C.D | Brocade Communications Systems 12.4.00 guide

1 Secure GSLB

9.After the key-exchange (fingerprint) takes place, the key must be saved on both the controller and site ServerIron ADX using the crypto key-exchangesave-peer-keycommand. Notice there is an erase-peer-keyoption also.

SLB-Ctrl-ServerIronADX(config)#crypto		key-exchange	?
A.B.C.D	IP address of peer	key in flash
erase-peer-key	Erase peer public	key in flash
passive	Save peer public key into flash
save-peer-key	Save peer public key into flash		save-peer-key
SLB-Ctrl-ServerIronADX(config)#crypto		key-exchange	save-peer-key

To verify the communication state and public fingerprint key entry being exchanged, enter a command such as in the following:

SLB-ServerIronADX(config)#show gslb security peer Public key for peer 2.2.2.1

Valid duration(seconds): 30000000 loaded from flash 0

Peer authentication handshake done 1 key get from peer 2.2.2.1 fingerprint:

63743f5c a1b77dbf 68adbb8e 46379203 9647c77c

Public key for peer 2.2.2.3

Valid duration(seconds): 30000000 loaded from flash 1

Peer authentication handshake done 1 key get from peer 2.2.2.3 fingerprint:

f16b1cdc 547b3e5c ac77f284 b2ebe711 8f4b9722

SLB-ServerIronADX#sh gslb security key-fingerprint Key fingerprint index: 1

Peer IP address for this key 2.2.2.3 f16b1cdc 547b3e5c ac77f284 b2ebe711 8f4b9722 Valid duration(seconds): 29999965

Syntax: show gslb security peer

Syntax: show gslb security key-fingerprint

Selecting a peer public key management option

After the key exchange is completed, there are three key-management options provided to you.

Select the desired option based on the level of security required, balanced with an acceptable level of administration overhead for the key exchange.

To select the one-time option, enter the following command.

Secure-ServerIronADX(config)#gslb auth-encrypt-communication peer-pub-key-expire one-time

If you do not set a peer-pub-key-expire, the default value is 180 seconds.

Syntax: [no] gslb auth-encrypt-communication peer-pub-key-expire [one-time never <timeout>]

62	ServerIron ADX Global Server Load Balancing Guide
	53-1002437-01

Image 74

Brocade Communications Systems 12.4.00 manual Selecting a peer public key management option, C.D

