F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP DNS
  4. BIG-IP DNS: Implementations
  5. Configuring BIG-IP DNS on a Network with One Route Domain
Manual Chapter : Configuring BIG-IP DNS on a Network with One Route Domain

Applies To:

Show Versions Show Versions

BIG-IP DNS

  • 13.0.1, 13.0.0
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Overview: How do I deploy BIG-IP DNS on a network with one route domain?

You can deploy BIG-IP® DNS on a network where BIG-IP Local Traffic Manager™ (LTM®) is configured with one route domain and no overlapping IP addresses.

CAUTION:
For BIG-IP systems that include both LTM and BIG-IP DNS, you can configure route domains on internal interfaces only. F5 Networks does not support the configuration of route domains on a standalone BIG-IP DNS.
BIG-IP DNS deployed on a network in front of a BIG-IP LTM configured with a route domain

BIG-IP DNS deployed on a network in front of a BIG-IP LTM configured with a route domain

Task summary

Perform these tasks to configure a route domain, and then to configure BIG-IP DNS to be able to monitor the LTM systems.

Creating VLANs for a route domain on BIG-IP LTM

You need to create two VLANs on BIG-IP® LTM® through which traffic can pass to a route domain.
  1. On the Main tab, click Network > VLANs .
    The VLAN List screen opens.
  2. Click Create.
    The New VLAN screen opens.
  3. In the Name field, type external.
  4. In the Tag field, type a numeric tag, between 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
    The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. For the Interfaces setting:
    1. From the Interface list, select an interface number or trunk name.
    2. From the Tagging list, select Tagged or Untagged.
      Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
    3. If you specified a numeric value for the Customer Tag setting and from the Tagging list you selected Tagged, then from the Tag Mode list, select a value.
    4. Click Add.
    5. Repeat these steps for each interface or trunk that you want to assign to the VLAN.
  6. If you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated, select the Source Check check box.
  7. For the Hardware SYN Cookie setting, select or clear the check box.
    When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.
    Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
  8. For the Syncache Threshold setting, retain the default value or change it to suit your needs.
    The Syncache Threshold value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.

    When the Hardware SYN Cookie setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:

    • The number of TCP half-open connections defined in the LTM® setting Global SYN Check Threshold is reached.
    • The number of SYN flood packets defined in this Syncache Threshold setting is reached.
  9. For the SYN Flood Rate Limit setting, retain the default value or change it to suit your needs.
    The SYN Flood Rate Limit value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
  10. Click Finished.
    The screen refreshes, and displays the new VLAN in the list.
Repeat this procedure, but in Step 3, name the VLAN internal.

Creating a route domain on the BIG-IP system

Before you create a route domain:
  • Ensure that an external and an internal VLAN exist on the BIG-IP® system.
  • If you intend to assign a static bandwidth controller policy to the route domain, you must first create the policy. You can do this using the BIG-IP Configuration utility.
  • Verify that you have set the current partition on the system to the partition in which you want the route domain to reside.
You can create a route domain on BIG-IP system to segment (isolate) traffic on your network. Route domains are useful for multi-tenant configurations.
  1. On the Main tab, click Network > Route Domains .
    The Route Domain List screen opens.
  2. Click Create.
    The New Route Domain screen opens.
  3. In the Name field, type a name for the route domain.
    This name must be unique within the administrative partition in which the route domain resides.
  4. In the ID field, type an ID number for the route domain.
    This ID must be unique on the BIG-IP system; that is, no other route domain on the system can have this ID.
    An example of a route domain ID is 1.
  5. In the Description field, type a description of the route domain.
    For example: This route domain applies to application traffic for Customer A.
  6. For the Strict Isolation setting, select the Enabled check box to restrict traffic in this route domain from crossing into another route domain.
  7. For the Parent Name setting, retain the default value.
  8. For the VLANs setting, from the Available list, select a VLAN name and move it to the Members list.
    Select the VLAN that processes the application traffic relevant to this route domain.
    Configuring this setting ensures that the BIG-IP system immediately associates any self IP addresses pertaining to the selected VLANs with this route domain.
  9. For the Dynamic Routing Protocols setting, from the Available list, select one or more protocol names and move them to the Enabled list.
    You can enable any number of listed protocols for this route domain.
  10. From the Bandwidth Controller list, select a static bandwidth control policy to enforce a throughput limit on traffic for this route domain.
  11. From the Partition Default Route Domain list, select either Another route domain (0) is the Partition Default Route Domain or Make this route domain the Partition Default Route Domain.
    This setting does not appear if the current administrative partition is partition Common.
    When you configure this setting, either route domain 0 or this route domain becomes the default route domain for the current administrative partition.
  12. Click Finished.
    The system displays a list of route domains on the BIG-IP system.
You now have another route domain on the BIG-IP system.

Creating a self IP address for a route domain on BIG-IP LTM

Ensure that external and internal VLANs exist on BIG-IP® LTM®, before you begin creating a self IP address for a route domain.
Create a self IP address on LTM that resides in the address space of the route domain.
  1. On the Main tab, click Network > Self IPs .
  2. Click Create.
    The New Self IP screen opens.
  3. In the Name field, type a unique name for the self IP address.
  4. In the IP Address field, type an IP address.
    This IP address must represent a self IP address in a route domain. Use the format x.x.x.x%n, where n is the route domain ID, for example, 10.1.1.1%1.
    The system accepts IPv4 and IPv6 addresses.
  5. In the Netmask field, type the network mask for the specified IP address.

