Brocade Communications Systems 12.4.00 - page 73

ServerIron ADX Global Server Load Balancing Guide 61

53-1002437-01

Secure GSLB 1

NOTE

When you specify a TCP port for the key exchange communication, DO NOT use port 182, or

the port that you configured for GSLB communication traffic. The default destination TCP port

for key exchange is 56895.

To change default TCP port when doing public key exchange, enter a command such as the

following:

ServerIronADX(config)# crypto key-exchange passive 111

3. David connects to Bob's device and send his RSA public key. The fingerprint of the key is

displayed on David's screen.

SLB-Ctrl-ServerIronADX(config)#crypto key-exchange 100.1.1.1

Ctrl-ServerIronADX

Public key for Ctrl-ServerIronADX:

Serial Number

Fingerprint 7355edda 95906e7e f04e38a3 61f640fa c2e61fa7

The command syntax is crypto key-exchange <IP address> <name> [<decimal>].

The <IP address> parameter specifies peer IP address this device talks to. The <name>

parameter specifies the host name of local device. The <decimal> parameter specifies TCP

port used for the key exchange communication, such as the following:

ServerIronADX(config)# crypto key-exchange 100.1.1.1 test 111

4. Bob receives David's public key. The fingerprint is printed on Bob's screen. Both Bob and David

read out the fingerprint and verify they match.

SLB-Site-ServerIronADX(config)#

Public key for Ctrl-ServerIronADX:

Serial Number

Fingerprint 7355edda 95906e7e f04e38a3 61f640fa c2e61fa7

Add this public key to the configuration?(enter 'y' or 'n'):

If they are the same, Bob answers `Y' to accept David's public key.

5. David waits for Bob to send his public key.

Wait for peer to send a key(enter 'y' or 'n'): y

Waiting ....

6. Bob sends back his public key.

Send peer a key in return(enter 'y' or 'n'): y

Public key for Site-ServerIronADX:

Serial Number

Fingerprint 92c8e6a2 cfe214e8 2645886f 2c7c6379 e0bfd96e

7. On David's device, Bob's fingerprint is displayed. Once again, both Bob and David read out the

fingerprint to verify the key.

SLB-Ctrl-ServerIronADX(config)#

Public key for Site-ServerIronADX:

