Manuals / Brands / TV and Video / Home Theater Server / Brocade Communications Systems / TV and Video / Home Theater Server

Brocade Communications Systems 12.4.00 Selecting a peer public key management option

1 267

Download 267 pages, 2.34 Mb

62 ServerIron ADX Global Server Load Balancing Guide

53-1002437-01

Secure GSLB

1

9. After the key-exchange (fingerprint) takes place, the key must be saved on both the controller

and site ServerIron ADX using the crypto key-exchange save-peer-key command. Notice there is

an erase-peer-key option also.

SLB-Ctrl-ServerIronADX(config)#crypto key-exchange ?

A.B.C.D IP address of peer

erase-peer-key Erase peer public key in flash

passive

save-peer-key Save peer public key into flash

SLB-Ctrl-ServerIronADX(config)#crypto key-exchange save-peer-key

To verify the communication state and public fingerprint key entry being exchanged, enter a

command such as in the following:

Syntax: show gslb security peer

Syntax: show gslb security key-fingerprint

Selecting a peer public key management option

After the key exchange is completed, there are three key-management options provided to you.

Select the desired option based on the level of security required, balanced with an acceptable level

of administration overhead for the key exchange.

To select the one-time option, enter the following command.

Secure-ServerIronADX(config)#gslb auth-encrypt-communication peer-pub-key-expire

one-time

If you do not set a peer-pub-key-expire, the default value is 180 seconds.

Syntax: [no] gslb auth-encrypt-communication peer-pub-key-expire [one-time | never | <timeout>]

SLB-ServerIronADX(config)#show gslb security peer

Public key for peer 2.2.2.1

Valid duration(seconds): 30000000

loaded from flash 0

Peer authentication handshake done 1

key get from peer 2.2.2.1

fingerprint:

63743f5c a1b77dbf 68adbb8e 46379203 9647c77c

Public key for peer 2.2.2.3

Valid duration(seconds): 30000000

loaded from flash 1

Peer authentication handshake done 1

key get from peer 2.2.2.3

fingerprint:

