Manual Chapter : Configuring BIG-IP DNS on a Network with One Route Domain

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 17.0.0, 16.1.5, 16.1.4, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0

BIG-IP DNS

  • 17.0.0, 16.1.5, 16.1.4, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0
Manual Chapter

Configuring BIG-IP DNS on a Network with One Route Domain

Overview: How do I deploy BIG-IP DNS on a network with one route domain?

You can deploy BIG-IP DNS on a network where BIG-IP Local Traffic Manager (LTM) is configured with one route domain and no overlapping IP addresses.
For BIG-IP systems that include both LTM and BIG-IP DNS, you can configure route domains on internal interfaces only. F5 Networks does not support the configuration of route domains on a standalone BIG-IP DNS.
BIG-IP DNS deployed on a network in front of a BIG-IP LTM configured with a route domain
BIG-IP DNS deployed on a network in front of a BIG-IP LTM configured with a route       domain

Creating VLANs for a route domain on BIG-IP LTM

Create two VLANs on BIG-IP LTM through which traffic can pass to a route domain.
  1. On the Main tab, click
    Network
    VLANs
    .
    The VLAN List screen opens.
  2. Click
    Create
    .
    The New VLAN screen opens.
  3. In the
    Name
    field, type
    external
    .
  4. In the
    Tag
    field, type a numeric tag, between 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
    The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. If you want to use Q-in-Q (double) tagging, use the
    Customer Tag
    setting to perform the following two steps. If you do not see the
    Customer Tag
    setting, your hardware platform does not support Q-in-Q tagging and you can skip this step.
    1. From the
      Customer Tag
      list, select
      Specify
      .
    2. Type a numeric tag, from 1-4094, for the VLAN.
    The customer tag specifies the inner tag of any frame passing through the VLAN.
  6. For the
    Interfaces
    setting:
    1. From the
      Interface
      list, select an interface number or trunk name.
    2. From the
      Tagging
      list, select
      Tagged
      or
      Untagged
      .
      Select
      Tagged
      when you want traffic for that interface to be tagged with a VLAN ID.
    3. If you specified a numeric value for the
      Customer Tag
      setting and from the
      Tagging
      list you selected
      Tagged
      , then from the
      Tag Mode
      list, select a value.
    4. Click
      Add
      .
    5. Repeat these steps for each interface or trunk that you want to assign to the VLAN.
  7. If you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated, select the
    Source Check
    check box.
  8. For the
    Hardware SYN Cookie
    setting, select or clear the check box.
    When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.
    Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
  9. For the
    Syncache Threshold
    setting, retain the default value or change it to suit your needs.
    The
    Syncache Threshold
    value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.
    When the
    Hardware SYN Cookie
    setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:
    • The number of TCP half-open connections defined in the LTM setting
      Global SYN Check Threshold
      is reached.
    • The number of SYN flood packets defined in this
      Syncache Threshold
      setting is reached.
  10. For the
    SYN Flood Rate Limit
    setting, retain the default value or change it to suit your needs.
    The
    SYN Flood Rate Limit
    value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
  11. Click
    Finished
    .
    The screen refreshes, and it displays the new VLAN in the list.
Repeat this procedure, but in Step 3, name the VLAN
internal
.

Creating a route domain on the BIG-IP system

Before you create a route domain:
  • Ensure that an external and an internal VLAN exist on the BIG-IP system.
  • Verify that you have set the current partition on the system to the partition in which you want the route domain to reside.
You can create a route domain on BIG-IP system to segment (isolate) traffic on your network. Route domains are useful for multi-tenant configurations.
  1. On the Main tab, click
    Network
    Route Domains
    .
    The Route Domain List screen opens.
  2. Click
    Create
    .
    The New Route Domain screen opens.
  3. In the
    Name
    field, type a name for the route domain.
    This name must be unique within the administrative partition in which the route domain resides.
  4. In the
    ID
    field, type an ID number for the route domain.
    This ID must be unique on the BIG-IP system; that is, no other route domain on the system can have this ID.
    An example of a route domain ID is
    1
    .
  5. For the
    Parent Name
    setting, retain the default value.
  6. For the
    VLANs
    setting, from the
    Available
    list, select a VLAN name and move it to the
    Members
    list.
    Select the VLAN that processes the application traffic relevant to this route domain.
    Configuring this setting ensures that the BIG-IP system immediately associates any self IP addresses pertaining to the selected VLANs with this route domain.
  7. Click
    Finished
    .
    The system displays a list of route domains on the BIG-IP system.
You now have another route domain on the BIG-IP system.

Creating a self IP address for a route domain on BIG-IP LTM

Ensure that VLANs exist on BIG-IPLTM, before you begin creating a self IP address for a route domain.
Create a self IP address on the BIG-IP system that resides in the address space of the route domain.
  1. On the Main tab, click
    Network
    Self IPs
    .
  2. Click
    Create
    .
    The New Self IP screen opens.
  3. In the
    Name
    field, type a unique name for the self IP address.
  4. In the
    IP Address
    field, type an IP address.
    This IP address must represent a self IP address in a route domain. Use the format
    x.x.x.x%n
    , where
    n
    is the route domain ID, for example, 10.1.1.1%1.
    The system accepts IPv4 and IPv6 addresses.
  5. In the
    Netmask
    field, type the network mask for the specified IP address.
    For example, you can type
    255.255.255.0
    .
  6. From the
    VLAN/Tunnel
    list, select the VLAN that you assigned to the route domain that contains this self IP address.
  7. From the
    Port Lockdown
    list, select
    Allow Default
    .
  8. Click
    Finished
    .
    The screen refreshes, and displays the new self IP address.
Create additional self IP addresses based on your network configuration.