Serial Number

Fingerprint 92c8e6a2 cfe214e8 2645886f 2c7c6379 e0bfd96e

8. David accepts Bob's public key and adds it to his database. The key exchange is complete.

Add this public key to the configuration?(enter 'y' or 'n'): y

Contents

Main Brocade Communications Systems, Incorporated Document History 53-1002437-01 New document January 2012 Title Publication number Summary of changes Date ServerIron ADX Global Server Load Balancing Guide Contents About This Document Chapter 1 Global Server Load Balancing Page Page Chapter 2 Global Server Load Balancing for IPv6 Appendix A Reference Materials Page About This Document Audience Supported hardware and software Document conventions Notice to the reader Related publications Getting technical help or reporting errors Web access E-mail and telephone access Page Chapter Global Server Load Balancing Global Server Load Balancing overview Basic concepts Page GSLB example Page GSLB policy Server health Weighted IP metric Weighted site metric Site ServerIron ADXs session capacity threshold Active bindings metric Round-trip time between the remote ServerIron ADX and the client Geographic location of the server Site ServerIron ADXs connection load Site ServerIron ADXs available session capacity tolerance Site ServerIron ADXs FlashBack speed Site ServerIron ADXs administrative preference The least response selection Round robin selection Page Minimum required configuration FIGURE 2 Controller SI Site SI Minimum required configuration Syntax: show gslb policy Configuring GSLB 1 Configuring GSLB TABLE 1 Feature See page... TABLE 1 Proxy for DNS server Adding a source IP address Configuring real server and virtual server for the DNS server Enabling the GSLB protocol Configuring a site Specifying site locations Specifying GSLB controller locations Configuring a zone Applying GSLB to CNAME records Configuring HTTP health check parameters Configuring DNS domain name aliases Configuring null host names Configuration example Private VIPs for GSLB FIGURE 3 Configuring a public IP address for a VIP SI SI Private VIP display information Displaying GSLB IP information Configuring GSLB protocol parameters Changing the protocol port number Changing the GSLB protocol update period Modifying GSLB parameters related to DNS responses Page Page Page Changing the GSLB policy metrics Configuring GSLB protocol parameters 1 TABLE 2 Configuring GSLB protocol parameters Changing the order of GSLB policy metrics Disabling or re-enabling individual GSLB policy metrics Clearing DNS selection counters Implementing the weighted IP metric TABLE 3 TABLE 4 Page Implementing the weighted site metric TABLE 5 TABLE 6 Page Page Implementing the active bindings metric Page GSLB active bindings enhancements Configuring connection load parameters Changing the session-table capacity threshold and tolerance values Changing the FlashBack tolerance values Modifying round-trip time values Page Page Enabling default geographic location Secure GSLB Initial session key generation RSA challenge dialogue GSLB message content randomization Configuring secure GSLB Configuring secure-communication on the controller Generating RSA key pair Exchanging public keys Page Selecting a peer public key management option Regenerating the session keys Manually regenerating the session keys Dynamically regenerating the session keys Minimum GSLB configuration Site persistence in GSLB using stickiness Algorithm Enabling sticky GSLB Allowing sticky sessions for a specific prefix length Configuring the sticky GSLB session life time Displaying current sticky GSLB sessions Site persistence in GSLB using stickiness 1 Sticky GSLB counters Deleting sticky GSLB session for a specific client Deleting all sticky GSLB sessions Site persistence in GSLB using hashing Enabling hash-based GSLB persistence Displaying the hash table Hashing scheme IP address allocation IP address failure or removal from domain Rehash: new IP address for a domain or change of state Disabling rehash Hash-persist hold-down: boot up considerations if rehash disabled Manually forcing rehash for a domain Site persistence in GSLB using hashing 1 Syntax: clear gslb phash zone-name <zone-name> host-name <host-name> Show commands Weighted distribution of sites with hash-based persistence Overview of distribution of sites with hash-based persistence GSLB hash-based persistence GSLB weighted hash-based persistence Hashing scheme IP address allocation IP address failure or removal from domain Rehashing for new IP address for a domain or state change from down to up Disabling rehash on introduction of new IP addresses or state change from down to healthy Rehash: change in hash weight Disabling rehash on change in hash weight configuration Configuring distribution of sites with hash-based persistence Enabling weighted hash-based GSLB persistence GSLB hash based site persistence with configurable subnet mask length Configuring weights for domain IP addresses Disabling rehash on introduction of new IP addresses or state change from down to healthy Disable rehash when weight for an IP is changed Hash persist hold down timer Manually forcing rehash for a domain Clear GSLB phash counters Show commands