f16b1cdc 547b3e5c ac77f284 b2ebe711 8f4b9722

SLB-ServerIronADX#sh gslb security key-fingerprint

Key fingerprint index: 1

Peer IP address for this key 2.2.2.3

f16b1cdc 547b3e5c ac77f284 b2ebe711 8f4b9722

Valid duration(seconds): 29999965

Contents

Main Brocade Communications Systems, Incorporated Document History 53-1002437-01 New document January 2012 Title Publication number Summary of changes Date ServerIron ADX Global Server Load Balancing Guide Contents About This Document Chapter 1 Global Server Load Balancing Page Page Chapter 2 Global Server Load Balancing for IPv6 Appendix A Reference Materials Page About This Document Audience Supported hardware and software Document conventions Notice to the reader Related publications Getting technical help or reporting errors Web access E-mail and telephone access Page Chapter Global Server Load Balancing Global Server Load Balancing overview Basic concepts Page GSLB example Page GSLB policy Server health Weighted IP metric Weighted site metric Site ServerIron ADXs session capacity threshold Active bindings metric Round-trip time between the remote ServerIron ADX and the client Geographic location of the server Site ServerIron ADXs connection load Site ServerIron ADXs available session capacity tolerance Site ServerIron ADXs FlashBack speed Site ServerIron ADXs administrative preference The least response selection Round robin selection Page Minimum required configuration FIGURE 2 Controller SI Site SI Minimum required configuration Syntax: show gslb policy Configuring GSLB 1 Configuring GSLB TABLE 1 Feature See page... TABLE 1 Proxy for DNS server Adding a source IP address Configuring real server and virtual server for the DNS server Enabling the GSLB protocol Configuring a site Specifying site locations Specifying GSLB controller locations Configuring a zone Applying GSLB to CNAME records Configuring HTTP health check parameters Configuring DNS domain name aliases Configuring null host names Configuration example Private VIPs for GSLB FIGURE 3 Configuring a public IP address for a VIP SI SI Private VIP display information Displaying GSLB IP information Configuring GSLB protocol parameters Changing the protocol port number Changing the GSLB protocol update period Modifying GSLB parameters related to DNS responses Page Page Page Changing the GSLB policy metrics Configuring GSLB protocol parameters 1 TABLE 2 Configuring GSLB protocol parameters Changing the order of GSLB policy metrics Disabling or re-enabling individual GSLB policy metrics Clearing DNS selection counters Implementing the weighted IP metric TABLE 3 TABLE 4 Page Implementing the weighted site metric TABLE 5 TABLE 6 Page Page Implementing the active bindings metric Page GSLB active bindings enhancements Configuring connection load parameters Changing the session-table capacity threshold and tolerance values Changing the FlashBack tolerance values Modifying round-trip time values Page Page Enabling default geographic location Secure GSLB Initial session key generation RSA challenge dialogue GSLB message content randomization Configuring secure GSLB Configuring secure-communication on the controller Generating RSA key pair Exchanging public keys Page Selecting a peer public key management option Regenerating the session keys Manually regenerating the session keys Dynamically regenerating the session keys Minimum GSLB configuration Site persistence in GSLB using stickiness Algorithm Enabling sticky GSLB Allowing sticky sessions for a specific prefix length Configuring the sticky GSLB session life time Displaying current sticky GSLB sessions Site persistence in GSLB using stickiness 1 Sticky GSLB counters Deleting sticky GSLB session for a specific client Deleting all sticky GSLB sessions Site persistence in GSLB using hashing Enabling hash-based GSLB persistence Displaying the hash table Hashing scheme IP address allocation IP address failure or removal from domain Rehash: new IP address for a domain or change of state Disabling rehash Hash-persist hold-down: boot up considerations if rehash disabled Manually forcing rehash for a domain Site persistence in GSLB using hashing 1 Syntax: clear gslb phash zone-name <zone-name> host-name <host-name> Show commands Weighted distribution of sites with hash-based persistence Overview of distribution of sites with hash-based persistence GSLB hash-based persistence GSLB weighted hash-based persistence Hashing scheme IP address allocation IP address failure or removal from domain Rehashing for new IP address for a domain or state change from down to up Disabling rehash on introduction of new IP addresses or state change from down to healthy Rehash: change in hash weight Disabling rehash on change in hash weight configuration Configuring distribution of sites with hash-based persistence Enabling weighted hash-based GSLB persistence GSLB hash based site persistence with configurable subnet mask length Configuring weights for domain IP addresses Disabling rehash on introduction of new IP addresses or state change from down to healthy Disable rehash when weight for an IP is changed Hash persist hold down timer Manually forcing rehash for a domain Clear GSLB phash counters Show