GTM-1：概述及DNS原理

©F5Networks•1、GTM工作原理•2、一个域名xx.com在GTM上完整的配置步骤。wideip、pool、server、virtualserver、link之间是如何关联的？•3、pool和server的健康检查方式“bigip”怎么理解，设置健康检查是不是必要的?•4、pool里面的ttl一般设置多少，与ZoneRunner里面的ttl是不是同一个参数？修改该值对域名解析有什么影响？•5、GTM的负载均衡几种算法怎么理解，如何正确的应用？•6、两台GTM怎么配置同步，有哪些同步检测机制？•7、ZoneRunner里面的配置，A记录、Cname、PTR、SOA等。wideip和ZoneRunner应该先配哪个？•8、日常监控和巡检GTM哪些地方是重点需要关注的？AgendaF5GTM产品培训-GTM产品概述及DNS工作原理神州数码©F5NetworksF5’sAdaptiveTCPStack(TCPExpress)单独的流量处理操作系统(TMOS)F5集成架构平台独特的运营级别高性能硬件平台HighPerformanceSSLGeoLocationServicesRateShapingFastCacheHighPerformanceCompressionDynamicRoutingTCPMultiplexing&OptimalConnectionHandlingFullIPv6/IPv4GatewayiRulesProgrammingiControlAPIManagementControlPlane(MCP)FullL2SwitchingDoSandDDOSProtectioniSessions:F5secure,optimizedtunnelingUniversalSwitchingEngine(USE)UniversalPersistence:TransactionIntegrityHighSpeedLoggingSharedServicesArchitecture应用交付产品模块应用负载均衡(LTM)全局负载均衡(GTM)广域网优化(WOM)Web应用加速(WA)链路负载均衡(LC)应用安全(ASM)访问策略管理(APM)统一访问VPN–边界服务(Edge)--TheNextBigThing--©F5NetworksBIG-IPGlobalTrafficManager(GTM)BIG-IPGTM:Isawide-arealoadbalancer(alsocalledaGlobalServerLoadBalancer,orGSLB)UsesDomainNameService(DNS)asthetrafficmanagementmechanismPutsintelligenceintotheDNSresolutionprocessMonitorssiteavailabilityandperformanceCustomerscanpurchaseBIG-IPGTM:Asasoftwaremoduleadd-onforBIG-IPLocalTrafficManager™(LTM)OrasastandaloneproductonBIG-IPhardware©F5NetworksGTM主要功能BIG-IPGTM基本功能:智能解析服务器标准的BINDServerBIG-IPGTM增强功能Multicore(CMP)BIG-IPGTMv11DNSLoadbalanceDNSSECDNSExpressIPAnycastIntegration©F5NetworksStandardDNSDNSserverlimitationsDoesnotprovide“true”highavailability•DNScannotdetermineifsiteisuporevenexistsOnlysupportsroundrobinloadbalancing•DNSwillcontinuetoresolvetoasite,evenifthesiteisdownNoabilityto“persist”ifanapplicationisstatefulMostDNSserversare:Unix/LinuxboxesrunningBINDMicrosoftDNSBIG-IPGTMcanrunbothintelligentDNSresolutionandBINDresolutionZoneRunnerisaBIG-IPGTMGUIinterfaceforBIND©F5NetworksScalableGTMPerformanceNewPlatformOptionsGTMisnowrunninginTMMandCMPenabled•Queries/second125kto200kQPSpercore•GTMVE–1TMM=upto150kQPSdependingonserverCPU•GTM2000standalone–2cores=~300kQPS•GTM4000standalone–4cores=~600kQPS•GTM11050standalone–12cores=~2.4MillionQPS•VIPRIONGTMmodulescaleswithblades=upto6.6MillionQPSBIP-IP2000s•212KL7RPS•2KSSLTPS(2Kkey)•75KL4CPS•5GbpsL7TPUT•210GigabitFiberPorts(SFP,)•8GigabitEthernetCUports•Upgradeableto2200sBIG-IP2200s•425KL7RPS•4KSSLTPS(2Kkey)•150KL4CPS•5GbpsL7TPUT•210GigabitFiberPorts(SFP,)•8GigabitEthernetCUportsBIG-IP4000s•