Debug command Displaying the contents of active RTT cache entries Affinity FIGURE 5 Defining the affinity Displaying RTT prefix cache entries Displaying affinity selection counters GSLB domain-level affinity Overview of GSLB domain-level affinity Command line interface Creating a domain-level affinity group Specifying affinities definitions for the domain-level affinity group Configuring an affinity for prefix 0.0.0.0/0 Associating the domain-level group with a domain Show commands Debug command DNS cache proxy Enabling DNS cache proxy Displaying DNS cache proxy state Displaying DNS cache proxy statistics Combining the DNS cache proxy and DNS override features GSLB DNS type any query Transparent DNS query intercept FIGURE 6 Redirecting queries Page Redirecting queries and perform GSLB Responding to queries directly Displaying transparent DNS query intercept statistics Enabling DNS request logging TABLE 7 Support for the RTT metric TABLE 8 BP support as GSLB agent Distributed health checks for GSLB Disabling the distributed health check feature for an individual site ServerIron ADX Enabling the distributed health check feature for an individual site ServerIron ADX Disabling or re-enabling distributed health check Clearing the distributed health check settings for a site ServerIron ADX Configuring the health status reporting interval Configuring the agent health report interval Debugging the distributed health check Impact of distributed health checks on the Flashback metric Configuration examples FIGURE 7 Page DNSSEC FIGURE 8 Page DNSSEC Verification with DIG The following example shows dig being used to validate a DNSSEC response. DNSSEC GSLB in DNS proxy mode Cache proxy mode Configuring DNSSEC for GSLB Configuring a zone for DNSSEC Configuring a backend ADNS server as DNNSEC capable Configuring load balancing of plain DNS request across all servers Displaying DNSSEC configuration Displaying DNSSEC statistics Host-level policies for site selection Global vs host-level policy Configuring host-level policies Defining a name for a host-level GSLB policy Configuring the parameters for the host-level policy Page Page Page Applying a host-level policy to a GSLB host Displaying host-level policy information Displaying a host-level policy Host-level policies for site selection Displaying all GSLB policies Syntax: show gslb policy host-policy-all To view all defined host-level policies, enter the following command. Displaying the policy used for hosts Displaying the number of host-level policies Deleting GSLB host-level policies Deleting a policy that is not applied to a host Configuration example Geographic region for a prefix How geographic location is determined Configuring a geographic prefix Displaying the number of geographic prefixes Displaying information about geographic prefix Example configuration Smoothing mechanism for RTT measurements Configuring enhanced RTT smoothing Parameters to smooth RTT variances Enabling enhanced RTT smoothing Disabling enhanced RTT smoothing Configuring the parameters Page Page Smoothing mechanism for RTT measurements 1 Example Smoothing mechanism for RTT measurements Determining if the new RTT smoothing mechanism is enabled Round-trip times Passive RTT gathering FIGURE 9 Active RTT gathering FIGURE 10 Support for both active and passive RTT Active RTT gathering issues and trade-offs Enabling active RTT Discarding passive RTT Disabling passive RTT gathering Configuring active RTT parameters Configuring active RTT query message interval Specifying how often to report the active RTT Configuring the cache interval for active RTT prefix Configuring the active RTT refresh interval Setting the RTT algorithm modes Page Probes for RTT gathering Accepting DNS RTT measurements Enabling the DNS prober Sending DNS probes on a different port Aging out prefixes when ICMP probe fails Aging out prefixes when DNS probe fails Active RTT gathering and high availability support Displaying RTT information Displaying the RTT gathering mechanism Round-trip times 1 Displaying the active RTT gathering configuration To view the active RTT gathering configuration parameters, enter the following command. TABLE 9 Round-trip times Displaying the RTT information of a client IP address Syntax: show gslb cache <ip-address> TABLE 9 Page Round-trip times Displaying the RTT algorithm mode To display the RTT algorithm mode, enter the following command. For example, enter a command such as the following: GSLB affinity for high availability Configuring an HA group Enabling dynamic detection Displaying HA information Displaying all HA groups Displaying the HA peer for a site Displaying the dynamically detected HA pairs FIGURE 11 GSLB optimization Optimized VIP list processing Increased VIP support per site and reduced CPU usage on GSLB controller Page GSLB optimization Configuration example On controller ServerIron ADX, configure the following commands. On the site ServerIron ADX, configure the following commands. Guidelines and recommendations for using this feature Displaying GSLB information Displaying site information The following example shows information displayed when the connection-load metric is enabled. Syntax: show gslb