Applies To: 3-DNS Controller versions 1.x - 4.x
- 2.0.1 PTF-01, 2.0.1, 2.0.0
7 Monitoring and Administration
- Monitoring and administration utilities provided on the 3DNS Controller
- Working with the 3DNS Maintenance menu
- Controlling network traffic patterns with production rules
- Working with the production rules scripting language
- Setting up the 3DNS SNMP agent
- Changing passwords for the 3DNS Controller
- Viewing system statistics
Monitoring and administration utilities provided on the 3DNS Controller
The 3DNS Controller provides utilities for monitoring and administration of the 3DNS Controller. You can monitor system statistics for all components of your 3DNS Controller, as well as perform configuration tasks.
The 3DNS Controller provides the following configuration, monitoring, and administration utilities:
- F5 Configuration utility
The F5 Configuration utility is a browser-based application that you can use to configure and monitor the 3DNS Controller. You may have used the F5 Configuration utility to define your network setup. The F5 Configuration utility supports Netscape Navigator, version 4.5, and Internet Explorer, version 4.x.
- 3DNS Maintenance menu
Use the 3DNS Maintenance menu to simplify certain tasks such as starting the big3d agent and editing the wideip.conf file.
Working with the 3DNS Maintenance menu
The 3DNS Maintenance menu is a tool you can use to manually configure and monitor the 3DNS Controller only if you do not work with either the browser-based Configuration utility or the NameSurfer application.
You can use the 3DNS Maintenance menu to perform the following types of manual configuration tasks:
- Configure wide IPs
- View statistics
- Work with the big3d agent
- Manage synchronized files
- Work with security issues
- Configure the 3DNS web server
- Work with syncd
Figure 7.1 shows the 3DNS Maintenance menu:
3DNS® Maintenance Menu
Generate RSA Authentication
Generate and Copy iQuery Encryption Key
Check versions of named, BIG/ip kernel and needed big3d
Edit big3d matrix
Install and Start big3d
Edit BIND Configuration
Edit 3DNS Configuration
Synchronize Metrics Data
Check big3d
Restart big3d
Reconfigure 3DNS Web Administration
Restart 3DNS Administration
Change/Add Users for 3DNS Web Administration
Dump and List named Database
Stop syncd
Restart syncd
Checkpoint synced files
Rollback checkpoint
Enter 'q' to Quit
To use the 3DNS Maintenance menu
- Type the following command to open the menu:
3dnsmaint
- Select the command to execute, then press the Enter key.
Each command is described in the sections that follow.
Configuring wide IPs
You can use the following commands to edit BIND and 3DNS Controller configuration files. However, we recommend that you use NameSurfer to handle BIND Configuration, and that you use the F5 Configuration utility to configure wide IPs.
Edit BIND Configuration
The Edit BIND Configuration command opens the named.conf file for editing. You should only use this command if you are performing all configuration tasks manually. It is important that you do not use this command if you are using the F5 Configuration utility or NameSurfer.
Edit 3DNS Configuration
The Edit 3DNS Configuration command runs the edit_wideip script, which performs the following tasks:
- Opens the wideip.conf file for editing.
- Copies the wideip.conf file to all other 3DNS Controllers in the local 3DNS Controller's sync group.
- Restarts named.
Viewing statistics
You can use the following command to view various 3DNS Controller statistics. For more statistics information, you can also use the Statistics area of the F5 Configuration utility (as described earlier in this chapter).
Dump and List named Database
The Dump and List named Database command corresponds to the 3dprint script, which lets you view these statistics screens on the command line:
- sum
Displays summary statistics, such as the 3DNS Controller version, the total number of resolved requests, and the load balancing methods used to resolve requests.
- paths
Displays path statistics, such as round trip time and packet completion rate.
- ldns
Displays statistics collected for local DNS servers, including the number of resolution requests received from a given server, and the current protocol used to probe the server.
- vs
Displays statistics about BIG/ip and host virtual servers, such as the server state, and the number of times it has received resolution requests.
- bigips
Displays statistics about all BIG/ip Controllers known to the 3DNS Controller, including the number of virtual servers each BIG/ip Controller manages, and the number of times that the 3DNS Controller resolves requests to those virtual servers.
- hosts
Displays statistics about all hosts known to the 3DNS Controller, including the number of times that the 3DNS Controller resolves requests to the host.
- wips
Displays statistics about each wide IP defined on the 3DNS Controller, including load balancing information and the remaining time to live before the wide IP's metrics data needs to be refreshed.
Working with the big3d agent
You can use the following commands to work with the big3d agent, which collects information about paths between a data center and a specific local DNS server.
Check versions of named, BIG/ip kernel and needed big3d
The Check versions of named, BIG/ip kernel and needed big3d command runs the big3d_version script, which displays version numbers for all BIG/ip Controllers known to the 3DNS Controller, as well as the version numbers of the big3d agent and named utility running on each BIG/ip Controller.
Edit big3d matrix
The Edit big3d matrix command opens for editing a file that lists version numbers for all BIG/ip Controllers known to the 3DNS Controller and the version numbers of the big3d agent and named utility running on each BIG/ip Controller.
You do not need to edit this file unless a new BIG/ip kernel or named version creates a conflict. If this happens, you need to place a new version of the big3d agent on all BIG/ip Controllers.
The Install and Start big3d command uses the matrix file to determine which version of the big3d agent to transfer.
Install and Start big3d
The Install and Start big3d command runs the big3d_install script, which installs and starts the appropriate version of the big3d agent on each BIG/ip Controller in the network.
Check big3d
The Check big3d command runs the big3d_check script, which verifies that each BIG/ip Controller is running the big3d agent.
Restart big3d
The Restart big3d command runs the big3d_restart script, which stops and restarts the big3d agent on each BIG/ip Controller.
Managing synchronized files
You can use the following commands to copy metrics data to a new 3DNS Controller, archive synchronized files, or retrieve an archive.
Synchronize Metrics Data
The Synchronize Metrics Data command runs the 3dns_sync_metrics script, which prompts you to either copy metrics data from the local 3DNS Controller to other 3DNS Controllers, or from a remote 3DNS Controller to the local 3DNS Controller.
You should only use this command when you are configuring a new 3DNS Controller.
Checkpoint synced files
The Checkpoint synced files command runs the syncd_checkpoint script, which creates a checkpoint file. A checkpoint file is a compressed tar file that contains an archive of the files that are synchronized.
For more information, see syncd_checkpoint, on page B-38.
Rollback checkpoint
The Rollback checkpoint command runs the syncd_rollback script, which unrolls a checkpoint file.
For more information, see syncd_rollback, on page B-39.
Working with security issues
You can use the following menu commands to address security issues for your network setup:
- Generate RSA Authentication
- Generate and Copy Encryption iQuery Key
Generate RSA Authentication
The Generate RSA Authentication command runs the 3dns_auth script, which sets up RSA authentication by setting the RSA Authentication parameter to yes in /etc/sshd_config.conf and copying the ssh key to each 3DNS Controller and BIG/ip Controller. When prompted for an RSA passphrase, press the Enter key instead of typing a password.
For more information, see 3dns_auth, on page B-31.
Generate and Copy Encryption iQuery Key
The Generate and Copy Encryption iQuery Key command runs the install_key script, which then runs the F5makekey script. F5makekey generates a seed key for encrypting communications between the 3DNS Controller and BIG/ip Controller.
For more information, see install_key and F5makekey, on page B-37.
Note: This command is not available in the international version of 3DNS Controller.
Using the 3DNS web server
You can use the following commands to configure the 3DNS web server.
Reconfigure 3DNS Web Administration
The Reconfigure 3DNS Web Administration command runs the 3dns_web_config script, which lets you make configuration changes to the 3DNS web server.
Restart 3DNS Administration
The Restart 3DNS Administration command runs the 3dns_admin_start script, which restarts the 3DNS web server.
Change/Add Users for 3DNS Web Administration
The Change/Add Users for 3DNS Web Administration command runs the 3dns_web_passwd script, which lets you provide restricted or administrative access to the 3DNS web server for selected users only, and assigns passwords for those users. Users with restricted access have access to the statistics area only. Users with administrative access have access to all areas of the 3DNS web server. If you do not use this script, no user has access to the 3DNS web server.
Note: The 3dns_web_passwd script is run by the First-Time Boot utility.
Working with syncd
You can use the following commands to work with syncd, the synchronization daemon that runs on all 3DNS Controllers. The function of syncd is to update and synchronize all 3DNS Controller configuration files.
Stop syncd
The Stop syncd command runs the syncd_stop script, which stops the syncd daemon, if it is running.
Restart syncd
The Restart syncd command runs the syncd_start script, which restarts the syncd daemon if it is already running, or starts it if it is not.
Controlling network traffic patterns with production rules
Production rules are a policy-based management tool that you can use to dynamically change how the 3DNS Controller distributes connections across the network. You can also use production rules to send system administrators notifications of specific events. Production rules are based on triggers, such as time of day, current traffic patterns, or current traffic volume. For example, you can configure a production rule that changes the load balancing mode to QOS during your peak business hours, and you can configure a production rule that notifies you when the number of name resolution requests exceeds a specific number.
You can create production rules that apply to the system in general, or you can create production rules for specific wide IPs.
If you want to configure basic production rules, we recommend that you use the F5 Configuration utility. If you want to create custom production rules, you should review the following section, Working with the production rules scripting language , on page 7-15, which describes the scripting language you use to configure production rules manually. You may also want to contact a technical support engineer for additional assistance with complex configurations.
Setting up production rules in the F5 Configuration utility
The F5 Configuration utility uses a wizard-style format to help you set up production rules. The screen prompts that you see during the configuration process vary, depending on the items you select in each screen. However, to configure any production rule, you essentially perform three basic steps:
- Define the type of rule
There are two types of rules: global production rules and wide IP production rules.
- Define the rule trigger
There are two types of rule triggers: a set time or time interval, and specific system events.
- Define the action taken
There are two basic types of rule actions: sending user-definable messages to log files or email accounts, and changing specific load balancing settings.
The following sections discuss each production rule option in detail, and should provide you all of the information you need to complete the production rule wizard.
Viewing, adding, and deleting production rules
When you click Production Rules in the Configuration utility, the Production Rules wizard screen opens. The screen displays the list of existing global and wide IP production rules. You can add a new rule by clicking the Add Production Rule toolbar button, which actually starts the production rule wizard. The wizard prompts you to specify the various production rule options, and then allows you to review your selections before you save the production rule to the configuration.
Note that you can modify existing production rules by clicking the rule name in the list, and you can delete a production rule at any time by clicking the trash can icon next to the rule name.
Choosing the rule type
The first step in the production rule wizard is to choose whether the production rule is a global production rule or a wide IP production rule.
- Global production rules
Global production rules send messages to log files or to specific email accounts, based on a set time interval or on standard events. The standard events are listed and described in the following section.
- Wide IP production rules
Wide IP production rules are based either on the time of day, or on standard events. Wide IP production rules can change the current load balancing modes for the preferred, alternate, or fallback methods, they can reconfigure ratio settings for individual virtual servers, and they can reconfigure the coefficients for Quality of Service mode. Wide IP production rules can also send messages to log files or email accounts.
After you choose a rule type, the wizard prompts you to name the rule and allows you to add a brief description of the rule.
Defining time-based triggers
The next step in the wizard prompts you to choose a trigger for the production rule. There are two basic types of triggers that you can set up: time-based triggers and event-based triggers. This section describes the options for the time-based triggers, and the following section describes options for the event-based triggers. Once you review the information for the type of trigger you want to set up, you can skip to the section about choosing an action on page 7-14.
Time-based triggers include two types. Global production rules trigger on set time intervals, while wide IP production rules trigger at specific times on specific days. To set a time interval for a global production rule, you simply define the number of seconds that elapse between each action the production rule executes.
A wide IP production rule can trigger at a specific time of day, on a specific day of the week, on a specific date, or at a specific time on a specific date. The following procedures explain how to set up each type of time trigger for wide IP production rules.
To apply a time of day variable
- From the Time Variable table, select Time.
- From the Start Time, Hour box, select the hour you want the production rule action to begin.
- From the Start Time, Minutes box, select the minute you want the production rule action to begin.
- From the Stop Time, Hour box, select the hour you want the production rule action to stop.
- From the Stop Time, Minutes box, select the minute you want the production rule action to stop.
Once you define the time of day that triggers the production rule, you continue with the wizard and begin to define the production rule action.
To apply a day of the week variable
- From the Time Variable table, select Day. A table appears from which you select the day to start and stop the action.
- From the Start Day box, select the day you want the production rule action to begin.
- From the Stop Day box, select the day you want the production rule action to stop.
Once you define the day of the week that triggers the production rule, you continue with the wizard and begin to define the production rule action.
To apply a date variable
- From the Time Variable table, select Date. A table opens from which you select the date to start and stop the action.
- From the Start Date box, type the date you want the production rule action to begin (mm/dd/yyyy).
- From the Stop Date box, type the date you want the production rule action to stop (mm/dd/yyyy).
Once you define the date that triggers the production rule, you continue with the wizard and begin to define the production rule action.
To apply a combined date and time variable
- From the Time Variable table, select Date/Time. Two tables open where you select the start and stop dates and times.
- From the Start Date box, type the date you want the production rule action to begin (mm/dd/yyyy).
- From the Stop Date box, type the date you want the production rule action to stop (mm/dd/yyyy).
- From the Start Time, Hour box, select the hour you want the production rule action to begin.
- From the Start Time, Minutes box, select the minute you want the production rule action to begin.
- From the Stop Time, Hour box, select the hour you want the production rule action to stop.
- From the Stop Time, Minutes box, select the minute you want the production rule action to stop.
Once you define the date and time that triggers the production rule, you continue with the wizard and begin to define the production rule action.
Defining event-based triggers
Both global production rules and wide IP production rules can trigger on standard events, such as when a name resolution process begins. Wide IP production rules support two additional types of event-based triggers. You can set a wide IP production rule to trigger when a specific local DNS server makes a name resolution request, or to trigger when a user-specified number of name resolution requests are received by the 3DNS Controller.
The list of standard events that can trigger both global and wide IP production rules includes the following:
- ResolveNameBegin
The production rule takes action each time the 3DNS Controller receives a new resolution request.
- ResolveNameEnd
The production rule takes action each time the 3DNS Controller completes a name resolution.
- FallbackToStatic
The production rule takes action each time the fallback load balancing method is used in a wide IP.
- SIGINT
The production rule takes action each time the 3DNS Controller receives a SIGINT signal.
- SIGHUP
The production rule takes action each time the 3DNS Controller receives a SIGHUP signal.
- ReapPaths
The production rule takes action each time the 3DNS Controller reaps obsolete path information.
- CRC_Failure
The production rule takes action each time iQuery communications on the 3DNS Controller experience a CRC failure.
- DownServer
The production rule takes action each time the 3DNS Controller detects that another 3DNS Controller, BIG/ip Controller, or host server becomes unavailable.
- DownVS
The production rule takes action each time the 3DNS Controller detects that a virtual server becomes unavailable.
- DoneInit
The production rule takes action after the wideip.conf file is read on startup (a one-time event).
- DoneConfigFile
The production rule takes action each time the 3DNS Controller configuration is re-read (when an ndc reload command is issued, for example).
Choosing the action
After you specify the production rule trigger, the wizard prompts you to choose the action that the production rule takes. Note that the actions that a production rule can take depend in part on whether the production rule is a global rule or a wide IP rule. For example, both global production rules and wide IP production rules can send user-defined messages to log files, or to specific email accounts, but only wide IP production rules can alter load balancing modes.
- Sending user-defined messages
Both global and wide IP production rules can send user-defined messages to the syslog file, or to a specific email account.
- Changing the load balancing mode settings
Wide IP production rules can change load balancing mode settings for the wide IP. You can change the preferred, alternate, and fallback methods, and you can change QOS coefficient settings.
- Changing virtual server ratios
You can change virtual server ratios to alter the distribution load when the load balancing mode is set to Ratio.
- Specifying a virtual server to return
You can specify that the 3DNS Controller return a specific virtual server, rather than choosing a virtual server using load balancing.
Once you specify an action, the production rules wizard prompts you to review all of the production rule settings, and then saves the production rule to the configuration.
Working with the production rules scripting language
The production rules scripting language uses constructs and statements that are similar in syntax to Perl script and the C programming language. If you have a good working knowledge of Perl or C, you may want to create your own custom production rules using the guidelines in this section in conjunction with the examples provided both here and in the sample wideip.conf file (installed on the 3DNS Controller and also available in Appendix A).
If you need to add custom production rules to your configuration, but you do not want to work out the implementation yourself, you can contact a professional services representative for assistance.
Inserting production rules in the wideip.conf file
Production rules are part of the wideip.conf file, and you can either insert them directly in the file, or you can store them in a separate file and include them by reference. If you want to use the Configuration utility to manage the 3DNS Controller configuration, you must store manually configured production rules in a separate file and include them by reference. If you attempt to use custom production rules in a file that you edit using the F5 Configuration utility, the production rule syntax may become corrupt.
If you include custom production rules directly in the wideip.conf file, you must manually edit and maintain the wideip.conf file; you cannot use the F5 Configuration utility for configuration administration.
Execution and management of production rules
The 3dscript utility manages and executes production rules according to the following guidelines:
- 3dscript supports conditional execution of production rules using the if statement. You can use if statements for wide IP production rules, and in global production rules only if they are embedded within a when or an every statement.
- 3dscript supports event-driven execution of production rules using the when statement. You can use the when statement only in global production rules.
- 3dscript supports periodic execution of production rules using the every statement. You can use the every statement only in global production rules.
- Each production rule is uniquely identified by a label.
- Each production rule can be deleted using its label.
- All production rules at the global scope can be deleted.
- All production rules at the wideip-pool scope can be deleted.
- Each production rule can be replaced.
- Each production rule can be annotated with a character string.
The if statement
The if statement is a standard statement which defines an event condition that triggers a production rule action. Typically you use if statements in wide IP production rules. An if statement must adhere to the following guidelines:
- The if statement can be specified in the scope of a wide IP pool statement.
- The if statement can be nested in another if statement.
- Multiple if statements can be specified in the same scope.
- Nesting if statements is unlimited except by the memory capacity of the 3DNS Controller.
- The first form of an if statement:
if(conditional-expression) { <action> ... }
- The second form of an if statement:
if(conditional-expression) { <action> ... } else { <action> ... }
- The conditional-expression is composed of one of:
- A primitive-expression
- A primitive-expression followed by a relational-operator followed by a primitive-expression
- A primitive-expression followed by an arithmetic-operator followed by a primitive-expression
- Two conditional-expressions joined by a logical-operator
- The primitive-expression can be one of:
- A keyword which is evaluated when the conditional expression is evaluated
- An intrinsic function which is evaluated when the conditional expression is evaluated
- A literal value enclosed in double quotes (for example, "10:00")
- A conditional-expression enclosed in parenthesis
- A unary-operator followed by a conditional-expression enclosed in parenthesis
- A logical-operator is one of:
- || (logical OR)
- && (logical AND)
- A relational-operator is one of:
- == (equality)
- != (not equal)
- > (greater than)
- >= (greater than or equal to)
- < (less than)
- <= (less than or equal to)
- An arithmetic-operator is one of:
- mod (modulus)
- A unary operator is one of:
- ! (unary negation)
- - (unary minus)
- A keyword is one of:
- day
- time
- date
- datetime
- ldns_ip
- wip_ip
- wip_name
- wip_num_resolves
- preferred
- alternate
- fallback
- rtt
- completion_rate
- hops
- packet_rate
- topology
- An intrinsic function is one of:
- isLdnsInNet(ip, mask)
- isLdnsInAS(ip, mask)
- The precedence of logical, relational, and unary operators is the same as in ANSI C.
The when statement
The when statement is a standard statement which defines a specific event condition that triggers a production rule action. A when statement can be used only in global production rules, and it must adhere to the following guidelines:
- The when statement can be specified at the top scope of wideip.conf, after the wideip definition(s) and before the topology statement.
- Multiple when statements can be specified in the same scope.
- Nesting of when statements is not allowed.
- The form of a when statement:
when(event) { <action> ... }
- An event can be one of the following (see page 7-13 for detailed descriptions of each event):
- ResolveNameBegin
- ResolveNameEnd
- FallbackToStatic
- SIGINT
- SIGHUP
- SIGUSR1
- SIGUSR2
- SIGCHLD
- ReapPaths
- ReapLdns
- CRC_Failure
- DownServer
- DownVS
- DoneInit
- DoneConfigFile
The every statement
The every statement is a standard statement which defines a time interval at which the production rule action triggers, such as every 60 seconds. An every statement can be used only for a global production rule, and it must adhere to the following guidelines:
- The every statement can be specified at the top scope of wideip.conf, after the wideip definition(s) and before the topology statement.
- Multiple every statements can be specified in the same scope.
- Nesting of every statements is not allowed.
- The form of the every statement:
every(<seconds>) { <action> ... }
Production rule actions
The production rules language supports the following actions. Not all actions apply to all production rule types. For example, the actions that change load balancing settings are valid only for wide IP production rules. Actions such as defining a log string can be used in either global production rules or wide IP production rules. Each action below specifies which production rule types can use it.
- preferred <lbmode>
This action changes the preferred load balancing method in a wide IP. You can use this action only in a wide IP production rule.
- alternate <lbmode>
This action changes the alternate load balancing method in a wide IP. You can use this action only in a wide IP production rule.
- fallback <lbmode>
This action changes the fallback load balancing method in a wide IP. You can use this action only in a wide IP production rule.
- log(<string>)
This action sends the specified string to the syslog utility, which writes the string to the syslog file. You can use this action in either a wide IP production rule or a global production rule.
- log2mail(<string>)
This action sends the specified string to the Sendmail utility, which creates a mail message and forwards it to the administrative email account specified for Sendmail (see log2mail on page B-13 for details about log2mail syntax). You can use this action in either a wide IP production rule or a global production rule.
- vs(<ip>:<port>).ratio <n>
This action changes the ratio setting for a specific virtual server in a wide IP pool. You can use this action only in a wide IP production rule.
- return_vs(<ip:port>)
This action skips the load balancing process and instead returns the specified virtual server to the requesting client. You can use this action only in a wide IP production rule.
Production rule examples
The following examples offer a variety of custom production rules that you may want to implement or expand on for your own network. Other production rule examples are included in the sample wideip.conf file installed on the 3DNS Controller (and available in Appendix A).
Load balancing according to time of day
You can set up production rules ahead of time to deal with future needs and client demands for events. For example, say your company has a software distribution scheduled for release next Tuesday at 5:00 p.m. Pacific Standard Time. The new software will be available for download from the FTP sites at that time, and you expect that during the first week, traffic will be 10 times normal, with frequent bursts during standard work hours, 7 a.m. to 6 p.m. However, the client base spans four time zones with an FTP server farm on the east coast in New York (192.168.101.50), and another on the west coast in Los Angeles (192.168.102.50). The 3DNS Controller is located on the east coast and runs on Eastern Standard Time. You are willing to accept some network latency in return for guaranteed connections.
Figure 7.2 shows a sample production rule that handles the connections according to anticipated load at specific times of the day.
wideip {
    address 192.168.101.50:21
    name "ftp.domain.com"
    pool {
        preferred ratio
        address 192.168.101.50 ratio 2
        address 192.168.102.50 ratio 1
        rule "ftp_balance"
        // Night time (21:00 to 07:00): least connections.
        // The window crosses midnight, so the two tests are joined with ||.
        if(time > "21:00" || time < "07:00") {
            preferred leastconn
        }
        else {
            preferred ratio
            // East Coast
            rule "east" if(time < "10:00") {
                vs.(192.168.101.50).ratio 3
                vs.(192.168.102.50).ratio 1
            }
            // Both coasts are at peak demand
            else {
                rule "both" if(time < "18:00") {
                    vs.(192.168.101.50).ratio 1
                    vs.(192.168.102.50).ratio 1
                }
                // West Coast
                else {
                    vs.(192.168.101.50).ratio 1
                    vs.(192.168.102.50).ratio 3
                }
            }
        }
    }
}
Figure 7.2 Load balancing by time of day
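As an added example (not code from the 3DNS manual), the following Python models what the ftp_balance rule selects at a given time of day, using the same lexical comparison of "HH:MM" strings that the rule applies to the time keyword. The address constants come from the example; the assumption that ratios the rule does not set keep the pool's configured values is mine. It also shows why a window that crosses midnight must join its two tests with || rather than &&.

```python
# Added example, not from the 3DNS manual: a model of the ftp_balance rule
# that chooses the preferred mode and virtual server ratios for a given
# time of day. Times are "HH:MM" strings compared lexically, which is how
# the rule compares the `time` keyword against quoted literals.

EAST = "192.168.101.50"   # New York FTP farm (from the example)
WEST = "192.168.102.50"   # Los Angeles FTP farm (from the example)

# Assumption: ratios the rule does not set keep the pool's configured values.
POOL_RATIOS = {EAST: 2, WEST: 1}


def is_night(now):
    """21:00 to 07:00 Eastern. The window crosses midnight, so the two
    tests must be joined with ||; with && no time could satisfy both."""
    return now > "21:00" or now < "07:00"


def night_test_with_and(now):
    """The same window written with &&: never true for any time."""
    return now > "21:00" and now < "07:00"


def evaluate_ftp_balance(now):
    """Return (preferred mode, {virtual server: ratio}) for time `now`."""
    if is_night(now):
        return "leastconn", dict(POOL_RATIOS)
    if now < "10:00":          # East Coast business hours only
        return "ratio", {EAST: 3, WEST: 1}
    if now < "18:00":          # both coasts at peak demand
        return "ratio", {EAST: 1, WEST: 1}
    return "ratio", {EAST: 1, WEST: 3}   # West Coast still at work


def schedule(step_minutes=60):
    """Walk a full day and list each point where the settings change."""
    rows = []
    for minutes in range(0, 24 * 60, step_minutes):
        now = f"{minutes // 60:02d}:{minutes % 60:02d}"
        mode, ratios = evaluate_ftp_balance(now)
        if not rows or rows[-1][1:] != (mode, ratios):
            rows.append((now, mode, ratios))
    return rows


if __name__ == "__main__":
    for start, mode, ratios in schedule():
        print(f"from {start}: preferred {mode}, ratios {ratios}")
    # The && form of the night test matches no hour of the day.
    assert not any(night_test_with_and(f"{h:02d}:00") for h in range(24))
```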
Load balancing according to LDNS
One interesting application of production rules is when you create a rule that triggers based on a specific local DNS server making a name resolution request. The following example is based on a web site published in three languages: English, Spanish, and Japanese. Suppose that the addresses in the network 10.10.0.0 are allocated to Japanese speakers, and the addresses in the network 10.11.0.0 are allocated to Spanish speakers. The production rule shown in Figure 7.3 uses the address of the requesting LDNS to determine which virtual server should receive the connection.
wideip {
    address 192.168.101.50:80
    name "www.domain.com"
    pool {
        rule "Japanese" if(isLdnsInNet(10.10.0.0, 255.255.0.0)) {
            return_vs(192.168.103.50:80)
        }
        else {
            rule "Spanish" if(isLdnsInNet(10.11.0.0, 255.255.0.0)) {
                return_vs(192.168.102.50:80)
            }
            else { // assume English
                return_vs(192.168.101.50:80)
            }
        }
        address 192.168.101.50 // English
        address 192.168.102.50 // Spanish
        address 192.168.103.50 // Japanese
    }
}
Figure 7.3 Load balancing by IP address of local DNS
Hacker detection
Another interesting example of triggering a production rule based on the requesting local DNS server is to take evasive action against known hackers attempting to access your system. The production rule shown in Figure 7.4 sends the hacker to a special server, rather than flat out rejecting the connection. As an alternative, you could change the rule to return a non-routable or non-existent address.
when(ResolveNameBegin) {
  rule "roach_motel" if(isLdnsInNet(10.20.30.4, 255.255.255.0)) {
    // Send this guy to our "roach motel" for hackers.
    // This address doesn't need to be listed in any wideip pool.
    // It's reserved for us to watch hackers under the microscope.
    log2mail("Hacker $ldns_ip came back")
    return_vs(192.168.1.46:80)
  }
}
Figure 7.4 Sending a hacker to a specific server
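To check what the LDNS-based rules in Figures 7.3 and 7.4 actually decide for a given requesting address, the following Python model is added here; it is not code from the 3DNS Controller. It models isLdnsInNet(), return_vs() and log2mail() with plain Python, reuses the addresses from the two figures, and assumes that the when(ResolveNameBegin) block is evaluated before the wide IP pool rules, so a return_vs() there ends the decision. One thing it makes visible is that a mask-based test ignores host bits: isLdnsInNet(10.20.30.4, 255.255.255.0) matches every LDNS in 10.20.30.0/24, not only 10.20.30.4.

```python
"""Evaluate the LDNS-based production rules of Figures 7.3 and 7.4 offline.

Added example, not code from the 3DNS Controller: it models isLdnsInNet(),
return_vs() and log2mail() in Python so you can check which virtual server a
given LDNS address would be handed. The addresses are the ones used in the
figures. Ordering assumption: the when(ResolveNameBegin) block runs before the
wide IP pool rules, so a return_vs() there ends the decision.
"""
import ipaddress
from typing import List, Optional


def is_ldns_in_net(ldns_ip: str, network: str, mask: str) -> bool:
    """Model of isLdnsInNet(network, mask).

    strict=False applies the mask to the network argument, so host bits are
    ignored: isLdnsInNet(10.20.30.4, 255.255.255.0) covers all 256 addresses
    of 10.20.30.0/24, not only the single host 10.20.30.4.
    """
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    return ipaddress.ip_address(ldns_ip) in net


def resolve_name_begin(ldns_ip: str, mail_log: List[str]) -> Optional[str]:
    """Figure 7.4: rule "roach_motel" inside when(ResolveNameBegin)."""
    if is_ldns_in_net(ldns_ip, "10.20.30.4", "255.255.255.0"):
        mail_log.append(f"Hacker {ldns_ip} came back")  # log2mail(...)
        return "192.168.1.46:80"                         # return_vs(...)
    return None  # no rule fired; continue with normal pool selection


def language_pool(ldns_ip: str) -> str:
    """Figure 7.3: the rule/else chain in the www.domain.com pool."""
    if is_ldns_in_net(ldns_ip, "10.10.0.0", "255.255.0.0"):   # rule "Japanese"
        return "192.168.103.50:80"
    if is_ldns_in_net(ldns_ip, "10.11.0.0", "255.255.0.0"):   # rule "Spanish"
        return "192.168.102.50:80"
    return "192.168.101.50:80"                                # assume English


def select_vs(ldns_ip: str, mail_log: Optional[List[str]] = None) -> str:
    """Virtual server handed to the requesting LDNS; log2mail text goes to mail_log."""
    if mail_log is None:
        mail_log = []
    diverted = resolve_name_begin(ldns_ip, mail_log)
    return diverted if diverted is not None else language_pool(ldns_ip)


if __name__ == "__main__":
    log: List[str] = []
    # Constructed sample LDNS addresses, one per branch of the rules.
    for ldns in ("10.10.5.9", "10.11.200.1", "192.0.2.10",
                 "10.20.30.4", "10.20.30.77"):
        print(f"{ldns:>13} -> {select_vs(ldns, log)}")
    print("log2mail:", log)
```

Running the script prints one line per sample LDNS; the last two samples both land on the roach motel because the /24 mask, not the single address, decides the match.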
A related example, shown in Figure 7.5, illustrates a production rule that deals with attacks against iQuery communications. The production rule would warn you if the 3DNS Controller detected a hack attempt against the iQuery protocol, based on a communication failure.
Rule "iQuery_hacked" when(CRC_Failure) {
  log2mail("Got CRC Failure")
}
Figure 7.5 Detecting an iQuery failure due to potential attack
Setting up the 3DNS SNMP agent
This section describes the management and configuration tasks for the simple network management protocol (SNMP) agent and management information bases (MIBs) available with the 3DNS Controller.
Warning: You must configure the SNMP agent on the 3DNS Controller in order to monitor the 3DNS Controller using the F5 Networks see/IT Network Manager.
The 3DNS SNMP agent and MIBs allow you to manage the 3DNS Controller by configuring traps for the SNMP agent or polling the controller with your standard network management station (NMS).
You can configure the 3DNS SNMP agent to send traps to your management system with the F5 Configuration utility. You can also customize the trap and agent setup by editing several configuration files.
Security options are available that let you securely manage information collected by the 3DNS SNMP agent, including:
- Community names
- TCP wrappers
- View access control mechanism (VACM)
Downloading the MIBs
The 3DNS Controller includes a private 3DNS SNMP MIB. This MIB is specifically designed for use with the 3DNS Controller. You can configure the SNMP settings in the F5 Configuration utility, or on the command line.
SNMP management software requires that you use the MIB files associated with the device. You may obtain two MIB files from the 3DNS directory /usr/contrib/f5/mibs, or you can download the files from the Additional Software Downloads section of the F5 Configuration utility home page.
- 3dns.my
This is a vendor MIB that contains specific information for properties associated with specific F5 functionality, such as load balancing.
- rfc1611.my
This is a DNS server MIB (RFC 1611) that provides standard management information.
For information about the objects defined in 3dns.my, refer to the descriptions in the object identifier (OID) section of the MIB file. For information about the objects defined in rfc1611.my, refer to RFC 1611.
Understanding configuration file requirements
You need to make changes to several configuration files on the 3DNS Controller before you use the SNMP agent. Once you change these configuration files, you need to restart the SNMP agent.
/etc/hosts.deny
This file must be present to deny by default all UDP connections to the SNMP agent. The contents of this file are as follows:
ALL : ALL
/etc/hosts.allow
The /etc/hosts.allow file specifies the hosts that are allowed to access the SNMP agent. You can configure access in the /etc/hosts.allow file in one of two ways: either type an IP address, or a list of IP addresses, that are allowed to access the SNMP agent, or type a network address and mask to allow a range of addresses in a subnetwork to access the SNMP agent.
For a specific list of addresses, type in the list of addresses you want to allow to access the SNMP agent. Addresses in the list must be separated by blank space or by commas. The basic syntax is as follows:
daemon: <IP address> <IP address> <IP address>
For example, by typing the following line, the SNMP agent accepts connections from the specified IP addresses:
snmpd: 128.95.46.5 128.95.46.6 128.95.46.7
For a range of addresses, the basic syntax is as follows, where daemon is the name of the daemon, and NETWORKADDRESS/MASK specifies the network that is allowed access:
daemon: NETWORKADDRESS/MASK
For example, the following line allows the snmpd daemon to accept connections from the 128.95.46.0/255.255.255.0 network:
snmpd: 128.95.46.0/255.255.255.0
The example above allows the 256 possible hosts from the network address 128.95.46.0 to access the SNMP daemon. Additionally, you may use the keyword ALL to allow access for all hosts or all daemons.
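Before editing /etc/hosts.allow and /etc/hosts.deny on a controller, it helps to be able to ask "would this management station be admitted to snmpd?" offline. The following evaluator is an added example, not part of the 3DNS software: it implements only the TCP wrappers forms this section describes (a daemon name, an address list separated by blanks or commas, NETWORK/MASK ranges and the ALL keyword) and applies the tcpd decision order, where a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. Host-name patterns, EXCEPT lists and shell commands are deliberately left out, and the two files it evaluates are constructed samples.

```python
"""Check which management stations may reach snmpd under TCP wrappers.

Added example, not part of the 3DNS software: an evaluator for the
hosts.allow / hosts.deny forms described in this section (a daemon name, an
address list separated by blanks or commas, NETWORK/MASK ranges and the ALL
keyword). It applies the tcpd decision order: a (daemon, client) pair that
matches hosts.allow is accepted; otherwise a match in hosts.deny is refused;
otherwise access is granted. Host-name patterns, EXCEPT lists and shell
commands are deliberately not modelled. The two files below are constructed.
"""
import ipaddress
import re
from typing import List, Tuple

HOSTS_ALLOW = """
# management stations allowed to poll the SNMP agent (constructed sample)
snmpd: 128.95.46.5 128.95.46.6, 128.95.46.7
snmpd: 10.0.0.0/255.255.0.0
"""
# The default-deny file shown in the text.
HOSTS_DENY = "ALL : ALL\n"

Rule = Tuple[List[str], List[str]]


def _split_list(field: str) -> List[str]:
    """List members are separated by blank space or by commas."""
    return [tok for tok in re.split(r"[\s,]+", field.strip()) if tok]


def parse_rules(text: str) -> List[Rule]:
    """Return (daemon_list, client_list) pairs, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((_split_list(daemons), _split_list(clients)))
    return rules


def client_matches(pattern: str, client_ip: str) -> bool:
    """ALL, one address, or NETWORK/MASK with a dotted-quad mask."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def rules_match(rules: List[Rule], daemon: str, client_ip: str) -> bool:
    """True if any rule names this daemon (or ALL) and matches the client."""
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(client_matches(p, client_ip) for p in clients)
        for daemons, clients in rules
    )


def is_allowed(daemon: str, client_ip: str,
               allow_text: str = HOSTS_ALLOW, deny_text: str = HOSTS_DENY) -> bool:
    """tcpd order: hosts.allow first, then hosts.deny, then allow by default."""
    if rules_match(parse_rules(allow_text), daemon, client_ip):
        return True
    if rules_match(parse_rules(deny_text), daemon, client_ip):
        return False
    return True


if __name__ == "__main__":
    for ip in ("128.95.46.5", "128.95.46.7", "128.95.46.8", "10.0.42.9", "192.0.2.1"):
        verdict = "allowed" if is_allowed("snmpd", ip) else "denied"
        print(f"snmpd request from {ip:<13}: {verdict}")
```

The last step of is_allowed() is the one to keep in mind: if hosts.deny is missing or does not contain ALL : ALL, any station that is not listed in hosts.allow is still admitted, which is why the text requires the default-deny file to be present.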
/usr/contrib/isode/etc/snmpd.rc
The /usr/contrib/isode/etc/snmpd.rc file controls most aspects of the SNMP agent. This file is used to set up and configure certain traps, passwords, and general SNMP variable names. A few of the necessary variables are listed below:
- System Contact Name
The System Contact is a MIB-II simple string variable defined by almost all SNMP boxes. It usually contains a user name, as well as an email address. This is set by the syscontact variable line.
- Machine Location (string)
The Machine Location is a MIB-II variable that almost all boxes support. It is a simple string that defines the location of the box. This is set by the syslocation variable line.
- Community String
The community string is a clear text password used for basic SNMP security. It also maps to VACM groups, but for initial read-only access it is limited to only one group.
- Trap Configuration
Trap configuration is controlled by trap entries in the /usr/contrib/isode/etc/snmpd.rc file. Each line defines the three parameters for a trap:
trap <community> <trap sink> [trap port]
The <community> parameter specifies the password, the <trap sink> parameter specifies the IP address to which the trap is sent, and the [trap port] specifies the port on which the trap is received.
- System IP Setting
You must set the system IP address using the sysip command; if this setting is not present, the checktrap.pl script will fail to send all 3DNS-specific traps. Use the following syntax to set the system IP address:
sysip <3DNS IP address>
/etc/rc.local
The following entry in the /etc/rc.local file sets the SNMP agent to start automatically when you boot the 3DNS Controller (Figure 7.6).
# 3DNS SNMP Agent
if [ -f /usr/contrib/isode/etc/snmpd.rc ]; then
  /sbin/snmpd -c /usr/contrib/isode/etc/snmpd.rc
fi
Figure 7.6 Starting the SNMP agent in the /etc/rc.local file.
If the /usr/contrib/isode/etc/snmpd.rc file is present on your system, the SNMP agent starts automatically.
Syslog
You must configure syslog to send syslog lines to checktrap.pl. If the syslog lines match the specified regular expression in the snmptrap.conf file, the checktrap.pl script generates a valid SNMP trap. The following line in the /etc/syslog.conf file causes the syslog utility to send the specified log output to the checktrap.pl script. The checktrap.pl script then compares the logged information against the snmptrap.conf file to determine if a trap should be generated:
local2.* | exec /sbin/checktrap.pl
Configuring the 3DNS SNMP agent settings
You can use the F5 Configuration utility to configure the following aspects of the 3DNS SNMP agent:
- Client access
You can define a network address and netmask for a workstation from which SNMP requests are acceptable.
- System information
You can name a system contact, a machine location, and a community string.
- Trap configuration
You can enter a trap sink and a trap community.
To set SNMP properties in the F5 Configuration utility
The F5 Configuration utility provides sample SNMP settings for your reference. If you want to use the 3DNS SNMP MIB, you need to replace these sample settings with settings appropriate to your environment and your specific SNMP management software.
- Click SNMP in the navigation pane.
The SNMP Configuration screen opens.
- In the 3DNS SNMP Configuration screen, check Enabled to allow access to the 3DNS SNMP agent.
- In the Allow Address box, type the address, or addresses, of the management system from which the agent can accept requests. The addresses can be IP addresses, or network addresses. This setting restricts access to management information to a specific computer or computers running a management system. If you type in a list of addresses, type a comma after the last address.
- In the Allow Netmask box, type the netmask for a range of IP addresses for machines from which the agent can accept requests.
Note that if you typed a list of IP addresses in the Allow Address box, or if you typed a network address in the Allow Address box, you should leave the Allow Netmask box blank.
- In the System Contact box, type the contact name and email address for the person who should be contacted if the 3DNS Controller generates a trap.
- In the Machine Location box, enter a machine location, such as First Floor, or Building 1, that describes the physical location of the 3DNS Controller.
- In the Community String box, type a community name. The community name is a clear text password used for basic SNMP security and for grouping machines that you manage.
- In the Trap Sink box, type the host that should be notified when a trap is sent by the 3DNS SNMP agent.
- In the Trap Community box, type the community name to which this 3DNS Controller belongs. Traps sent from this box are sent to the management system managing this community.
- Click Update.
Configuring options for the checktrap script
The checktrap.pl script reads a set of lines from standard input. The script checks each line against a set of regular expressions. If a line matches the regular expression, an SNMP trap is sent.
Options for checktrap
snmpd_conf_file=<snmp configuration file>
This is the file that contains the SNMP variables. The checktrap.pl script gets trap configuration information from this file. The default is /usr/contrib/isode/etc/snmpd.rc.
trapd_conf_file=<snmp trap configuration file>
This is the file that contains the regular expression to SNMP trap OID mappings. It also contains a description string that is added to the trap message. The default is /etc/snmptrap.conf.
trap_program=<snmp trap program>
This is the program that sends the trap. This program should be the snmptrap program included with the 3DNS Controller. The default is /sbin/snmptrap.
no_date_strip
This turns off automatic date stripping. Each input line is expected to begin with a date, which is normally stripped off before the trap is sent; with this option the date information is kept in the trap.
usage
Prints a usage string.
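The Syslog paragraph and the option list above describe a pipeline: syslog pipes lines into checktrap.pl, each line is tested against the regular expressions in snmptrap.conf, the leading date is stripped unless no_date_strip is given, and a matching line becomes a call to the trap program. The following Python model of that pipeline is an added example, not the checktrap.pl script itself. Because this chapter does not show the snmptrap.conf layout, it uses a constructed "regex<TAB>trap OID<TAB>description" format with placeholder OIDs under enterprise 99999, and instead of executing /sbin/snmptrap it returns the argument list it would hand to the trap program (a constructed argument layout, not the real snmptrap syntax) so the result can be inspected offline. The syslog lines and the sysip value are constructed samples; the option names are the ones listed above.

```python
"""Emulate the syslog-to-trap step performed by checktrap.pl.

Added example, not the checktrap.pl script itself. The snmptrap.conf layout
is not shown in this chapter, so a constructed "regex<TAB>trap OID<TAB>
description" format is used, with placeholder OIDs under enterprise 99999.
Rather than executing /sbin/snmptrap, make_trap() returns the argument list
it would hand to the trap program (a constructed layout, not the real
snmptrap command syntax). The option names mirror the ones listed above.
"""
import re
from typing import Dict, List, Optional, Tuple

SNMPTRAP_CONF = """
# regex\ttrap OID\tdescription   (constructed sample, placeholder OIDs)
big3d.*not responding\t.1.3.6.1.4.1.99999.1.1\tbig3d agent unreachable
CRC [Ff]ailure\t.1.3.6.1.4.1.99999.1.2\tiQuery CRC failure
"""

# Constructed syslog lines in the date-first form that checktrap expects.
SYSLOG_LINES = [
    "Jun  3 21:04:11 3dns1 3dnsd[412]: big3d at 192.168.101.1 not responding",
    "Jun  3 21:04:30 3dns1 3dnsd[412]: iQuery CRC Failure from 192.168.102.1",
    "Jun  3 21:05:02 3dns1 3dnsd[412]: wideip www.domain.com reloaded",
]

# The leading "Mon dd hh:mm:ss " timestamp that is stripped by default.
DATE_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+")

Entry = Tuple[re.Pattern, str, str]


def parse_options(argv: List[str]) -> Dict[str, object]:
    """Options take the name=value and bare-flag forms listed above."""
    opts: Dict[str, object] = {
        "snmpd_conf_file": "/usr/contrib/isode/etc/snmpd.rc",
        "trapd_conf_file": "/etc/snmptrap.conf",
        "trap_program": "/sbin/snmptrap",
        "no_date_strip": False,
        "usage": False,
    }
    for arg in argv:
        key, _, value = arg.partition("=")
        if key in ("no_date_strip", "usage"):
            opts[key] = True
        elif key in opts:
            opts[key] = value
        else:
            raise ValueError(f"unknown checktrap option: {arg}")
    return opts


def load_trap_conf(text: str) -> List[Entry]:
    """Compile the regex -> (trap OID, description) mappings."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        pattern, oid, description = line.split("\t", 2)
        entries.append((re.compile(pattern), oid, description))
    return entries


def make_trap(line: str, entries: List[Entry], *, trap_program="/sbin/snmptrap",
              trap_sink="192.0.2.10", community="public",
              sysip="192.168.101.10", no_date_strip=False) -> Optional[List[str]]:
    """Return the trap program's argument vector for a matching line, else None."""
    for regex, oid, description in entries:
        if regex.search(line):
            message = line if no_date_strip else DATE_RE.sub("", line, count=1)
            return [trap_program, trap_sink, community, sysip, oid,
                    f"{description}: {message}"]
    return None


def process_stream(lines: List[str], entries: List[Entry], **options) -> List[List[str]]:
    """checktrap reads one syslog line per event from standard input."""
    traps = []
    for line in lines:
        trap = make_trap(line.rstrip("\n"), entries, **options)
        if trap is not None:
            traps.append(trap)
    return traps


if __name__ == "__main__":
    import sys
    opts = parse_options(sys.argv[1:])
    conf = load_trap_conf(SNMPTRAP_CONF)  # a real run would read opts["trapd_conf_file"]
    for argv in process_stream(SYSLOG_LINES, conf,
                               trap_program=opts["trap_program"],
                               no_date_strip=opts["no_date_strip"]):
        print(" ".join(argv))
```

Only the first matching expression produces a trap for a line, and a line that matches nothing is silently dropped, so a regular expression that is too narrow (for example one that expects "Failure" but the log says "failure") means an event never reaches the management station; that is worth checking against real log samples before relying on a trap.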
Changing passwords for the 3DNS Controller
The First-Time Boot utility prompts you to define a password that allows remote access to the 3DNS Controller, and also prompts you to define a password for the 3DNS Web server. You can change these passwords at any time.
To change the root user password for command line access
- At the 3DNS Controller command line prompt, log in as root and use the passwd command.
- At the password prompt, enter the password you want to use for the 3DNS Controller and press Enter.
- To confirm the password, retype it and press Enter.
Changing passwords and adding new user IDs for the 3DNS web server
You can create new users for the 3DNS web server, change a password for an existing user, or recreate the password file altogether, without actually going through the 3DNS web server configuration process.
To add a new user ID using the F5 Configuration utility
- In the navigation pane, click User Admin.
The User Administration screen opens.
- In the User Name box, type the user ID to add.
The user name cannot include any of the following special characters: colon (:), single quote ('), double quote ("), plus sign (+), ampersand (&), pound sign (#), or percent sign (%).
- Type the password that the user will use to access the 3DNS server in the Password box.
- Confirm the password in the Retype Password box.
- In the Access Level box, assign either Read Only or Full Read/Write access.
- Click Add.
The new user ID appears in the Current Users table.
To change or add user information using the 3DNS Maintenance menu
Select the Change/Add Users for 3DNS Web Administration command.
To create new users and change passwords for existing users manually
The following command creates a new user ID, or changes the password for an existing user ID. In place of the <username> parameter, enter the user ID for which you want to create a password:
/var/f5/httpd/bin/htpasswd /var/f5/httpd/basicauth/users <username>
Once you enter the command, you are prompted to enter the new password for the named user.
To create a new password file manually
The following command recreates the 3DNS web server password file, and defines one new user ID and password. In place of the <username> parameter, enter the user ID that you want to create:
/var/f5/httpd/bin/htpasswd -c /var/f5/httpd/basicauth/users <username>
Once you enter the command, you are prompted to enter the new password for the named user.
Viewing system statistics
The 3DNS Controller lets you view current information about BIG/ip Controllers, other host machines, virtual servers, paths, and wide IPs in the configuration.
To view system statistics
- From the F5 Configuration utility, click Statistics.
- From the list, you can choose specific types of statistics, such as system statistics or virtual server metrics.
Viewing summary statistics
From the Statistics list, click Summary to view the following information about the 3DNS Controller system.
Note that you can configure how often to refresh the statistical information in all of the summary tables by changing the value in the Refresh Interval box and clicking Refresh.
- General
- Datacenter
- BIG/ip
- Host
- Virtual servers
- Wide IP
- Local DNS
- Path
Viewing current global values
From the Statistics list, click Globals to view information about the current and default values for each globals sub-statement. The table also indicates whether any changes you make require that you restart named.
Viewing data center statistics
From the Statistics list, click Data Centers to view the following information about the data centers, and the servers they contain, in your network.
Viewing sync group statistics
From the Statistics list, click Sync Groups to view the following information about the sync groups in your network.
Viewing wide IP statistics
From the Statistics list, click Wide IPs to view the following information about each configured wide IP on your network. The F5 Configuration utility generates a separate row for each wide IP.
Viewing 3DNS Controller statistics
From the Statistics list, click 3DNS to view the following information about each 3DNS Controller in your network. The F5 Configuration utility generates a separate row for each 3DNS Controller.
Viewing BIG/ip Controller statistics
From the Statistics list, click BIG/ip to view the following information about each BIG/ip Controller in your network. The F5 Configuration utility generates a separate table for each BIG/ip Controller.
Viewing prober statistics
From the Statistics list, click Probers to view information about each configured prober in your network.
The following lines appear above the table:
- Requests are sent each <number> seconds
Indicates how often path probe requests are sent to the probers.
- Regulate paths increment <number> paths
Indicates the number of additional path probe requests to send to each prober, above the number of probe requests the prober satisfied in the previous interval. This helps ensure that each prober is working at capacity.
Viewing host statistics
From the Statistics list, click Hosts to view the following information about the generic host machines in your network. The F5 Configuration utility generates a separate row for each host. The host's IP address appears in the third column of each row; the rest of the row provides information for that host.
Viewing virtual server statistics
From the Statistics list, click Virtual Servers to view the following information about each configured virtual server on your network. The F5 Configuration utility generates a separate row for each virtual server.
Virtual server statistics
- Refresh Interval
Specifies how often to refresh the statistical information in this table.
- OK
Indicates whether the specified virtual server is taken into consideration for load balancing. A green light indicates that the specified virtual server is up; red indicates that it is down; blue indicates that the virtual server is unknown (new to the 3DNS Controller, which has not yet collected metrics from it); yellow indicates that it is unavailable. See Virtual server decision criteria, on page 7-54.
- TTL
Displays the remaining time to live (TTL) before a virtual server's metrics data needs to be refreshed.
- Type
Indicates whether the specified virtual server is managed by a BIG/ip Controller (VSb) or other host machine (VSh).
- Virtual Address
Displays the IP address of the specified virtual server.
- Virtual Port
Displays the port number of the specified virtual server.
- Ratio
Displays the weighting value for the specified virtual server.
- Connections
Displays the number of current connections to the specified virtual server.
- Conn Limit
Indicates whether the connection limit for this virtual server has been reached. Open indicates that the connection limit has not been reached and Full indicates that it has.
- Nodes Up
Displays the number of nodes currently servicing the specified virtual server.
- Enabled
Indicates whether the specified virtual server is available.
- Picks
Displays the number of times this virtual server was chosen by a wide IP for load balancing.
- Refreshes
Displays the number of times this data was refreshed.
- Total Bytes
Displays the total number of bytes in and out on this port during the current interval.
- Total Packets
Displays the total number of packets in and out on this port during the current interval.
- Last Refresh
Displays the last time the 3DNS Controller received data about the specified virtual server.
Virtual server decision criteria
A virtual server is available to be used in a load balancing decision only if the following conditions are met:
- The BIG/ip Controller or host that manages the virtual server is available.
- The virtual server is enabled.
- The virtual server's connection limit is not exceeded.
- The number of nodes servicing the virtual server is greater than 0.
- The data was refreshed within the specified TTL. The virtual server's TTL is specified on the System - Timers & Task Intervals screen in the F5 Configuration utility, or in the globals sub-statement vs_ttl.
Viewing path statistics
From the Statistics list, click Paths to view the following path information for your network. Paths are dynamically created by the 3DNS Controller for each name resolution request. The F5 Configuration utility generates a separate row for each prober-to-local DNS path. The total number of paths is shown at the bottom of the table.
Viewing local DNS statistics
From the Statistics list, click Local DNS to view the following information about each discovered local DNS on your network. The F5 Configuration utility generates a separate row for each local DNS.
Probing and discovery states
The following table lists and describes the path discovery states, which are relevant for the factories run by big3d agents.