Contents

ServerIron ADX Brocade Communications Systems, Incorporated Contents ServerIron ADX Global Server Load Balancing Guide Page Gslb for IPv6 example Gslb for IPv6 feature supportGlobal server load balancing for IPv6 overview IPv4 IPv6Page Document conventions AudienceSupported hardware and software Text formatting Bold text Mail and telephone access Getting technical help or reporting errorsWeb access Related publicationsPage Global Server Load Balancing Global Server Load Balancing overview Basic concepts Global Server Load Balancing overview Global Server Load Balancing configuration Gslb example DNS Gslb policy Weighted IP metric Server health Active bindings metric Weighted site metricSite ServerIron ADX’s session capacity threshold Geographic location of the server Site ServerIron ADX’s FlashBack speed Site ServerIron ADX’s connection loadSite ServerIron ADX’s available session capacity tolerance Round robin selection Site ServerIron ADX’s administrative preferenceLeast response selection 128 Minimum required configuration Basic controller and site communication Syntax show gslb policy Configuring Gslb Configuring GslbPage Proxy for DNS server Proxy for DNS serverAdding a source IP address Syntax no server source-ipip-addr ip-mask default-gateway Syntax no gslb protocol Configuring a siteEnabling the Gslb protocol Specifying site locations Syntax no gslb site name Syntax no gslb dns zone-name name Configuring a zoneSpecifying Gslb controller locations Applying Gslb to Cname records Syntax no dns cname-detect Configuring Http health check parameters Cname status is shown in bold type Configuring DNS domain name aliases Syntax host-info host-namealias alias-name Configuring null host namesConfiguration example Private VIPs for Gslb Syntax dns override Configuring a public IP address for a VIP Private VIPs for Gslb Show gslb dns detail the following is an example Private VIP display informationDisplaying Gslb IP information Syntax show server virtual-name-or-ip Configuring Gslb protocol parametersChanging the protocol port number Syntax show gslb site Syntax no protocol status-interval num Changing the Gslb protocol update periodModifying Gslb parameters related to DNS responses You can modify the following DNS-related Gslb parameters Removing IP addresses for sites that fail a health check Syntax no dns best-only Changing the TTL for DNS records Changing the query intervalSyntax no dns check-interval num Syntax no dns ttl num Syntax no dns ttl Enabling DNS override Syntax no dns override Changing the Gslb policy metrics Configuring Gslb protocol parameters Gslb policy metrics Metric Default Configuration options Connection load Changing the order of Gslb policy metrics Syntax no metric-order set list Syntax metric-order default Disabling or re-enabling individual Gslb policy metrics Clearing DNS selection counters Syntax clear gslb dns zone-name name Implementing the weighted IP metric DNS response processing Syntax host-info www ip-weight IP address weight Configuring weighted IP metricsSyntax no weighted-ip Syntax no gslb dns zone name For name, enter up to 32 characters Implementing the weighted site metric Syntax show gslb dns zone San Jose 50% New York 30% London 20% Total 100 100% Syntax no weighted-site Syntax gslb site site name Traffic distribution specificationsConfiguring weighted site metrics Syntax weight weight First example shows the first two sites Syntax show gslb traffic site Implementing the active bindings metric Site Three Enabling active bindings Configuring weighted active bindings Gslb active bindings enhancements Configuring connection load parameters Specifying the site connection limit Syntax no connection-load limit average-load Changing the sampling intervals and sample rate Changing the sample interval weight Syntax no connection-load weights weight1 weight2...weight8 Syntax no num-session tolerance num Changing the FlashBack tolerance valuesSyntax no capacity threshold num Syntax no flashback application tcp tolerance num Modifying round-trip time values Changing the RTT cache interval Syntax no round-trip-time cache-prefix num Syntax no round-trip-time cache-interval numChanging the RTT cache prefix Changing the RTT tolerance Syntax no round-trip-time explore-percentage num Adding static prefix cache entries Enabling default geographic location Secure GslbPage RSA challenge dialogue Gslb message content randomizationConfiguring secure Gslb Secure Gslb Configuring secure-communication on the controller Generating RSA key pair Exchanging public keys Bob sends back his public key Selecting a peer public key management option C.D Dynamically regenerating the session keys Regenerating the session keysManually regenerating the session keys Syntax clear gslb session-keys Site persistence in Gslb using stickiness Minimum Gslb configuration Algorithm Site persistence in Gslb using stickiness Enabling sticky Gslb Syntax no