In this example, you set up an HA pair of NIOS appliances to provide internal DNS and DHCP services. The HA pair answers internal queries for all hosts in its domain (corpxyz.com). It forwards internal queries for external sites to ns1.corpxyz.com at 10.1.5.2 and ns2.corpxyz.com at 2.2.2.2. It also uses DHCP to provide dynamic and fixed addresses. You can deploy the HA appliance in IPv4, IPv6 or dual mode (IPv4 and IPv6), but the configuration example uses IPv4 addresses.

The HA pair consists of two appliances (nodes). The VIP (virtual IP) address of the HA pair and the addresses of the HA and LAN1 ports on each node are as follows:

HA Pair IP Addresses

  • VIP: 10.1.4.10 (the address that the active node of the HA pair uses)
  • Node 1: LAN1 10.1.4.6, HA 10.1.4.7
  • Node 2: LAN1 10.1.4.8, HA 10.1.4.9


The virtual router ID number for the HA pair is 150. The ID number must be unique for this network segment. When you create the corpxyz.com zone on the HA pair, you import DNS data from the legacy server at 10.1.4.11.

Figure 6.6 Example 2 Network Diagram

An HA pair of NIOS appliances provides internal DNS services. It answers internal queries for all hosts in its domain. It forwards internal queries for external sites to ns1 and ns2. It also serves DHCP, providing both dynamic and fixed addresses.

Cabling Appliances to the Network and Turning On Power

Connect Ethernet cables from the LAN1 and HA ports on both NIOS appliances to a switch in the server network and turn on the power for both appliances. For information about installing and cabling the appliance, refer to the user guide or installation guide that ships with the product.

Specifying Initial Network Settings

Before you can configure the appliances through Grid Manager, you must be able to make a network connection to them. The default network settings of the LAN1 port are 192.168.1.2/24 with a gateway at 192.168.1.1 (the HA and MGMT ports do not have default network settings). To change these settings, you can use the LCD or make a console connection to each appliance.

Node 1

Using the LCD or console port on one of the appliances, enter the following information:

  • IP Address: 10.1.4.6 (for the LAN1 port)
  • Netmask: 255.255.255.0
  • Gateway: 10.1.4.1

Node 2

Using the LCD or console port on the other appliance, enter the following information:

  • IP Address: 10.1.4.8 (for the LAN1 port)
  • Netmask: 255.255.255.0
  • Gateway: 10.1.4.1

After you confirm your network settings, the Infoblox GUI application automatically restarts.

Specifying Appliance Settings

When you make the initial HTTPS connection to a NIOS appliance, the Infoblox NIOS Startup Wizard guides you through the basic deployment of the appliance on your network. To set up an HA pair, you must connect to and configure each appliance individually.

Node 1

  1. Open an Internet browser window and enter https://10.1.4.6.
  2. Accept the certificate when prompted. Several certificate warnings may appear during the login process. This is normal because the preloaded certificate is self-signed and has the hostname www.infoblox.com, which does not match the destination IP address you entered in step 1. To stop the warning messages from occurring each time you log in to Grid Manager, you can generate a new self-signed certificate or import a third-party certificate with a common name that matches the FQDN (fully-qualified domain name) of the appliance. For information about certificates, see Creating a Login Banner.
  3. Enter the default username and password (admin and infoblox) on the Grid Manager login page, and then click Login or press Enter. For information, see Logging on to the NIOS UI.
  4. Read the Infoblox End-User License Agreement, and then click I Accept to proceed.
  5. Read about the Infoblox Customer Experience Improvement Program and choose whether to participate (opt in) or not participate (opt out) in the program. By default, participation is enabled. If you want to opt out of the program, select To Opt-Out of the alert program, please click here. For more information about the program, see Configuring the Customer Experience Improvement Program.
  6. Click OK. Grid Manager may take a few seconds to load your user profile.
  7. In the first screen of the NIOS Setup wizard, complete the following:
    • Type of Network Connectivity: Select IPv4 as the communication protocol from the drop-down list.
    • Select Configuring an HA pair and click Yes to configure the first appliance.
    • Send HA and Grid Communication over: Select IPv4 from the drop-down list for VRRP advertisements.
  8. In the NIOS Startup wizard, select Configuring an HA pair. Click Yes to configure the first appliance.
  9. Click Next and complete the following to configure network settings:
    • Host Name: Enter ns3.corpxyz.com.
    • HA Pair Name: Use the default name Infoblox.
    • Shared Secret: Enter 37eeT1d.
  10. Click Next and complete the following to set properties for the first node:
    • Virtual Router ID: Enter 150.
    • Required Ports and Addresses: In the table, click the empty fields and enter the following information for each corresponding interface in the table:
      • VIP (IPv4): 10.1.4.10
      • Node 1 HA (IPv4): 10.1.4.7
      • Node 2 HA (IPv4): 10.1.4.9
      • Node 1 LAN1 (IPv4): 10.1.4.6
      • Node 2 LAN1 (IPv4): 10.1.4.8
      • Subnet Mask: 255.255.255.0
      • Gateway: 10.1.4.1

        Note

        Some fields are prepopulated by Grid Manager based on the existing configuration of the appliance. All fields are required.

  11. Click Next and complete the following to set admin password:
    • Would you like to set admin password?: Click No.
  12. Click Next and complete the following to configure time settings:
    • Time Zone: Select (UTC – 8:00) Pacific Time (US and Canada), Tijuana from the drop-down list.
    • Would you like to enable NTP?: Select Yes to synchronize the time with external NTP servers, and then click the Add icon. Grid Manager adds a row to the NTP Server table. Click the row and enter 10.120.3.10 in the NTP Server field.
  13. Click Next to view the summary of the configuration. Review the information and verify that it is correct. You can change the information you entered by clicking Previous to go back to a previous step.
  14. Click Finish.

Node 2

  1. From the System tab, select the System Manager tab, and then click System Properties -> Setup Wizard from the Toolbar.
  2. In the first screen of the NIOS Setup wizard, complete the following:
    • Type of Network Connectivity: Select IPv4 as the communication protocol from the drop-down list.
    • Select Configuring an HA pair and click Yes to configure node 2 of the HA pair.
  3. In the NIOS Startup wizard, select Configuring an HA pair to configure an independent HA pair. Click No to configure node 2 of the HA pair.
  4. Click Next, and then complete the following to configure network settings:
    • HA Virtual IP address: Enter 10.1.4.10.
    • HA Pair Name: Use the default name Infoblox.
    • Shared Secret: Enter 37eeT1d.
    • Show Password: Click this to display the shared secret.
  5. Click Next, and then complete the following to set properties for the second appliance:
    • IP Address: Enter 10.1.4.8.
    • Subnet Mask: Enter 255.255.255.0.
    • Gateway: Enter 10.1.4.1.
  6. Click Next to view the summary of the configuration. Review the information and verify that it is correct. You can change the information you entered by clicking Previous to go back to a previous step.
  7. Click Finish.

The setup of the HA pair is complete. From now on, when you make an HTTPS connection to the HA pair, use the VIP address 10.1.4.10.

Enabling Zone Transfers

To allow the NIOS appliance to import zone data from the legacy server at 10.1.4.11, you must configure the legacy server to allow zone transfers to the appliance at 10.1.4.10.

Legacy BIND Server

  1. Open the named.conf file using a text editor and change the allow-transfer statement to allow zone transfers to the appliance at 10.1.4.10. For a sample of the required changes to the named.conf file.
  2. After editing the named.conf file, restart DNS service for the change to take effect.
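The named.conf change referred to in step 1, as an added sample that is not from the Infoblox page or from BIND's own documentation. Only the addresses come from the example (the legacy server at 10.1.4.11 and the HA pair's VIP 10.1.4.10); the directory and zone file paths are assumptions:

```conf
// Added sample for the legacy BIND server at 10.1.4.11 (not from the
// Infoblox page). Paths are assumed; the addresses match the example.
options {
    directory "/var/named";            // assumed path

    // Deny zone transfers globally, then grant them per zone below.
    // A zone added later without its own allow-transfer stays closed.
    allow-transfer { none; };
};

zone "corpxyz.com" IN {
    type master;
    file "corpxyz.com.zone";           // assumed file name

    // Only the HA pair's VIP (10.1.4.10) may pull this zone (AXFR/IXFR).
    allow-transfer { 10.1.4.10; };

    // Optional: tell the appliance when the zone changes so it refreshes
    // promptly during the migration.
    also-notify { 10.1.4.10; };
};
```

After restarting named, confirm the restriction from a host that is not 10.1.4.10: a `dig @10.1.4.11 corpxyz.com AXFR` should be refused there, while the appliance's import in the next section should succeed. If the appliance sources its transfer request from a node's LAN1 address rather than the VIP, add that address (10.1.4.6 or 10.1.4.8) to the same allow-transfer list.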

Legacy Windows 2000/2003 Server

Navigate to the corpxyz.com Properties dialog box, and then add 10.1.4.10 to the list of IP addresses to which you want to allow zone transfers. 

Importing Zone Data

You can import zone data from a legacy server to an independent HA pair. Use the following information:

  • Forward-mapping zone: corpxyz.com
  • Import zone from: 10.1.4.11
  • Reverse-mapping zone: 1.1.1.0

Defining Networks, Reverse-Mapping Zones, DHCP Ranges, and Infoblox Hosts

In this task, you enter data manually. For large data sets, you have the option of using the Data Import Wizard for loading DNS and DHCP configurations and data to make the process more efficient. To download the Data Import Wizard, visit www.infoblox.com/import/.

Networks

You can create all the subnetworks individually (which in this example are 10.1.1.0/24, 10.1.2.0/24, 10.1.4.0/24, and 10.1.5.0/24), or you can create a parent network (10.1.0.0/16) that encompasses all the subnetworks and then use the Infoblox split network feature to create the individual subnetworks automatically. The split network feature accomplishes this by using the IP addresses that exist in the forward-mapping zones to determine which subnets it needs to create. This example uses the split network feature. For information about creating networks, see Configuring IPv4 Networks.

  1. From the Data Management tab, select the IPAM tab, and then click Add -> Add IPv4 Network from the Toolbar.
  2. In the Add Network wizard, complete the following:
    • Address: 10.1.0.0
    • Netmask: Use the netmask slider to select the /16 (255.255.0.0) netmask.
  3. Click Next to select a server. Click the Add icon. Grid Manager displays ns3.corpxyz.com in the table.
  4. Click Save & Close.
  5. On the IPAM tab, select the 10.1.0.0/16 check box, and then select Split from the Toolbar.
  6. In the Split Network dialog box, complete the following:
    • Subnetworks: Move the slider to 24.
    • Immediately Add: Select Only networks with ranges and fixed addresses.
    • Automatically create reverse-mapping zones: Select this check box.
  7. Click OK.
    The appliance creates the following 24-bit subnets for the imported Infoblox hosts:
    • 10.1.1.0/24
    • 10.1.2.0/24
    • 10.1.4.0/24
    • 10.1.5.0/24
  8. From the IPAM tab, select the 10.1.1.0/24 check box, and then click the Edit icon.
  9. In the DHCP Network editor, enter information on the following tabs:
    • General: Comment: MGT
    • Server Assignment: Add ns3.corpxyz.com as a server
  10. Click Save & Close.
  11. To modify the other networks, repeat steps 8 – 10 for each network and use the following information:
    • 10.1.2.0/24 Network:
      • Comment: Dev
      • Server Assignment: ns3.corpxyz.com
    • 10.1.4.0/24 Network:
      • Comment: Server
      • Server Assignment: ns3.corpxyz.com
    • 10.1.5.0/24 Network:
      • Comment: DMZ
      • Server Assignment: ns3.corpxyz.com

DHCP Ranges

  1. On the Data Management tab, select the DHCP tab -> Networks tab -> 10.1.1.0/24, and then click Add -> DHCP Range from the Toolbar.
  2. In the Add Range wizard, complete the following:
    • Start: 10.1.1.10
    • End: 10.1.1.50
  3. Click Next, and then select Server. Grid Manager displays ns3.corpxyz.com as the assigned member.
  4. Click Save & Close.
  5. In the Networks tab, click 10.1.2.0/24, and then click Add -> DHCP Range from the Toolbar.
  6. In the Add Range wizard, complete the following:
    • Start: 10.1.2.10
    • End: 10.1.2.50
  7. Click Next, and then select Server. Grid Manager displays ns3.corpxyz.com as the assigned member.
  8. Click Save & Close.

Infoblox Hosts

Defining both a MAC and IP address for an Infoblox host definition creates a DHCP host entry (like a fixed address) that you can manage through the host object. To add a MAC address to each host record that the appliance created when you imported forward- and reverse-mapping zone records:

  1. On the Data Management tab, select the IPAM tab -> 10.1.1.0/24 -> 10.1.1.2.
  2. In the Related Objects tab, select the check box of the host record, and then click the Edit icon.
  3. In the Host Record editor, click the MAC Address field, and then enter the following:
    • MAC Address: 00:00:00:aa:aa:aa
  4. Click Save & Close.
  5. Follow steps 1 – 4 to modify hosts with the following information:
    • printer2
      • IP Address: 10.1.2.2
      • MAC Address: 00:00:00:bb:bb:bb
    • storage1
      • IP Address: 10.1.4.2
      • MAC Address: 00:00:00:dd:dd:dd
    • storage2
      • IP Address: 10.1.4.3
      • MAC Address: 00:00:00:ee:ee:ee
    • proxymail
      • IP Address: 10.1.4.4
      • MAC Address: 00:00:00:ff:ff:ff
    • proxyweb
      • IP Address: 10.1.4.5
      • MAC Address: 00:00:00:11:11:11
    • www
      • IP Address: 10.1.5.5
      • MAC Address: 00:00:00:55:55:55
    • mail
      • IP Address: 10.1.5.6
      • MAC Address: 00:00:00:66:66:66
    • ftp
      • IP Address: 10.1.5.7
      • MAC Address: 00:00:00:77:77:77

Defining Multiple Forwarders

Since ns3.corpxyz.com is an internal DNS server, you configure it to forward DNS queries for external DNS name resolution to the primary and secondary DNS servers—ns1.corpxyz.com at 10.1.5.2 and ns2.corpxyz.com at 2.2.2.2.

  1. From the Data Management tab, select the DNS tab, and then select System DNS Properties from the Toolbar.
  2. In the System DNS Properties editor, click the Add icon on the Forwarders tab. Grid Manager adds a row to the table. Complete the following:
    • Address: Type 2.2.2.2. Click Add again to add another forwarder.
    • Address: Type 10.1.5.2.
  3. Save the configuration and click Restart if it appears at the top of the screen.

Each of the forwarders is assigned a random response time. The appliance sends the initial outbound query to the forwarder that has the lowest response time. If the first forwarder does not reply, the appliance tries the one with the next lowest random response time. The appliance adjusts and keeps track of the response times of the forwarders and uses the quicker one for future queries. If the quicker forwarder does not respond, the appliance then uses another one.

Enabling Recursion on External DNS Servers

Since the HA pair forwards outbound queries to the two external DNS servers ns1.corpxyz.com (10.1.5.2) and ns2.corpxyz.com (2.2.2.2) for resolution, you must enable recursion on those servers. When a DNS server employs recursion, it queries other DNS servers for a domain name until it either receives the requested data or an error that the requested data cannot be found. It then reports the result back to the server that queried—in this case, the internal DNS server ns3.corpxyz.com (10.1.4.10), which in turn reports back to the DNS client.

Infoblox Server in the DMZ Network (ns1.corpxyz.com, 10.1.5.2)

  1. On the Data Management tab, select the DNS tab, and then click System DNS Properties from the Toolbar.
  2. In the System DNS Properties editor, select the Allow Recursion check box on the Queries tab, and then click the Add icon -> IPv4 Address. Grid Manager adds a row to the Allow recursive queries from table. Complete the following:
    • Permission: Select Allow from the drop-down list.
    • Name: Enter 10.1.1.52.
  3. Save the configuration and click Restart if it appears at the top of the screen.

BIND Server at ISP Site (ns2.corpxyz.com, 2.2.2.2)

  1. Open the named.conf file using a text editor and change the recursion and allow-recursion statements to allow recursive queries from 1.1.1.8 (the NAT address of ns3).

options {
    zone-statistics yes;
    directory "/var/named/named_conf";
    version "";
    recursion yes;
    listen-on { 127.0.0.1; 2.2.2.2; };
    allow-recursion { 1.1.1.8; };
    transfer-format many-answers;
};

  2. After editing the named.conf file, restart DNS service for the change to take effect.

Windows 2000/2003 Server at ISP Site (ns2.corpxyz.com, 2.2.2.2)

  1. Click Start -> All Programs -> Administrative Tools -> DNS.
  2. Right-click ns3, and then select Properties -> Advanced.
  3. On the Advanced page in the ns3 Properties dialog box, clear the Disable recursion check box.
  4. To save the configuration change and close the ns3 Properties dialog box, click OK.

Modifying the Firewall and Router Configurations

Configure the firewall and router in your internal network to allow the following DHCP, DNS, and NTP traffic:

  • To allow messages to pass from the DHCP clients in the DMZ—the web, mail, and FTP servers—to ns3 in the Server network, configure policies and DHCP relay agent settings on the firewall.
  • To forward DHCP messages from DHCP clients in the MGT and Dev networks to ns3 in the Server network, configure relay agent settings on the router.
  • To translate the private IP address of ns3 (10.1.4.10) to the public IP address (1.1.1.8) when forwarding DNS queries from ns3 to ns2, set a MIP (mapped IP) address on the firewall.
  • To allow DNS queries from ns3 to ns1 and ns2 and NTP traffic from ns3 to the NTP server, configure firewall policies.

Firewall

For example, enter the following commands on a Juniper firewall running ScreenOS 4.x or later:

DHCP Relay Configuration

set address trust ns3 10.1.4.10/32
set interface ethernet2 dhcp relay server-name 10.1.4.10
set policy from dmz to trust ns1 ns3 DHCP-Relay permit

DNS Forwarding

set interface ethernet1 mip 1.1.1.8 host 10.1.4.10
set policy from trust to untrust ns3 ns2 dns permit
set policy from trust to dmz ns3 ns1 dns permit

NTP

set policy from dmz to untrust ns1 ntp_server ntp permit

Router

For example, enter the following commands on a Cisco router running IOS release 12.x or later:

DHCP Relay Configuration

interface ethernet1
 ip helper-address 10.1.4.10
interface ethernet2
 ip helper-address 10.1.4.10

Enabling DHCP and Switching Service to the NIOS Appliance

With the Infoblox appliance in place and the firewall and router configured for relaying DHCP messages, you can switch DHCP service from the legacy DHCP server at 10.1.4.11 to the HA pair at 10.1.4.10 (VIP address).

Note

To minimize the chance of duplicate IP address assignments during the transition from the legacy DHCP server to the appliance, shorten all lease times to a one-hour length in advance of the DHCP server switch. Then, when you take the legacy DHCP server offline, the DHCP clients quickly move to the new server when their lease renewal efforts fail, and they broadcast DHCPDISCOVER messages. To determine how far in advance you need to shorten the lease length, find the longest lease time (for example, it might be two days). Then change the lease length to one hour at a slightly greater interval of time before you plan to switch DNS service to the appliance (for example, three days before the switch over).

By changing the lease length this far in advance, you can be sure that all DHCP leases will be one-hour leases at the time of the switch-over. If the longest lease length is longer—such as five days—and you want to avoid the increased amount of traffic caused by more frequent lease renewals over a six-day period, you can also employ a stepped approach: Six days before the switch-over, change the lease lengths to one-day leases. Then two days before the switch-over, change them to one-hour leases.

  1. Open an Internet browser window, enter https://10.1.4.10, and then log in to the appliance using the username admin and password SnD34n534.
  2. From the Data Management tab, select the DHCP tab, and then click Start from the Toolbar.
  3. In the Start Member DHCP Service dialog box, click Yes. The HA pair is ready to provide DHCP service to the network.
  4. Take the legacy DHCP server at 10.1.4.11 offline.
    When the DHCP clients are unable to renew their leases from the legacy DHCP server, they broadcast DHCPDISCOVER messages to which the new DHCP server responds.

Managing and Monitoring

Infoblox provides tools for managing IP address usage and several types of logs to view events of interest and DHCP and DNS data. After configuring the appliance, you can use the following resources to manage and monitor IP address usage, DNS and DHCP data, and administrator and appliance activity.

IPAM (IP Address Management)

IPAM offers the following services:

  • Simple IP address modification: Within a single IP address-centric data set, you can modify the Infoblox host, DHCP, and DNS settings associated with that IP address.
  • Address type conversion: Through IPAM functionality, you can make the following conversions:
    • Currently active dynamic addresses to fixed addresses, reserved addresses, or Infoblox hosts.
    • Fixed addresses to reservations or hosts.
    • Reservations to hosts.
  • Device classification: You can make detailed descriptions of appliances in DHCP ranges and appliances defined as Infoblox hosts and as fixed addresses.
  • Three distinct views of IP address usage: To monitor the usage of IP addresses on your network, you can see the following different views:
    • High-level overall network view: On the Data Management tab, select the IPAM tab -> member. You can view the network usage in the Net Map or List view. You can also drill down to a specific IP address to get detailed information.
    • DHCP lease history records: From the Data Management tab, select the DHCP tab -> Leases tab -> Lease History.

Logs

The following logs and statistics are useful for monitoring:

  • Logs, as described in Monitoring the Appliance.
    • Audit Log – Contains administrator-initiated events.
    • System Log – Contains events related to hardware and software operations.
  • DNS statistics, as described in Configuring DNS Services.
    • DNS Configuration – Contains DNS server settings for the Infoblox DNS server.
    • Zone Statistics – Contains the results of all DNS queries per zone.
  • DHCP information, as described in Configuring DHCP Properties.
    • DHCP Configuration – Contains DHCP server settings and network, DHCP range, and host settings for the Infoblox DHCP server.
    • DHCP Leases – Contains a real-time record of DHCP leases.
    • DHCP Lease History – Contains a historical record of DHCP leases.
    • DHCP Statistics – Contains the number of currently assigned static and dynamic addresses, and the high and low watermarks per network.
    • Network Statistics – Contains the number of static hosts, dynamic hosts, and available hosts per network.
