Applies To:
3-DNS Controller versions 1.x - 4.x
- 4.5.14, 4.5.13, 4.5.12, 4.5.11, 4.5.10
Chapter 6, Administration and Monitoring
- Monitoring and administration utilities provided on the 3-DNS Controller
- Managing user accounts
- Managing the SSH Console
- Overview of the Network Map
- Viewing system statistics
- Overview of the Internet Weather Map
- Working with command line utilities
- Configuring Email
- Using a serial terminal with the 3-DNS Controller
- Shutting down the 3-DNS Controller
Monitoring and administration utilities provided on the 3-DNS Controller
The 3-DNS Controller provides several utilities for monitoring and administration. You can perform configuration tasks and monitor system statistics for all components of the 3-DNS Controller with these utilities:
- Configuration utility
The Configuration utility is a browser-based application you can use to configure and monitor the 3-DNS Controller. The Configuration utility supports Netscape® Navigator, version 4.7x, and Microsoft® Internet Explorer, version 5.0, 5.5, or 6.0.
- Setup utility
The Setup utility is a menu-driven command line utility that you can use to configure many of the platform settings for the 3-DNS Controller. You can also use the browser-based version of the Setup utility for the initial configuration of the 3-DNS Controller. If you are using the Setup utility to make changes to your existing configuration, we recommend that you use the command line version of the utility. To access the Setup utility from the command line, type setup.
- 3-DNS Maintenance menu
The 3-DNS Maintenance menu is a command line utility you can use to configure the 3-DNS Controller. Use the 3-DNS Maintenance menu to simplify certain tasks such as updating the big3d agent and configuring ssh access. To access the 3-DNS Maintenance menu from the command line, type 3dnsmaint.
- MindTerm SSH Client
The MindTerm SSH Client is a secure shell tool that lets you run the command line utilities from a web browser, through the Configuration utility.
- Network Map
The Network Map is an interactive screen, in the Configuration utility, where you can view your physical and logical configurations simultaneously.
- Statistics screens
Using the Statistics screens in the Configuration utility, you can view a myriad of performance and metrics details about the 3-DNS Controller, the servers and the virtual servers it manages, and the load balancing it performs.
- 3dpipe utility
Using the 3dpipe utility, you can perform the following tasks, at the command line:
- View lists of configured data centers, servers, virtual servers, wide IPs, and pools
- View the status (enabled or disabled) of configured data centers, servers, virtual servers, wide IPs, and pools
- Enable configured data centers, servers, virtual servers, wide IPs, and pools
- Disable, for a specific time period, configured data centers, servers, virtual servers, wide IPs, and pools
- View summary statistics for the 3-DNS Controller itself
- bigpipe utility
You can use the bigpipe utility to maintain and monitor the platform components of the 3-DNS Controller, including VLANs, interfaces, and self IP addresses. Review Appendix C, bigpipe Command Reference, for a complete explanation of working with the bigpipe utility.
Managing user accounts
When you run the Setup utility for the first time to configure your base network, the 3-DNS Controller automatically creates two special user accounts--root and admin. As an option, you can also specify within the Setup utility that you want the 3-DNS Controller to create a third account, support, which gives F5 Networks support personnel access to your system. For information on using the Setup utility to create the root, admin, and support accounts, see the 3-DNS Administrator Guide, Chapter 3, Using the Setup Utility.
Once the Setup utility has created these accounts, you will most likely want to create additional administrative accounts and assign various system access levels, or user roles, to them, on an ongoing basis.
The remainder of this section addresses the following topics:
- Understanding user roles
- Creating and authorizing local user accounts
- Creating and authorizing remote user accounts
- Managing passwords for local accounts
- Managing system accounts
If you are running the 3-DNS module on a BIG-IP system, you manage user accounts using the BIG-IP Configuration utility. See the BIG-IP Reference Guide for more information.
Understanding user roles
Users who have user roles assigned to them fall into one of two categories: fully-privileged users, or restricted users. The following sections describe these user-role categories.
Fully-privileged users
Fully-privileged users are those who have full access to a 3-DNS Controller for administration purposes. When creating accounts for users to whom you want to grant full privileges, you can choose one of three different roles. The role you choose for a user depends on the type of user interface that the user will use to administer the 3-DNS Controller. Because each role has full access to the 3-DNS Controller, users with these user roles have privileges to change their own roles or other users' roles.
The roles for fully-privileged users are:
- Full Web Read/Write
This access level provides the user with full access to all administrative tasks. Users with this access level can access the 3-DNS Controller through the Configuration utility and iControl, but not through the command line interface.
- CLI + Full Web Read/Write
This access level provides the user with full access to all administrative tasks. Users with this access level can access the 3-DNS Controller through all external interfaces--the Configuration utility, the command line interface, and the iControl interface.
- CLI
This access level provides the user with full access to all administrative tasks, using the command line interface.
The three roles listed above all grant the same level of user access, that is, full access to the 3-DNS Controller. Thus, these roles are not intended as a way to restrict administrative access; rather, they are provided strictly as a way to define the method of user access, for administrative convenience.
Restricted users
Restricted users are those whose administrative access to a 3-DNS Controller is limited. When creating accounts for users to whom you want to restrict access, you can choose one of three different roles, where each role represents a different level of access to the 3-DNS Controller. The role you choose depends on the level of restricted access that you want to grant to the user. The roles for restricted users are:
- Partial Web Read/Write
This access level allows the user to view information and to change the status of objects in the configuration to either enabled or disabled. Users with this access level can access the 3-DNS Controller through the Configuration utility only.
- Web Read Only
This access level allows the user to view information using the Configuration utility only. Users with this access level do not have access to Add buttons, certain toolbar or tab items, Apply buttons, Update buttons, or Remove buttons.
- None
This access level is the default access level, and prevents the user from accessing the 3-DNS Controller altogether.
The procedure that you use to create and manage user accounts depends on whether you have configured user authentication to use either the local LDAP database that resides on the 3-DNS Controller, or an external (remote) server. The following sections describe how to assign access levels based on these two different authentication scenarios.
The root, admin, and support accounts require special consideration when managing them. For information on managing these accounts, see Managing system accounts.
Creating and authorizing local user accounts
When you are using the local LDAP database on the 3-DNS Controller to authenticate users, your 3-DNS administrative accounts (including user names and passwords) are created and stored in the local LDAP database on the 3-DNS Controller, using the Configuration utility. Then you use the Configuration utility to assign a level of access, or user role, to each user account. Upon user authentication, the 3-DNS Controller checks the local LDAP database to determine the access level for that user. An exception to this is the root account, which is stored in the UNIX /etc/passwd file, rather than in the local LDAP database.
You assign access levels to users at the time that you create their user accounts or by changing the properties of an existing account.
Creating, changing, and deleting user accounts
You can use the Configuration utility to create new user accounts on the 3-DNS Controller. For each user account that you create, you can assign one level of access control.
To display a list of existing user accounts using the Configuration utility
- In the navigation pane, click System Admin.
- Click the User Administration tab.
This displays a list of all existing local user accounts.
The Configuration utility only displays those accounts that are stored in the local LDAP database. Thus, the root account does not appear in the list of user accounts, given that the account is stored elsewhere.
To create a user account using the Configuration utility
- In the navigation pane, click System Admin.
- Click the User Administration tab.
This displays a list of all local user accounts, except for the root account.
- Click the Add button.
- In the Add User section, type the following information:
  - User ID
  Type the user ID you want to assign the user.
  - Password
  Type the password you want to assign the user.
  - Retype Password
  Retype the password you want to assign the user.
- Select an access level for the user.
- Click Done.
To change the properties of a user account using the Configuration utility
- In the navigation pane, click System Admin.
- Click the User Administration tab.
This displays a list of all local user accounts, except for the root account.
- Click a user account name.
This displays the properties of that account.
- Change the password, or select a new access level for the account.
- Click Apply.
Warning:
If you have a redundant system configuration and you change the password on the admin account, you must also change the password on the second unit in the redundant system, to ensure that the bigpipe config sync command operates correctly.
To delete a user account using the Configuration utility
- In the navigation pane, click System Admin.
- Click the User Administration tab.
This lists the user roles currently assigned to local user accounts.
- In the Local Users box, locate a user name for which you want to delete a user role, and click the Remove button.
Note that you cannot delete the admin user account.
Creating and authorizing remote user accounts
When you are using a remote LDAP or RADIUS authentication server, you create and store your 3-DNS administrative accounts (including user names and passwords) on that remote server, using the mechanism supplied by that server's vendor.
To configure user authorization in this case, you use the Configuration utility to assign a specific access level, or user role, to each remote user account. This access information is then stored in the 3-DNS Controller's local LDAP database. When a user, whose account information is stored remotely, logs into the 3-DNS Controller and is granted authentication, the 3-DNS Controller then checks its local LDAP database to determine the access level that is assigned to that user.
If no user role is assigned to a remote user account, then the 3-DNS Controller assigns access based on a role called the Default Role. Using the Configuration utility, you can set the access level for the Default Role.
The following sections describe the procedures for assigning user roles to remote user accounts.
To display a list of user roles for remote accounts using the Configuration utility
- In the navigation pane, click System Admin.
- Click the User Administration tab.
This displays the Remote User Roles box, which lists the remote user accounts to which you have assigned an access level, as well as the Default Role and its access level. Also displayed is the Local Users box, showing the admin account, which is always stored locally on the 3-DNS Controller.
Any user account that has not been assigned a remote user role automatically inherits the access level assigned to the Default Role.
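The role resolution described above (explicit remote user role first, otherwise the Default Role) can be audited offline. The following is an added example, not F5 code: the directory export, the role table layout, the account names, and the exact-match comparison of user names are all assumptions, and the check for role entries with no matching directory account goes beyond what this page describes.

```python
from dataclasses import dataclass

# Access levels as named on this page, grouped the way the page groups them.
FULL = {"Full Web Read/Write", "CLI + Full Web Read/Write", "CLI"}
RESTRICTED = {"Partial Web Read/Write", "Web Read Only", "None"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    subject: str    # account name, or "Default Role"
    detail: str


def effective_level(user, remote_roles, default_role):
    """Level applied once the remote server has authenticated `user`:
    the explicit remote user role if one exists, otherwise the Default Role."""
    return remote_roles.get(user, default_role)


def audit(directory_users, remote_roles, default_role):
    """Return (effective, findings) for accounts the remote server can authenticate.

    directory_users: names exported from the remote LDAP/RADIUS server (assumed input)
    remote_roles:    {user: level} as listed in the Remote User Roles box
    default_role:    level shown for the Default Role
    Assumption: user names are compared exactly (case-sensitive).
    """
    for name, level in list(remote_roles.items()) + [("Default Role", default_role)]:
        if level not in FULL | RESTRICTED:
            raise ValueError(f"unknown access level for {name}: {level!r}")

    effective = {u: effective_level(u, remote_roles, default_role)
                 for u in directory_users}
    findings = []

    # Any authenticated account without an explicit role inherits the Default Role,
    # so anything other than "None" grants access to the whole directory.
    if default_role != "None":
        inheriting = sorted(u for u in directory_users if u not in remote_roles)
        severity = "high" if default_role in FULL else "medium"
        findings.append(Finding(
            severity, "Default Role",
            f"{default_role!r} applies to every account without an explicit role; "
            "currently: " + (", ".join(inheriting) or "none")))

    # The three full roles differ only in interface; each one can change any role.
    for user in sorted(directory_users):
        if effective[user] in FULL:
            source = "explicit" if user in remote_roles else "inherited"
            findings.append(Finding(
                "info", user,
                f"fully privileged ({effective[user]}, {source}); can change roles"))

    # Added check: role entries whose account is missing from the directory export.
    for user in sorted(set(remote_roles) - set(directory_users)):
        findings.append(Finding(
            "medium", user,
            f"role {remote_roles[user]!r} assigned, but no such account in the "
            "directory export"))
    return effective, findings


# Constructed sample data, not taken from any real system.
SAMPLE_DIRECTORY = ["alice", "bob", "carol", "dave"]
SAMPLE_ROLES = {
    "alice": "CLI + Full Web Read/Write",
    "bob": "Web Read Only",
    "erin": "Full Web Read/Write",   # erin is absent from the directory export
}

if __name__ == "__main__":
    for default in ("None", "Partial Web Read/Write"):
        eff, found = audit(SAMPLE_DIRECTORY, SAMPLE_ROLES, default)
        print(f"Default Role = {default}")
        for user, level in eff.items():
            print(f"  {user:6} -> {level}")
        for f in found:
            print(f"  [{f.severity}] {f.subject}: {f.detail}")
```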
To assign a user role for a remote account using the Configuration utility
- In the navigation pane, click System Admin.
- Click the User Administration tab.
- Click the Add User Role button.
The Add User screen opens.
- In the User ID box, type a user name that is stored on your remote authentication server.
- In the Access Level box, select an access level to assign to that user.
- Click Done.
To change a user role for a remote account using the Configuration utility
- In the navigation pane, click System Admin.
- Click the User Administration tab.
This lists the user roles currently assigned to remote user accounts.
- In the Remote User Roles box, click a user name.
This displays the user role properties for that user account.
- In the Access Level box, select a different access level.
- Click Apply.
To delete a user role for a remote account using the Configuration utility
- In the navigation pane, click System Admin.
- Click the User Administration tab.
This lists the user roles currently assigned to remote user accounts.
- In the Remote User Roles box, locate a user name for which you want to delete a user role and click the Delete button.
Managing passwords for local user accounts
Sometimes, the users who have accounts stored in the local LDAP database might need to change their passwords. Users can change their passwords by accessing the User Administration screen of the Configuration utility, and then displaying the properties of their user accounts.
This method of changing a password applies not only to the user accounts you create from within the Configuration utility, but also to the admin and support accounts that the Setup utility created when you configured your base network.
For the procedure on changing passwords for locally-stored user accounts, see To change the properties of a user account using the Configuration utility.
To change the password for the root account, you must re-run the Setup utility. For more information, see the following section.
Managing system accounts
As previously described, the Setup utility automatically creates three system accounts--root, admin, and support. Only the support account is optional.
These accounts must be managed in the following ways:
- The root account
The root account is defined in the /etc/passwd file on the 3-DNS Controller, and therefore does not reside in either the local LDAP database or a remote LDAP database. To initially create the root account and set its password, you run the Setup utility. To change the root account password later, you must re-run the Setup utility. Because the root account does not reside in the local or a remote LDAP database, it does not appear on the User Administration screens of the Configuration utility. The access level for this account is fixed during creation and cannot be changed.
- The admin account
The admin account is defined in the local LDAP database on the 3-DNS Controller. To initially create the admin account and set its password, you run the Setup utility. To change its password later, you use the Configuration utility's User Administration screens. Note, however, that due to redundant system considerations, you must change the password on both units of the redundant system configuration, and you cannot delete the password for this account. The access level for this account is fixed during creation and cannot be changed, except when performing an upgrade.
- The support account
The support account is defined in the local LDAP database on the 3-DNS Controller. To initially create the support account and set its password, you run the Setup utility. Unlike the root and admin accounts, however, creating the support account is optional. To change the password and access level for this account later, you use the Configuration utility's User Administration screens.
Managing the SSH Console
An SSH console gives you the ability to use a command line interface to securely manage your local 3-DNS Controller. You can either use the MindTerm SSH console that is available in the navigation pane of the Configuration utility, or you can download a different SSH console from the home screen of the Configuration utility.
Using the MindTerm SSH Client
With the MindTerm SSH Client, you can open an SSH session to the 3-DNS Controller from the Configuration utility. The 3-DNS Controller uses the MindTerm SSH Client to enable secure command line administration from a web browser. You can perform any of the command line tasks in a popup console screen.
Warning:
The MindTerm SSH client requires a Java virtual machine to operate. If you are unable to run the MindTerm SSH client, make sure that you have a Java virtual machine installed, and that your browser has Java enabled in the Preferences, or Options, section. For more information on Java virtual machines and download options, visit your web browser manufacturer's web site.
To open the MindTerm SSH Client using the Configuration utility
- In the navigation pane, click MindTerm SSH Client.
A popup screen opens.
- When you see the command prompt, press Enter.
- Log in to the 3-DNS Controller as you normally would.
When you use the MindTerm SSH Client, you can administer only the local 3-DNS Controller. If you wish to administer remote systems, you do so using an SSH or Telnet session from the command line on the local 3-DNS Controller. For information about installing an SSH client on the administrative workstation, see the following section.
Downloading an SSH client to your administrative workstation
From 3-DNS units that support encrypted communications, you can download the SSH client to your administrative workstation in preparation for remote command line access. In addition to running 3-DNS Controller command line utilities, you can also use the SSH suite for file transfer to and from the 3-DNS Controller, as well as for remote backups.
The SSH client is available for both Windows® and UNIX® platforms, and you can download your preferred client either from the web server or using an FTP connection. You can find detailed information about the SSH client in the documentation provided on the web server, or on the Documentation and Software CD-ROM.
Downloading the SSH client from the web server
- Connect to the 3-DNS Controller using https:// rather than http:// in the URL.
- In the Additional Software Downloads section, click the SSH Clients link.
- From the SSH Clients page, you can select the SSH Client appropriate to your operating system.
You can also download the SSH clients from the Software and Documentation CD, or from the AskF5 web site, http://tech.f5.com.
Setting up an SSH client on a Windows 95 or Windows NT workstation
The SSH client installation file for Windows platforms is compressed in ZIP format. You can use standard ZIP tools, such as PKZip or WinZip to extract the file.
To unzip and install the SSH client
- Log on to the Windows workstation.
- Navigate to the directory to which you transferred the installation file. Run PKZip or WinZip to extract the files.
- The set of files extracted includes a Setup program. Run the Setup program to install the client.
- Start the SSH client.
- In the SSH Client window, from the Edit menu choose Properties.
The Properties dialog box opens.
- In the Connection tab, in the Remote Host section, type the following items:
  - In the Host Name box, type the 3-DNS Controller IP address or host name.
  - In the User Name box, type the root user name.
- In the Options section, check Compression and set the Cipher option to Blowfish.
- Click the OK button.
Overview of the Network Map
The 3-DNS Network Map is a dynamic map that illustrates the physical and logical objects in your network. With the Network Map, you can:
- Visualize the overall structure of your 3-DNS network configuration
- Use the navigational tools to modify your network configuration
- View the enabled/disabled state of the various objects in your network
Figure 6.1 Example screen of the Network Map in the Configuration utility
In the Network Map, you can easily see how any component is related to the rest of the network, and how changes to the physical side of the network structure (for example, data centers or servers) can affect the logical side (for example, wide IPs or pools), and vice versa. As shown in Figure 6.1, the wide IP pool, quote_pool, is made up of virtual servers on a BIG-IP system in the data center, NY Data Center.
Working with the Network Map
The Network Map is a highly interactive screen. Not only can you review and make changes to your 3-DNS configuration, but also you can use the information table to quickly check whether an object is enabled or disabled. The following sections describe some of the tasks you can do in the Network Map.
You can view the Network Map only from the Configuration utility.
To view the Network Map using the Configuration utility
- In the navigation pane, click Network Map.
The Network Map screen opens.
- Click Undock if you want to open a popup screen of the Network Map.
For more information on working with the Network Map, click Help on the toolbar.
Using the Network Map to review and modify the network configuration
The Network Map contains the following objects: data centers, servers, wide IPs, pools, virtual servers. You can double-click any object on the Network Map to expand the object. The relationship of that object to the rest of the network becomes readily apparent, as the components of that object are highlighted in blue throughout the map. For example, if you double-click a data center, the data center expands, displaying and highlighting all of the servers that reside in that data center. Toward the bottom of the map, also highlighted are the wide IPs that contain a virtual server which belongs to the servers in the selected data center. You can continue to double-click the objects to narrow your scope.
From the Network Map, you can also navigate to the screens where you configure the various objects. You do this by right-clicking the object name. A popup menu opens, displaying various options from which you can choose, depending on what part of that object you want to configure. For example, if you right-click a wide IP name, and from the popup menu select Configure, the Modify Wide IP screen opens, where you can modify the settings for the wide IP definition.
Using the information table on the Network Map
When you double-click any object on the Network Map, the information table at the bottom of the Network Map screen displays the following details about that object:
- Object type
- Object name
- Object IP address
- Any child objects for the highlighted object
- Object status
You can also refresh the Network Map by clicking the Refresh button next to the information table.
Managing your configuration with the Network Map
The Network Map is a dynamic, illustrative map of the physical and logical components of your network. The Network Map lets you see how the data centers, servers, and virtual servers you configured are mapped to the wide IPs and pools you configured for load balancing. You can also make changes to your configuration from the Network Map, using the following options:
- You can double-click any object name on the Network Map to expand the object.
- You can right-click any object name to view a popup menu of configuration options for that object.
To manage your configuration using the Network Map
- In the navigation pane, click Network Map.
The Network Map screen opens.
- To see the relationships between the components, double-click the component. The tree expands and the component is highlighted (in blue).
- To modify a component, right-click the component to view a popup menu, then select the item you want to change.
- You can also click the name of the component in the status bar in the lower portion of the screen to edit the component's configuration.
For more information on the features of the Network Map, click Help on the toolbar.
Warning:
The Network Map requires a Java virtual machine to operate. If you are unable to view the Network Map, make sure that you have a Java virtual machine installed and that your browser has Java enabled in the Preferences, or Options, section. For more information on Java virtual machines and download options, visit your web browser manufacturer's web site.
Viewing system statistics
Using the Configuration utility, you can view current statistics about the following objects in the configuration:
| Statistics screen | Description |
|---|---|
| Summary | Provides information about the 3-DNS Controller itself. |
| Globals | Provides information on the global settings for the 3-DNS Controller. |
| Metrics | Provides performance information for the servers, virtual servers, and pools you have configured. |
| Links | Provides information about the router links in the network. |
| P95 Billing | Provides information about the average actual link utilization compared to purchased bandwidth. |
| Disabled | Provides information on the servers, virtual servers, wide IPs, pools, and data centers that are currently disabled. |
| Requests | Provides information on the virtual connections between local DNS servers and virtual servers for given wide IPs in the network. |
| Data Centers | Provides information on the data centers in your network. |
| Sync Group | Provides information on the 3-DNS Controllers that are in the same sync group as the controller that you are looking at. |
| Wide IPs | Provides information on the wide IPs, pools, and virtual servers in the pools. |
| ECV | Provides performance information for any ECV health monitors you have configured. |
| 3-DNS | Provides information on the 3-DNS Controllers you have configured. |
| BIG-IP | Provides information on the BIG-IP systems you have configured. |
| EDGE-FX | Provides information on the EDGE-FX systems you have configured. |
| Probers | Provides information on the probers you have configured. |
| Hosts | This statistics screen provides information on the hosts you have configured. |
| Virtual servers | Provides information on the virtual servers you have configured. |
| Weather Map | Provides information on the average round trip times, average completion rates, and average router hops between the data centers or links you have configured and local DNS servers. |
| Paths | Provides information on the paths created by the 3-DNS Controller when paths are required to fulfill name resolution requests. |
| Local DNS | Provides information on the local DNS servers in the 3-DNS Controller database. |
To view system statistics
- In the navigation pane, expand the Statistics item.
- From the list, select the item representing the statistics you wish to view.
- For details about the information displayed on a specific statistics screen, click Help on the toolbar.
Overview of the Internet Weather Map
The Internet Weather Map statistics screen, in the Configuration utility, provides the following data about the Internet:
- The average round trip time between the local DNS servers on a particular continent and the data centers or links in your network
- The average completion rate between the local DNS servers on a particular continent and the data centers or links in your network
- The average number of router hops between the local DNS servers on a particular continent and the data centers or links in your network
The data displayed in the Internet Weather Map is based on path data, which is collected when you use a dynamic load balancing mode such as Round Trip Times or Quality of Service. For more information on dynamic load balancing modes, see Using dynamic load balancing modes.
To view the Internet Weather Map statistics screen using the Configuration utility
- Expand the Statistics item in the navigation pane.
- Click Weather Map.
The Internet Weather Map Statistics screen opens.
- For information on working with the Internet Weather Map Statistics screen, view the online help.
The round trip time and completion rate data on the Internet Weather Map Statistics screen are based on path metrics. If you do not have path probing activated, the data on this screen is stale. The router hops data are based on information collected by the traceroute utility. If you do not allow the 3-DNS Controller to collect hops information, the average router hops data is stale.
To activate path probing and hops data collection using the Configuration utility
- In the navigation pane, click System.
The System - General screen opens.
- On the toolbar, click Metric Collection.
The System - Metric Collection screen opens.
- Check the Allow Probing box.
The 3-DNS Controller can now collect path information for the data centers in your configuration.
- Check the Allow Hops box.
The 3-DNS Controller can now collect router hops information for the data centers in your configuration.
Working with the Average Round Trip Time table
In the Average Round Trip Time table on the Internet Weather Map Statistics screen, you can view the following information:
- The average round trip time for each data center or link to each continent
- For each data center or link, the best average round trip time to the local DNS servers on a particular continent. This value is indicated by bold text within the table.
- For each continent, the best average round trip time from the data centers or links. This value is indicated by underlined text within the table.
If you hold the mouse pointer over the Information button, you can view the following additional information:
- For a particular data center or link, the number of local DNS servers used to calculate the average round trip time
- For all the local DNS servers that have been probed by a particular data center, the percentage of those local DNS servers that are located on a particular continent
- For all the local DNS servers on a particular continent, the percentage of those local DNS servers that have been probed by a particular data center or link
Working with the Average Completion Rate table
In the Average Completion Rate table on the Internet Weather Map Statistics screen, you can view the following information:
- The average completion rate for each data center or link to each continent
- For each data center or link, the best average completion rate to the local DNS servers on a particular continent. This value is indicated by bold text within the table.
- For each continent, the best average completion rate from the data centers or over the links. This value is indicated by underlined text within the table.
If you hold the mouse pointer over the Information button, you can view the following additional information:
- For a particular data center or link, the number of local DNS servers used to calculate the average completion rate
- For all the local DNS servers that have been probed by a particular data center or link, the percentage of those local DNS servers that are located on a particular continent
- For all the local DNS servers on a particular continent, the percentage of those local DNS servers that have been probed by a particular data center or link
Working with the Average Router Hops table
In the Average Router Hops table on the Internet Weather Map Statistics screen, you can view the following information:
- The average number of router hops between each data center or link and each continent
- For each data center or link, the best average number of router hops to the local DNS servers on a particular continent. This value is indicated by bold text within the table.
- For each continent, the best average number of router hops from the data centers or over the links. This value is indicated by underlined text within the table.
If you hold the mouse pointer over the Information button, you can view the following additional information:
- For a particular data center or link, the number of local DNS servers used to calculate the average number of router hops
- For all the local DNS servers that have been probed by a particular data center or link, the percentage of those local DNS servers that are located on a particular continent
- For all the local DNS servers on a particular continent, the percentage of those local DNS servers that have been probed by a particular data center or link
Interpreting the Internet Weather Map data
You can use the data in the Internet Weather Map (IWM) to compare performance between data centers or links. By comparing data center performance over time, you can stage your content in the data centers based on actual usage. The two data points that help you determine which data center has the best performance are the RTT response time (lower is better), and the Completion Rate (higher is better). One easy way to compare data center or link performance over time is to print a screen shot of the IWM at a certain time every day.
You can also use the IWM data to determine which data center or link best serves content for which continent. By analyzing which data center or link provides the best response (usually the lowest RTT and the highest relative completion rate) for a given continent, you can localize your content in the data center that provides the most efficient content delivery.
Working with command line utilities
The 3-DNS includes several command line utilities. These utilities allow you to configure various features of the 3-DNS Controller from the command line. For additional 3-DNS configuration options, you may also want to review the following chapters. For information on working with the Setup utility, see the 3-DNS Administrator Guide, Chapter 3, Using the Setup Utility.
Viewing command line utilities documentation
You can access the most current documentation on 3-DNS utilities by using the Configuration utility or by using the command line. You can view all the documentation for the 3-DNS Controller from the main screen of the Configuration utility, including the man pages for the utilities that are shipped with the system.
To view 3-DNS man pages using the Configuration utility
- Log on to the Configuration utility.
- From the Online Documentation section of the 3-DNS Controller home screen, click 3-DNS Man Pages.
A screen containing an index of 3-DNS man pages opens.
To display a list of utilities that fall into a particular category
To display a list of utilities that fall into a particular category, type the following command:
man -k <category>
For example, to get a list of utilities that pertain to DNS, type the following command, and a list of utilities that pertain to DNS appears.
man -k dns
To display documentation for a specific 3-DNS utility
To display the man page for a specific utility, type the following command:
man <utility>
For example, if you type the following command, the 3dparse man page appears:
man 3dparse
Working with the 3-DNS Maintenance menu
The 3-DNS Maintenance menu is a utility that you can use to configure and monitor the 3-DNS Controller from the command line. You can perform the following tasks:
- Work with security issues
- Work with the big3d agent
Figure 6.2 shows the main screen of the 3-DNS Maintenance menu.
3-DNS (R) Maintenance Menu
Configure SSH communication with remote devices
Generate and Copy iQuery Encryption Key
Check remote versions of big3d
Install and Start big3d
Enter 'q' to Quit
To use the 3-DNS Maintenance menu from the command line
- On the command line, type the following command to open the menu:
3dnsmaint
- From the menu, choose the command you wish to run, and press the Enter key.
Each command is described in the following sections.
Working with security issues
You can use the following commands to address security issues for your network setup.
Configure SSH communication with remote devices
The Configure SSH communication with remote devices command runs the config_ssh script, which configures secure shell access to any new 3-DNS Controller, BIG-IP, or EDGE-FX system that is added to a network. For more information, see Working with scripts.
Generate and Copy iQuery Encryption key
The Generate and Copy iQuery Encryption key command runs the install_key script, which then runs the F5makekey program. The F5makekey program generates a seed key for encrypting communications between the 3-DNS Controller and any BIG-IP systems or EDGE-FX systems in the network. For more information, see Working with scripts.
Working with the big3d agent
You can use the following commands to work with the big3d agent, which collects information about paths between a data center and a specific local DNS server.
Check remote versions of big3d
The Check remote versions of big3d command runs the big3d_version script. This script checks that the correct version of big3d is running on all BIG-IP systems and EDGE-FX systems known to the 3-DNS Controller.
Install and Start big3d
The Install and Start big3d command runs the big3d_install script, which installs and starts the appropriate version of the big3d agent on each BIG-IP system and EDGE-FX system in the network.
Restart big3d
The Restart big3d command runs the big3d_restart script, which stops and restarts the big3d agent on each BIG-IP system and EDGE-FX system in the network.
Working with scripts
The 3-DNS Controller ships with several scripts to simplify many configuration and maintenance tasks. This chapter provides information about the functionality of these scripts. If you plan on performing a task from the command line that uses a script, you should find this section helpful. Many scripts correspond to commands on the 3-DNS Maintenance menu, so you may want to also review Working with the 3-DNS Maintenance menu.
Before you edit a script, make a backup copy of the original.
3dns_add script
Use the 3dns_add script to add a new 3-DNS Controller to an existing sync group in your network. The 3dns_add script copies all configuration information from an existing 3-DNS Controller onto the new system. For more details on using this script, refer to the 3-DNS Administrator Guide, Chapter 10, Adding a 3-DNS Controller to an Existing Network.
Warning:
You can accidentally remove all configuration information on your existing 3-DNS Controller if you do not follow the guidelines in the 3-DNS Administrator Guide, Chapter 10, Adding a 3-DNS Controller to an Existing Network. Use caution when you run this script.
3dnsmaint script
The 3dnsmaint script opens the 3-DNS Maintenance menu. See Working with the 3-DNS Maintenance menu for more information.
3ndc script
The 3ndc script starts the 3ndc utility, which is described in the 3ndc man page.
big3d_restart script
The big3d_restart script corresponds to the Restart big3d command on the 3-DNS Maintenance menu. This script stops and restarts the big3d agent on each BIG-IP system and EDGE-FX system known to the 3-DNS Controller.
big3d_version script
The big3d_version script corresponds to the Check remote versions of big3d command on the 3-DNS Maintenance menu. This script displays the version numbers for all BIG-IP systems and EDGE-FX systems known to the 3-DNS Controller, as well as the version numbers of the big3d agent running on those systems.
config_ssh script
The config_ssh script corresponds to the Configure SSH communication with remote devices command on the 3-DNS Maintenance menu. All 3-DNS scripts and synchronization require secure communications between systems. Any time you add a new 3-DNS Controller, BIG-IP system, or EDGE-FX system to a network, you can run the config_ssh script, and if no ssh key exists on the system, the script configures ssh access.
install_key script
The install_key script corresponds to the Generate and Copy iQuery Encryption Key command on the 3-DNS Maintenance menu. This script starts the F5makekey program, and generates a seed key for encrypting communications between the 3-DNS Controllers and (if you have any in your network) BIG-IP or EDGE-FX systems. The install_key script creates and distributes the iQuery key to all BIG-IP systems, EDGE-FX systems, and other 3-DNS Controllers in your network.
To start the F5makekey program, type the following at the command line, in the /usr/local/bin directory:
F5makekey
The F5makekey program creates the key in the /usr/local/bin/F5key.dat directory. The key contains a random length (12-52) of random content (1-255). This array of values is used by MD-160, a one-way hash function, to generate a key (7 characters in length) for the Blowfish encryption algorithm. Once the key is created, you need to move it to the /config/3dns/etc/F5key.dat directory. You must then create a link from the /config/3dns/etc/F5key.dat directory to the /usr/local/bin/F5key.dat directory.
We recommend that you use the Generate and Copy iQuery Encryption Key script to generate the keys that are required for encrypted communications.
Configuring Email
You can configure the 3-DNS Controller to send email notifications to you, or to other administrators, using the sendmail utility. The 3-DNS Controller includes a sample Sendmail configuration file that you can use to start with, but you must customize the Sendmail setup for your network environment before you can use it.
Before you begin setting up Sendmail, you may need to look up the name of the mail exchanger for your domain. If you already know the name of the mail exchanger, refer to Setting up the sendmail utility for details about setting up the sendmail utility itself.
Finding the mail exchanger for your domain
You can use the nslookup command on any workstation that is configured for lookup. Once you find the primary IP address for your domain, you can find the mail exchanger for your domain.
To find the mail exchanger for your domain
- Identify the default server name for your domain. From a workstation capable of name resolution, type the following on the command line:
nslookup
- The command returns a default server name and corresponding IP address:
Default Server: <server name>
Address: <server>
- Use the domain name to query for the mail exchanger:
set q=mx
<domain name>
The returned information includes the name of the mail exchanger. For example, the sample information shown in Figure 6.3 lists bigip.net as the preferred mail exchanger.
bigip.net preference = 10, mail exchanger = mail.siterequest.com
bigip.net nameserver = ns1.bigip.net
bigip.net nameserver = ns2.bigip.net
bigip.net internet address = 192.168.112.1
ns1.bigip.net internet address = 192.168.112.2
ns2.bigip.net internet address = 192.168.112.3
Setting up the sendmail utility
When you set up the sendmail utility, you need to open and edit a couple of configuration files. Note that the 3-DNS Controller does not accept email messages. You can use the crontab utility to purge unsent or returned messages, and you can send those messages to yourself or another administrator.
To set up and start the sendmail utility
- Copy /config/sendmail.cf.off to /config/sendmail.cf.
- To set the name of your mail exchange server, open the /config/sendmail.cf file and set the DS variable to the name of your mail exchanger. The syntax for this entry is:
DS<MAILHUB_OR_RELAY>
- Save and close the /config/sendmail.cf file.
- If you want to allow the sendmail utility to flush outgoing messages from the queue for mail that cannot be delivered immediately:
- Open the /config/crontab file, and change the last line of the file to read:
0,15,30,45 * * * * root /usr/sbin/sendmail -q > /dev/null 2>&1
- Save and close the /config/crontab file.
- If you want to prevent returned or undelivered email from going unnoticed:
- Open the /config/aliases file and create an entry for root to point to you or another administrator at your site:
root: networkadmin@SiteOne.com
- Save and close the /config/aliases file.
- Run the newaliases command to generate a new aliases database that incorporates the information you added to the /config/aliases file.
- To turn the sendmail utility on, either reboot the system or type the following command:
/usr/sbin/sendmail -bd -q30m
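A quick audit of the three files edited in the procedure above, as an added example that is not part of the F5 documentation. The function name, the directory argument, and the sample file contents are assumptions made for illustration; on the controller the directory would be /config.

```shell
#!/bin/sh
# Added example, not F5 code: report which steps of the sendmail procedure
# are still missing. Takes the configuration directory so it can run on copies.
check_sendmail_setup() {
    dir=$1
    problems=0
    # sendmail.cf: the DS entry must name a mail exchanger; a bare "DS" relays nowhere
    if ! grep -q '^DS[^[:space:]]' "$dir/sendmail.cf" 2>/dev/null; then
        echo "sendmail.cf: DS is not set"
        problems=$((problems + 1))
    fi
    # crontab: an active (uncommented) queue run flushes mail that was not delivered at once
    if ! grep -v '^[[:space:]]*#' "$dir/crontab" 2>/dev/null |
            grep -q 'sendmail[[:space:]].*-q'; then
        echo "crontab: no sendmail -q queue run"
        problems=$((problems + 1))
    fi
    # aliases: root must forward to a mailbox that someone reads
    if ! grep -q '^root:[[:space:]]*[^[:space:]]' "$dir/aliases" 2>/dev/null; then
        echo "aliases: root has no forwarding address"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Demo on constructed copies in a temporary directory.
demo=$(mktemp -d)
printf 'DS\n' > "$demo/sendmail.cf"                           # relay left blank
printf 'root: networkadmin@SiteOne.com\n' > "$demo/aliases"   # alias from the step above
check_sendmail_setup "$demo" || echo "setup incomplete"
rm -rf "$demo"
```

The check does not confirm that newaliases was run after the aliases file changed, so run that command whenever the audit prompts an edit to /config/aliases.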
Using a serial terminal with the 3-DNS Controller
There are two ways to add a serial terminal to the 3-DNS Controller. You can add a serial terminal in addition to the console, or you can add a serial terminal as the console. The difference between the two is:
- A serial terminal configured as a terminal displays a simple login. You can log in and run commands and edit files. In this case, you can use the serial terminal in addition to the keyboard and monitor.
- A serial terminal configured as the console displays system messages and warnings in addition to providing a login prompt. In this case, the serial terminal replaces the keyboard and monitor.
To connect the serial terminal to the 3-DNS Controller
Connect a serial line cable between the terminal device and the 3-DNS Controller. On the back of the 3-DNS Controller is a male, 9-pin RS232C connector labeled Terminal. (Be sure not to confuse this with the fail-over connection, which is also a male, 9-pin connector.)
Warning:
Do not use the fail-over cable to connect the serial terminal to the 3-DNS Controller. A null modem cable is required.
The connector is wired as a DTE device, and uses the signals described in Table 6.2.
Pin | Source | Usage |
---|---|---|
1 | External | Carrier detect |
2 | External | Received data |
3 | Internal | Transmitted data |
4 | Internal | Data terminal ready |
5 | Both | Signal ground |
7 | Internal | Request to send |
8 | External | Clear to send |
The connector is wired for direct connection to a modem, with receipt of a Carrier Detect signal generating transmission of a login prompt by the 3-DNS Controller. If you are planning to connect to a terminal or to connect a PC and utilize a terminal emulation program such as HyperTerminal™, you need a null modem cable with the wiring to generate the signals shown in Table 6.2.
You can achieve acceptable operation by wiring pins 7 to 8 and pins 1 to 4 at the back of the 3-DNS Controller (and turning hardware flow control off in your terminal or terminal emulator).
Configuring a serial terminal in addition to the console
You can configure a serial terminal for the 3-DNS Controller in addition to the standard console.
To configure the serial terminal in addition to the console
- Connect the serial terminal to the 3-DNS Controller.
- Configure the serial terminal settings in your terminal or terminal emulator or modem as follows:
- 9600 baud
- 8 bits
- 1 stop bit
- No parity
- Open the /etc/ttys file and find the line that reads tty00 off. Modify it as shown here:
# PC COM ports (tty00 is DOS COM1)
tty00 "/usr/libexec/getty default" vt100 in secure
- Save and close the /etc/ttys file.
- Reboot the 3-DNS Controller.
Configuring a serial terminal as the console
You can configure the serial terminal as the console.
To configure the serial terminal as the console
- Disconnect the keyboard from the 3-DNS Controller.
- Connect the serial terminal to the 3-DNS Controller. When there is no keyboard connected to the 3-DNS Controller, the 3-DNS Controller defaults to using the serial port for the console.
- Configure the serial terminal settings in your terminal or terminal emulator or modem as follows:
- 9600 baud
- 8 bits
- 1 stop bit
- No parity
- Reboot the 3-DNS Controller.
Forcing a serial terminal to be the console
In the case where you have not yet connected the serial terminal or it is not active when the 3-DNS Controller is turned on, as it might be if you are using a terminal server or dial-up modem, you can force the controller to use the serial terminal as a console. Note that you do not need to disconnect the keyboard if you use this procedure to force the serial line to be the console.
To force a serial terminal to be the console
- Edit the /etc/boot.default file.
Find the entry -console auto. Change this entry to -console com.
- Save the /etc/boot.default file and exit the editor.
- Plug the serial terminal into the serial port on the 3-DNS Controller.
- Turn on the serial terminal.
- Reboot the 3-DNS Controller.
Warning:
Once you configure a serial terminal as the console for the 3-DNS Controller, the following conditions apply:
Keyboard/monitor access is disabled, and logging in is only possible using Secure Shell (SSH), if configured, or the serial line.
If the /etc/boot.default file is corrupted, the system does not boot at all. Save a backup copy of the original file and keep a bootable CD-ROM on hand.
The /etc/boot.default file must contain either the line: -console com or the line: -console auto. Do not configure both settings. This could cause problems when you attempt to boot the system.
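Because a corrupted /etc/boot.default stops the system from booting, the edit is worth validating before the reboot. The sketch below is an added example, not F5 code; the function names are hypothetical and it assumes the file holds one option per line (such as "-console auto"), which is all the procedure above shows of its format.

```shell
#!/bin/sh
# Added example, not F5 code. Assumes one option per line in boot.default,
# for example "-console auto", as the procedure above implies.

# Print the single console setting ("com" or "auto"); fail on anything else.
check_console_setting() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    awk '
        $1 == "-console" { n++; value = $2 }
        END {
            if (n == 0) { print "missing"; exit 1 }
            if (n > 1)  { print "duplicate"; exit 1 }
            if (value != "com" && value != "auto") { print "invalid"; exit 1 }
            print value
        }
    ' "$1"
}

# Change "-console auto" to "-console com" without leaving a broken file behind:
# keep a backup, edit a copy, validate the copy, and only then swap it in.
force_serial_console() {
    file=$1
    current=$(check_console_setting "$file") || { echo "refusing: $current"; return 1; }
    if [ "$current" = "com" ]; then echo "already com"; return 0; fi
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig" || return 1
    tmp="$file.new.$$"
    cp -p "$file" "$tmp" || return 1          # copy first so mode and owner carry over
    sed 's/^\([[:space:]]*-console[[:space:]][[:space:]]*\)auto\([[:space:]]*\)$/\1com\2/' \
        "$file" > "$tmp" || return 1
    if [ "$(check_console_setting "$tmp")" = "com" ]; then
        mv "$tmp" "$file" && echo "changed"
    else
        rm -f "$tmp"
        echo "refusing: edited copy did not validate"
        return 1
    fi
}

# Demo on a constructed file in a temporary directory, not the real /etc/boot.default.
demo_dir=$(mktemp -d)
printf '%s\n' '-console auto' > "$demo_dir/boot.default"
force_serial_console "$demo_dir/boot.default"
check_console_setting "$demo_dir/boot.default"
rm -rf "$demo_dir"
```

Running check_console_setting on its own before any reboot catches the case the warning describes, where both -console lines are present.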
Shutting down the 3-DNS Controller
When you need to turn the 3-DNS Controller completely off, you need to complete two tasks. The first task is to shut down the 3-DNS software. After you shut down the 3-DNS software, you can turn off the power to the system.
To shut down the 3-DNS software from the command line
- To shut down the 3-DNS software, type the following command:
halt
- When you see the following message, it is safe to turn off the power to the physical system:
System is halted, hit reset, turn power off, or press return to reboot
Warning:
Do not remove the power supply from the power source to turn off the 3-DNS Controller. Doing so may result in irrevocable damage to the system.