Nice and short video on iquery

Good video on GTM sync group, very less explanation on iquery protocol. Request you please have one more video only on iquery how it work and how to view details passed between iquery.

Is it possible to modify cipher list used in iquery? How to view(cli) the list of cipher list used in iquery?

Hi Jason. I'm confused how both CMI (DSC) and iquery(big3d) use same tcp port 4353. According the https://support.f5.com/csp/article/K17333 : CMI uses the same port as iQuery tcp:4353, but is independent of iQuery and the port configuration options available for the port. If you are using iQuery, you must allow port 4353 in your port lockdown settings.

How can the two different applications use the same tcp/4353 port?

I don't know specifically why that is the case, but I imagine the protocol handshakes and messaging with CMI is a special workaround allowed by the system vs iQuery, which must be explicitly allowed. I can press for further details if it makes a difference for your security concerns, please let me know.

Thank you for your quick reply) It is not the buisness case. I am confused how TMM can diffenciate traffic inside single TCP/4353 connection for MCPD and BIG3D.

I don't have access to the source code so I can't be sure, but think of it like a virtual server with a single port and an iRule. You can do a lot of decision making during protocol negotiation with an iRule, where you can reject or accept based on criteria you evaluate in headers and/or payload.

watching this video i understand that every GTM must communicate with every LTM and GTM.

so if i have 9 GTM and 40 LTM then each GTM talks to each LTM

If those 9 GTM are all responsible for all the LTMs, then yes. Out of curiosity, why so many GTMs? Is that for traffic load reasons or geographic distribution?

yes the 9 gtm are placed world wide. 5 in north America, 2 in asia, and 2 in eurpose.

  hope you are well?

I have two question regarding a full mesh between DNS (GTM) and LTM's

Question 1

Here is my example:

3 DC's (Call them DC1/2/3)

Each DC contains 1 GTM and 2 LTM's

When a netstat command is executed how many tcp 4353 (iquery) connections should be seen on say DC 1?

I would say that it will be 9 as there is a connection to all GTM's and LTM's in each DC and then a connection to the GTM itself in the DC1

Question 2

Config sync between GTM's

Again 3 DC's same as above

netstat shows that DC 3 iquery is incomplete

DC1 -> DC2 OK

DC1 -> DC3 FAILED

DC2 -> DC1 OK

DC2 -> DC3 FAILED

DC3 -> DC1 OK

DC3 -> DC2 OK

Chnages made on DC 3 will not sync to any of the other GTM's is this correct?

Thanks

Question 1: on DC1 GTM you will see 1 conn : client:server + server :client as a new line for its own big3d, + 1 for each other client outside as a server:client so 1+2+6: 9. 9 right

Q2: yes DC3 is isolated will act alone for that Dc only

 there is redundant command : bigip_add. According to K13312 if you do big3d_install the certs are exchanged as well . Done .

big3d_add is redundant action if you do big3d_install. bigip_add you can use if you already know that you have the same big3d version on all systems.

Think should be mentioned there on the board since confusion.

THX

Hi , I appreciate the feedback! I assume by big3d_add you mean bigip_add? If so, it could be redundant, but not necessarily so. If all the target systems have the latest big3d daemon, there's no need to run big3d_install at all.