site [<name>] The <name> parameter specifies a site name. The show gslb site display shows the following information. TABLE 10 Displaying real server information TABLE 10 Displaying DNS zone and hosts TABLE 11 Displaying detailed DNS information TABLE 11 TABLE 12 Displaying metric information Displaying the default GSLB policy To display the default GSLB policy, enter the following command. Syntax: show gslb default This display shows the following information. TABLE 13 Displaying the user-configured GSLB policy TABLE 13 Displaying RTT information TABLE 14 Displaying GSLB resources TABLE 15 Displaying dynamic server information TABLE 15 Displaying dynamic real server information Displaying virtual server information Displaying the port bindings Listing the real servers Specifying the source IP of probes Displaying information in the prefix cache Page SNMP traps and syslog messages Syslog messages Disabling and re-enabling traps GSLB error handling for unsupported DNS requests Default settings for GSLB error handling Using GSLB error handling with transparent intercept mode Error handling response format Disable or re-enabling GSLB error handling Configuring the return code Viewing error handling statistics Clearing the error handling statistics Page Chapter Global Server Load Balancing for IPv6 Global server load balancing for IPv6 overview GSLB for IPv6 feature support Modes Policy metrics Features Secure GSLB GSLB for IPv6 example FIGURE 12 Basic GSLB for IPv6 configuration TABLE 16 Configuring the GSLB controller Adding a VIP for the ADNS server Enabling DNS cache proxy Enabling DNS override Configuring zones Specifying DNS override IP lists Configuring sites Site ServerIron ADX configuration Enabling the GSLB protocol Basic configuration example Configuration on GSLB ServerIron ADX (GSLB controller) Configuration on site ServerIron ADXs Advanced GSLB configuration for IPv6 TABLE 17 Advanced GSLB configuration for IPv6 Configuring GSLB policy metrics for IPv6 TABLE 18 TABLE 17 Feature See page... Advanced GSLB configuration for IPv6 2 TABLE 18 Advanced GSLB configuration for IPv6 You can change the order in which the GSLB ServerIron ADX applies the policy metrics. Changing the order of GSLB for IPv6 policy metrics TABLE 18 Page Resetting GSLB policy metrics Disabling or re-enabling individual GSLB policy metrics Server (host) health metric Weighted IP metric Enabling the weighted IP metric Specifying the weight of IP addresses in the IP list Weighted site metric TABLE 19 DNS response processing Traffic distribution specifications TABLE 20 Configuring weighted site metrics Session capacity threshold metric Active bindings metric DNS response processing Enabling active bindings Configuring weighted active bindings Using minimum active bindings Tracking an application port for active bindings Geographic location metric Configuring a geographic prefix Specifying site locations Specifying GSLB controller locations Enabling default geographic location Available session capacity metric FlashBack speed metric Administrative preference metric Configuring administrative preference for a site Least response selection metric Round robin selection metric Sticky persistence for IPv6 Enabling sticky persistence for IPv6 Specifying sticky session prefix lengths Specifying sticky session life times Deleting sticky sessions High availability considerations for IPv6 sticky persistence Hash-based persistence for IPv6 Specifying hash-based persistence prefix lengths Manually forcing a rehash for a domain Weighted hash-based persistence for IPv6 Enabling weighted hash-based GSLB persistence GSLB hash-based persistence with configurable subnet mask length Configuring weights for domain IP addresses Disabling rehash on introduction of new IP addresses or state change from down to healthy Disabling rehash when weight for an IP is changed Hash persist hold down timer Configuring DNS response parameters Configuring an active-only policy Configuring a best-only policy GSLB of ANY queries Displaying GSLB for IPv6 configurations Show commands for basic GSLB configurations Displaying DNS cache proxy statistics TABLE 21 Displaying the default GSLB policy TABLE 22 TABLE 22 Displaying the user-configured GSLB policy TABLE 22 Displaying information about a geographic prefix Displaying results of traffic distribution for weighted sites The first example shows the first two sites. The second example shows the third site. Displaying DNS zone and hosts TABLE 23 TABLE 23 Clearing DNS selection counters Displaying detailed DNS information Displaying site information TABLE 24 The show gslb site sunnyvale command returns the following information: TABLE 25 Syntax: show gslb site [<site-name>] The <site-name> parameter specifies a site name. Show commands for advanced features Displaying the hash table TABLE 25 Clearing GSLB phash counters Troubleshooting GSLB for IPv6 configurations Displaying GSLB debug counters TABLE 26 Troubleshooting GSLB for IPv6 configurations 2 Troubleshooting GSLB for IPv6 configurations Troubleshooting IPv6 lists Debug trace for GSLB Page Appendix A Reference Materials RFC IPv4 IPv6 DNS DNS A DNS IPv6 address assignment TABLE 28 DNS A