Forum Discussion
GTM Design For External DNS Queries
- Oct 09, 2017
Hello,
What about the A record IP address of the NS gtm1: is it the IP address of the listener configured on the GTM, or is it the self IP address of the GTM?
Also, I have another question: when doing the same delegation from the external DNS (Internet side), the delegation configuration will be, as you stated, the following:
ns1.gtm.example.com A X.X.X.X
wip.example.com NS ns1.gtm.example.com
Here the X.X.X.X IP address will be the public IP address of the GTM to be NATted on the firewall, or what? Regardless of whether it's the listener or the self IP of the GTM.
Hope you can help me
Thank you..
Greetings,
I hope this terrible ASCII topology is helpful:
   Internet
   Firewall <------+
      |  11.22.33.44
      |            |
     LTM           |
 192.168.10.44     |
                  GTM
Using the topology, the server object for LTM would be created as follows:
gtm server testing {
    addresses {
        11.22.33.44 {
            device-name /Common/testing
            translation 192.168.10.44
        }
    }
}
GTM will connect through the firewall to the LTM. It will use the firewall IP (address) for DNS queries, while understanding that the real IP address (translation) is 192.168.10.44.
The added benefit here is that GTM is going to probe the same path as the customer will, so if there's a firewall issue, GTM will detect and act accordingly (depending on configuration).
Virtual servers would follow the same IP address scheme. One important note: you can't auto-discover, unfortunately. From K14707:
Important: The BIG-IP DNS system does not auto discover virtual servers on the BIG-IP LTM devices that reside behind a firewall NAT. You must manually add the BIG-IP LTM virtual servers to the BIG-IP DNS configuration.
my_vip_one {
    destination 11.22.33.45:http
    enabled
    monitor none
    translation-address 192.168.10.45
    translation-port any
}
This article will give all of the necessary background to understand more if you are curious:
https://support.f5.com/csp/article/K14707
Thanks!
Kevin
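Because virtual servers behind the NAT have to be entered by hand, a small audit of the outside/translation pairs catches entries where an internal address ended up in the outside position. The following is an added example, not part of Kevin's reply or F5 tooling; it assumes IPv4 and the stanza layout shown above, and `my_vip_two`, `nat_pairs` and `audit` are hypothetical names introduced here.

```python
import ipaddress
import re

# Stanzas copied from the post, plus my_vip_two: a constructed data-entry mistake.
SAMPLE = """
gtm server testing {
    addresses {
        11.22.33.44 {
            device-name /Common/testing
            translation 192.168.10.44
        }
    }
}
my_vip_one {
    destination 11.22.33.45:http
    translation-address 192.168.10.45
}
my_vip_two {
    destination 192.168.10.46:http
}
"""

# A leaf stanza: "name { key value ... }" with no nested braces inside.
LEAF = re.compile(r"([^\s{}]+)\s*\{([^{}]*)\}")

def nat_pairs(config):
    """Return (stanza, outside_ip, inside_ip_or_None) for each address stanza."""
    pairs = []
    for name, body in LEAF.findall(config):
        rows = (line.split(None, 1) for line in body.strip().splitlines())
        fields = {r[0]: r[1].strip() for r in rows if len(r) == 2}
        is_vs = "destination" in fields  # virtual server, else keyed by IP
        outside = fields["destination"].rsplit(":", 1)[0] if is_vs else name
        inside = fields.get("translation-address" if is_vs else "translation")
        try:
            ipaddress.ip_address(outside)
        except ValueError:
            continue  # stanza is not keyed by an address; ignore it
        pairs.append((name, outside, inside))
    return pairs

def audit(config):
    findings = []
    for name, outside, inside in nat_pairs(config):
        if ipaddress.ip_address(outside).is_private:
            # Internet clients would be handed an unroutable internal address.
            findings.append((name, "outside address is private"))
        elif inside is None:
            # Only correct when the device is not behind the firewall NAT.
            findings.append((name, "no translation set"))
    return findings
```

Calling `audit(SAMPLE)` reports only `my_vip_two`; the two stanzas from the post pass because each pairs a public outside address with a private translation.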