GTM™ – Global Traffic Manager™ Overview
The Global Traffic Manager (a.k.a. GTM), now referred to as BIG-IP DNS, is one of the cutting-edge modules offered on the F5 Networks® BIG-IP® platform. “Global” is the right word for this module because it can make name-resolution load balancing decisions for systems located anywhere in the world, not just in the US. You can think of the GTM as an intelligent, security-minded DNS: its logic makes informed decisions when correlating a hostname to an IP address while keeping security in check.
Most things you do on the Internet or on private networks start with name resolution, so if you’re going to load balance an application it makes sense to start at this layer: resolving names to IPs based on availability, performance, and even persistence. It’s important to note that traffic does not “route” through the GTM; the GTM simply tells you the best IP to route to, based on metrics for the name in question. That IP can be almost anything, but usually it’s an actual server or a virtual IP that fronts multiple servers. As in a traditional DNS architecture, you usually have multiple GTMs, for redundancy and availability.
The main configuration element in a GTM is called a Wide IP, or WIP for short, or, as my significant other likes to call it, a “Wipey” 😉
There are many configuration elements that work in concert with a WIP, but at the base of it all is the Wide IP. A WIP equates to the common URL you’re load balancing, for example www.yourcompany.com. One or more pools are usually attached to a WIP; they contain the IPs it intelligently resolves. Like your run-of-the-mill DNS server, the GTM does not tell the requester anything about ports. The monitors associated with the pool members can, however, monitor availability or performance on specific ports.
LTM® – Local Traffic Manager™ Overview
The Local Traffic Manager, aka LTM, is the most popular module offered on the F5 Networks BIG-IP® platform. The real power of the LTM is that it is a full proxy, allowing you to augment client-side and server-side connections while making informed load balancing decisions on availability, performance, and persistence. “Local” in the name is important: as opposed to the GTM, traffic actually flows through the LTM to the servers it balances. Usually the servers it’s load balancing sit “locally” in the same data center as the LTM, though that is not a requirement. With SNAT configured on the VIP, if you can route to it you can load balance it, so it’s possible for servers in different data centers to be part of the same pool on an LTM VIP.
The main configuration element on an LTM is the Virtual IP, or VIP for short. There is a plethora of configuration elements that work with VIPs, but at the heart of the technology it’s a VIP they are all part of. Like a WIP, a VIP equates to the URL you’re load balancing, but at its lowest level. Like a WIP, it usually contains a pool with the servers it’s load balancing and monitor(s) to measure availability / performance.
Some of the key differences between the GTM and LTM:
- The biggest difference between the GTM and LTM, as mentioned earlier, is traffic doesn’t actually flow through the GTM to your servers.
- The GTM is an intelligent name resolver, intelligently resolving names to IP addresses.
- Once the GTM provides you with an IP to route to you’re done with the GTM until you ask it to resolve another name for you.
- Similar to a usual DNS server, the GTM does not provide any port information in its resolution.
- The LTM doesn’t do any name resolution and assumes a DNS decision has already been made.
- When traffic is directed to the LTM, it flows directly through its full proxy architecture to the servers it’s load balancing.
- Since the LTM is a full proxy it’s easy for it to listen on one port but direct traffic to multiple hosts listening on any port specified.
How do the GTM & LTM work together?
The GTM and LTM can work together or they can be totally independent. If your organization owns both modules it’s usually using them together, and that’s where the real power comes in. They do this via a proprietary protocol called iQuery®. iQuery, which runs on TCP port 4353, reports VIP availability / performance back to the GTMs. The GTMs can then dynamically resolve VIPs that live on one or more LTMs.
When a GTM has LTMs configured as servers, there is no need to monitor the actual VIP(s) with application monitors: the LTM is already doing that, and iQuery reports the information back to the GTM.
As you can see the GTM & LTM modules are powerful tools in the world of application delivery & load balancing. Together, the GTM & LTM make one lean, mean, application delivery machine!
Questions? Comments? Or would you like to share how your organization is using the LTM & GTM modules? Well chime right in below!
John S says
I’m coming from the Netscaler side of the world – this has helped me so much to get a basic understanding and allow me to dig in further into LTM/GTM. With what’s going on with Citrix & Netscaler I imagine there are going to be more engineers like me looking to cross over.
Mance says
Exactly what I was looking for to help me understand the difference between LTM & GTM – which is now apparently called the DNS module by F5 – thank you sir!
Atul Pratap Singh says
Hi Austin,
Thanks for writing the nice article. I have one question.
Can a GTM/LTM combo achieve “Dynamic Failover”, i.e. route the traffic to the DC2 LTM ONLY WHEN the DC1 cluster is down?
Here is my Deployment:
KONG(DC1, DC2) -> GTM(DC1, DC2) -> LTM{DC1, DC2} -> PCF Cluster (DC1, DC2)
Austin Geraci says
Hi Atul!
Yes, for sure! Though it can be active / active, you can definitely have a Wide-IP resolve traffic in an Active / Standby scenario only when one DC is down. You would accomplish that using the Global Availability load balancing method for your Wide-IP’s pool. The Global Availability load balancing method distributes DNS name resolution requests based on the order of resources you have in your list. It’s important to understand the GTM aka DNS module doesn’t “route” traffic, it’s an intelligent resolver. In this instance your intelligent resolver will resolve the secondary DC when the first one is down – i.e. the DNS module resolves your request to the first available resource’s IP in your list. In other words, only when a resource becomes unavailable does the DNS module resolve requests to the next resource in the list. The network in between you and the resource will take care of the actual routing 🙂
Mark Thomas says
Good summary. I am learning this as part of deploying Linux servers. Back in 2014, but it looks like pretty much what it is today. Pretty cool product, as I see LTM front application servers quite nicely. Thank you.
Joel Teixeira says
Hey Austin,
Thanks for the article, great comparison. The key differences are a lot clearer to me now. May I ask if you can point me to some hardening guide for GTM (now BIG-IP DNS)? I’ve been struggling to find some security implementation / baseline guide.
Austin Geraci says
There is a general hardening article that applies to some pieces that affect the GTM/DNS, like ensuring interfaces used for iQuery communication are appropriately locked down, but unfortunately there is not a good guide that spells out the specifics and how they relate to the GTM/DNS pieces. I’m sure you found it, but the general hardening article is K53108777 – support.f5.com/csp/article/K53108777 .
To secure GTM/DNS a lot of it will fall to BIND which is behind GTM/DNS for some parts of the product. So consulting general guides on good BIND security practices can help – but there’s definitely the F5 nuances that will need to be taken into consideration.
We have some really strong DNS folks on our team who have done this for some of the most critical environments out there. Happy to help with a bit of professional services for a health-check / audit to ensure everything is secure and no gaps exist – reach out.
Lesli says
Hi Austin!
I have two DCs.
Currently, to get the DNS module up and running, is it necessary to implement Wide IPs?
I have already migrated the DNS zones, but I don’t know if it can resolve this way?
Austin Geraci says
My Spanish is a lil shaky, but I’ll do my best. It sounds like you’re asking if Wide-IPs are necessary to host zones and provide resource record resolution if you use the GTM/DNS module. The answer is no, Wide-IPs are used for intelligent resolution based on health, performance, etc etc of the applications that typically live in multiple data centers & clouds.
If you just want to host zones and provide resolution for all types of resource records, you can certainly do that with the DNS/GTM module in an authoritative or non-authoritative fashion using the ZoneRunner interface built into the DNS/GTM module.
Rajib Sutradhar says
Hi Austin,
For quite some time I have been looking for a way to route user traffic across the data centres where the infrastructure is configured as active-active.
I spoke with our GTM support team and they confirmed that if the request is coming from the same LDNS then, in the Wide IP (GTM) configuration, they can enable persistence to map the traffic to a specific DC. However, a user session raises multiple requests while browsing through web pages, and it is possible they land on different LDNSs.
In your article you mentioned that traffic does not flow through the GTM, hence I believe the GTM has no capability to read the packets to ensure that session persistence is managed across the DCs.
Please confirm if my understanding is correct? If not, does the GTM have the capability to maintain user-based persistence (cookie-based in our case) across the DCs?
Sanjay Mishra says
Austin
A very good and nicely explained site, even for a person who is not good with networking.
I have a question linked to Oracle RAC, which already has a SCAN-VIP configured in DNS that resolves round robin to 3 IPs of the Oracle cluster, for load balancing user connections among cluster nodes.
My setup has one Primary cluster (accessible to clients with Scan-vipP) and one Standby cluster (accessible to clients only when activated, using Scan-vipS). Primary and Standby are in different data centers.
Now, due to some application issue, they cannot configure both Scan-vipP and Scan-vipS in their configuration, which would easily take the application connection to the activated/live server. So any time we activate Standby, we also need to make manual configuration changes to the application, which causes lots of downtime. So I am looking for an F5 solution which can monitor the live cluster and send the connection request to it.
So if I have to use GTM, due to the two different data centers, and already have DNS-based VIPs (Scan-vipP and Scan-vipS), what else is required in the configuration so that the application can use some host/VIP name which takes the connection to the live data center in either location, without manual configuration changes to the application files?
Do I need an additional VIP on the local F5 and another WideIP, or so?
Austin Geraci says
Hi Sanjay,
I would need more information, but it sounds like you need a typical LTM / GTM setup that has a local VIP in each data center and a WIP that is globally available between the sites – then tune the load balancing methods to accommodate your failover methodology. Feel free to reach out to us if you’re looking for some in-depth consulting help.
Amit Kumar Singh says
Hi Austin,
Could you please suggest how to clear the statistics (Errs)?
F5 (/Common)(tmos)# show /net interface 6/1.2
-------------------------------------------------------------------------
Net::Interface
Name   Status  Bits In  Bits Out  Pkts In  Pkts Out  Drops  Errs  Media
-------------------------------------------------------------------------
6/1.2  up      4.9P     5.1P      839.9G   936.9G    23.0K  456   10000SR-FD
Austin Geraci says
Hi Amit! You can clear statistics on an interface, also known as counters, with the following command: tmsh reset-stats net interface – you can also do this from the GUI – navigate to Network –> Interfaces –> then click on the Statistics tab.
Erik says
Hi Austin,
Is it possible to delete persistence records manually on GTM? Currently running v13.1.
Austin Geraci says
Unfortunately, as far as I know you can’t delete GTM aka F5 DNS persistence records out of the box, but I’ve included a bit of a workaround below. I know it’s a bit more complicated, but topology may be better suited than GTM persistence.
The following workaround will kill GTM persistence records as soon as you disable a pool or data center in F5 GTM/DNS.
Disable the Drain Persistent Requests variable to terminate persistent requests immediately after disabling a pool or data center. Perform one of the following procedures to make it happen:
BIG-IP DNS (12.x and later) and BIG-IP GTM (11.5.0 – 11.6.1)
1 – Log in to the BIG-IP DNS/BIG-IP GTM Configuration utility.
2 – Navigate to DNS > Settings > GSLB > General.
3 – In the GSLB section, clear the Drain Persistent Requests check box.
4 – To save changes, click Update.
BIG-IP GTM 10.x – 11.4.1
1 – Log in to the BIG-IP GTM Configuration utility.
2 – Navigate to System > Configuration > Global Traffic > General.
3 – In the Configuration section, clear the Drain Persistent Requests check box.
4 – To save changes, click Update.
Sameer says
Good article.
How do the GTM & LTM work together? Please give more explanation on this, and also the flow of how the GTM will resolve the IP when the LTM comes into the picture.
Why we use wideip as CNAME?
Austin Geraci says
Hi Sameer,
GTM and LTM work together by communicating via a protocol called iQuery.
This protocol allows groups of GTMs to have detailed information about Virtual Servers hosted on the LTMs and allows the GTM to delegate some functions, such as monitoring, to LTMs if desired.
The most leveraged feature of this communication would be that the GTMs will be almost instantly aware of LTM virtual servers going up or going down.
Therefore, if a Wide-IP (dynamic DNS entity) on the GTM is configured to leverage a Virtual Server hosted on a properly configured LTM, it can make intelligent DNS resolution decisions based on the availability of the Virtual Server.
As for why you would want to CNAME to a Wide-IP, this helps reduce administration.
By leveraging the CNAME, it’s not necessary to make the GTM authoritative for the primary zone in question, allowing you to intelligently resolve apps on a URL-by-URL basis – i.e. not zone dependent.
Eddy Alexandre says
Hello Austin,
Very informative post.
Thank you for sharing in simple terms what has been bothering some of us.
Keep the good work.
Best regards,
Eddy A.
Karthikeyan says
Any luck on EDNS0, where we can get the customer source IP address and try to do proximity based on the customer source address?
When a GTM is exposed to public users, effective traffic distribution for sites will be possible only when the customer source IP address is known, rather than the customer’s DNS IP.
We are looking for a solution for a CDN provider, where the GTM needs to take a decision to choose the POP with LTM (3rd party, not F5) and route the user traffic to that closer site.
Austin Geraci says
Definitely doable. Support for Extension Mechanisms for DNS (RFC6891) may not be 100% out of the box but there is an iRule command “DNS::edns0” that you can use to interact with pseudo-Resource Records (aka pseudo-RR) and use them with your topology configurations. Feel free to contact us if you’re looking for some specific help.
Karl says
Hi Austin, we have a pair of LTMs in both data centers. Can we use GTM even if we have non-DNS traffic? It’s easier with DNS to dispatch traffic between two data centers, but what about non-DNS traffic? Thank you.
Austin Geraci says
Hi Karl,
You don’t have to only load balance DNS traffic, it can be any kind of traffic that starts with name resolution. That’s really the premise of data communications: devices need an IP address to route traffic to them, but if each device has a different IP, how do you provide high availability in multiple locations for your apps in multiple data centers that each have their own unique IPs? That’s what the GTM does for you – you can have one name for an application, but intelligently resolve different IPs based on any metric you can dream up, including availability.
Siva says
Hi Austin,
I would like to know the configuration procedure and the commands to use for A and quad-A (AAAA) records on GTMs.
Rohit says
As per your comment above:
“resolving names to IPs based on availability, Performance, and even Persistence”
I am using GTM to resolve to an available VIP (among all my DCs), giving preference to the local DC. Now I want to include logic in GTM to give preference to DC affinity over the local DC. How should I do this? Can you provide some sample code here?
Austin Geraci says
Hi Rohit,
@”Now I want to include logic in GTM to give preference to DC affinity over local DC.”
I would need a bit more logic for an accurate answer, but I’ll take a stab at it against my better judgement ;).
If by “DC affinity” you mean persistence, and by “local dc” you mean you’re using something like topology or least hops, you can move away from your “local DC” logic and pick a different load balancing method like least connections. You can then turn persistence on at the WIP level. In v12 – DNS—> GSLB—> Persistence—> Enabled
James Cameron says
I have question can you have two vips with different ports and different IPs under a wip? Will it work ?
Austin Geraci says
Sure, why not? Remember, DNS does not care about ports, your monitors verifying health might – but like long hair, DNS don’t care!
Mahesh says
Really nice explanation!!
Dinesh says
In which network layer does F5 work? If LTM, it works like a Cisco switch, and if GTM, it works like a router, right?
Austin Geraci says
Hi Dinesh,
The BIG-IP is a full proxy, which means it functions at multiple layers of the OSI model to deliver secure traffic intelligently.
I would not compare the LTM or the GTM / DNS modules to the Data Link Layer 2, or the Network Layer 3.
Rather, I would say the BIG-IP functions at layers 2-7 of the OSI model. Depending on which features one utilizes, you will be delivering applications and operating at different / multiple layers. Does that make sense?
Robert says
Hello- This was a great post- Loved reading the article as well as the comments. I also have a quick question- and hopefully it comes across simple.
Can the F5 GTM (using Wipey 🙂 do its algorithms/checks such as Packet Rate and Round Trip Time if the F5 is connected behind, let’s say, a Nexus 7706?
Currently our F5 GTM sits on the Internet, resolving names and choosing which ISP IP to use… but can the F5 still perform these decisions when NOT directly connected to the Internet?
Any feedback would be appreciated! Thanks ! – Rob Oliveira
Austin Geraci says
Hi Robert,
As long as the GTM/DNS probers can communicate with the LDNS making the requests on behalf of the client, as well as the LTMs hosting VIPs it’s intelligently resolving, it doesn’t matter where it sits. Again, you just need to ensure the GTM/DNS probers you specify can communicate – ie the requests are not being blocked by FWs and they can route there/back.
Take a look at this article for a little bit more insight on which protocols and ports you may need to ensure are open to the LDNSs, referenced below for your convenience, but read the full article here – https://support.f5.com/kb/en-us/products/big-ip_gtm/manuals/product/gtm_config_10_2/gtm_metrics_collection.html?sr=44631287
To/From the LTMs you will need iQuery TCP 4353 & TCP 22 open – ensure they’re open for the correct Source & Destinations.
DNS_REV
The DNS_REV probe sends a DNS message to the probe target LDNS querying for a resource record of class IN, type PTR. Most versions of DNS answer with a record containing their fully-qualified domain name. The system makes these requests only to measure network latency and packet loss; it does not use the information contained in the responses.
DNS_DOT
The DNS_DOT probe sends a DNS message to the probe target LDNS querying for a dot (.). If the LDNS is not blocking queries from unknown addresses, it answers with a list of root nameservers. The system makes these requests only to measure network latency and packet loss; it does not use the information contained in the responses.
UDP
The UDP probe uses the user datagram protocol (UDP) to query the responsiveness of an LDNS. The UDP protocol provides simple but unreliable datagram services. The UDP protocol adds a checksum and additional process-to-process addressing information. UDP is a connectionless protocol which, like TCP, is layered on top of IP. UDP neither guarantees delivery nor requires a connection. As a result, it is lightweight and efficient, but the application program must take care of all error processing and retransmission.
TCP
The TCP probe uses the transmission control protocol (TCP) to query the responsiveness of an LDNS. The TCP protocol is the most common transport layer protocol used on Ethernet and Internet. The TCP protocol adds reliable communication, flow-control, multiplexing, and connection-oriented communication. It provides full-duplex, process-to-process connections. TCP is connection-oriented and stream-oriented.
ICMP
The ICMP probe uses the Internet control message protocol (ICMP) to query the responsiveness of an LDNS. The ICMP protocol is an extension to the Internet Protocol (IP). The ICMP protocol generates error messages, test packets, and informational messages related to IP.
Dom Hamilton says
Great article Austin,
I’m familiar with LTM but not GTM. I have a scenario with 2 DCs, both using different ISPs/IPs etc. If I deploy an LTM and GTM in each and cluster them in an active/standby configuration:
If I have the domain name “star.com” and I need clients on the Internet to resolve “go.star.com” to, say, 10.10.10.10 – do I need to go to my domain registrar and set the public IPs of the GTMs as name servers?
I don’t understand how the root Internet DNS servers know the GTMs are authoritative for the domain “star.com”, or which GTM to go to if they’re clustered on different public IPs?
Austin Geraci says
Thanks Dom.
If you set your Name Servers to your GTMs for your primary domain you will be making your GTMs authoritative for the whole domain – which can give you many benefits, but comes with implications as well.
If you don’t want to manage all of your DNS resource records from the GTMs you can delegate / forward a subdomain like wideip.star.com to your GTMs & point CNAMEs from your main domain to that longer name, e.g. www.star.com to www.wideip.star.com.
That’s pretty straightforward if you manage your name servers for star.com. If you are using your registrar’s Name Servers, they may have limitations on subdomains and your control over them. If that is the case, you could also use a completely different domain like somethingstar.com and point those NS records to the GTMs. You then create Wide-IPs like www.somethingstar.com in the GTMs. In your registrar for your main domain you would create a CNAME from www.star.com to www.somethingstar.com.
I know that can get confusing – As always, if you want to ensure success on this project, just reach out via the contact us, or give us a phone call. We would be glad to dive in!
Santhosh says
Hi Austin,
Thanks for the wonderful write-up!! I am new to F5. We are currently planning to migrate our DNS servers from Windows-based to F5 GTM. We have two data centers; one data center is primary and handles all the user/application traffic. The 2nd data center is new and not in production yet. I am not confident enough to conclude which is the best deployment. Below are my questions.
1) Should I have one GTM in each DC, with active/active or active/standby?
2) Today our Windows-based external DNS servers are present in the DMZ zone. I studied implementing the GTM before the perimeter (firewall). What are the advantages / disadvantages of implementing the GTM before the firewall?
Austin Geraci says
1) You won’t get much of an advantage in a “typical” deployment with your GTMs (now referred to as DNS by F5) in an active / active deployment within a single DC. Without much information, I would recommend an Active / Standby approach – allowing you to perform upgrades and handle a device failure within the local DC seamlessly.
2) There are a ton of advantages, and no disadvantages. First and foremost the BIG-IP is an ICSA certified firewall, and by default will only allow traffic in that you specify. — See here – https://www.icsalabs.com/vendor/f5-networks-inc .
A few Advantages to placing F5s BIG-IP GTM – DNS in front of your legacy Firewalls:
• The F5 BIG-IP is a firewall; save $ by decommissioning your legacy firewalls
• Eliminate another point of failure
• Your firewall is probably a bottleneck far before the BIG-IP becomes one
• Removing the bandwidth bottleneck of your FWs, the F5 devices can process an enormous amount of QPS (Queries Per Second) inherently & utilizing DNS Express.
• DNS Express can mitigate distributed denial-of-service attacks (DDoS) and increase the volume of DNS request resolutions on both the local BIND server on the BIG-IP system and any back-end DNS servers.
In summary – there are a ton of features and benefits the GTM / DNS can offer from a general DOS, Security, and a QPS standpoint. Adding a firewall in front of them is only going to introduce another point of failure and create throughput limitations.
As far as disadvantages, I really can’t think of any – I would ask you, or anyone reading this to give us some benefits a legacy firewall provides being in front of the F5 BIG-IP?
Chris Spiller says
Austin,
Thanks for this excellent write-up! It was just the high-level overview of BIG-IP I needed to familiarize myself with F5’s load-balancing model as I migrate from a Citrix NetScaler -based environment to one built entirely atop BIG-IP.
All the best,
Chris
Austin Geraci says
Glad you found it useful Chris, feel free to reach out if you need any help. We have a ton of expertise migrating away from the Citrix Netscaler platform. You should feel confident your team made the right choice 😉
Srini says
Hi Austin,
Appreciate all your efforts and patience to answer so many questions which has been thrown at you.
It would be very helpful if you could provide me the detailed procedure for upgrading F5 LTM.
Regards,
Srini
Surjit Singh konwar says
Thanks Austin for this detailed explanation about GTM and LTM; it helped me a lot. I am very new to this technology and planning to completely move to F5 ADC, and it makes me passionate too when I get a chance to work on any F5 related issues.
Harish says
Hi Austin,
Thank you for this detailed explanation found it very useful.
I have a query regarding a GTM and LTM setup. I have experienced an issue where the VIP on the LTM is showing available but the GTM is marking the pool member down. iQuery is working fine and, what puzzles me, the other VIP hosted on the same LTM, which is part of a different pool on the GTM, is marked available both on the GTM and the LTM.
What all needs to be checked?
Thanks in advance
Hari.
TUSHAR says
Hi Austin, it’s a really good explanation about GTM and LTM, very helpful. Hearty thanks to you for such a post. Can you show some video on how to add a URL from scratch, meaning how to add the URL, A record and all? I am working on F5 but have no guidance about that, and I want to learn F5; I am very curious about how things work in F5. If you have any CBT Nuggets kind of thing, please share the link with me.
Thank you for your all explanations
Andreas Bernhard says
Hello Austin, nice to meet you, I’m Andreas from Indonesia. Thanks for your article about GTM and LTM, I hope I can take exam 101 in around 3 months (January 2016) ^^
Kumar says
Thanks, Austin, this is very good information about GTM and LTM.
I am new to GTM and LTM and have a question on GTM.
What kind of configuration is required to ensure that the GTM forwards client-specific session requests to the same LTM?
thanks in advance.
Austin Geraci says
Hi Kumar, glad you found it helpful. What you’re referencing is “persistence”. How can the GTM (now called BIG-IP DNS) provide persistence? Persistence can be provided by the GTM / BIG-IP DNS in several different ways, some obvious, others not so obvious. This applies to a Virtual Server that lives on an LTM that the GTM is talking iQuery with, and it can also apply to a generic host – i.e. a server not behind an LTM. Let’s talk about a few ways the GTM provides persistence; this is not an exhaustive list:
• Persistence at the WIP level – This is where the GTM is going to key on the LDNS IP / CIDR making the DNS request on the client’s behalf, NOT the client IP – that’s an important distinction. How do you set persistence at the WIP level in the GTM / BIG-IP DNS? From the GUI – DNS –> GSLB –> Create or select a Wide IP –> Pools section / tab –> Persistence can be enabled or disabled. If you enable Persistence here you can specify the TTL, IPv4 CIDR, and IPv6 CIDR. Remember there are supporting iRule commands where you can do basically anything you want DNS-wise with this information and make your decision more intelligently.
• Persistence by Load Balancing Method – There are a few load balancing methods that, by the nature of their functionality, provide persistence to the end user:
  • Static Persist – This load balancing method is what it sounds like: it statically provides persistence to the end user. How does Static Persist work on the F5? In short, the GTM / BIG-IP DNS uses the persist mask with the source IP address of the LDNS and uses an algorithm (partly based on an MD5 hash of the pool makeup) to determine the answer to the end user. The CIDRs for the LDNS are set globally with this option, not on a per-WIP basis like your WIP-level persistence. You can set that globally here: DNS –> Settings –> GSLB –> Load Balancing –> you will then see the v4 & v6 Static Persist CIDR settings. So what does this mean in plain English? You will end up providing the SAME answer to the SAME LDNS until you manually change the makeup of your pool – i.e. adding, deleting, or changing the order of members. You will most likely not end up with an exact 50/50 split of traffic using Static Persist, but this option does have its applications in stubborn persistence situations.
  • Global Availability – This basically allows you to create a Primary / Failover type situation, so inadvertently you are providing persistence.
  • Topology – This is where you can provide resolution via records & regions – you can do things like key on the GEO-IP of a continent, country, data center, IP subnet, ISP, pool, another region, or even a state. By the nature of this logic, you can ensure a user only resolves the IP(s) in the region you specify. But what if you connect a pool with multiple members for a region? Or multiple pools? You would then have to use WIP-level persistence in conjunction with topology. I can go on about Topology for days – so I will save more info for its own article on Topology.
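The Global Availability failover described in the reply to Atul above and the WIP-level / Static Persist behaviour described in this reply are easier to reason about with a small model. The following is an added example written for this page, not F5 code and not the product’s real algorithm: it models a Wide IP whose pool members are LTM virtual servers, with availability standing in for what iQuery would report, WIP-level persistence keyed on the LDNS address masked by a CIDR and bounded by a TTL, and a Static Persist pick that hashes the masked LDNS address together with the makeup of the available members. All names, addresses and the hashing scheme are constructed for illustration.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str                # constructed: the LTM virtual server this IP fronts
    ip: str
    available: bool = True   # stands in for what iQuery / monitors would report


@dataclass
class WideIP:
    fqdn: str
    members: list            # ordered: first entry is the preferred resource
    persist_ttl: int = 3600  # WIP-level persistence record lifetime (seconds)
    persist_cidr: int = 32   # IPv4 mask applied to the LDNS address
    _records: dict = field(default_factory=dict)  # LDNS prefix -> (ip, expires)

    def _ldns_key(self, ldns_ip: str) -> str:
        # Persistence keys on the LDNS that asks, not on the end client.
        net = ipaddress.ip_network(f"{ldns_ip}/{self.persist_cidr}", strict=False)
        return str(net)

    def global_availability(self):
        """First available member in list order (primary / failover), or None."""
        for m in self.members:
            if m.available:
                return m
        return None

    def static_persist(self, ldns_ip: str, persist_mask: int = 32):
        """Same LDNS prefix -> same answer until the set of available members changes.
        Constructed stand-in for the product's algorithm: MD5 over the masked LDNS
        address plus the ordered available members selects the index."""
        avail = [m for m in self.members if m.available]
        if not avail:
            return None
        prefix = str(ipaddress.ip_network(f"{ldns_ip}/{persist_mask}", strict=False))
        makeup = ",".join(m.ip for m in avail)
        digest = hashlib.md5(f"{prefix}|{makeup}".encode()).digest()
        return avail[int.from_bytes(digest[:4], "big") % len(avail)]

    def resolve(self, ldns_ip: str, now: int, method: str = "global_availability"):
        """WIP-level persistence wrapped around a load balancing method.
        A record is reused while it is unexpired and its member is still up;
        otherwise it is dropped and the method is consulted again."""
        key = self._ldns_key(ldns_ip)
        rec = self._records.get(key)
        if rec is not None:
            ip, expires = rec
            still_up = any(m.ip == ip and m.available for m in self.members)
            if now < expires and still_up:
                return ip
            del self._records[key]
        chosen = (self.global_availability() if method == "global_availability"
                  else self.static_persist(ldns_ip))
        if chosen is None:
            return None
        self._records[key] = (chosen.ip, now + self.persist_ttl)
        return chosen.ip


def demo_failover():
    """Walk one LDNS through a DC1 outage and recovery; returns the four answers."""
    wip = WideIP("www.example.com",   # placeholder name, not a real Wide IP
                 [Member("dc1-vs", "192.0.2.10"), Member("dc2-vs", "198.51.100.10")],
                 persist_ttl=60, persist_cidr=24)
    ldns = "203.0.113.5"                        # constructed LDNS address
    first = wip.resolve(ldns, now=0)            # DC1 is first in the list
    wip.members[0].available = False            # iQuery reports DC1 VS down
    failover = wip.resolve(ldns, now=10)        # record dropped, DC2 answered
    wip.members[0].available = True             # DC1 comes back
    sticky = wip.resolve(ldns, now=20)          # inside TTL: stays on DC2
    later = wip.resolve(ldns, now=100)          # TTL expired: back to DC1
    return first, failover, sticky, later


if __name__ == "__main__":
    print(demo_failover())
```

Note the design point the reply makes: while a persistence record is alive, the Wide IP keeps answering the old IP even after the preferred DC recovers, which is exactly why a GTM with persistence enabled does not fail back the moment DC1 is healthy again, and why clearing or draining those records matters operationally.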
Ganesh says
Nice post Austin
Austin Geraci says
Thanks Ganesh – send me other topics you would like me to cover!
Kavya says
A really good post. Thanks for posting this.
I have a small question. Suppose
Techglaze.gslb.internal.webvalley.com is the WIP that has three VIPs as pool members. (3 VIPS at 3 different data centers).
1.techglaze-prod-pool
2.techglaze-dr-pool
3.techglaze-or-pool
nslookup techglaze resolves to WIP techglaze.gslb.internal.webvalley.com which should resolve to one of the VIPs of the 3 pools set up at GTM(each pool set up as a VIP at LTM of each data center) depending on which VIP GTM chooses.
Where does DNS set up come into picture here?
Austin Geraci says
The answer could vary depending on your DNS setup. You didn’t specify a top level domain (TLD) for “techglaze”; let’s assume it’s .com, since the record you provided ended in .com, but “techglaze.gslb.internal.webvalley.com” doesn’t resolve either, so I can’t do any real investigation.
DNS on the Internet is always going to start at your local DNS server – aka LDNS. You ask your LDNS what the IP is for techglaze.com; let’s assume it has not recently looked it up and doesn’t have it in cache. It’s then going to query the Internet root servers for the .com TLD, then query the .com TLD servers to find out which name servers are authoritative for techglaze.com.
What is authoritative for techglaze.com? Are they DNS servers? Or are they the GTMs in question? If it’s DNS servers, they would push the query to the GTMs via a CNAME or some type of delegation / forwarding. If it’s the GTMs, then DNS only comes into play within the scenario I described above, “DNS on the Internet”.
BJ says
Nice post!!
How can I verify if my GTM is load balancing properly to the configured pool members of my wide IP?
Austin Geraci says
All depends on your configuration – can you post a sanitized config?
From the CLI: tmsh list gtm wideip your-wideip, and also list out the components that go with it, i.e. tmsh list gtm pool your-pool and anything else that is relevant.
The GTM normally does not log wideip requests, so you would have to turn it on to catch some logs – careful if you have a busy system.
Enable wideip logging on v10.x – v11.6:
———————-
From the CLI:
– tmsh modify /sys db gtm.querylogging value enable
– tmsh save /sys config
– Now you can review the log with vi /var/log/gtm, or in real time with tail -f /var/log/gtm
When you’re done, be a good lil sys admin and disable it 😉
– tmsh modify /sys db gtm.querylogging value disable
– tmsh save /sys config
Hope it helps!
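A complementary way to answer BJ’s question, as an added example that is not from the post, from F5 or from the commenters: instead of (or in addition to) turning on query logging, send A queries straight at the GTM listener and tally which IPs come back. Going through your LDNS would hide the rotation behind its cache, so the script builds the DNS packets itself with the standard library and talks to the listener directly. It uses a random transaction ID and refuses replies whose ID does not match, a minimal guard against stray or spoofed answers. The listener address 192.0.2.53 and the wide IP www.example.com are placeholders to adjust for your environment.

```python
"""Probe a GTM listener for a wide IP and tally the A records it hands out.
Added example (not from the original post); all addresses/names are hypothetical."""
import random
import socket
import struct
from collections import Counter
from typing import List


def build_query(name: str, txid: int) -> bytes:
    """Build a standard recursion-desired DNS A query for `name` with transaction id `txid`."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, name ends here
            return offset + 2
        offset += 1 + length


def parse_a_answers(data: bytes, expected_txid: int) -> List[str]:
    """Extract A-record IPs from a DNS response; reject ID mismatches and error RCODEs."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed answer)")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4   # skip QTYPE + QCLASS
    ips: List[str] = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:
            ips.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlength
    return ips


def probe(server: str, name: str, count: int = 20, port: int = 53, timeout: float = 2.0) -> Counter:
    """Send `count` queries straight at `server` and count the IPs returned.
    With a round-robin pool you expect an even spread; with Global Availability
    you expect a single IP until that member fails its monitor."""
    tally: Counter = Counter()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(count):
            txid = random.randrange(0, 0x10000)
            sock.sendto(build_query(name, txid), (server, port))
            data, _ = sock.recvfrom(512)
            tally.update(parse_a_answers(data, txid))
    return tally


if __name__ == "__main__":
    # Hypothetical GTM listener and wide IP; adjust to your environment.
    for ip, n in probe("192.0.2.53", "www.example.com").most_common():
        print(f"{ip}\t{n}")
```

Run it from a host that is allowed to reach the listener on UDP/53. If every answer is the same IP when you expected a spread, check the pool’s load-balancing method and whether WIP-level persistence is pinning your source address, before assuming a member is down.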
BJ says
Thanks! I will try it!!
Can I see these logs or any stats of requests coming to the wide IP through the GUI, like we see connections to pool members in LTM?
Bharath Selvaraj says
Hi Austin,
I would like to thank you for your time and reply. The answers cleared my doubts. Thanks again.
Bharath Selvaraj says
Hi Austin,
This post is very helpful for understanding the GTM. I would like to thank you for the same. Keep up the good work.
I have a few quick questions.
1. What is the main difference between DNS and GTM ?
2. Do we need DNS servers when using GTM ?
3. How will the name resolution reach the GTM instead of DNS?
Austin Geraci says
I’m glad you found it helpful Bharath!
1- The main difference between DNS & GTM is that DNS by default can’t provide an intelligent answer like the GTM can. The only type of load balancing that is natively available when using DNS / BIND is “DNS round robin”, which happens when you create multiple A records for an object. That’s a pretty bad solution – for starters you can’t account for availability of the servers you’re resolving or persist a user to a particular server. The GTM, though also running BIND in the background, offers intelligent resolution via custom F5 daemons like gtmd & big3d, accounting for server availability directly or through an LTM, providing persistence, geolocation, etc etc etc. There is so much you can base your responses on, you can even write iRules and attach them to your objects to get an even more intelligent response.
2- You can do it both ways, the GTMs work very nicely with enterprise DNS solutions like infoblox, or they can stand on their own.
3- However you want it to 😉 If you already have a DNS infrastructure in place, a very popular way of pushing the “question” to the GTM is using a CNAME. For example, let’s say I have a name server running BIND that is authoritative for the domain wtit.com, but I want to provide an intelligent answer via my GTMs for saas.wtit.com. I could delegate wideip.wtit.com to my GTMs, then create a subdomain on my GTMs called wideip.wtit.com. I could then create a wideip on my GTMs called saas.wideip.wtit.com, and then create a CNAME on the BIND server for saas.wtit.com with the target saas.wideip.wtit.com. POOF! Whenever a user queries saas.wtit.com, the question is pushed to the GTMs. The alternative would be to make the GTM authoritative for my whole domain wtit.com with my registrar.
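To make the CNAME-plus-delegation flow from the answer above concrete, here is an added simulation (not code from the post, the commenters or F5). It models the two authoritative servers as in-memory zone data: “bind” holds wtit.com with the NS delegation of wideip.wtit.com to the GTMs and the CNAME for saas.wtit.com, and “gtm” holds the wide IP. The resolve() function plays the LDNS, following the CNAME and the referral, and records where each question was asked. Host names beyond those in the answer (ns1, gtm1, gtm2) and all IPs are hypothetical documentation addresses.

```python
"""Simulated LDNS walk showing how a query for saas.wtit.com ends up at the GTMs.
Added example, not from the original post; zone data and addresses are hypothetical."""
from typing import Dict, List, Tuple

# Per authoritative server: owner name -> list of (rtype, rdata). NS records delegate a subtree.
ZONES: Dict[str, Dict[str, List[Tuple[str, str]]]] = {
    "bind": {
        "wtit.com.":            [("NS", "ns1.wtit.com.")],
        "ns1.wtit.com.":        [("A", "192.0.2.1")],
        "wideip.wtit.com.":     [("NS", "gtm1.wtit.com."), ("NS", "gtm2.wtit.com.")],  # delegation
        "gtm1.wtit.com.":       [("A", "192.0.2.53")],   # glue for the GTM listeners
        "gtm2.wtit.com.":       [("A", "192.0.2.54")],
        "saas.wtit.com.":       [("CNAME", "saas.wideip.wtit.com.")],
    },
    "gtm": {
        "saas.wideip.wtit.com.": [("A", "203.0.113.10")],  # the wide IP's chosen answer
    },
}
SERVER_FOR_NS = {"ns1.wtit.com.": "bind", "gtm1.wtit.com.": "gtm", "gtm2.wtit.com.": "gtm"}


def authoritative_lookup(server: str, qname: str) -> Tuple[str, List[Tuple[str, str]]]:
    """What one authoritative server says: an answer, a referral to a delegated child zone, or NXDOMAIN."""
    zone = ZONES[server]
    if qname in zone:
        return "answer", zone[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in zone:
            ns = [r for t, r in zone[parent] if t == "NS"]
            # NS records at our own apex are not a referral, so keep looking for a real delegation
            if ns and SERVER_FOR_NS[ns[0]] != server:
                return "referral", [("NS", n) for n in ns]
    return "nxdomain", []


def resolve(qname: str, max_steps: int = 10) -> Tuple[str, List[str]]:
    """Act as the LDNS: start at the wtit.com server, follow CNAMEs and referrals,
    and return the final A record plus a trace of where each question was asked."""
    trace: List[str] = []
    server = "bind"
    for _ in range(max_steps):
        kind, rrs = authoritative_lookup(server, qname)
        trace.append(f"{server}: {qname} -> {kind}")
        if kind == "answer":
            cname = [r for t, r in rrs if t == "CNAME"]
            if cname:
                qname = cname[0]        # the LDNS, not the client, chases the CNAME
                continue
            return [r for t, r in rrs if t == "A"][0], trace
        if kind == "referral":
            server = SERVER_FOR_NS[rrs[0][1]]   # go ask the first delegated name server
            continue
        raise LookupError(qname)
    raise LookupError("too many resolution steps")


if __name__ == "__main__":
    ip, steps = resolve("saas.wtit.com.")
    print("\n".join(steps))
    print("final answer:", ip)
```

The trace shows the practical consequence: the BIND server never needs to know which VIP is healthy, it only has to hand the LDNS a CNAME and a delegation, and the GTMs decide the final A record.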
Naveen says
Hi Austin,
Could you please suggest me a best link or manual where I can learn about GTM/LTM with Mainframe.
Thanks,
Austin Geraci says
“mainframe” Can mean a lot of things, can you clarify a bit?
Sachin says
Thanks Austin for this detailed explanation. It helped a lot. I’m a Cisco person; does F5 certification pay, i.e. is F5 a good career move? Which businesses use F5 LTM/GTM products?
Thanks Again.
Austin Geraci says
No problem Sachin! F5 is the market leader in Application Delivery / Load Balancing – subsequently, they have quite a large footprint. As for pay, it’s all relative. Personally I would never make a career move because of pay; make a career move because you have a passion for something, otherwise it may prove to be a poor decision. Good luck!
Austin Geraci says
No they are not physical “cards”, they are indeed software / license based and all a part of the Big-IP software suite.
F5 is now pushing some new pricing models that include all the modules, which is very very good news 🙂