sticky Configuring the sticky Gslb session life timeAllowing sticky sessions for a specific prefix length Syntax no sticky age value Displaying current sticky Gslb sessions Syntax show session all offset Sticky Gslb counters Syntax show gslb dns detail Deleting all sticky Gslb sessions Site persistence in Gslb using hashingDeleting sticky Gslb session for a specific client Enabling hash-based Gslb persistence Hashing scheme Syntax show gslb phash table Rehash new IP address for a domain or change of state IP address allocationIP address failure or removal from domain Rank Disabling rehash Syntax hash-persist hold-down time Syntax hash-persist persist-rehash-disable time-outManually forcing rehash for a domain Show commands Syntax show gslb phash table zone-name name host-name name Weighted distribution of sites with hash-based persistenceWeighted distribution of sites with hash-based persistence This section contains the following subsections Hashing scheme Gslb weighted hash-based persistenceGslb hash-based persistence IP address allocation IP address failure or removal from domain Rehash change in hash weight Disabling rehash on change in hash weight configuration Syntax no prefix-len-hash-persist length Enabling weighted hash-based Gslb persistenceSyntax no hash-persist weighted Syntax host-info host-nameip-hash-weight IPaddress weight Configuring weights for domain IP addressesDisable rehash when weight for an IP is changed Hash persist hold down timer Syntax no hash-persist disable-weight-rehash Clear Gslb phash counters Show commandsManually forcing rehash for a domain Syntax show gslb policy host-policy-name policy-name Displaying the contents of active RTT cache entries Affinity Affinity Defining the affinity Syntax gslb affinity Displaying RTT prefix cache entries Syntax show gslb cache ip-addr Overview of Gslb domain-level affinity Gslb domain-level affinityDisplaying affinity selection counters Syntax show gslb dns detail name Creating a domain-level affinity group Command line interfaceConfiguring an affinity for prefix 0.0.0.0/0 Associating the domain-level group with a domain Show gslb resources Show gslb affinity-group group-numberSyntax show gslb affinity-group group-number Syntax show gslb resources Show gslb dns detail DNS cache proxyDNS cache proxy Syntax show gslb dns detail zone-name Displaying DNS cache proxy state To enable DNS cache proxy, enter the following commandsEnabling DNS cache proxy Syntax no dns cache-proxy Syntax show gslb global-stat DNS cache proxy Disable the defaultDisplaying DNS cache proxy statistics Combining the DNS cache proxy and DNS override features Gslb DNS type any query Transparent DNS query intercept Transparent DNS query intercept configuration Redirecting queries Transparent DNS query intercept Syntax no port dns Syntax no server remote-name name ip-addrSyntax no source-nat Syntax no server virtual-name-or-ip name ip-addrintercept Syntax ip policy index cache udp dns global Redirecting queries and perform GslbSyntax no bind dns real-server-namedns Responding to queries directly Displaying transparent DNS query intercept statistics Syntax dns transparent-intercept Each message shows the following information Enabling DNS request loggingSyntax no gslb log-dns Support for the RTT metric Enabling DNS request logging Gslb request information Enabling DNS request logging Distributed health checks for GslbBP support as Gslb agent Syntax no si-name name ip-addrno-si-dist-health-check ADX Disabling or re-enabling distributed health check Configuring the health status reporting intervalSyntax no si-name name ip-addrenable-si-dist-health-check Syntax no no-distributed-health-check Syntax no health-status-interval secs Configuring the agent health report intervalDebugging the distributed health check Syntax no agent-health-report-interval secs Impact of distributed health checks on the Flashback metric Example Configuration examplesTopology Example Example Dnssec Example with Authentication Chain Steps involved in a Dnssec resolution are Dnssec Dnssec Gslb in DNS proxy mode Verification with DIG Configuring a zone for Dnssec Configuring Dnssec for GslbCache proxy mode Configuring a backend Adns server as Dnnsec capable Syntax no port dns use-dnssec-servers-for-dns-queries Displaying Dnssec configurationDisplaying Dnssec statistics Syntax no server use-dnssec-servers-for-dns-queries Global vs host-level policy Configuring host-level policiesHost-level policies for site selection Host-level policies for site selection Configuring the parameters for the host-level policy Defining a name for a host-level Gslb policy Syntax no dns active-only Removing all IP addresses except the best address Syntax no flashback To re-enable this metric, enter the following commandDisabling or re-enabling the Flashback metric Modifying Flashback tolerance Enabling the Health Check metric Enabling the Geographic metricSyntax no geographic