commands Debug command Displaying the contents of active RTT cache entries Affinity FIGURE 5 Defining the affinity Displaying RTT prefix cache entries Displaying affinity selection counters GSLB domain-level affinity Overview of GSLB domain-level affinity Command line interface Creating a domain-level affinity group Specifying affinities definitions for the domain-level affinity group Configuring an affinity for prefix 0.0.0.0/0 Associating the domain-level group with a domain Show commands Debug command DNS cache proxy Enabling DNS cache proxy Displaying DNS cache proxy state Displaying DNS cache proxy statistics Combining the DNS cache proxy and DNS override features GSLB DNS type any query Transparent DNS query intercept FIGURE 6 Redirecting queries Page Redirecting queries and perform GSLB Responding to queries directly Displaying transparent DNS query intercept statistics Enabling DNS request logging TABLE 7 Support for the RTT metric TABLE 8 BP support as GSLB agent Distributed health checks for GSLB Disabling the distributed health check feature for an individual site ServerIron ADX Enabling the distributed health check feature for an individual site ServerIron ADX Disabling or re-enabling distributed health check Clearing the distributed health check settings for a site ServerIron ADX Configuring the health status reporting interval Configuring the agent health report interval Debugging the distributed health check Impact of distributed health checks on the Flashback metric Configuration examples FIGURE 7 Page DNSSEC FIGURE 8 Page DNSSEC Verification with DIG The following example shows dig being used to validate a DNSSEC response. DNSSEC GSLB in DNS proxy mode Cache proxy mode Configuring DNSSEC for GSLB Configuring a zone for DNSSEC Configuring a backend ADNS server as DNNSEC capable Configuring load balancing of plain DNS request across all servers Displaying DNSSEC configuration Displaying DNSSEC statistics Host-level policies for site selection Global vs host-level policy Configuring host-level policies Defining a name for a host-level GSLB policy Configuring the parameters for the host-level policy Page Page Page Applying a host-level policy to a GSLB host Displaying host-level policy information Displaying a host-level policy Host-level policies for site selection Displaying all GSLB policies Syntax: show gslb policy host-policy-all To view all defined host-level policies, enter the following command. Displaying the policy used for hosts Displaying the number of host-level policies Deleting GSLB host-level policies Deleting a policy that is not applied to a host Configuration example Geographic region for a prefix How geographic location is determined Configuring a geographic prefix Displaying the number of geographic prefixes Displaying information about geographic prefix Example configuration Smoothing mechanism for RTT measurements Configuring enhanced RTT smoothing Parameters to smooth RTT variances Enabling enhanced RTT smoothing Disabling enhanced RTT smoothing Configuring the parameters Page Page Smoothing mechanism for RTT measurements 1 Example Smoothing mechanism for RTT measurements Determining if the new RTT smoothing mechanism is enabled Round-trip times Passive RTT gathering FIGURE 9 Active RTT gathering FIGURE 10 Support for both active and passive RTT Active RTT gathering issues and trade-offs Enabling active RTT Discarding passive RTT Disabling passive RTT gathering Configuring active RTT parameters Configuring active RTT query message interval Specifying how often to report the active RTT Configuring the cache interval for active RTT prefix Configuring the active RTT refresh interval Setting the RTT algorithm modes Page Probes for RTT gathering Accepting DNS RTT measurements Enabling the DNS prober Sending DNS probes on a different port Aging out prefixes when ICMP probe fails Aging out prefixes when DNS probe fails Active RTT gathering and high availability support Displaying RTT information Displaying the RTT gathering mechanism Round-trip times 1 Displaying the active RTT gathering configuration To view the active RTT gathering configuration parameters, enter the following command. TABLE 9 Round-trip times Displaying the RTT information of a client IP address Syntax: show gslb cache <ip-address> TABLE 9 Page Round-trip times Displaying the RTT algorithm mode To display the RTT algorithm mode, enter the following command. For example, enter a command such as the following: GSLB affinity for high availability Configuring an HA group Enabling dynamic detection Displaying HA information Displaying all HA groups Displaying the HA peer for a site Displaying the dynamically detected HA pairs FIGURE 11 GSLB optimization Optimized VIP list processing Increased VIP support per site and reduced CPU usage on GSLB controller Page GSLB optimization Configuration example On controller ServerIron ADX, configure the following commands. On the site ServerIron ADX, configure the following commands. Guidelines and recommendations for using this feature Displaying GSLB information Displaying site information The following example shows information displayed when the connection-load metric is enabled. Syntax: show