Reproduction in any manner whatsoever without the written permission of Dell Computer Corporation is
strictly forbidden.
Trademarks used in this text: Dell and PowerEdge are trademarks of Dell Computer Corporation.
Other trademarks and trade names may be used in this document to refer to either the entities claiming the
marks and names or their products. Dell Computer Corporation disclaims any proprietary interest in
trademarks and trade names other than its own.
Copyright 1998-2002, F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5
assumes no responsibility for the use of this information, nor any infringement of patents or other rights of
third parties which may result from its use. No license is granted by implication or otherwise under any
patent, copyright, or other intellectual property right of F5 except as specifically described by applicable
iControl user licenses. F5 reserves the right to change specifications at any time without notice.
Trademarks
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, iControl, GLOBAL-SITE, SEE-IT, EDGE-FX, FireGuard,
Internet Control Architecture, and IP Application Switch are registered trademarks or trademarks of F5
Networks, Inc. in the U.S. and certain other countries. All other product and company names are registered
trademarks or trademarks of their respective holders. F5 trademarks may not be used in connection with
any product or service except as permitted in writing by F5.
Export Regulation Notice
This product may include cryptographic software. Under the Export Administration Act, the United States
government may consider it a criminal offense to export this product from the United States.
Export Warning
This is a Class A product. In a domestic environment this product may cause radio interference in which
case the user may be required to take adequate measures.
FCC Compliance
This equipment generates, uses, and may emit radio frequency energy. The equipment has been type
tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules,
which are designed to provide reasonable protection against such radio frequency interference.
Operation of this equipment in a residential area may cause interference, in which case the user at his own
expense will be required to take whatever measures may be required to correct the interference.
Any modifications to this device, unless expressly approved by the manufacturer, can void the user's
authority to operate this equipment under part 15 of the FCC rules.
Canadian Regulatory Compliance
This class A digital apparatus complies with Canadian ICES-003.
3-DNS® Administrator Guide
Standards Compliance
The product conforms to ANSI/UL Std 1950 and Certified to CAN/CSA Std. C22.2 No. 950.
Acknowledgments
This product includes software developed by the University of California, Berkeley and its contributors.
This product includes software developed by the Computer Systems Engineering Group at the Lawrence
Berkeley Laboratory.
This product includes software developed by the NetBSD Foundation, Inc. and its contributors.
This product includes software developed by Christopher G. Demetriou for the NetBSD Project.
This product includes software developed by Adam Glass.
This product includes software developed by Christian E. Hopps.
This product includes software developed by Dean Huxley.
This product includes software developed by John Kohl.
This product includes software developed by Paul Kranenburg.
This product includes software developed by Terrence R. Lambert.
This product includes software developed by Philip A. Nelson.
This product includes software developed by Herb Peyerl.
This product includes software developed by Jochen Pohl for the NetBSD Project.
This product includes software developed by Chris Provenzano.
This product includes software developed by Theo de Raadt.
This product includes software developed by David Muir Sharnoff.
This product includes software developed by SigmaSoft, Th. Lockert.
This product includes software developed for the NetBSD Project by Jason R. Thorpe.
This product includes software developed by Jason R. Thorpe for And Communications,
http://www.and.com.
This product includes software developed for the NetBSD Project by Frank Van der Linden.
This product includes software developed for the NetBSD Project by John M. Vinopal.
This product includes software developed by Christos Zoulas.
This product includes software developed by Charles Hannum.
This product includes software developed by Charles Hannum, by the University of Vermont and State
Agricultural College and Garrett A. Wollman, by William F. Jolitz, and by the University of California,
Berkeley, Lawrence Berkeley Laboratory, and its contributors.
This product includes software developed by the University of Vermont and State Agricultural College and
Garrett A. Wollman.
In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was
developed by Holger Veit and Brian Moore for use with "386BSD" and similar operating systems.
"Similar operating systems" includes mainly non-profit oriented systems for research and education,
including but not restricted to "NetBSD," "FreeBSD," "Mach" (by CMU).
In the following statement, "This software" refers to the parallel port driver: This software is a component
of "386BSD" developed by William F. Jolitz, TeleMuse.
This product includes software developed by the Apache Group for use in the Apache HTTP server project
(http://www.apache.org/).
This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html)
and licensed under the GNU General Public License.
Table of Contents
1 Introduction
IMPORTANT HARDWARE INFORMATION ............................................................ 1-1
Getting started ................................................................................................................. 1-1
Choosing a configuration tool ................................................................................ 1-2
Browser support ...................................................................................................... 1-3
Using the Administrator Kit ........................................................................................... 1-3
Running the 3dns_add script ........................................................................................ 10-4
Verifying the configuration .......................................................................................... 10-4
1 Introduction
• IMPORTANT HARDWARE INFORMATION
• Getting started
• Using the Administrator Kit
• What is the 3-DNS Controller?
• What’s new in version 4.5
• Finding help and technical support resources
IMPORTANT HARDWARE INFORMATION
References to hardware and upgrades contained in this document are
specific to F5 Networks hardware products. For information concerning the
initial deployment of your system, see the Deployment Guide that was
shipped with your system. For in-depth Dell-specific hardware information,
see the server documentation that is provided on the Resource CD and that
shipped with your system if you ordered printed documentation.
References to hardware-specific features of the F5 Networks IP Application
Switch, such as the spanning tree protocol and port mirroring, are not
supported on Dell™ PowerEdge™ hardware.
Getting started
The 3-DNS Administrator Guide is designed to help you quickly install and
configure the 3-DNS® Controller to manage your wide-area network traffic
and DNS. The Administrator Guide contains the following chapters:
◆ Planning the 3-DNS Configuration
This chapter describes the network and configuration planning you need
to do before you install the 3-DNS Controller in your network.
◆ Working with the Setup Utility
This chapter describes the Setup utility and its functions. The Setup
utility runs automatically the first time you turn on the 3-DNS Controller.
◆ Post-Setup Tasks
This chapter describes the base network, which includes the IP addresses,
VLANs, and network interfaces on the 3-DNS Controller.
◆ Essential Configuration Tasks
This chapter describes the software configuration tasks you must
complete, regardless of the type of wide-area traffic management you
want to configure.
◆ Configuring a Globally Distributed Network
This chapter describes the tasks you complete to set up a globally
distributed network.
◆ Configuring a Content Delivery Network
This chapter describes the tasks you complete to set up a network that
includes a CDN provider.
◆ Working with Quality of Service
This chapter describes the components of the Quality of Service load
balancing mode.
◆ Working with Global Availability Load Balancing
This chapter describes the components of the Global Availability load
balancing mode.
◆ Adding a 3-DNS Controller to an Existing Network
This chapter describes the tasks you complete to configure an additional
3-DNS Controller in a network that already contains one or more 3-DNS
Controllers.
Choosing a configuration tool
The 3-DNS Controller provides several web-based and command line
administrative tools that make for easy setup and configuration. Use the
following overview to help you decide when each utility is best used.
Setup utility
The Setup utility is a wizard that walks you through the initial system setup.
The utility helps you quickly define basic system settings, such as a root
password and the IP addresses for the interfaces that connect the 3-DNS
Controller to the network. The Setup utility also helps you configure access
to the 3-DNS web server, which hosts the web-based Configuration utility,
as well as the NameSurfer™ application that you can use for DNS zone file
management.
Configuration utility
The Configuration utility is a web-based application that you use to
configure and monitor the 3-DNS Controller. Using the Configuration
utility, you can define the load balancing configuration along with the
network setup, including data centers, sync groups, and servers used for load
balancing and path probing. In addition, you can configure advanced
features such as topology settings and SNMP agents. The Configuration
utility also monitors network traffic, current connections, load balancing
statistics, performance metrics, and the operating system itself. The home
screen of the Configuration utility provides convenient access to downloads
such as the SNMP MIB, and documentation for third-party applications
such as NameSurfer.
NameSurfer application
The NameSurfer application is a third-party application that automatically
configures DNS zone files associated with domains handled by the 3-DNS
Controller. You can use NameSurfer to configure and maintain additional
DNS zone files on a 3-DNS Controller that runs as a primary DNS server.
The Configuration utility provides direct access to the NameSurfer
application, as well as the corresponding documentation for the application.
Please note that your license allows you to manage a maximum of 100 IP
addresses in the NameSurfer application. For more information, refer to the
end-user license agreement included in your product shipment.
3-DNS Maintenance menu
The 3-DNS Maintenance menu is a command line utility that runs scripts
which assist you in configuration and administrative tasks, such as installing
the latest version of the big3d agent on all your systems, or setting up
encrypted communications in the network. You can use the 3-DNS
Maintenance menu from a console connection, from a remote shell
connection, or from the MindTerm SSH Client in the Configuration utility.
Browser support
The Configuration utility, which provides web-based access to the 3-DNS
configuration and features, supports the following browser versions:
• Netscape Navigator 4.7
• Microsoft Internet Explorer, version 5.0 or 5.5
Using the Administrator Kit
The 3-DNS Administrator Kit provides simple steps for quick, basic
configuration, and also provides detailed information about more advanced
features and tools, such as the 3dnsmaint command line utility. The
following printed documentation is included with the 3-DNS unit.
◆ Configuration Worksheet
This worksheet provides you with a place to plan the basic configuration
for the 3-DNS Controller.
The following guides are available in PDF format from the CD-ROM
provided with the 3-DNS Controller. These guides are also available from
the home screen of the Configuration utility.
◆ Platform Guide
This guide includes information about the physical 3-DNS unit. It also
contains important environmental warnings.
◆ 3-DNS Administrator Guide
The 3-DNS Administrator Guide provides examples of common
wide-area load balancing solutions supported by the 3-DNS Controller.
For example, you can find everything from a basic DNS request load
balancing solution to a more advanced content acceleration load
balancing solution. This guide also covers general network
administration issues, such as installing the hardware and setting up the
networking configuration.
◆ 3-DNS Reference Guide
The 3-DNS Reference Guide provides basic descriptions of individual
3-DNS objects, such as wide IPs, pools, virtual servers, load balancing
modes, the big3d agent, resource records, and production rules. It also
provides syntax information for 3dnsmaint commands, configuration
utilities, the wideip.conf file, and system utilities.
Stylistic conventions
To help you easily identify and understand certain types of information, this
documentation uses the following stylistic conventions.
All examples in this documentation use only non-routable IP addresses.
When you set up the solutions we describe, you must use IP addresses
suitable to your own network in place of our sample IP addresses.
Identifying new terms
When we first define a new term, the term is shown in bold italic text. For
example, a wide IP is a mapping of a fully-qualified domain name to a set of
virtual servers that host the domain’s content.
Identifying references to products
We refer to all products in the BIG-IP product family as the BIG-IP system.
We refer to the 3-DNS Controller and the 3-DNS module as the 3-DNS
Controller. If specific configuration information relates to a specific
platform, we note the platform.
Identifying references to objects, names, and commands
We apply bold text to a variety of items to help you easily pick them out of a
block of text. These items include web addresses, IP addresses, utility
names, and portions of commands, such as variables and keywords. For
example, the nslookup command requires that you include at least one
<ip_address> variable.
Identifying references to other documents
We use italic text to denote a reference to another document. In references
where we provide the name of a book as well as a specific chapter or section
in the book, we show the book name in bold, italic text, and the
chapter/section name in italic text to help quickly differentiate the two. For
example, you can find information about topology in the 3-DNS Reference
Guide, Chapter 3, Topology.
Identifying command syntax
We show actual, complete commands in bold Courier text. Note that we do
not include the corresponding screen prompt, unless the command is shown
in a figure that depicts an entire command line screen. For example, the
following command sets the 3-DNS Controller load balancing mode to
Round Robin:
lb_mode rr
Table 1.1 explains additional special conventions used in command line
syntax.

Item in text    Description
\               Continue to the next line without typing a line break.
< >             You enter text for the enclosed item. For example, if the command
                has <your name>, type in your name.
|               Separates parts of a command.
[ ]             Syntax inside the brackets is optional.
...             Indicates that you can type a series of items.
Table 1.1 Command line conventions used in this manual
What is the 3-DNS Controller?
A 3-DNS Controller is a network appliance that monitors the availability
and performance of global resources, and uses that information to manage
network traffic patterns. The 3-DNS Controller uses load balancing
algorithms, topology-based routing, and production rules to control and
distribute traffic according to specific policies. The system is highly
configurable, and its web-based and command line configuration utilities
allow for easy system setup and monitoring.
The 3-DNS Controller provides a variety of features that meet special needs.
For example, with this product you can:
• Configure a content delivery network with a CDN provider
• Guarantee multiple port availability for e-commerce sites
• Ensure wide-area persistence by maintaining a mapping between a local
DNS server and a virtual server in a wide IP pool
• Direct local clients to local servers for globally-distributed sites using
Topology load balancing
• Change the load balancing configuration according to current traffic
patterns or time of day
• Customize load balancing modes
• Set up load balancing among BIG-IP systems, EDGE-FX Caches, and
other load-balancing hosts
• Monitor real-time network conditions
Internet protocol and network management support
The 3-DNS Controller supports both the standard DNS protocol and the
3-DNS iQuery protocol (a protocol used for collecting dynamic load
balancing information). The 3-DNS Controller also supports administrative
protocols, such as Simple Network Management Protocol (SNMP), and
Simple Mail Transfer Protocol (SMTP) (outbound only), for performance
monitoring and notification of system events. For administrative purposes,
you can use SSH, RSH, Telnet, and FTP. The Configuration utility supports
HTTPS, for secure web browser connections using SSL, as well as standard
HTTP connections.
The proprietary 3-DNS SNMP agent allows you to monitor status and
current traffic flow using popular network management tools. The 3-DNS
SNMP agent provides detailed data such as current connections being
handled by each virtual server.
Security features
The 3-DNS Controller offers a variety of security features that can help
prevent hostile attacks on your site or equipment.
◆ Secure administrative connections
The 3-DNS Controller supports Secure Shell (SSH) administrative
connections using the MindTerm SSH Client, for browser-based remote
administration, and SSH for remote administration from the command
line. The 3-DNS web server, which hosts the web-based Configuration
utility, supports SSL connections as well as user authentication.
◆ Secure iQuery communications
Crypto versions of the 3-DNS Controller also support Blowfish
encryption for iQuery communications between the 3-DNS Controller
and other systems running the big3d agent.
◆ TCP wrappers
TCP wrappers provide an extra layer of security for network connections.
Configuration scalability
The 3-DNS Controller is a highly scalable and versatile solution. You can
configure the 3-DNS Controller to manage up to several hundred domain
names, including full support of domain name aliases. The 3-DNS
Controller supports a variety of media options, including Fast Ethernet, and
Gigabit Ethernet; the 3-DNS Controller also supports multiple network
interface cards that can provide redundant or alternate paths to the network.
Note
If you use NameSurfer to manage your DNS zone files, you can configure
only up to 100 IP addresses and domain names.
System synchronization options
The 3-DNS Controller sync group feature allows you to automatically
synchronize configurations from one 3-DNS Controller to any other 3-DNS
Controller in the network, simplifying administrative management. The
synchronization feature offers a high degree of administrative control. For
example, you can set the 3-DNS Controller to synchronize a specific
configuration file set, and you can also set which 3-DNS Controllers in the
network receive the synchronized information and which ones do not.
Configuring data collection for server status and network path data
The 3-DNS platform includes the big3d agent, which is an integral part of
3-DNS load balancing. The big3d agent continually monitors the
availability of the servers that the 3-DNS Controller load balances. It also
monitors the integrity of the network paths between the servers that host the
domain, and the various local DNS servers that attempt to connect to the
domain. The big3d agent runs on any of the following platforms: 3-DNS
Controller, BIG-IP systems, EDGE-FX Cache, and GLOBAL-SITE
Controller. Each big3d agent broadcasts its collected data to all of the
3-DNS Controllers in your network, ensuring that all 3-DNS Controllers
work with the latest information.
The big3d agent offers a variety of configuration options that allow you to
choose the data collection methods you want to use. For example, you can
configure the big3d agent to track the number of router hops (intermediate
system transitions) along a given network path, and you can also set the
big3d agent to collect host server performance information using the SNMP
protocol. For further details on the big3d agent, refer to the 3-DNS
Reference Guide, Chapter 5, Probing and Metrics Collection.
Redundant system configurations
A redundant system is essentially a pair of 3-DNS units, with one operating
as the active unit that responds to DNS queries, and the other one operating
as the standby unit. If the active unit fails, the standby unit takes over and
begins to respond to DNS queries while the other 3-DNS unit restarts and
becomes the standby unit.
The 3-DNS Controller actually supports two methods of checking the status
of the peer system in a redundant system:
◆ Hardware-based fail-over
In a redundant system that has been set up with hardware-based fail-over,
the two units in the system are connected to each other directly using a
fail-over cable attached to the serial ports. The standby unit checks on the
status of the active unit once every second using this serial link.
◆ Network-based fail-over
In a redundant system that has been set up with network-based fail-over,
the two units in the system communicate with each other across an
Ethernet network instead of going across a dedicated fail-over serial
cable. The standby unit checks on the status of the active unit once every
second using the Ethernet.
Note
In a network-based fail-over configuration, the standby 3-DNS unit
immediately takes over if the active unit fails. If a client has queried the
failed 3-DNS unit, and not received an answer, it automatically re-issues the
request (after 5 seconds) and the standby unit, functioning as the active unit,
responds.
Monitoring the 3-DNS Controller and the network
The 3-DNS Controller includes sophisticated monitoring tools to help you
monitor the 3-DNS Controller, the traffic it manages, and the Internet. The
following monitoring tools are available on the 3-DNS Controller: the
Statistics screens, the Internet Weather Map, and the Network Map. All of
these tools are in the Configuration utility.
Comparing a 3-DNS Controller to a BIG-IP system
A 3-DNS Controller load balances traffic for a globally-distributed network,
and a BIG-IP system load balances traffic for a local area network. While
both systems provide load balancing, one of the significant differences
between the BIG-IP system and the 3-DNS Controller is that the 3-DNS
Controller responds to DNS requests issued by an LDNS on behalf of a
client, while the BIG-IP system provides connection management between a
client and a back-end server.
Once the 3-DNS Controller returns a DNS answer to an LDNS, the
conversation between the LDNS and the 3-DNS Controller ends, and the
client connects to the IP address returned by the 3-DNS Controller. Unlike
the 3-DNS Controller, the BIG-IP system sits between the client and the
content servers. It manages the client’s entire conversation with the content
server.
What’s new in version 4.5
The 3-DNS Controller, version 4.5 offers the following major new features
in addition to many other enhancements.
Automatic discovery
The 3-DNS Controller can now automatically collect and add the virtual
server configuration information for any BIG-IP systems and host servers in
the 3-DNS Controller configuration. The Discovery setting has three levels:
OFF, ON, and ON/NO DELETE. For more information on
auto-configuration and the Discovery setting, see Overview of auto-configuration, on page 5-16.
Easy system account and password creation
With this release, the 3-DNS Controller now offers one screen, in the
web-based Setup utility, where you can set the passwords for the three
system accounts: root, admin, and support. On this screen, you can also
specify whether to allow command line access, web access, or both for the
support account. You can view the User Access screen by opening the Setup
utility from the home screen. For more information on user accounts and
system accounts, see Chapter 6, Administration and Monitoring, in the
3-DNS Reference Guide.
Enhanced synchronization
The configuration synchronization process for the 3-DNS Controller has
been updated and improved. The controller no longer relies on the syncd
daemon for synchronization. Instead, synchronization occurs automatically,
based on file timestamps, whenever you make any type of change to the
configuration. The 3-DNS Controller also polls any Link Controllers that
you have in your network, and synchronizes the link information across the
sync group. Note that working with sync groups remains the same.
Expanded statistics
The statistics screens on the 3-DNS Controller have been enhanced and
expanded. You can now view statistics for the following objects:
• The Detailed Wide IP Statistics screen, available from the Wide IP
Statistics screen, now displays information about virtual servers in the
context of the wide IP pools of which they are members.
• The Link Statistics screen displays information about any router links
you have configured.
• The P95 Billing Estimate statistics screen displays graphs of your actual
bandwidth usage compared to your purchased bandwidth if you have
links configured, or your network has both 3-DNS Controllers and Link
Controllers in it.
• The Internet Weather Map statistics screen now displays information for
both the data centers and the links in your network.
• The Disabled Objects statistics screen now displays these additional
objects: wide IPs, pools, and virtual servers.
For details on each of these screens, refer to the online help for that screen.
Multi-homing and firewall support
The 3-DNS Controller now supports multiple links to the Internet and
network address translations for firewalls. You can designate one or more
self IP addresses and translations for the controller itself, as well as for any
BIG-IP systems, host servers, or routers that are configured as part of the
controller’s network. For information on working with the self IP addresses
and network address translations, refer to the online help for the Self IP List,
which is available from the toolbar for each server type.
Security enhancements
You can now use the Setup utility to configure a remote LDAP or RADIUS
authentication server. With this feature, you no longer need to directly edit
configuration files to set up your LDAP or RADIUS authentication server.
This release of the 3-DNS Controller also expands the number of user roles
that you can assign to user accounts for the purpose of user authorization. In
addition to the standard Full Read/Write, Partial Read/Write, and Read-Only
access levels, you can now define which user interface an administrator uses
to access the 3-DNS Controller (the Configuration utility, the command line
interface, or the iControl interface). These user authorization roles are stored
in the local LDAP database on the 3-DNS Controller, and are designed to
operate in concert with centralized LDAP and RADIUS authentication.
For details on user authorization and managing user accounts, see Managing
user accounts, in Chapter 6, Administration and Monitoring, in the 3-DNS
Reference Guide.
Finding help and technical support resources
You can find additional technical documentation about the 3-DNS
Controller in the following locations:
◆ Release notes
Release notes for the 3-DNS Controller are available from the home
screen of the Configuration utility. The release note contains the latest
information for the current version, including a list of new features and
enhancements, a list of fixes, and a list of known issues.
◆ Online help for 3-DNS features
You can find help online in three different locations:
• The Configuration utility home screen has PDF versions of the guides
included in the Administrator Kit. 3-DNS software upgrades may
replace the guides with updated versions as appropriate.
• The Configuration utility has online help for each screen. Click the
Help button on the toolbar.
• Individual commands have online help, including command syntax
and examples, in standard UNIX man page format. Type the
command followed by -h or -help, and the 3-DNS Controller displays
the syntax and usage associated with the command. You can also type
man <command> to display the man page for the command.
◆ Third-party documentation for software add-ons
The Configuration utility contains online documentation for the
third-party software included with the 3-DNS Controller, including the
NameSurfer application.
◆ Technical support through the World Wide Web
The Dell Support website at support.dell.com provides the latest
technical documentation.
Note
All references to hardware platforms in this guide refer specifically to
systems supplied by F5 Networks, Inc. If your hardware was supplied by
another vendor and you have hardware-related questions, please refer to
the documentation from that vendor.
2 Planning the 3-DNS Configuration
• Managing traffic on a global network
• Planning issues for the network setup
• Choosing the 3-DNS mode
• Planning issues for the load balancing configuration
• Using advanced traffic control features
Managing traffic on a global network
Figure 2.1 A sample network layout showing data paths
Synchronizing configurations and broadcasting performance metrics
3-DNS Controllers typically work in sync groups, where a group of
controllers shares load balancing configuration settings. In a sync group, any
system that has new configuration changes can broadcast the changes to any
other system in the sync group, allowing for easy administrative
maintenance. To distribute metrics data among the systems in a sync group,
the principal 3-DNS Controller sends requests to the big3d agents in the
network, asking them to collect specific performance and path data. Once
the big3d agents collect the data, they each broadcast the collected data to
all systems in the network, again allowing for simple and reliable metrics
distribution.
Using a 3-DNS Controller as a standard DNS server
When a client requests a DNS resolution for a domain name, an LDNS
sends the request to one of the 3-DNS Controllers that is authoritative for
the zone. The 3-DNS Controller first chooses the best available virtual
server out of a pool to respond to the request, and then returns a DNS
resource record to the requesting local DNS server. The LDNS server uses
the answer for the period of time defined within the resource record. Once
the answer expires, however, the LDNS server must request name resolution
all over again to get a fresh answer.
Figure 2.2 DNS name resolution process
Figure 2.2 illustrates the specific steps in the name resolution process.
1. The client connects to an Internet Service Provider (ISP) and queries
the local DNS server to resolve the domain name
www.siterequest.com.
2. If the information is not already in the LDNS server’s cache, the
local DNS server queries a root server (such as InterNIC’s root
servers). The root server returns the IP address of the DNS systems
associated with www.siterequest.com, which in this case runs on
the 3-DNS Controller.
3. The LDNS then connects to one of the 3-DNS Controllers to resolve
the www.siterequest.com name. The 3-DNS Controller uses a load
balancing mode to choose an appropriate virtual server to receive
the connection, and then returns the virtual server’s IP address to the
LDNS.
4. The LDNS caches the answer from the 3-DNS Controller, and
passes the IP address to the client.
5. The client connects to the IP address through an ISP.
Load balancing connections across the network
Each of the load balancing modes on the 3-DNS Controller can provide
efficient load balancing for any network configuration. The 3-DNS
Controller bases load balancing on pools of virtual servers. When a client
requests a DNS resolution, the 3-DNS Controller uses the specified load
balancing mode to choose a virtual server from a pool of virtual servers. The
resulting answer to this resolution request is returned as a standard A record.
Although some load balancing configurations can get complex, most load
balancing configurations are relatively simple, whether you use a static load
balancing mode or a dynamic load balancing mode. More advanced
configurations can incorporate multiple pools, as well as advanced traffic
control features, such as topology or production rules.
For more information on specific load balancing modes, see Chapter 2, Load Balancing in the 3-DNS Reference Guide. For more information on load
balancing configurations, review the sample configurations in Chapter 6,
Configuring a Globally-Distributed Network, and Chapter 7, Configuring a
Content Delivery Network. If you are unfamiliar with the 3-DNS Controller,
you may also want to review Chapter 5, Essential Configuration Tasks.
Working with 3-DNS Controllers and other products
The 3-DNS Controller distributes connections across a group of virtual
servers that run in different data centers throughout the network. You can
manage virtual servers from the following types of products:
◆ BIG-IP systems
A BIG-IP virtual server maps to a series of content servers.
◆ EDGE-FX systems
An EDGE-FX virtual server maps to cached content that gets refreshed at
frequent intervals.
◆ Generic host
A host virtual server can be an IP address or an IP alias that hosts the
content.
◆ Other load balancing hosts
Other load balancing hosts map virtual servers to a series of content
hosts.
Figure 2.3 illustrates the hierarchy of how the 3-DNS Controller manages
virtual servers.
Figure 2.3 Load balancing management on a 3-DNS Controller
Planning issues for the network setup
After you finish running the Setup utility, and connect each system to the
network, you can set up the network and load balancing configuration on
one 3-DNS Controller, and let the sync group feature automatically
broadcast the configuration to the other 3-DNS Controllers in the network.
You do not have to configure the 3-DNS Controllers individually, unless
you are planning an advanced configuration that requires different
configurations for different data centers, or you are configuring the 3-DNS
Controllers from the command line.
Tip
If you are configuring additional 3-DNS Controllers in a network that
already has a 3-DNS Controller in it, please review Chapter 10, Adding a 3-DNS Controller to an Existing Network.
During the network setup phase, you define four basic aspects of the
network layout, in the following order:
• Base network
The base network includes the interfaces, VLANs, and trunks for the
network topology. Configuring the base network installs the 3-DNS
Controller in your physical network.
• Data centers
Data centers are the physical locations that house the equipment you use
for load balancing.
• Data center servers
The data center servers that you define in the network setup include the
3-DNS Controller, BIG-IP systems, EDGE-FX systems, and host
systems that you use for load balancing and probing.
• Sync group
A sync group defines the group of 3-DNS Controllers that shares
configuration settings.
Note
During the setup phase of configuration, we recommend that you connect to
the 3-DNS Controller from a remote workstation from which you can
complete the remaining configuration tasks using the web-based
Configuration utility.
Configuring the base network
The 3-DNS Controller interfaces and the related topics of self IP addresses,
VLANs, and trunks are collectively referred to, in this manual, as the base
network. The base network, or at least an initial version of it, is configured
when you run the Setup utility for the first time. The initial base network
configuration also includes such things as the default route for the 3-DNS
Controller, fully qualified domain names, and certificate information that
can only be configured using the Setup utility or its components. (To make
changes to other base network components, such as domain names, default
routes, and certificate information, refer to Chapter 3, Using the Setup Utility, which describes the Setup utility and its various components.)
A 3-DNS usually has two network interfaces. Each active interface must be
configured with a VLAN membership, and each VLAN must have a self IP
address. Note that most 3-DNS configurations require only one interface,
VLAN, and self IP address. However, if you are configuring the 3-DNS
Controller in bridge mode or router mode, you may need to configure two
(or more) interfaces, depending on your network requirements. For more
information on configuring the base network, refer to Chapter 4, Post-Setup Tasks.
Defining data centers and servers
In the 3-DNS configuration, it is important that you define all of your data
centers before you begin defining the data center servers. This is because
when you define a server, you specify the data center where the server runs.
(You do this by choosing a data center from the list of data centers you have
already defined.) To define a data center, you need only specify the data
center name. To define a server, however, you need to specify the following
items:
• Server type (3-DNS Controller, BIG-IP system, EDGE-FX system,
router, or host)
• Server IP address (or shared IP alias for redundant systems)
• Name of the data center where the server runs
• The big3d agent factories (on 3-DNS Controller, BIG-IP system, and
EDGE-FX systems only)
• Virtual servers managed by the server (BIG-IP system, EDGE-FX
system, and host systems only)
• SNMP host probing settings (hosts only)
Note
One important aspect of planning your network setup is to decide how to set
up the big3d agent, and which ports you need to open for communications
between the systems in your network. See the 3-DNS Reference Guide,
Chapter 5, Probing and Metrics Collection, for help with determining how
both of these issues affect your installation.
Planning a sync group
A sync group is a group of 3-DNS Controllers that share configuration
information. In a sync group, a principal 3-DNS Controller issues requests
to the big3d agents on all the other systems to gather metrics data. Both the
principal 3-DNS Controller and the receiver 3-DNS Controllers in the sync
group receive broadcasts of metrics data from the big3d agents. All
members of the sync group also receive broadcasts of updated configuration
settings from the 3-DNS Controller that has the latest configuration changes.
When you define the sync group, you select the sync group members from
the list of 3-DNS Controllers you have already defined. The sync group lists
the 3-DNS Controllers in the order in which you selected them. The first
3-DNS Controller in the list becomes the principal 3-DNS Controller. The
remaining 3-DNS Controllers in the list become receivers. If the principal
3-DNS Controller becomes disabled, the next 3-DNS Controller in the list
becomes the principal 3-DNS Controller until the original principal 3-DNS
Controller comes back online.
Understanding how a sync group works
The sync group feature synchronizes individual configuration files, such as
wideip.conf, and other files that store system settings. You have the option
of adding files to the synchronization list.
The 3-DNS Controllers in a sync group operate as peer servers. At set
intervals, the syncd utility compares the time stamps of the configuration
files earmarked for synchronization on all of the 3-DNS Controllers. If the
time stamp on a specific file differs between 3-DNS Controllers, the 3-DNS
Controller with the latest file broadcasts the file to all of the other 3-DNS
Controllers in the group.
Understanding how the time tolerance variable affects a sync group
The time tolerance variable is a global variable that defines the number of
seconds that the time setting on one 3-DNS Controller can be ahead or
behind the time setting on another 3-DNS Controller. If the difference
between the times on the systems is greater than the time tolerance, the time
setting on the 3-DNS Controller running behind is reset to match the 3-DNS
Controller with the most recent time. For example, if the time tolerance is 5
seconds, and one 3-DNS Controller is running 10 seconds ahead of the
other, the 3-DNS Controller running behind has its time reset to match the
one running 10 seconds ahead. If the second system was running only 2
seconds ahead of the other, the time settings would remain unchanged. The
values are 0, 5, and higher (values of 1-4 are automatically set to 5, and 0
turns off time synchronization). The default setting is 10 seconds.
The time setting on 3-DNS Controllers is important because a 3-DNS
Controller compares time stamps on files when deciding whether to
synchronize files with other 3-DNS Controllers in the sync group.
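The following is an added example, not code from the 3-DNS product, that models the sync-group rules described in the two sections above: principal selection by list order, the time tolerance rounding (0 off, 1-4 become 5), clock reset of a controller running behind, and the syncd rule that the controller holding the newest time stamp broadcasts the file. Controller names, clock values and file time stamps are constructed sample data; representing clocks as integer seconds is an assumption.

```python
"""Model of 3-DNS sync-group behaviour (added example, not F5 code).

Assumption: clocks and file time stamps are plain integer seconds.
"""
from dataclasses import dataclass, field


def effective_time_tolerance(configured: int) -> int:
    """Apply the manual's rules: 0 turns synchronization off,
    values 1-4 are automatically set to 5, anything higher is kept."""
    if configured < 0:
        raise ValueError("time tolerance cannot be negative")
    if configured == 0:
        return 0
    return max(configured, 5)


@dataclass
class Controller:
    name: str
    clock: int                                  # time setting, in seconds
    files: dict = field(default_factory=dict)   # file name -> time stamp


def current_principal(sync_group_order, disabled):
    """The first controller in the sync group list that is not disabled
    acts as principal; when an earlier one comes back it takes over again."""
    for name in sync_group_order:
        if name not in disabled:
            return name
    return None


def reconcile_clocks(controllers, tolerance):
    """Reset any controller running more than `tolerance` seconds behind the
    most recent clock in the group. Returns the names that were reset."""
    tol = effective_time_tolerance(tolerance)
    if tol == 0:                       # time synchronization turned off
        return []
    newest = max(c.clock for c in controllers)
    reset = []
    for c in controllers:
        # Strictly greater: a 2-second difference with tolerance 5 is left alone.
        if newest - c.clock > tol:
            c.clock = newest
            reset.append(c.name)
    return reset


def choose_broadcaster(controllers, filename):
    """syncd rule: if the time stamp on a file differs between controllers,
    the controller with the latest copy broadcasts it to the others.
    Returns that controller's name, or None when every copy agrees."""
    stamps = {c.name: c.files[filename] for c in controllers if filename in c.files}
    if len(set(stamps.values())) <= 1:
        return None
    return max(stamps, key=stamps.get)


if __name__ == "__main__":
    # Constructed sample sync group: dns2 runs 10 s behind, tolerance 5.
    group = [Controller("dns1", 1000, {"wideip.conf": 500}),
             Controller("dns2", 990, {"wideip.conf": 520})]
    print("principal:", current_principal(["dns1", "dns2"], disabled=set()))
    print("clocks reset on:", reconcile_clocks(group, 5))
    print("wideip.conf broadcast by:", choose_broadcaster(group, "wideip.conf"))
```

Because the newest time stamp wins, a controller whose clock runs ahead of the others can make its copy of a file look the most recent; that is why the manual ties the time tolerance setting to file synchronization.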
Setting up communications on a 3-DNS Controller
There are three different communication issues that you need to resolve
when you set up communication between the 3-DNS Controllers running in
your network.
◆ 3-DNS Controllers communicating with other 3-DNS Controllers
To allow 3-DNS Controllers to communicate with each other, you must
set up ssh and scp utilities.
◆ 3-DNS Controllers communicating with BIG-IP systems and
EDGE-FX systems
To allow the 3-DNS Controller to communicate with BIG-IP systems
and EDGE-FX systems, you address the same ssh issues.
◆ 3-DNS Controllers communicating with big3d agents
To allow communications between big3d agents and the 3-DNS
Controller, you need to configure iQuery ports on any 3-DNS
Controllers, BIG-IP systems, and EDGE-FX systems that run the big3d
agent.
Setting up communication between crypto and non-crypto systems
The 3-DNS Controllers in your network need to communicate with each
other in order to synchronize configuration and performance data. If you use
exclusively crypto 3-DNS Controllers (those that use the SSH protocol) the
communication tools set up by the Setup utility are all you need.
If your network is a mixed environment, that is, composed of both crypto
and non-crypto systems, you need to enable the rsh and rcp utilities on the
crypto systems. Though the rsh and rcp utilities come pre-installed on the
crypto systems, you must explicitly enable these utilities. You can enable
the utilities using the Setup utility. Table 2.1 shows the ports and protocols
used for SSH and RSH communications between crypto and non-crypto
systems.
From         To           Protocol   From Port   To Port   Connection
Crypto       Crypto       TCP        <1024       22        SSH/SCP
Crypto       Non-crypto   TCP        <1024       514       RSH/RCP
Non-crypto   Crypto       TCP        <1024       514       RSH/RCP
Non-crypto   Non-crypto   TCP        <1024       514       RSH/RCP
Table 2.1 SSH and RSH communications ports and protocols
Setting up data collection with the big3d agent
The big3d agent collects performance information from other 3-DNS
Controllers, BIG-IP systems, and EDGE-FX systems on behalf of the
3-DNS Controller you are configuring. The 3-DNS Controller then uses this
performance data for load balancing. The big3d agent uses factories to
manage the data collection. For detailed information on configuring the
big3d agent, managing the factories, opening the UDP ports, and working
with firewalls, review Chapter 5, Probing and Metrics Collection, in the
3-DNS Reference Guide.
Choosing the 3-DNS mode
The 3-DNS Controller can run in one of three modes: node, bridge, or
router. The base network configuration changes depending on which mode
you choose. The following sections describe the three modes and provide
basic configuration examples.
Running a 3-DNS Controller in node mode
Node mode is the traditional way to configure the 3-DNS Controller. The
benefits of running the 3-DNS Controller in node mode are as follows:
• You can replace your name servers with 3-DNS Controllers.
• You can use the 3-DNS Controller as the authoritative DNS server for
your domain.
• You can manage your DNS zone files with NameSurfer.
When you replace your DNS servers with 3-DNS Controllers, you can use
the extensive wide-area traffic management capabilities of the 3-DNS
Controller in conjunction with the standard DNS protocol. When the 3-DNS
Controller receives a request that matches a wide IP, it routes that request to
the best virtual server in your network. When a 3-DNS Controller receives a
non-matching request, that request is handled by the BIND utility (named)
that is running on the 3-DNS Controller.
When you configure the 3-DNS Controller to be authoritative for your
domain, you can easily manage DNS zone files using NameSurfer, a
browser-based, third-party application included on the 3-DNS Controller.
When you define wide IPs in the Configuration utility, the NameSurfer
application automatically makes the appropriate additions to the zone files.
The changes are then broadcast to the other 3-DNS Controllers in your
network.
Note
If you configure wide IPs from the command line, you need to make the
corresponding zone file changes from the command line.
Using the 3-DNS synchronization features
If you use the advanced synchronization features of the 3-DNS Controller,
we strongly recommend that you configure each 3-DNS Controller to run as
authoritative for the domain. This type of configuration offers the following
advantages:
• You can change zone files on any one of the 3-DNS Controllers in the
network and have those changes automatically broadcast to all of the
other systems in the network.
• Each 3-DNS Controller has the most up-to-date zone files, providing you
one or more layers of redundancy.
• The NameSurfer application automatically controls the addition,
configuration, and deletion of zone files.
Importing BIND files to NameSurfer during an initial installation
During the initial configuration, you can specify that the 3-DNS Controller
import any existing BIND files from your name server to the 3-DNS
Controller. During the initial configuration, you can also designate
NameSurfer as the primary name server for your domain. This forces
NameSurfer to automatically format your BIND files in the NameSurfer
format. For more information, refer to the NameSurfer documentation
available from the home screen in the Configuration utility.
Running a 3-DNS Controller in bridge mode or router mode
Running the 3-DNS Controller in bridge mode or router mode offers the
following benefits:
• You gain the wide-area traffic management capabilities of the 3-DNS
Controller without disrupting your current DNS system.
• In an enterprise, you can install, configure, and test the 3-DNS Controller
before you add the system to your production environment.
• You do not use NameSurfer to manage your zone files.
• You can load balance requests across two separate IP networks.
When you configure the 3-DNS Controller in bridge mode, you install the
3-DNS Controller into your network so that all DNS requests are intercepted
by the 3-DNS Controller before they are sent to your name server for
resolution. Based on the content of the request, the 3-DNS Controller does
one of the following:
• If the request matches a wide IP managed by the 3-DNS Controller, the
system responds to the request with the best available virtual server in
your network.
• If the request does not match any wide IPs managed by the 3-DNS
Controller, the system forwards the request to the DNS server for
resolution.
3 Using the Setup Utility
• Creating the initial software configuration with the Setup utility
• Connecting to the 3-DNS Controller for the first time
• Using the Setup utility for the first time
• Running the Setup utility after creating the initial software configuration
Creating the initial software configuration with the Setup utility
Once you install and connect the hardware and obtain a license, the next step
in the installation process is to turn the system on and run the Setup utility.
The Setup utility defines the initial configuration settings required to install
the 3-DNS Controller into the network. You can run the Setup utility
remotely from a web browser, or from an SSH or Telnet client, or you can
run it directly from the console.
Before you connect to the unit, we recommend that you gather the list of
information outlined in the configuration worksheet provided with the
3-DNS Controller. Note that the screens you see are tailored to the specific
hardware and software configuration that you have. For example, if you
have a stand-alone system, the Setup utility skips the redundant system
screens.
Once you have configured the base network elements with the Setup utility,
you might want to further enhance the configuration of these elements. For
additional information about these configuration tasks, see Chapter 4,
Post-Setup Tasks.
The license file installed on the system must be compatible with the latest
version of the 3-DNS software before you run the Setup utility. If it is not,
you must update the license using the registration key provided to you by
your vendor. If you do not have a registration key, please contact your
vendor to obtain one. If you choose to continue without obtaining a license,
the 3-DNS software will not be fully functional.
Connecting to the 3-DNS Controller for the first time
The Setup utility prompts you to enter the same information, whether you
run the utility from a web browser, or from the command line. If you run the
utility from the console, no reboot is necessary; if you run the utility from
the web, the unit reboots automatically; if you run the utility from an SSH
client, we recommend that you reboot the unit after you complete the setup.
This reboot automatically removes the default IP address and root password
provided specifically for the purposes of running the Setup utility remotely.
The 3-DNS software replaces the default IP address and root password with
the password and IP addresses that you define while running the utility.
Running the utility from the console or serial terminal
Before you can run the Setup utility from either the console or a serial
terminal, you must first log in. Use the following default user name and
password to log in.
Username: root
Password: default
After you log in, you can start the utility directly from the console or serial
terminal by typing the command setup.
Running the Setup utility remotely
You can run the Setup utility remotely only from a workstation that is on the
same LAN as the unit. To allow remote connections for the Setup utility, the
3-DNS software comes with two pre-defined IP addresses, and a pre-defined
root password. The default root password is default, and the preferred
default IP address is 192.168.1.245. If this IP address is unsuitable for your
network, the 3-DNS software uses an alternate IP address, 192.168.245.245.
However, if you define an IP alias on an administrative workstation in the
same IP network as the 3-DNS Controller, the unit detects the network of
the alias and uses the corresponding default IP address.
Once the utility finishes and the system reboots, these default IP addresses
are replaced by the information that you entered in the Setup utility.
Setting up an IP alias for the default IP address before you start the unit
You must set up an IP alias for your remote workstation before you turn on
the unit and start the Setup utility. The remote workstation must be on the
same IP network as the unit. If you add this alias prior to booting up the
3-DNS Controller, the unit detects the alias and uses the corresponding
address.
To set up an IP alias for the alternate IP address
The IP alias must be in the same network as the default IP address you want
the 3-DNS Controller to use. For example, on a UNIX workstation, you
might create one of the following aliases:
◆ If you want the unit to use the default IP address 192.168.1.245, then add
4. On the Configuration Status screen, click Setup Utility.
5. Fill out each screen using the information from the Setup utility
configuration list. After you complete the Setup utility, the 3-DNS
Controller reboots and uses the new settings you defined.
Note
You can rerun the Setup utility from a web browser at any time by clicking
the Setup utility link on the welcome screen.
Starting the utility from the command line
You can run the command line version of the Setup utility from the console
or serial terminal, or from a remote SSH client, or from a Telnet client.
To start the Setup utility from the console
1. At the login prompt, type root for the user name, and default for the
password.
2. At the 3-DNS prompt, type the following command to start the
command-line based Setup utility.
setup
3. Fill out each screen using the information from the Configuration
worksheet. After you complete the Setup utility, the 3-DNS
Controller uses the new settings you defined.
To start the Setup utility from the command line from a remote
administrative workstation
1. Start an SSH client on a workstation connected to the same IP
network as the internal VLAN of the unit. (See Chapter 4,
Post-Setup Tasks, for information on downloading the SSH client
from the 3-DNS Controller.)
2. Type the following command, where <default IP> is the IP address
in use on the 3-DNS internal VLAN.
ssh <default IP>
3. At the login prompt, type root for the user name, and default for the
password.
4. At the 3-DNS prompt, type the following command to start the
command-line based Setup utility.
setup
5. Fill out each screen using the information from the Configuration
worksheet. After you complete the Setup utility, reboot the 3-DNS
Controller by typing the following command:
reboot
Note
You can rerun the Setup utility at any time using the setup command.
Using the Setup utility for the first time
The following sections provide detailed information about the settings that
you define in the Setup utility.
Keyboard type
Select the type of keyboard you want to use with the 3-DNS Controller. The
following options are available:
• Belgian
• Bulgarian MIK
• French
• German
• Japanese - 106 key
• Norwegian
• Spanish
• Swedish
• US + Cyrillic
• US - Standard 101 key (default)
• United Kingdom
Root password
A root password allows you command line administrative access to the
3-DNS Controller. We recommend that the password contain a minimum of
6 characters, but no more than 32 characters. Passwords are case-sensitive,
and we recommend that your password contain a combination of upper- and
lower-case characters, as well as numbers and special characters (for
example, !@#$%^&*). Once you enter a password, the Setup utility
prompts you to confirm your root password by typing it again. If the two
passwords match, your password is immediately saved. If the two passwords
do not match, the Setup utility provides an error message and prompts you
to re-enter your password.
Host name
The host name identifies the 3-DNS Controller itself. Host names must be
fully qualified domain names (FQDNs). The host portion of the name must
start with a letter, and must be at least two characters. The FQDN must be
less than or equal to 256 characters, but not less than 1 character. Each label
part of the name must be 63 characters or fewer. Only letters, numbers, and
the characters underscore ( _ ), dash ( - ), and period ( . ) are allowed. For
example:
<host 63 characters or less>.<label 63 characters or less>.net
You should only change the host name of the system with the Setup utility.
Editing /etc/hosts, or using the hostname command to change the host name
renders the system inaccessible.
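An added example (not part of the 3-DNS software) that checks a proposed host name against the rules listed above before you type it into the Setup utility: overall length 1 to 256 characters, labels of 63 characters or fewer, a host portion that starts with a letter and is at least two characters, and only letters, digits, underscore, dash and period. Treating "fully qualified" as "at least two dot-separated labels, no trailing dot" is an assumption of this example; the sample names are constructed.

```python
"""Validator for 3-DNS Setup utility host names (added example, not F5 code).

Assumption: a fully qualified name has at least two labels and no trailing dot.
"""
import re

# Only letters, numbers, underscore, dash and period are allowed in the FQDN.
_ALLOWED_FQDN = re.compile(r"[A-Za-z0-9_.-]+")


def validate_3dns_hostname(fqdn: str):
    """Return (ok, reason). `reason` explains the first rule that failed."""
    if not 1 <= len(fqdn) <= 256:
        return False, "FQDN must be between 1 and 256 characters"
    if not _ALLOWED_FQDN.fullmatch(fqdn):
        return False, "only letters, numbers, '_', '-' and '.' are allowed"

    labels = fqdn.split(".")
    # Assumption: fully qualified means at least two labels, none empty.
    if len(labels) < 2 or any(label == "" for label in labels):
        return False, "host name must be a fully qualified domain name"
    for label in labels:
        if len(label) > 63:
            return False, "label %r exceeds 63 characters" % (label[:12] + "...")

    host = labels[0]                     # the host portion is the first label
    if len(host) < 2:
        return False, "host portion must be at least two characters"
    if not host[0].isalpha():
        return False, "host portion must start with a letter"
    return True, "ok"


def filter_valid(candidates):
    """Convenience for checking a list of proposed names at once."""
    return [name for name in candidates if validate_3dns_hostname(name)[0]]


if __name__ == "__main__":
    # Constructed sample names, one per rule.
    for name in ["dns1.siterequest.net", "1dns.siterequest.net",
                 "d.siterequest.net", "dns1", "dns 1.siterequest.net",
                 "a" * 64 + ".siterequest.net"]:
        print(name, "->", validate_3dns_hostname(name))
```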
Redundant system settings
There are three types of settings you need to define for redundant systems:
unit IDs, fail-over IP addresses, and fail-over type.
Unit IDs
The default unit ID number is 1. If this is the first unit in the redundant
system, use the default. When you configure the second unit in the system,
type 2. These unit IDs are used for active-active redundant configuration.
Choosing a fail-over IP address
A fail-over IP address is the IP address of the unit that takes over if the
current unit fails. Type in the IP address configured on the internal interface
of the other 3-DNS unit in the redundant system.
Fail-over type
There are two types of fail-over to choose from: hard-wired fail-over, and
network fail-over. Choose hard-wired fail-over if you plan to connect the
units together with the fail-over cable provided with the redundant system.
Choose network fail-over if you plan to use the network that the units are
connected to for fail-over functionality.
Note
Hard-wired fail-over is only available if the platform supports hard-wired
fail-over.
Setting the interface media type
Configure media settings for each interface. The media type options depend
on the network interface card included in your hardware configuration. The
Setup utility prompts you with the settings that apply to the interface
installed in the unit. The 3-DNS Controller supports the following types:
• auto
• 10baseT
• 10baseT, FDX
• 100baseTX
• 100baseTX, FDX
• Gigabit Ethernet
Note
For best results, choose the auto setting. In some cases, devices configured
for the auto media are incompatible, and the proper duplex setting will not
be negotiated. In these cases you may need to set the media settings to the
same speed and duplex on this device and the corresponding switch or host.
Check your switch or hub documentation for this information.
The Setup utility lists only the network interface devices that it detects
during system boot. If the utility lists fewer interface devices than you
expected, a network adapter may have come loose during shipping. Check
the LED indicators on the network adapters to ensure that they are working
and are connected.
Configuring VLANs and IP addresses
You can create a new VLAN or use the default VLANs to create the 3-DNS
Controller configuration.
Determine whether you want to have security enabled for a VLAN, or
disabled for the VLAN. Then, type the IP address settings for the VLAN.
The IP address settings include:
• Port Lockdown settings
• IP address, netmask, and broadcast
• Floating self IP address, netmask, and broadcast
Note
We recommend that you set the floating self IP address as the default route
for target devices, such as servers. The floating self IP address is owned by
the active unit in an active/standby configuration.
Note
The IP address of the external VLAN is not the IP address of your site or
sites. The IP addresses of the sites themselves are specified by the virtual IP
addresses associated with each virtual server you configure.
Assigning interfaces to VLANs
After you configure the VLANs that you want to use on the 3-DNS
Controller, you can assign interfaces to the VLANs. If you use the default
internal and external VLANs, we recommend that you assign at least one
interface to the external VLAN, and at least one interface to the internal
VLAN. The external VLAN is the one on which the 3-DNS Controller
receives connection requests. The internal VLAN is typically the one that is
connected to the network of servers, firewalls, or other equipment that the
3-DNS Controller load balances.
Associating the primary IP address and VLAN with the host name
After you assign interfaces to VLANs, and if you have more than one
VLAN defined, you can choose one VLAN/IP address combination as the
primary IP address to associate with the unit host name.
Configuring a default gateway pool
If a 3-DNS Controller does not have a predefined route for network traffic,
the unit automatically sends traffic to the pool that you define as the default
gateway pool. You can think of the default gateway pool as a pool of default
routes. Typically, a default gateway pool is set to two or more gateway IP
addresses. If you type more than one default gateway IP address, the
additional gateways provide high availability for administrative
connections. The first address you type becomes the default route. If a
gateway in the default gateway pool becomes inactive, existing connections
through the inactive gateway are routed through another gateway in the
default gateway pool. If you type one IP address, no pool is created, and that
address is entered as the default route.
All default gateway IP addresses you add to the default gateway pool must
be in the same IP network as the 3-DNS Controller.
Configuring remote web server access
The 3-DNS web server provides the ability to set up remote web access on
each VLAN. When you set up web access on a VLAN, you can connect to
the web-based configuration utility through the VLAN. To enable web
access, specify a fully qualified domain name (FQDN) for each VLAN. The
3-DNS web server configuration also requires that you define a password
for the admin user. If SSL is available, the configuration also generates
authentication certificates.
Note
If the host name portion of the FQDN is greater than 64 characters, the
3-DNS software cannot use it for the web server FQDN.
The Setup utility guides you through a series of screens to set up remote web
access.
• The first screen prompts you to select the VLAN you want to configure
for web access. After you select an interface to configure, the utility
prompts you to type a fully qualified domain name (FQDN) for the
interface. You can configure web access on one or more interfaces.
• After you configure the interface, the utility prompts you for a password
for the admin user account.
• After you type a password for the admin user account, you have the
option to type the IP addresses from which web-interface connections are
allowed.
• After you type the IP addresses that are allowed to access the unit with
the admin account, the certification screen prompts you for country,
state, city, company, and division.
If you ever change the IP addresses or host names on the 3-DNS interfaces,
you must reconfigure the 3-DNS web server and the portal to reflect your
new settings.
You should add users, or change passwords for existing users, only through
the Configuration utility.
If you have modified the remote web server configuration outside of the
Configuration utility, be aware that some changes may be lost when you run
the Setup utility. This utility overwrites the httpd.conf file and the
openssl.conf file.
Configuring remote administrative access
After you configure remote web access, the Setup utility prompts you to
configure remote command line access. On most 3-DNS units, the first
screen you see is the Configure SSH screen, which prompts you to type an
IP address for SSH command line access. If SSH is not available, you are
prompted to configure access through Telnet, RSH, and FTP instead.
3-DNS® Administrator Guide3 - 9
Chapter 3
When the Setup utility prompts you to enter an IP address for
administration, you can type a single IP address or a list of IP addresses,
from which the 3-DNS Controller will accept administrative connections
(either remote shell connections, or connections to the web server on the
3-DNS Controller). To specify a range of IP addresses, you can use the
asterisk (*) as a wildcard character in the IP addresses.
The following example allows remote administration from all hosts on the
192.168.2.0/24 network:
192.168.2.*
For administration purposes, you can connect to the 3-DNS floating self IP
address, which always connects you to the active unit in an active/standby
redundant system. To connect to a specific unit, connect directly to the IP
address of that 3-DNS unit.
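The wildcard allow-list rule above, modelled in Python as an added example (not part of the guide or of the 3-DNS software): it validates entries, tests whether a source address is admitted, and flags entries that admit more hosts than a whole /24, which is the kind of check to run before turning on remote administration. It assumes that `*` stands for any value of one octet, as in the 192.168.2.* example; the allow-list values are constructed.

```python
import ipaddress
import re

# Constructed allow-list entries in the wildcard style the guide describes
# (example values only, not taken from any real unit).
ALLOWED = ["192.168.2.*", "10.0.0.5", "10.1.*.*"]

# Dotted quad where each octet is 0-255 or a single '*' wildcard (assumed syntax).
_OCTET = r"(\*|25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_ENTRY_RE = re.compile(rf"^{_OCTET}(\.{_OCTET}){{3}}$")


def valid_entry(entry):
    """True if entry is a dotted quad with optional per-octet '*' wildcards."""
    return _ENTRY_RE.match(entry) is not None


def parse_entry(entry):
    """Return the four octets as ints; a wildcard octet is returned as None."""
    if not valid_entry(entry):
        raise ValueError(f"not a dotted-quad wildcard pattern: {entry!r}")
    return [None if o == "*" else int(o) for o in entry.split(".")]


def matches(entry, source_ip):
    """True if source_ip falls within the addresses entry admits."""
    octets = parse_entry(entry)
    packed = ipaddress.IPv4Address(source_ip).packed  # 4 bytes, iterated as ints
    return all(o is None or o == b for o, b in zip(octets, packed))


def is_allowed(allow_list, source_ip):
    """Would an administrative connection from source_ip be accepted?"""
    return any(matches(e, source_ip) for e in allow_list)


def hosts_covered(entry):
    """Number of addresses an entry admits: 256 for every wildcard octet."""
    return 256 ** sum(1 for o in parse_entry(entry) if o is None)


def audit(allow_list, max_hosts=256):
    """Entries broader than max_hosts addresses (default: anything wider than a /24)."""
    return [e for e in allow_list if hosts_covered(e) > max_hosts]


if __name__ == "__main__":
    for ip in ("192.168.2.77", "192.168.3.1", "10.1.250.9"):
        print(ip, "allowed" if is_allowed(ALLOWED, ip) else "rejected")
    print("overly broad entries:", audit(ALLOWED))
```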
Setting support access
Next, the Setup utility prompts you to set up a support access account. If you
would like to activate a support access account to allow your vendor access
to the 3-DNS unit, type a password for the support account. Next, select the
access type you want for the support account.
Setting the time zone
Next, you need to specify your time zone. This ensures that the clock for the
3-DNS Controller is set correctly, and that dates and times recorded in log
files correspond to the time zone of the system administrator. Scroll through
the list to find the time zone at your location. Note that one option may
appear with multiple names. Select the time zone you want to use, and press
the Enter key to continue.
Configuring NTP support
You can synchronize the time on the unit to a public time server by using
Network Time Protocol (NTP). NTP is built on top of TCP/IP and assures
accurate, local timekeeping with reference to clocks located on the Internet.
This protocol is capable of synchronizing distributed clocks, within
milliseconds, over long periods of time. If you choose to enable NTP, make
sure UDP port 123 is open in both directions when the unit is behind a
firewall.
Configuring the 3-DNS mode
The 3-DNS Controller can run in three different modes: node, bridge, and
router.
◆ Node mode
The node mode is the traditional installation of the 3-DNS Controller.
The 3-DNS Controller replaces a DNS server in a network and uses the
DNS server’s IP address. All DNS traffic is directed at the 3-DNS
Controller because it is registered with InterNIC as authoritative for the
domain. In node mode, you usually run BIND on the system to manage
DNS zone files. In node mode, you may also use the NameSurfer
application available to manage your zone files.
◆ Bridge mode
In bridge mode, the 3-DNS Controller acts as an IP bridging device by
forwarding packets between two LAN segments (usually on the same IP
subnet). The system usually has one IP address, and is installed between
the router or switch, and the authoritative DNS server. The 3-DNS
Controller does not replace the authoritative DNS server.
The 3-DNS Controller filters all DNS packets that match wide IPs, and
forwards the remaining packets to the authoritative DNS server for
resolution. Note that this may be the preferred method of using the
3-DNS Controller because you do not have to replace the authoritative
DNS server, and you can perform out-of-band testing before you deploy
3-DNS software upgrades.
◆ Router mode
In router mode, the 3-DNS Controller acts as a router by forwarding
packets between two different IP subnets. You can put the 3-DNS
Controller anywhere in the network topology so that packets destined for
the authoritative DNS server have to pass through it. Router mode
requires at least two IP addresses and two VLANs. Router mode is
probably most useful for Internet service providers (ISPs) that want to
redirect traffic to local content servers. For example, by using the 3-DNS
Controller in router mode, an ISP can redirect requests for
ads.siterequest.net to a local ad server.
Configuring user authentication
When you run the Setup utility, you can configure authentication for 3-DNS
user accounts either through an external LDAP or RADIUS server, or
locally on the 3-DNS Controller. The following sections describe these two
authentication options.
Note
The root and admin accounts are always authenticated locally.
Using the local LDAP database only
When you run the Setup utility, you are not required to configure an external
LDAP or RADIUS database to manage user authentication. Instead, you can
use the default authentication mechanism, which is the 3-DNS Controller’s
local LDAP database. In this case, the local LDAP database manages not
only authorization for your 3-DNS users, but also authentication. All users
subsequently attempting to log on to a 3-DNS Controller must enter a user
name and password, which are checked against user data stored in the local
database. If the user name and password are found and verified in that
database, the user is authenticated.
Configuring the unit to use an external LDAP or RADIUS server
When you run the Setup utility, you can configure an external (remote)
server, either LDAP or RADIUS, to manage user authentication for the
3-DNS Controller. When you choose this configuration option, all users
subsequently attempting to log on to a 3-DNS Controller must enter a user
name and password, which are checked against user data stored in that
external database. If the user name and password are found and verified in
that database, the user is authenticated.
Note
In the event that authentication fails with an external LDAP or RADIUS
server, you can log in with accounts locally, such as the root and admin
accounts.
Configuring external LDAP authentication
When you configure the unit to use an external LDAP server for user
authentication, you need the following information:
• The IP address of the LDAP server, or the IP address of the primary
server if you have more than one LDAP server.
• The base distinguished name of each LDAP server. This name must be
the same for each server.
• Optionally, the user name of the account that you want to bind to the
LDAP server as the search account. The search account is a read-only
account used to do searches. This account must be able to access
passwords. If you have more than one LDAP server, this account must be
the same on each server.
• If you configure an LDAP search account, you need the password for
that account. If you have more than one LDAP server, you must use the
same search account and password.
• After you configure external authentication, you need to set the
authorization level, or role, for each user you want to allow to access the
controller. You can do this after you complete the Setup utility. Add an
account and role for each user in the User Administration screen of the
Configuration utility. Since the external authentication server handles the
password authentication, you do not need to enter a password for these
users. For detailed instructions on setting roles for users, see Managing user accounts, in Chapter 6, Administration and Monitoring, in the
3-DNS Reference Guide.
Configuring external RADIUS authentication
When you configure the unit to use an external RADIUS server for user
authentication, you need the following information:
• The IP address of the RADIUS server, or the IP address of the primary
server and secondary server if you have more than one RADIUS server.
• The port configured for RADIUS traffic on your RADIUS server.
Typically, the port configured for RADIUS is port 1645, the traditional
RADIUS port, or port 1812, the new official RADIUS port.
• The primary RADIUS secret, and if you have a secondary RADIUS
server, the secondary RADIUS secret.
• After you configure external authentication, you need to set the
authorization level, or role, for each user you want to allow to access the
controller. You can do this after you complete the Setup utility. Add an
account and role for each user in the User Administration screen of the
Configuration utility. Since the external authentication server handles the
password authentication, you do not need to enter a password for these
users. For detailed instructions on setting roles for users, see Managing user accounts, in Chapter 6, Administration and Monitoring, in the
3-DNS Reference Guide.
Configuring NameSurfer for zone file management
You can configure NameSurfer to handle DNS zone file management. We
strongly recommend that you configure NameSurfer to handle zone file
management by selecting NameSurfer to be the master on the unit. If you
select NameSurfer as the master, NameSurfer converts the DNS zone files
on the system, becomes the authoritative DNS, and automatically processes
changes and updates to the zone files. (You can access the NameSurfer
application directly from the Configuration utility for the 3-DNS
Controller.)
In the final series of the Setup utility screens, you choose whether to have
NameSurfer handle DNS zone file management on the 3-DNS Controller. If
you configure the 3-DNS Controller in node mode, we strongly recommend
that you configure NameSurfer to handle zone file management. If you
designate NameSurfer as the primary name server, NameSurfer converts the
DNS zone files on the system, becomes the authoritative DNS, and
automatically processes changes and updates to the zone files. (You can
access the NameSurfer application directly from the Configuration utility.)
To open the NameSurfer application
1. In the navigation pane, click NameSurfer.
The NameSurfer home screen opens.
2. Edit the zone file information as required.
For help with the NameSurfer application, click Help in the
NameSurfer navigation pane.
Note
Remember that if you run the 3-DNS Controller in bridge or router mode,
the system is not authoritative for any domains, so the NameSurfer
application is not available to manage any zone files.
Running the Setup utility after creating the initial software configuration
You normally run the Setup utility when the system is first installed as part
of the installation procedure. However, you can also use the command line
Setup utility to change existing settings at any time. This section describes
running the Setup utility to change settings after you run it initially.
To run the Setup utility from the command line, type in the following
command:
setup
After you complete the initial configuration, the Setup utility presents a
menu of individual configuration options.
The Setup utility menu is divided into two different sections, Required and
Optional. The Setup utility includes the following required configuration
options:
• Set the default gateway pool
• Configure VLANs and networking
• Set host name
• Configure web servers
• Set the root password
The following configuration selections are optional:
┌── I N I T I A L   S E T U P   M E N U ───────────────────────────────┐
│                                                                      │
│  Choose the desired configuration function from the list below.      │
│                                                                      │
│  (A) Configure all services       (R) Steps for redundant systems    │
│                                                                      │
│  REQUIRED                                                            │
│  (E) Set default gateways         (V) Configure VLANs & networking   │
│  (H) Set host name                (W) Configure web servers          │
│  (P) Set root password                                               │
│                                                                      │
│  OPTIONAL                                                            │
│  (C) Remote authentication        (O) Configure remote access        │
│  (D) Configure DNS                (S) Configure SSH                  │
│  (F) Configure FTP                (T) Configure Telnetd              │
│  (I) Initialize iControl portal   (U) Configure RSH                  │
│  (K) Set keyboard type            (Y) Set support access             │
│  (L) License Activation           (Z) Set time zone                  │
│  (M) Define time servers          (Q) Quit                           │
│  (N) Configure NameSurfer                                            │
│                                                                      │
│  Enter Choice:                                                       │
└──────────────────────────────────────────────────────────────────────┘
Figure 3.1 The Setup utility menu
Options available only through the Setup utility menu
This section contains descriptions of options that are available only through
the Setup utility menu. These options include:
• Initializing the iControl portal
• Configuring RSH
• Configuring Telnet
• Configuring FTP
Initialize the iControl portal
This option is available in the menu only after you create the initial software
configuration. Select this option to configure the CORBA ports (IIOP and
FSSL). This option prompts you for a list of IP addresses or host names you
want to embed as objects in the portal object reference. Typically, in a
redundant system, this list includes the fail-over IP address of the other
3-DNS unit in the redundant system.
This option prompts you to set the portal to use IP addresses instead of DNS
names. If the portal is set to use IP addresses, the 3-DNS Controller does not
have to do a DNS lookup.
In addition to these settings, you can change the following iControl portal
settings:
• The security mode of the portal. You can allow the portal to handle
non-secure requests.
• The name of the portal object reference file.
• The portal PID file name.
Configuring RSH
This option is available only in the menu after you create the initial software
configuration. Use this option to configure the remote shell (rshd) server.
This utility prompts you for an IP address from which administrators may
access the 3-DNS Controller. You can use wildcard characters (*) to include
all addresses from a specific part of the network. This utility also prompts
you to create a support account for access by technical support.
If inetd is not currently configured, this utility configures inetd for the
remote shell server (rshd). If the service port for rsh is closed, this utility
opens the service port to permit rsh connections to the system.
Configuring Telnet
Use this option to configure the Telnet server only on a 3-DNS Controller.
The Setup utility prompts you to configure each service independently. This
allows you to enable Telnet.
The utility prompts you for a configuration address for each service from
which administrators may access the 3-DNS Controller. You can use
wildcard characters (*) to include all addresses from a specific part of the
network. This utility also prompts you to create a support account for access
by technical support.
If inetd is not currently configured, this utility configures inetd for the
requested services. If the ports for Telnet are closed, this utility opens the
ports to permit Telnet connections to the 3-DNS Controller.
Configuring FTP
Use this option to configure FTP on the 3-DNS Controller. The Setup utility
prompts you for an IP address from which administrators may access the
3-DNS Controller with FTP. You can use wildcard characters (*) to include
all addresses from a specific part of the network. This utility also prompts
you to create a support account for access by technical support.
If the service port for FTP is closed, this utility opens the service port to
permit FTP connections to the 3-DNS Controller.
Although you can configure FTP and Telnet on a 3-DNS Controller, we
recommend that you leave these services disabled, for security reasons.
4
Post-Setup Tasks
• Introduction
• Configuring the interfaces
• Working with VLANs
• Configuring a self IP address
Introduction
Setting up the base network for the 3-DNS Controller means configuring
elements such as the 3-DNS Controller host name, a default gateway pool,
interface media settings, and VLANs and self IP addresses. Configuration
tasks for the BIG-IP base network are performed using the Setup utility. For
information on using the Setup utility, see Chapter 3, Using the Setup Utility.
Once you have configured the base network elements with the Setup utility,
you might want to further enhance the configuration of these elements. This
chapter provides the information you need to perform these additional
configuration tasks. You can perform these tasks using either the
Configuration utility or the bigpipe command line utility.
Elements you might want to further configure after running Setup are:
◆ Interfaces
You can set the media type and the duplex mode for an interface, as well
as display interface status.
◆ VLANs
VLAN options include tagging, and assigning interfaces to VLANs. In
addition, you can group separate VLANs together for the purpose of
bridging packets between them.
◆ Self IP addresses
You can change self IP addresses or create any number of additional self
IP addresses for a VLAN.
◆ Additional host names
You can insert additional host names and IP addresses for network
devices into the /etc/hosts file. For example, you can insert host names
for the IP addresses that you will assign to virtual servers, and host
names for standard devices such as your routers, network interface cards,
and servers.
◆ General networking
You can configure a default route, as well as dynamic routing, DNS, and
email.
Note
Once you have configured the base network, you can configure the
high-level network. Examples of elements you configure as part of the
high-level network are: Pools, rules, proxies, and network address
translation (SNATs and NATs).
Configuring the interfaces
Typically, a 3-DNS Controller has two network interfaces. The following
sections describe the naming convention, displaying the status, setting the
media type, and setting the duplex mode for the interfaces in the 3-DNS
Controller.
Understanding the interface naming convention
By convention, the Ethernet interfaces on a 3-DNS Controller take the name
<s>.<p> where s is the slot number of the NIC, and p is the port number on
the NIC. For the 2U platform, slot numbering is top-to-bottom, and port
numbering is left-to-right as shown in Figure 4.1.
[Figure 4.1: rear panel showing Port 1 labelled 1.1 and Port 2 labelled 1.2
(the interface designator), with three expansion slots]
Figure 4.1 Rear view of a 3-DNS Controller with two interface ports
Displaying status for interfaces
Use the following syntax to display the current status and the settings for the
installed interface cards:
b interface show
Figure 4.2 is an example of the output you see when you issue this
command.
interface   speed        pkts  pkts  pkts  pkts  bits   bits   errors  trunk  STP
            Mb/s         in    out   drop  coll  in     out
1.1 UP      100 HD       0     213   0     0     0      74.2K  0
2.1 UP      100 HD       20    25    0     0     28.6K  33.9K  0
Figure 4.2 The bigpipe interface show command output
Use the following syntax to display the current status and the setting for a
specific interface.
b interface <if_name> show
Setting the media type
You can set the media type for the interface card either to the specific media
type or to auto for auto detection. If the media type is set to auto and the
card does not support auto detection, the default type for that interface is
used, for example 100BaseTX.
Use the following syntax to set the media type:
b interface <if_name> media <media_type> | auto
(Default media type is auto.)
Note
If the 3-DNS Controller is inter-operating with an external switch, the
media setting should match that of the switch. To accomplish this, it is best
to specify the setting explicitly, and not rely on automatic detection using
auto.
Setting the duplex mode
You can set duplex mode to full or half duplex. If the media type does not
allow duplex mode to be set, this is indicated by an onscreen message. If
media type is set to auto, or if setting duplex mode is not supported for the
interface, the duplex setting is not saved to bigip.conf.
Use the following syntax to set the duplex mode:
b interface <if_name> duplex full | half | auto
(Default mode is auto.)
Note
If the 3-DNS Controller is inter-operating with an external switch, the
media setting should match that of the switch. To accomplish this, it is best
to specify the setting explicitly, and not rely on automatic detection using
auto.
Working with VLANs
A VLAN is a grouping of separate 3-DNS Controller networks that allows
those networks to behave as if they were a single local area network,
whether or not there is a direct ethernet connection between them.
The 3-DNS Controller offers several options that you can configure for a
VLAN. These options are summarized in Table 4.1.
Option: Description
• Create a default VLAN configuration: You can use the Setup utility to
create a default VLAN configuration.
• Create, rename, or delete VLANs: You can create, rename, or delete a
VLAN.
• Configure packet access to VLANs: Through an option called tagging, you
can direct packets from multiple VLANs to a specific 3-DNS interface, or
direct traffic from a single VLAN to multiple interfaces.
• Manage the L2 forwarding table: You can edit the L2 forwarding table to
enter static MAC address assignments.
• Create VLAN groups: You can create a VLAN group to allow layer 2
packet forwarding between VLANs.
• Set VLAN security: You can set port lockdown by VLAN.
• Set fail-safe timeouts: You can set a fail-safe timeout on a VLAN. You
can use a fail-safe timeout to trigger fail-over in a redundant system.
• Set self IP addresses: You can set one or more self IP addresses for
VLANs.
• Set MAC masquerade: You can use the MAC masquerade to set up a
media access control (MAC) address that is shared by a redundant system.
• Configure VLAN mirroring: You can configure the 3-DNS Controller to
replicate packets received by a VLAN and send them to another VLAN or
set of VLANs.
Table 4.1 Configuration options for VLANs
Default VLAN configuration
By default, the Setup utility configures each interface on the 3-DNS
Controller as a member of a VLAN. The 3-DNS Controller identifies the
fastest interfaces, makes the lowest-numbered interface in that group a
member of the VLAN external, and makes all remaining interfaces
members of the VLAN internal.
Figure 4.3 Simple VLAN configuration for a 3-DNS Controller
VLAN flexibility is such that separate IP networks can belong to a single
VLAN, while a single IP network can be split among multiple VLANs. (The
latter case allows the 3-DNS Controller to be inserted into an existing LAN
without renaming the nodes.) The VLANs named external and internal are
separate networks, and in the configuration shown they behave like separate
networks. The networks belonging to VLAN internal are also separate
networks, but have been made to behave like a single network. This is
accomplished using a feature called VLAN bridging.
Your default VLAN configuration is created using the Setup utility. On a
typical unit with two interfaces, you create an internal and external VLAN.
Creating, renaming, and deleting VLANs
Typically, if you use the default configuration, one VLAN is assigned to
each interface. However, if you need to change your network configuration,
or if the default VLANs are not adequate for a network configuration, you
can create new VLANs, rename existing VLANs, or delete a VLAN.
To create a VLAN using the Configuration utility
1. In the navigation pane, click Network.
The VLANs screen opens.
2. Click the Add button.
3. Type the attributes for the VLAN.
4. Click Done.
To rename or delete a VLAN using the Configuration utility
1. In the navigation pane, click Network.
The VLANs screen opens.
2. In the VLANs screen, use one of the following options:
• To rename a VLAN, click the VLAN name you want to change.
The VLAN properties screen opens. Type the new name in the
VLAN name box.
• To delete a VLAN, click the Delete button for the VLAN you
want to delete.
3. Click Done.
To create, rename, or delete a VLAN from the command line
To create a VLAN from the command line, use the following syntax:
b vlan <vlan name> interfaces add <if name> <if name>
For example, if you want to create a VLAN named myvlan that contains the
interfaces 1.1 and 1.2, type the following command:
b vlan myvlan interfaces add 1.1 1.2
To rename an existing VLAN, use the following syntax:
b vlan <vlan name> rename <new vlan name>
For example, if you want to rename the VLAN myvlan to yourvlan, type
the following command:
b vlan myvlan rename yourvlan
To delete a VLAN, use the following syntax:
b vlan <vlan name> delete
For example, to delete the VLAN named yourvlan, type the following
command:
b vlan yourvlan delete
Configuring packet access to VLANs
The 3-DNS Controller supports two methods for sending and receiving
packets through an interface that is a member of one or more VLANs. These
two methods are:
◆ Port-based access to VLANs
Packets are accepted for a VLAN because the packets have no tags in
their headers and were received on an interface that is a member of a
VLAN. With this method, an interface is configured as an untagged
member of the VLAN. Packets sent out through untagged interfaces
contain no tag in their header.
◆ Tag-based access to VLANs
Packets are accepted for a VLAN because the packets have tags in their
headers and the tag matches the VLAN identification number for the
VLAN. With this method, an interface is configured as a tagged member
of the VLAN. Packets sent out through tagged interfaces contain a tag in
their header.
The sending/receiving method used by a VLAN is determined by the way
that you add a member interface to a VLAN. When creating a VLAN or
modifying VLAN properties (using the Configuration utility or the bigpipe
command), you can add an interface to that VLAN as either an untagged or
a tagged interface.
The following two sections describe these two methods of providing packet
access to a VLAN.
Port-based access to VLANs
Port-based access to VLANs occurs when an interface is added to a VLAN
as an untagged interface. In this case, the interface can be added only to that
VLAN and to no others. This limits the interface to accepting traffic only
from that VLAN, instead of from multiple VLANs. To solve this problem,
the 3-DNS Controller allows you to configure a feature known as tagging,
described in the following section.
Tag-based access to VLANs
Tag-based access to VLANs occurs when an interface is added to a VLAN
as a tagged interface. A tagged interface can be added to multiple VLANs,
thereby allowing the interface to accept traffic from each VLAN of which
the interface is a member.
When you add an interface to a VLAN as a tagged interface, the 3-DNS
Controller associates the interface with the VLAN identification number, or
tag, which becomes embedded in a header of a packet.
Note
Every VLAN has a VLAN identification number. This identification number
is assigned to a VLAN either explicitly by a user when creating the VLAN,
or automatically by the 3-DNS Controller if the user does not supply one.
Configuration procedures
Each time you add an interface to a VLAN, either when creating a VLAN or
modifying its properties, you can designate that interface as a tagged
interface. A single interface can therefore have multiple tags associated with
it.
The result is that whenever a packet comes into that interface, the interface
reads the tag that is embedded in a header of the packet. If the tag in the
packet matches any of the tags associated with the interface, the interface
accepts the packet. If the tag in the packet does not match any of the tags
associated with the interface, the interface rejects the packet.
Important
You should use VLAN tagging only if you are running the 3-DNS Controller
in bridge mode.
You configure tag-based access to VLANs using either the Configuration
utility or the bigpipe vlan command. You can configure tag-based access
either when you create a VLAN and add member interfaces to it, or by
modifying the properties of an existing VLAN. In the latter case, you simply
change the status of one or more member interfaces from untagged to
tagged.
To create a VLAN that supports tag-based access using the
Configuration utility
Creating a VLAN that supports tag-based access means creating the VLAN
and then adding one or more tagged interfaces to it.
1. In the navigation pane, click Network.
The VLAN screen opens.
2. Click the Add button.
The Add VLAN screen opens.
3. On the Add VLAN screen, type the VLAN name.
4. In the Tag box, you can optionally specify a VLAN ID number. If
you do not provide one, the 3-DNS Controller assigns a default
number.
5. In the Resources box, specify any tagged interfaces by selecting the
appropriate interface numbers from the Interface Number list and
clicking tagged >>.
6. Configure the other VLAN options.
7. Click Done.
To configure tag-based access on an existing VLAN using the
Configuration utility
Configuring tag-based access on an existing VLAN means changing the
existing status of one or more member interfaces from untagged to tagged.
1. In the navigation pane, click Network.
The VLAN screen opens.
2. Click the VLAN name in the list.
The properties screen for that VLAN opens.
3. In the Resources box, move any untagged interfaces from the
Current Interfaces list to the Interface Number list.
4. Specify any tagged interfaces by selecting the appropriate interface
numbers from the Interface Number list and clicking tagged >>.
5. Click Done.
To create a VLAN that supports tag-based access from the
command line
1. Type the bigpipe vlan command, specifying a VLAN name, the tag
keyword, and a VLAN ID number. The following example creates
the VLAN external with a VLAN ID of 1209.
b vlan external tag 1209
2. Add the interfaces to the VLAN external as tagged interfaces. This
is done by specifying the VLAN name, the tagged keyword, and the
interfaces to be tagged. For example:
b vlan external interfaces add tagged 4.1 5.1 5.2
The effect of this command is to associate a tag with interfaces 4.1 and 5.1,
which in turn allows packets with that tag access to the external VLAN.
The above procedure adds multiple tagged interfaces to a single VLAN.
However, you can also add a single tagged interface to multiple VLANs.
This results in a single interface having more than one tag associated with it.
For example, the following commands add the tagged interface 4.1 to the
two VLANs external and internal:
b vlan external interfaces add tagged 4.1
b vlan internal interfaces add tagged 4.1
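The membership and acceptance rules described in the preceding sections (an untagged interface belongs to one VLAN only; a tagged interface may belong to several; a tagged frame is accepted only if its tag matches one associated with the interface), modelled in Python as an added example that is not part of the guide or of the 3-DNS software. It replays the command sequence above on the model. The auto-assigned tag values and the rule that an untagged member may not be added elsewhere as a tagged member are this model's assumptions.

```python
from dataclasses import dataclass, field


class VlanConfigError(Exception):
    """Raised when a membership change would violate the untagged/tagged rules."""


@dataclass
class Vlan:
    name: str
    tag: int                                    # VLAN identification number
    tagged: set = field(default_factory=set)    # members added with the tagged keyword
    untagged: set = field(default_factory=set)  # members added untagged (port-based access)


class VlanTable:
    """Model of the VLAN membership and frame-acceptance rules the guide describes."""

    def __init__(self):
        self.vlans = {}
        self._next_auto_tag = 4094  # assumed auto-assignment scheme, not the unit's

    def create(self, name, tag=None):
        """Counterpart of `b vlan <name> tag <id>`; the tag is auto-assigned when omitted."""
        if name in self.vlans:
            raise VlanConfigError(f"VLAN {name} already exists")
        if tag is None:
            tag = self._next_auto_tag
            self._next_auto_tag -= 1
        if any(v.tag == tag for v in self.vlans.values()):
            raise VlanConfigError(f"tag {tag} already in use")
        self.vlans[name] = Vlan(name, tag)
        return self.vlans[name]

    def _vlans_containing(self, ifname):
        return [v for v in self.vlans.values()
                if ifname in v.tagged or ifname in v.untagged]

    def add_interfaces(self, name, interfaces, tagged=False):
        """Counterpart of `b vlan <name> interfaces add [tagged] <if> ...`."""
        vlan = self.vlans[name]
        for ifname in interfaces:
            members = self._vlans_containing(ifname)
            if not tagged and members:
                # An untagged interface belongs to that VLAN and to no others.
                raise VlanConfigError(f"{ifname} is already a member of {members[0].name}")
            if tagged and any(ifname in v.untagged for v in members):
                # Model assumption: an untagged member cannot also be tagged elsewhere.
                raise VlanConfigError(f"{ifname} is an untagged member of another VLAN")
            (vlan.tagged if tagged else vlan.untagged).add(ifname)

    def tags_for(self, ifname):
        """All tags associated with an interface, one per tagged membership."""
        return {v.tag for v in self.vlans.values() if ifname in v.tagged}

    def accept(self, ifname, tag=None):
        """Name of the VLAN that accepts a frame arriving on ifname, or None if rejected.

        tag=None means the frame carries no tag. A tagged frame is accepted only
        when its tag matches one of the tags associated with the interface.
        """
        for v in self.vlans.values():
            if tag is None and ifname in v.untagged:
                return v.name
            if tag is not None and ifname in v.tagged and v.tag == tag:
                return v.name
        return None


def membership_allowed(table, name, interfaces, tagged=False):
    """True if the add is accepted by the model, False if it violates a rule."""
    try:
        table.add_interfaces(name, interfaces, tagged)
        return True
    except VlanConfigError:
        return False


def build_example_table():
    """Replay the guide's command sequence on the model (constructed example)."""
    t = VlanTable()
    t.create("external", tag=1209)                          # b vlan external tag 1209
    t.add_interfaces("external", ["4.1", "5.1", "5.2"], tagged=True)
    t.create("internal")                                    # tag auto-assigned
    t.add_interfaces("internal", ["4.1"], tagged=True)      # 4.1 now carries two tags
    t.create("mgmt")                                        # constructed VLAN name
    t.add_interfaces("mgmt", ["1.1"])                       # untagged, port-based access
    return t


if __name__ == "__main__":
    t = build_example_table()
    print("tags on 4.1:", sorted(t.tags_for("4.1")))
    print("frame tag 1209 on 4.1 ->", t.accept("4.1", 1209))
    print("frame tag 999 on 4.1  ->", t.accept("4.1", 999))
```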
Setting up security for VLANs
You can lock down a VLAN to prevent direct connection to the 3-DNS
Controller through that VLAN. You can override this lockdown for specific
services by enabling the corresponding global variable for that service. For
example:
b global open_ssh_port enable
To enable or disable port lockdown using the Configuration
utility
1. In the navigation pane, click Network.
The VLAN screen opens.
2. Click the VLAN name in the list.
The properties screen for that VLAN opens.
3. To enable port lockdown, click a check in the Port Lockdown box.
To disable port lockdown, clear the Port Lockdown check box.
4. Click Done.
To enable or disable port lockdown from the command line
To enable port lockdown, type:
b vlan <vlan_name> port_lockdown enable
To disable port lockdown, type:
b vlan <vlan_name> port_lockdown disable
Setting fail-safe timeouts for VLANs
For redundant 3-DNS units, you can enable a failsafe mechanism that will
fail over when loss of traffic is detected on a VLAN, and traffic is not
restored during the fail-over timeout period for that VLAN. You can enable
a fail-safe mechanism to attempt to generate traffic when half the timeout
has elapsed. If the attempt is successful, the fail-over is stopped.
To set the fail-over timeout and arm the fail-safe using the
Configuration utility
1. In the navigation pane, click Network.
The VLAN screen opens.
2. Click the VLAN name in the list.
The properties screen for that VLAN opens.
3. Check the Arm Failsafe box, and specify the timeout in seconds in
the Timeout box.
To set the fail-over timeout and arm the fail-safe from the
command line
Using the vlan command, you may set the timeout period and also arm or
disarm the fail-safe.
To set the timeout, type:
b vlan <vlan_name> timeout <timeout_in_seconds>
To arm the fail-safe, type:
b vlan <vlan_name> failsafe arm
To disarm the fail-safe, type:
b vlan <vlan_name> failsafe disarm
Setting the MAC masquerade address
You can share the media access control (MAC) masquerade address
between 3-DNS units in a redundant system. This option has the following
advantages:
• Increased reliability and failover speed, especially in lossy networks
• Interoperability with switches that are slow to respond to the network
changes
• Interoperability with switches that are configured to ignore network
changes
Post-Setup Tasks
Note
For correct operation, you must set the MAC masquerade address to be the
same on both the active and standby units. To do this, configure the shared
MAC address manually, by editing the bigip_base.conf file on both units.
Do not use the bigpipe config sync command.
The MAC address for a VLAN is the MAC address of the first interface to
be mapped to the VLAN, typically 4.1 for external, and 5.1 for internal.
You can view the interfaces mapped to a VLAN using the following
command:
b vlan show
You can view the MAC addresses for the interfaces on the 3-DNS
Controller using the following command:
b interface show verbose
Use the following syntax to set the MAC masquerade address to be shared
by both 3-DNS units in the redundant system.
b vlan <vlan_name> mac_masq <MAC_addr>
Find the MAC address on both the active and standby units, and pick one
that is similar but unique. A safe technique for selecting the shared MAC
address follows.
Suppose you want to set up mac_masq on the external interfaces. Using the
b interface show command on the active and standby units, you note that
their MAC addresses are:
Active: 3.1 = 0:0:0:ac:4c:a2
Standby: 3.1 = 0:0:0:ad:4d:f3
To avoid duplicate addresses on the segment, you must choose a MAC address
that no network card on that segment uses. The safest way is to take one of
the two burned-in addresses and OR 0x40 into its first byte. The result
differs from both units' burned-in addresses and stays a unicast address,
because the multicast bit (0x01 in the first byte) remains clear. Strictly,
the IEEE 802 bit that marks an address as locally administered is 0x02 in
the first byte; the 0x40 value used here serves the purpose at hand, which
is only to produce a unique unicast address, but confirm that no other
device on the segment already uses the result.
In this example, either 40:0:0:ac:4c:a2 or 40:0:0:ad:4d:f3 would be a
suitable shared MAC address to use on both 3-DNS units in the redundant
system.
The shared MAC address is used only when the 3-DNS Controller is in
active mode. When the unit is in standby mode, the original MAC address of
the network card is used.
If you do not configure mac_masq, then on startup, and again when the unit
moves from standby mode to active mode, the 3-DNS Controller sends
gratuitous ARP requests to notify the default router and other machines on
the local Ethernet segment that the MAC address behind its IP addresses has
changed. See RFC 826 for more details on ARP. Switches and hosts that are
slow to act on those updates, or that ignore them, are the reason to share a
masquerade address instead, as listed under the advantages above.
Note
The MAC masquerade information is stored in the bigip_base.conf file.
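The derivation above, as an added example (not code from the guide or from F5): a Python helper that parses the loosely formatted addresses bigpipe prints, ORs the chosen flag into the first byte, and checks that the result is unicast and does not collide with an address already seen on the segment. The two burned-in addresses are the ones from the example above; the list of addresses seen on the segment is constructed input, and the 0x02 option is the IEEE locally administered bit, which the guide does not mention.

```python
"""
Derive and sanity-check a shared MAC masquerade address.

Added example, not from the 3-DNS guide. Follows the guide's recipe (take one
unit's burned-in address and OR 0x40 into the first byte) and also offers the
IEEE 802 locally administered bit, 0x02. The sample addresses are the guide's;
the "seen on segment" list is constructed input.
"""
import re

# bigpipe prints unpadded octets (0:0:0:ac:4c:a2); accept one or two hex digits.
_MAC_RE = re.compile(r"^[0-9a-fA-F]{1,2}(:[0-9a-fA-F]{1,2}){5}$")


def parse_mac(text: str) -> bytes:
    """Return the six raw octets of a colon-separated MAC address."""
    text = text.strip()
    if not _MAC_RE.match(text):
        raise ValueError("not a MAC address: %r" % text)
    return bytes(int(octet, 16) for octet in text.split(":"))


def format_mac(raw: bytes) -> str:
    """Zero-padded, lowercase, colon-separated form."""
    return ":".join("%02x" % b for b in raw)


def derive_masq_mac(burned_in: str, flag: int = 0x40) -> str:
    """OR `flag` into the first octet of a burned-in address.

    0x40 is the value the guide uses; 0x02 is the IEEE U/L bit. Either
    leaves the multicast (I/G) bit 0x01 clear, which a unicast source
    address requires, so a flag that would set it is rejected.
    """
    if flag & 0x01:
        raise ValueError("flag would set the multicast bit")
    raw = bytearray(parse_mac(burned_in))
    raw[0] |= flag
    return format_mac(raw)


def check_masq_mac(candidate: str, seen_on_segment) -> list:
    """List the problems with a proposed shared address: multicast bit set,
    or a collision with an address already seen on the segment (include the
    two units' own burned-in addresses in that list)."""
    raw = parse_mac(candidate)
    problems = []
    if raw[0] & 0x01:
        problems.append("multicast bit set")
    if raw in {parse_mac(m) for m in seen_on_segment}:
        problems.append("collides with an address on the segment")
    return problems


if __name__ == "__main__":
    active = "0:0:0:ac:4c:a2"     # addresses from the guide's example
    standby = "0:0:0:ad:4d:f3"
    shared = derive_masq_mac(active)
    print("set on both units: b vlan external mac_masq", shared)
    print("problems:", check_masq_mac(shared, [active, standby]))
```

Run the check against every MAC address you can see on the segment, not only the two units: a shared address is set by hand in bigip_base.conf on both units, so nothing else will catch a duplicate for you.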
Configuring a self IP address
A self IP address is an IP address mapping to one or more VLANs and their
associated interfaces on a 3-DNS Controller. You assign a self IP address to
each interface on the unit as part of the initial configuration, and you also
assign a floating (shared) alias for units in a redundant system. You can
create additional self IP addresses for health checking, gateway failsafe,
routing, or other purposes. You create additional self IP addresses using
either the Configuration utility or using the self command in the bigpipe
utility. (See the 3-DNS Reference Guide, Appendix B, bigpipe Command Reference, for more information on the self command.)
To add a self IP address to a VLAN using the Configuration
utility
1. In the navigation pane, click Network.
The VLANs screen opens.
2. Click the Self IP Addresses tab.
3. Click the Add button.
4. In the IP Address box, type the self IP address to be assigned.
5. In the Netmask box, type an optional netmask.
6. In the Broadcast box, type an optional broadcast address.
7. If you want to configure the self IP address as a floating address,
check the Floating box.
8. If you want to enable the address for SNAT auto-mapping, check
the SNAT Automap box.
9. In the VLAN box, type the name of the VLAN to which you want to
assign the self IP address.
10. Click Done.
To add a self IP address to a VLAN from the command line
You can add any number of additional self IP addresses to a VLAN to create
aliases. For example:
b self 11.11.11.4 vlan external
b self 11.11.11.5 vlan external
b self 11.11.11.6 vlan external
b self 11.11.11.7 vlan external
Also, any one self IP address may have floating enabled to create a floating
alias that is shared by both units of a redundant system:
b self 11.11.11.8 floating enable
Assigning a self IP address to an interface automatically maps it to the
VLAN of which it is a member. Assigning a self IP address to an interface
not mapped to an untagged VLAN produces an error message.
5 Essential Configuration Tasks
• Reviewing the configuration tasks
• Setting up a basic configuration
• Setting up a data center
• Setting up servers
• Working with sync groups
• Overview of auto-configuration
• Configuring global variables
Reviewing the configuration tasks
Once you have completed the Setup utility, you set up the network and load
balancing aspects of the 3-DNS Controller. The 3-DNS Controller has three
essential configuration tasks that all users must complete, regardless of the
chosen load balancing solution.
◆ Configure the physical aspects of your load balancing network, which
includes the following:
• Data centers
• Data center servers and their virtual servers
• Communications between the 3-DNS Controller and other servers
• 3-DNS synchronization (if you have more than one 3-DNS Controller
in your network)
◆ Configure the logical aspects of your load balancing network, including
wide IPs and pools
◆ Configure the global load balancing modes and global variables
Setting up a basic configuration
Each 3-DNS Controller in the network setup must have information
regarding which data center houses specific servers, and with which other
3-DNS Controllers it can share configuration and load balancing
information. A basic network setup includes data centers, servers, and one
sync group. Once you have the basic network components configured on
your 3-DNS Controller, you can set up the wide IPs you need for managing
your load balancing. We recommend that you review the load balancing
solutions in the remaining chapters of this guide before you configure the
wide IPs.
The following sections describe the various elements of a basic network:
◆ Data centers
Data centers are the top level of your network setup. We recommend that
you configure one data center for each physical location in your global
network. The data center element of your configuration defines the
servers (3-DNS Controllers, BIG-IP systems, EDGE-FX systems, hosts,
and routers) that reside at that location.
A data center can contain any type of server. For example, in Figure 5.1
on page 5-4, the Tokyo data center contains a 3-DNS Controller and a
host, while the New York and Los Angeles data centers contain 3-DNS
Controllers and BIG-IP systems.
For information about configuring data centers, see Setting up a data center, on page 5-3.
◆ Servers
The data center servers that you define in the network setup include
3-DNS Controllers, BIG-IP systems, EDGE-FX systems, hosts, and
routers. You define the 3-DNS Controllers that manage load balancing to
the BIG-IP systems, EDGE-FX systems, and hosts, and you also define
the virtual servers that are managed by the servers. Virtual servers are the
ultimate destination for connection requests.
For information about configuring servers, see Setting up servers, on
page 5-5.
◆ Sync groups
Sync groups contain only 3-DNS Controllers. When setting up a sync
group, you define which 3-DNS Controllers have the same configuration.
In most cases, you should define all 3-DNS Controllers as part of the
same sync group.
For information about configuring sync groups, see Working with sync groups, on page 5-13.
◆ Wide IPs
After you define virtual servers for your BIG-IP systems, EDGE-FX
systems, and hosts, you need to define wide IPs to specify how
connections are distributed among the virtual servers. A wide IP maps a
domain name to a pool of virtual servers, and it specifies the load
balancing modes that the 3-DNS Controller uses to choose a virtual
server from the pool.
When a local DNS server requests a connection to a specific domain
name, the wide IP definition specifies which virtual servers are eligible
to answer the request, and which load balancing modes to use in
choosing a virtual server to resolve the request.
For information about configuring wide IPs and choosing load balancing
modes, please refer to Chapter 2, Load Balancing, in the 3-DNS
Reference Guide.
◆ Global variables
You can configure global variables that apply to all servers and wide IPs
in your network. However, the default values of the global variables
work well for most situations, so configuring global variables is optional.
For information about configuring global variables, see Configuring global variables, on page 5-17.
Setting up a data center
The first step in configuring your 3-DNS network is to create data centers. A
data center defines the group of 3-DNS Controllers, BIG-IP systems,
EDGE-FX systems, and host systems that reside in a single physical
location. For each data center that contains a 3-DNS Controller or a BIG-IP
system, you can also define a router. Figure 5.1 on page 5-4 shows an
example of a data center.
The advantage of grouping all systems from a single physical location into
one data center in the configuration is to allow path information collected by
one server to be shared with all other servers in the data center. The 3-DNS
Controller uses the big3d agent to collect path and metrics information
about the other servers, and their virtual servers, in the data center. The
3-DNS Controller then applies path metrics results to all the virtual servers
in the data center when making load balancing decisions.
Note
You must configure at least one data center before you can add servers to
the 3-DNS configuration.
Figure 5.1 Example of a multiple data center setup
When you add servers to the network setup, you assign the servers to the
appropriate data centers.
To configure a data center using the Configuration utility
1. In the navigation pane, click Data Centers.
2. On the toolbar, click Add Data Center.
The Add New Data Center screen opens.
3. Add the new data center settings. For help on defining data centers,
click Help on the toolbar.
The data center is added to your configuration.
4. Repeat this process for each data center in your network.
Note
To configure a data center from the command line, refer to Appendix A,
3-DNS Configuration File, in the 3-DNS Reference Guide.
Setting up servers
There are five types of servers you can configure on a 3-DNS Controller:
3-DNS Controllers, BIG-IP systems, EDGE-FX systems, hosts, and routers.
At the minimum, your network includes one 3-DNS Controller, and at least
one server (BIG-IP system, EDGE-FX system, or host) that it manages.
This section describes how to set up each server type (3-DNS Controller,
BIG-IP system, EDGE-FX system, host, and router) that makes up your
network. The setup procedures here assume that the servers are up and
running in the network, and that they already have virtual servers defined (if
the server manages virtual servers). Note that 3-DNS Controllers and routers
do not manage virtual servers.
Important
If you are adding a BIG-IP Link Controller to the 3-DNS configuration, you
add the Link Controller as a BIG-IP system. If you want the 3-DNS
Controller to be aware of and manage the links on the Link Controller, then
you add the Link Controller as a 3-DNS system, also.
Defining 3-DNS Controllers
The purpose of defining a 3-DNS Controller in the configuration is to
establish in which data center the 3-DNS Controller resides and, if
necessary, to change big3d agent settings. Before you add other 3-DNS
Controllers to the configuration, you should add the 3-DNS Controller you
are configuring to its own configuration. By adding any additional 3-DNS
Controllers to the configuration, you make those 3-DNS Controllers
available so that you can add them to a sync group.
Note
Please review Chapter 10, Adding a 3-DNS Controller to an Existing
Network, if you are configuring more than one 3-DNS Controller in your
network.
To define a 3-DNS Controller using the Configuration utility
1. In the navigation pane, expand the Servers item, then click 3-DNS.
2. On the toolbar, click Add 3-DNS.
The Add New 3-DNS screen opens.
To add virtual servers using the Configuration utility
1. In the navigation pane, expand the Servers item, and then click
BIG-IP.
2. In the table, find the BIG-IP system that you just added.
3. Click the entry in its BIG-IP Virtual Servers column.
4. On the toolbar, click Add Virtual Server.
The Add Virtual Server to BIG-IP screen opens.
5. Add the new virtual server settings. For help on adding virtual
servers, click Help on the toolbar.
Repeat this process for each virtual server you want to add to this
BIG-IP system.
Note
For details on how to configure a BIG-IP system from the command line,
refer to Appendix A, 3-DNS Configuration File, in the 3-DNS Reference Guide.
Defining a BIG-IP system with the 3-DNS module
In the 3-DNS configuration, you treat the BIG-IP system and the 3-DNS
Controller module as if they were separate devices. You can add the two
server types either by using the Configuration utility or by editing the
wideip.conf file. The following instructions describe how to add a BIG-IP
system with the 3-DNS Controller module, with the name
combo.siterequest.net and the IP address 192.168.100.100, to the
configuration.
Before you define a BIG-IP system with the 3-DNS Controller module in
the 3-DNS configuration, you should have the following information:
• The name and IP address of the BIG-IP system
• The name and IP address of the 3-DNS Controller
To add a BIG-IP system with the 3-DNS Controller module using
the Configuration utility
1. In the navigation pane, expand the Servers item, and then click
BIG-IP.
The BIG-IP List screen opens.
2. On the toolbar, click Add BIG-IP.
The Add BIG-IP screen opens.
3. In the BIG-IP Name box, type combo.siterequest.net.
4. In the BIG-IP IP Address box, type 192.168.100.100.
5. Add the rest of the settings as needed.
Note: When you have finished defining the BIG-IP system, you can
add the 3-DNS Controller module to the configuration.
6. In the navigation pane, expand the Servers item, and then click
3-DNS.
The 3-DNS List screen opens.
7. On the toolbar, click Add 3-DNS.
The Add 3-DNS screen opens.
8. In the 3-DNS Name box, type combo.siterequest.net.
9. In the 3-DNS IP Address box, type 192.168.100.100.
10. Add the rest of the settings as needed.
Note
For details on how to configure a BIG-IP system with the 3-DNS Controller
module from the command line, refer to Appendix A, 3-DNS Configuration File, in the 3-DNS Reference Guide.
Defining a router
Routers do not manage virtual servers; rather, they manage your network's
links to the Internet. Before you define a router in the 3-DNS
configuration, you should have the following information:
• The name of the router
• The IP address of the router (this is the gateway IP address)
• The IP addresses of the links that the router manages
Note
If you have a Link Controller or BIG-IP system in your network, the
auto-configuration process adds the routers to the configuration for you.
Note, however, that for BIG-IP systems, auto-configuration adds only one
router per data center. Use the following procedure only if you have
auto-configuration turned off.
To define a router using the Configuration utility
1. In the navigation pane, expand the Servers item, then click
Routers.
2. On the toolbar, click Add Router.
The Add New Router screen opens.
3. Add the new router settings. For help on defining a router, click
Help on the toolbar.
Note
For details on how to configure a router from the command line, refer to
Appendix A, 3-DNS Configuration File, in the 3-DNS Reference Guide.
Defining EDGE-FX systems
An EDGE-FX system can be either an EDGE-FX Cache, or a
GLOBAL-SITE Controller. Before you define any EDGE-FX systems, you
should have the following information:
• The IP address of the system itself
• The IP address and service name or port number of each virtual server
managed by an EDGE-FX Cache
Important
Auto-configuration automatically collects the virtual server configuration
information for any EDGE-FX systems you may have in your network. For
more information about auto-configuration, see Overview of auto-configuration, on page 5-15.
To define an EDGE-FX system using the Configuration utility
1. In the navigation pane, expand the Servers item, then click
EDGE-FX.
2. On the toolbar, click Add EDGE-FX.
The Add New EDGE-FX screen opens.
3. Add the new EDGE-FX system settings. Note that if you want the
3-DNS Controller to discover the EDGE-FX system’s virtual
servers, select ON for the Discovery setting. (For help on defining
EDGE-FX systems, click Help on the toolbar.)
4. Click Add when you have finished configuring the initial settings
for the EDGE-FX system.
The controller adds the EDGE-FX system information to the
configuration.
Important
Auto-configuration collects the virtual server information for any
EDGE-FX systems you have in your network, if you turn on Discovery when
you add the EDGE-FX system to the configuration. For more information
about auto-configuration, see Overview of auto-configuration, on page
5-15.
If you do not turn on Discovery when you add the EDGE-FX system to the
configuration, then use the following procedure to add virtual servers to the
EDGE-FX definition in the configuration.
To add virtual servers using the Configuration utility
1. In the navigation pane, click Servers, then click EDGE-FX.
2. In the table, find the EDGE-FX system that you just added.
3. Click the entry in its EDGE-FX Virtual Servers column.
4. On the toolbar, click Add Virtual Server.
The Add Virtual Server to EDGE-FX screen opens.
5. Add the new virtual server settings. For help on adding virtual
servers, click Help on the toolbar.
Repeat this process for each virtual server you want to add. Note that
GLOBAL-SITE Controllers do not manage virtual servers.
Note
For details on how to configure an EDGE-FX system from the command
line, refer to Appendix A, 3-DNS Configuration File, in the 3-DNS Reference Guide.
Defining host servers
A host is an individual network server or server array controller other than a
3-DNS Controller, BIG-IP system, EDGE-FX Cache, GLOBAL-SITE
Controller, or router. Before configuring a host, you should have the
following information:
◆ Address information
The IP address and service name or port number of each virtual server to
be managed by the host.
◆ SNMP information for host probing
To implement host probing and to collect performance metrics, you must
specify SNMP agent settings after you define the host server. The
settings you specify include the type and version of SNMP agent that
runs on the host, the community string, and the number of
communication attempts that you want the big3d agent to make while
gathering host metrics. SNMP agent settings for hosts are described in
Configuring host SNMP settings, on page 5-12.
Note
To fully configure host probing, you must configure the SNMP agent
settings in the host definition as previously described, set up the big3d
agents to run SNMP factories, and configure the SNMP agents on the hosts
themselves. For details, please refer to Chapter 5, Probing and Metrics
Collection, in the 3-DNS Reference Guide.
Important
Auto-configuration automatically collects the virtual server configuration
information for any load-balancing hosts you may have in your network
(with the exception of Cisco® LocalDirectors). For more information about
auto-configuration, see Overview of auto-configuration, on page 5-15.
To define a host using the Configuration utility
1. In the navigation pane, expand the Servers item, and then click
Host.
2. On the toolbar, click Add Host.
The Add New Host screen opens
3. Add the new host settings. Note that if you want the 3-DNS
Controller to discover the host’s virtual servers, select ON for the
Discovery setting. (For help on defining hosts, click Help on the
toolbar.)
4. Click Add when you have finished configuring the initial settings
for the host.
The controller adds the host information to the configuration.
Important
Auto-configuration collects the virtual server information for any host
systems you have in your network, if you turn on Discovery when you add
the host to the configuration. For more information about
auto-configuration, see Overview of auto-configuration, on page 5-15.
If you do not turn on Discovery (step 3, in previous procedure) when you
add the host to the configuration, then use the following procedure to add
virtual servers to the host definition.
To add more virtual servers using the Configuration utility
1. In the navigation pane, click Host.
2. In the table, find the host that you just added, and click the entry in
its Host Virtual Servers column.
3. On the toolbar, click Add Host Virtual Server.
The Add Virtual Server to Host screen opens.
4. Add the new virtual server settings. For help on adding virtual
servers, click Help on the toolbar.
Repeat this process for each virtual server you want to add to this
host.
Note
For details on how to configure a host from the command line, refer to
Appendix A, 3-DNS Configuration File, in the 3-DNS Reference Guide.
Configuring host SNMP settings
After defining a host server, you need to configure its SNMP settings if you
want to use SNMP host probing. Remember that you must first set up at
least one SNMP probing factory on any 3-DNS Controller, BIG-IP system,
EDGE-FX Cache, or GLOBAL-SITE Controller that runs the big3d agent
and is in the same data center as the host.
The SNMP prober collects some or all of the following information from
hosts.
• Memory utilization
• CPU utilization
• Disk space utilization
• Packet rate (packets per second)
• Throughput rate (kilobytes per second)
• Current connections
The 3-DNS Controller uses this performance information for dynamic load
balancing modes, such as Packet Rate, Quality of Service, and
Kilobytes/Second.
Table 5.1 shows the host SNMP agents supported by the 3-DNS Controller.
SNMP Agent: Description
Generic: A generic SNMP agent is an SNMP agent that collects metrics provided by object identifiers (OIDs) as specified in the RFC 1213 document.
UCD: This free SNMP agent is provided by the University of California at Davis. It is available on the web at http://net-snmp.sourceforge.net
Solstice: This SNMP agent is a product of Sun® Microsystems.
NTServ: This SNMP matrix agent is distributed with Microsoft® Windows NT® Server 4.0.
Win2KServ: This SNMP matrix agent is distributed with Microsoft Windows 2000 Server.
Cisco LDV2: This SNMP agent is distributed with the Cisco® LocalDirector, version 2.X.
Cisco LDV3: This SNMP agent is distributed with the Cisco LocalDirector, version 3.X.
ArrowPoint: This SNMP agent is distributed with the Cisco/ArrowPoint CSS series.
Alteon: This SNMP agent is distributed with the Alteon® WebSystems ACEdirector.
Foundry: This SNMP agent is distributed with the Foundry® ServerIron.
CacheFlow: This SNMP agent is distributed with the CacheFlow® appliances.
Table 5.1 Supported SNMP agents
Viewing host performance metrics
The Configuration utility displays the host metrics in the Host Statistics
screen. The 3-DNS Controller bases the advanced load balancing decisions
on packet rate, kilobytes per second, and current connections metrics, but
the Host Statistics screen displays the other metrics as well, for information
purposes.
Reviewing SNMP configuration issues
The SNMP probing feature requires that each host run an SNMP agent, and
that the hosts and the big3d agents in the data centers can reach each other
over the network. Firewalls often block SNMP, so verify that the firewalls
in your network pass SNMP traffic (UDP port 161 on the hosts) between the
big3d agents and the hosts, and open it only for those source addresses
rather than for the whole network.
In addition to configuring the SNMP agents on the hosts themselves, you
specify SNMP host probing settings in two places in the 3-DNS
configuration. First, when you define a 3-DNS Controller or BIG-IP system,
you set its big3d agent to run at least one SNMP factory. Second, when you
define each host server, you configure that host's SNMP agent settings,
including the type of agent running on the host and the community string
that grants access to the SNMP agent. Because SNMPv1 and SNMPv2c send the
community string in cleartext, use a read-only community string dedicated
to probing, not the default public and not a string that grants write
access. Last, you configure the SNMP agent on the host itself. We recommend
that you use the documentation originally provided with the host to
configure the SNMP agent.
Note
For more information about working with the big3d agent and SNMP, refer
to Chapter 5, Probing and Metrics Collection, in the 3-DNS Reference
Guide.
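To make the exposure concrete, the following added example (not code from the guide or from F5) encodes an SNMPv1 GetRequest for RFC 1213's sysDescr.0, the kind of request an SNMP factory sends to a host with a Generic agent, and decodes it again the way anyone sniffing the segment could. It uses only the Python standard library; the OID constant, the community string and the request-id in the usage are constructed sample input.

```python
"""
SNMPv1 GetRequest encoder and decoder (BER), minimal but complete.

Added example, not code from the 3-DNS guide or from F5. It shows the bytes
an SNMP probe puts on the wire when it queries a Generic (RFC 1213) agent,
and that the community string can be read straight back out of them.
Standard library only; SYS_DESCR_0 and the sample community are constructed.
"""

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"   # RFC 1213 system.sysDescr.0
GET_REQUEST = 0xA0                   # context tag [0]: GetRequest-PDU


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_int(v: int) -> bytes:
    """INTEGER, two's complement, shortest form for non-negative values."""
    return ber_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128
    with the high bit set on every octet of an arc except the last."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or arcs[1] > 39:
        raise ValueError("bad OID: %s" % dotted)
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return ber_tlv(0x06, bytes(out))


def build_get_request(community: str, oids, request_id: int = 1) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING,
    data GetRequest-PDU }; each varbind is SEQUENCE { OID, NULL }."""
    varbinds = b"".join(ber_tlv(0x30, encode_oid(o) + b"\x05\x00") for o in oids)
    pdu = ber_int(request_id) + ber_int(0) + ber_int(0) + ber_tlv(0x30, varbinds)
    return ber_tlv(0x30, ber_int(0) + ber_tlv(0x04, community.encode())
                         + ber_tlv(GET_REQUEST, pdu))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element); reject truncation."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_message(buf: bytes) -> dict:
    """Decode far enough to recover what a sniffer sees: version, community,
    PDU type, request-id and the OIDs asked for."""
    tag, body, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, rid, pos = read_tlv(pdu, 0)
    _, _err, pos = read_tlv(pdu, pos)
    _, _idx, pos = read_tlv(pdu, pos)
    _, vbl, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, raw_oid, _ = read_tlv(vb, 0)
        oids.append(decode_oid(raw_oid))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode("latin-1"),
            "pdu_type": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "oids": oids}


if __name__ == "__main__":
    pkt = build_get_request("public", [SYS_DESCR_0], request_id=1)
    print(pkt.hex())
    print(parse_message(pkt))   # the community string is right there, in cleartext
```

The decoder recovers the community string from the packet with no key or secret: treat it as a shared password, give the probing hosts a read-only community of their own, and filter UDP 161 so that only the systems running big3d agents can reach the hosts' agents.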
Working with sync groups
A sync group defines a group of 3-DNS Controllers that synchronize their
configuration settings, metrics data, and zone files (optional). A sync group
contains a principal system and one or more receiver systems. The principal
system is the 3-DNS Controller from which the receiver systems obtain their
metrics and server statistics information. You configure a sync group from
the principal 3-DNS Controller. First list the IP address of the principal
itself. Then list the receiver 3-DNS Controllers in the order that they should
become principals if previously listed 3-DNS Controllers fail.
Configuring sync groups
The following procedures describe how to configure sync groups.
To define a sync group using the Configuration utility
1. In the navigation pane, click 3-DNS Sync.
The System - Add a New Sync Group screen opens.
2. In the New Sync Group Name box, type the name of the new sync
group and click Add.
The Add a 3-DNS to a Sync Group screen opens.
3. From the list of 3-DNS Controllers, first select the 3-DNS
Controller that you want to be the principal system. Then check the
box next to each 3-DNS Controller that you want to add to the sync
group.
4. Click Add.
Note
For details on how to configure a sync group from the command line, refer
to Appendix A, 3-DNS Configuration File, in the 3-DNS Reference Guide.
Setting the time tolerance value
The time tolerance value is a global variable that defines the number of
seconds that one 3-DNS Controller's time setting is allowed to be out of
sync with another 3-DNS Controller's time setting. We recommend that you
leave the time tolerance variable at the default setting of 10.
To check the value for the time tolerance setting using the
Configuration utility
1. In the navigation pane, click System.
The System - General screen opens.
2. On the toolbar, click Timers and Task Intervals.
3. Note the value in the 3-DNS Sync Time Tolerance box, and change
it if necessary.
4. If you change this setting, click Update to save it. For more
information about the settings on this screen, click Help on the
toolbar.
To check the value for the time tolerance setting in the
configuration file
1. To ensure that the configuration files contain the same information
as the memory cache, type the following command:
3ndc dumpdb
2. Open the wideip.conf file in a text editor (either vi or pico).
3. Search for time_tolerance. If the time_tolerance sub-statement is
not in the configuration file, the default (10) is used.
4. Save and close the file.
5. Commit the changes to the configuration by typing:
3ndc reload
Overview of auto-configuration
The 3-DNS Controller automatically retrieves configuration details from
BIG-IP systems, hosts, and other 3-DNS Controllers that you add to the
3-DNS configuration. This process is known as auto-configuration.
Auto-configuration queries BIG-IP systems for their configuration
information, including self IP addresses and virtual servers.
Auto-configuration can also gather configuration information for host
systems that have SNMP enabled. Using auto-configuration eliminates the
repetitive tasks of entering configuration information both on the BIG-IP
systems and hosts, and on the 3-DNS Controller, thus dramatically reducing
administrative overhead.
Auto-configuration continually monitors the configurations for changes.
When you add or remove an object from a BIG-IP system, 3-DNS
Controller, or host, the change displays almost immediately in the 3-DNS
configuration. The 3-DNS Controller also synchronizes the changes among
the sync group members.
Once the 3-DNS Controller has retrieved the initial configuration, you
modify the auto-configuration settings for each server type using the
Configuration utility. Auto-configuration has three settings:
◆ ON
When the Discovery setting is set to ON, the 3-DNS Controller polls the
BIG-IP systems and host systems in the network every 30 seconds to
update the configuration information for those systems. Any changes,
additions, or deletions are then made to the controller's configuration.
◆ ON/NO DELETE
When the Discovery setting is set to ON/NO DELETE, the 3-DNS
Controller polls the BIG-IP system and host systems in the network
every 30 seconds to update the configuration information for those
systems. Any changes or additions are then made to the controller's
configuration. Any deletions in the configuration are ignored. This
setting is helpful if you want to take systems in and out of service
without modifying the 3-DNS configuration.
◆ OFF
When the Discovery setting is set to OFF, the 3-DNS Controller does
not collect any configuration information from the BIG-IP system and
host systems in the network. Instead, you must make all changes to the
configuration either by using the Configuration utility, or by editing the
wideip.conf file. Note that this is the default setting.
Note
In the Configuration utility, auto-configuration is labeled Discovery.
To modify the auto-configuration setting for a BIG-IP system
using the Configuration utility
1. In the navigation pane, expand the Servers item, and then click
BIG-IP.
The BIG-IP List screen opens.
2. Click the name of the BIG-IP system for which you want to modify
the auto-configuration setting.
The Modify BIG-IP screen opens.
3. In the Discovery box, select one of the following settings: ON, ON/NO DELETE, or OFF.
4. Click Update.
The configuration updates with the new setting.
To modify the auto-configuration setting for a host using the
Configuration utility
1. In the navigation pane, expand the Servers item, and then click
Host.
The Host List screen opens.
2. Click the name of the host for which you want to modify the
auto-configuration setting.
The Modify Host screen opens.
3. In the Discovery box, select one of the following settings: ON, ON/NO DELETE, or OFF.
4. Click Update.
The configuration updates with the new setting.
To modify the auto-configuration setting for a 3-DNS Controller
using the Configuration utility
1. In the navigation pane, expand the Servers item, and then click
3-DNS.
The 3-DNS List screen opens.
2. Click the name of the 3-DNS Controller for which you want to modify
the auto-configuration setting.
The Modify 3-DNS screen opens.
3. In the Discovery box, select one of the following settings: ON, ON/NO DELETE, or OFF.
4. Click Update.
The configuration updates with the new setting.
Configuring global variables
The global variables determine the default settings for iQuery messages,
synchronization, encryption, and default load balancing parameters. The
default values for the global variables are sufficient for most load balancing
situations.
To configure global parameters using the Configuration utility
1. In the navigation pane, click System.
The System - General screen opens. Note that global parameters are
grouped into several categories on this screen. Each category has its
own toolbar item, and online help is available for each parameter.
2. Make general global changes at the System - General screen or, to
make changes to global parameters in other categories, click the
appropriate toolbar item.
3. Add the new global settings. For help on configuring the global
settings, click Help on the toolbar.
The new global parameters are added to your configuration.
Chapter 6
Configuring a Globally-Distributed Network
• Understanding a globally-distributed network
• Using Topology load balancing
• Setting up a globally-distributed network configuration
• Additional configuration settings and tools
Understanding a globally-distributed network
When you are familiar with your traffic patterns and are expanding into a
global marketplace, you can use the 3-DNS Controller to distribute requests
in an efficient and seamless manner using Topology load balancing. When
you use Topology load balancing, the 3-DNS Controller compares the
location information derived from the DNS query message to the topology
records in the topology statement. The system then distributes the request
according to the topology record that best matches the location information.
Figure 6.1 Topology load balancing in a globally-distributed network
Using Topology load balancing
The Topology load balancing mode is optimal for organizations that have
data centers in more than one country or on more than one continent. The
3-DNS Controller enables topology-based load balancing by resolving DNS
requests to the geographically closest server. The traditional topology load
balancing mode, which provides basic topology mapping functionality, uses
IP subnets of virtual servers and known LDNS servers. This can result in a
very large list of IP subnets to manage when you want to map a specific
geographic region.
To simplify topology load balancing, the 3-DNS Controller contains a
classifier that maps IP addresses to geographic locations. With this
classifier, the 3-DNS Controller determines the location of the requesting
LDNS server at either the country or the continent level, rather than by
individual IP subnet. The system then load balances the request to the
geographically closest virtual servers, selected by IP subnet, wide IP
pool, or data center.
You can set up Topology load balancing either between wide IP pools or
within a wide IP pool. For the example in Figure 6.1, we configure
Topology load balancing between wide IP pools.
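The matching step described above (for both the traditional subnet records and the classifier-based country and continent records), as an added Python example that is not F5 code: the query's source address (the LDNS) is classified, then the topology record that most specifically matches it selects a wide IP pool. The classifier table, the topology records, the pool names and the "most specific record wins" ordering are assumptions made for illustration; the controller has its own classifier data and its own topology statement syntax.

```python
"""Topology load balancing: pick the pool whose record best matches the
location of the querying LDNS.

Added example, not F5 code. The classifier table, the topology records, the
pool names and the 'most specific record wins' rule are assumptions made for
illustration; 3-DNS keeps its own classifier and topology statement.
"""
import ipaddress

# Constructed stand-in for the controller's IP-to-geography classifier:
# LDNS subnet -> (country code, continent code).
CLASSIFIER = [
    (ipaddress.ip_network("203.0.113.0/24"),  ("DE", "EU")),
    (ipaddress.ip_network("198.18.0.0/15"),   ("FR", "EU")),
    (ipaddress.ip_network("198.51.100.0/24"), ("US", "NA")),
    (ipaddress.ip_network("192.0.2.0/24"),    ("JP", "AS")),
]

# Constructed topology statement: (selector kind, selector value, pool).
# A 'subnet' record is the traditional style; 'country' and 'continent'
# records rely on the classifier instead of a long list of subnets.
TOPOLOGY = [
    ("subnet",    "203.0.113.128/25", "pool_frankfurt"),
    ("country",   "DE",               "pool_berlin"),
    ("continent", "EU",               "pool_london"),
    ("continent", "NA",               "pool_newyork"),
    ("continent", "AS",               "pool_tokyo"),
]
DEFAULT_POOL = "pool_newyork"   # used when no record matches


def classify(ldns_ip):
    """Map an LDNS address to (country, continent); (None, None) if unknown."""
    ip = ipaddress.ip_address(ldns_ip)
    for net, geo in CLASSIFIER:
        if ip in net:
            return geo
    return (None, None)


def specificity(kind, value):
    """Rank records: longest subnet prefix > country > continent (assumed rule)."""
    if kind == "subnet":
        return 200 + ipaddress.ip_network(value).prefixlen
    if kind == "country":
        return 100
    if kind == "continent":
        return 50
    raise ValueError("unknown selector kind: %r" % (kind,))


def select_pool(ldns_ip, topology=TOPOLOGY, default=DEFAULT_POOL):
    """Return the pool for a query whose source (the LDNS) is ldns_ip."""
    ip = ipaddress.ip_address(ldns_ip)
    country, continent = classify(ldns_ip)
    best_rank, best_pool = -1, default
    for kind, value, pool in topology:
        if kind == "subnet":
            hit = ip in ipaddress.ip_network(value)
        elif kind == "country":
            hit = country is not None and value == country
        elif kind == "continent":
            hit = continent is not None and value == continent
        else:
            raise ValueError("unknown selector kind: %r" % (kind,))
        rank = specificity(kind, value)
        if hit and rank > best_rank:
            best_rank, best_pool = rank, pool
    return best_pool


if __name__ == "__main__":
    for ldns in ("203.0.113.200", "203.0.113.5", "198.18.5.5",
                 "198.51.100.7", "192.0.2.9", "10.0.0.1"):
        print("%-15s %-14s -> %s" % (ldns, classify(ldns), select_pool(ldns)))
```

Two points worth keeping in mind when you write real topology records. The location is derived from the address that sent the query, which is the LDNS server, not the end client, so clients that use a resolver in another region are steered to that resolver's region. And an address the classifier does not know (10.0.0.1 above) matches no country or continent record, so you need a default, or a catch-all record, to avoid resolving such queries arbitrarily.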
Setting up a globally-distributed network configuration
By going through the following setup tasks, you can configure the 3-DNS
Controller to process requests, using Topology, in a globally-distributed
network. This configuration is based on the following assumptions:
• You have more than one data center.
• You have a 3-DNS Controller in each data center.
• You have BIG-IP systems, or other load balancing hosts, in the data
centers.
• You want to load balance requests to the geographically closest virtual
server.
If you use a CDN for some or all of your content delivery, please refer to
Chapter 7, Configuring a Content Delivery Network, to set up this
configuration.
The following sections describe, in order, the specific configuration tasks
you perform to set up a globally-distributed network. Please review the tasks
before you actually perform them, so that you are familiar with the process.