Defining a server for a route domain on BIG-IP DNS

Ensure that at least one data center exists in the configuration.
On a BIG-IP DNS system, define a server that represents the route domain.
  1. On the Main tab, click
    DNS
    GSLB
    Servers
    .
    The Server List screen opens.
  2. Click
    Create
    .
    The New Server screen opens.
  3. In the
    Name
    field, type a name for the server.
    Server names are limited to 63 characters.
  4. From the
    Product
    list, select
    BIG-IP System
    .
  5. From the
    Data Center
    list, select the data center where the server resides.
  6. From the
    Prober Preference
    list, select the preferred type of prober(s).
    Inherit From Data Center
    By default, a server inherits the prober preference selection assigned to the data center in which the server resides.
    Inside Data Center
    A server selects the probers from inside the data center where the server resides.
    Outside Data Center
    A server selects the probers from outside the data center where the server resides.
    Specific Prober Pool
    Select one of the Prober pools from the drop-down list. When assigning the Prober pool at the server level.
    Note
    :
    Prober pools are not used by the bigip monitor.
  7. From the
    Prober Fallback
    list, select the type of prober(s) to be used if insufficient numbers of the preferred type are available.
    Inherit From Data Center
    By default, a server inherits the prober fallback selection assigned to the data center in which the server resides.
    Any Available
    For selecting any available prober.
    Inside Data Center
    A server selects probers from inside the data center where the server resides.
    Outside Data Center
    A server selects probers from outside the data center where the server resides.
    None
    No fallback probers are selected. Prober fallback is disabled.
    Specific Prober Pool
    Select one of the probers from the list When you want to assign a prober pool at the server level.
  8. In the BIG-IP System devices area, add the self IP address that you assigned to the VLAN that you assigned to the route domain.
    Do not include the route domain ID in this IP address. Use the format x.x.x.x, for example, 10.10.10.1.
  9. In the
    Health Monitors
    setting, assign the
    bigip
    monitor to the server by moving it from the
    Available
    list to the
    Selected
    list.
  10. From the
    Availability Requirements
    list, select an option and enter any required values.
    All Health Monitors
    By default, specifies that all of the selected health monitors must be successful before the server is considered up (available).
    At Least
    The minimum number of selected health monitors that must be successful before the server is considered up.
    Require
    The minimum number of successful probes required from the total number of probers requested.
  11. From the
    Virtual Server Discovery
    list, select how you want virtual servers to be added to the system.
    Virtual server discovery is supported when you have only one route domain.
    Disabled
    Use this option when you plan to manually add virtual servers to the system, or if your network uses multiple route domains. This is the default value.
    Enabled
    The system automatically adds virtual servers using the discovery feature.
    Enabled (No Delete)
    The system uses the discovery feature and does not delete any virtual servers that already exist.
  12. Click
    Finished
    .
    The Server List screen opens displaying the new server in the list.

Running the big3d_install script

Determine the self IP addresses of the BIG-IP systems that you want to upgrade with the latest
big3d
agent. Ensure that port
22
is open on these systems.
Run the
big3d_install
script on the DNS system you are adding to your network. This upgrades the
big3d
agents on the other BIG-IP systems on your network. It also instructs these systems to authenticate with the other BIG-IP systems through the exchange of SSL certificates. For additional information about running the script, see K13312 on AskF5.com (
www.askf5.com
).
You must perform this task from the command-line interface.
All target BIG-IP systems must be running the same or an older version of BIG-IP software.
  1. Log in as
    root
    to the BIG-IP DNS system you are adding to your network.
  2. Run this command to access
    tmsh
    :
    tmsh
  3. Run this command to run the
    big3d_install
    script:
    run gtm big3d_install
    <IP_addresses_of_target BIG-IP_systems>
    The script instructs BIG-IP DNS to connect to each specified BIG-IP system.
  4. If prompted, enter the
    root
    password for each system.
The SSL certificates are exchanged, authorizing communications between the systems. The
big3d
agent on each system is upgraded to the same version as is installed on the BIG-IP DNS system from which you ran the script.

Running the bigip_add script

You must determine the self IP addresses of the LTM systems that you want to communicate with BIG-IP DNS before you start this task.
You run the
bigip_add
script on the BIG-IP DNS system you are installing on a network that includes other BIG-IP systems of the same version. This script exchanges SSL certificates so that each system is authorized to communicate with the other. For additional information about running the script, see K13312 on AskF5.com (
www.askf5.com
).
The BIG-IP DNS and BIG-IP LTM systems must have TCP port
22
open for the script to work. You must perform this task from the command-line interface.
  1. Log in as
    root
    to the BIG-IP DNS system you are installing on your network.
  2. Run this command to access
    tmsh
    .
    tmsh
  3. Run this command to run the
    bigip_add
    utility:
    run gtm bigip_add
    <IP_addresses_of_BIG-IP_LTM_systems>
    The utility exchanges SSL certificates so that each system is authorized to communicate with the other.

Implementation result

You now have an implementation in which BIG-IP DNS can monitor virtual servers on BIG-IP LTM® systems configured with one route domain.