gslb site [<name>] The <name> parameter specifies a site name. The show gslb site display shows the following information. TABLE 10 Displaying real server information TABLE 10 Displaying DNS zone and hosts TABLE 11 Displaying detailed DNS information TABLE 11 TABLE 12 Displaying metric information Displaying the default GSLB policy To display the default GSLB policy, enter the following command. Syntax: show gslb default This display shows the following information. TABLE 13 Displaying the user-configured GSLB policy TABLE 13 Displaying RTT information TABLE 14 Displaying GSLB resources TABLE 15 Displaying dynamic server information TABLE 15 Displaying dynamic real server information Displaying virtual server information Displaying the port bindings Listing the real servers Specifying the source IP of probes Displaying information in the prefix cache Page SNMP traps and syslog messages Syslog messages Disabling and re-enabling traps GSLB error handling for unsupported DNS requests Default settings for GSLB error handling Using GSLB error handling with transparent intercept mode Error handling response format Disable or re-enabling GSLB error handling Configuring the return code Viewing error handling statistics Clearing the error handling statistics Page Chapter Global Server Load Balancing for IPv6 Global server load balancing for IPv6 overview GSLB for IPv6 feature support Modes Policy metrics Features Secure GSLB GSLB for IPv6 example FIGURE 12 Basic GSLB for IPv6 configuration TABLE 16 Configuring the GSLB controller Adding a VIP for the ADNS server Enabling DNS cache proxy Enabling DNS override Configuring zones Specifying DNS override IP lists Configuring sites Site ServerIron ADX configuration Enabling the GSLB protocol Basic configuration example Configuration on GSLB ServerIron ADX (GSLB controller) Configuration on site ServerIron ADXs Advanced GSLB configuration for IPv6 TABLE 17 Advanced GSLB configuration for IPv6 Configuring GSLB policy metrics for IPv6 TABLE 18 TABLE 17 Feature See page... Advanced GSLB configuration for IPv6 2 TABLE 18 Advanced GSLB configuration for IPv6 You can change the order in which the GSLB ServerIron ADX applies the policy metrics. Changing the order of GSLB for IPv6 policy metrics TABLE 18 Page Resetting GSLB policy metrics Disabling or re-enabling individual GSLB policy metrics Server (host) health metric Weighted IP metric Enabling the weighted IP metric Specifying the weight of IP addresses in the IP list Weighted site metric TABLE 19 DNS response processing Traffic distribution specifications TABLE 20 Configuring weighted site metrics Session capacity threshold metric Active bindings metric DNS response processing Enabling active bindings Configuring weighted active bindings Using minimum active bindings Tracking an application port for active bindings Geographic location metric Configuring a geographic prefix Specifying site locations Specifying GSLB controller locations Enabling default geographic location Available session capacity metric FlashBack speed metric Administrative preference metric Configuring administrative preference for a site Least response selection metric Round robin selection metric Sticky persistence for IPv6 Enabling sticky persistence for IPv6 Specifying sticky session prefix lengths Specifying sticky session life times Deleting sticky sessions High availability considerations for IPv6 sticky persistence Hash-based persistence for IPv6 Specifying hash-based persistence prefix lengths Manually forcing a rehash for a domain Weighted hash-based persistence for IPv6 Enabling weighted hash-based GSLB persistence GSLB hash-based persistence with configurable subnet mask length Configuring weights for domain IP addresses Disabling rehash on introduction of new IP addresses or state change from down to healthy Disabling rehash when weight for an IP is changed Hash persist hold down timer Configuring DNS response parameters Configuring an active-only policy Configuring a best-only policy GSLB of ANY queries Displaying GSLB for IPv6 configurations Show commands for basic GSLB configurations Displaying DNS cache proxy statistics TABLE 21 Displaying the default GSLB policy TABLE 22 TABLE 22 Displaying the user-configured GSLB policy TABLE 22 Displaying information about a geographic prefix Displaying results of traffic distribution for weighted sites The first example shows the first two sites. The second example shows the third site. Displaying DNS zone and hosts TABLE 23 TABLE 23 Clearing DNS selection counters Displaying detailed DNS information Displaying site information TABLE 24 The show gslb site sunnyvale command returns the following information: TABLE 25 Syntax: show gslb site [<site-name>] The <site-name> parameter specifies a site name. Show commands for advanced features Displaying the hash table TABLE 25 Clearing GSLB phash counters Troubleshooting GSLB for IPv6 configurations Displaying GSLB debug counters TABLE 26 Troubleshooting GSLB for IPv6 configurations 2 Troubleshooting GSLB for IPv6 configurations Troubleshooting IPv6 lists Debug trace for GSLB Page Appendix A Reference Materials RFC IPv4 IPv6 DNS DNS A DNS IPv6 address assignment TABLE 28 DNS A