Lightboard Lessons: F5 BIG-IP DNS (GTM) iQuery Protocol Overview
In this episode of Lightboard Lessons, I introduce iQuery, the F5 proprietary protocol utilized by BIG-IP DNS to exchange system configuration with other BIG-IP DNS systems and performance metrics with all other BIG-IP systems configured to do so.
Resources
Published Aug 09, 2017
Version 1.0
JRahm
Admin
AdminJRahmAdmin
Admin
Andy_304337Cirrus
Nice and short video on iquery
sachin_80710Nimbostratus
Good video on GTM sync group, very less explanation on iquery protocol. Request you please have one more video only on iquery how it work and how to view details passed between iquery.
Is it possible to modify cipher list used in iquery? How to view(cli) the list of cipher list used in iquery?
vladimir_klepc1Hi Jason. I'm confused how both CMI (DSC) and iquery(big3d) use same tcp port 4353. According the https://support.f5.com/csp/article/K17333 : CMI uses the same port as iQuery tcp:4353, but is independent of iQuery and the port configuration options available for the port. If you are using iQuery, you must allow port 4353 in your port lockdown settings.
How can the two different applications use the same tcp/4353 port?
- JRahm
I don't know specifically why that is the case, but I imagine the protocol handshakes and messaging with CMI is a special workaround allowed by the system vs iQuery, which must be explicitly allowed. I can press for further details if it makes a difference for your security concerns, please let me know.
- vladimir_klepc1
Thank you for your quick reply) It is not the buisness case. I am confused how TMM can diffenciate traffic inside single TCP/4353 connection for MCPD and BIG3D.
- JRahm
I don't have access to the source code so I can't be sure, but think of it like a virtual server with a single port and an iRule. You can do a lot of decision making during protocol negotiation with an iRule, where you can reject or accept based on criteria you evaluate in headers and/or payload.
- snormoyle_36342
watching this video i understand that every GTM must communicate with every LTM and GTM.
so if i have 9 GTM and 40 LTM then each GTM talks to each LTM
- JRahm
If those 9 GTM are all responsible for all the LTMs, then yes. Out of curiosity, why so many GTMs? Is that for traffic load reasons or geographic distribution?
- snormoyle_36342
yes the 9 gtm are placed world wide. 5 in north America, 2 in asia, and 2 in eurpose.
Chause1hope you are well?
I have two question regarding a full mesh between DNS (GTM) and LTM's
Question 1
Here is my example:
3 DC's (Call them DC1/2/3)
Each DC contains 1 GTM and 2 LTM's
When a netstat command is executed how many tcp 4353 (iquery) connections should be seen on say DC 1?
I would say that it will be 9 as there is a connection to all GTM's and LTM's in each DC and then a connection to the GTM itself in the DC1
Question 2
Config sync between GTM's
Again 3 DC's same as above
netstat shows that DC 3 iquery is incomplete
DC1 -> DC2 OK
DC1 -> DC3 FAILED
DC2 -> DC1 OK
DC2 -> DC3 FAILED
DC3 -> DC1 OK
DC3 -> DC2 OK
Chnages made on DC 3 will not sync to any of the other GTM's is this correct?
Thanks