    For example, you can type 255.255.255.0.

  6. From the VLAN/Tunnel list, select external.
  7. From the Port Lockdown list, select Allow Default.
  8. Click Finished.
    The screen refreshes, and displays the new self IP address.
Repeat all steps, but in Step 6 (from the VLAN/Tunnel list) select VLAN internal.

Defining a server for a route domain on BIG-IP DNS

Ensure that at least one data center exists in the configuration.
On a BIG-IP® DNS system, define a server that represents the route domain.
  1. On the Main tab, click DNS > GSLB > Servers .
    The Server List screen opens.
  2. Click Create.
    The New Server screen opens.
  3. In the Name field, type a name for the server.
    Important: Server names are limited to 63 characters.
  4. From the Product list, select BIG-IP System.
  5. From the Data Center list, select the data center where the server resides.
  6. From the Prober Preference list, select the preferred type of prober(s).
    Option Description
    Inherit From Data Center By default, a server inherits the prober preference selection assigned to the data center in which the server resides.
    Inside Data Center A server selects the probers from inside the data center where the server resides.
    Outside Data Center A server selects the probers from outside the data center where the server resides.
    Specific Prober Pool Select one of the Prober pools from the drop-down list. When assigning the Prober pool at the server level.

    Note: Prober pools are not used by the bigip monitor.
  7. From the Prober Fallback list, select the type of prober(s) to be used if insufficient numbers of the preferred type are available.
    Option Description
    Inherit From Data Center By default, a server inherits the prober fallback selection assigned to the data center in which the server resides.
    Any Available For selecting any available prober.
    Inside Data Center A server selects probers from inside the data center where the server resides.
    Outside Data Center A server selects probers from outside the data center where the server resides.
    None No fallback probers are selected. Prober fallback is disabled.
    Specific Prober Pool Select one of the Probers from the drop-down list. When you want to assign a Prober pool at the server level.
  8. In the BIG-IP System devices area, add the self IP address that you assigned to the VLAN that you assigned to the route domain.
    Important: Do not include the route domain ID in this IP address. Use the format x.x.x.x, for example, 10.10.10.1.
  9. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
  10. From the Availability Requirements list, select one of the following and enter any required values.
    Option Description
    All Health Monitors By default, specifies that all of the selected health monitors must be successful before the server is considered up (available).
    At Least The minimum number of selected health monitors that must be successful before the server is considered up.
    Require The minimum number of successful probes required from the total number of probers requested.
  11. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system.
    Virtual server discovery is supported when you have only one route domain.
    Option Description
    Disabled Use this option when you plan to manually add virtual servers to the system, or if your network uses multiple route domains. This is the default value.
    Enabled The system automatically adds virtual servers using the discovery feature.
    Enabled (No Delete) The system uses the discovery feature and does not delete any virtual servers that already exist.
  12. Click Finished.
    The Server List screen opens displaying the new server in the list.

Running the big3d_install script

Determine the self IP addresses of the BIG-IP® systems that you want to upgrade with the latest big3d agent. Ensure that port 22 is open on these systems.
Run the big3d_install script on the DNS system you are adding to your network. This upgrades the big3d agents on the other BIG-IP systems on your network. It also instructs these systems to authenticate with the other BIG-IP systems through the exchange of SSL certificates. For additional information about running the script, see K13312 on AskF5.com (www.askf5.com).
Note: You must perform this task from the command-line interface.
Important: All target BIG-IP systems must be running the same or an older version of BIG-IP software.
  1. Log in as root to the BIG-IP DNS system you are adding to your network.
  2. Run this command to access tmsh:
    tmsh
  3. Run this command to run the big3d_install script:
    run gtm big3d_install <IP_addresses_of_target BIG-IP_systems>
    The script instructs BIG-IP DNS to connect to each specified BIG-IP system.
  4. If prompted, enter the root password for each system.
The SSL certificates are exchanged, authorizing communications between the systems. The big3d agent on each system is upgraded to the same version as is installed on the BIG-IP DNS system from which you ran the script.

Running the bigip_add script

You must determine the self IP addresses of the LTM® systems that you want to communicate with BIG-IP® DNS before you start this task.
You run the bigip_add script on the BIG-IP DNS system you are installing on a network that includes other BIG-IP® systems of the same version. This script exchanges SSL certificates so that each system is authorized to communicate with the other. For additional information about running the script, see K13312 on AskF5.com (www.askf5.com).
Note: The BIG-IP DNS and BIG-IP LTM systems must have TCP port 22 open for the script to work. You must perform this task from the command-line interface.
  1. Log in as root to the BIG-IP DNS system you are installing on your network.
  2. Run this command to access tmsh.
    tmsh
  3. Run this command to run the bigip_add utility:
    run gtm bigip_add <IP_addresses_of_BIG-IP_LTM_systems>
    The utility exchanges SSL certificates so that each system is authorized to communicate with the other.
The specified BIG-IP systems can now communicate with BIG-IP DNS.

Implementation result

You now have an implementation in which BIG-IP® DNS can monitor virtual servers on BIG-IP LTM® systems configured with one route domain.

Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information