.
Component                              Characteristics
Data Center                            Name: New York Data Center
Global Traffic Manager (Active Unit)   Host name: gtm1.siterequest.com
                                       Self IP address: 10.1.1.20/24
                                       Floating IP address: 10.1.1.50 (shared with second Global Traffic Manager)
                                       Management IP address: 192.168.15.16
Global Traffic Manager (Standby Unit)  Host name: gtm2.siterequest.com
                                       Self IP address: 10.1.1.21/24
                                       Floating IP address: 10.1.1.50 (shared with first Global Traffic Manager)
                                       Management IP address: 192.168.15.17
VLAN                                   Name: dns_requests
                                       Assigned interfaces: 1.1 (untagged)
Default Gateway                        IP address: 10.1.1.100
NTP server                             IP address: 192.168.5.15

Table 9.1 Network characteristics of SiteRequest


For this example, SiteRequest already has both Global Traffic Manager systems connected to the network; however, they have not yet assigned IP addresses to the systems.

Setting up a Global Traffic Manager redundant system configuration


This implementation focuses on the fictional company SiteRequest. This company wants to create a Global Traffic Manager redundant system configuration. They already have the systems installed on the network; however, they have yet to fully configure them. In this implementation, you accomplish the following tasks:
• Configure the redundant system settings of each Global Traffic Manager.
• Create a VLAN.
• Assign Self IP addresses to both systems.
• Create a floating IP address.
• Configure the high availability options.
• Define an NTP server.
• Define the default gateway.
• Define a listener for incoming DNS traffic.
• Run a bigpipe config sync operation.
• Define the data center to which the Global Traffic Manager systems belong.
• Define the Global Traffic Manager systems.
• Enable synchronization.
• Conduct the initial configuration synchronization between systems through the gtm_add utility.

Configuring the redundant system settings


The first task in creating a redundant system configuration with two Global Traffic Manager systems is to configure the redundant system settings. You configure two different systems: the active system, which is initially online, and the standby system, which comes online only when the active system goes offline.
Note

You can also complete the following procedure by running the Setup Utility. You can access this utility through the main page of the Configuration utility of the Global Traffic Manager.


Setting Up a Global Traffic Manager Redundant System Configuration

To configure redundant system settings for the active system


1. On the Main tab of the navigation pane, expand System and then click Platform.
2. From the High Availability list, select Redundant Pair.
3. From the Unit ID list, select 1.
4. Click Update.

To configure redundant system settings for the second system


1. On the Main tab of the navigation pane, expand System and then click Platform.
2. From the High Availability list, select Redundant Pair.
3. From the Unit ID list, select 2.
4. Click Update.

Creating VLANs
The next task in this implementation requires you to set up a VLAN. This VLAN encompasses the IP addresses associated with the Global Traffic Manager systems and the other network components that help manage DNS traffic. You must apply the following procedures to both the active and standby systems.

To create a VLAN
1. On the Main tab of the navigation pane, expand Network and then click VLANs.
2. Click Create.
3. In the Name box, type dns_requests.
4. For the Interfaces setting, use the Move buttons to assign interface 1.1 to the Untagged list.
5. Click Finished.

Assigning self IP addresses


With VLANs in place, you can now assign self IP addresses to each Global Traffic Manager. These self IP addresses identify the Global Traffic Manager on the network.


You must apply the following procedure to both the active and standby systems.

To assign self IP addresses


1. On the Main tab of the navigation pane, expand Network and then click Self IPs.
2. Click Create.
3. In the IP address box, type a self IP address to assign to the VLAN for DNS requests. For this example, type one of the following:
   • For gtm1.siterequest.com, type 10.1.1.20
   • For gtm2.siterequest.com, type 10.1.1.21
4. In the Netmask box, type the appropriate net mask. For this example, 255.255.255.0.
5. From the VLAN list, select VLAN dns_requests.
6. Click Finished.

Creating a floating IP address


In a redundant system configuration, both Global Traffic Manager systems share a common IP address called a floating IP address. A floating IP address is an IP address that represents both the active and standby units in a redundant system. To the rest of the network, this floating IP address represents the active Global Traffic Manager. If the primary unit goes offline, the secondary unit takes over traffic destined for the floating IP address. This setup ensures that DNS traffic flows smoothly even in the event a fail-over occurs. For this task, you configure only the active system. The settings you create are transferred to the standby system during a synchronization that you initiate later in this process.

To create a floating IP address


1. On the Main tab of the navigation pane, expand Network and then click Self IPs.
2. Click Create.
3. In the IP address box, type the IP address of the system. For this example, type 10.1.1.50.
4. In the Netmask box, type the appropriate net mask. For this example, 255.255.255.0.
5. From the VLAN list, select VLAN dns_requests.
6. Check the Floating IP option.
7. Click Finished.

Configuring the high availability options


Many of the options associated with creating a redundant system reside in the High Availability section of the Configuration utility. These options include the IP addresses of each system, the type of redundant system configuration, and other options. You must apply the following procedure to both the active and standby systems.

To configure high availability options


1. On the Main tab of the navigation pane, expand System and then click High Availability.
2. On the menu bar, click Network Failover.
3. Click the Network Failover box.
4. In the Peer Management Address box, delete the colons (::) and type the management IP address of the peer unit. For this example, type 192.168.15.17.
5. For the Unicast setting, add an entry:
   a) In the Configuration Identifier box, type a unique name for the unicast entry. For this example, type DNS requests.
   b) In the Local Address box, type the self IP address associated with the failover VLAN you created on the unit you are configuring. For this example, type 10.1.1.20.
   c) In the Remote Address box, type the self IP address associated with the failover VLAN you created on the peer unit. In this example, type 10.1.1.21.
   d) Click Add.
Note

In this example, for the gtm2.siterequest.com, use 192.168.15.16 for the Peer Management Address, and reverse the values of the Local Address and Remote Address settings.

Defining an NTP server


The next task of this implementation requires you to define an NTP server that both Global Traffic Manager systems use during synchronization options. This task is important because it determines a common time value for both systems. During file synchronizations, the systems use this time value to see if any newer configuration files exist.


To define an NTP server


1. On the Main tab of the navigation pane, expand System and then click Configuration.
2. From the Device menu, choose NTP.
3. In the Address box, type the IP address of the NTP server. In this example, 192.168.5.15.
4. Click Add.
5. Click Update.

Defining the default gateway route


Another task you must accomplish is defining the default gateway route for network traffic. The Global Traffic Manager uses this route to send and receive network traffic.

To define the default route


1. On the Main tab of the navigation pane, expand Network and then click Routes.
2. Click Add.
3. From the Type list, select Default Gateway.
4. From the Resource list, select Use Gateway and then type the IP address of the default gateway. In this example, type 10.1.1.100.
5. Click Finished.

Defining a listener
The Global Traffic Manager employs a listener to identify the DNS traffic for which it is responsible. In this implementation, you need to create a listener that corresponds to the floating IP address shared between the two Global Traffic Manager systems. For this task, you configure only the active system. The settings you create are transferred to the standby system during a synchronization that you initiate later in this process.

To configure the listener


1. On the Main tab of the navigation pane, expand Global Traffic and then click Listeners.
2. Click Create.
3. In the Destination box, type the IP address on which the system will listen for traffic. In this example, type 10.1.1.50.
4. From the VLAN Traffic list, select All VLANs.
5. Click Finished.

Running a config sync operation


If you are familiar with Global Traffic Manager, you might be familiar with its synchronization feature. This feature ensures that all Global Traffic Manager systems share the same information on wide IPs, pools, and other network configurations associated with DNS traffic management. For a redundant system, you must employ an additional synchronization option to share the self IP address, default route, and other information you configured on the active system with the standby system.

To run a config sync operation


1. On the Main tab of the navigation pane, expand System and then click High Availability.
2. On the menu bar, click ConfigSync.
3. Click Synchronize TO Peer. The system synchronizes settings to the standby Global Traffic Manager; in this example, gtm1.siterequest.com.
4. Click OK.

Defining a data center


The next task is to define the data centers in the Global Traffic Manager. Data centers are important entities within the Global Traffic Manager; you cannot add other entities, such as servers, without them. For this task, you configure only the active system. The settings you create are transferred to the standby system during a synchronization that you initiate later in this process.

To define a data center


1. On the Main tab of the navigation pane, expand Global Traffic and then click Data Centers.
2. Click Create.
3. In the Name box, type the name of the data center. In this example, type New York Data Center.
4. In the Location box, type the location of the data center. For this example, type New York, NY.
5. From the State list, select Enabled.
6. Click Finished.

Defining the Global Traffic Manager systems


At installation, a Global Traffic Manager has no knowledge of itself. To have the Global Traffic Manager communicate and operate with other systems, you must define it within the user interface. For this example, you need to define both gtm1.siterequest.com and gtm2.siterequest.com. For this task, you configure only the active system. The settings you create are transferred to the standby system during a synchronization that you initiate later in this process.

To define the Global Traffic Manager


1. On the Main tab of the navigation pane, expand Global Traffic and then click Servers.
2. Click Create.
3. In the Name box, type the name of the system. In this example, type gtm1.siterequest.com.
4. From the Product list, select BIG-IP System (Redundant).
5. For the Address List setting, complete the following tasks:
   • In the Address box, type the IP address of the system. In this example, type 10.1.1.20.
   • Click Add.
6. For the Peer Address List setting, complete the following tasks:
   • In the Address box, type the IP address of the second system. For this example, type 10.1.1.21.
   • Click Add.
7. From the Data Center list, select a data center. In this example, select New York Data Center.
8. From the Virtual Server Discovery list, select Disabled.
9. Click Create.

You now repeat this procedure on the second Global Traffic Manager, reversing the IP addresses in the Address List and Peer Address List options. In this example, you repeat this procedure for the gtm2.siterequest.com system.


Enabling synchronization
For the next task, you enable the synchronization options and assign an appropriate name for the synchronization group. For this implementation, the synchronization group name is North America. For this task, you configure only the active system. The settings you create are transferred to the standby system during a synchronization that you initiate later in this process.

To enable synchronization
1. On the Main tab of the navigation pane, expand System, and then click Configuration.
2. From the Global Traffic menu, choose General.
3. Check the Synchronization check box.
4. Check the Synchronize DNS Zone Files check box.
5. In the Synchronization Group Name box, type the name of the synchronization group. In this example, type North America.
6. Click Update.

Running the gtm_add script


Next, you need to have the two systems share the same configuration. (For this example, that means you need to have the Global Traffic Manager in Los Angeles acquire the configurations established at the New York data center.) You must do this before you attempt to synchronize these systems; otherwise, you run the risk of having the new Global Traffic Manager, which is unconfigured, replace the configuration of older systems. To acquire the configuration files, you run the gtm_add script.
Note

You must run the gtm_add script from the currently unconfigured Global Traffic Manager.

To run the gtm_add script


1. Log on to the unconfigured Global Traffic Manager. In this example, log on to gtm2.siterequest.com.
2. At the command prompt, type gtm_add.
3. Press the y key to start the gtm_add script.
4. Type the IP address of the configured Global Traffic Manager. For this example, type 10.1.1.20.
5. Press Enter.


The gtm_add process begins, acquiring configuration data from the active Global Traffic Manager; in this example, gtm1.siterequest.com. Once the process completes, you have successfully created a redundant system consisting of two Global Traffic Manager systems.
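As an added check for the configuration built in this chapter (example code, not part of this manual and not F5 software): the script below models the settings each unit receives, using the values from Table 9.1, and verifies the invariants the procedures rely on, including the "reverse the values" rule from the Network Failover note for the standby unit. The dictionary keys, the function names and the problem messages are this example's own; the addresses are the chapter's.

```python
"""Consistency check for a Global Traffic Manager redundant pair.

Added example, not F5 code. Each unit's settings are modelled as a dict and
checked for: unit IDs 1 and 2, distinct self IPs on one VLAN subnet, one
shared floating IP that is not a self IP, a listener on that floating IP,
a default gateway on the subnet, crossed Peer Management Addresses, and
mirrored unicast failover Local/Remote addresses.
"""
import ipaddress

# Constructed from Table 9.1 (the SiteRequest values used in this chapter).
GTM1 = {
    "host": "gtm1.siterequest.com", "unit_id": 1,
    "self_ip": "10.1.1.20/24", "floating_ip": "10.1.1.50",
    "mgmt_ip": "192.168.15.16", "peer_mgmt_ip": "192.168.15.17",
    "unicast_local": "10.1.1.20", "unicast_remote": "10.1.1.21",
    "listener": "10.1.1.50", "default_gateway": "10.1.1.100",
}
GTM2 = {
    "host": "gtm2.siterequest.com", "unit_id": 2,
    "self_ip": "10.1.1.21/24", "floating_ip": "10.1.1.50",
    "mgmt_ip": "192.168.15.17", "peer_mgmt_ip": "192.168.15.16",
    "unicast_local": "10.1.1.21", "unicast_remote": "10.1.1.20",
    "listener": "10.1.1.50", "default_gateway": "10.1.1.100",
}


def peer_failover_settings(unit: dict) -> dict:
    """Network Failover values the *other* unit must use, given this unit's:
    its Peer Management Address is this unit's management IP, and its
    Local/Remote addresses are this unit's Remote/Local (the reversal rule)."""
    return {
        "peer_mgmt_ip": unit["mgmt_ip"],
        "unicast_local": unit["unicast_remote"],
        "unicast_remote": unit["unicast_local"],
    }


def check_redundant_pair(a: dict, b: dict) -> list:
    """Return a list of problem strings; an empty list means the pair is consistent."""
    problems = []
    ip_a, ip_b = (ipaddress.ip_interface(u["self_ip"]) for u in (a, b))
    if {a["unit_id"], b["unit_id"]} != {1, 2}:
        problems.append("unit IDs must be 1 and 2")
    if ip_a.network != ip_b.network:
        problems.append("self IPs are not on the same VLAN subnet")
    if ip_a.ip == ip_b.ip:
        problems.append("self IPs must be different")
    if a["floating_ip"] != b["floating_ip"]:
        problems.append("floating IP must be identical on both units")
    floating = ipaddress.ip_address(a["floating_ip"])
    if floating not in ip_a.network:
        problems.append("floating IP is outside the VLAN subnet")
    if floating in (ip_a.ip, ip_b.ip):
        problems.append("floating IP collides with a self IP")
    for me, peer, me_ip in ((a, b, ip_a), (b, a, ip_b)):
        host = me["host"]
        if me["unicast_local"] != str(me_ip.ip):
            problems.append(f"{host}: unicast Local Address must be its own self IP")
        for key, value in peer_failover_settings(peer).items():
            if me[key] != value:
                problems.append(f"{host}: {key} should be {value}, not {me[key]}")
        if me["listener"] != me["floating_ip"]:
            problems.append(f"{host}: listener must use the floating IP")
        if ipaddress.ip_address(me["default_gateway"]) not in me_ip.network:
            problems.append(f"{host}: default gateway is not on the VLAN subnet")
    return problems


if __name__ == "__main__":
    for line in check_redundant_pair(GTM1, GTM2) or ["redundant pair is consistent"]:
        print(line)
```

Feed it the values you actually typed into each unit rather than the ones you intended; the most common slip is leaving the Local and Remote addresses un-reversed on the second unit, which the script reports on both hosts.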


10  Authenticating with SSL Certificates Signed by a Third Party

• Understanding SSL authentication
• Understanding BIG-IP system certificate authentication
• Configuring a level one SSL authentication for a Global Traffic Manager
• Configuring a certificate chain for a Global Traffic Manager system
• Configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager


Understanding SSL authentication


The BIG-IP Global Traffic Manager system uses an encryption protocol, Secure Sockets Layer (SSL) authentication, to verify the authenticity of the credentials of any other system with which it needs to exchange data. For example, a Global Traffic Manager system might send a request to a Local Traffic Manager system that attempts to authenticate the request, and after authenticating the request sends a response back to the Global Traffic Manager system that in turn attempts to authenticate the response.

With SSL authentication, this verification process occurs with the use of a specialized file, called a certificate, which the two systems exchange. The systems then verify the authenticity of the certificate, typically through the use of a Certificate Authority (CA) server, which both systems have previously verified.

SSL supports ten levels of authentication (also known as certificate depth) as described below.

• At level 0, certificates are verified by the system to which they belong. These types of certificates are also known as self-signed certificates.
• At level 1, certificates are authenticated by a CA server that is separate from the system.
• At levels 2 - 9, certificates are authenticated by additional CA servers, which verify the authenticity of other servers. These multiple levels of authentication are referred to as certificate chains, and allow for a tiered verification system that ensures that only authorized communications occur between servers.


Chapter 10

Understanding BIG-IP system certificate authentication


When you install BIG-IP software, it includes a self-signed SSL certificate. A self-signed certificate is an authentication mechanism that is created and authenticated by the system on which it resides. These certificates allow BIG-IP systems to ensure that they are authorized to communicate with other BIG-IP systems on the network. If your network includes one or more CA servers, you can install on each BIG-IP system SSL certificates that are signed by a third party. To configure multiple level system certificate authentication, you must:

• Import to each BIG-IP system the certificates that are necessary to authenticate communications with other BIG-IP systems.

In addition, you must also modify the following two settings.

• Set the Certificate Depth for the gtmd agent
  This setting determines the number of CA servers (often referred to as the authentication chain) that the gtmd agent can traverse to validate the authenticity of another BIG-IP system. You can access this setting through the Configuration utility.
• Set the Big3d.CertificateDepth variable
  This variable determines the number of CA servers that the big3d agent can traverse to validate the authenticity of another BIG-IP system. You access this setting through the command line.
Important

The specified number of certificate levels (certificate depth) that the gtmd agent can traverse must match the specified number for the big3d agent. For example, if the Certificate Depth setting for the gtmd agent is set to 2, then the Big3d.CertificateDepth variable for the big3d agent must also be set to 2. For more information about SSL certificates, see the TMOS Management Guide for BIG-IP Systems.


Configuring a level one SSL authentication for a Global Traffic Manager


To see how you can use certificates signed by a third party with a BIG-IP Global Traffic Manager, consider the fictional company SiteRequest. The network at SiteRequest includes two Global Traffic Manager systems. In addition, SiteRequest uses its own CA server to generate and authenticate SSL certificates for its servers. In this scenario, SiteRequest wants to replace the self-signed certificates of their Global Traffic Manager systems with the company's own SSL certificates.

The following procedures describe how to install the new certificate on each Global Traffic Manager. To accomplish this, you must complete the following tasks on each system:

• Import the root certificate for the gtmd agent.
• Set the certificate depth for the gtmd agent.
• Import the root certificate for the big3d agent.
• Set the Big3d.CertificateDepth variable.
• Import the third-party certificate signed by the CA server.
• Verify the certificate exchange.

For the purposes of this implementation, assume that you already have a signed certificate/key pair and the root certificate from the CA server. A root certificate is a special instance of a certificate chain for which the certificate depth is 1. The following tasks assume that these Global Traffic Manager systems are already synchronized. For more information on how to synchronize Global Traffic Manager systems, see Chapter 7, Ensuring Correct Synchronization When Adding a New Global Traffic Manager.
Important

If you have a Local Traffic Manager system that you want to be able to communicate with the Global Traffic Manager systems, you must also configure the Local Traffic Manager. For more information, see Configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager, on page 10-12.

Importing the root certificate for the gtmd agent


The first task to set up the Global Traffic Manager to use a third-party certificate signed by a CA server is to replace the existing certificate file for the gtmd agent with the root certificate of your CA server.


For this task, perform the following procedure on only one Global Traffic Manager in a synchronization group. The system automatically synchronizes these settings with the other Global Traffic Manager systems in the group.
Important

In this procedure, you must import the root certificate from your CA server into the Configuration utility. Before you start this procedure, ensure that you have this certificate available.

To import the root certificate for the gtmd agent


1. On the Main tab of the navigation pane, expand Global Traffic and click Servers.
2. On the menu bar, click Trusted Server Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate and select the root certificate file.
6. Click Import.

Setting the certificate depth for the gtmd agent


Because, in the previous task, you replaced the certificate file of the gtmd agent with the root certificate of the CA server, you must change the certificate depth for the gtmd agent to 1. For this task, you perform the following procedure on only one Global Traffic Manager. The system then synchronizes these settings with any other Global Traffic Manager systems in its synchronization group.

To set the certificate depth for the gtmd agent


1. On the Main tab of the navigation pane, expand System and then click Configuration.
2. From the Global Traffic menu, choose General.
3. For the Certificate Depth setting, type 1.
4. Click Update.


Importing the root certificate for the big3d agent on the Global Traffic Manager
The next task to set up the Global Traffic Manager to use a third-party certificate signed by a CA server is to import the root certificate of the CA server for the big3d agent. For this task, perform the following procedure on all Global Traffic Manager systems.

To import the root certificate for the big3d agent on the Global Traffic Manager
1. On the Main tab of the navigation pane, expand System and then click Device Certificates.
2. On the menu bar, click Trusted Device Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. In the Certificate Source box, select the Upload File option and then use the Browse button to navigate and select the root certificate file.
6. Click Import.

Setting the Big3d.CertificateDepth variable for the Global Traffic Manager


While the Certificate Depth setting handles the number of certificate levels the gtmd agent can use, it does not affect the big3d agent. To modify the certificate depth for the big3d agent, you must set the bigpipe variable, Big3d.CertificateDepth. For this task, perform the following procedure on all Global Traffic Manager systems.

To set the Big3d.CertificateDepth variable


1. Access the command line for the Global Traffic Manager.
2. At the command line, type the following:

   b db Big3d.CertificateDepth 1

Importing the device certificate signed by the CA server onto the Global Traffic Manager
The final task is to import the device certificate signed by the CA server. For this task, perform the following procedure on all Global Traffic Manager systems.


To import the device certificate


1. On the Main tab of the navigation pane, expand System and then click Device Certificates.
2. Click Import.
3. From the Import Type list, select Certificate and Key. The screen refreshes and provides options to add a new certificate and key.
4. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate and select the certificate signed by the CA server.
5. For the Key Source setting, select the Upload File option and then use the Browse button to navigate and select the device key file.
6. Click Import.

Verifying the certificate exchange


At this point, you can verify that you installed the certificate correctly by running the following commands:
   iqdump <self IP address>
   iqdump <peer IP address>

If the certificate was installed correctly, these commands display a continuous stream of information on the console window.


Configuring a certificate chain for a Global Traffic Manager system


To see how you can use a certificate chain to allow multiple Global Traffic Manager systems to communicate with one another, we again consider the fictional company SiteRequest. This time the network at SiteRequest includes two Global Traffic Manager systems that are already part of the same synchronization group. For more information on how to synchronize Global Traffic Manager systems, see Chapter 7, Ensuring Correct Synchronization When Adding a New Global Traffic Manager. Besides using its own CA server to generate and authenticate SSL certificates for its servers, the company also uses additional CA servers for this purpose. In this scenario, SiteRequest wants to add a certificate chain to the self-signed certificates of their Global Traffic Manager systems.

For the purposes of this implementation, you must first create a file containing a certificate chain that consists of the certificates from each of the additional CA servers that the company uses. Then import this file into the gtmd and big3d agents as shown in Importing a certificate chain for the gtmd agent, on page 10-8, and Importing the certificate chain for the big3d agent, on page 10-9.

Then you complete the following tasks on only one of the Global Traffic Manager systems in the synchronization group. These changes are automatically propagated to the other Global Traffic Manager systems in the group.

• Import the certificate chain for the gtmd agent.
• Set the certificate depth for the gtmd agent.

Finally, you complete the following tasks on each system in the synchronization group.

• Set the Big3d.CertificateDepth variable.
• Import the certificate chain for the big3d agent.
• Import a device certificate.
• Verify the certificate exchange.


Importing a certificate chain for the gtmd agent


The first task in configuring a certificate chain for a BIG-IP system is to replace the existing certificate with the file containing the certificate chain for the gtmd agent. To do this, perform the following two procedures. First create a certificate chain file, and then import the certificate chain onto the Global Traffic Manager system.

To create a certificate chain file for the Global Traffic Manager


1. Using a text editor, create an empty file for the certificate chain.
2. Still using a text editor, copy an individual certificate from its own certificate file and paste the certificate into the file you created in step 1.
3. Repeat step 2 for each certificate that you want to include in the certificate chain.

When you are finished, you should have a certificate chain file that contains all certificates that you want to include in the certificate chain.
Important

Before you perform the following procedure, ensure that the file containing the certificate chain is accessible from the Global Traffic Manager system that you want to configure.

To import the certificate chain file


1. On the Main tab of the navigation pane, expand Global Traffic and click Servers.
2. On the menu bar, click Trusted Server Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate and select the certificate chain file.
6. Click Import.


Setting the certificate depth for the gtmd agent


After you import the file containing the certificate chain, you must change the certificate depth for the gtmd agent. For this task, perform the following procedure on only one Global Traffic Manager. The system then synchronizes these settings with all other Global Traffic Manager systems in the synchronization group.

To set the certificate depth for the gtmd agent


1. On the Main tab of the navigation pane, expand System and then click Configuration.
2. From the Global Traffic menu, choose General.
3. For the Certificate Depth setting, type 2.
   Note: If you have multiple levels of CA servers in your network, you increase this setting for each level.
4. Click Update.

Setting the Big3d.CertificateDepth variable


The certificate depth must be the same for the gtmd and big3d agents. As shown in the previous procedure, the Certificate Depth setting in the Configuration utility handles the number of certificate levels the gtmd agent can use. However, to modify the certificate depth for the big3d agent, you must set the bigpipe variable, Big3d.CertificateDepth. For this task, perform the following procedure on all Global Traffic Manager systems.

To set the Big3d.CertificateDepth variable


1. Access the command line for the Global Traffic Manager.
2. At the command line, type the following:

   b db Big3d.CertificateDepth 2

Importing the certificate chain for the big3d agent


The next task in configuring a certificate chain for a BIG-IP system is to replace the existing certificate with the file containing the certificate chain for the big3d agent.


For this task, perform the following procedure on all Global Traffic Manager systems.
Important

Before you start this procedure, make sure that the file containing the certificate chain is accessible from all of the Global Traffic Managers that you want to configure.

To import the certificate chain for the big3d agent


1. On the Main tab of the navigation pane, expand System and then click Device Certificates.
2. On the menu bar, click Trusted Device Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate and select the certificate chain file.
6. Click Import.

Importing a device certificate


The final task in configuring a certificate chain is to import a device certificate signed by the last CA in the certificate chain. For this task, perform the following procedure on all Global Traffic Manager systems.

To import a device certificate


1. On the Main tab of the navigation pane, expand System and then click Device Certificates.
2. Click Import.
3. From the Import Type list, select Certificate and Key.
4. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate and select the device certificate.
5. For the Key Source setting, select the Upload File option and then use the Browse button to navigate and select the device key file.
6. Click Import.


Verifying the certificate chain exchange


At this point, you can verify that you installed the certificate chain correctly by running the following commands on each Global Traffic Manager system:
   iqdump <self IP address>
   iqdump <peer IP address>

If you installed the certificate chain correctly, these commands display a continuous stream of information in the console window.


Configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager
If you are configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager system, you must configure the Local Traffic Manager system so that it can communicate with the Global Traffic Manager system using SSL authentication. Before you import SSL certificates to a Local Traffic Manager, you must perform the following tasks for the big3d agent on each Local Traffic Manager system:

• Set the certificate depth for the big3d agent.
• Replace the self-signed certificate for the big3d agent on the Local Traffic Manager with a root certificate or a certificate chain.
• Import a device certificate signed by the last CA server in the chain.

Before you import SSL certificates onto the Local Traffic Manager, make sure that:

• Self-signed certificates are installed on all Local Traffic Manager systems on your network.
• Your network includes its own CA server to generate certificates signed by a third party.
• You want to replace the self-signed certificates on the Local Traffic Manager systems with certificates that the CA server has generated.

The remainder of this chapter describes how to configure SSL certificates on a Local Traffic Manager system for the purpose of communicating with Global Traffic Manager systems.


Setting certificate depth for the big3d agent on the Local Traffic Manager
For BIG-IP systems to communicate successfully, the specified number of certificate levels that the big3d agent on the Local Traffic Manager can traverse must match the number of certificate levels that the gtmd agent on the Global Traffic Manager can traverse. For example, if the Certificate Depth setting for gtmd is set to 2, then the Big3d.CertificateDepth variable for big3d must also be set to 2. For more information about setting the certificate depth for the gtmd agent, see Setting the certificate depth for the gtmd agent, on page 10-4. You must set the certificate depth on all Local Traffic Manager systems on the network.

To set the Big3d.CertificateDepth variable on the Local Traffic Manager


1. Access the command line for the Local Traffic Manager.
2. At the command line, type the following:
   b db Big3d.CertificateDepth <integer>

Important

After you configure the certificate depth for the big3d agent, you must import either a root certificate or a certificate chain, but not both.

Replacing the self-signed certificate for the big3d agent on the Local Traffic Manager
You can replace the existing self-signed certificate for the big3d agent by importing either the root certificate of a CA server or a certificate chain.

To import the root certificate for the big3d agent on the Local Traffic Manager
1. On the Main tab of the navigation pane, expand System and then click Device Certificates.
2. On the menu bar, click Trusted Device Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate to and select the root certificate file.
6. Click Import.


Chapter 10

If you choose to import a certificate chain, you need to first create a certificate chain file, and then import the entire certificate chain on to the Local Traffic Manager system.

To create a certificate chain file for the Local Traffic Manager


1. Using a text editor, create an empty file for the certificate chain.
2. Still using a text editor, copy an individual certificate from its own certificate file and paste the certificate into the file you created in step 1.
3. Repeat step 2 for each certificate that you want to include in the certificate chain.
Important

Before you perform the following procedure, ensure that the file containing the certificate chain is accessible from all of the Local Traffic Manager systems that you want to configure.

To import the certificate chain for the big3d agent on the Local Traffic Manager
1. On the Main tab of the navigation pane, expand System, and then click Device Certificates.
2. On the menu bar, click Trusted Device Certificates.
3. Click Import.
4. From the Import Method list, select Replace.
5. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate to and select the certificate chain file that you created in the previous procedure, To create a certificate chain file for the Local Traffic Manager.
6. Click Import.
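The chain file from the two procedures above can be assembled and sanity-checked with a small script such as the following, added here as an example that is not part of the manual or of the BIG-IP software: it copies exactly one PEM certificate block from each input file into the chain file, in the order you list them, rejects files that hold zero or several blocks, and reports how many certificate levels the chain contains, a count to compare with the Big3d.CertificateDepth value you set earlier. The files it builds for its demo are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Assemble a certificate chain file for the big3d agent from individual PEM
# certificate files. Hypothetical helper written for this example; it is not
# part of the BIG-IP product or of the manual.

# count_certs FILE: print the number of PEM certificate blocks in FILE.
# grep -c prints 0 and exits non-zero when nothing matches, so the exit
# status is masked to keep the count usable under "set -e".
count_certs() {
    grep -c 'BEGIN CERTIFICATE-----' "$1" || true
}

# build_chain OUTFILE CERT...: write the certificates into OUTFILE in the
# order given, one PEM block per input file, and print the number of levels.
# Refuses any input that is unreadable or does not hold exactly one block,
# so a stray bundle or an empty file cannot silently corrupt the chain.
build_chain() {
    out=$1
    shift
    : > "$out"
    levels=0
    for cert in "$@"; do
        if [ ! -r "$cert" ]; then
            echo "error: cannot read $cert" >&2
            return 1
        fi
        n=$(count_certs "$cert")
        if [ "$n" -ne 1 ]; then
            echo "error: $cert holds $n certificate blocks, expected exactly 1" >&2
            return 1
        fi
        # Copy only the PEM block itself, dropping any surrounding text such
        # as the human-readable dump some tools place before the block.
        awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
             p { print }
             /-----END CERTIFICATE-----/ { p = 0 }' "$cert" >> "$out"
        levels=$((levels + 1))
    done
    echo "$levels"
}

# demo_chain: build a three-level chain from constructed placeholder files
# (fake PEM bodies, not real certificates) and print the level count.
demo_chain() {
    dir=$(mktemp -d)
    for name in intermediate2 intermediate1 root; do
        printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
            "PLACEHOLDER-$name" '-----END CERTIFICATE-----' > "$dir/$name.crt"
    done
    build_chain "$dir/chain.pem" "$dir/intermediate2.crt" \
        "$dir/intermediate1.crt" "$dir/root.crt"
    rm -rf "$dir"
}
```

The order of the certificates is the order you pass them; the script does not decide which certificate issued which.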


Importing a device certificate onto the Local Traffic Manager


The final task in configuring a certificate chain is to import a device certificate signed by the last CA in the certificate chain. For this task, perform the following procedure on all Local Traffic Manager systems.

To import a device certificate


1. On the Main tab of the navigation pane, expand System and then click Device Certificates.
2. Click Import.
3. From the Import Type list, select Certificate and Key.
4. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate to and select the device certificate.
5. For the Key Source setting, select the Upload File option and then use the Browse button to navigate to and select the device key file.
6. Click Import.


11
Monitoring Third-Party Servers with SNMP

Overview of SNMP
Assigning the SNMP monitor to a third-party server


Overview of SNMP
SNMP, or Simple Network Management Protocol, is frequently used to acquire data from different network systems. At the core of SNMP is a MIB, or Management Information Base, which specifies the data available on a given system. In a BIG-IP system environment, you typically use SNMP for acquiring information about the health of a third-party server. To accomplish this, you assign an SNMP monitor to a server currently running SNMP. This monitor can then provide information on the availability of that server.

Assigning the SNMP monitor to a third-party server


To see how you can use SNMP to monitor a third-party server, consider the fictional company, SiteRequest. SiteRequest has a server that contains several resources related to one of its web applications. This server is not a BIG-IP system; however, it does have SNMP running. As a result, the IT department has opted to use the SNMP monitor included with the Global Traffic Manager to track the availability of the server. To use SNMP to acquire information about this server, you must perform the following tasks:
• Add the server to the Global Traffic Manager configuration.
• Add a virtual server to the server.
• Create an SNMP monitor.
• Assign the monitor to the server.

For the purposes of this example, you use the server name SiteRequest Resource, which has an IP address of 10.0.1.25. You also use the data center name, SiteRequest-main. In this example, you have already created the data center.

Adding the server


The first task in monitoring a server running SNMP requires you to add the server to the Global Traffic Manager configuration. In this example you add the server, SiteRequest Resource, to the network. This server has the IP address 10.0.1.25.


Chapter 11

To add the server


1. On the Main tab of the navigation pane, expand Global Traffic and then click Servers.
2. Click Create.
3. In the Name box, type the name of the server. For this example, type SiteRequest Resource.
4. From the Product list, select the server type. For this example, select Generic Host.
5. For the Address List setting, complete the following tasks:
   • In the Address box, type the IP address of the server. For this example, type 10.0.1.25.
   • Click Add.
6. From the Data Center list, select the data center to which the server belongs. For this example, select SiteRequest-main.
7. Locate the Resources area, which is close to the bottom of the screen, and from the Virtual Server List option, select Disabled.
8. Click Create.

Adding a virtual server


One of the requirements of the SNMP monitor on the Global Traffic Manager is that you must assign a virtual server to the server being monitored. Without this virtual server, the SNMP monitor cannot acquire information about the system. For this example, you add a virtual server, vs-generic-1, with an IP address of 10.100.100.5, to the server you created in the previous section.

To add a virtual server


1. On the Main tab of the navigation pane, expand Global Traffic and click Servers.
2. Click the name of the server to which you want to add virtual servers. For this example, click the link for SiteRequest Resource.
3. On the menu bar, click Virtual Servers.
4. Click Add.
5. In the Name box, type the name of the virtual server. For this example, type the name vs-generic-1.
6. In the Address box, type the IP address of the virtual server. For this example, type the IP address 10.100.100.5.
7. Click Create.

Creating an SNMP monitor


Now that the server is in the Global Traffic Manager configuration, you can create an SNMP monitor. For the purposes of this example, the default values assigned to an SNMP monitor are sufficient for SiteRequest's server. In this example, you create an SNMP monitor called SiteRequest-SNMP. This monitor uses the default SNMP monitor settings.

To create an SNMP monitor


1. On the Main tab of the navigation pane, expand Global Traffic and then click Monitors.
2. Click Create.
3. In the Name box, type the name of the monitor. For this example, type SiteRequest-SNMP.
4. From the Type list, select a monitor type. For this example, select SNMP.
5. Click Finished.

Assigning the monitor


You can now assign the new custom SNMP monitor to the server.

To assign the SNMP monitor


1. On the Main tab of the navigation pane, expand Global Traffic and then click Servers.
2. Click the server name, SiteRequest Resource.
3. For the Health Monitors setting, select SiteRequest-SNMP from the Available list and then use the Move [<<] button to move the monitor to the Selected list. Note: This ensures that the monitor starts to check the availability of the server.
4. Click Update.

You now have an SNMP monitor assigned to a third-party server within the Global Traffic Manager configuration. The system can now use this monitor to verify that the server is available for load balancing DNS requests.


12
Using tmsh to Set Up Implementations

Using tmsh for different implementations
Setting up a stand-alone system
Adding a system to a network that contains Local Traffic Manager systems
Adding a system to a network that contains other Global Traffic Manager systems


Using tmsh for different implementations


This chapter describes three different implementations in which you provision and configure the Global Traffic Manager using the Traffic Management Shell (tmsh). Refer to these topics:
• Setting up a stand-alone system, on page 12-2
• Adding a system to a network that contains Local Traffic Manager systems, on page 12-10
• Adding a system to a network that contains other Global Traffic Manager systems, on page 12-17

These implementations focus on the fictional company, SiteRequest. They assume that you have already installed and licensed the BIG-IP system software, and have either run the Setup utility or used tmsh to configure the basic network elements. When you use tmsh commands to configure the Global Traffic Manager, the system automatically saves the configuration changes in the file /config/gtm/wideip.conf. Note that only users with the Administrator or Resource Administrator role assigned to their user accounts on the BIG-IP system can access tmsh.
WARNING

You must provision the Global Traffic Manager before you configure it; otherwise, you lose the system configuration when you provision the system.


Chapter 12

Setting up a stand-alone system


In the first implementation, SiteRequest has purchased a stand-alone Global Traffic Manager to use in its North American data center. SiteRequest wants to use the system to handle DNS requests for and load balance traffic to www.siterequest.com, and its aliases www.store.siterequest.com and www.checkout.siterequest.com. SiteRequest wants the system to respond to these DNS requests on the IP address 192.168.5.17 and to load balance the traffic to two virtual servers on the system: 10.1.6.100:http and 10.1.6.101:80. To configure a stand-alone Global Traffic Manager, complete the following tasks using tmsh:
• Provision the system
• Configure the global settings
• Create a data center
• Define a server
• Create virtual servers
• Create a pool
• Create a wide IP
• Create a listener


Provisioning the system


You must provision the Global Traffic Manager before you configure it. Provisioning apportions CPU, memory, and disk space among the system software modules.
Note

A stand-alone Global Traffic Manager includes a Local Traffic Manager that is provisioned at the nominal level by default.

To provision the system


1. Log on to the command line interface of the Global Traffic Manager.
2. Type tmsh to access the Traffic Management Shell.
3. Run this command sequence:
   modify /sys provision gtm level nominal
   save sys config
   list /sys provision

The system displays the provision configuration, as shown in Figure 12.1.


root@big-ip1(Active)(tmos)# list /sys provision
sys provision gtm {
    level nominal
}
sys provision lc { }
sys provision ltm {
    level nominal
}
root@big-ip1(Active)(tmos)#

Figure 12.1 Results of list command for sample system provision
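The WARNING at the start of this chapter is the reason to check provisioning before configuring anything. The following preflight script, added here as an example that is not part of the manual or of the BIG-IP product, parses list /sys provision output shaped like Figure 12.1 and succeeds only when gtm has a provisioning level; the parser is generic for flat tmsh blocks, so it also reads fields such as the address out of list listener output. The two sample outputs embedded in it are constructed for the example.

```shell
#!/bin/sh
# Read fields out of tmsh "list" output. Hypothetical helpers written for this
# example; they are not part of the BIG-IP product or of the manual.

# tmsh_field "HEADER WORDS" FIELD: read tmsh list output on stdin, locate the
# block whose opening line starts with the header words (for example
# "sys provision gtm" or "gtm listener gtm1_listener") and print the value
# that follows FIELD inside it. Prints "none" when the block has no such
# field (an empty block such as "sys provision lc { }") and "absent" when no
# block matches. Handles flat blocks only: nested braces, as in server
# output, are split at the inner "}" and are out of scope here.
tmsh_field() {
    awk -v hdr="$1" -v fld="$2" '
        BEGIN { RS = "}"; n = split(hdr, h, " ") }
        {
            for (i = 1; i + n - 1 <= NF; i++) {
                ok = 1
                for (k = 1; k <= n; k++)
                    if ($(i + k - 1) != h[k]) { ok = 0; break }
                if (!ok) continue
                val = "none"
                for (j = i + n; j < NF; j++)
                    if ($j == fld) { val = $(j + 1); break }
                print val
                found = 1
                exit
            }
        }
        END { if (!found) print "absent" }'
}

# provision_level MODULE: level of MODULE from "list /sys provision" on stdin
provision_level() {
    tmsh_field "sys provision $1" level
}

# gtm_provisioned: succeed only when gtm has a level other than none, that
# is, the module is provisioned and it is safe to start configuring it.
gtm_provisioned() {
    case "$(provision_level gtm)" in
        none|absent) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample outputs in the shape of Figures 12.1 and 12.7.
SAMPLE_PROVISION='root@big-ip1(Active)(tmos)# list /sys provision
sys provision gtm {
    level nominal
}
sys provision lc { }
sys provision ltm {
    level nominal
}
root@big-ip1(Active)(tmos)#'

SAMPLE_LISTENER='root@big-ip1(Active)(tmos.gtm)# list listener gtm1_listener
gtm listener gtm1_listener {
    address 192.168.5.17
    ip-protocol udp
}
root@big-ip1(Active)(tmos.gtm)#'

# Typical use on the system itself: pipe live output in and stop if gtm is
# not provisioned yet.
#   tmsh list /sys provision | gtm_provisioned || { echo "provision gtm first" >&2; exit 1; }
```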


Configuring the global settings


After you provision the system, F5 Networks recommends that you configure the system so that it does not run the Setup utility when a user opens the Configuration utility. To do this, run this command:
   modify /sys db setup.run value false

Creating a data center


The next task is to create a data center that groups the resources on your network that share the same subnet. The Global Traffic Manager consolidates the paths and metrics data collected from those resources into the data center, and uses that data to conduct load balancing operations. In this scenario, SiteRequest wants to use the Global Traffic Manager in its North American data center.
Important

You must configure at least one data center before you can add servers to the Global Traffic Manager configuration.

To create a data center


1. Navigate to the tmsh gtm module.
2. Run this command sequence:
   create datacenter north_america
   list datacenter north_america all-properties

The system displays the data center configuration, as shown in Figure 12.2.

root@big-ip1(Active)(tmos.gtm)# list datacenter north_america
gtm datacenter north_america {
    contact none
    enabled
    location none
}
root@big-ip1(Active)(tmos.gtm)#

Figure 12.2 Results of list command for sample data center


Defining a server
After you create a data center, the next task is to configure the Global Traffic Manager to respond to DNS requests with the IP address 192.168.5.17. To do this, create a server in the north_america data center that represents the system itself. Assign a bigip monitor to the server to track the status of the server.
Important

Each server can belong to only one data center.

To define a server
1. Navigate to the tmsh gtm module.
2. Run this command sequence:
   create server gtm1 datacenter north_america monitor bigip addresses add { 192.168.5.17 }
   list server gtm1 all-properties

The system displays the server configuration, as shown in Figure 12.3.


root@big-ip1(Active)(tmos.gtm)# list server gtm1 all-properties
gtm server gtm1 {
    addresses {
        192.168.5.17 {
            ...
        }
    }
    datacenter north_america
    enabled
    ...
}
root@big-ip1(Active)(tmos.gtm)#

Figure 12.3 Results of list command for sample server


Creating virtual servers to host the site content


After you create a server, add virtual servers to the server. A virtual server, in this context, is a specific IP address and port number that points to the server you created in the previous task. SiteRequest wants to load balance the traffic to www.siterequest.com across virtual servers with these IP addresses: 10.1.6.100:http and 10.1.6.101:80.

To create virtual servers


1. Navigate to the tmsh gtm module.
2. Run this command sequence:
   modify server gtm1 virtual-servers add { 10.1.6.100:http 10.1.6.101:80 }
   list server gtm1 all-properties

The system displays the server configuration, as shown in Figure 12.4.


root@big-ip1(Active)(tmos.gtm)# list server gtm1
gtm server gtm1 {
    addresses {
        192.168.5.17 {
            ...
        }
    }
    datacenter north_america
    ...
    monitor bigip
    ...
    virtual-servers {
        10.1.6.100:http {
            ...
        }
        10.1.6.101:http {
            ...
        }
    }
}
root@big-ip1(Active)(tmos.gtm)#

Figure 12.4 Results of list command for sample server with virtual servers


Creating a pool
Now that you have created virtual servers, create a pool that the Global Traffic Manager uses to load balance traffic to those virtual servers.

To create a pool
1. Navigate to the tmsh gtm module.
2. Run this command sequence:
   create pool my_pool members add { 10.1.6.100:http 10.1.6.101:80 }
   list pool my_pool all-properties

The system displays the pool configuration, as shown in Figure 12.5.


root@big-ip1(Active)(tmos.gtm)# list pool my_pool
gtm pool my_pool {
    ...
    members {
        10.1.6.100:http {
            ...
        }
        10.1.6.101:http {
            order 1
            ...
        }
        ...
    }
}
root@big-ip1(Active)(tmos.gtm)#

Figure 12.5 Results of list command for sample pool


Creating a wide IP
After you create a pool, create a wide IP that maps www.siterequest.com to the virtual servers you previously created. To do this, add the pool with the virtual servers to the wide IP. You can also add aliases for the domain name to the wide IP. SiteRequest wants to create the wide IP www.siterequest.com and add to it the aliases www.store.siterequest.com and www.checkout.siterequest.com.

To create a wide IP
1. Navigate to the tmsh gtm module.
2. Run this command sequence:
   create wideip www.siterequest.com pools add { my_pool } aliases add { www.store.siterequest.com www.checkout.siterequest.com }
   list wideip www.siterequest.com all-properties

The system displays the wide IP configuration, as shown in Figure 12.6.


root@big-ip1(Active)(tmos.gtm)# list wideip www.siterequest.com
gtm wideip www.siterequest.com {
    aliases {
        www.store.siterequest.com
        www.checkout.siterequest.com
    }
    ...
    pools {
        my_pool {
            ...
        }
    }
    ...
}
root@big-ip1(Active)(tmos.gtm)#

Figure 12.6 Results of list command for sample wide IP


Creating a listener
To configure the Global Traffic Manager to communicate with the rest of your network, create a listener that monitors the network for DNS queries that are destined for its IP address 192.168.5.17.
Note

The system automatically saves listeners that you create.

To create a listener
1. Navigate to the tmsh gtm module.
2. Run this command sequence:
   create listener gtm1_listener address 192.168.5.17

   The IP address 192.168.5.17 does not match a self IP address on the system; therefore, the system saves the listener in the file bigip.conf. Note: The system saves listeners with IP addresses that match a self IP address on the system in the file bigip_local.conf.

   list listener gtm1_listener all-properties

The system displays the listener configuration, as shown in Figure 12.7.


root@big-ip1(Active)(tmos.gtm)# list listener gtm1_listener
gtm listener gtm1_listener {
    address 192.168.5.17
    ip-protocol udp
    ...
}
root@big-ip1(Active)(tmos.gtm)#

Figure 12.7 Results of list command for sample listener

The Global Traffic Manager is now configured to process DNS requests for and load balance traffic to www.siterequest.com.


Adding a system to a network that contains Local Traffic Manager systems


In the second implementation, SiteRequest already has BIG-IP Local Traffic Manager systems in its data center. SiteRequest wants to add a new Global Traffic Manager system to its South American data center to respond to DNS requests on the IP address 192.168.5.18. To configure the new Global Traffic Manager, complete the following tasks using tmsh:
• Provision the system
• Create a data center
• Define a server for the system
• Define servers for the Local Traffic Manager systems
• Run either the bigip_add or big3d_install utility
• Create a listener


Provisioning the system


You must provision the Global Traffic Manager before you configure it. Provisioning apportions CPU, memory, and disk space among the system software modules.

To provision the system


1. Log on to the command line interface of the Global Traffic Manager.
2. Type tmsh to access the Traffic Management Shell.
3. Run this command sequence:
   modify /sys provision gtm level nominal
   save sys config
   list /sys provision

The system displays the provision configuration, as shown in Figure 12.8.


root@big-ip2(Active)(tmos)# list /sys provision
sys provision gtm {
    level nominal
}
sys provision lc { }
sys provision ltm {
    level nominal
}
root@big-ip2(Active)(tmos)#

Figure 12.8 Results of list command for sample system provision


Creating a data center


The next task is to create a data center to associate the resources on your network that share the same subnet. The Global Traffic Manager consolidates the paths and metrics data collected from the resources into the data center, and uses that data to conduct load balancing operations. In this scenario, SiteRequest wants to use the Global Traffic Manager in its South American data center.

To create a data center


1. Navigate to the tmsh gtm module.
2. Run this command sequence:
   create datacenter south_america
   list datacenter south_america all-properties

The system displays the data center configuration, as shown in Figure 12.9.
root@big-ip2(Active)(tmos.gtm)# list datacenter south_america
gtm datacenter south_america {
    contact none
    enabled
    location none
}
root@big-ip2(Active)(tmos.gtm)#

Figure 12.9 Results of list command for sample data center


Defining a server for the system


After you create a data center, the next task is to configure the Global Traffic Manager to respond to DNS requests with the IP address 192.168.5.18. To do this, create a server in the south_america data center that represents the system itself. Assign a bigip monitor to the server to track the status of the server.
Important

Each server can belong to only one data center.

To define a server for the system


1. Navigate to the tmsh gtm module.
2. Run this command sequence:
   create server gtm2 datacenter south_america monitor bigip addresses add { 192.168.5.18 }
   list server gtm2 all-properties

The system displays the server configuration, as shown in Figure 12.10.


root@big-ip2(Active)(tmos.gtm)# list server gtm2
gtm server gtm2 {
    addresses {
        192.168.5.18 {
            ...
        }
    }
    datacenter south_america
    ...
    monitor bigip
    ...
}
root@big-ip2(Active)(tmos.gtm)#

Figure 12.10 Results of list command for sample server


Defining servers for the Local Traffic Manager systems


After you create a server for the Global Traffic Manager itself, create a server on the Global Traffic Manager for each of the other BIG-IP systems on your network.
Important

Each server can belong to only one data center.

To define servers for the Local Traffic Manager systems


1. Navigate to the tmsh gtm module.
2. Run this command sequence:
   create server ltm1 datacenter south_america monitor bigip addresses add { 192.168.5.1 }
   create server ltm2 datacenter south_america monitor bigip addresses add { 192.168.5.2 }
   list server

The system displays the server configuration, as shown in Figure 12.11.


root@big-ip2(Active)(tmos.gtm)# list server gtm2
gtm server gtm2 {
    addresses {
        192.168.5.18 { }
    }
    datacenter south_america
    monitor bigip
}
ltm server ltm1 {
    addresses {
        192.168.5.1 { }
    }
    datacenter south_america
    monitor bigip
}
ltm server ltm2 {
    addresses {
        192.168.5.2 { }
    }
    datacenter south_america
    monitor bigip
}
root@big-ip2(Active)(tmos.gtm)#

Figure 12.11 Results of list command for sample server


Running the bigip_add or big3d_install utility


The next task is to run a utility to add the new Global Traffic Manager to the network. Run one of the following utilities based on your network configuration:
• If the other BIG-IP systems on the network are running the same version of the big3d agent, run the bigip_add utility.
• If the other BIG-IP systems on the network are running an earlier version of the big3d agent, run the big3d_install utility.

To run the bigip_add utility


1. Navigate to the tmsh gtm module.
2. Run this command:
   run bigip_add

The utility exchanges the appropriate SSL certificates, and authorizes communications between the Global Traffic Manager and the other BIG-IP systems for which you defined servers in the previous task.

To run the big3d_install utility


1. Navigate to the tmsh gtm module.
2. Run one of these commands:
   • run big3d_install
     The utility exchanges the appropriate SSL certificates, authorizes communications between the Global Traffic Manager and the BIG-IP systems for which you defined servers in the previous task, and automatically updates the big3d agents on all the devices.
   • run big3d_install <IP addresses of existing BIG-IP systems>
     The utility exchanges the appropriate SSL certificates, authorizes communications between the Global Traffic Manager and the BIG-IP systems specified in the command sequence, and automatically updates the big3d agents on all the devices.


Creating a listener
The last task is to configure the Global Traffic Manager to communicate with the rest of the network. To do this, create a listener that monitors the network for DNS queries that are destined for its IP address 192.168.5.18.
Note

When you create a listener, the system automatically saves the listener.

To create a listener
1. Navigate to the tmsh gtm module.
2. Run this command sequence:
   create listener gtm2_listener address 192.168.5.18

   The system saves the listener in the file bigip_local.conf, because the listener has an IP address that matches a self IP address on the system. Note: The system saves, to the file bigip.conf, listeners with IP addresses that do not match self IP addresses on the system.

   list listener gtm2_listener

The system displays the listener configuration, as shown in Figure 12.12.


root@big-ip2(Active)(tmos.gtm)# list listener gtm2_listener
gtm listener gtm2_listener {
    address 192.168.5.18
    ip-protocol udp
    ...
}
root@big-ip2(Active)(tmos.gtm)#

Figure 12.12 Results of list command for sample listener

You have successfully added the Global Traffic Manager to a network that contains BIG-IP systems. The systems are synchronized and the Global Traffic Manager is configured to respond to DNS requests on 192.168.5.18.


Adding a system to a network that contains other Global Traffic Manager systems
In the third implementation, SiteRequest purchased another Global Traffic Manager to use in its Asian data center. SiteRequest wants to add the new system to a synchronization group that contains the original Global Traffic Manager. It wants to configure the new system to respond to DNS requests on the IP address 192.168.5.19. To add a Global Traffic Manager using tmsh, complete the following tasks.
• Provision the new system
• On an existing Global Traffic Manager that you want to be in the same synchronization group as the new system:
  • Create a data center
  • Define a server for the new system
  • Add a synchronization group
• On the new system:
  • Run the gtm_add utility
  • Create a listener


Provisioning the new system


You must provision the Global Traffic Manager before you configure it. Provisioning apportions CPU, memory, and disk space among the system software modules.

To provision the new system


1. Log on to the command line interface of the new Global Traffic Manager.
2. Type tmsh to access the Traffic Management Shell.
3. Run this command sequence:
   modify /sys provision gtm level nominal
   save sys config
   list /sys provision

The system displays the provision configuration, as shown in Figure 12.13.


root@big-ip3(Active)(tmos)# list /sys provision
sys provision gtm {
    level nominal
}
sys provision lc { }
sys provision ltm {
    level nominal
}
root@big-ip3(Active)(tmos)#

Figure 12.13 Results of the list command for sample system provision


Creating a data center on an existing system


Now that you have provisioned the new Global Traffic Manager, create a new data center on an existing Global Traffic Manager. In this implementation, SiteRequest wants to create an Asian data center.

To create a new data center on an existing system


1. Navigate to the tmsh gtm module.
2. Run this command sequence:
   create datacenter asia
   list datacenter asia all-properties

The system displays the data center configuration, as shown in Figure 12.14.
root@big-ip4(Active)(tmos.gtm)# list datacenter asia
gtm datacenter asia {
    contact none
    enabled
    location none
}
root@big-ip4(Active)(tmos.gtm)#

Figure 12.14 Results of list command for sample data center


Defining a server for the new system on an existing system


After you create a data center, the next task is to configure the new Global Traffic Manager to respond to DNS requests with the IP address 192.168.5.19. To do this, on the existing Global Traffic Manager on which you performed the previous task, create a server in the asia data center that represents the new Global Traffic Manager system. Assign a bigip monitor to the server to track the status of the server.
Important

Each server can belong to only one data center.

To create a server for the new system on an existing system


1. Navigate to the tmsh gtm module.
2. Run this command sequence:
   create server gtm3 datacenter asia monitor bigip addresses add { 192.168.5.19 }
   list server gtm3

The system displays the server configuration, as shown in Figure 12.15.


root@big-ip4(Active)(tmos.gtm)# list server gtm3
gtm server gtm3 {
    addresses {
        192.168.5.19 {
            ...
        }
    }
    datacenter asia
    ...
    monitor bigip
    ...
}
root@big-ip4(Active)(tmos.gtm)#

Figure 12.15 Results of list command for sample server


Adding a synchronization group to an existing system


Now, create the worldwide synchronization group on the existing Global Traffic Manager on which you performed the previous task.

To add a synchronization group to an existing system


1. Navigate to the tmsh gtm module.
2. Run this command:
   modify settings general synchronization-group-name worldwide

The system is now a member of the worldwide synchronization group.

Running the gtm_add utility


The next task is to run a utility on the new Global Traffic Manager to add it to the network.
WARNING

Run the gtm_add utility on only the new Global Traffic Manager. If you run this utility on existing systems, you will replace the existing systems' configurations with that of the minimally configured new system.

To run the gtm_add utility


1. Navigate to the tmsh gtm module.
2. Run this command:
   run gtm_add <IP address of another Global Traffic Manager in the synchronization group>

3. Based on your network configuration, respond to the prompts that display. Note that if your system has a FIPS hardware security module (HSM), the utility detects the card and prompts you for a series of responses.

The utility adds the new Global Traffic Manager to the network. The new system has the same configuration as the other systems in the synchronization group.


Creating a listener
To configure the new Global Traffic Manager to communicate with the rest of your network, create a listener that monitors the network for DNS queries that are destined for its IP address 192.168.5.19.
Note

The system automatically saves listeners that you create.

To create a listener
1. Navigate to the tmsh gtm module.
2. Run these commands:
   create listener gtm3_listener address 192.168.5.19

   The system automatically saves the listener in the file bigip_local.conf, because the listener has an IP address that matches a self IP address on the system. Note: The system saves to the file bigip.conf listeners with IP addresses that do not match self IP addresses on the system.

   list listener gtm3_listener

The system displays the listener configuration, as shown in Figure 12.16.


root@big-ip3(Active)(tmos.gtm)# list listener gtm3_listener
gtm listener gtm3_listener {
    address 192.168.5.19
    ip-protocol udp
    ...
}
root@big-ip3(Active)(tmos.gtm)#

Figure 12.16 Results of list command for sample listener

You have successfully added the Global Traffic Manager to a network that contains a Global Traffic Manager system. The systems are synchronized and the new Global Traffic Manager is configured to respond to DNS requests on 192.168.5.19.

Glossary

A record
The A record is the ADDRESS resource record that a Global Traffic Manager returns to a local DNS server in response to a name resolution request. The A record contains a variety of information, including one or more IP addresses that resolve to the requested domain name. See also DNS.

active unit
In a redundant system configuration, the active unit is the system that currently load balances connections. If the active unit fails, the standby unit assumes control and begins to load balance connections. See also redundant system.

authentication chain
Authentication chain is a term used to describe several web certificates that Global Traffic Manager must follow to verify the authenticity of another system. With an authentication chain, Global Traffic Manager requests additional web certificates until it identifies one that is verified by a trusted certificate authority server.

authoritative DNS
The authoritative DNS is a nameserver that is authoritative for the DNS zone. See also DNS, secondary DNS, and zone.

big3d agent
The big3d agent is a monitoring agent that collects metrics information about server performance and network paths between a data center and a specific local DNS server. The Global Traffic Manager uses the information collected by the big3d agent for dynamic load balancing.

BIND (Berkeley Internet Name Domain)
BIND is the most common implementation of the Domain Name System (DNS). BIND provides a system for matching domain names to IP addresses. For more information, refer to http://www.isc.org/products/BIND.

certificate
A certificate is an online credential signed by a trusted certificate authority and used for SSL network traffic as a method of authentication.

certificate chain
Certificate chains are multiple levels of certificates authenticated by additional CA servers, which verify the authenticity of other servers. This allows for a tiered verification system that ensures only authorized communications occur between servers.

certificate authority (CA)
A certificate authority is an external, trusted organization that issues a signed digital certificate to a requesting computer system for use as a credential to obtain authentication for SSL network traffic.

certificate depth
Certificate depth refers to the number of web certificates Global Traffic Manager can use to verify the authenticity of another BIG-IP system. Also referred to as authentication chain.

CNAME record
A canonical name (CNAME) record acts as an alias to another domain name. A canonical name and its alias can belong to different zones, so the CNAME record must always be entered as a fully qualified domain name. CNAME records are useful for setting up logical names for network services so that they can be easily relocated to different physical hosts. See also DNS and domain name.

Configuration utility
The Configuration utility is the browser-based application that you use to configure the BIG-IP system.

data center
A data center is a physical location that houses one or more Global Traffic Manager systems, BIG-IP systems, or host machines.

DNS
The Domain Name System protocol is an industry-standard protocol that maps hostnames to IP addresses.

DNSSEC
The Domain Name System Security Extensions (DNSSEC) is an industry-standard protocol that functions as an extension to the Domain Name System (DNS) protocol. See also DNS, key-signing key, TTL, and zone-signing key.

domain name
A domain name is a unique name that is associated with one or more IP addresses. Domain names are used in URLs to identify particular Web pages. For example, in the URL http://www.siterequest.com/index.html, the domain name is siterequest.com. See also DNS.

external VLAN
The external VLAN is a default VLAN on the BIG-IP system. In a basic configuration, this VLAN has the administration ports locked down. In a normal configuration, this is typically a VLAN on which external clients request connections to internal servers. See also VLAN.

fail-over
Fail-over is the process whereby a standby unit in a redundant system configuration takes over when a software failure or a hardware failure is detected on the active unit.

FIPS hardware security module
A FIPS hardware security module (HSM) is a hard drive that processes key signing tasks.

floating IP address
A floating self IP address is an additional self IP address for a VLAN that serves as a shared address by both units of a BIG-IP redundant system configuration.

health monitor
A health monitor checks a node to see if it is up and functioning for a given service. If the node fails the check, it is marked down. Different monitors exist for checking different services.

hint zone
A hint zone designates a subset of root nameservers in the root nameservers list. When the local nameserver starts (or restarts), it queries the list of root nameservers in the hint zone for the most current list of root nameservers.

interface
The physical port on a BIG-IP system is called an interface.

iQuery
The iQuery protocol is used to exchange information between Global Traffic Manager systems and BIG-IP systems. The iQuery protocol is officially registered with IANA for port 4353, and works on UDP and TCP connections.

iRule
An iRule is a user-written script that controls the behavior of a connection passing through the Link Controller. iRules are an F5 Networks feature and are frequently used to direct certain connections to a non-default load balancing pool. However, iRules can perform other tasks, such as implementing secure network address translation and enabling session persistence.

key-signing key
The system uses a key-signing key that you create and assign to a DNSSEC zone to sign the DNSKEY record for a zone. Creating a key-signing key is one step in configuring a BIG-IP system to be DNSSEC-compliant. See also DNSSEC, TTL, and zone-signing key.

listener
A listener is a specialized resource that is assigned a specific IP address and uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the Global Traffic Manager, allowing it to handle the traffic locally or forward the traffic to the appropriate resource.

load balancing pool
See pool.

local DNS
A local DNS is a server that makes name resolution requests on behalf of a client. With respect to the Global Traffic Manager, local DNS servers are the source of name resolution requests. Local DNS is also referred to as LDNS.

member
Member is a reference to a node when it is included in a particular load balancing pool. Pools typically include multiple member nodes.

named
The named daemon manages domain nameserver software.

nameserver
A nameserver is a server that maintains a DNS database, and resolves domain name requests to IP addresses using that database. A nameserver is considered authoritative for some given zone when it has a complete set of data for the zone, allowing it to answer queries about the zone on its own, without needing to consult another nameserver.

name resolution
Name resolution is the process by which a nameserver matches a domain name request to an IP address, and sends the information to the client requesting the resolution.

Network Time Protocol (NTP)
Network Time Protocol functions over the Internet to synchronize system clocks to Universal Coordinated Time. NTP provides a mechanism to set and maintain clock synchronization within milliseconds.

NS record
A nameserver (NS) record is used to define a set of authoritative nameservers for a DNS zone. See also DNS.

pool
A pool is composed of a group of network devices (called members). The Link Controller load balances requests to the nodes within a pool based on the load balancing method and persistence method you choose when you create the pool or edit its properties.

pool member
A pool member is a server that is a member of a load balancing pool.

port
A port can be represented by a number that is associated with a specific service supported by a host. Refer to the Services and Port Index for a list of port numbers and corresponding services.

redundant system configuration
Redundant system configuration refers to a pair of units that are configured for fail-over. In a redundant system, there are two units, one running as the active unit and one running as the standby unit. If the active unit fails, the standby unit takes over and manages connection requests.

resource record
A resource record is a record in a DNS database that stores data associated with domain names. A resource record typically includes a domain name, a TTL, a record type, and data specific to that record type. See also A record, CNAME record, DNS, and NS record.

root certificate
A root certificate is a special instance of a certificate chain that has only one level of certificate depth.

secondary DNS
The secondary DNS is a nameserver that retrieves DNS data from the nameserver that is authoritative for the DNS zone. See also DNS, authoritative DNS, and zone.

self IP address
Self IP addresses are the IP addresses owned by the BIG-IP system that you use to access the internal and external VLANs.

service
Service refers to services such as TCP, UDP, HTTP, and FTP.

Setup utility
The Setup utility walks you through the initial system configuration process. You can run the Setup utility from the Configuration utility start screen.

SNMP (Simple Network Management Protocol)
SNMP is the Internet standard protocol, defined in STD 15, RFC 1157, developed to manage nodes on an IP network.

SSL (Secure Sockets Layer)
SSL is a network communications protocol that uses public-key technology as a way to transmit data in a secure manner.

standby unit
A standby unit in a redundant system configuration is a unit that is always prepared to become the active unit if the active unit fails.

synchronization group
A synchronization group is a group of Global Traffic Manager systems that synchronize system configurations and zone files (if applicable). All synchronization group members receive broadcasts of metrics data from the big3d agents throughout the network. All synchronization group members also receive broadcasts of updated configuration settings from the Global Traffic Manager that has the latest configuration changes.

TTL
The value of the TTL setting that you assign to a key-signing key or zone-signing key specifies how long a client resolver can cache the key. See also DNSSEC, key-signing key, and zone-signing key.

virtual server
Virtual servers are a specific combination of virtual address and virtual port, associated with a content site that is managed by a Link Controller or other type of host server.

VLAN
VLAN stands for virtual local area network. A VLAN is a logical grouping of network devices. You can use a VLAN to logically group devices that are on different network segments.

wide IP
A wide IP is a collection of one or more fully-qualified domain names that maps to one or more pools of virtual servers that host the content of the domains, and that are managed either by BIG-IP systems, or by host servers. The Global Traffic Manager load balances name resolution requests across the virtual servers that are defined in the wide IP that is associated with the requested domain name.

zone
In DNS terms, a zone is a subset of DNS records for one or more domains. See also DNS, authoritative DNS, and secondary DNS.

zone file
In DNS terms, a zone file is a database set of domains with one or many domain names, designated mail servers, a list of other nameservers that can answer resolution requests, and a set of zone attributes, which are contained in an SOA record.

zone-signing key
The system uses a zone-signing key that you create and assign to a DNSSEC zone to sign all of the record sets in a zone. Creating a zone-signing key is one step in configuring a BIG-IP system to be DNSSEC-compliant. See also DNSSEC, key-signing key, and TTL.

Index

/config/gtm/wideip.conf file 12-1

A
A record  See Address record, creating.
Address record, creating 2-2
allow-transfer statement, adding to DNS server 3-4
authoritative nameserver 3-1, 3-2, 4-1

B
big3d agent
    described 8-1
    importing root certificates 10-5
big3d_install utility, running 4-7, 8-6, 12-15
Big3d.CertificateDepth variable
    setting 10-5, 10-9
    setting for Global Traffic Manager systems 10-2
bigip monitor 12-20
BIG-IP system
    adding to global traffic configuration 8-4
    integrating with global traffic configuration 8-1
bigip_add utility, running 4-6, 7-5, 12-15
bridge 6-2

C
cache poisoning 4-1
certificate chains 10-1
certificate depth
    defined 10-2
    setting 10-4, 10-9
certificates, SSL 8-2
CNAME record, creating 2-2
communication, authorizing 8-2
config sync, running 9-7
configuration files, synchronizing 7-2

D
data centers
    creating with tmsh 12-4, 12-12, 12-19
    defining for BIG-IP system integration 8-4
    defining for redundant systems 9-7
default gateway route 9-6
delegated zones
    and listeners 2-1
    and web-based applications 2-2
    and wide IPs 2-1
    creating 2-2
denial of service, preventing 4-1
DNS protocol 4-1
DNS queries
    forwarding 6-4
    load balancing to a pool 5-3
DNS query port 2-1, 2-3, 3-1, 5-1, 6-2
DNS server pools
    creating 5-2
    load balancing to 5-1
DNS servers
    adding allow-transfer statement 3-4
    and delegated zones 2-1
    and zone transfers 3-3
    creating pools 5-2
    forwarding to 6-3
    load balancing traffic to pools 5-3
    modifying for delegating traffic 2-2
    replacing 3-1
    using existing 2-1
DNS traffic
    delegating to wide IPs 2-2
    forwarding 6-3
    managing 2-1
    routing 6-5
DNSSEC (Domain Name System Security Extensions) 4-1
DNSSEC key signing keys 4-10
DNSSEC zone 4-14
DNSSEC zone signing keys 4-12

F
features of Global Traffic Manager 1-1
FIPS hardware security module (HSM) and gtm_add utility 4-9, 12-21
floating IP addresses 9-4
forwarder, using Global Traffic Manager as 6-1

G
global settings, configuring with tmsh 12-21
Global Traffic Manager
    adding to another system 7-3, 12-17
    adding to synchronization group 7-2
    and forwarder system placement 6-2
    and redundant systems 9-1
    as a forwarder 6-1
    as a router 6-1
    defining for BIG-IP system integration 8-4
    defining for redundant system 9-8
    for router system placement 6-5
    forwarding traffic 6-3
    provisioning with tmsh 12-3, 12-11, 12-18
    routing traffic 6-5
    with other systems 12-17
gtm_add script
    and redundant systems 9-9
    and synchronization 7-2
    running 7-4
gtm_add utility, running 4-9, 12-21
gtmd and root certificates 10-3

H
high availability options 9-5

I
ID hacking, preventing 4-1
install utility
    running big3d_install 12-15
    running bigip_add 12-15
IP address and listeners 2-3, 3-1
iQuery protocol 7-1

K
key signing keys 4-10
keys
    DNSSEC key signing keys 4-10
    DNSSEC zone signing keys 4-12

L
listeners
    and delegated zones 2-1
    and primary DNS servers 3-5
    and redundant systems 9-6
    configuring 2-3, 3-2
    creating 4-7, 5-3
    creating with tmsh 12-9, 12-16, 12-22
    defined 5-1, 6-2
load balancing
    and multiple systems 8-1
    and web-based applications 2-2
    for non-wide IP traffic 5-1
Local Traffic Manager
    defining servers for 12-14
    integrating with Global Traffic Manager 8-1, 12-10

M
manual key rollover, preparing for 4-14

N
name resolution 2-1
non-wide IP traffic 5-1
NS record, creating 2-2
NTP
    defining 4-5
    synchronizing systems 4-5
NTP server 9-5

P
pool of DNS servers
    creating 5-2
    creating with tmsh 12-7
    load balancing to 5-3
port 53  See DNS query port.
protocol, iQuery 8-1
provisioning process 12-3, 12-11, 12-18
provisioning with tmsh 12-3, 12-11, 12-18

R
redundant systems
    and configuration settings 9-2
    and default gateway routes 9-6
    and floating IP addresses 9-4
    and Global Traffic Manager 9-1
    and high availability options 9-5
    and listeners 9-6
    and NTP servers 9-5
    defined 9-1
    running config sync 9-7
router 6-1, 6-2

S
scripts
    running big3d_install 8-6
    running bigip_add 7-5
    running gtm_add 7-4
secondary DNS server 3-5
self IP addresses and VLANs 9-3
self-signed certificates 10-2
servers
    defining NTP 4-5
    defining with tmsh 12-5, 12-13
    defining with tmsh on existing system 12-20
Simple Network Management Protocol  See SNMP.
slave server  See secondary DNS server.
SNMP monitor 11-1
SNMP, defined 11-1
spoofing, preventing 4-1
SSL authentication 10-1
SSL certificates
    and authorizing communications 8-2
    and BIG-IP systems 10-2
    and levels 10-1
    assigning third-party certificates 10-3, 10-7
stand-alone system, configuring with tmsh 12-2
synchronization
    activating 4-6
    and NTP 4-5
    and redundant systems 9-9
    and time 4-5
    creating groups 4-5
    enabling 7-4
synchronization group, adding 12-21
synchronization groups 4-5
    adding Global Traffic Manager systems 7-2
    defined 7-1
systems
    adding BIG-IP to data centers 8-5

T
third-party servers and SNMP 11-1
timestamps, and configuration files 7-2
tmsh
    adding a new Global Traffic Manager with 12-17
    configuring a new Global Traffic Manager with 12-10
    configuring a stand-alone Global Traffic Manager with 12-2
    configuring Global Traffic Manager with 12-1
traffic
    and load balancing 2-1, 3-1
    and load balancing non-wide IP traffic 5-1
    and wide IPs 2-1, 3-1
    bridging 6-2
    for name resolution 2-1
    forwarding 6-2
    managing DNS data 2-1
    routing 6-5

U
utilities
    big3d_install, running 4-7, 12-15
    bigip_add, running 4-6, 12-15
    gtm_add, running 4-9

V
virtual servers
    and SNMP monitors 11-2
    creating with tmsh 12-6
VLANs
    assigning self IP addresses 9-3
    creating 9-3

W
web certificates, exchanging 8-6
web-based applications 2-2, 3-2
wide IP
    and delegated zones 2-1
    and delegating traffic 2-2
    creating with tmsh 12-8

Z
zone files, acquiring 3-4
zone for DNSSEC 4-14
zone signing keys 4-12
zone transfers 3-3
zones
    using delegated 2-2