Syntax no health-check Resetting the order of the metrics Syntax no num-session Configuring the Num-session ToleranceEnabling the Num-session metric Enabling the Preference metric Syntax no round-robin Enabling the Round-Trip-Time metric Syntax no weighted-ipEnabling the weighted site metric Syntax no round-trip-time Changing the RTT tolerance Applying a host-level policy to a Gslb host Syntax no weighted-siteDisplaying host-level policy information Displaying a host-level policy Displaying all Gslb policies Syntax show gslb policy host-policy-all Syntax show gslb dns zone I detail Displaying the policy used for hostsDisplaying the number of host-level policies Deleting a policy that is not applied to a host Configuration exampleDeleting Gslb host-level policies Syntax clear gslb host-policy policy-name Geographic region for a prefix How geographic location is determined For IPv6 Configuring a geographic prefixFor IPv4 Geographic region for a prefix Displaying the number of geographic prefixesDisplaying information about geographic prefix Syntax show gslb cache IP address prefix Example configuration Syntax show gslb cache all geographic user-configured 90% of 20ms + 10% of 40ms = 22ms Smoothing mechanism for RTT measurementsSmoothing mechanism for RTT measurements 90% of 22ms + 10% of 1 sec = 119ms 134 Enabling enhanced RTT smoothing Syntax gslb enhanced-rtt-smoothing Configuring the parameters Disabling enhanced RTT smoothing Specifying the ramp-down factor Specifying the ramp-up-factorSyntax no ramp-up-factor value Syntax no ramp-down-factor value State gets cleared. You can command in the simulation Syntax enable-sim-new-rtt-smoothSyntax disable-sim-new-rtt-smooth Syntax rtt-val value Smoothing mechanism for RTT measurements Smoothing mechanism for RTT measurements Passive RTT gathering Determining if the new RTT smoothing mechanism is enabledRound-trip times Round-trip times Active RTT gathering Passive RTT gathering Support for both active and passive RTT Active RTT gathering Active RTT gathering issues and trade-offs Enabling active RTT Disabling passive RTT gathering Syntax no gslb disable-rtt-gatheringDiscarding passive RTT Syntax no gslb active-rtt-gathering Configuring the cache interval for active RTT prefix Configuring active RTT parametersConfiguring active RTT query message interval Specifying how often to report the active RTT Syntax no gslb agent-rtt-refresh-interval value Configuring the active RTT refresh intervalSetting the RTT algorithm modes Using only passive RTT Probes for RTT gathering Syntax gslb dns-probe enable-fallbackSyntax gslb dns-probe disable-fallback Accepting DNS RTT measurements Enabling the DNS prober Aging out prefixes when Icmp probe failsAging out prefixes when DNS probe fails Sending DNS probes on a different port Active RTT gathering and high availability support Displaying RTT information Displaying the RTT gathering mechanism Displaying the active RTT gathering configuration Syntax show gslb active-rtt-info Syntax show gslb cache ip-address Displaying the RTT information of a client IP addressRound-trip times Show Gslb active RTT information This field Displays Displaying the RTT algorithm mode For example, enter a command such as the following Gslb affinity for high availability Configuring an HA groupGslb affinity for high availability Enabling dynamic detection Displaying the HA peer for a site Displaying HA informationDisplaying all HA groups Syntax no gslb dynamic-peer-detect Displaying the dynamically detected HA pairs View the configured HA group using the following command Gslb affinity for HA Optimized VIP list processing This command requires a reload to take effectGslb optimization Syntax no gslb process-vip-list-optimize Syntax no gslb dont-send-active-bindings Syntax no si ip-addressoptimized-dist-hcheckSyntax no gslb send-vip-list-optimize On the site ServerIron ADX, configure the following commands Gslb optimization Displaying site information Guidelines and recommendations for using this featureDisplaying Gslb information Displaying Gslb information Syntax show gslb site name Name parameter specifies a site name Site Displaying real server information Displaying Gslb information Global SLB site information Syntax rshow remote-ip-addrserver real virtual session bind Displaying DNS zone and hosts Syntax show gslb dns zone name Zone Displaying detailed DNS information Host a Flashback Displaying metric information Displaying the default Gslb policy Syntax show gslb default Displaying Gslb information Gslb policy information DNS TTL Displaying the user-configured Gslb policy ServerIronADXconfig# show gslb cache Static prefix cache entries on This command shows the following information Gslb resources Displaying Gslb resources Port binding information The TCP and UDP ports Displaying dynamic server informationDisplaying Gslb information Gslb resources Session statistics Another way to list the real