Forum Discussion
Link Controller Mail domain delegation
Hello guys, I know it is weekend but hope you could help me ASAP. I want to perform delegation to a Link Controller to handle incoming traffic which will be directed to a mail service and a web service, both deployed in a unique physical server. The zone I think could be is as follows:
The delegation is quite simple I think. But there is a problem. I can send and receive mails in a load balanced way, but I cannot get access to the website. I have performed a tracert to images.example.com and the IP is resolved but in the final line it shows mail.example.com. In other words, every time I try to tracert images.example.com, I reach mail.example.com. I am using the same IPs for inbound traffic (web & mail), but I think that is not a problem because I have different ports on each virtual server. The WideIPs are: mail.example.com & images.example.com. I think the delegation is wrong. Could you give me any advice? Is it possible to load balance incoming mail traffic?
Hope you could help me. The example above is just a test environment. I will put the F5 LC in production this night, so please...! :(
Thanks in advance
Jorge
7 Replies
- StephanManthey
Nacreous
In your example above I'm missing the trailing dots behind images.example.com.
Imho it should read:
    images.example.com. IN NS lc1
    images.example.com. IN NS lc2
A delegation on your authoritative name server may look like this:
    subdomain.f5test.local. IN NS lc_isp1.f5test.local.
    subdomain.f5test.local. IN NS lc_isp2.f5test.local.
    lc_isp1.f5test.local. IN A 10.1.0.253
    lc_isp2.f5test.local. IN A 10.2.0.253
    www.f5test.local. IN CNAME www.subdomain.f5test.local.
Both specified link controller interfaces are treated as authoritative for the subdomain.
The link controller will be able to resolve www.subdomain.f5test.local to A records associated with virtual servers on your link controller.
To accomplish this you will need 2 virtual servers (one per ISP link) which will be assigned to the so called Wide IP on the link controller.
The virtual servers are bound to a local pool of servers (subset of LTM feature).
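The trailing-dot point and the delegation records from the reply above, as an added example that is not part of the original thread: a small checker that expands zone-file names the way a BIND-style zone does and reports delegation problems. The function names and the `BAD` sample are constructed for illustration; the `GOOD` records are the ones quoted in the reply.

```python
ORIGIN = "f5test.local."  # zone origin; record names come from the reply's sample

def fqdn(name, origin=ORIGIN):
    """Expand a name as a BIND-style zone file does: a trailing dot means
    absolute, anything else is relative and gets the origin appended."""
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def parse(zone_text, origin=ORIGIN):
    """Parse 'owner IN TYPE rdata' lines into (owner, type, rdata) tuples."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        if rtype.upper() in ("NS", "CNAME"):   # rdata is a host name: expand it too
            rdata = fqdn(rdata, origin)
        records.append((fqdn(owner, origin), rtype.upper(), rdata))
    return records

def check_delegation(records, subdomain, origin=ORIGIN):
    """Return a list of problems found in the delegation of `subdomain`."""
    problems = []
    doubled = "." + origin + origin            # e.g. ".f5test.local.f5test.local."
    for owner, rtype, rdata in records:
        for name in (owner, rdata):
            if name.endswith(doubled):
                problems.append(f"{rtype} {name}: origin appended twice, trailing dot missing?")
    targets = [r for o, t, r in records if t == "NS" and o == subdomain]
    if not targets:
        problems.append(f"no NS records for {subdomain}")
    hosts_with_a = {o for o, t, _ in records if t == "A"}
    for target in targets:                     # in-zone NS targets need an address
        if target.endswith("." + origin) and target not in hosts_with_a:
            problems.append(f"NS target {target} has no A record")
    return problems

GOOD = """
subdomain.f5test.local. IN NS lc_isp1.f5test.local.
subdomain.f5test.local. IN NS lc_isp2.f5test.local.
lc_isp1.f5test.local. IN A 10.1.0.253
lc_isp2.f5test.local. IN A 10.2.0.253
www.f5test.local. IN CNAME www.subdomain.f5test.local.
"""
# Constructed sample: same delegation with the trailing dots left off the owner names.
BAD = """
subdomain.f5test.local IN NS lc_isp1
subdomain.f5test.local IN NS lc_isp2
lc_isp1 IN A 10.1.0.253
lc_isp2 IN A 10.2.0.253
"""

if __name__ == "__main__":
    for label, zone in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_delegation(parse(zone), "subdomain.f5test.local."))
```
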
- jmanya_44531
Nimbostratus
Hello Stephan,
Really, I appreciate your help.
I understand the delegation you posted, but what about MX records? Can I load balance inbound SMTP traffic? In such a case, how could the delegation be on the authoritative Name Server? Maybe just leaving an IN MX 10 mail.f5test.local line in the first group of NS and having a CNAME as follows: mail IN CNAME mail.subdomain.f5test.local?
Thanks a lot in advance for your help. Really...!
Jorge
- StephanManthey
Nacreous
So far I have never recommended balancing incoming SMTP via link controller.
You can use priorities for your MX records and control it that way.
So for incoming mail you will have additional virtual servers to handle the related protocols.
At the same time SMTP has its built-in redundancy. That's why I don't see a real need to use the link controller functionality for this task.
One thing to take care of is to SNAT outgoing mail traffic with the IP addresses associated with your MX records. Why? In case a reverse lookup is made at the receiving mail gateway it better points to an MX record.
To accomplish this, you will have protocol specific wildcard virtual servers for outbound traffic combined with a SNAT pool. SNAT pool members will be the virtual IP addresses for incoming mail.
- Techgeeeg
Nimbostratus
Hi Stephan, For the outgoing mails we have to create the VS which will be PerformanceL4 or Forwarding?? and it will be a Host or a network VS??
- StephanManthey
Nacreous
Hi,
it would be network virtual servers 0.0.0.0/0 on the relevant TCP ports. You can use your default gateway pool which contains the interfaces of your outbound router.
Instead of using SNAT AutoMap please create a SNATpool with the IP addresses of your virtual servers for inbound mail and use it with your network virtual servers.
Thanks, Stephan
- Techgeeeg
Nimbostratus
Hi Stephan,
Continuation to the above .... once the LC is implemented and everything is working fine, if someone does nslookup or dig for the particular URL it gives Name as test.subdomain.application.com and aliases as test.application.com. If I want the reply of dig or nslookup to show only test.application.com and not the CNAME test.subdomain.application.com, is it possible????
- StephanManthey
Nacreous
Hi Techgeeeg,
the CNAME response comes from your authoritative nameserver. There we have the so called delegation, to get the Link Controller involved into the name resolution process.
So the CNAME is required to return a hostname in a subdomain, which is handled by the Link Controller.
Now your local resolver will send a new A-query which will be resolved by the Link Controller. The answer will contain an A-record (virtual IP address). (If you create a hostname-based WideIP, the Link Controller will automatically map the assigned virtual servers VIPs as a resource. The automatic mapping requires the virtual IP addresses to belong to the same address range as the self IPs on VLANs, associated with your internet links. Manual changes in the wideip.conf / bigip_gtm.conf and config reload may be required.)
That's more or less like a zone file with multiple A-records for a single hostname in BIND. The difference is in the availability checking done by the Link Controller. Typically it will return a single A-record only, depending on the selected load balancing algorithm and its availability.
The Link Controller will return CNAME records as fallback method only.
I'm wondering if your question is related to the high availability of incoming mail?
Thanks and happy holiday,
Stephan
PS:
1) Due to the bank holiday my responses may be delayed.
2) Unfortunately I don´t have access to a Link Controller right now (I own just a LTM/GTM combo).