Manual Chapter : 3-DNS Reference Guide, version 4.6.2: Administration and Monitoring

Applies To:

3-DNS Controller versions 1.x - 4.x

  • 4.6.4, 4.6.3, 4.6.2

Chapter 6

Administration and Monitoring


Monitoring and administration utilities provided on the 3-DNS Controller

The 3-DNS Controller provides several utilities for monitoring and administration. You can perform configuration tasks and monitor system statistics for all components of the 3-DNS Controller with these utilities:

  • Configuration utility
    The Configuration utility is a browser-based application you can use to configure and monitor the 3-DNS Controller. The Configuration utility supports Netscape® Navigator, version 4.7x, and Microsoft® Internet Explorer, version 5.0, 5.5, or 6.0.
  • Setup utility
    The Setup utility is a menu-driven command line utility that you can use to configure many of the platform settings for the 3-DNS Controller. You can also use the browser-based version of the Setup utility for the initial configuration of the 3-DNS Controller. If you are using the Setup utility to make changes to your existing configuration, we recommend that you use the command line version of the utility. To access the Setup utility from the command line, type setup.
  • 3-DNS Maintenance menu
    The 3-DNS Maintenance menu is a command line utility you can use to configure the 3-DNS Controller. Use the 3-DNS Maintenance menu to simplify certain tasks such as updating the big3d agent and configuring ssh access. To access the 3-DNS Maintenance menu from the command line, type 3dnsmaint.
  • MindTerm SSH Client
    The MindTerm SSH Client is a secure shell tool, opened from the Configuration utility, that lets you run the command line utilities from a web browser.
  • Network Map
    The Network Map is an interactive screen, in the Configuration utility, where you can view your physical and logical configurations simultaneously.
  • Statistics screens
    Using the Statistics screens in the Configuration utility, you can view a myriad of performance and metrics details about the 3-DNS Controller, the servers and the virtual servers it manages, and the load balancing it performs.
  • 3dpipe utility
    Using the 3dpipe utility, you can perform the following tasks, at the command line:

    • View lists of configured data centers, servers, virtual servers, wide IPs, and pools
    • View the status (enabled or disabled) of configured data centers, servers, virtual servers, wide IPs, and pools
    • Enable configured data centers, servers, virtual servers, wide IPs, and pools
    • Disable, for a specific time period, configured data centers, servers, virtual servers, wide IPs, and pools
    • View summary statistics for the 3-DNS Controller itself
  • bigpipe utility
    You can use the bigpipe utility to maintain and monitor the platform components of the 3-DNS Controller, including VLANs, interfaces, and self IP addresses. Review Appendix C, bigpipe Command Reference, for a complete explanation of working with the bigpipe utility.

Managing user accounts

When you run the Setup utility for the first time to configure your base network, the 3-DNS Controller automatically creates two special user accounts--root and admin. As an option, you can also specify within the Setup utility that you want the 3-DNS Controller to create a third account, support, which gives F5 Networks support personnel access to your system. For information on using the Setup utility to create the root, admin, and support accounts, see the 3-DNS Administrator Guide, Chapter 3, Using the Setup Utility.

Once the Setup utility has created these accounts, you will most likely want to create additional administrative accounts and assign various system access levels, or user roles, to them, on an ongoing basis.

The remainder of this section addresses the following topics:

  • Understanding user roles
  • Creating and authorizing local user accounts
  • Creating and authorizing remote user accounts
  • Managing passwords for local accounts
  • Managing system accounts

Note


If you are running the 3-DNS module on a BIG-IP system, you manage user accounts using the BIG-IP Configuration utility. See the BIG-IP Reference Guide for more information.

Understanding user roles

Users who have user roles assigned to them fall into one of two categories: fully-privileged users, or restricted users. The following sections describe these user-role categories.

Fully-privileged users

Fully-privileged users are those who have full access to a 3-DNS Controller for administration purposes. When creating accounts for users to whom you want to grant full privileges, you can choose one of three different roles. The role you choose for a user depends on the type of user interface that the user will use to administer the 3-DNS Controller. Because each role has full access to the 3-DNS Controller, users with these user roles have privileges to change their own roles or other users' roles.

The roles for fully-privileged users are:

  • Full Web Read/Write
    This access level provides the user with full access to all administrative tasks. Users with this access level can access the 3-DNS Controller through the Configuration utility and iControl, but not through the command line interface.
  • CLI + Full Web Read/Write
    This access level provides the user with full access to all administrative tasks. Users with this access level can access the 3-DNS Controller through all external interfaces--the Configuration utility, the command line interface, and the iControl interface.
  • CLI
    This access level provides the user with full access to all administrative tasks, using the command line interface.

Note


The three roles listed above all grant the same level of user access, that is, full access to the 3-DNS Controller. Thus, these roles are not intended as a way to restrict administrative access; rather, they are provided strictly as a way to define the method of user access, for administrative convenience.

Restricted users

Restricted users are those whose administrative access to a 3-DNS Controller is limited. When creating accounts for users to whom you want to restrict access, you can choose one of three different roles, where each role represents a different level of access to the 3-DNS Controller. The role you choose depends on the level of restricted access that you want to grant to the user. The roles for restricted users are:

  • Partial Web Read/Write
    This access level allows the user to view information and to change the status of objects in the configuration to either enabled or disabled. Users with this access level can access the 3-DNS Controller through the Configuration utility only.
  • Web Read Only
    This access level allows the user to view information using the Configuration utility only. Users with this access level do not have access to Add buttons, certain toolbar or tab items, Apply buttons, Update buttons, or Remove buttons.
  • None
    This access level is the default access level, and prevents the user from accessing the 3-DNS Controller altogether.

The procedure that you use to create and manage user accounts depends on whether you have configured user authentication to use either the local LDAP database that resides on the 3-DNS Controller, or an external (remote) server. The following sections describe how to assign access levels based on these two different authentication scenarios.

Note


The root, admin, and support accounts require special consideration when managing them. For information on managing these accounts, see Managing system accounts.

Creating and authorizing local user accounts

When you are using the local LDAP database on the 3-DNS Controller to authenticate users, your 3-DNS administrative accounts (including user names and passwords) are created and stored in the local LDAP database on the 3-DNS Controller, using the Configuration utility. Then you use the Configuration utility to assign a level of access, or user role, to each user account. Upon user authentication, the 3-DNS Controller checks the local LDAP database to determine the access level for that user. An exception to this is the root account, which is stored in the UNIX /etc/passwd file, rather than in the local LDAP database.

You assign access levels to users at the time that you create their user accounts or by changing the properties of an existing account.

Creating, changing, and deleting user accounts

You can use the Configuration utility to create new user accounts on the 3-DNS Controller. For each user account that you create, you can assign one level of access control.

To display a list of existing user accounts using the Configuration utility
  1. In the navigation pane, click System Admin.
  2. Click the User Administration tab.
    This displays a list of all existing local user accounts.

Note


The Configuration utility only displays those accounts that are stored in the local LDAP database. Thus, the root account does not appear in the list of user accounts, given that the account is stored elsewhere.

To create a user account using the Configuration utility
  1. In the navigation pane, click System Admin.
  2. Click the User Administration tab.
    This displays a list of all local user accounts, except for the root account.
  3. Click the Add button.
  4. In the Add User section, type the following information:

    • User ID
      Type the user ID you want to assign the user.
    • Password
      Type the password you want to assign the user.
    • Retype Password
      Retype the password you want to assign the user.
  5. Select an access level for the user.
  6. Click Done.

To change the properties of a user account using the Configuration utility
  1. In the navigation pane, click System Admin.
  2. Click the User Administration tab.
    This displays a list of all local user accounts, except for the root account.
  3. Click a user account name.
    This displays the properties of that account.
  4. Change the password, or select a new access level for the account.
  5. Click Apply.

Warning


If you have a redundant system configuration and you change the password on the admin account, you must also change the password on the second unit in the redundant system, to ensure that the bigpipe config sync command operates correctly.

To delete a user account using the Configuration utility
  1. In the navigation pane, click System Admin.
  2. Click the User Administration tab.
    This lists the user roles currently assigned to local user accounts.
  3. In the Local Users box, locate a user name for which you want to delete a user role, and click the Remove button.
    Note that you cannot delete the admin user account.

Creating and authorizing remote user accounts

When you are using a remote LDAP, RADIUS or RSA SecurID authentication server, you create and store your 3-DNS administrative accounts (including user names and passwords) on that remote server, using the mechanism supplied by that server's vendor.

To configure user authorization in this case, you use the Configuration utility to assign a specific access level, or user role, to each remote user account. This access information is then stored in the 3-DNS Controller's local LDAP database. When a user, whose account information is stored remotely, logs into the 3-DNS Controller and is granted authentication, the 3-DNS Controller then checks its local LDAP database to determine the access level that is assigned to that user.

If no user role is assigned to a remote user account, then the 3-DNS Controller assigns access based on a role called the Default Role. Using the Configuration utility, you can set the access level for the Default Role.

The following sections describe the procedures for assigning user roles to remote user accounts.

To display a list of user roles for remote accounts using the Configuration utility
  1. In the navigation pane, click System Admin.
  2. Click the User Administration tab.
    This displays the Remote User Roles box, which lists the remote user accounts to which you have assigned an access level, as well as the Default Role and its access level. Also displayed is the Local Users box, showing the admin account, which is always stored locally on the 3-DNS Controller.

Note


Any user account that has not been assigned a remote user role automatically inherits the access level assigned to the Default Role.

To assign a user role for a remote account using the Configuration utility
  1. In the navigation pane, click System Admin.
  2. Click the User Administration tab.
  3. Click the Add User Role button.
    The Add User screen opens.
  4. In the User ID box, type a user name that is stored on your remote authentication server.
  5. In the Access Level box, select an access level to assign to that user.
  6. Click Done.

To change a user role for a remote account using the Configuration utility
  1. In the navigation pane, click System Admin.
  2. Click the User Administration tab.
    This lists the user roles currently assigned to remote user accounts.
  3. In the Remote User Roles box, click a user name.
    This displays the user role properties for that user account.
  4. In the Access Level box, select a different access level.
  5. Click Apply.

To delete a user role for a remote account using the Configuration utility
  1. In the navigation pane, click System Admin.
  2. Click the User Administration tab.
    This lists the user roles currently assigned to remote user accounts.
  3. In the Remote User Roles box, locate a user name for which you want to delete a user role and click the Delete button.
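
The role lookup described in this section, together with the checks it suggests when reviewing a role table, as an added example that is not part of the original manual and is not F5 code. The role names and the interfaces each role reaches come from this chapter; the dictionary layout, function names and sample accounts are assumptions.

```python
# Added example: a model of the role lookup for remotely authenticated users.
# Role names and interface reach come from this chapter; the dict layout,
# function names and sample accounts are assumptions made for illustration.

FULL_ROLES = {"Full Web Read/Write", "CLI + Full Web Read/Write", "CLI"}

# Interfaces each access level can reach, as the role descriptions state.
INTERFACES = {
    "Full Web Read/Write": {"web", "icontrol"},
    "CLI + Full Web Read/Write": {"web", "cli", "icontrol"},
    "CLI": {"cli"},
    "Partial Web Read/Write": {"web"},
    "Web Read Only": {"web"},
    "None": set(),
}


def effective_role(user_id, remote_roles, default_role="None"):
    """Access level applied once the remote server has authenticated user_id.

    An explicit entry wins; otherwise the account inherits the Default Role.
    """
    role = remote_roles.get(user_id, default_role)
    if role not in INTERFACES:
        raise ValueError(f"unknown access level: {role!r}")
    return role


def fully_privileged(directory_users, remote_roles, default_role="None"):
    """Users whose effective role is one of the three full-access roles."""
    return sorted(
        u for u in directory_users
        if effective_role(u, remote_roles, default_role) in FULL_ROLES
    )


def audit(directory_users, remote_roles, default_role="None"):
    """Return (severity, message) findings for a role table."""
    findings = []
    inherited = sorted(u for u in directory_users if u not in remote_roles)
    if default_role != "None":
        # Every account the remote server accepts, now or later, gets this role.
        severity = "high" if default_role in FULL_ROLES else "medium"
        findings.append((
            severity,
            f"Default Role is {default_role!r}; inherited by "
            f"{', '.join(inherited) or 'no current account'}",
        ))
    for user in fully_privileged(directory_users, remote_roles, default_role):
        role = effective_role(user, remote_roles, default_role)
        reach = "/".join(sorted(INTERFACES[role]))
        # The interface differs per role, the privilege does not: any of these
        # users can change their own role or another user's role.
        findings.append(("review", f"{user}: full access via {reach} ({role})"))
    return findings


# Constructed sample data: accounts on a hypothetical remote server and the
# roles assigned to them on the controller.
SAMPLE_USERS = ["alice", "bob", "carol", "dave"]
SAMPLE_ROLES = {
    "alice": "CLI + Full Web Read/Write",
    "bob": "Web Read Only",
    "carol": "CLI",
}
SAMPLE_DEFAULT = "Partial Web Read/Write"

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_USERS, SAMPLE_ROLES, SAMPLE_DEFAULT):
        print(f"[{severity}] {message}")
```

In the sample, dave has no assigned role and so inherits the Default Role, while carol's CLI role is reported alongside alice's because both carry full access.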

Managing passwords for local user accounts

Sometimes, the users who have accounts stored in the local LDAP database might need to change their passwords. Users can change their passwords by accessing the User Administration screen of the Configuration utility, and then displaying the properties of their user accounts.

This method of changing a password applies not only to the user accounts you create from within the Configuration utility, but also to the admin and support accounts that the Setup utility created when you configured your base network.

For the procedure on changing passwords for locally-stored user accounts, see To change the properties of a user account using the Configuration utility.

Note


To change the password for the root account, you must re-run the Setup utility. For more information, see the following section.

Managing system accounts

As previously described, the Setup utility automatically creates three system accounts--root, admin, and support. Only the support account is optional.

These accounts must be managed in the following ways:

  • The root account
    The root account is defined in the /etc/passwd file on the 3-DNS Controller, and therefore does not reside in either the local LDAP database or a remote LDAP database. To initially create the root account and set its password, you run the Setup utility. To change the root account password later, you must re-run the Setup utility. Because the root account does not reside in the local or a remote LDAP database, it does not appear on the User Administration screens of the Configuration utility. The access level for this account is fixed during creation and cannot be changed.
  • The admin account
    The admin account is defined in the local LDAP database on the 3-DNS Controller. To initially create the admin account and set its password, you run the Setup utility. To change its password later, you use the Configuration utility's User Administration screens. Note, however, that due to redundant system considerations, you must change the password on both units of the redundant system configuration, and you cannot delete the password for this account. The access level for this account is fixed during creation and cannot be changed, except when performing an upgrade.
  • The support account
    The support account is defined in the local LDAP database on the 3-DNS Controller. To initially create the support account and set its password, you run the Setup utility. Unlike the root and admin accounts, however, creating the support account is optional. To change the password and access level for this account later, you use the Configuration utility's User Administration screens.

Managing the SSH Console

An SSH console gives you the ability to use a command line interface to securely manage your local 3-DNS Controller. You can either use the MindTerm SSH console that is available in the navigation pane of the Configuration utility, or you can download a different SSH console from the home screen of the Configuration utility.

Using the MindTerm SSH Client

With the MindTerm SSH Client, you can open an SSH session to the 3-DNS Controller from the Configuration utility. The 3-DNS Controller uses the MindTerm SSH Client to enable secure command line administration from a web browser. You can perform any of the command line tasks in a popup console screen.

Warning


The MindTerm SSH client requires a Java virtual machine to operate. If you are unable to run the MindTerm SSH client, make sure that you have a Java virtual machine installed, and that your browser has Java enabled in the Preferences, or Options, section. For more information on Java virtual machines and download options, visit your web browser manufacturer's web site.

To open the MindTerm SSH Client using the Configuration utility
  1. In the navigation pane, click MindTerm SSH Client.
    A popup screen opens.
  2. When you see the command prompt, press Enter.
  3. Log in to the 3-DNS Controller as you normally would.

Note


When you use the MindTerm SSH Client, you can administer only the local 3-DNS Controller. If you wish to administer remote systems, you do so using an SSH or Telnet session from the command line on the local 3-DNS Controller. For information about installing an SSH client on the administrative workstation, see the following section.

Downloading an SSH client to your administrative workstation

From 3-DNS units that support encrypted communications, you can download the SSH client to your administrative workstation in preparation for remote command line access. In addition to running 3-DNS Controller command line utilities, you can also use the SSH suite for file transfer to and from the 3-DNS Controller, as well as for remote backups.

The SSH client is available for both Windows® and UNIX® platforms, and you can download your preferred client either from the web server or using an FTP connection. You can find detailed information about the SSH client in the documentation provided on the web server, or on the Documentation and Software CD-ROM.

Downloading the SSH client from the web server
  1. Connect to the 3-DNS Controller using https:// rather than http:// in the URL.
  2. In the Additional Software Downloads section, click the SSH Clients link.
  3. From the SSH Clients page, you can select the SSH Client appropriate to your operating system.

Note


You can also download the SSH clients from the Software and Documentation CD, or from the AskF5 web site, http://tech.f5.com.

Setting up an SSH client on a Windows 95 or Windows NT workstation

The SSH client installation file for Windows platforms is compressed in ZIP format. You can use standard ZIP tools, such as PKZip or WinZip to extract the file.

To unzip and install the SSH client
  1. Log on to the Windows workstation.
  2. Navigate to the directory to which you transferred the installation file. Run PKZip or WinZip to extract the files.
  3. The set of files extracted includes a Setup program. Run the Setup program to install the client.
  4. Start the SSH client.
  5. In the SSH Client window, from the Edit menu choose Properties.
    The Properties dialog box opens.
  6. In the Connection tab, in the Remote Host section, type the following items:

    • In the Host Name box, type the 3-DNS Controller IP address or host name.
    • In the User Name box, type the root user name.
  7. In the Options section, check Compression and set the Cipher option to Blowfish.
  8. Click the OK button.

Overview of the Network Map

The 3-DNS Network Map is a dynamic map that illustrates the physical and logical objects in your network. With the Network Map, you can:

  • Visualize the overall structure of your 3-DNS network configuration
  • Use the navigational tools to modify your network configuration
  • View the enabled/disabled state of the various objects in your network

Figure 6.1 Example screen of the Network Map in the Configuration utility

In the Network Map, you can easily see how any component is related to the rest of the network, and how changes to the physical side of the network structure (for example, data centers or servers) can affect the logical side (for example, wide IPs or pools), and vice versa. As shown in Figure 6.1, the wide IP pool, quote_pool, is made up of virtual servers on a BIG-IP system in the data center, NY Data Center.

Working with the Network Map

The Network Map is a highly interactive screen. Not only can you review and make changes to your 3-DNS configuration, but you can also use the information table to quickly check whether an object is enabled or disabled. The following sections describe some of the tasks you can do in the Network Map.

Note


You can view the Network Map only from the Configuration utility.

To view the Network Map using the Configuration utility
  1. In the navigation pane, click Network Map.
    The Network Map screen opens.
  2. Click Undock if you want to open a popup screen of the Network Map.
    For more information on working with the Network Map, click Help on the toolbar.

Using the Network Map to review and modify the network configuration

The Network Map contains the following objects: data centers, servers, wide IPs, pools, and virtual servers. You can double-click any object on the Network Map to expand the object. The relationship of that object to the rest of the network becomes readily apparent, as the components of that object are highlighted in blue throughout the map. For example, if you double-click a data center, the data center expands, displaying and highlighting all of the servers that reside in that data center. Toward the bottom of the map, the wide IPs that contain a virtual server belonging to the servers in the selected data center are also highlighted. You can continue to double-click the objects to narrow your scope.

From the Network Map, you can also navigate to the screens where you configure the various objects. You do this by right-clicking the object name. A popup menu opens, displaying various options from which you can choose, depending on what part of that object you want to configure. For example, if you right-click a wide IP name, and from the popup menu select Configure, the Modify Wide IP screen opens, where you can modify the settings for the wide IP definition.

Using the information table on the Network Map

When you double-click any object on the Network Map, the information table at the bottom of the Network Map screen displays the following details about that object:

  • Object type
  • Object name
  • Object IP address
  • Any child objects for the highlighted object
  • Object status

You can also refresh the Network Map by clicking the Refresh button next to the information table.

Managing your configuration with the Network Map

The Network Map is a dynamic, illustrative map of the physical and logical components of your network. The Network Map lets you see how the data centers, servers, and virtual servers you configured are mapped to the wide IPs and pools you configured for load balancing. You can also make changes to your configuration from the Network Map, using the following options:

  • You can double-click any object name on the Network Map to expand the object.
  • You can right-click any object name to view a popup menu of configuration options for that object.

To manage your configuration using the Network Map
  1. In the navigation pane, click Network Map.
    The Network Map screen opens.
  2. To see the relationships between the components, double-click the component. The tree expands and the component is highlighted (in blue).
  3. To modify a component, right-click the component to view a popup menu, then select the item you want to change.
  4. You can also click the name of the component in the status bar in the lower portion of the screen to edit the component's configuration.

For more information on the features of the Network Map, click Help on the toolbar.

Warning


The Network Map requires a Java virtual machine to operate. If you are unable to view the Network Map, make sure that you have a Java virtual machine installed and that your browser has Java enabled in the Preferences, or Options, section. For more information on Java virtual machines and download options, visit your web browser manufacturer's web site.

Viewing system statistics

Using the Configuration utility, you can view current statistics about the following objects in the configuration:

| Statistics screen | Description |
|---|---|
| Summary | Provides information about the 3-DNS Controller itself. |
| Globals | Provides information on the global settings for the 3-DNS Controller. |
| System Graphs | Provides CPU usage and memory usage statistics for the 3-DNS Controller in a graphical format so that you can view changes and trends in statistics over time. |
| Metrics | Provides performance information for the servers, virtual servers, and pools you have configured. |
| Links | Provides information about the router links in the network. |
| P95 Billing | Provides information about the average actual link utilization compared to purchased bandwidth. |
| Disabled | Provides information on the servers, virtual servers, wide IPs, pools, and data centers that are currently disabled. |
| Requests | Provides information on the virtual connections between local DNS servers and virtual servers for given wide IPs in the network. |
| Data Centers | Provides information on the data centers in your network. |
| Sync Group | Provides information on the 3-DNS Controllers that are in the same sync group as the controller that you are looking at. |
| Wide IPs | Provides information on the wide IPs, pools, and virtual servers in the pools. |
| ECV | Provides performance information for any ECV health monitors you have configured. |
| 3-DNS | Provides information on the 3-DNS Controllers you have configured. |
| BIG-IP | Provides information on the BIG-IP systems you have configured. |
| EDGE-FX | Provides information on the EDGE-FX systems you have configured. |
| Probers | Provides information on the probers you have configured. |
| Hosts | This statistics screen provides information on the hosts you have configured. |
| Virtual servers | Provides information on the virtual servers you have configured. |
| Weather Map | Provides information on the average round trip times, average completion rates, and average router hops between the data centers or links you have configured and local DNS servers. |
| Paths | Provides information on the paths created by the 3-DNS Controller when paths are required to fulfill name resolution requests. |
| Local DNS | Provides information on the local DNS servers in the 3-DNS Controller database. |

To view system statistics
  1. In the navigation pane, expand the Statistics item.
  2. From the list, select the item representing the statistics you wish to view.
  3. For details about the information displayed on a specific statistics screen, click Help on the toolbar.

Overview of the Internet Weather Map

The Internet Weather Map statistics screen, in the Configuration utility, provides the following data about the Internet:

  • The average round trip time between the local DNS servers on a particular continent and the data centers or links in your network
  • The average completion rate between the local DNS servers on a particular continent and the data centers or links in your network
  • The average number of router hops between the local DNS servers on a particular continent and the data centers or links in your network

The data displayed in the Internet Weather Map is based on path data, which is collected when you use a dynamic load balancing mode such as Round Trip Times or Quality of Service. For more information on dynamic load balancing modes, see Using dynamic load balancing modes.

To view the Internet Weather Map statistics screen using the Configuration utility
  1. Expand the Statistics item in the navigation pane.
  2. Click Weather Map.
    The Internet Weather Map Statistics screen opens.
  3. For information on working with the Internet Weather Map Statistics screen, view the online help.

The round trip time and completion rate data on the Internet Weather Map Statistics screen are based on path metrics. If you do not have path probing activated, the data on this screen is stale. The router hops data are based on information collected by the traceroute utility. If you do not allow the 3-DNS Controller to collect hops information, the average router hops data is stale.

To activate path probing and hops data collection using the Configuration utility
  1. In the navigation pane, click System.
    The System - General screen opens.
  2. On the toolbar, click Metric Collection.
    The System - Metric Collection screen opens.
  3. Check the Allow Probing box.
    The 3-DNS Controller can now collect path information for the data centers in your configuration.
  4. Check the Allow Hops box.
    The 3-DNS Controller can now collect router hops information for the data centers in your configuration.

Working with the Average Round Trip Time table

In the Average Round Trip Time table on the Internet Weather Map Statistics screen, you can view the following information:

  • The average round trip time for each data center or link to each continent
  • For each data center or link, the best average round trip time to the local DNS servers on a particular continent. This value is indicated by bold text within the table.
  • For each continent, the best average round trip time from the data centers or links. This value is indicated by underlined text within the table.

If you hold the mouse pointer over the Information button, you can view the following additional information:

  • For a particular data center or link, the number of local DNS servers used to calculate the average round trip time
  • For all the local DNS servers that have been probed by a particular data center, the percentage of those local DNS servers that are located on a particular continent
  • For all the local DNS servers on a particular continent, the percentage of those local DNS servers that have been probed by a particular data center or link

Working with the Average Completion Rate table

In the Average Completion Rate table on the Internet Weather Map Statistics screen, you can view the following information:

  • The average completion rate for each data center or link to each continent
  • For each data center or link, the best average completion rate to the local DNS servers on a particular continent. This value is indicated by bold text within the table.
  • For each continent, the best average completion rate from the data centers or over the links. This value is indicated by underlined text within the table.

If you hold the mouse pointer over the Information button, you can view the following additional information:

  • For a particular data center or link, the number of local DNS servers used to calculate the average completion rate
  • For all the local DNS servers that have been probed by a particular data center or link, the percentage of those local DNS servers that are located on a particular continent
  • For all the local DNS servers on a particular continent, the percentage of those local DNS servers that have been probed by a particular data center or link

Working with the Average Router Hops table

In the Average Router Hops table on the Internet Weather Map Statistics screen, you can view the following information:

  • The average number of router hops between each data center or link and each continent
  • For each data center or link, the best average number of router hops to the local DNS servers on a particular continent. This value is indicated by bold text within the table.
  • For each continent, the best average number of router hops from the data centers or over the links. This value is indicated by underlined text within the table.

If you hold the mouse pointer over the Information button, you can view the following additional information:

  • For a particular data center or link, the number of local DNS servers used to calculate the average number of router hops
  • For all the local DNS servers that have been probed by a particular data center or link, the percentage of those local DNS servers that are located on a particular continent
  • For all the local DNS servers on a particular continent, the percentage of those local DNS servers that have been probed by a particular data center or link

Interpreting the Internet Weather Map data

You can use the data in the Internet Weather Map (IWM) to compare performance between data centers or links. By comparing data center performance over time, you can stage your content in the data centers based on actual usage. The two data points that help you determine which data center has the best performance are the RTT response time (lower is better), and the Completion Rate (higher is better). One easy way to compare data center or link performance over time is to print a screen shot of the IWM at a certain time every day.

You can also use the IWM data to determine which data center or link best serves content for which continent. By analyzing which data center or link provides the best response (usually the lowest RTT and the highest relative completion rate) for a given continent, you can localize your content in the data center that provides the most efficient content delivery.

Working with command line utilities

The 3-DNS Controller includes several command line utilities. These utilities allow you to configure various features of the 3-DNS Controller from the command line. For additional 3-DNS configuration options, you may also want to review the following chapters. For information on working with the Setup utility, see the 3-DNS Administrator Guide, Chapter 3, Using the Setup Utility.

Viewing command line utilities documentation

You can access the most current documentation on 3-DNS utilities by using the Configuration utility or by using the command line. You can view all the documentation for the 3-DNS Controller from the main screen of the Configuration utility, including the man pages for the utilities that are shipped with the system.

To view 3-DNS man pages using the Configuration utility
  1. Log on to the Configuration utility.
  2. From the Online Documentation section of the 3-DNS Controller home screen, click 3-DNS Man Pages.
    A screen containing an index of 3-DNS man pages opens.
To display a list of utilities that fall into a particular category

To display a list of utilities that fall into a particular category, type the following command:

man -k <category>

For example, to get a list of utilities that pertain to DNS, type the following command:

man -k dns

To display documentation for a specific 3-DNS utility

To display the man page for a specific utility, type the following command:

man <utility>

For example, if you type the following command, the 3dparse man page appears:

man 3dparse

     

Working with the 3-DNS Maintenance menu

The 3-DNS Maintenance menu is a utility that you can use to configure and monitor the 3-DNS Controller from the command line. You can perform the following tasks:

  • Work with security issues
  • Work with the big3d agent

Figure 6.2 shows the main screen of the 3-DNS Maintenance menu.

Figure 6.2 The 3-DNS Maintenance menu main screen


3-DNS (R) Maintenance Menu

Configure SSH communication with remote devices
Generate and Copy iQuery Encryption Key
Check remote versions of big3d
Install and Start big3d
Enter 'q' to Quit
 
To use the 3-DNS Maintenance menu from the command line
  1. On the command line, type the following command to open the menu:

    3dnsmaint

  2. From the menu, choose the command you wish to run, and press the Enter key.

Each command is described in the following sections.

Working with security issues

You can use the following commands to address security issues for your network setup.

Configure SSH communication with remote devices

The Configure SSH communication with remote devices command runs the config_ssh script, which configures secure shell access to any new 3-DNS Controller, BIG-IP, or EDGE-FX system that is added to a network. For more information, see Working with scripts.

Generate and Copy iQuery Encryption key

The Generate and Copy iQuery Encryption key command runs the install_key script, which then runs the F5makekey program. The F5makekey program generates a seed key for encrypting communications between the 3-DNS Controller and any BIG-IP systems or EDGE-FX systems in the network. For more information, see Working with scripts.

Working with the big3d agent

You can use the following commands to work with the big3d agent, which collects information about paths between a data center and a specific local DNS server.

Check remote versions of big3d

The Check remote versions of big3d command runs the big3d_version script. This script checks that the correct version of big3d is running on all BIG-IP systems and EDGE-FX systems known to the 3-DNS Controller.

Install and Start big3d

The Install and Start big3d command runs the big3d_install script, which installs and starts the appropriate version of the big3d agent on each BIG-IP system and EDGE-FX system in the network.

Restart big3d

The Restart big3d command runs the big3d_restart script, which stops and restarts the big3d agent on each BIG-IP system and EDGE-FX system in the network.

Working with scripts

The 3-DNS Controller ships with several scripts to simplify many configuration and maintenance tasks. This chapter provides information about the functionality of these scripts. If you plan on performing a task from the command line that uses a script, you should find this section helpful. Many scripts correspond to commands on the 3-DNS Maintenance menu, so you may want to also review Working with the 3-DNS Maintenance menu.

Note


Before you edit a script, make a backup copy of the original.

3dns_add script

Use the 3dns_add script to add a new 3-DNS Controller to an existing sync group in your network. The 3dns_add script copies all configuration information from an existing 3-DNS Controller onto the new system. For more details on using this script, refer to the 3-DNS Administrator Guide, Chapter 10, Adding a 3-DNS Controller to an Existing Network.

Warning


You can accidentally remove all configuration information on your existing 3-DNS Controller if you do not follow the guidelines in the 3-DNS Administrator Guide, Chapter 10, Adding a 3-DNS Controller to an Existing Network. Use caution when you run this script.

3dnsmaint script

The 3dnsmaint script opens the 3-DNS Maintenance menu. See Working with the 3-DNS Maintenance menu for more information.

3ndc script

The 3ndc script starts the 3ndc utility, which is described in the 3ndc man page.

big3d_restart script

The big3d_restart script corresponds to the Restart big3d command on the 3-DNS Maintenance menu. This script stops and restarts the big3d agent on each BIG-IP system and EDGE-FX system known to the 3-DNS Controller.

big3d_version script

The big3d_version script corresponds to the Check remote versions of big3d command on the 3-DNS Maintenance menu. This script displays the version numbers for all BIG-IP systems and EDGE-FX systems known to the 3-DNS Controller, as well as the version numbers of the big3d agent running on those systems.

config_ssh script

The config_ssh script corresponds to the Configure SSH communication with remote devices command on the 3-DNS Maintenance menu. All 3-DNS scripts and synchronization require secure communications between systems. Any time you add a new 3-DNS Controller, BIG-IP system, or EDGE-FX system to a network, you can run the config_ssh script, and if no ssh key exists on the system, the script configures ssh access.

install_key script

The install_key script corresponds to the Generate and Copy iQuery Encryption Key command on the 3-DNS Maintenance menu. This script starts the F5makekey program, and generates a seed key for encrypting communications between the 3-DNS Controllers and (if you have any in your network) BIG-IP or EDGE-FX systems. The install_key script creates and distributes the iQuery key to all BIG-IP systems, EDGE-FX systems, and other 3-DNS Controllers in your network.

To start the F5makekey program, type the following at the command line, in the /usr/local/bin directory:

F5makekey

The F5makekey program creates the key in the /usr/local/bin/F5key.dat directory. The key contains a random length (12-52) of random content (1-255). This array of values is used by MD-160, a one-way hash function, to generate a key (7 characters in length) for the Blowfish encryption algorithm. Once the key is created, you need to move it to the /config/3dns/etc/F5key.dat directory. You must then create a link from the /config/3dns/etc/F5key.dat directory to the /usr/local/bin/F5key.dat directory.

Note


We recommend that you use the Generate and Copy iQuery Encryption Key script to generate the keys that are required for encrypted communications.

Configuring Email

You can configure the 3-DNS Controller to send email notifications to you, or to other administrators, using the sendmail utility. The 3-DNS Controller includes a sample Sendmail configuration file that you can use to start with, but you must customize the Sendmail setup for your network environment before you can use it.

Before you begin setting up Sendmail, you may need to look up the name of the mail exchanger for your domain. If you already know the name of the mail exchanger, refer to Setting up the sendmail utility for details about setting up the sendmail utility itself.

Finding the mail exchanger for your domain

You can use the nslookup command on any workstation that is configured for lookup. Once you find the primary IP address for your domain, you can find the mail exchanger for your domain.

To find the mail exchanger for your domain
  1. Identify the default server name for your domain. From a workstation capable of name resolution, type the following on the command line:

    nslookup

  2. The command returns a default server name and corresponding IP address:

    Default Server: <server name>
    Address: <server>

  3. Use the domain name to query for the mail exchanger:

    set q=mx
    <domain name>

    The returned information includes the name of the mail exchanger. For example, the sample information shown in Figure 6.3 lists bigip.net as the preferred mail exchanger.

    Figure 6.3 Sample mail exchanger information


    bigip.net preference = 10, mail exchanger = mail.siterequest.com
    bigip.net nameserver = ns1.bigip.net
    bigip.net nameserver = ns2.bigip.net
    bigip.net internet address = 192.168.112.1
    ns1.bigip.net internet address = 192.168.112.2
    ns2.bigip.net internet address = 192.168.112.3
     

Setting up the sendmail utility

When you set up the sendmail utility, you need to open and edit a couple of configuration files. Note that the 3-DNS Controller does not accept email messages. You can use the crontab utility to purge unsent or returned messages, and you can send those messages to yourself or another administrator.

To set up and start the sendmail utility
  1. Copy /config/sendmail.cf.off to /config/sendmail.cf.
  2. To set the name of your mail exchange server, open the /config/sendmail.cf file and set the DS variable to the name of your mail exchanger. The syntax for this entry is:

    DS<MAILHUB_OR_RELAY>

  3. Save and close the /config/sendmail.cf file.
  4. If you want to allow the sendmail utility to flush outgoing messages from the queue for mail that cannot be delivered immediately:

    1. Open the /config/crontab file, and change the last line of the file to read:

      0,15,30,45 * * * * root /usr/sbin/sendmail -q > /dev/null 2>&1

    2. Save and close the /config/crontab file.
  5. If you want to prevent returned or undelivered email from going unnoticed:

    1. Open the /config/aliases file and create an entry for root to point to you or another administrator at your site:

      root: networkadmin@SiteOne.com

    2. Save and close the /config/aliases file.
    3. Run the newaliases command to generate a new aliases database that incorporates the information you added to the /config/aliases file.
  6. To turn the sendmail utility on, either reboot the system or type the following command:

    /usr/sbin/sendmail -bd -q30m
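
The following is an added example, not part of the 3-DNS documentation or software. It reads the mail exchanger field from MX output in the Figure 6.3 format, applies steps 1 through 3 to copies of the files, and reports which later steps are not yet in place. The function names and the CONF staging directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the 3-DNS manual. CONF is an assumed staging
# directory that holds copies of the /config files named in the procedure.

# Print the lowest-preference mail exchanger from "set q=mx" output.
pick_mx() {
    awk -F'[=,]' '/mail exchanger =/ {
        pref = $2 + 0; host = $4; gsub(/[ \t\r]/, "", host)
        if (best == "" || pref < bestpref) { best = host; bestpref = pref }
    } END { if (best == "") exit 1; print best }'
}

# Steps 1-3: copy sendmail.cf.off to sendmail.cf and set the DS variable.
set_mailhub() {   # usage: set_mailhub CONF MAILHUB
    [ -f "$1/sendmail.cf.off" ] || return 1
    # The value is written into a config file: accept host-name characters only.
    case $2 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    sed "s/^DS.*/DS$2/" "$1/sendmail.cf.off" > "$1/sendmail.cf"
}

# Report every step that is not in place; non-zero status if any is missing.
check_setup() {   # usage: check_setup CONF
    rc=0
    grep -q '^DS[A-Za-z0-9]' "$1/sendmail.cf" 2>/dev/null ||
        { echo "step 2: DS is not set in sendmail.cf"; rc=1; }
    tail -n 1 "$1/crontab" 2>/dev/null |
        grep -q '^0,15,30,45 \* \* \* \* root /usr/sbin/sendmail -q' ||
        { echo "step 4: queue flush is not the last line of crontab"; rc=1; }
    grep -q '^root:[[:space:]]*[^[:space:]]*@' "$1/aliases" 2>/dev/null ||
        { echo "step 5: root alias does not point to a mailbox"; rc=1; }
    return $rc
}

# Constructed demo in a scratch directory (the file contents are made up).
CONF=$(mktemp -d)
printf '%s\n' 'DS' > "$CONF/sendmail.cf.off"
mx=$(echo 'bigip.net preference = 10, mail exchanger = mail.siterequest.com' | pick_mx)
set_mailhub "$CONF" "$mx" && check_setup "$CONF" ||
    echo "(demo: steps 4 and 5 are optional and not staged here)"
rm -rf "$CONF"
```

Steps 4 and 5 are optional in the procedure, so a report for either one is informational rather than an error.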

Using a serial terminal with the 3-DNS Controller

There are two ways to add a serial terminal to the 3-DNS Controller. You can add a serial terminal in addition to the console, or you can add a serial terminal as the console. The difference between the two is:

  • A serial terminal configured as a terminal displays a simple login. You can log in and run commands and edit files. In this case, you can use the serial terminal in addition to the keyboard and monitor.
  • A serial terminal configured as the console displays system messages and warnings in addition to providing a login prompt. In this case, the serial terminal replaces the keyboard and monitor.
To connect the serial terminal to the 3-DNS Controller

Connect a serial line cable between the terminal device and the 3-DNS Controller. On the back of the 3-DNS Controller is a male, 9-pin RS232C connector labeled Terminal. (Be sure not to confuse this with the fail-over connection, which is also a male, 9-pin connector.)

Warning


Do not use the fail-over cable to connect the serial terminal to the 3-DNS Controller. A null modem cable is required.

The connector is wired as a DTE device, and uses the signals described in Table 6.2.

Pin   Source     Usage
1     External   Carrier detect
2     External   Received data
3     Internal   Transmitted data
4     Internal   Data terminal ready
5     Both       Signal ground
7     Internal   Request to send
8     External   Clear to send

The connector is wired for direct connection to a modem, with receipt of a Carrier Detect signal generating transmission of a login prompt by the 3-DNS Controller. If you are planning to connect to a terminal or to connect a PC and utilize a terminal emulation program such as HyperTerminal™, you need a null modem cable with the wiring to generate the signals shown in Table 6.2.

Note


You can achieve acceptable operation by wiring pins 7 to 8 and pins 1 to 4 at the back of the 3-DNS Controller (and turning hardware flow control off in your terminal or terminal emulator).

Configuring a serial terminal in addition to the console

You can configure a serial terminal for the 3-DNS Controller in addition to the standard console.

To configure the serial terminal in addition to the console
  1. Connect the serial terminal to the 3-DNS Controller.
  2. Configure the serial terminal settings in your terminal or terminal emulator or modem as follows:

    • 9600 baud
    • 8 bits
    • 1 stop bit
    • No parity
  3. Open the /etc/ttys file and find the line that reads tty00 off. Modify it as shown here:

    # PC COM ports (tty00 is DOS COM1)

    tty00 "/usr/libexec/getty default" vt100 in secure

  4. Save and close the /etc/ttys file.
  5. Reboot the 3-DNS Controller.

Configuring a serial terminal as the console

You can configure the serial terminal as the console.

To configure the serial terminal as the console
  1. Disconnect the keyboard from the 3-DNS Controller.
  2. Connect the serial terminal to the 3-DNS Controller. When there is no keyboard connected to the 3-DNS Controller, the 3-DNS Controller defaults to using the serial port for the console.
  3. Configure the serial terminal settings in your terminal or terminal emulator or modem as follows:

    • 9600 baud
    • 8 bits
    • 1 stop bit
    • No parity
  4. Reboot the 3-DNS Controller.

Forcing a serial terminal to be the console

In the case where you have not yet connected the serial terminal or it is not active when the 3-DNS Controller is turned on, as it might be if you are using a terminal server or dial-up modem, you can force the controller to use the serial terminal as a console. Note that you do not need to disconnect the keyboard if you use this procedure to force the serial line to be the console.

To force a serial terminal to be the console
  1. Edit the /etc/boot.default file.
    Find the entry -console auto. Change this entry to -console com.
  2. Save the /etc/boot.default file and exit the editor.
  3. Plug the serial terminal into the serial port on the 3-DNS Controller.
  4. Turn on the serial terminal.
  5. Reboot the 3-DNS Controller.

Warning


Once you configure a serial terminal as the console for the 3-DNS Controller, the following conditions apply:

  • Keyboard/monitor access is disabled, and logging in is only possible using Secure Shell (SSH), if configured, or the serial line.
  • If the /etc/boot.default file is corrupted, the system does not boot at all. Save a backup copy of the original file and keep a bootable CD-ROM on hand.
  • The /etc/boot.default file must contain either the line: -console com or the line: -console auto. Do not configure both settings. This could cause problems when you attempt to boot the system.
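
The following is an added example, not part of the 3-DNS documentation or software. It makes the -console change from the procedure above while guarding against the two failure modes in the warning: it keeps a backup of the original file and refuses to install a file that is empty or that carries more than one -console entry. The function names and the .orig and .new suffixes are assumptions, as is each entry sitting on its own line.

```shell
#!/bin/sh
# Added example, not from the 3-DNS manual: change -console auto to
# -console com with a backup and a check before the file is replaced.
# Assumption: each entry in the file sits on its own line.

# Succeeds only if FILE has exactly one -console entry, set to auto or com.
console_ok() {   # usage: console_ok FILE
    [ -s "$1" ] || return 1
    total=$(grep -c -e '-console' "$1" || true)
    valid=$(grep -Ec -e '^[[:space:]]*-console[[:space:]]+(auto|com)[[:space:]]*$' "$1" || true)
    [ "$total" -eq 1 ] && [ "$valid" -eq 1 ]
}

force_serial_console() {   # usage: force_serial_console FILE
    f=$1
    console_ok "$f" ||
        { echo "$f: unexpected -console entries, left unchanged" >&2; return 1; }
    # Keep the first backup: a second run must not overwrite the original.
    [ -e "$f.orig" ] || cp -p "$f" "$f.orig" || return 1
    # Build the new file beside the old one, so a failed write never
    # leaves a truncated boot.default behind.
    cp -p "$f" "$f.new" &&
        sed 's/^\([[:space:]]*-console[[:space:]]\{1,\}\)auto[[:space:]]*$/\1com/' "$f" > "$f.new" &&
        console_ok "$f.new" &&
        grep -Eq -e '^[[:space:]]*-console[[:space:]]+com[[:space:]]*$' "$f.new" ||
        { rm -f "$f.new"; return 1; }
    mv "$f.new" "$f"
}

# Constructed demo on a scratch copy, never on the live /etc/boot.default.
tmp=$(mktemp -d)
printf '%s\n' '-console auto' > "$tmp/boot.default"
force_serial_console "$tmp/boot.default" && cat "$tmp/boot.default"
rm -rf "$tmp"
```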

Shutting down the 3-DNS Controller

When you need to turn the 3-DNS Controller completely off, you need to complete two tasks. The first task is to shut down the 3-DNS software. After you shut down the 3-DNS software, you can turn off the power to the system.

To shut down the 3-DNS software from the command line
  1. To shut down the 3-DNS software, type the following command:

    halt

  2. When you see the following message, it is safe to turn off the power to the physical system:

    System is halted, hit reset, turn power off, or press return to reboot

Warning


Do not remove the power supply from the power source to turn off the 3-DNS Controller. Doing so may result in irrevocable damage to the system.