servers Syntax show server dynamic real Displaying dynamic real server informationDisplaying virtual server information Syntax show server dynamic virtual Displaying the port bindingsListing the real servers Syntax show server dynamic bind Syntax gslb src-ip-active-rtt ip-address Specifying the source IP of probesDisplaying information in the prefix cache Syntax show gslb cache all Syntax show gslb cache all ip-addr Syntax show gslb cache all affinitySyntax show gslb cache all geographic static Syntax show gslb cache ip-addrlonger-than prefix-length Syntax show gslb cache ip-addrsmaller-than prefix-length Snmp traps and syslog messagesSnmp traps and syslog messages Syslog messages Syntax show logging Disabling and re-enabling traps Gslb error handling for unsupported DNS requestsSyntax no snmp-server enable traps trap-type Default settings for Gslb error handling Using Gslb error handling with transparent intercept mode Configuring the return code Error handling response formatDisable or re-enabling Gslb error handling Gslb error handling for unsupported DNS requests Syntax clear gslb unsupported-response-cnt Viewing error handling statisticsClearing the error handling statistics Gslb error handling for unsupported DNS requests Global Server Load Balancing for IPv6 Global server load balancing for IPv6 overview Gslb for IPv6 feature support IPv6 Gslb configuration Gslb for IPv6 example Basic Gslb for IPv6 configuration On Gslb ServerIron ADX controller Adding a VIP for the Adns server Configuring the Gslb controllerBasic Gslb for IPv6 configuration Enabling DNS cache proxy Configuring zones Enabling DNS override Host-nameparameter specifies the host name Specifying DNS override IP listsSyntax no host-info host-nameip-list ipv6-address Configuring sites Configuration on Gslb ServerIron ADX Gslb controller Site ServerIron ADX configurationBasic configuration example Enabling the Gslb protocol Configuration on site ServerIron ADXs Enable the Gslb protocol on each of the Site ServerIron ADXs Advanced Gslb configuration for IPv6 Gslb site persistence Configuring Gslb policy metrics for IPv6 Refer to Server host health Not supported Changing the order of Gslb for IPv6 policy metrics Refer to FlashBack speed metric Syntax no metric-order set list Resetting Gslb policy metrics Server host health metric Weighted IP metric Enabling the weighted IP metric For zone-name, enter up to 32 characters Specifying the weight of IP addresses in the IP listAdvanced Gslb configuration for IPv6 Weighted site metric Traffic distribution specifications DNS response processing Configuring weighted site metrics Session capacity threshold metric Syntax no active-bindings Active bindings metricEnabling active bindings Configuring weighted active bindings Geographic location metric Specifying Gslb controller locations Configuring a geographic prefixSpecifying site locations Available session capacity metric FlashBack speed metric Administrative preference metric Round robin selection metric Configuring administrative preference for a siteLeast response selection metric Sticky persistence for IPv6 Enabling sticky persistence for IPv6 Deleting sticky sessions Specifying sticky session prefix lengthsSpecifying sticky session life times Syntax no sticky ipv6-prefix-length decimal Hash-based persistence for IPv6 Specifying hash-based persistence prefix lengths Syntax no ipv6-prefix-len-hash-persist decimal Weighted hash-based persistence for IPv6Manually forcing a rehash for a domain Configuring weights for domain IP addresses Disabling rehash when weight for an IP is changed Configuring DNS response parameters Configuring an active-only policy Configuring a best-only policy Gslb of ANY queries Displaying DNS cache proxy statistics Displaying Gslb for IPv6 configurationsShow commands for basic Gslb configurations Displaying the default Gslb policy Displaying Gslb for IPv6 configurations DNS TTL Displaying the user-configured Gslb policy Displaying information about a geographic prefix ServerIronADX VIP === Displaying DNS zone and hosts When you configured the zone information Africa X100us Counters 2001db8abc Cfg Zone-nameparameter specifies a particular Gslb zone Specifying the weight of IP addresses in the IP list on Displaying site information ServerIronADXconfig# show gslb site Administrative preference metric on Site-nameparameter specifies a site name Show commands for advanced featuresDisplaying the hash table Displaying Gslb debug counters Troubleshooting Gslb for IPv6 configurationsClearing Gslb phash counters Syntax show gslb ipv6 phash active-ip allocation table Troubleshooting Gslb for IPv6 configurations Syntax show gslb message IPaddress Troubleshooting IPv6 listsDebug trace for Gslb Syntax debug track feature gslb algorithm sticky generic all Troubleshooting Gslb for IPv6 configurations IPv4 RFC IPv4IPv6 DNS South America IPv6 address assignment Address Designation Lacnic