great explanation, i watched few times to get more understanding. i run GTM / LTM lab and try disable/enable remove/add to see the effect before making any changes in production.
Thank you for the informative video! I am new on F5, have some experience with LTM but none with DNS, I notice that F5 puts a lot of emphasis on the 3 steps to synchronize iQuery communication, and the big3d agent is crucial for this. However, I really would like to know what big3d agent IS or which information it collects, is there any devcentral page with this info? Thank
Hi. These support articles should help: Manual Chapter : Communications Between BIG-IP GTM and Other Systems: techdocs.f5.com/kb/en-us/products/big-ip_gtm/manuals/product/gtm-concepts-11-5-0/2.html Manual Chapter : Authenticating with SSL Certificates Signed by a Third Party: techdocs.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-implementations-13-1-0/13.html Manual Chapter : Integrating BIG-IP DNS Into a Network with BIG-IP LTM Systems: techdocs.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-implementations-13-1-0/1.html
When talking about iQuery between a GTM and an LTM, which device *initiates* the iQuery connection? Does the GTM initiate the iQuery to the LTM or does the LTM initiate the iQuery to the GTM? This affects how we open our firewall rules to allow iQuery.
gtmd initiates the iquery connection to big3d on itself and other GTM/LTM devices, so you would need to allow GTM src to GTM dst:4353/tcp and GTM src to LTM dst:4353/tcp for the iquery mesh to function properly. Resources: support.f5.com/csp/article/K14227 support.f5.com/csp/article/K55502976#link_08_01
big3d_install and bigip_add command both do cert exchange but I am confused what would be the order here. Also if we are adding a new gtm in the sync group, do i need to run the bigip_add command from the existing gtms or gtm_add command from the new gtm box will do that for us?
big3d_install (from gtm) should only be necessary if the big3d version is earlier than the one installed on GTM and the LTMs are already part of the iquery mesh. If that is not the case, you should use bigip_add and it will take care of the cert exchange and the big3d install/update in one command from one gtm in the sync group, the others will then attempt to connect to the new mesh endpoint after receiving updates. Details: support.f5.com/csp/article/K13312 support.f5.com/csp/article/K43300744 Sorry for the delay, I've been OoO for a little while.
Thank you so much for this video. I'm bringing up a whole new GTM infra with 4 BigIP DNS boxes broken up into two HA pairs. with all 4 devices having a clean config, do I need to run the bigip_add and the gtm_add in each device to the other 3?
you will run bigip_add on the GTM with a target of each LTM, including the standby devices in each HA pair. Once you have the first GTM configured, you can run the gtm_add on the second one with a target of the first you configured and you should be good to go. gtm_add should not target an LTM.
there is redundant command : bigip_add. According to K13312 if you do big3d_install the certs are exchanged also . Done . bigip_add is redundant action if you do big3d_install. bigip_add you can use if you already know that you have the same big3d version on all systems.
In what context? Assuming you just want to add records to zones defined in ZoneRunner, you just go to DNS->Zones->ZoneRunner->Zone List, click on the zone you want to add the record to (or just DNS->Zones->ZoneRunner->Resource Record List and select the appropriate zone name), then click create, select CAA as the type, then fill out your appropriate details.
Hi guy I have config GTM between F5 DNS and LTM. Whe we config server, using heath monitor : Bigip, >>> Error: Monitor /Common/bigip from /Common/ltm_hostname : no reply from big3d: timed out Please help me
Hi Guys, I need to implement 4 gtm boxes, each pair on each site, first the 4 boxes must be on the same sync group or each pair in one group ? Is it necessary a communication between gtm boxes on different sites ?
didn't explain what is the real purspose of iquery between GTM and LTM and what I will lose if I have 3rd party load balancer and iquery between GTM and 3rd party load balancer doesn't exist.
Hi YH, thanks for the feedback. The purpose of iQuery is covered in the first minute: enables communication between gtmd and big3d daemons on GTM devices. You are correct that if you use a 3rd party local load balancer that you will need to use an alternative to the bigip monitor in GTM, but there are plenty of options on that front.
Gracias! estoy aprendiendo de F5 DNS
great explanation, i watched few times to get more understanding. i run GTM / LTM lab and try disable/enable remove/add to see the effect before making any changes in production.
Hey, thanks for the comment! Glad you enjoy the videos!
Enjoyed the video and impressed at your ability to write backwards so easily!