425KL7RPS•4.5KSSLTPS(2Kkey)•150KL4CPS•10GbpsL7TPUT•210GigabitFiberPorts(SFP,)•8GigabitEthernetCUports:•Upgradeableto4200vBIG-IP4200v•850KL7RPS•9KSSLTPS(2Kkey)•300KL4CPS•10GbpsL7TPUT•210GigabitFiberPorts(SFP,)•8GigabitEthernetCUports:BIP-IP5000s•750KL7RPS•10KSSLTPS(2Kkey)•350KL4CPS•15GbpsL7TPUT•810GigabitFiberPorts(SFP,)•4GigabitEthernetCUports•Upgradeableto5200vBIG-IP5200v•1.5ML7RPS•21KSSLTPS(2Kkey)•700KL4CPS•15GbpsL7TPUT•810GigabitFiberPorts(SFP,)•4GigabitEthernetCUportsBIG-IP11000•2.5ML7RPS•20KSSLTPS(2Kkey)•1ML4CPS•24GbpsL7TPUT•1010GigabitFiberPorts(SFP,)BIG-IP11050•2.5ML7RPS•20KSSLTPS(2Kkey)•1ML4CPS•40GbpsL7TPUT•1010GigabitFiberPorts(SFP,)BIG-IP10000s•1ML7RPS•21KSSLTPS(2Kkey)•500KL4CPS•40GL7TPUT•1610GigabitFiberPorts(SFP,)•240GigabitFiberPorts(QSFP,)•Upgradeableto10200vBIG-IP7000s•800KL7RPS•15KSSLTPS(2Kkey)•390KL4CPS•20GbpsL7TPUT•810GigabitFiberPorts(SFP,)•4GigabitEthernetCUports:•Upgradeableto7200vBIG-IP7200v•1.6ML7RPS•25KSSLTPS(2Kkey)•775KL4CPS•20GbpsL7TPUT•810GigabitFiberPorts(SFP,)•4GigabitEthernetCUports:BIG-IP10200v•2ML7RPS•42KSSLTPS(2Kkey)•1ML4CPS•40GL7TPUT•1610GigabitFiberPorts(SFP,)•240GigabitFiberPorts(QSFP,)•FIPSandSSLVersions©F5NetworksHowacachepoisoningattackworksSource:IEEE©F5NetworksWhatisDNSSEC?©F5NetworksDNSExpressIn-memoryDNSServerforhigh-speedresponseandDDoSprotectionHigh-speed,highresponseauthoritativeDNSserver•AuthoritativeDNSservingoutofRAM•Configurationsizefortensofmillionsofrecords•Zonetransferandnotifyforupdates•ScalableDNSPerformance•Estimatedperformance125k–200kQPSpercoreDNSExpressinTMOSDNSServerAnswerDNSQueryManageDNSRecordsNICOSAdminAuthRolesDynamicDNSDHCPAnswerDNSQueryAnswerDNSQueryAnswerDNSQueryAnswerDNSQuery©F5NetworksDNSExpress©F5NetworksIPAnycastImprovements•IPAnycast=RouteHealthInjectionforDNSListener•1NameServerIPAddressmultipledevices•RoutingArchitecturesendsquerytoclosestdevice–Usesnetworking/routingweights–CanbeusedinsideadatacentertoclusterGTMs•CheckboxinDNSListener,monitorsGTMdautomaticallyforRHI•AddRoutingModuletoStandaloneGTM©F5NetworksNetworkTopologyServer1RouterBRouterCRouterDClient10.10.1.110.10.1.1Server2RouterARoutingTablefromRouterA:DestinationMaskNext-HopDistance192.168.0.0/29127.0.0.1010.10.1.1/32192.168.0.1110.10.1.1/32192.168.0.22192.168.0.1192.168.0.2192.168.0.3©F5NetworksClientNearRouter“A”Server1RouterBRouterCRouterDClient10.10.1.110.10.1.1Server2RouterARoutingTablefromRouterA:DestinationMaskNext-HopDistance10.10.1.1/32192.168.0.1110.10.1.1/32192.168.0.22192.168.0.1192.168.0.2192.168.0.3192.16