
BIG-IP® Global Traffic Manager™: Implementations

version 10.2

MAN-0317-00


Product Version
This manual applies to product version 10.2 of the BIG-IP® Global Traffic Manager™.

Publication Date
This manual was published on October 25, 2011.

Legal Notices

Copyright
Copyright 2011, F5 Networks, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks
3DNS, Access Policy Manager, Acopia, Acopia Networks, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, Cloud Extender, CloudFucious, CMP, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, EM, Enterprise Manager, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iApps, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, IT agility. Your way., L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Module, MSM, Netcelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, Real Traffic Policy Builder, ScaleN, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, TrafficShield, Transparent Data Reduction, VIPRION, vCMP, WA, WAN Optimization Manager, WANJet, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent.

All other product and company names herein may be trademarks of their respective owners.

Patents
This product may be protected by U.S. Patents 6,374,300; 6,473,802; 6,970,733; 7,047,301; 7,707,289. This list is believed to be current as of October 25, 2011.

Export Regulation Notice
This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.

Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance
This class A digital apparatus complies with Canadian ICES-003.

Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.

Acknowledgments
This product includes software developed by Gabriel Forté.

This product includes software developed by Bill Paul.

This product includes software developed by Jonathan Stone.

This product includes software developed by Manuel Bouyer.

This product includes software developed by Paul Richards.

This product includes software developed by the NetBSD Foundation, Inc. and its contributors.

This product includes software developed by the Politecnico di Torino, and its contributors.

This product includes software developed by the Swedish Institute of Computer Science and its contributors.

This product includes software developed by the University of California, Berkeley and its contributors.

This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory.

This product includes software developed by Christopher G. Demetriou for the NetBSD Project.

This product includes software developed by Adam Glass.

This product includes software developed by Christian E. Hopps.

This product includes software developed by Dean Huxley.

This product includes software developed by John Kohl.

This product includes software developed by Paul Kranenburg.

This product includes software developed by Terrence R. Lambert.

This product includes software developed by Philip A. Nelson.

This product includes software developed by Herb Peyerl.

This product includes software developed by Jochen Pohl for the NetBSD Project.

This product includes software developed by Chris Provenzano.

This product includes software developed by Theo de Raadt.

This product includes software developed by David Muir Sharnoff.

This product includes software developed by SigmaSoft, Th. Lockert.

This product includes software developed for the NetBSD Project by Jason R. Thorpe.

This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com.

This product includes software developed for the NetBSD Project by Frank Van der Linden.

This product includes software developed for the NetBSD Project by John M. Vinopal.

This product includes software developed by Christos Zoulas.

This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman.

In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with "386BSD" and similar operating systems. "Similar operating systems" includes mainly non-profit oriented systems for research and education, including but not restricted to "NetBSD," "FreeBSD," "Mach" (by CMU).

This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).

This product includes software licensed from Richard H. Porter under the GNU Library General Public License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.

This product includes the standard version of Perl software licensed under the Perl Artistic License (© 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at http://www.perl.com.

This product includes software developed by Jared Minch.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young ([email protected]).

This product contains software based on oprofile, which is protected under the GNU Public License.

This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html) and licensed under the GNU General Public License.

This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL).

This product includes software developed by the Apache Software Foundation <http://www.apache.org/>.

This product includes Hypersonic SQL.

This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others.

This product includes software developed by the Internet Software Consortium.

This product includes software developed by Nominum, Inc. (http://www.nominum.com).

This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License.

This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation.

This product includes the GeoPoint Database developed by Quova, Inc. and its contributors.

This product includes software developed by Balazs Scheidler <[email protected]>, which is protected under the GNU Public License.

This product includes software developed by NLnet Labs and its contributors.

This product includes software written by Steffen Beyer and licensed under the Perl Artistic License and the GPL.

This product includes software written by Makamaka Hannyaharamitu © 2007-2008.

Table of Contents

1  Introducing Implementations for the Global Traffic Manager
    Introducing the Global Traffic Manager ..... 1-1
    Introducing implementations ..... 1-2

2  Delegating DNS Traffic to Wide IPs
    Working with the Global Traffic Manager and DNS traffic ..... 2-1
    Delegating DNS traffic to wide IPs ..... 2-2
        Modifying the existing DNS server ..... 2-2
        Configuring a listener ..... 2-3

3  Replacing a DNS Server with the Global Traffic Manager
    Working with the Global Traffic Manager and DNS traffic ..... 3-1
    Replacing a DNS server with the Global Traffic Manager ..... 3-2
        Configuring the DNS server for zone transfers ..... 3-3
        Creating a hint zone ..... 3-3
        Acquiring zone files ..... 3-4
        Designating the Global Traffic Manager as the primary DNS server ..... 3-5
        Configuring a listener ..... 3-5

4  Securing Your DNS Infrastructure
    Introducing DNSSEC compliance ..... 4-1
    Configuring DNSSEC compliance ..... 4-3
        Adding a Global Traffic Manager system to a network that contains other BIG-IP systems ..... 4-4
        Adding an additional Global Traffic Manager system to a network ..... 4-8
        Configuring DNSSEC keys and zones ..... 4-10

5  Load Balancing Non-Wide IP Traffic to a Pool of DNS Servers
    About using the Global Traffic Manager as a load balancer in front of a pool of DNS servers ..... 5-1
    Creating a pool of DNS servers ..... 5-2
    Creating a listener ..... 5-3

6  Sending Traffic Through the Global Traffic Manager
    Working with the Global Traffic Manager as a router or forwarder ..... 6-1
    Forwarding traffic through the Global Traffic Manager ..... 6-2
        Placing the Global Traffic Manager to forward traffic ..... 6-2
        Configuring a VLAN group ..... 6-3
        Forwarding traffic to a DNS server ..... 6-3
    Routing traffic through the Global Traffic Manager ..... 6-4
        Placing the Global Traffic Manager to route traffic ..... 6-5
        Routing traffic to a DNS server ..... 6-5

7  Ensuring Correct Synchronization When Adding a New Global Traffic Manager
    Understanding synchronization in the Global Traffic Manager ..... 7-1
    Adding a new Global Traffic Manager to a synchronization group safely ..... 7-2
        Adding the Global Traffic Manager ..... 7-3
        Enabling synchronization ..... 7-4
        Running the gtm_add script ..... 7-4
        Running the bigip_add script ..... 7-5

8  Integrating the Global Traffic Manager with BIG-IP Systems
    Understanding the interactions between BIG-IP systems ..... 8-1
    Integrating the Global Traffic Manager with other BIG-IP systems ..... 8-3
        Defining a data center ..... 8-4
        Defining the Global Traffic Manager ..... 8-4
        Adding BIG-IP systems ..... 8-5
        Running the big3d_install script ..... 8-6

9  Setting Up a Global Traffic Manager Redundant System Configuration
    Understanding Global Traffic Manager redundant system configurations ..... 9-1
    Setting up a Global Traffic Manager redundant system configuration ..... 9-2
        Configuring the redundant system settings ..... 9-2
        Creating VLANs ..... 9-3
        Assigning self IP addresses ..... 9-3
        Creating a floating IP address ..... 9-4
        Configuring the high availability options ..... 9-5
        Defining an NTP server ..... 9-5
        Defining the default gateway route ..... 9-6
        Defining a listener ..... 9-6
        Running a config sync operation ..... 9-7
        Defining a data center ..... 9-7
        Defining the Global Traffic Manager systems ..... 9-8
        Enabling synchronization ..... 9-9
        Running the gtm_add script ..... 9-9

10  Authenticating with SSL Certificates Signed by a Third Party
    Understanding SSL authentication ..... 10-1
    Understanding BIG-IP system certificate authentication ..... 10-2
    Configuring a level one SSL authentication for a Global Traffic Manager ..... 10-3
        Importing the root certificate for the gtmd agent ..... 10-3
        Setting the certificate depth for the gtmd agent ..... 10-4
        Importing the root certificate for the big3d agent on the Global Traffic Manager ..... 10-5
        Setting the Big3d.CertificateDepth variable for the Global Traffic Manager ..... 10-5
        Importing the device certificate signed by the CA server onto the Global Traffic Manager ..... 10-5
        Verifying the certificate exchange ..... 10-6
    Configuring a certificate chain for a Global Traffic Manager system ..... 10-7
        Importing a certificate chain for the gtmd agent ..... 10-8
        Setting the certificate depth for the gtmd agent ..... 10-9
        Setting the Big3d.CertificateDepth variable ..... 10-9
        Importing the certificate chain for the big3d agent ..... 10-9
        Importing a device certificate ..... 10-10
        Verifying the certificate chain exchange ..... 10-11
    Configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager ..... 10-12
        Setting certificate depth for the big3d agent on the Local Traffic Manager ..... 10-13
        Replacing the self-signed certificate for the big3d agent on the Local Traffic Manager ..... 10-13
        Importing a device certificate onto the Local Traffic Manager ..... 10-15

11  Monitoring Third-Party Servers with SNMP
    Overview of SNMP ..... 11-1
    Assigning the SNMP monitor to a third-party server ..... 11-1
        Adding the server ..... 11-1
        Adding a virtual server ..... 11-2
        Creating an SNMP monitor ..... 11-3
        Assigning the monitor ..... 11-3

12  Using tmsh to Set Up Implementations
    Using tmsh for different implementations ..... 12-1
    Setting up a stand-alone system ..... 12-2
        Provisioning the system ..... 12-3
        Configuring the global settings ..... 12-4
        Creating a data center ..... 12-4
        Defining a server ..... 12-5
        Creating virtual servers to host the site content ..... 12-6
        Creating a pool ..... 12-7
        Creating a wide IP ..... 12-8
        Creating a listener ..... 12-9
    Adding a system to a network that contains Local Traffic Manager systems ..... 12-10
        Provisioning the system ..... 12-11
        Creating a data center ..... 12-12
        Defining a server for the system ..... 12-13
        Defining servers for the Local Traffic Manager systems ..... 12-14
        Running the bigip_add or big3d_install utility ..... 12-15
        Creating a listener ..... 12-16
    Adding a system to a network that contains other Global Traffic Manager systems ..... 12-17
        Provisioning the new system ..... 12-18
        Creating a data center on an existing system ..... 12-19
        Defining a server for the new system on an existing system ..... 12-20
        Adding a synchronization group to an existing system ..... 12-21
        Running the gtm_add utility ..... 12-21
        Creating a listener ..... 12-22

Glossary

Index


Chapter 1

Introducing Implementations for the Global Traffic Manager

• Introducing the Global Traffic Manager

• Introducing implementations


Introducing the Global Traffic Manager

The BIG-IP® Global Traffic Manager™ is a system that monitors the availability and performance of global resources and uses that information to manage network traffic patterns. The Global Traffic Manager uses load balancing algorithms, topology-based routing, and iRules® to control and distribute traffic according to specific policies.

The Global Traffic Manager provides a variety of features that meet special needs. For example, with this product you can:

• Ensure wide-area persistence by maintaining a mapping between a local DNS server and a virtual server in a wide IP pool

• Direct local clients to local servers for globally-distributed sites using Topology load balancing

• Change the load balancing configuration according to current traffic patterns or time of day

• Customize load balancing modes

• Set up global load balancing among Local Traffic Manager™ systems and other load-balancing hosts

• Monitor real-time network conditions

• Configure a content delivery network with a CDN provider

• Guarantee multiple port availability for e-commerce sites


Introducing implementations

This guide is designed to help you accomplish specific configuration tasks associated with the Global Traffic Manager™. Each chapter focuses on a specific implementation, providing an overview of the situation and a detailed example of how to configure the system to accomplish the objectives outlined in the implementation. The tasks outlined in each chapter are designed so that you can quickly apply them to your own network.

Getting started

The Global Traffic Manager runs on the Traffic Management Operating System®, commonly referred to as TMOS®. Before you begin configuring an implementation, F5 Networks recommends that you familiarize yourself with these additional resources:

◆ BIG-IP® Systems: Getting Started Guide
This guide provides detailed information about licensing and provisioning the BIG-IP system, as well as installing upgrades. The guide also provides a brief introduction to the features of the BIG-IP system and the tools for configuring the system.

◆ TMOS® Management Guide for BIG-IP® Systems
This guide contains any information you need to configure and maintain the network and system-related components of the BIG-IP system, such as routes, VLANs, and user accounts.

◆ Configuration Guide for BIG-IP® Global Traffic Manager™
This guide contains any information you need for configuring specific features of the BIG-IP system to manage global network traffic.

◆ Traffic Management Shell (tmsh) Reference Guide
This guide contains information about using the Traffic Management Shell (tmsh) commands to manage the BIG-IP systems.

F5 Networks recommends that you then run the Setup utility to configure basic network elements such as self IP addresses, interfaces, and VLANs. After running the Setup utility, you can use this guide to configure specific implementations. For information on running the Setup utility, see the BIG-IP® Systems: Getting Started Guide.


Chapter 2

Delegating DNS Traffic to Wide IPs

• Working with the Global Traffic Manager and DNS traffic

• Delegating DNS traffic to wide IPs


Working with the Global Traffic Manager and DNS traffic

The primary purposes of the BIG-IP® Global Traffic Manager™ are to help you manage incoming wide IP traffic, and load balance that traffic to the appropriate network resources. However, wide IP traffic is only part of the overall DNS traffic a network must handle. Consequently, typical installations of the Global Traffic Manager involve configuring the system to work in conjunction with existing DNS servers already on the network. F5 Networks recommends that you configure your DNS server to delegate wide IP-related requests to the Global Traffic Manager for name resolution.

Figure 2.1 Example of the flow of traffic for a Global Traffic Manager with an existing DNS server

To control how the Global Traffic Manager responds to DNS requests, you must configure a listener. A listener is a specialized resource to which you assign a specific IP address and that uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the Global Traffic Manager, allowing it to handle the traffic locally or forward the traffic to the appropriate resource.

In this implementation, you create a listener that corresponds to the self IP address of the Global Traffic Manager.

Note

This implementation also contains recommendations for modifying the files on your existing DNS server. However, detailing how to implement these modifications is beyond the scope of this implementation. If you are unfamiliar with how to modify the files on your DNS server, F5 Networks recommends that you review the 5th edition of DNS and BIND, available from O'Reilly.

Delegating DNS traffic to wide IPs

This implementation describes the tasks necessary to integrate a Global Traffic Manager with an existing DNS server.

This implementation focuses on the fictional company SiteRequest. SiteRequest recently purchased a Global Traffic Manager to help load balance traffic across two of its web-based applications: store.siterequest.com and checkout.siterequest.com. These applications are delegated zones of www.siterequest.com, which an existing DNS server manages. The team at SiteRequest has already configured the Global Traffic Manager with two wide IPs, store.wip.siterequest.com and checkout.wip.siterequest.com, which correspond to the two web applications.

Modifying the existing DNS server

In order for the Global Traffic Manager to manage the web applications of store.siterequest.com and checkout.siterequest.com, you must create the delegated zone on the existing DNS server. Creating a delegated zone typically involves the following tasks:

• Create an A record (address record) that defines the domain name and IP address of the Global Traffic Manager.

• Create an NS record (nameserver record) that defines the delegated zone for which the Global Traffic Manager is responsible.

• Create CNAME records (canonical name records) for each web application, which forward requests for store.siterequest.com and checkout.siterequest.com to the wide IP addresses of store.wip.siterequest.com and checkout.wip.siterequest.com, respectively.


Again, if you are unfamiliar with how to create these zones, F5 Networksrecommends that you review the 5th edition of DNS and BIND, availablefrom O’Reilly.

Configuring a listener

Now you set up a listener on the Global Traffic Manager. A listener is a specialized resource to which you assign a specific IP address and that uses port 53, the DNS query port. The Global Traffic Manager employs this listener to identify the DNS traffic for which it is responsible. For this example, the listener you create is the same as the self IP address of the Global Traffic Manager: 192.168.5.17.

To configure the listener

1. On the Main tab of the navigation pane, expand Global Traffic and then click Listeners.

2. Click Create.

3. In the Destination box, type the IP address on which the Global Traffic Manager listens for network traffic. In this example, type IP address 192.168.5.17.

4. From the VLAN Traffic list, select All VLANs.

5. Click Finished.

You now have an implementation of the Global Traffic Manager in which the existing DNS server manages DNS traffic unless the query is for store.siterequest.com or checkout.siterequest.com. When the DNS server receives these queries, it delegates them to the Global Traffic Manager, which then load balances them on the appropriate wide IPs.


3

Replacing a DNS Server with the Global Traffic Manager

• Working with the Global Traffic Manager and DNS traffic

• Replacing a DNS server with the Global Traffic Manager


Working with the Global Traffic Manager and DNS traffic

The primary purposes of the BIG-IP® Global Traffic Manager™ are to help you manage incoming wide IP traffic, and load balance that traffic to the appropriate network resources. However, wide IP traffic is only part of the overall DNS traffic that a network must handle. You can also use the Global Traffic Manager as the authoritative nameserver for both wide IPs and all other DNS-related traffic. Typically, this requires that the Global Traffic Manager replace an existing DNS server on the network, as shown in Figure 3.1.

Figure 3.1 Example of the flow of traffic when the Global Traffic Manager replaces an existing DNS server

To control how the Global Traffic Manager responds to DNS requests, you must configure a listener. A listener is a specialized resource to which you assign a specific IP address and that uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the Global Traffic Manager, allowing it to handle the traffic locally or forward the traffic to the appropriate resource.


In this implementation, you create a listener that corresponds to the self IP address of the Global Traffic Manager. Since the Global Traffic Manager replaces an existing DNS server, this self IP address must correspond with the IP address that denotes the authoritative nameserver for the appropriate domain.

Note

The tasks in this implementation are based on the assumption that you understand BIND and CNAME records. If you are unfamiliar with these topics, F5 Networks recommends that you review the 5th edition of DNS and BIND, available from O'Reilly.

Replacing a DNS server with the Global Traffic Manager

This implementation describes the tasks necessary to replace an existing DNS server with the Global Traffic Manager. In this example, the existing DNS server has an IP address of 192.168.5.73, while the Global Traffic Manager has an IP address of 192.168.10.105.

Once again, we use the fictional company SiteRequest. SiteRequest recently purchased a Global Traffic Manager to help load balance traffic across two of its web-based applications: store.siterequest.com and checkout.siterequest.com. These applications are subdomains of www.siterequest.com, which an existing DNS server manages. SiteRequest has decided to replace its existing DNS server with the Global Traffic Manager. Earlier, SiteRequest configured the wide IPs that it needs on the system; the final task is to make the Global Traffic Manager the authoritative nameserver for these domains.

The tasks you must complete to replace a DNS server with the Global Traffic Manager are:

• Configure the DNS server for zone transfers.

• Create a hint zone.

• Enable recursive queries.

• Acquire zone files.

• Designate the Global Traffic Manager as the primary DNS server.

• Configure a listener.


Configuring the DNS server for zone transfers

Before you configure the Global Traffic Manager to replace the existing DNS server, you need to configure the DNS server to allow zone file transfers to the Global Traffic Manager. You can enable this authorization through the use of an allow-transfer statement that specifies the IP address of the Global Traffic Manager: 192.168.10.105. Refer to your BIND documentation for more information on how to implement an allow-transfer statement.
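An example, added here and not taken from the F5 manual or the BIND documentation, of what the allow-transfer statement looks like inside a named.conf zone block, wrapped in a small audit that flags zones whose transfer ACL is absent, open to any host, or names peers other than the Global Traffic Manager at 192.168.10.105. The named.conf text is constructed for the example; only the siterequest.com zone and the 192.168.10.105 address come from this chapter.

```python
"""Audit allow-transfer statements in a BIND named.conf.

Added example, not from the F5 manual.  The named.conf text is constructed;
the only address taken from the page is the Global Traffic Manager,
192.168.10.105, the one host that should be able to pull siterequest.com.
"""
import re

# Constructed sample: one zone restricted to the GTM, one left open to any
# host, and one with no allow-transfer statement at all (on the BIND 9
# releases current when this manual was written, that default permits any host).
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
};

zone "siterequest.com" {
    type master;
    file "db.siterequest.com";
    allow-transfer { 192.168.10.105; };
};

zone "legacy.example" {
    type master;
    file "db.legacy.example";
    allow-transfer { any; };
};

zone "internal.example" {
    type master;
    file "db.internal.example";
};
"""

# A zone block ends at the first "};" that starts a line.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def zone_transfer_acls(conf):
    """Map zone name -> list of allow-transfer entries, or None if the statement is absent."""
    acls = {}
    for name, body in ZONE_RE.findall(conf):
        match = TRANSFER_RE.search(body)
        if match is None:
            acls[name] = None
        else:
            acls[name] = [e.strip() for e in match.group(1).split(";") if e.strip()]
    return acls


def audit_transfers(conf, allowed_hosts):
    """Return (zone, reason) pairs for zones whose transfer ACL is missing,
    contains 'any', or names a peer outside allowed_hosts."""
    findings = []
    for name, acl in zone_transfer_acls(conf).items():
        if acl is None:
            findings.append((name, "no allow-transfer statement; server default applies"))
        elif "any" in acl:
            findings.append((name, "allow-transfer { any; } exposes the whole zone to AXFR"))
        else:
            extra = sorted(set(acl) - set(allowed_hosts))
            if extra:
                findings.append((name, f"unexpected transfer peers: {', '.join(extra)}"))
    return findings


if __name__ == "__main__":
    for zone, reason in audit_transfers(SAMPLE_NAMED_CONF, ["192.168.10.105"]):
        print(f"{zone}: {reason}")
```

The parser is deliberately simple (it does not expand named ACLs or keys), which is enough to catch the two settings that matter most once the Global Traffic Manager has pulled the zone: a transfer ACL that was never added, and one that was opened to any host for the migration and never tightened again.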

Creating a hint zone

Another task you must complete before the Global Traffic Manager becomes the primary DNS server is to create a hint zone. Hint zones designate a subset of the root nameservers list. When the local nameserver starts (or restarts), the nameserver queries the root servers in the hint zone for the most current list of root servers.

To create a hint zone

1. On the Main tab of the navigation pane, expand Global Traffic and then click ZoneRunner.

2. On the menu bar, click Zone List.

3. Click Create.

4. From the View Name list, select external. The external view is a default view to which you can assign different zones.

5. In the Zone Name box, type the name you want to use for the zone file. For this example, type Root.

6. From the Zone Type list, select Hint.

7. Click Finished.


Acquiring zone files

The next task you must complete before the Global Traffic Manager becomes the primary DNS server is to acquire the siterequest.com zone files from the existing DNS server. You acquire these zone files through the ZoneRunner™ utility.

Tip

This task requires that you have added an allow-transfer statement to the existing DNS server that authorizes zone transfers to the Global Traffic Manager.

To acquire zone files

1. On the Main tab of the navigation pane, expand Global Traffic and then click ZoneRunner.

2. On the menu bar, click Zone List.

3. Click Create.

4. From the View Name list, select external. Note: The external view is a default view to which you can assign different zones.

5. In the Zone Name box, type the name of the zone file. F5 Networks recommends that you use the following format to name zone files: db.<viewname>.<zonename>. Note: You must include a trailing dot in the zone name.

For this example, type the following: db.external.siterequest.com.

6. From the Zone Type list, select Master.

7. From the Records Creation Method list, select Transfer from Server.

8. In the Zone File Name box, type the zone file name. For this example, type db.external.siterequest.com.

9. In the Source Server box, type the IP address of the existing DNS server. For this example, type 192.168.5.73.

10. Click Finished.


Designating the Global Traffic Manager as the primary DNS server

At this point, you have configured the Global Traffic Manager as the primary DNS server for the siterequest.com zone. You must now either change the existing DNS server to become a secondary DNS server to the Global Traffic Manager, or remove it from your network.

Note

If you are unfamiliar with how to change a DNS server from a primary DNS server to a secondary DNS server, refer to the 5th edition of DNS and BIND, available from O'Reilly.

Configuring a listener

The final task requires you to set up a listener on the Global Traffic Manager. The Global Traffic Manager employs this listener to identify the DNS traffic for which it is responsible. In this implementation, the listener you create is the same as the self IP address of the Global Traffic Manager: 192.168.5.73.

To configure the listener

1. On the Main tab of the navigation pane, expand Global Traffic and then click Listeners.

2. Click Create.

3. In the Destination box, type the IP address on which the Global Traffic Manager listens for network traffic. For this example, type the IP address 192.168.5.73.

4. From the VLAN Traffic list, select All VLANs.

5. Click Finished.

You now have an implementation of the Global Traffic Manager that is also the authoritative nameserver for siterequest.com. This system handles any incoming DNS traffic, whether destined for a wide IP or another node of siterequest.com.


4

Securing Your DNS Infrastructure

• Introducing DNSSEC compliance

• Configuring DNSSEC compliance


Introducing DNSSEC compliance

The Domain Name System Security Extensions (DNSSEC) is an industry-standard protocol that functions as an extension to the Domain Name System (DNS) protocol. The BIG-IP® system uses DNSSEC to guarantee the authenticity of responses that a domain nameserver sends to a client and to return authenticated denial of existence responses.

You can use the DNSSEC feature to protect your network infrastructure from DNS protocol and server attacks such as spoofing, ID hacking, cache poisoning, and denial of service.

You can use the BIG-IP® Global Traffic Manager™ system to manage incoming wide IP traffic, load balance that traffic to the appropriate network resources, and serve as the authoritative nameserver for wide IPs and all other DNS-related traffic, as shown in Figure 4.1. Additionally, you can use the system to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol.

Figure 4.1 Example of the flow of traffic when the Global Traffic Manager is a DNSSEC authoritative nameserver

This implementation covers the tasks necessary to configure a BIG-IP system to be DNSSEC-compliant. This implementation begins after you run the Setup utility and configure the network and system settings for the BIG-IP system that you are adding to the network.


The Setup utility guides you through licensing the product, assigning an IP address to the management port of the system, and configuring the passwords for the root and administrator accounts. While using the Setup utility, you also configure some of the basic network and system settings for the system, such as setting a self IP address and assigning the system to a VLAN.

The network and system settings form the basis of a BIG-IP system configuration. Because these settings have a variety of applications, they are discussed in the TMOS® Management Guide for BIG-IP® Systems. F5 Networks highly recommends that you review this guide to ensure that you configure the basic network and system settings in a way that best fits the needs of your network and your DNS traffic.

Important

Only users with Administrator or Resource Administrator roles assigned to their user accounts on the BIG-IP system can perform these tasks.

Note

All examples in this document use only private class IP addresses. When you set up the configurations we describe, you must use valid IP addresses suitable to your own network in place of our sample addresses.


Configuring DNSSEC compliance

This implementation describes three different scenarios in which you want to secure your DNS infrastructure to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol.

◆ The first scenario describes the tasks that you perform if you want to add a new Global Traffic Manager system to a network that contains other BIG-IP systems. To begin the tasks to configure this scenario, see Adding a Global Traffic Manager system to a network that contains other BIG-IP systems, on page 4-4.

◆ The second scenario describes the tasks that you perform if you want to add a new Global Traffic Manager system to a network that already contains a Global Traffic Manager system. To begin the tasks to configure this scenario, see Adding an additional Global Traffic Manager system to a network, on page 4-8.

In these two cases, after you perform the tasks necessary to add the new system to your network, you configure the DNSSEC keys and zones that the system uses to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol.

◆ The third scenario describes the tasks that you perform if you are upgrading an existing Global Traffic Manager system, which is already set up and configured on the network, and you want to add DNSSEC signing of DNS responses. To begin the tasks to configure this scenario, see Configuring DNSSEC keys and zones, on page 4-10.


Adding a Global Traffic Manager system to a network that contains other BIG-IP systems

If you are adding a Global Traffic Manager system to a network that contains other BIG-IP systems, perform the following tasks.

Specifying a data center

When you are adding a Global Traffic Manager system to a network that contains other BIG-IP systems, the first task you must perform is to specify a data center on the Global Traffic Manager system.

To specify a data center

1. Expand Global Traffic and click Data Centers.

2. Click Create.

3. In the Name box, type a unique name to identify the data center. For example, type Secure Los Angeles.

4. In the Location box, type the location of the data center. For example, type Los Angeles.

5. In the Contact box, type the name of the system administrator or department that is responsible for managing the data center. For example, type DNSSEC Administrator.

6. Click Finished.

Defining a server

The next task that you perform to add a Global Traffic Manager system to a network that contains other BIG-IP systems is to define a server on the Global Traffic Manager system that you are adding to the network.

To define a server

1. Expand Global Traffic and click Servers.

2. Click Create.

3. In the Name box, type a unique name for the Global Traffic Manager system that you are currently configuring. For example, type DNSSEC server.

4. From the Product list, select your product type:

• If the unit you are configuring is a single device, select BIG-IP System (Single).

• If the unit you are configuring is a redundant system configuration, select BIG-IP System (Redundant).


5. For the Address List setting, in the Address box, type the self IP address that corresponds to an external VLAN on the system that you are currently configuring. Then click Add. For example, type 192.168.34.1.

6. From the Data Center list, select the name of the data center that you specified in Specifying a data center, on page 4-4. For example, select Secure Los Angeles.

7. Click Finished.

Defining a Network Time Protocol server

The next task that you perform is to synchronize the time setting on the Global Traffic Manager system with the other DNS servers in your network and on the internet. To do this, you define the Network Time Protocol (NTP) server that the system references. This server ensures that the system references the correct time when creating and removing DNSSEC data.

To define an NTP server

1. Expand System and click Configuration.

2. From the Device menu, choose NTP.

3. For the Time Server List setting, in the Address box, type the IP address of the NTP server. For example, type 192.168.5.15.

4. Click Add, and then click Update.

Creating a synchronization group

The next task that you perform is to create a synchronization group on the Global Traffic Manager system. BIG-IP systems that are in the same synchronization group exchange heartbeat messages and share probing responsibility. Synchronization ensures the rapid distribution of configuration settings to the other systems that belong to the same synchronization group.

To create a synchronization group

1. Expand System and then click Configuration.

2. From the Global Traffic menu, choose General.

3. In the Synchronization Group Name box, type a unique name for the group. For example, type DNSSEC.

4. Click Update.


Activating synchronization

The next task that you perform to add a Global Traffic Manager system to a network that contains other BIG-IP systems is to activate synchronization on the Global Traffic Manager system. This turns on synchronization for the synchronization group you just created.

To activate synchronization

1. Expand System and then click Configuration.

2. From the Global Traffic menu, choose General.

3. Check the Synchronization box.

4. Click Update.

Running a utility to add the BIG-IP system to your network

The next task that you perform to add a Global Traffic Manager system to a network that contains other BIG-IP systems is to run a utility to add the Global Traffic Manager system to the network. Run one of the following utilities based on your network configuration:

• If all of the other BIG-IP systems on the network are running the same version of the big3d agent, run the bigip_add utility. Refer to To run the bigip_add utility, on page 4-6.

• If all of the other BIG-IP systems on the network are running an earlier version of the big3d agent, run the big3d_install utility. Refer to To run the big3d_install utility, on page 4-7.

To run the bigip_add utility

1. Log on to the command-line interface of the Global Traffic Manager system that you are configuring.

2. At the prompt, type the command bigip_add.

3. Press the Enter key. The utility exchanges the appropriate SSL certificates, and authorizes communications between the systems.

You can now go to the next task in this implementation, Creating listeners.


To run the big3d_install utility

1. Log on to the command-line interface of the Global Traffic Manager system that you are configuring.

2. At the prompt, type one of the following commands:

big3d_install

big3d_install <IP addresses of existing BIG-IP systems>

3. Press the Enter key. The utility exchanges the appropriate SSL certificates, authorizes communications between the systems, and automatically updates the big3d agents on all the devices.

You can now go to the next task in this implementation, Creating listeners.

Creating listeners

The next task that you perform is to configure how the Global Traffic Manager system responds to DNS traffic. To do this, you create a listener.

A listener is a specialized resource that is assigned a specific IP address and uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the system, allowing it to handle the traffic locally or forward the traffic to the appropriate resource.

You configure a listener using the self IP address of the Global Traffic Manager system that you are configuring when you want the system to sign the responses that it handles. You can also configure the system to sign the responses from another DNS server on your network. To do this, you create a listener using the IP address of the DNS server.

To create a listener

1. Expand Global Traffic and click Listeners.

2. Click Create.

3. In the Destination box, type the IP address on which the Global Traffic Manager system listens for network traffic, based on what you want the system to do:

• If you are configuring the system to sign only wide IP responses, type the self IP address of the system that you are configuring.

• If you are configuring the system as the authoritative nameserver for another DNS server on your network, type the IP address of the DNS server.

For example, type 192.168.34.17, the self IP address of the Global Traffic Manager system that you are configuring.

4. From the VLAN Traffic list, select the VLAN or VLANs on which this system listens for DNS requests. For example, select VLAN external.


5. Click Finished.

6. To configure the system as the authoritative nameserver for another DNS server, repeat steps 1 - 5, but enter the IP address of the DNS server in the Destination box.

You are now ready to configure the DNSSEC feature. For more information, refer to Configuring DNSSEC keys and zones, on page 4-10.

Adding an additional Global Traffic Manager system to a network

If you are adding an additional Global Traffic Manager system to a network, perform the following tasks.

Creating a data center

The first task that you perform to add an additional Global Traffic Manager system to a network is to specify, on an existing Global Traffic Manager system, the data center in which the new Global Traffic Manager resides.

To create a data center

1. Expand Global Traffic and click Data Centers.

2. Click Create.

3. In the Name box, type a unique name to identify the data center. For example, type Secure Los Angeles.

4. In the Location box, type the location of the data center. For example, type Los Angeles.

5. In the Contact box, type the name of the system administrator or department that is responsible for managing the data center. For example, type DNSSEC Administrator.

6. Click Finished.

Adding the new Global Traffic Manager system to a synchronization group

The next task that you perform is to add the new system to a synchronization group. You perform this task on an existing Global Traffic Manager that is in the synchronization group to which you want to add the new Global Traffic Manager system.

To add the new system to a synchronization group

1. Expand Global Traffic and click Servers.

2. Click Create.


3. In the Name box, type the name of the Global Traffic Manager system that you are adding to the network. For example, type DNSSEC server.

4. From the Product list, select your product type:

• If the new system is a single device, select BIG-IP System (Single).

• If the new system is a redundant system configuration, select BIG-IP System (Redundant).

For example, select BIG-IP System (Single).

5. For the Address List setting, in the Address box, type the self IP address that corresponds to an external VLAN on the new Global Traffic Manager system. Then click Add. For example, type 192.168.34.1.

6. From the Data Center list, select the name of the data center that you specified in Creating a data center, on page 4-8. For example, select Secure Los Angeles.

7. Click Finished.

Running the gtm_add utility

The next task that you perform is to run the gtm_add utility. You perform this task on the new Global Traffic Manager system that you are adding to the network.

To run the gtm_add utility

1. At the command prompt, type the following command:

gtm_add <IP address of another Global Traffic Manager system in the synchronization group>

2. Based on your network configuration, respond to the prompts that display. Note: If your system has a FIPS hardware security module (HSM), the utility detects the card and prompts you for a series of responses.

The utility adds the new Global Traffic Manager system to the network.

Creating a listener

The last task to add an additional Global Traffic Manager system to a network is to configure a listener on the new system using the self IP address of the new system.

To create a listener

1. Expand Global Traffic and click Listeners.

2. Click Create.


3. In the Destination box, type the self IP address of the new Global Traffic Manager system. For example, type 192.168.34.17.

4. From the VLAN Traffic list, select the VLAN or VLANs on which this system listens for DNS requests. For example, select VLAN external.

5. Click Finished.

You are now ready to configure the DNSSEC feature on the new Global Traffic Manager system.

Configuring DNSSEC keys and zones

To configure DNSSEC compliance, you create DNSSEC key-signing and zone-signing keys, and then assign those keys to DNSSEC zones. Perform these tasks on the new Global Traffic Manager system that you added to your network.

Creating DNSSEC key-signing keys

The next task in this implementation is to create two DNSSEC key-signing keys. The system uses a key-signing key to sign the DNSKEY record set.

F5 Networks recommends that when you create a key, you create a disabled standby version of the key with a similar name. For example, in this task you create an enabled key-signing key named ksk1, and then create a disabled standby key named ksk2. Later in this implementation, you associate both of these keys with the same zone. This prepares you to easily perform a manual rollover of the key should the enabled key become compromised. For more information about manual rollover, see the Configuration Guide for BIG-IP® Global Traffic Manager™.

To create key-signing keys

1. Expand Global Traffic and click DNSSEC Key List.

2. Click Create.

3. In the Name box, type a unique name for the key. For example:

• If you are creating the enabled key-signing key, type ksk1.

• If you are creating the standby key-signing key, type ksk2.

4. In the Bit Width box, type 2048.

5. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.

6. From the Type list, select Key Signing Key.


7. From the State list, make a selection based on whether you are creating the enabled or standby key. For example:

• If you are creating the enabled key, select Enabled.

• If you are creating the standby key, select Disabled.

8. In the TTL box, accept the default value of 86400 (the number of seconds in one day).

Note: The value of the TTL specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover period and expiration period of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.

9. In the Rollover Period box, type 28987147 (the number of seconds in 11 months).

Important: The value of the rollover period must be greater than or equal to one third of the value of the expiration period, and less than the value of the expiration period. Additionally, the difference between the values of the rollover and expiration periods must be more than the value of the TTL.

Note: After the key rolls over, you must send the DS records for the zone to which this key is associated to the organization that manages the parent zone. Therefore, F5 Networks recommends that you base the values that you specify for the rollover and expiration periods on the time required for that communication cycle to complete.

10. In the Expiration Period box, type 31556952 (the number of seconds in one year).

Important: The value of the expiration period must be more than the value of the rollover period. Additionally, the difference between the values of the rollover and expiration periods must be more than the value of the TTL.

The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.

Note: After the key rolls over, you must send the DS records for the zone to which the key is associated to the organization that manages the parent zone. Therefore, F5 Networks recommends that you base the values that you specify for the rollover and expiration periods on the time required for that communication cycle to complete.

11. Click Finished.

12. To create a standby key for emergency rollover purposes, repeat steps 1 - 11, but name the key ksk2, and select Disabled from the State list.


Creating DNSSEC zone-signing keys

The next task in this implementation is to create two DNSSEC zone-signing keys. The system uses a zone-signing key to sign all of the record sets in a zone.

F5 Networks recommends that when you create a key, you create a disabled standby version of the key with a similar name. For example, in this task you create an enabled zone-signing key named zsk1, and then create a disabled standby key named zsk2. Later in this implementation, you associate both of these keys with the same zone. This prepares you to easily perform a manual rollover of the key should the enabled key become compromised. For more information about manual rollover, see the Configuration Guide for BIG-IP® Global Traffic Manager™.

To create zone-signing keys

1. Expand Global Traffic and click DNSSEC Key List.

2. Click Create.

3. In the Name box, type a unique name for the key. For example:

• If you are creating the enabled zone-signing key, type zsk1.

• If you are creating the standby zone-signing key, type zsk2.

4. In the Bit Width box, type 1024.

5. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.

6. From the Type list, select Zone Signing Key.

7. From the State list, make a selection based on whether you are creating the enabled or standby key.

• If you are creating the enabled key, select Enabled.

• If you are creating the standby key, select Disabled.

8. In the TTL box, accept the default value of 86400 (the number of seconds in one day).

Note: The value of the TTL specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover period and expiration period of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.


9. In the Rollover Period box, type 1814400 (the number of seconds in 21 days).

Important: The value of the rollover period must be greater than or equal to one third of the value of the expiration period, and less than the value of the expiration period. Additionally, the difference between the values of the rollover and expiration periods must be more than the value of the TTL.

Note: After the key rolls over, you must send the DS records for the zone to which this key is associated to the organization that manages the parent zone. Therefore, F5 Networks recommends that you base the values that you specify for the rollover and expiration periods on the time required for that communication cycle to complete.

10. In the Expiration Period box, type 2592000 (the number of seconds in 30 days).

Tip: The National Institute of Standards and Technology (NIST) recommends that a zone-signing key expire every 30 days.

Note: After the key rolls over, you must send the DS records for the zone to which this key is associated to the organization that manages the parent zone. Therefore, F5 Networks recommends that you base the values that you specify for the rollover and expiration periods on the time required for that communication cycle to complete.

11. Click Finished.

12. To create a standby key for emergency rollover purposes, repeat steps 1 - 11, but name the key zsk2, and select Disabled from the State list.
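The constraints that the Important and Note text in steps 8 through 10 place on the TTL, rollover period and expiration period are easy to get wrong once you move away from the default values. The following Python function is an added example, not part of this manual or of the BIG-IP software; it checks a proposed set of values against those three rules before you type them into the Configuration utility. The KeyTiming class and the function names are assumptions made for the example.

```python
"""Check DNSSEC zone-signing key timing values against the manual's rules.

Added example; the names below are assumptions, not BIG-IP interfaces.
"""
from dataclasses import dataclass
from typing import List

DAY = 86400  # seconds


@dataclass(frozen=True)
class KeyTiming:
    ttl: int         # seconds a resolver may cache the DNSKEY
    rollover: int    # seconds until the system rolls to the next key generation
    expiration: int  # seconds until a key generation expires


def check_key_timing(t: KeyTiming) -> List[str]:
    """Return the rules a timing set violates; an empty list means it is acceptable.

    Rules (from the Rollover Period and Expiration Period descriptions):
      1. rollover >= expiration / 3
      2. rollover <  expiration
      3. expiration - rollover > ttl   (a resolver must never keep a cached key
                                         past the point where the zone stops serving it)
    """
    problems: List[str] = []
    if min(t.ttl, t.rollover, t.expiration) <= 0:
        return ["ttl, rollover and expiration must all be positive numbers of seconds"]
    if 3 * t.rollover < t.expiration:
        problems.append("rollover period is less than one third of the expiration period")
    if t.rollover >= t.expiration:
        problems.append("rollover period is not less than the expiration period")
    if t.expiration - t.rollover <= t.ttl:
        problems.append("expiration minus rollover does not exceed the TTL; "
                        "a resolver could cache a key the zone no longer serves")
    return problems


def largest_safe_ttl(rollover: int, expiration: int) -> int:
    """Largest TTL (in seconds) that rule 3 allows for a rollover/expiration pair."""
    return max(expiration - rollover - 1, 0)


def describe(t: KeyTiming) -> str:
    """Human-readable summary in days, handy when reviewing a change request."""
    return (f"TTL {t.ttl / DAY:g} d, rollover {t.rollover / DAY:g} d, "
            f"expiration {t.expiration / DAY:g} d")


if __name__ == "__main__":
    # The manual's values: 1 day TTL, 21 day rollover, 30 day expiration.
    manual = KeyTiming(ttl=DAY, rollover=21 * DAY, expiration=30 * DAY)
    print(describe(manual), "->", check_key_timing(manual) or "OK")
    # A tempting but wrong tweak: rolling over one day before expiry leaves
    # no margin for the TTL.
    tight = KeyTiming(ttl=DAY, rollover=29 * DAY, expiration=30 * DAY)
    print(describe(tight), "->", check_key_timing(tight))
```

Run it with the values from the procedure and it reports no problems; shorten the gap between rollover and expiration to one day and rule 3 fires, which is exactly the situation the Note under step 8 warns about.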


Creating DNSSEC zones

The next task in this implementation is to create a DNSSEC zone. Before the BIG-IP system can sign requests to a zone, you must assign at least one enabled zone-signing and one enabled key-signing key to the zone.

In this task, to prepare for a manual rollover, you assign to the zone both the enabled and disabled key-signing and zone-signing keys that you created previously in this implementation.

To create a DNSSEC zone

1. Expand Global Traffic and click DNSSEC Zone List.

2. Click Create.

3. In the Name box, type a FQDN that is a subset of the domain name. For example, type siterequest.com.

4. From the State list, accept the default value of Enabled.

5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone. For example, move the zsk1 and zsk2 zone-signing keys from the Available list to the Active list.

6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone. For example, move the ksk1 and ksk2 key-signing keys from the Available list to the Active list.

7. Click Finished.

8. Upload the DS records for this zone to the organization that manages the parent zone. You can find the DS records in the file /config/gtm/dsset-<dnssec.zone.name>, where <dnssec.zone.name> is the name of the zone you are configuring. In this example, the file can be found at /config/gtm/dsset-siterequest.com.

The Global Traffic Manager system is now configured to handle incoming DNS traffic and to respond to DNS queries with DNSSEC-compliant responses.


5

Load Balancing Non-Wide IP Traffic to a Pool of DNS Servers

• About using the Global Traffic Manager as a load balancer in front of a pool of DNS servers

• Creating a pool of DNS servers

• Creating a listener


About using the Global Traffic Manager as a load balancer in front of a pool of DNS servers

This implementation focuses on using a BIG-IP® Global Traffic Manager™ system as a load balancer in front of a pool of DNS servers. The Global Traffic Manager checks incoming DNS queries. If the query is for a wide IP, the Global Traffic Manager load balances it to the appropriate resource. Otherwise, the Global Traffic Manager forwards the DNS query to one of the servers in a pool of DNS servers, and that server handles the query as needed.

To control how the Global Traffic Manager responds to DNS requests, you must configure a listener. A listener is a specialized resource that you assign to a specific IP address, which uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the Global Traffic Manager, allowing it to handle the traffic locally or forward the traffic to the appropriate resource.

Once again, for our example we use the fictional company SiteRequest. SiteRequest recently purchased a Global Traffic Manager to help load balance traffic across two of its web-based applications: store.siterequest.com and checkout.siterequest.com. These applications are subdomains of www.siterequest.com, which is managed by a pool of existing DNS servers. SiteRequest has already configured the Global Traffic Manager with two wide IPs, store.siterequest.com and checkout.siterequest.com, which correspond to these two web applications.

For the purposes of this implementation, the IP address of the Global Traffic Manager is 192.168.5.10, while the IP addresses of the DNS servers are 10.10.1.1, 10.10.1.2, and 10.10.1.3.

For this implementation, perform the following tasks:

• Create a pool of DNS servers

• Create a listener


Creating a pool of DNS servers

The first task in this implementation is to configure a pool that contains the DNS servers to which you want the Global Traffic Manager to load balance DNS traffic.

To create a pool of DNS servers

1. Log on to the command line interface of the Global Traffic Manager.

2. Type tmsh to access the Traffic Management Shell.

3. Run this command sequence:

create /ltm pool DNS_pool members add { 10.10.1.1:domain 10.10.1.2:domain 10.10.1.3:domain }

save sys config

list /ltm pool

The system displays the new pool configuration, as shown in Figure 5.1.

root@gtm1(Active)(tmos)# list /ltm pool
ltm pool DNS_pool {
    members {
        10.10.1.1:domain {}
        10.10.1.2:domain {}
        10.10.1.3:domain {}
    }
}
root@gtm1(Active)(tmos)#

Figure 5.1 Results of list command for sample Local Traffic Manager pool


Creating a listener

The next task in this implementation is to configure a listener that listens for DNS queries and load balances non-wide IP traffic destined for the DNS servers to a member of the pool you created in the previous task.

To create a listener

1. Log on to the command line interface of the Global Traffic Manager.

2. Type tmsh to access the Traffic Management Shell.

3. Run this command sequence:

create /gtm listener DNS_listener address 192.168.5.10 ip-protocol udp pool DNS_pool translate-address enabled

save sys config

list /gtm listener

The system displays the new listener configuration, as shown in Figure 5.2.

root@gtm1(Active)(tmos)# list /gtm listener
gtm listener DNS_listener {
    address 192.168.5.10
    pool DNS_pool
}
root@gtm1(Active)(tmos)#

Figure 5.2 Results of list command for sample Global Traffic Manager listener

You now have an implementation of the Global Traffic Manager in which the Global Traffic Manager receives DNS queries. If the query is for a wide IP, the Global Traffic Manager load balances the request to the appropriate resource. Otherwise, the Global Traffic Manager load balances queries to the pool of DNS servers.
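The listener's decision rule described in this chapter (a query for a wide IP is answered by the Global Traffic Manager itself; anything else is handed to a member of DNS_pool) is small enough to model end to end. The following Python script is an added example, not part of this manual or of the BIG-IP software; it builds a DNS query in wire format, extracts the question name with length checks, and applies that rule with a simple round robin over the pool members. The Listener class, the round-robin choice and the sample packets are assumptions; on a real system the pool's configured load balancing method decides which member receives a forwarded query.

```python
"""Model of a Global Traffic Manager listener's dispatch decision.

Added example. DNS wire format follows RFC 1035; the class and the
round-robin member choice are assumptions, not BIG-IP code.
"""
import itertools
import struct
from typing import Iterable, Tuple

# Constructed to match the manual's example; not read from a device.
WIDE_IPS = ["store.siterequest.com", "checkout.siterequest.com"]
DNS_POOL = ["10.10.1.1", "10.10.1.2", "10.10.1.3"]   # members of DNS_pool


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query: 12-byte header plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = [label for label in qname.rstrip(".").split(".") if label]
    if any(len(label) > 63 for label in labels):
        raise ValueError("DNS labels are limited to 63 octets")
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(packet: bytes) -> str:
    """Return the lower-cased question name, validating every length on the way."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack("!H", packet[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not permitted in the question")
        if n > 63 or pos + n > len(packet):
            raise ValueError("bad label length")
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels).lower()


class Listener:
    """Dispatch rule: wide IP names are answered locally, the rest go to the pool."""

    def __init__(self, wide_ips: Iterable[str], pool: Iterable[str]):
        self.wide_ips = {w.lower().rstrip(".") for w in wide_ips}
        self._members = itertools.cycle(list(pool))   # round robin (assumed)

    def dispatch(self, packet: bytes) -> Tuple[str, str]:
        """Return ("wideip", name) or ("pool", member_ip) for one query packet."""
        qname = parse_qname(packet)
        if qname in self.wide_ips:
            return ("wideip", qname)
        return ("pool", next(self._members))


if __name__ == "__main__":
    listener = Listener(WIDE_IPS, DNS_POOL)
    for name in ["store.siterequest.com", "www.siterequest.com",
                 "CHECKOUT.siterequest.com", "mail.siterequest.com"]:
        print(f"{name:28} -> {listener.dispatch(build_query(name))}")
```

Name comparison is case-insensitive, as DNS requires, so CHECKOUT.siterequest.com is still recognised as a wide IP, and a packet with a compression pointer or an over-long label in the question is rejected rather than guessed at.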


6

Sending Traffic Through the Global Traffic Manager

• Working with the Global Traffic Manager as a router or forwarder

• Forwarding traffic through the Global Traffic Manager

• Routing traffic through the Global Traffic Manager


Working with the Global Traffic Manager as a router or forwarder

This implementation focuses on using the BIG-IP® Global Traffic Manager™ as a router or forwarder in front of an existing DNS server, as shown in the traffic flow example in Figure 6.1. Note that the Global Traffic Manager checks incoming DNS queries. If the query is for a wide IP, the Global Traffic Manager load balances it to the appropriate resource. Otherwise, the Global Traffic Manager forwards the DNS query to the DNS server, which then handles the query as needed.

Figure 6.1 Example of the traffic flow through a Global Traffic Manager routing traffic to a DNS server


To control how the Global Traffic Manager responds to DNS requests, you must configure a listener. A listener is a specialized resource that you assign to a specific IP address, which uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the Global Traffic Manager, allowing it to handle the traffic locally or forward the traffic to the appropriate resource.

Depending on how you configure the listeners, the Global Traffic Manager operates as either a router or a bridge:

• If the listener points to a DNS server that exists on the same subnet, the Global Traffic Manager acts as a bridge.

• If the listener points to a DNS server that exists on a different subnet, the Global Traffic Manager acts as a router.

For this implementation, you create two different listeners. First, you create a listener that allows the Global Traffic Manager to act as a bridge. Then you create a second listener that allows the Global Traffic Manager to act as a router for a different set of DNS traffic.

Note

To ensure that the Global Traffic Manager forwards or routes requests to the external DNS server instead of using BIND to process those requests, when you create a listener be sure to use an IP address other than the self IP address of the Global Traffic Manager.
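Both the bridge-or-router distinction and the Note's warning about self IP addresses can be checked before a listener is created. The following Python function is an added example, not part of this manual or of the BIG-IP software; it takes the Global Traffic Manager's self IP addresses with their prefix lengths and a proposed listener address, refuses a self IP, and otherwise reports whether that listener would make the system act as a bridge or as a router. The /24 prefix on the example self IP 192.168.5.10 is an assumption, since the manual does not state the subnet mask.

```python
"""Classify a proposed listener address: self IP (rejected), bridge, or router.

Added example; the /24 prefix length is an assumption not stated in the manual.
"""
import ipaddress
from typing import Dict, Iterable

# Self IP(s) of the Global Traffic Manager in the manual's example (prefix assumed).
GTM_SELF_IPS = ["192.168.5.10/24"]


def classify_listener(listener_addr: str, self_ips: Iterable[str]) -> str:
    """Return "bridge" or "router" for listener_addr, or raise ValueError on a self IP.

    bridge: the DNS server the listener points at shares a subnet with a self IP.
    router: it lies outside every self IP subnet.
    A self IP itself is refused, because BIND on the Global Traffic Manager
    would then answer the queries instead of the external DNS server.
    """
    addr = ipaddress.ip_address(listener_addr)
    interfaces = [ipaddress.ip_interface(s) for s in self_ips]
    if not interfaces:
        raise ValueError("at least one self IP with prefix length is required")
    for iface in interfaces:
        if addr == iface.ip:
            raise ValueError(f"{listener_addr} is a self IP of the Global Traffic Manager")
    if any(addr.version == iface.ip.version and addr in iface.network
           for iface in interfaces):
        return "bridge"
    return "router"


def plan_listeners(addrs: Iterable[str], self_ips: Iterable[str]) -> Dict[str, str]:
    """Map each proposed listener address to its mode, or to the reason it was rejected."""
    result: Dict[str, str] = {}
    for a in addrs:
        try:
            result[a] = classify_listener(a, self_ips)
        except ValueError as exc:
            result[a] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    # The two DNS server addresses used in this chapter, plus the self IP itself.
    for a, mode in plan_listeners(
            ["192.168.5.23", "172.15.23.23", "192.168.5.10"], GTM_SELF_IPS).items():
        print(f"{a:16} {mode}")
```

With the assumed /24, the forwarding example's destination 192.168.5.23 comes out as bridge and the routing example's 172.15.23.23 as router, matching the two listeners this chapter creates.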

Forwarding traffic through the Global Traffic Manager

SiteRequest recently purchased a Global Traffic Manager to help load balance traffic across two of its web-based applications: store.siterequest.com and checkout.siterequest.com. These applications are subdomains of www.siterequest.com, which is managed by an existing DNS server. SiteRequest has already configured the Global Traffic Manager with two wide IPs, store.siterequest.com and checkout.siterequest.com, which correspond to these two web applications.

Placing the Global Traffic Manager to forward traffic

The standard configuration for this implementation requires that you place the Global Traffic Manager between the existing DNS server and the Internet. For the purposes of this implementation, the IP address of the Global Traffic Manager is 192.168.5.10, while the IP address of the DNS server is 192.168.5.23.


To place the Global Traffic Manager on a network for forwarding traffic

1. Connect the Global Traffic Manager to your Internet connection.

2. Connect the DNS server to an Ethernet port on the Global Traffic Manager.

Tip

If you prefer to implement the Global Traffic Manager as a redundant system configuration, see Chapter 9, Setting Up a Global Traffic Manager Redundant System Configuration.

Configuring a VLAN group

The next task in this implementation is to configure a VLAN group through which the Global Traffic Manager can transparently pass traffic to the original DNS server.

To configure a VLAN group

1. On the Main tab of the navigation pane, expand Network and then click VLANs.

2. From the VLAN Groups menu, choose List.

3. Click Create.

4. In the Name box, for this example, use the name GTMforward.

5. In the VLANs setting, use the Move (<<) button to add VLANs to the group by moving the VLANs from the Available list to the Members list.

6. From the Transparency Mode list, select Opaque.

7. Click Finished.

Forwarding traffic to a DNS server

With this setup, all DNS traffic flows through the Global Traffic Manager. Next, you need to configure the Global Traffic Manager to recognize the traffic that it must forward to the DNS server.

To forward traffic to the DNS server

1. On the Main tab of the navigation pane, expand Global Traffic and then click Listeners.

2. Click Create.


3. In the Destination box, type the IP address on which the Global Traffic Manager listens for network traffic. For this example, type the IP address 192.168.5.23.

Tip: To ensure that requests are bridged to the external DNS server rather than processed by BIND on the Global Traffic Manager system, do not use a self IP address of the system as the destination.

4. From the VLAN Traffic list, select All VLANs.

5. Click Finished.

You now have an implementation of the Global Traffic Manager in which the Global Traffic Manager receives all DNS queries. If the query is for a wide IP, the Global Traffic Manager load balances the request to the appropriate resource. Otherwise, the Global Traffic Manager forwards the query to the DNS server for resolution.

Routing traffic through the Global Traffic Manager

This part of the implementation covers the tasks necessary to route traffic through a Global Traffic Manager to another DNS server; for example, one that resides in a different data center. When the Global Traffic Manager manages traffic in this manner, it acts like a router between one section of the network and another.

This implementation again focuses on the fictional company SiteRequest. SiteRequest still wants to use the Global Traffic Manager to help load balance traffic across two of its web-based applications: store.siterequest.com and checkout.siterequest.com. These applications are subdomains of www.siterequest.com, which is managed by an existing DNS server. Again, SiteRequest has already configured the Global Traffic Manager with two wide IPs, store.siterequest.com and checkout.siterequest.com, which correspond to these two web applications.


Placing the Global Traffic Manager to route traffic

The standard configuration for this implementation requires that you place the Global Traffic Manager between the existing DNS server and the Internet. For the purposes of this example, the IP address of the Global Traffic Manager is 192.168.5.10, while the IP address of the DNS server is 172.15.23.23.

To place the Global Traffic Manager on the network for routing traffic

1. Connect the Global Traffic Manager to your Internet connection.

2. Connect the DNS server to an Ethernet port on the Global Traffic Manager.

Routing traffic to a DNS server

With this setup, all DNS traffic flows through the Global Traffic Manager. Lastly, you need to configure the Global Traffic Manager to recognize the traffic that it must route to the DNS server.

To route traffic to the DNS server

1. On the Main tab of the navigation pane, expand Global Traffic and then click Listeners.

2. Click Create.

3. In the Destination box, type the IP address on which the Global Traffic Manager listens for network traffic. In this example, type the IP address 172.15.23.23.

Tip: To ensure that requests are routed to the external DNS server rather than processed by BIND on the Global Traffic Manager system, do not use a self IP address of the system as the destination.

4. From the VLAN Traffic list, select All VLANs.

5. Click Finished.

You now have an implementation of the Global Traffic Manager in which the Global Traffic Manager receives all DNS queries. If the query is for a wide IP, the Global Traffic Manager load balances the request to the appropriate resource. If the traffic has a destination IP address of 172.15.23.23, the Global Traffic Manager routes the query to the DNS server for resolution.


7

Ensuring Correct Synchronization When Adding a New Global Traffic Manager

• Understanding synchronization in the Global Traffic Manager

• Adding a new Global Traffic Manager to a synchronization group safely


Understanding synchronization in the Global Traffic Manager

You can configure BIG-IP® Global Traffic Manager™ systems in collections called synchronization groups. In these groups, all Global Traffic Manager systems have the same rank. Global Traffic Manager systems that are in the same synchronization group exchange heartbeat messages and share probing responsibility.

Synchronization ensures the rapid distribution of Global Traffic Manager settings to any other systems that belong to the same synchronization group. Synchronization occurs in the following manner:

• At regular intervals, each Global Traffic Manager uses the iQuery® protocol to compare the timestamp of its configuration files against the timestamps on all other Global Traffic Manager systems in its synchronization group.

• If the system detects a newer configuration file, it downloads and uses those files.

• Once a synchronization is in progress, it must either complete or time out before another synchronization can occur.

Figure 7.1 An example of a synchronization group

You can modify the settings of all Global Traffic Manager systems from any Global Traffic Manager. The changes you make on one Global Traffic Manager are sent to all other Global Traffic Manager systems within the same synchronization group. When you enable the Synchronization setting for each Global Traffic Manager in the group, the systems automatically synchronize their configuration files. Additionally, when you enable the Synchronize DNS Zone Files setting for each system in the group, the systems automatically synchronize their Domain Name System (DNS) zone files.

Important

Global Traffic Manager systems only exchange heartbeat messages if they have the same software version installed. When you upgrade one Global Traffic Manager system in a synchronization group, the configuration of the upgraded system does not automatically synchronize with the configuration of the systems with an older version of software.

One exception to this process occurs when you add a new Global Traffic Manager to the network. In this scenario, there is a chance that the timestamp of the new system's configuration file is newer than the files on the already-installed Global Traffic Manager. If you enable synchronization at this point, the unconfigured configuration file is distributed to the existing Global Traffic Manager systems, effectively removing your existing configurations.

You can avoid the accidental synchronization of an unconfigured configuration file to existing Global Traffic Manager systems by using the gtm_add script when you add a new Global Traffic Manager to your network. This script acquires the configuration file from an existing Global Traffic Manager and applies it to the new system. As a result, the new system acquires the current configuration for your network.
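The newest-timestamp-wins rule and the hazard of an unconfigured unit whose file happens to be newer are easier to reason about in a small model. The Python below is an added example, not part of this manual or of the gtm_add script; it replays the synchronization decision on constructed units, shows the empty configuration winning when synchronization is enabled too early, and shows the effect of copying the existing configuration to the new unit first, which is what the manual says gtm_add does. Unit names, timestamps and the object dictionaries are constructed for the example.

```python
"""Model of synchronization-group timestamp comparison and the new-unit hazard.

Added example with constructed data; not the Global Traffic Manager's own logic.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class GtmUnit:
    name: str
    config_mtime: int                                # timestamp of the configuration file
    objects: Dict[str, list] = field(default_factory=dict)   # wide IPs, pools, ...

    @property
    def configured(self) -> bool:
        return bool(self.objects)


def newest(units: List[GtmUnit]) -> GtmUnit:
    """The unit whose configuration file carries the newest timestamp."""
    return max(units, key=lambda u: u.config_mtime)


def synchronize(units: List[GtmUnit]) -> str:
    """Newest timestamp wins: every other unit downloads and uses that file."""
    source = newest(units)
    for unit in units:
        if unit is not source:
            unit.objects = dict(source.objects)
            unit.config_mtime = source.config_mtime
    return source.name


def unsafe_to_enable_sync(new_unit: GtmUnit, existing: List[GtmUnit]) -> bool:
    """True when enabling synchronization now would wipe the existing configuration."""
    return (not new_unit.configured
            and new_unit.config_mtime > max(u.config_mtime for u in existing))


def acquire_config(new_unit: GtmUnit, source: GtmUnit) -> None:
    """What gtm_add achieves: the new unit takes the existing configuration first."""
    new_unit.objects = dict(source.objects)
    new_unit.config_mtime = source.config_mtime


if __name__ == "__main__":
    ny = GtmUnit("New York", 1_700_000_000, {"wideip": ["store.siterequest.com"]})
    la = GtmUnit("Los Angeles", 1_700_100_000)   # just installed: newer file, no objects
    print("unsafe to enable sync now:", unsafe_to_enable_sync(la, [ny]))
    acquire_config(la, ny)
    print("after gtm_add, source of next sync:", synchronize([ny, la]))
    print("New York still has:", ny.objects)
```

The first scenario in the test reproduces the outcome the manual warns about: with no gtm_add step, the Los Angeles unit's empty file is the newest and New York loses its objects. The second scenario runs acquire_config first and both units end up with the same configuration.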

Adding a new Global Traffic Manager to a synchronization group safely

This implementation focuses on the fictional company, SiteRequest. Currently, the SiteRequest network has two data centers: one located in New York; the other in Los Angeles.

Until recently, SiteRequest had a single Global Traffic Manager located at the New York data center, with an IP address of 192.168.5.199. However, recent increases in DNS traffic have prompted the integration of a new Global Traffic Manager at the Los Angeles data center. These two Global Traffic Manager systems must belong to the same synchronization group, allowing changes made to one system to transfer over to the other. For the purposes of this implementation, both Global Traffic Manager systems are the same version, and the Global Traffic Manager in New York is already active and communicating with the rest of the network.

At this point in the implementation, the new Global Traffic Manager is connected to the network and assigned the IP address, 10.10.5.25. SiteRequest also has a data center object defined on the Global Traffic Manager located in New York, and has named this new data center: Los Angeles Data Center. This data center contains the various BIG-IP systems that reside in Los Angeles. Finally, you have two Local Traffic Manager™ systems; one at each data center. The Local Traffic Manager in New York has an IP address of 192.168.5.10; the one in Los Angeles has an IP address of 10.10.5.20.

The tasks you must complete to add a new Global Traffic Manager to a synchronization group are:

• Add the Global Traffic Manager to the configuration

• Enable synchronization

• Run the gtm_add script

• Run the bigip_add script

Adding the Global Traffic Manager

The first task you must accomplish is adding the Los Angeles Global Traffic Manager to the New York Global Traffic Manager.

To add the Global Traffic Manager

1. On the Main tab of the navigation pane of the New York Global Traffic Manager, expand Global Traffic, and then click Servers.

2. Click Create.

3. In the Name box, for this example, type Los Angeles GTM.

4. From the Product list, select the server type. In this example, select BIG-IP System (Single).

5. For the Address List setting, complete the following tasks:

• In the Address box, type the IP address of the server. For this example, type: 10.10.5.25

• Click Add.

6. From the Data Center list, select the data center to which the server belongs. For this example, select Los Angeles Data Center.

7. From the Virtual Server Discovery list, select Disabled.

8. Click Create.

The newly added Global Traffic Manager displays a red status marker, because you have not yet run the bigip_add script. For more information about running this script, see Running the bigip_add script, on page 7-5.


Enabling synchronization

For the next task, you enable the Synchronization option, and assign an appropriate name for the synchronization group. For this implementation, use the synchronization group name North America.

To enable synchronization

1. On the Main tab of the navigation pane, expand System and then click Configuration.

2. From the Global Traffic menu, choose General.

3. Check the Synchronization check box.

4. Check the Synchronize DNS Zone Files check box.

5. In the Synchronization Group Name box, type the name of the group. In this example, type North America.

6. Click Update.

Running the gtm_add script

Next, you need to have the new Global Traffic Manager acquire the settings established on an existing Global Traffic Manager. In this example, the Global Traffic Manager in Los Angeles acquires the configurations established at the New York data center. You must do this before you attempt to synchronize these systems; otherwise, you run the risk of having the new Global Traffic Manager, which is unconfigured, replace the configuration of the New York system. To acquire the configuration files, you run the gtm_add script.

To run the gtm_add script

1. Access the unconfigured Global Traffic Manager.

2. At the command prompt, type gtm_add.

3. Press the y key to start the gtm_add script.

4. Type the IP address of the configured Global Traffic Manager. For this example, type 192.168.5.199.

5. Press Enter.

At this point, both Global Traffic Manager systems share the same configuration. In addition, they also belong to the same synchronization group, because the gtm_add script copied the settings from the existing Global Traffic Manager to the new Global Traffic Manager.


Running the bigip_add script

With the new unit added to the existing unit, you can now access the new system and run the bigip_add script. This script exchanges SSL certificates so that each system is authorized to communicate with the other. In this example, you run this script from the Global Traffic Manager in the Los Angeles data center.

To run the bigip_add script

1. Log on to the command line interface for the Global Traffic Manager.

2. At the prompt, type bigip_add <ip addresses>. In this example, type bigip_add 192.168.5.10 10.10.5.20 192.168.5.199

Note: In this example, you have included the IP address of the Global Traffic Manager in New York.

3. Press Enter.


8

Integrating the Global Traffic Manager with BIG-IP Systems

• Understanding the interactions between BIG-IP systems

• Integrating the Global Traffic Manager with other BIG-IP systems


Understanding the interactions between BIG-IP systems

Many common implementations of Global Traffic Manager™ systems involve adding the new system to networks in which Local Traffic Manager systems are already present. In this scenario, the Global Traffic Manager allows you to expand your load balancing and traffic management capabilities beyond the local area network. For this implementation to be successful, however, you must authorize communications between the Global Traffic Manager and any Local Traffic Manager™ on your network.

BIG-IP® systems employ a custom protocol, called iQuery®, to exchange information back and forth. To manage this flow of information, both the Global Traffic Manager and any Local Traffic Manager systems employ a software utility, called big3d.

Part of the process when establishing communications between the Global Traffic Manager and other BIG-IP systems is to open port 22 and port 4353 between the two systems. Port 22 allows the Global Traffic Manager to copy the newest version of the big3d agent to existing systems, while iQuery requires port 4353 for its normal communications.

In order for other BIG-IP systems to communicate with the Global Traffic Manager, F5 Networks recommends that you update the big3d agent on older BIG-IP systems by running the big3d_install script from the Global Traffic Manager. For more information about running the big3d_install script, see SOL8195 on AskF5.com.

Figure 8.1 Communications between big3d and gtmd agents


You must also authorize the communication between the Global Traffic Manager systems and Local Traffic Manager systems. You authorize this communication through the use of SSL certificates. These certificates ensure that each BIG-IP system, whether Global Traffic Manager or Local Traffic Manager, trusts the communications sent from any other BIG-IP system.

Consequently, the two tasks you must accomplish when integrating a Global Traffic Manager with BIG-IP systems are:

• Enable communications between the different BIG-IP systems.

• Install the latest version of the big3d agent.

Tip

For more information about the big3d agent, see Appendix A, Working with the big3d Agent, of the Configuration Guide for BIG-IP® Global Traffic Manager™.

In this implementation, we use the Configuration utility; however, if you prefer to use tmsh, see Chapter 12, Using tmsh to Set Up Implementations.
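Because big3d_install depends on port 22 to copy the agent and iQuery needs port 4353 for its normal communications, a quick reachability check of those two ports on every BIG-IP address saves a failed run. The Python below is an added example, not part of this manual or of the big3d_install script; it attempts a plain TCP connection to each required port on each host and reports the ones that cannot be reached. The function names are assumptions. A successful TCP connect only shows that no firewall or ACL between the systems is dropping the port; it says nothing about the state of the peer's big3d agent or its certificates.

```python
"""Pre-flight: are ports 22 and 4353 reachable on each BIG-IP before big3d_install?

Added example; function names are assumptions. A TCP connect only proves the
port is not filtered; it says nothing about the peer's big3d or certificates.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List

REQUIRED_PORTS: Dict[int, str] = {
    22: "SSH, used to copy the big3d agent to the peer",
    4353: "iQuery, used for normal Global Traffic Manager to big3d communication",
}


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Attempt a TCP connection and close it immediately."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, no route ...
        return False


def check_peer(host: str, ports: Iterable[int] = REQUIRED_PORTS,
               timeout: float = 2.0) -> Dict[int, bool]:
    """Reachability of each required port on one BIG-IP address."""
    return {port: port_open(host, port, timeout) for port in ports}


def preflight(hosts: Iterable[str], ports: Iterable[int] = REQUIRED_PORTS,
              timeout: float = 2.0) -> Dict[str, List[int]]:
    """Map every host to the list of required ports that are NOT reachable."""
    hosts = list(hosts)
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=min(8, max(1, len(hosts)))) as pool:
        results = pool.map(lambda h: check_peer(h, ports, timeout), hosts)
    return {h: [p for p, ok in r.items() if not ok] for h, r in zip(hosts, results)}


def all_clear(report: Dict[str, List[int]]) -> bool:
    """True when no host has an unreachable required port."""
    return all(not missing for missing in report.values())


if __name__ == "__main__":
    # The manual's example systems (Table 8.1); run this from the Global Traffic
    # Manager before big3d_install.
    report = preflight(["192.168.5.10", "192.168.5.11", "10.10.5.20", "10.10.5.21"])
    for host, missing in report.items():
        status = "ok" if not missing else "blocked: " + ", ".join(
            f"{p} ({REQUIRED_PORTS.get(p, '?')})" for p in missing)
        print(f"{host:16} {status}")
    print("safe to run big3d_install:", all_clear(report))
```

Run it from the Global Traffic Manager itself, since that is where big3d_install opens the connections from; a check run from an administrator's workstation would exercise a different path through the network.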


Integrating the Global Traffic Manager with other BIG-IP systems

This implementation focuses on adding a Global Traffic Manager to a network that has several BIG-IP systems. A BIG-IP system is a specific F5 product, including Local Traffic Manager systems, Global Traffic Manager systems, and Link Controller™ systems. At this point, you have added the Global Traffic Manager to the network, and configured a listener to ensure that DNS traffic is routed to the appropriate resource (either the Global Traffic Manager or another DNS server).

To illustrate how to integrate a Global Traffic Manager with other BIG-IP systems, this implementation uses the fictional company, SiteRequest. SiteRequest currently has two data centers: one located in New York and one located in Los Angeles. Each data center has a BIG-IP redundant system configuration. Table 8.1 displays the details for these BIG-IP systems.

Figure 8.2 The SiteRequest network

System                 IP Address
New York BIG-IP 1      192.168.5.10
New York BIG-IP 2      192.168.5.11
Los Angeles BIG-IP 1   10.10.5.20
Los Angeles BIG-IP 2   10.10.5.21
New York GTM           192.168.5.30

Table 8.1 SiteRequest BIG-IP systems


The tasks associated with integrating the Global Traffic Manager are:

• Define a data center.

• Define the Global Traffic Manager.

• Add the BIG-IP systems.

• Run the big3d_install script.

Defining a data center

The first task is to define the data centers on the Global Traffic Manager. Data centers are important entities within the Global Traffic Manager; you cannot add other entities, such as servers, without them.

To define a data center

1. On the Main tab of the navigation pane, expand Global Traffic and then click Data Centers.

2. Click Create.

3. In the Name box, type the name of the data center. For this example, type New York Data Center.

4. In the Location box, type the location of the data center. For this example, type New York, NY.

5. From the State list, select Enabled.

6. Click Finished.

Repeat this procedure to create the Los Angeles data center.

Defining the Global Traffic Manager

At installation, the Global Traffic Manager has no knowledge of itself. To have the Global Traffic Manager communicate and operate with other systems, you must define it. You can do this using the Configuration utility as shown in the following procedure. Alternatively, you can define the Global Traffic Manager using the tmsh utility. For more information about the tmsh utility, see the Traffic Management Shell (tmsh) Reference Guide.

To define the Global Traffic Manager

1. On the Main tab of the navigation pane, expand Global Traffic and then click Servers.

2. Click Create.

3. In the Name box, type the name of the server. For this example, type New York GTM.


4. From the Product list, select a server type. For this example, select BIG-IP System (Single).

5. For the Address List setting, complete the following tasks:

• In the Address box, type the IP address of the server. For this example, type: 192.168.5.30

• Click Add.

6. From the Data Center list, select New York Data Center.

7. For the Health Monitors setting, assign the bigip monitor to the server by moving it from the Available list to the Selected list.

8. From the Virtual Server Discovery list, select Disabled.

9. Click Create.

Adding BIG-IP systems

Once you have defined the two data centers within the Global Traffic Manager, and defined the Global Traffic Manager itself, you can add the BIG-IP systems that reside at each data center.

Note

A BIG-IP system is a specific F5 product that can include Local Traffic Manager systems, Global Traffic Manager systems, and Link Controller systems.

Important

The IP addresses that you use in the following procedure cannot be the IP addresses assigned to the management port.

To add the BIG-IP systems to the Global Traffic Manager

1. On the Main tab of the navigation pane, expand Global Traffic and then click Servers.

2. Click Create.

3. In the Name box, type the name of the server. For this example, type New York BIG-IP 1.

4. From the Product list, select a server type. For this example, select BIG-IP System (Redundant).

5. For the Address List setting, complete the following tasks:

• In the Address box, type the IP address of the server. For this example, type: 192.168.5.10

• Click Add.

6. For the Peer Address List setting, complete the following tasks:


• In the Address box, type the IP address of the second BIG-IP system that completes the redundant system configuration. In this example, type: 192.168.5.11.

• Click Add.

7. For the Health Monitors setting, assign the bigip monitor to theserver by moving it from the Available list to the Selected list.

8. From the Virtual Server Discovery list, select Enabled.

9. Click Create.

Repeat this procedure to add the BIG-IP systems located in the Los Angelesdata center.

Running the big3d_install script

At this point, you have configured the Global Traffic Manager with the information it needs to begin communications with the BIG-IP systems on the network. However, before these systems can communicate with each other, you must upgrade the big3d agents on the BIG-IP systems and instruct these systems to authenticate with the other systems through the exchange of web certificates. You can accomplish both of these tasks through the big3d_install script. This script is included with the Global Traffic Manager.

Important

The big3d_install script installs the big3d agent and runs the bigip_add script. Run the big3d_install script only on a system that is configured with the most current BIG-IP system software on your network, because big3d is only backward compatible.

To run the big3d_install script

1. Log on to the command line interface for the Global Traffic Manager.

2. At the prompt, type big3d_install <ip addresses>. For this example, type the following:

big3d_install 192.168.5.10 192.168.5.11 10.10.5.20 10.10.5.21

3. Press Enter.

This script instructs the Global Traffic Manager to connect to each BIG-IP system that you specified by IP address. As it connects to each system, it prompts you to supply the appropriate logon information to access that system.


When the script has completed its operations, the following changes take effect on each BIG-IP system:

• The appropriate SSL certificates are exchanged between each system, authorizing communications between each system.

• The big3d agent on each system is upgraded to the same version as installed on the Global Traffic Manager.

You have now successfully configured the BIG-IP systems on this network, including the Global Traffic Manager, to communicate with each other. The Global Traffic Manager can now use the BIG-IP systems when load balancing DNS requests, as well as when acquiring statistical or status information for the virtual servers these systems manage.


Chapter 9: Setting Up a Global Traffic Manager Redundant System Configuration

• Understanding Global Traffic Manager redundant system configurations

• Setting up a Global Traffic Manager redundant system configuration


Understanding Global Traffic Manager redundant system configurations

With the BIG-IP® Global Traffic Manager™, you manage incoming DNS traffic, forwarding that traffic to the appropriate DNS server or load balancing it to other resources on the network. Typically, a given network has several Global Traffic Manager systems, with at least one system installed at one of several data centers. With these systems in place, you can control the distribution of DNS traffic across your resources, monitor these resources to determine their availability, and ensure that any web-based applications have all the components necessary to operate successfully.

A standard implementation of Global Traffic Manager systems is a redundant system configuration. This is a set of two Global Traffic Manager systems: one operating as the active unit, the other operating as the standby unit. If the active unit goes offline, the standby unit immediately assumes responsibility for managing DNS traffic. The new active unit remains active until another event occurs that would cause the unit to go offline, or you manually reset the status of each unit.

The implementation tasks outlined in this chapter describe how to configure a Global Traffic Manager redundant system. This example focuses on the fictional company, SiteRequest. Table 9.1 outlines the network characteristics at SiteRequest that pertain to this implementation.

Component: Data Center
    Name: New York Data Center

Component: Global Traffic Manager (Active Unit)
    Host name: gtm1.siterequest.com
    Self IP address: 10.1.1.20/24
    Floating IP address: 10.1.1.50 (shared with second Global Traffic Manager)
    Management IP address: 192.168.15.16

Component: Global Traffic Manager (Standby Unit)
    Host name: gtm2.siterequest.com
    Self IP address: 10.1.1.21/24
    Floating IP address: 10.1.1.50 (shared with first Global Traffic Manager)
    Management IP address: 192.168.15.17

Component: VLAN
    Name: dns_requests
    Assigned interfaces: 1.1 (untagged)

Component: Default Gateway
    IP address: 10.1.1.100

Component: NTP server
    IP address: 192.168.5.15

Table 9.1 Network characteristics of SiteRequest


For this example, SiteRequest already has both Global Traffic Manager systems connected to the network; however, they have not yet assigned IP addresses to the systems.

Setting up a Global Traffic Manager redundant system configuration

This implementation focuses on the fictional company SiteRequest. This company wants to create a Global Traffic Manager redundant system configuration. They already have the systems installed on the network; however, they have yet to fully configure them.

In this implementation, you accomplish the following tasks:

• Configure the redundant system settings of each Global Traffic Manager.

• Create a VLAN.

• Assign Self IP addresses to both systems.

• Create a floating IP address.

• Configure the high availability options.

• Define an NTP server.

• Define the default gateway.

• Define a listener for incoming DNS traffic.

• Run a bigpipe config sync operation.

• Define the data center to which the Global Traffic Manager systems belong.

• Define the Global Traffic Manager systems.

• Enable synchronization.

• Conduct the initial configuration synchronization between systems through the gtm_add utility.

Configuring the redundant system settings

The first task in creating a redundant system configuration with two Global Traffic Manager systems is to configure the redundant system settings. You configure two different systems: the active system, which is initially online, and the standby system, which comes online only when the active system goes offline.

Note

You can also complete the following procedure by running the Setup Utility. You can access this utility through the main page of the Configuration utility of the Global Traffic Manager.


To configure redundant system settings for the active system

1. On the Main tab of the navigation pane, expand System and then click Platform.

2. From the High Availability list, select Redundant Pair.

3. From the Unit ID list, select 1.

4. Click Update.

To configure redundant system settings for the second system

1. On the Main tab of the navigation pane, expand System and then click Platform.

2. From the High Availability list, select Redundant Pair.

3. From the Unit ID list, select 2.

4. Click Update.

Creating VLANs

The next task in this implementation requires you to set up a VLAN. This VLAN encompasses the IP addresses associated with the Global Traffic Manager systems and the other network components that help manage DNS traffic.

You must apply the following procedures to both the active and standby systems.

To create a VLAN

1. On the Main tab of the navigation pane, expand Network and then click VLANs.

2. Click Create.

3. In the Name box, type dns_requests.

4. For the Interfaces setting, use the Move buttons to assign interface 1.1 to the Untagged list.

5. Click Finished.

Assigning self IP addresses

With VLANs in place, you can now assign self IP addresses to each Global Traffic Manager. These self IP addresses identify the Global Traffic Manager on the network.


You must apply the following procedure to both the active and standby systems.

To assign self IP addresses

1. On the Main tab of the navigation pane, expand Network and then click Self IPs.

2. Click Create.

3. In the IP address box, type a self IP address to assign to the VLAN for DNS requests. For this example, type one of the following:

• For gtm1.siterequest.com, type 10.1.1.20

• For gtm2.siterequest.com, type 10.1.1.21

4. In the Netmask box, type the appropriate net mask. For this example, 255.255.255.0.

5. From the VLAN list, select VLAN dns_requests.

6. Click Finished.

Creating a floating IP address

In a redundant system configuration, both Global Traffic Manager systems share a common IP address called a floating IP address. A floating IP address is an IP address that represents both the active and standby units in a redundant system. To the rest of the network, this floating IP address represents the active Global Traffic Manager. If the primary unit goes offline, the secondary unit takes over traffic destined for the floating IP address. This setup ensures that DNS traffic flows smoothly even in the event a fail-over occurs.

For this task, you configure only the active system. The settings you create are transferred to the standby system during a synchronization that you initiate later in this process.

To create a floating IP address

1. On the Main tab of the navigation pane, expand Network and then click Self IPs.

2. Click Create.

3. In the IP address box, type the IP address of the system. For this example, type 10.1.1.50.

4. In the Netmask box, type the appropriate net mask. For this example, 255.255.255.0.

5. From the VLAN list, select VLAN dns_requests.

6. Check the Floating IP option.

7. Click Finished.


Configuring the high availability options

Many of the options associated with creating a redundant system reside in the High Availability section of the Configuration utility. These options include the IP addresses of each system, the type of redundant system configuration, and other options.

You must apply the following procedure to both the active and standby systems.

To configure high availability options

1. On the Main tab of the navigation pane, expand System and then click High Availability.

2. On the menu bar, click Network Failover.

3. Click the Network Failover box.

4. In the Peer Management Address box, delete the colons (::) and type the management IP address of the peer unit. For this example, type 192.168.15.17.

5. For the Unicast setting, add an entry:

a) In the Configuration Identifier box, type a unique name for the unicast entry. For this example, type DNS requests.

b) In the Local Address box, type the self IP address associated with the failover VLAN you created on the unit you are configuring. For this example, type 10.1.1.20.

c) In the Remote Address box, type the self IP address associated with the failover VLAN you created on the peer unit. In this example, type 10.1.1.21.

d) Click Add.

Note

In this example, for gtm2.siterequest.com, use 192.168.15.16 for the Peer Management Address, and reverse the values of the Local Address and Remote Address settings.

Defining an NTP server

The next task of this implementation requires you to define an NTP server that both Global Traffic Manager systems use during synchronization operations. This task is important because it establishes a common time value for both systems. During file synchronizations, the systems use this time value to see if any newer configuration files exist.


To define an NTP server

1. On the Main tab of the navigation pane, expand System and then click Configuration.

2. From the Device menu, choose NTP.

3. In the Address box, type the IP address of the NTP server. In this example, 192.168.5.15.

4. Click Add.

5. Click Update.

Defining the default gateway route

Another task you must accomplish is defining the default gateway route for network traffic. The Global Traffic Manager uses this route to send and receive network traffic.

To define the default route

1. On the Main tab of the navigation pane, expand Network and then click Routes.

2. Click Add.

3. From the Type list, select Default Gateway.

4. From the Resource list, select Use Gateway and then type the IP address of the default gateway. In this example, type 10.1.1.100.

5. Click Finished.

Defining a listener

The Global Traffic Manager employs a listener to identify the DNS traffic for which it is responsible. In this implementation, you need to create a listener that corresponds to the floating IP address shared between the two Global Traffic Manager systems.

For this task, you configure only the active system. The settings you create are transferred to the standby system during a synchronization that you initiate later in this process.

To configure the listener

1. On the Main tab of the navigation pane, expand Global Traffic and then click Listeners.

2. Click Create.


3. In the Destination box, type the IP address on which the system will listen for traffic. In this example, type 10.1.1.50.

4. From the VLAN Traffic list, select All VLANs.

5. Click Finished.

Running a config sync operation

If you are familiar with Global Traffic Manager, you might be familiar with its synchronization feature. This feature ensures that all Global Traffic Manager systems share the same information on wide IPs, pools, and other network configurations associated with DNS traffic management.

For a redundant system, you must employ an additional synchronization option to share the self IP address, default route, and other information you configured on the active system with the standby system.

To run a config sync operation

1. On the Main tab of the navigation pane, expand System and then click High Availability.

2. On the menu bar, click ConfigSync.

3. Click Synchronize TO Peer. The system synchronizes settings to the standby Global Traffic Manager; in this example, gtm1.siterequest.com.

4. Click OK.

Defining a data center

The next task is to define the data centers in the Global Traffic Manager. Data centers are important entities within the Global Traffic Manager; you cannot add other entities, such as servers, without them.

For this task, you configure only the active system. The settings you create are transferred to the standby system during a synchronization that you initiate later in this process.

To define a data center

1. On the Main tab of the navigation pane, expand Global Traffic and then click Data Centers.

2. Click Create.

3. In the Name box, type the name of the data center. In this example, type New York Data Center.

4. In the Location box, type the location of the data center. For this example, type New York, NY.


5. From the State list, select Enabled.

6. Click Finished.

Defining the Global Traffic Manager systems

At installation, a Global Traffic Manager has no knowledge of itself. To have the Global Traffic Manager communicate and operate with other systems, you must define it within the user interface. For this example, you need to define both gtm1.siterequest.com and gtm2.siterequest.com.

For this task, you configure only the active system. The settings you create are transferred to the standby system during a synchronization that you initiate later in this process.

To define the Global Traffic Manager

1. On the Main tab of the navigation pane, expand Global Traffic and then click Servers.

2. Click Create.

3. In the Name box, type the name of the system. In this example, type gtm1.siterequest.com.

4. From the Product list, select BIG-IP System (Redundant).

5. For the Address List setting, complete the following tasks:

• In the Address box, type the IP address of the system. In this example, type 10.1.1.20.

• Click Add.

6. For the Peer Address List setting, complete the following tasks:

• In the Address box, type the IP address of the second system. For this example, type 10.1.1.21.

• Click Add.

7. From the Data Center list, select a data center. In this example, select New York Data Center.

8. From the Virtual Server Discovery list, select Disabled.

9. Click Create.

You now repeat this procedure on the second Global Traffic Manager, reversing the IP addresses in the Address List and Peer Address List options. In this example, you repeat this procedure for the gtm2.siterequest.com system.


Enabling synchronization

For the next task, you enable the synchronization options and assign an appropriate name for the synchronization group. For this implementation, the synchronization group name is North America.

For this task, you configure only the active system. The settings you create are transferred to the standby system during a synchronization that you initiate later in this process.

To enable synchronization

1. On the Main tab of the navigation pane, expand System, and then click Configuration.

2. From the Global Traffic menu, choose General.

3. Check the Synchronization check box.

4. Check the Synchronize DNS Zone Files check box.

5. In the Synchronization Group Name box, type the name of the synchronization group. In this example, type North America.

6. Click Update.

Running the gtm_add script

Next, you need to have the two systems share the same configuration. (For this example, that means you need to have the Global Traffic Manager in Los Angeles acquire the configurations established at the New York data center.) You must do this before you attempt to synchronize these systems; otherwise, you run the risk of having the new Global Traffic Manager, which is unconfigured, replace the configuration of older systems. To acquire the configuration files, you run the gtm_add script.

Note

You must run the gtm_add script from the currently unconfigured Global Traffic Manager.

To run the gtm_add script

1. Log on to the unconfigured Global Traffic Manager. In this example, log on to gtm2.siterequest.com.

2. At the command prompt, type gtm_add.

3. Press the y key to start the gtm_add script.

4. Type the IP address of the configured Global Traffic Manager. For this example, type 10.1.1.20.

5. Press Enter.


The gtm_add process begins, acquiring configuration data from the active Global Traffic Manager; in this example, gtm1.siterequest.com. Once the process completes, you have successfully created a redundant system consisting of two Global Traffic Manager systems.


Chapter 10: Authenticating with SSL Certificates Signed by a Third Party

• Understanding SSL authentication

• Understanding BIG-IP system certificate authentication

• Configuring a level one SSL authentication for a Global Traffic Manager

• Configuring a certificate chain for a Global Traffic Manager system

• Configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager


Understanding SSL authentication

The BIG-IP® Global Traffic Manager system uses an encryption protocol, Secure Sockets Layer (SSL) authentication, to verify the authenticity of the credentials of any other system with which it needs to exchange data. For example, a Global Traffic Manager system might send a request to a Local Traffic Manager system that attempts to authenticate the request, and after authenticating the request sends a response back to the Global Traffic Manager system that in turn attempts to authenticate the response.

With SSL authentication, this verification process occurs with the use of a specialized file, called a certificate, which the two systems exchange. The systems then verify the authenticity of the certificate, typically through the use of a Certificate Authority (CA) server, which both systems have previously verified.

SSL supports ten levels of authentication (also known as certificate depth) as described below.

• At level 0, certificates are verified by the system to which they belong. These types of certificates are also known as self-signed certificates.

• At level 1, certificates are authenticated by a CA server that is separate from the system.

• At levels 2 - 9, certificates are authenticated by additional CA servers, which verify the authenticity of other servers. These multiple levels of authentication are referred to as certificate chains, and allow for a tiered verification system that ensures that only authorized communications occur between servers.


Understanding BIG-IP system certificate authentication

When you install BIG-IP® software, it includes a self-signed SSL certificate. A self-signed certificate is an authentication mechanism that is created and authenticated by the system on which it resides. These certificates allow BIG-IP systems to ensure that they are authorized to communicate with other BIG-IP systems on the network.

If your network includes one or more CA servers, you can install on each BIG-IP system SSL certificates that are signed by a third party. To configure multiple level system certificate authentication, you must:

◆ Import to each BIG-IP system the certificates that are necessary to authenticate communications with other BIG-IP systems. In addition, you must also modify the following two settings.

◆ Set the Certificate Depth for the gtmd agent. This setting determines the number of CA servers (often referred to as the authentication chain) that the gtmd agent can traverse to validate the authenticity of another BIG-IP system. You can access this setting through the Configuration utility.

◆ Set the Big3d.CertificateDepth variable. This variable determines the number of CA servers that the big3d agent can traverse to validate the authenticity of another BIG-IP system. You access this setting through the command line.

Important

The specified number of certificate levels (certificate depth) that the gtmd agent can traverse must match the specified number for the big3d agent. For example, if the Certificate Depth setting for the gtmd agent is set to 2, then the Big3d.CertificateDepth variable for the big3d agent must also be set to 2.

For more information about SSL certificates, see the TMOS® Management Guide for BIG-IP® Systems.


Configuring a level one SSL authentication for a Global Traffic Manager

To see how you can use certificates signed by a third party with a BIG-IP® Global Traffic Manager™, consider the fictional company SiteRequest. The network at SiteRequest includes two Global Traffic Manager systems. In addition, SiteRequest uses its own CA server to generate and authenticate SSL certificates for its servers. In this scenario, SiteRequest wants to replace the self-signed certificates of their Global Traffic Manager systems with the company's own SSL certificates.

The following procedures describe how to install the new certificate on each Global Traffic Manager. To accomplish this, you must complete the following tasks on each system:

• Import the root certificate for the gtmd agent.

• Set the certificate depth for the gtmd agent.

• Import the root certificate for the big3d agent.

• Set the Big3d.CertificateDepth variable.

• Import the third-party certificate signed by the CA server.

• Verify the certificate exchange.

For the purposes of this implementation, assume that you already have a signed certificate/key pair and the root certificate from the CA server. A root certificate is a special instance of a certificate chain for which the certificate depth is 1.

The following tasks assume that these Global Traffic Manager systems are already synchronized. For more information on how to synchronize Global Traffic Manager systems, see Chapter 7, Ensuring Correct Synchronization When Adding a New Global Traffic Manager.

Important

If you have a Local Traffic Manager™ system that you want to be able to communicate with the Global Traffic Manager systems, you must also configure the Local Traffic Manager. For more information, see Configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager, on page 10-12.

Importing the root certificate for the gtmd agent

The first task to set up the Global Traffic Manager to use a third-party certificate signed by a CA server is to replace the existing certificate file for the gtmd agent with the root certificate of your CA server.


For this task, perform the following procedure on only one Global Traffic Manager in a synchronization group. The system automatically synchronizes these settings with the other Global Traffic Manager systems in the group.

Important

In this procedure, you must import the root certificate from your CA server into the Configuration utility. Before you start this procedure, ensure that you have this certificate available.

To import the root certificate for the gtmd agent

1. On the Main tab of the navigation pane, expand Global Traffic and click Servers.

2. On the menu bar, click Trusted Server Certificates.

3. Click Import.

4. From the Import Method list, select Replace.

5. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate and select the root certificate file.

6. Click Import.

Setting the certificate depth for the gtmd agent

Because, in the previous task, you replaced the certificate file of the gtmd agent with the root certificate of the CA server, you must change the certificate depth for the gtmd agent to 1.

For this task, you perform the following procedure on only one Global Traffic Manager. The system then synchronizes these settings with any other Global Traffic Manager systems in its synchronization group.

To set the certificate depth for the gtmd agent

1. On the Main tab of the navigation pane, expand System and then click Configuration.

2. From the Global Traffic menu, choose General.

3. For the Certificate Depth setting, type 1.

4. Click Update.


Importing the root certificate for the big3d agent on the Global Traffic Manager

The next task to set up the Global Traffic Manager to use a third-party certificate signed by a CA server is to import the root certificate of the CA server for the big3d agent. For this task, perform the following procedure on all Global Traffic Manager systems.

To import the root certificate for the big3d agent on the Global Traffic Manager

1. On the Main tab of the navigation pane, expand System and then click Device Certificates.

2. On the menu bar, click Trusted Device Certificates.

3. Click Import.

4. From the Import Method list, select Replace.

5. In the Certificate Source box, select the Upload File option and then use the Browse button to navigate and select the root certificate file.

6. Click Import.

Setting the Big3d.CertificateDepth variable for the Global Traffic Manager

While the Certificate Depth setting handles the number of certificate levels the gtmd agent can use, it does not affect the big3d agent. To modify the certificate depth for the big3d agent, you must set the bigpipe variable, Big3d.CertificateDepth.

For this task, perform the following procedure on all Global Traffic Manager systems.

To set the Big3d.CertificateDepth variable

1. Access the command line for the Global Traffic Manager.

2. At the command line, type the following:

b db Big3d.CertificateDepth 1

Importing the device certificate signed by the CA server onto the Global Traffic Manager

The final task is to import the device certificate signed by the CA server. For this task, perform the following procedure on all Global Traffic Manager systems.


To import the device certificate

1. On the Main tab of the navigation pane, expand System and thenclick Device Certificates.

2. Click Import.

3. From the Import Type list, select Certificate and Key. The screen refreshes and provides options to add a new certificate and key.

4. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate and select the certificate signed by the CA server.

5. For the Key Source setting, select the Upload File option and then use the Browse button to navigate and select the device key file.

6. Click Import.

Verifying the certificate exchange

At this point, you can verify that you installed the certificate correctly by running the following commands:

• iqdump <self IP address>

• iqdump <peer IP address>

If the certificate was installed correctly, these commands display a continuous stream of information on the console window.


Configuring a certificate chain for a Global Traffic Manager system

To see how you can use a certificate chain to allow multiple Global Traffic Manager systems to communicate with one another, we again consider the fictional company SiteRequest. This time the network at SiteRequest includes two Global Traffic Manager systems that are already part of the same synchronization group. For more information on how to synchronize Global Traffic Manager systems, see Chapter 7, Ensuring Correct Synchronization When Adding a New Global Traffic Manager.

Besides using its own CA server to generate and authenticate SSL certificates for its servers, the company also uses additional CA servers for this purpose. In this scenario, SiteRequest wants to add a certificate chain to the self-signed certificates of their Global Traffic Manager systems.

For the purposes of this implementation, you must first create a file containing a certificate chain that consists of the certificates from each of the additional CA servers that the company uses. Then import this file into the gtmd and big3d agents as shown in Importing a certificate chain for the gtmd agent, on page 10-8, and Importing the certificate chain for the big3d agent, on page 10-9.

Then you complete the following tasks on only one of the Global Traffic Manager systems in the synchronization group. These changes are automatically propagated to the other Global Traffic Manager systems in the group.

• Import the certificate chain for the gtmd agent.

• Set the certificate depth for the gtmd agent.

Finally, you complete the following tasks on each system in the synchronization group.

• Set the Big3d.CertificateDepth variable.

• Import the certificate chain for the big3d agent.

• Import a device certificate.

• Verify the certificate exchange.


Importing a certificate chain for the gtmd agent

The first task in configuring a certificate chain for a BIG-IP system is to replace the existing certificate with the file containing the certificate chain for the gtmd agent. To do this, perform the following two procedures. First create a certificate chain file, and then import the certificate chain onto the Global Traffic Manager system.

To create a certificate chain file for the Global Traffic Manager

1. Using a text editor, create an empty file for the certificate chain.

2. Still using a text editor, copy an individual certificate from its own certificate file and paste the certificate into the file you created in step 1.

3. Repeat step 2 for each certificate that you want to include in the certificate chain.

When you are finished, you should have a certificate chain file that contains all certificates that you want to include in the certificate chain.

Important

Before you perform the following procedure, ensure that the file containing the certificate chain is accessible from the Global Traffic Manager system that you want to configure.

To import the certificate chain file

1. On the Main tab of the navigation pane, expand Global Traffic and click Servers.

2. On the menu bar, click Trusted Server Certificates.

3. Click Import.

4. From the Import Method list, select Replace.

5. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate and select the certificate chain file.

6. Click Import.


Setting the certificate depth for the gtmd agent

After you import the file containing the certificate chain, you must change the certificate depth for the gtmd agent.

For this task, perform the following procedure on only one Global Traffic Manager. The system then synchronizes these settings with all other Global Traffic Manager systems in the synchronization group.

To set the certificate depth for the gtmd agent

1. On the Main tab of the navigation pane, expand System and then click Configuration.

2. From the Global Traffic menu, choose General.

3. For the Certificate Depth setting, type 2.

Note: If you have multiple levels of CA servers in your network, you increase this setting for each level.

4. Click Update.

Setting the Big3d.CertificateDepth variable

The certificate depth must be the same for the gtmd and big3d agents. As shown in the previous procedure, the Certificate Depth setting in the Configuration utility handles the number of certificate levels the gtmd agent can use. However, to modify the certificate depth for the big3d agent, you must set the bigpipe variable, Big3d.CertificateDepth.

For this task, perform the following procedure on all Global Traffic Manager systems.

To set the Big3d.CertificateDepth variable

1. Access the command line for the Global Traffic Manager.

2. At the command line, type the following:

b db Big3d.CertificateDepth 2
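The chain file that the procedures above have you assemble by hand is a concatenation of PEM certificate blocks, one per CA level, and the depth configured for gtmd and big3d must agree. The following Python is an added example, not F5 code: it builds the chain file from the individual certificate files, rejects a private key, a duplicate, or a malformed block before anything reaches the trusted certificate store, and compares the two depth values. Its sample certificates are constructed placeholders, not real certificates.

```python
"""Build and check a certificate chain file for the gtmd and big3d agents.

Added example, not F5 code. The sample inputs are constructed placeholders.
"""
import base64
import re

# One PEM block: BEGIN line, base64 body, matching END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P=label)-----"
)


def parse_pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text.

    Each body must be valid base64 and decode to a DER SEQUENCE (first
    byte 0x30), which every X.509 certificate and private key starts
    with; anything else is a paste error and raises ValueError.
    """
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        label = match.group("label")
        body = "".join(match.group("body").split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError(f"{label}: body is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: body does not decode to a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def build_chain_file(cert_file_texts):
    """Concatenate one certificate from each source file into a chain file.

    Mirrors the manual procedure (paste each CA certificate into one file),
    but refuses anything that is not exactly one CERTIFICATE block, so a
    private key or a duplicate never lands in the trusted certificate store.
    Returns the chain file contents as text.
    """
    seen = set()
    chain = []
    for text in cert_file_texts:
        blocks = parse_pem_blocks(text)
        if len(blocks) != 1:
            raise ValueError("each source file must contain exactly one PEM block")
        label, der = blocks[0]
        if label != "CERTIFICATE":
            raise ValueError(f"refusing to add a {label} block to the chain")
        if der in seen:
            raise ValueError("the same certificate was pasted twice")
        seen.add(der)
        # Re-emit only the block itself, with clean line endings.
        chain.append(_PEM_BLOCK.search(text).group(0) + "\n")
    return "".join(chain)


def certificate_count(chain_text):
    """Number of CERTIFICATE blocks in a chain file (one per CA level)."""
    return sum(1 for label, _ in parse_pem_blocks(chain_text) if label == "CERTIFICATE")


def depths_match(gtmd_certificate_depth, big3d_certificate_depth):
    """The gtmd Certificate Depth setting and the Big3d.CertificateDepth
    db variable must hold the same value on every system."""
    return int(gtmd_certificate_depth) == int(big3d_certificate_depth)


def _placeholder_cert(seed):
    """Constructed sample: DER-shaped bytes, NOT a real certificate."""
    der = bytes([0x30, 0x82, 0x00, 0x10]) + bytes([seed]) * 16
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed inputs: two CA certificate files, and a key file pasted by mistake.
SAMPLE_CA_FILES = [_placeholder_cert(1), _placeholder_cert(2)]
SAMPLE_KEY_FILE = "-----BEGIN RSA PRIVATE KEY-----\nMAA=\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    chain = build_chain_file(SAMPLE_CA_FILES)
    print(f"chain file holds {certificate_count(chain)} certificate(s)")
    try:
        build_chain_file(SAMPLE_CA_FILES + [SAMPLE_KEY_FILE])
    except ValueError as err:
        print("rejected:", err)
```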

Importing the certificate chain for the big3d agent

The next task in configuring a certificate chain for a BIG-IP system is to replace the existing certificate with the file containing the certificate chain for the big3d agent.


For this task, perform the following procedure on all Global Traffic Manager systems.

Important

Before you start this procedure, make sure that the file containing the certificate chain is accessible from all of the Global Traffic Managers that you want to configure.

To import the certificate chain for the big3d agent

1. On the Main tab of the navigation pane, expand System and then click Device Certificates.

2. On the menu bar, click Trusted Device Certificates.

3. Click Import.

4. From the Import Method list, select Replace.

5. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate and select the certificate chain file.

6. Click Import.

Importing a device certificate

The final task in configuring a certificate chain is to import a device certificate signed by the last CA in the certificate chain. For this task, perform the following procedure on all Global Traffic Manager systems.

To import a device certificate

1. On the Main tab of the navigation pane, expand System and then click Device Certificates.

2. Click Import.

3. From the Import Type list, select Certificate and Key.

4. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate and select the device certificate.

5. For the Key Source setting, select the Upload File option and then use the Browse button to navigate and select the device key file.

6. Click Import.


Verifying the certificate chain exchange

At this point, you can verify that you installed the certificate chain correctly by running the following commands on each Global Traffic Manager system:

• iqdump <self IP address>

• iqdump <peer IP address>

If you installed the certificate chain correctly, these commands display a continuous stream of information in the console window.


Configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager

If you are configuring SSL authentication for a BIG-IP system that includes a Local Traffic Manager™ system, you must configure the Local Traffic Manager system so that it can communicate with the Global Traffic Manager system using SSL authentication.

To configure SSL certificates on a Local Traffic Manager, you must perform the following tasks for the big3d agent on each Local Traffic Manager system:

• Set the certificate depth for the big3d agent.

• Replace the self-signed certificate for the big3d agent on the Local Traffic Manager with a root certificate or a certificate chain.

• Import a device certificate signed by the last CA server in the chain.

Before you import SSL certificates onto the Local Traffic Manager, make sure that:

• Self-signed certificates are installed on all Local Traffic Manager systems on your network.

• Your network includes its own CA server to generate certificates signed by a third party.

• You want to replace the self-signed certificates on the Local Traffic Manager systems with certificates that the CA server has generated.

The remainder of this chapter describes how to configure SSL certificates on a Local Traffic Manager system for the purpose of communicating with Global Traffic Manager systems.


Setting certificate depth for the big3d agent on the Local Traffic Manager

For BIG-IP systems to communicate successfully, the specified number of certificate levels that the big3d agent on the Local Traffic Manager can traverse must match the number of certificate levels that the gtmd agent on the Global Traffic Manager can traverse. For example, if the Certificate Depth setting for gtmd is set to 2, then the Big3d.CertificateDepth variable for big3d must also be set to 2. For more information about setting the certificate depth for the gtmd agent, see Setting the certificate depth for the gtmd agent, on page 10-4.

You must set the certificate depth on all Local Traffic Manager systems on the network.

To set the Big3d.CertificateDepth variable on the Local Traffic Manager

1. Access the command line for Local Traffic Manager.

2. At the command line, type the following:

b db Big3d.CertificateDepth <integer>

Important

After you configure the certificate depth for the big3d agent, you must import either a root certificate or a certificate chain, but not both.

Replacing the self-signed certificate for the big3d agent on the Local Traffic Manager

You can replace the existing self-signed certificate for the big3d agent by importing either the root certificate of a CA server or a certificate chain.

To import the root certificate for the big3d agent on the Local Traffic Manager

1. On the Main tab of the navigation pane, expand System and then click Device Certificates.

2. On the menu bar, click Trusted Device Certificates.

3. Click Import.

4. From the Import Method list, select Replace.

5. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate to and select the root certificate file.

6. Click Import.


If you choose to import a certificate chain, you need to first create a certificate chain file, and then import the entire certificate chain onto the Local Traffic Manager system.

To create a certificate chain file for the Local Traffic Manager

1. Using a text editor, create an empty file for the certificate chain.

2. Still using a text editor, copy an individual certificate from its own certificate file and paste the certificate into the file you created in step 1.

3. Repeat step 2 for each certificate that you want to include in the certificate chain.

Important

Before you perform the following procedure, ensure that the file containing the certificate chain is accessible from all of the Local Traffic Manager systems that you want to configure.

To import the certificate chain for the big3d agent on the Local Traffic Manager

1. On the Main tab of the navigation pane, expand System, and then click Device Certificates.

2. On the menu bar, click Trusted Device Certificates.

3. Click Import.

4. From the Import Method list, select Replace.

5. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate and select the certificate chain file that you created in the previous procedure, To create a certificate chain file for the Local Traffic Manager.

6. Click Import.


Importing a device certificate onto the Local Traffic Manager

The final task in configuring a certificate chain is to import a device certificate signed by the last CA in the certificate chain. For this task, perform the following procedure on all Local Traffic Manager systems.

To import a device certificate

1. On the Main tab of the navigation pane, expand System and then click Device Certificates.

2. Click Import.

3. From the Import Type list, select Certificate and Key.

4. For the Certificate Source setting, select the Upload File option and then use the Browse button to navigate and select the device certificate.

5. For the Key Source setting, select the Upload File option and then use the Browse button to navigate and select the device key file.

6. Click Import.


11

Monitoring Third-Party Servers with SNMP

• Overview of SNMP

• Assigning the SNMP monitor to a third-party server


Overview of SNMP

SNMP, or Simple Network Management Protocol, is frequently used to acquire data from different network systems. At the core of SNMP is a MIB, or Management Information Base, which specifies the data available on a given system.

In a BIG-IP® system environment, you typically use SNMP for acquiring information about the health of a third-party server. To accomplish this, you assign an SNMP monitor to a server currently running SNMP. This monitor can then provide information on the availability of that server.

Assigning the SNMP monitor to a third-party server

To see how you can use SNMP to monitor a third-party server, consider the fictional company, SiteRequest. SiteRequest has a server that contains several resources related to one of its web applications. This server is not a BIG-IP system; however, it does have SNMP running. As a result, the IT department has opted to use the SNMP monitor included with the Global Traffic Manager™ to track the availability of the server.

To use SNMP to acquire information about this server, you must perform the following tasks:

• Add the server to the Global Traffic Manager configuration.

• Add a virtual server to the server.

• Create an SNMP monitor.

• Assign the monitor to the server.

For the purposes of this example, you use the server name SiteRequest Resource, which has an IP address of 10.0.1.25. You also use the data center name, SiteRequest-main. In this example, you have already created the data center.

Adding the server

The first task in monitoring a server running SNMP requires you to add the server to the Global Traffic Manager configuration.

In this example you add the server, SiteRequest Resource, to the network. This server has the IP address 10.0.1.25.


To add the server

1. On the Main tab of the navigation pane, expand Global Traffic and then click Servers.

2. Click Create.

3. In the Name box, type the name of the server. For this example, type SiteRequest Resource.

4. From the Product list, select the server type. For this example, select Generic Host.

5. For the Address List setting, complete the following tasks:

• In the Address box, type the IP address of the server. For this example, type 10.0.1.25.

• Click Add.

6. From the Data Center list, select the data center to which the server belongs. For this example, select SiteRequest-main.

7. Locate the Resources area, which is close to the bottom of the screen, and from the Virtual Server List option, select Disabled.

8. Click Create.

Adding a virtual server

One of the requirements of the SNMP monitor on the Global Traffic Manager is that you must assign a virtual server to the server being monitored. Without this virtual server, the SNMP monitor cannot acquire information about the system.

For this example, you add a virtual server, vs-generic-1, with an IP address of 10.100.100.5, to the server you created in the previous section.

To add a virtual server

1. On the Main tab of the navigation pane, expand Global Traffic and click Servers.

2. Click the name of the server to which you want to add virtual servers. For this example, click the link for SiteRequest Resource.

3. On the menu bar, click Virtual Servers.

4. Click Add.

5. In the Name box, type the name of the virtual server. For this example, type the name vs-generic-1.

6. In the Address box, type the IP address of the virtual server. For this example, type the IP address 10.100.100.5.

7. Click Create.


Creating an SNMP monitor

Now that the server is in the Global Traffic Manager configuration, you can create an SNMP monitor. For the purposes of this example, the default values assigned to an SNMP monitor are sufficient for SiteRequest's server.

In this example, you create an SNMP monitor called SiteRequest-SNMP. This monitor uses the default SNMP monitor settings.

To create an SNMP monitor

1. On the Main tab of the navigation pane, expand Global Traffic and then click Monitors.

2. Click Create.

3. In the Name box, type the name of the monitor. For this example, type SiteRequest-SNMP.

4. From the Type list, select a monitor type. For this example, select SNMP.

5. Click Finished.

Assigning the monitor

You can now assign the new custom SNMP monitor to the server.

To assign the SNMP monitor

1. On the Main tab of the navigation pane, expand Global Traffic and then click Servers.

2. Click the server name, SiteRequest Resource.

3. For the Health Monitors setting, select SiteRequest-SNMP from the Available list and then use the Move [<<] button to move the monitor to the Selected list.

Note: This ensures that the monitor starts to check the availability of the server.

4. Click Update.

You now have an SNMP monitor assigned to a third-party server within the Global Traffic Manager configuration. The system can now use this monitor to verify that the server is available for load balancing DNS requests.


12

Using tmsh to Set Up Implementations

• Using tmsh for different implementations

• Setting up a stand-alone system

• Adding a system to a network that contains Local Traffic Manager systems

• Adding a system to a network that contains other Global Traffic Manager systems


Using tmsh for different implementations

This chapter describes three different implementations in which you provision and configure the Global Traffic Manager using the Traffic Management Shell (tmsh). Refer to these topics:

• Setting up a stand-alone system, on page 12-2

• Adding a system to a network that contains Local Traffic Manager systems, on page 12-10

• Adding a system to a network that contains other Global Traffic Manager systems, on page 12-17

These implementations focus on the fictional company, SiteRequest. They assume that you have already installed and licensed the BIG-IP system software, and either run the Setup utility or used tmsh to configure the basic network elements.

When you use tmsh commands to configure the Global Traffic Manager, the system automatically saves the configuration changes in the file /config/gtm/wideip.conf. Note that only users with Administrator or Resource Administrator roles assigned to their user accounts on the BIG-IP system can access tmsh.

WARNING

You must provision the Global Traffic Manager before you configure it; otherwise, you lose the system configuration when you provision the system.


Setting up a stand-alone system

In the first implementation, SiteRequest has purchased a stand-alone Global Traffic Manager to use in its North American data center. SiteRequest wants to use the system to handle DNS requests for and load balance traffic to www.siterequest.com, and its aliases www.store.siterequest.com and www.checkout.siterequest.com. SiteRequest wants the system to respond to these DNS requests on the IP address 192.168.5.17 and to load balance the traffic to two virtual servers on the system: 10.1.6.100:http and 10.1.6.101:80.

To configure a stand-alone Global Traffic Manager, complete the following tasks using tmsh:

• Provision the system

• Configure the global settings

• Create a data center

• Define a server

• Create virtual servers

• Create a pool

• Create a wide IP

• Create a listener


Provisioning the system

You must provision the Global Traffic Manager before you configure it. Provisioning apportions CPU, memory, and disk space among the system software modules.

Note

A stand-alone Global Traffic Manager includes a Local Traffic Manager that is provisioned at the nominal level by default.

To provision the system

1. Log on to the command line interface of the Global Traffic Manager.

2. Type tmsh, to access the Traffic Management Shell.

3. Run this command sequence:

modify /sys provision gtm level nominal

save sys config

list /sys provision

The system displays the provision configuration, as shown in Figure 12.1.

root@big-ip1(Active)(tmos)# list /sys provision
sys provision gtm {
    level nominal
}
sys provision lc { }
sys provision ltm {
    level nominal
}
root@big-ip1(Active)(tmos)#

Figure 12.1 Results of list command for sample system provision


Configuring the global settings

After you provision the system, F5 Networks recommends that you configure the system so that it does not run the Setup utility when a user opens the Configuration utility.

To do this, run the command sequence:

modify /sys db setup.run value false

Creating a data center

The next task is to create a data center to associate on your network the resources that share the same subnet. The Global Traffic Manager consolidates the paths and metrics data collected from the resources into the data center, and uses that data to conduct load balancing operations.

In this scenario, SiteRequest wants to use the Global Traffic Manager in its North American data center.

Important

You must configure at least one data center before you can add servers to the Global Traffic Manager configuration.

To create a data center

1. Navigate to the tmsh gtm module.

2. Run this command sequence:

create datacenter north_america

list datacenter north_america all-properties

The system displays the data center configuration, as shown in Figure 12.2.

root@big-ip1(Active)(tmos.gtm)# list datacenter north_america
gtm datacenter north_america {
    contact none
    enabled
    location none
}
root@big-ip1(Active)(tmos.gtm)#

Figure 12.2 Results of list command for sample data center


Defining a server

After you create a data center, the next task is to configure the Global Traffic Manager to respond to DNS requests with the IP address 192.168.5.17. To do this, create a server in the north_america data center that represents the system itself. Assign a bigip monitor to the server to track the status of the server.

Important

Each server can belong to only one data center.

To define a server

1. Navigate to the tmsh gtm module.

2. Run this command sequence:

create server gtm1 datacenter north_america monitor bigip addresses add { 192.168.5.17 }

list server gtm1 all-properties

The system displays the server configuration, as shown in Figure 12.3.

root@big-ip1(Active)(tmos.gtm)# list server gtm1 all-properties
gtm server gtm1 {
    addresses {
        192.168.5.17 {...}
    }
    datacenter north_america
    enabled
    ...
}
root@big-ip1(Active)(tmos.gtm)#

Figure 12.3 Results of list command for sample server


Creating virtual servers to host the site content

After you create a server, add virtual servers to the server. A virtual server, in this context, is a specific IP address and port number that points to the server you created in the previous task.

SiteRequest wants to load balance the traffic to www.siterequest.com across virtual servers with these IP addresses: 10.1.6.100:http and 10.1.6.101:80.

To create virtual servers

1. Navigate to the tmsh gtm module.

2. Run this command sequence:

modify server gtm1 virtual-servers add { 10.1.6.100:http 10.1.6.101:80 }

list server gtm1 all-properties

The system displays the server configuration, as shown in Figure 12.4.

root@big-ip1(Active)(tmos.gtm)# list server gtm1
gtm server gtm1 {
    addresses {
        192.168.5.17 {
            ...
        }
    }
    datacenter north_america
    ...
    monitor bigip
    ...
    virtual-servers {
        10.1.6.100:http {
            ...
        }
        10.1.6.101:http {
            ...
        }
    }
}
root@big-ip1(Active)(tmos.gtm)#

Figure 12.4 Results of list command for sample server with virtual servers


Creating a pool

Now that you have created virtual servers, create a pool that the Global Traffic Manager uses to load balance traffic to those virtual servers.

To create a pool

1. Navigate to the tmsh gtm module.

2. Run this command sequence:

create pool my_pool members add { 10.1.6.100:http 10.1.6.101:80 }

list pool my_pool all-properties

The system displays the pool configuration, as shown in Figure 12.5.

root@big-ip1(Active)(tmos.gtm)# list pool my_pool
gtm pool my_pool {
    ...
    members {
        10.1.6.100:http {
            ...
        }
        10.1.6.101:http {
            order 1
            ...
        }
        ...
    }
}
root@big-ip1(Active)(tmos.gtm)#

Figure 12.5 Results of list command for sample pool


Creating a wide IP

After you create a pool, create a wide IP that maps www.siterequest.com to the virtual servers you previously created. To do this, add the pool with the virtual servers to the wide IP. You can also add aliases for the domain name to the wide IP.

SiteRequest wants to create the wide IP www.siterequest.com and add to it the aliases www.store.siterequest.com and www.checkout.siterequest.com.

To create a wide IP

1. Navigate to the tmsh gtm module.

2. Run this command sequence:

create wideip www.siterequest.com pools add { my_pool } aliases add { www.store.siterequest.com www.checkout.siterequest.com }

list wideip www.siterequest.com all-properties

The system displays the wide IP configuration, as shown in Figure 12.6.

root@big-ip1(Active)(tmos.gtm)# list wideip www.siterequest.com
gtm wideip www.siterequest.com {
    aliases {
        www.store.siterequest.com
        www.checkout.siterequest.com
    }
    ...
    pools {
        my_pool {
            ...
        }
    }
    ...
}
root@big-ip1(Active)(tmos.gtm)#

Figure 12.6 Results of list command for sample wide IP


Creating a listener

To configure the Global Traffic Manager to communicate with the rest of your network, create a listener that monitors the network for DNS queries that are destined for its IP address 192.168.5.17.

Note

The system automatically saves listeners that you create.

To create a listener

1. Navigate to the tmsh gtm module.

2. Run this command sequence:

create listener gtm1_listener address 192.168.5.17

The IP address 192.168.5.17 does not match a self IP address on the system; therefore, the system saves the listener in the file bigip.conf.

Note: The system saves listeners with IP addresses that match a self IP address on the system in the file bigip_local.conf.

list listener gtm1_listener all-properties

The system displays the listener configuration, as shown in Figure 12.7.

root@big-ip1(Active)(tmos.gtm)# list listener gtm1_listener
gtm listener gtm1_listener {
    address 192.168.5.17
    ip-protocol udp
    ...
}
root@big-ip1(Active)(tmos.gtm)#

Figure 12.7 Results of list command for sample listener

The Global Traffic Manager is now configured to process DNS requests for and load balance traffic to www.siterequest.com.
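The stand-alone procedure above is a fixed sequence of tmsh commands whose values must agree with one another (every pool member must be a virtual server you added to the server, and 10.1.6.101:80 and 10.1.6.101:http name the same virtual server). The following Python is an added example, not F5 code: it emits that command sequence from the SiteRequest values, refuses a pool member that is not a declared virtual server, and reports which file the listener will be saved in. It assumes the full-path form (create /gtm ...) so the commands can run from the tmos prompt without entering the gtm module first, and its self IP list is a constructed value.

```python
"""Emit the tmsh command sequence for a stand-alone Global Traffic Manager.

Added example, not F5 code. Assumes the full-path form (create /gtm ...)
so the list runs from the tmos prompt; self_ips is a constructed value.
"""

# Service names the chapter uses in place of port numbers (assumed subset).
SERVICE_PORTS = {"http": 80, "https": 443, "dns": 53}


def normalize_virtual_server(spec):
    """Map 'addr:service' or 'addr:port' to 'addr:port', so that
    10.1.6.101:80 and 10.1.6.101:http resolve to the same virtual server."""
    addr, sep, svc = spec.rpartition(":")
    if not sep or not addr:
        raise ValueError(f"virtual server {spec!r} must be address:port")
    if svc.isdigit():
        port = int(svc)
    elif svc in SERVICE_PORTS:
        port = SERVICE_PORTS[svc]
    else:
        raise ValueError(f"unknown service {svc!r} in {spec!r}")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {spec!r}")
    return f"{addr}:{port}"


def listener_config_file(listener_address, self_ips):
    """Where the system saves the listener: bigip_local.conf when the
    address matches a self IP on the system, otherwise bigip.conf."""
    return "bigip_local.conf" if listener_address in self_ips else "bigip.conf"


def _braces(items):
    """tmsh list syntax: { item item }"""
    return "{ " + " ".join(items) + " }"


def standalone_gtm_commands(site):
    """Return the ordered tmsh commands for the stand-alone implementation.

    Raises ValueError if a pool member is not one of the server's virtual
    servers, which the Global Traffic Manager would otherwise reject later.
    """
    vservers = {normalize_virtual_server(v) for v in site["virtual_servers"]}
    for member in site["pool_members"]:
        if normalize_virtual_server(member) not in vservers:
            raise ValueError(
                f"pool member {member} is not a virtual server on {site['server']}")
    return [
        "modify /sys provision gtm level nominal",
        "save sys config",
        "modify /sys db setup.run value false",
        f"create /gtm datacenter {site['datacenter']}",
        f"create /gtm server {site['server']} datacenter {site['datacenter']} "
        f"monitor bigip addresses add {_braces([site['dns_address']])}",
        f"modify /gtm server {site['server']} virtual-servers add "
        f"{_braces(site['virtual_servers'])}",
        f"create /gtm pool {site['pool']} members add {_braces(site['pool_members'])}",
        f"create /gtm wideip {site['wideip']} pools add {_braces([site['pool']])} "
        f"aliases add {_braces(site['aliases'])}",
        f"create /gtm listener {site['listener']} address {site['dns_address']}",
    ]


# The chapter's SiteRequest values; self_ips is constructed for the example
# (the chapter only states that 192.168.5.17 is not a self IP).
SITEREQUEST = {
    "datacenter": "north_america",
    "server": "gtm1",
    "dns_address": "192.168.5.17",
    "virtual_servers": ["10.1.6.100:http", "10.1.6.101:80"],
    "pool": "my_pool",
    "pool_members": ["10.1.6.100:http", "10.1.6.101:80"],
    "wideip": "www.siterequest.com",
    "aliases": ["www.store.siterequest.com", "www.checkout.siterequest.com"],
    "listener": "gtm1_listener",
    "self_ips": {"10.1.6.1"},
}

if __name__ == "__main__":
    for cmd in standalone_gtm_commands(SITEREQUEST):
        print(cmd)
    print("listener saved in",
          listener_config_file(SITEREQUEST["dns_address"], SITEREQUEST["self_ips"]))
```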


Adding a system to a network that contains Local Traffic Manager systems

In the second implementation, SiteRequest already has BIG-IP Local Traffic Manager systems in its data center. SiteRequest wants to add a new Global Traffic Manager system to its South American data center to respond to DNS requests on the IP address 192.168.5.18.

To configure the new Global Traffic Manager, complete the following tasks using tmsh:

• Provision the system

• Create a data center

• Define a server for the system

• Define servers for the Local Traffic Manager systems

• Run either the bigip_add or big3d_install utility

• Create a listener


Provisioning the system

You must provision the Global Traffic Manager before you configure it. Provisioning apportions CPU, memory, and disk space among the system software modules.

To provision the system

1. Log on to the command line interface of the Global Traffic Manager.

2. Type tmsh, to access the Traffic Management Shell.

3. Run this command sequence:

modify /sys provision gtm level nominal

save sys config

list /sys provision

The system displays the provision configuration, as shown in Figure 12.8.

root@big-ip2(Active)(tmos)# list /sys provision
sys provision gtm {
    level nominal
}
sys provision lc { }
sys provision ltm {
    level nominal
}
root@big-ip2(Active)(tmos)#

Figure 12.8 Results of list command for sample system provision


Creating a data center

The next task is to create a data center to associate the resources on your network that share the same subnet. The Global Traffic Manager consolidates the paths and metrics data collected from the resources into the data center, and uses that data to conduct load balancing operations.

In this scenario, SiteRequest wants to use the Global Traffic Manager in its South American data center.

To create a data center

1. Navigate to the tmsh gtm module.

2. Run this command sequence:

create datacenter south_america

list datacenter south_america all-properties

The system displays the data center configuration, as shown in Figure 12.9.

root@big-ip2(Active)(tmos.gtm)# list datacenter south_america
gtm datacenter south_america {
    contact none
    enabled
    location none
}
root@big-ip2(Active)(tmos.gtm)#

Figure 12.9 Results of list command for sample data center


Defining a server for the system

After you create a data center, the next task is to configure the Global Traffic Manager to respond to DNS requests with the IP address 192.168.5.18. To do this, create a server in the south_america data center that represents the system itself. Assign a bigip monitor to the server to track the status of the server.

Important

Each server can belong to only one data center.

To define a server for the system

1. Navigate to the tmsh gtm module.

2. Run this command sequence:

create server gtm2 datacenter south_america monitor bigip addresses add { 192.168.5.18 }

list server gtm2 all-properties

The system displays the server configuration, as shown in Figure 12.10.

root@big-ip2(Active)(tmos.gtm)# list server gtm2
gtm server gtm2 {
    addresses {
        192.168.5.18 {
            ...
        }
    }
    datacenter south_america
    ...
    monitor bigip
    ...
}
root@big-ip2(Active)(tmos.gtm)#

Figure 12.10 Results of list command for sample server


Defining servers for the Local Traffic Manager systems

After you create a server for the Global Traffic Manager itself, create a server on the Global Traffic Manager for each of the other BIG-IP systems on your network.

Important

Each server can belong to only one data center.

To define servers for the Local Traffic Manager systems

1. Navigate to the tmsh gtm module.

2. Run this command sequence:

create server ltm1 datacenter south_america monitor bigip addresses add { 192.168.5.1 }

create server ltm2 datacenter south_america monitor bigip addresses add { 192.168.5.2 }

list server

The system displays the server configuration, as shown in Figure 12.11.

root@big-ip2(Active)(tmos.gtm)# list server gtm2
gtm server gtm2 {
    addresses {
        192.168.5.18 { }
    }
    datacenter south_america
    monitor bigip
}
ltm server ltm1 {
    addresses {
        192.168.5.1 { }
    }
    datacenter south_america
    monitor bigip
}
ltm server ltm2 {
    addresses {
        192.168.5.2 { }
    }
    datacenter south_america
    monitor bigip
}
root@big-ip2(Active)(tmos.gtm)#

Figure 12.11 Results of list command for sample server


Running the bigip_add or big3d_install utility

The next task is to run a utility to add the new Global Traffic Manager to the network. Run one of the following utilities based on your network configuration:

• If the other BIG-IP systems on the network are running the same version of the big3d agent, run the bigip_add utility.

• If the other BIG-IP systems on the network are running an earlier version of the big3d agent, run the big3d_install utility.

To run the bigip_add utility

1. Navigate to the tmsh gtm module.

2. Run this command:

run bigip_add

The utility exchanges the appropriate SSL certificates, and authorizes communications between the Global Traffic Manager and the other BIG-IP systems for which you defined servers in the previous task.

To run the big3d_install utility

1. Navigate to the tmsh gtm module.

2. Run one of these commands:

• run big3d_install

The utility exchanges the appropriate SSL certificates, authorizes communications between the Global Traffic Manager and the BIG-IP systems for which you defined servers in the previous task, and automatically updates the big3d agents on all the devices.

• run big3d_install <IP addresses of existing BIG-IP systems>

The utility exchanges the appropriate SSL certificates, authorizes communications between the Global Traffic Manager and the BIG-IP systems specified in the command sequence, and automatically updates the big3d agents on all the devices.


Creating a listener

The last task is to configure the Global Traffic Manager to communicate with the rest of the network. To do this, create a listener that monitors the network for DNS queries that are destined for its IP address 192.168.5.18.

Note

When you create a listener, the system automatically saves the listener.

To create a listener

1. Navigate to the tmsh gtm module.

2. Run this command sequence:

create listener gtm2_listener address 192.168.5.18

The system saves the listener in the file bigip_local.conf, because the listener has an IP address that matches a self IP address on the system.

Note: The system saves, to the file bigip.conf, listeners with IP addresses that do not match self IP addresses on the system.

list listener gtm2_listener

The system displays the listener configuration, as shown in Figure 12.12.

You have successfully added the Global Traffic Manager to a network that contains BIG-IP systems. The systems are synchronized and the Global Traffic Manager is configured to respond to DNS requests on 192.168.5.18.

root@big-ip2(Active)(tmos.gtm)# list listener gtm2_listener
gtm listener gtm2_listener {
    address 192.168.5.18
    ip-protocol udp
    ...
}
root@big-ip2(Active)(tmos.gtm)#

Figure 12.12 Results of list command for sample listener


Adding a system to a network that contains other Global Traffic Manager systems

In the third implementation, SiteRequest purchased another Global Traffic Manager to use in its Asian data center. SiteRequest wants to add the new system to a synchronization group that contains the original Global Traffic Manager. It wants to configure the new system to respond to DNS requests on the IP address 192.168.5.18.

To add a Global Traffic Manager using tmsh, complete the following tasks.

• Provision the new system

• On an existing Global Traffic Manager that you want to be in the same synchronization group as the new system:

• Create a data center

• Define a server for the new system

• Add a synchronization group

• On the new system:

• Run the gtm_add utility

• Create a listener


Provisioning the new system

You must provision the Global Traffic Manager before you configure it. Provisioning apportions CPU, memory, and disk space among the system software modules.

To provision the new system

1. Log on to the new Global Traffic Manager command line interface.

2. Type tmsh, to access the Traffic Management Shell.

3. Run this command sequence:

modify /sys provision gtm level nominal

save sys config

list /sys provision

The system displays the provision configuration, as shown in Figure 12.13.

root@big-ip3(Active)(tmos)# list /sys provision
sys provision gtm {
    level nominal
}
sys provision lc { }
sys provision ltm {
    level nominal
}
root@big-ip3(Active)(tmos)#

Figure 12.13 Results of the list command for sample system provision


Creating a data center on an existing system

Now that you have provisioned the new Global Traffic Manager, create a new data center on an existing Global Traffic Manager. In this implementation, SiteRequest wants to create an Asian data center.

To create a new data center on an existing system

1. Navigate to the tmsh gtm module.

2. Run this command sequence:

create datacenter asia

list datacenter asia all-properties

The system displays the data center configuration, as shown in Figure 12.14.

root@big-ip4(Active)(tmos.gtm)# list datacenter asia
gtm datacenter asia {
    contact none
    enabled
    location none
}
root@big-ip4(Active)(tmos.gtm)#

Figure 12.14 Results of list command for sample data center


Defining a server for the new system on an existing system

After you create a data center, the next task is to configure the new Global Traffic Manager to respond to DNS requests with the IP address 192.168.5.19. To do this, on the existing Global Traffic Manager on which you performed the previous task, create a server in the asia data center that represents the new Global Traffic Manager system. Assign a bigip monitor to the server to track the status of the server.

Important

Each server can belong to only one data center.

To create a server for the new system on an existing system

1. Navigate to the tmsh gtm module.

2. Run this command sequence:

create server gtm3 datacenter asia monitor bigip addresses add { 192.168.5.19 }

list server gtm3

The system displays the server configuration, as shown in Figure 12.15.

root@big-ip4(Active)(tmos.gtm)# list server gtm3
gtm server gtm3 {
    addresses {
        192.168.5.19 {
            ...
        }
    }
    datacenter asia
    ...
    monitor bigip
    ...
}
root@big-ip4(Active)(tmos.gtm)#

Figure 12.15 Results of list command for sample server


Adding a synchronization group to an existing system

Now, create the worldwide synchronization group on the existing Global Traffic Manager on which you performed the previous task.

To add a synchronization group to an existing system

1. Navigate to the tmsh gtm module.

2. Run this command:

modify settings general synchronization-group-name worldwide

The system is now a member of the worldwide synchronization group.

Running the gtm_add utility

The next task is to run a utility on the new Global Traffic Manager to add it to the network.

WARNING

Run the gtm_add utility on only the new Global Traffic Manager. If you run this utility on existing systems, you will replace the existing systems’ configurations with that of the minimally configured new system.

To run the gtm_add utility

1. Navigate to the tmsh gtm module.

2. Run this command:

run gtm_add <IP address of another Global Traffic Manager in the synchronization group>

3. Based on your network configuration, respond to the prompts that display. Note that if your system has a FIPS hardware security module (HSM), the utility detects the card and prompts you for a series of responses.

The utility adds the new Global Traffic Manager to the network. The new system has the same configuration as the other systems in the synchronization group.


Creating a listener

To configure the new Global Traffic Manager to communicate with the rest of your network, create a listener that monitors the network for DNS queries that are destined for its IP address 192.168.5.19.

Note

The system automatically saves listeners that you create.

To create a listener

1. Navigate to the tmsh gtm module.

2. Run these commands:

create listener gtm3_listener address 192.168.5.19

The system automatically saves the listener in the file bigip_local.conf, because the listener has an IP address that matches a self IP address on the system.

Note: The system saves to the file bigip.conf listeners with IP addresses that do not match self IP addresses on the system.

list listener gtm3_listener

The system displays the listener configuration, as shown in Figure 12.16.

You have successfully added the Global Traffic Manager to a network that contains a Global Traffic Manager system. The systems are synchronized and the new Global Traffic Manager is configured to respond to DNS requests on 192.168.5.19.

root@big-ip3(Active)(tmos.gtm)# list listener gtm3_listener
gtm listener gtm3_listener {
    address 192.168.5.19
    ip-protocol udp
    ...
}
root@big-ip3(Active)(tmos.gtm)#

Figure 12.16 Results of list command for sample listener
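The checks this chapter implies (each server definition names a data center and carries a bigip monitor, a listener whose address is a self IP is saved to bigip_local.conf rather than bigip.conf, and gtm_add replaces whatever GTM configuration already exists on the unit it runs on, per the WARNING above) can be scripted against the tmsh `list` output shown in Figures 12.11 through 12.16. The following Python is an added example, not F5 code: the brace-format parser, the sample output and the self IP set are constructed here, and `gtm_add_would_discard` is a hypothetical pre-flight helper derived from the WARNING, not an F5 utility.

```python
def parse_tmsh(text):
    """Parse tmsh brace-formatted `list` output into nested dicts.
    'key {' opens a block, '}' closes it, 'key { }' is an empty block, any
    other line is 'key value' (True for a bare flag such as 'enabled').
    Prompt lines ('root@...') and elided '...' lines are skipped."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("root@") or line == "...":
            continue
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{ }"):
            cur[line[:-3].strip()] = {}
        elif line.endswith("{"):
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        else:
            parts = line.split(None, 1)
            cur[parts[0]] = parts[1] if len(parts) > 1 else True
    return root


def objects(cfg, kind):
    """Top-level objects of one kind, e.g. 'gtm server' -> {name: body}."""
    prefix = kind + " "
    return {k[len(prefix):]: v for k, v in cfg.items() if k.startswith(prefix)}


def check_servers(cfg):
    """Each server must name a data center and carry a monitor (the two
    settings every server definition in this chapter supplies)."""
    problems = []
    for name, body in objects(cfg, "gtm server").items():
        if not isinstance(body.get("datacenter"), str):
            problems.append(f"{name}: no datacenter")
        if "monitor" not in body:
            problems.append(f"{name}: no monitor assigned")
    return problems


def listener_config_file(listener, self_ips):
    """File tmsh saves a listener to: bigip_local.conf when its address is a
    self IP of this unit, bigip.conf otherwise."""
    return "bigip_local.conf" if listener.get("address") in self_ips else "bigip.conf"


def gtm_add_would_discard(cfg):
    """Hypothetical pre-flight for gtm_add: the GTM objects already on this
    unit, all of which gtm_add replaces with the synchronization group's
    configuration. Non-empty means this is not the minimally configured
    new system the utility is meant for."""
    return sorted(k for k in cfg if k.startswith("gtm "))


# Constructed sample modelled on Figures 12.11 and 12.12 (not real output);
# ltm2 deliberately lacks its monitor so check_servers has something to flag.
SAMPLE = """\
root@big-ip2(Active)(tmos.gtm)# list server
gtm server gtm2 {
    addresses {
        192.168.5.18 { }
    }
    datacenter south_america
    monitor bigip
}
gtm server ltm2 {
    addresses {
        192.168.5.2 { }
    }
    datacenter south_america
}
gtm listener gtm2_listener {
    address 192.168.5.18
    ip-protocol udp
}
root@big-ip2(Active)(tmos.gtm)#
"""
SELF_IPS = {"192.168.5.18"}  # constructed: self IPs of this unit

if __name__ == "__main__":
    cfg = parse_tmsh(SAMPLE)
    print("server problems:", check_servers(cfg))
    for name, body in objects(cfg, "gtm listener").items():
        print(name, "->", listener_config_file(body, SELF_IPS))
    print("gtm_add would discard:", gtm_add_would_discard(cfg))
```

Run `gtm_add_would_discard` against the output of `list` on the unit you are about to run gtm_add on; anything it returns is configuration that unit will lose.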


Glossary


A record

The A record is the ADDRESS resource record that a Global Traffic Manager™ returns to a local DNS server in response to a name resolution request. The A record contains a variety of information, including one or more IP addresses that resolve to the requested domain name. See also DNS.

active unit

In a redundant system configuration, the active unit is the system that currently load balances connections. If the active unit fails, the standby unit assumes control and begins to load balance connections. See also redundant system.

authentication chain

Authentication chain is a term used to describe several web certificates that Global Traffic Manager must follow to verify the authenticity of another system. With an authentication chain, Global Traffic Manager requests additional web certificates until it identifies one that is verified by a trusted certificate authority server.

authoritative DNS

The authoritative DNS is a nameserver that is authoritative for the DNS zone. See also DNS, secondary DNS, and zone.

big3d agent

The big3d agent is a monitoring agent that collects metrics information about server performance and network paths between a data center and a specific local DNS server. The Global Traffic Manager uses the information collected by the big3d agent for dynamic load balancing.

BIND (Berkeley Internet Name Domain)

BIND is the most common implementation of the Domain Name System (DNS). BIND provides a system for matching domain names to IP addresses. For more information, refer to http://www.isc.org/products/BIND.

certificate

A certificate is an online credential signed by a trusted certificate authority and used for SSL network traffic as a method of authentication.

certificate chain

Certificate chains are multiple levels of certificates authenticated by additional CA servers, which verify the authenticity of other servers. This allows for a tiered verification system that ensures only authorized communications occur between servers.


certificate authority (CA)

A certificate authority is an external, trusted organization that issues a signed digital certificate to a requesting computer system for use as a credential to obtain authentication for SSL network traffic.

certificate depth

Certificate depth refers to the number of web certificates Global Traffic Manager can use to verify the authenticity of another BIG-IP® system. Also referred to as authentication chain.

CNAME record

A canonical name (CNAME) record acts as an alias to another domain name. A canonical name and its alias can belong to different zones, so the CNAME record must always be entered as a fully qualified domain name. CNAME records are useful for setting up logical names for network services so that they can be easily relocated to different physical hosts. See also DNS and domain name.

Configuration utility

The Configuration utility is the browser-based application that you use to configure the BIG-IP system.

data center

A data center is a physical location that houses one or more Global Traffic Manager systems, BIG-IP systems, or host machines.

DNS

The Domain Name System protocol is an industry-standard protocol that maps hostnames to IP addresses.

DNSSEC

The Domain Name System Security Extensions (DNSSEC) is an industry-standard protocol that functions as an extension to the Domain Name System (DNS) protocol. See also DNS, key-signing key, TTL, and zone-signing key.

domain name

A domain name is a unique name that is associated with one or more IP addresses. Domain names are used in URLs to identify particular Web pages. For example, in the URL http://www.siterequest.com/index.html, the domain name is siterequest.com. See also DNS.


external VLAN

The external VLAN is a default VLAN on the BIG-IP system. In a basic configuration, this VLAN has the administration ports locked down. In a normal configuration, this is typically a VLAN on which external clients request connections to internal servers. See also VLAN.

fail-over

Fail-over is the process whereby a standby unit in a redundant system configuration takes over when a software failure or a hardware failure is detected on the active unit.

FIPS hardware security module

A FIPS hardware security module (HSM) is a hard drive that processes key signing tasks.

floating IP address

A floating self IP address is an additional self IP address for a VLAN that serves as a shared address by both units of a BIG-IP redundant system configuration.

health monitor

A health monitor checks a node to see if it is up and functioning for a given service. If the node fails the check, it is marked down. Different monitors exist for checking different services.

hint zone

A hint zone designates a subset of root nameservers in the root nameservers list. When the local nameserver starts (or restarts), it queries the list of root nameservers in the hint zone for the most current list of root nameservers.

interface

The physical port on a BIG-IP system is called an interface.

iQuery

The iQuery® protocol is used to exchange information between Global Traffic Manager systems and BIG-IP systems. The iQuery protocol is officially registered with IANA for port 4353, and works on UDP and TCP connections.

iRule

An iRule is a user-written script that controls the behavior of a connection passing through the Link Controller™. iRules® are an F5 Networks feature and are frequently used to direct certain connections to a non-default load balancing pool. However, iRules can perform other tasks, such as implementing secure network address translation and enabling session persistence.


key-signing key

The system uses a key-signing key that you create and assign to a DNSSEC zone to sign the DNSKEY record for a zone. Creating a key-signing key is one step in configuring a BIG-IP system to be DNSSEC-compliant. See also DNSSEC, TTL, and zone-signing key.

listener

A listener is a specialized resource that is assigned a specific IP address and uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the Global Traffic Manager, allowing it to handle the traffic locally or forward the traffic to the appropriate resource.

load balancing pool

See pool.

local DNS

A local DNS is a server that makes name resolution requests on behalf of a client. With respect to the Global Traffic Manager, local DNS servers are the source of name resolution requests. Local DNS is also referred to as LDNS.

member

Member is a reference to a node when it is included in a particular load balancing pool. Pools typically include multiple member nodes.

named

The named daemon manages domain nameserver software.

nameserver

A nameserver is a server that maintains a DNS database, and resolves domain name requests to IP addresses using that database. A nameserver is considered authoritative for some given zone when it has a complete set of data for the zone, allowing it to answer queries about the zone on its own, without needing to consult another nameserver.

name resolution

Name resolution is the process by which a nameserver matches a domain name request to an IP address, and sends the information to the client requesting the resolution.

Network Time Protocol (NTP)

Network Time Protocol functions over the Internet to synchronize system clocks to Universal Coordinated Time. NTP provides a mechanism to set and maintain clock synchronization within milliseconds.


NS record

A nameserver (NS) record is used to define a set of authoritative nameservers for a DNS zone. See also DNS.

pool

A pool is composed of a group of network devices (called members). The Link Controller load balances requests to the nodes within a pool based on the load balancing method and persistence method you choose when you create the pool or edit its properties.

pool member

A pool member is a server that is a member of a load balancing pool.

port

A port can be represented by a number that is associated with a specific service supported by a host. Refer to the Services and Port Index for a list of port numbers and corresponding services.

redundant system configuration

Redundant system configuration refers to a pair of units that are configured for fail-over. In a redundant system, there are two units, one running as the active unit and one running as the standby unit. If the active unit fails, the standby unit takes over and manages connection requests.

resource record

A resource record is a record in a DNS database that stores data associated with domain names. A resource record typically includes a domain name, a TTL, a record type, and data specific to that record type. See also A record, CNAME record, DNS, and NS record.

root certificate

A root certificate is a special instance of a certificate chain that has only one level of certificate depth.

secondary DNS

The secondary DNS is a nameserver that retrieves DNS data from the nameserver that is authoritative for the DNS zone. See also DNS, authoritative DNS, and zone.

self IP address

Self IP addresses are the IP addresses owned by the BIG-IP system that you use to access the internal and external VLANs.

service

Service refers to services such as TCP, UDP, HTTP, and FTP.


Setup utility

The Setup utility walks you through the initial system configuration process. You can run the Setup utility from the Configuration utility start screen.

SNMP (Simple Network Management Protocol)

SNMP is the Internet standard protocol, defined in STD 15, RFC 1157, developed to manage nodes on an IP network.

SSL (Secure Sockets Layer)

SSL is a network communications protocol that uses public-key technology as a way to transmit data in a secure manner.

standby unit

A standby unit in a redundant system configuration is a unit that is always prepared to become the active unit if the active unit fails.

synchronization group

A synchronization group is a group of Global Traffic Manager systems that synchronize system configurations and zone files (if applicable). All synchronization group members receive broadcasts of metrics data from the big3d agents throughout the network. All synchronization group members also receive broadcasts of updated configuration settings from the Global Traffic Manager that has the latest configuration changes.

virtual server

Virtual servers are a specific combination of virtual address and virtual port, associated with a content site that is managed by a Link Controller or other type of host server.

TTL

The value of the TTL setting that you assign to a key-signing key or zone-signing key specifies how long a client resolver can cache the key. See also DNSSEC, key-signing key, and zone-signing key.

VLAN

VLAN stands for virtual local area network. A VLAN is a logical grouping of network devices. You can use a VLAN to logically group devices that are on different network segments.

wide IP

A wide IP is a collection of one or more fully-qualified domain names that maps to one or more pools of virtual servers that host the content of the domains, and that are managed either by BIG-IP systems, or by host servers. The Global Traffic Manager load balances name resolution requests across the virtual servers that are defined in the wide IP that is associated with the requested domain name.


zone

In DNS terms, a zone is a subset of DNS records for one or more domains. See also DNS, authoritative DNS, and secondary DNS.

zone file

In DNS terms, a zone file is a database set of domains with one or many domain names, designated mail servers, a list of other nameservers that can answer resolution requests, and a set of zone attributes, which are contained in an SOA record.

zone-signing key

The system uses a zone-signing key that you create and assign to a DNSSEC zone to sign all of the record sets in a zone. Creating a zone-signing key is one step in configuring a BIG-IP system to be DNSSEC-compliant. See also DNSSEC, key-signing key, and TTL.


Index

/config/gtm/wideip.conf file 12-1

A

A record
    See Address record, creating.
Address record, creating 2-2
allow-transfer statement, adding to DNS server 3-4
authoritative nameserver 3-1, 3-2, 4-1

B

big3d agent
    described 8-1
    importing root certificates 10-5

big3d_install utility, running 4-7, 8-6, 12-15
Big3d.CertificateDepth variable
    setting 10-5, 10-9
    setting for Global Traffic Manager systems 10-2

bigip monitor 12-20
BIG-IP system
    adding to global traffic configuration 8-4
    integrating with global traffic configuration 8-1

bigip_add utility, running 4-6, 7-5, 12-15
bridge 6-2

C

cache poisoning 4-1
certificate chains 10-1
certificate depth
    defined 10-2
    setting 10-4, 10-9

certificates, SSL 8-2
CNAME record, creating 2-2
communication, authorizing 8-2
config sync, running 9-7
configuration files, synchronizing 7-2

D

data centers
    creating with tmsh 12-4, 12-12, 12-19
    defining for BIG-IP system integration 8-4
    defining for redundant systems 9-7

default gateway route 9-6
delegated zones
    and listeners 2-1
    and web-based applications 2-2
    and wide IPs 2-1
    creating 2-2

denial of service, preventing 4-1
DNS protocol 4-1
DNS queries
    forwarding 6-4
    load balancing to a pool 5-3

DNS query port 2-1, 2-3, 3-1, 5-1, 6-2
DNS server pools
    creating 5-2
    load balancing to 5-1

DNS servers
    adding allow-transfer statement 3-4
    and delegated zones 2-1
    and zone transfers 3-3
    creating pools 5-2
    forwarding to 6-3
    load balancing traffic to pools 5-3
    modifying for delegating traffic 2-2
    replacing 3-1
    using existing 2-1

DNS traffic
    delegating to wide IPs 2-2
    forwarding 6-3
    managing 2-1
    routing 6-5

DNSSEC (Domain Name System Security Extensions) 4-1
DNSSEC key signing keys 4-10
DNSSEC zone 4-14
DNSSEC zone signing keys 4-12

F

features of Global Traffic Manager 1-1
FIPS hardware security module (HSM)
    and gtm_add utility 4-9, 12-21
floating IP addresses 9-4
forwarder, using Global Traffic Manager as 6-1

G

global settings, configuring with tmsh 12-21
Global Traffic Manager
    adding to another system 7-3, 12-17
    adding to synchronization group 7-2
    and forwarder system placement 6-2
    and redundant systems 9-1
    as a forwarder 6-1
    as a router 6-1
    defining for BIG-IP system integration 8-4
    defining for redundant system 9-8
    for router system placement 6-5
    forwarding traffic 6-3
    provisioning with tmsh 12-3, 12-11, 12-18
    routing traffic 6-5
    with other systems 12-17

gtm_add script
    and redundant systems 9-9
    and synchronization 7-2
    running 7-4

gtm_add utility, running 4-9, 12-21
gtmd and root certificates 10-3


H

high availability options 9-5

I

ID hacking, preventing 4-1
install utility
    running big3d_install 12-15
    running bigip_add 12-15

IP address
    and listeners 2-3, 3-1

iQuery protocol 7-1

K

key signing keys 4-10
keys
    DNSSEC key signing keys 4-10
    DNSSEC zone signing keys 4-12

L

listeners
    and delegated zones 2-1
    and primary DNS servers 3-5
    and redundant systems 9-6
    configuring 2-3, 3-2
    creating 4-7, 5-3
    creating with tmsh 12-9, 12-16, 12-22
    defined 5-1, 6-2

load balancing
    and multiple systems 8-1
    and web-based applications 2-2
    for non-wide IP traffic 5-1

Local Traffic Manager
    defining servers for 12-14
    integrating with Global Traffic Manager 8-1, 12-10

M

manual key rollover, preparing for 4-14

N

name resolution 2-1
non-wide IP traffic 5-1
NS record, creating 2-2
NTP
    defining 4-5
    synchronizing systems 4-5

NTP server 9-5

P

pool of DNS servers
    creating 5-2
    creating with tmsh 12-7
    load balancing to 5-3

port 53
    See DNS query port.

protocol, iQuery 8-1
provisioning process 12-3, 12-11, 12-18
provisioning with tmsh 12-3, 12-11, 12-18

R

redundant systems
    and configuration settings 9-2
    and default gateway routes 9-6
    and floating IP addresses 9-4
    and Global Traffic Manager 9-1
    and high availability options 9-5
    and listeners 9-6
    and NTP servers 9-5
    defined 9-1
    running config sync 9-7

router 6-1, 6-2

S

scripts
    running big3d_install 8-6
    running bigip_add 7-5
    running gtm_add 7-4

secondary DNS server 3-5
self IP addresses
    and VLANs 9-3
self-signed certificates 10-2
servers
    defining NTP 4-5
    defining with tmsh 12-5, 12-13
    defining with tmsh on existing system 12-20

Simple Network Management Protocol. See SNMP.
slave server
    See secondary DNS server.
SNMP monitor 11-1
SNMP, defined 11-1
spoofing, preventing 4-1
SSL authentication 10-1
SSL certificates
    and authorizing communications 8-2
    and BIG-IP systems 10-2
    and levels 10-1
    assigning third-party certificates 10-3, 10-7

stand-alone system, configuring with tmsh 12-2
synchronization
    activating 4-6
    and NTP 4-5
    and redundant systems 9-9
    and time 4-5
    creating groups 4-5
    enabling 7-4

synchronization group, adding 12-21


synchronization groups 4-5
    adding Global Traffic Manager systems 7-2
    defined 7-1

systems
    adding BIG-IP to data centers 8-5

T

third-party servers
    and SNMP 11-1
timestamps, and configuration files 7-2
tmsh
    adding a new Global Traffic Manager with 12-17
    configuring a new Global Traffic Manager with 12-10
    configuring a stand-alone Global Traffic Manager with 12-2
    configuring Global Traffic Manager with 12-1

traffic
    and load balancing 2-1, 3-1
    and load balancing non-wide IP traffic 5-1
    and wide IPs 2-1, 3-1
    bridging 6-2
    for name resolution 2-1
    forwarding 6-2
    managing DNS data 2-1
    routing 6-5

U

utilities
    big3d_install, running 4-7, 12-15
    bigip_add, running 4-6, 12-15
    gtm_add, running 4-9

V

virtual servers
    and SNMP monitors 11-2
    creating with tmsh 12-6

VLANs
    assigning self IP addresses 9-3
    creating 9-3

W

web certificates, exchanging 8-6
web-based applications 2-2, 3-2
wide IP
    and delegated zones 2-1
    and delegating traffic 2-2
    creating with tmsh 12-8

Z

zone files, acquiring 3-4
zone for DNSSEC 4-14
zone signing keys 4-12
zone transfers 3-3
zones
    using delegated 2-2