They don't actually write backwards - they write normally but flip the video in post-processing edit.
Thank you for the informative video! I am new on F5, have some experience with LTM but none with DNS, I notice that F5 puts a lot of emphasis on the 3 steps to synchronize iQuery communication, and the big3d agent is crucial for this. However, I really would like to know what big3d agent IS or which information it collects, is there any devcentral page with this info? Thank
Hi. These support articles should help:
Manual Chapter : Communications Between BIG-IP GTM and Other Systems: techdocs.f5.com/kb/en-us/products/big-ip_gtm/manuals/product/gtm-concepts-11-5-0/2.html
Manual Chapter : Authenticating with SSL Certificates Signed by a Third Party: techdocs.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-implementations-13-1-0/13.html
Manual Chapter : Integrating BIG-IP DNS Into a Network with BIG-IP LTM Systems: techdocs.f5.com/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-implementations-13-1-0/1.html
How to identify which physical interface it will use? Mgmt or tmm
Awesome explanation and very informative. Thanks for sharing.
When talking about iQuery between a GTM and an LTM, which device *initiates* the iQuery connection? Does the GTM initiate the iQuery to the LTM or does the LTM initiate the iQuery to the GTM? This affects how we open our firewall rules to allow iQuery.
gtmd initiates the iquery connection to big3d on itself and other GTM/LTM devices, so you would need to allow GTM src to GTM dst:4353/tcp and GTM src to LTM dst:4353/tcp for the iquery mesh to function properly. Resources:
support.f5.com/csp/article/K14227
support.f5.com/csp/article/K55502976#link_08_01
@@devcentral Nice, thank you so much!
big3d_install and bigip_add command both do cert exchange but I am confused what would be the order here. Also if we are adding a new gtm in the sync group, do i need to run the bigip_add command from the existing gtms or gtm_add command from the new gtm box will do that for us?
big3d_install (from gtm) should only be necessary if the big3d version is earlier than the one installed on GTM and the LTMs are already part of the iquery mesh. If that is not the case, you should use bigip_add and it will take care of the cert exchange and the big3d install/update in one command from one gtm in the sync group, the others will then attempt to connect to the new mesh endpoint after receiving updates. Details:
support.f5.com/csp/article/K13312
support.f5.com/csp/article/K43300744
Sorry for the delay, I've been OoO for a little while.
Thanks Jason for the clarification.
Thank you so much for this video. I'm bringing up a whole new GTM infra with 4 BigIP DNS boxes broken up into two HA pairs. with all 4 devices having a clean config, do I need to run the bigip_add and the gtm_add in each device to the other 3?
you will run bigip_add on the GTM with a target of each LTM, including the standby devices in each HA pair. Once you have the first GTM configured, you can run the gtm_add on the second one with a target of the first you configured and you should be good to go. gtm_add should not target an LTM.
there is redundant command : bigip_add. According to K13312 if you do big3d_install the certs are exchanged also . Done .
bigip_add is redundant action if you do big3d_install. bigip_add you can use if you already know that you have the same big3d version on all systems.
Please explain how to setup a CAA record in bigip DNS GTM
In what context? Assuming you just want to add records to zones defined in ZoneRunner, you just go to DNS->Zones->ZoneRunner->Zone List, click on the zone you want to add the record to (or just DNS->Zones->ZoneRunner->Resource Record List and select the appropriate zone name), then click create, select CAA as the type, then fill out your appropriate details.
Thanks for a Beautiful video
Hi guy
I have config GTM between F5 DNS and LTM.
Whe we config server, using heath monitor : Bigip,
>>> Error: Monitor /Common/bigip from /Common/ltm_hostname : no reply from big3d: timed out
Please help me
Hi Guys,
I need to implement 4 gtm boxes, each pair on each site, first the 4 boxes must be on the same sync group or each pair in one group ?
Is it necessary a communication between gtm boxes on different sites ?
didn't explain what is the real purspose of iquery between GTM and LTM and what I will lose if I have 3rd party load balancer and iquery between GTM and 3rd party load balancer doesn't exist.
Hi YH, thanks for the feedback. The purpose of iQuery is covered in the first minute: enables communication between gtmd and big3d daemons on GTM devices. You are correct that if you use a 3rd party local load balancer that you will need to use an alternative to the bigip monitor in GTM, but there are plenty of options on that front.