
Infoblox Administrator Guide

NIOS 4.3 for Infoblox Core Network Services Appliances

Copyright Statements
2009, Infoblox Inc. All rights reserved. The contents of this document may not be copied or duplicated in any form, in whole or in part, without the prior written permission of Infoblox, Inc. The information in this document is subject to change without notice. Infoblox, Inc. shall not be liable for any damages resulting from technical errors or omissions which may be present in this document, or from use of this document. This document is an unpublished work protected by the United States copyright laws and is proprietary to Infoblox, Inc. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use of this document by anyone other than authorized employees, authorized users, or licensees of Infoblox, Inc. without the prior written consent of Infoblox, Inc. is prohibited. For Open Source Copyright information, see Appendix C, "Open Source Copyright and License Statements", on page 759.

Trademark Statements
Infoblox, the Infoblox logo, DNSone, NIOS, IDeal IP, bloxSDB, bloxHA and bloxSYNC are trademarks or registered trademarks of Infoblox Inc. All other trademarked names used herein are the properties of their respective owners and are used for identification purposes only.

Company Information
Infoblox is located at: 4750 Patrick Henry Drive, Santa Clara, CA 95054-1851, USA
Web: www.infoblox.com
Support: support.infoblox.com
Phone: 408.625.4200
Toll Free: 888.463.6259
Outside North America: +1.408.716.4300
Fax: 408.625.4201

Product Information
Hardware Models: Infoblox-250, -500, -550, -550-A, -1000, -1200, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000
Document Number: 400-0172-003, Rev. A
Document Updated: April 22, 2009

Warranty Information
Your purchase includes a 90-day software warranty and a one-year limited warranty on the Infoblox appliance, plus an Infoblox Warranty Support Plan and Technical Support. For more information about the Infoblox warranty, refer to the Infoblox Web site or contact Infoblox Technical Support.

Contents
Preface ..... 21
Document Overview ..... 22
    Documentation Organization ..... 22
    Documentation Conventions ..... 24
What's New ..... 26
Related Documentation ..... 26
Customer Care ..... 27
    User Accounts ..... 27
    Software Upgrades ..... 27
    Technical Support ..... 27

Part 1 Appliance Administration


Chapter 1 Overview ..... 31
NIOS Appliance Software Packages and Upgrades ..... 32
Product Terminology ..... 32
Deployment Scenarios ..... 34
    Scenario 1 Independent NIOS Appliances ..... 34
    Scenario 2 Basic Grid with Independent NIOS Appliances ..... 35
    Scenario 3 Infoblox Grid with NIOS Virtual Appliances as Grid Members ..... 36
    Scenario 4 Multiple Grids ..... 37
    Scenario 5 Primary and Secondary NIOS Appliances ..... 38

Chapter 2 Infoblox GUI ..... 39
Management System Requirements ..... 41
Accessing the Infoblox GUI ..... 41
    Connecting to a NIOS Appliance with JWS (Java Web Start) ..... 42
About The Grid Manager ..... 46
    Installing the Grid Manager ..... 46
    Connecting to a NIOS Appliance Using the Grid Manager ..... 47
    Setting Login Options ..... 48
SSL (Secure Sockets Layer) Protocol ..... 50
    Managing Certificates ..... 51
Understanding the GUI Components ..... 53
    Main Interface Components ..... 53
    Customizing a Perspective Layout ..... 56
    Creating a Login Banner on a NIOS Appliance ..... 57
    Customizing Columns ..... 57
    Home Perspective ..... 58
    Using Global Search ..... 60
Printing from the GUI ..... 61
Accessing IP Address Manager ..... 62
    Logging in to IP Address Manager ..... 62

NIOS 4.3r4

Infoblox Administrator Guide (Rev. A)

Multilingual Support ..... 62
    Host Names Support for Microsoft Windows Code Pages ..... 63
    RADIUS Authentication ..... 63
    UTF-8 Supported Fields ..... 63
    UTF-8 Support Limitations ..... 64
Exporting Data ..... 64
    Exporting Data from Panels ..... 64
    Exporting Data to a CSV File ..... 66

Chapter 3 Managing Administrators ..... 69
About Admin Accounts ..... 71
About Admin Groups ..... 73
    Creating a Superuser Admin Group ..... 73
About Limited-Access Admin Groups ..... 74
    About Admin Roles ..... 75
    Creating Limited-Access Admin Groups ..... 76
    Deleting Admin Roles and Groups ..... 77
    Viewing Admin Group Assignments ..... 77
About Administrative Permissions ..... 78
    Applying Permissions and Managing Conflicts ..... 79
    Defining Permissions ..... 81
    Viewing and Managing Permissions ..... 85
    Modifying Permissions ..... 86
    Removing Permissions ..... 86
Administrative Permissions for Common Tasks ..... 87
Administrative Permissions for Grid Members ..... 89
Administrative Permissions for Scheduling Tasks ..... 90
Managing DNS Resource Permissions ..... 91
    Administrative Permissions for DNS Views ..... 92
    Administrative Permissions for Zones ..... 93
    Administrative Permissions for Resource Records ..... 94
    Administrative Permissions for Shared Record Groups ..... 95
Managing Administrative Permissions for DHCP Resources ..... 96
    Administrative Permissions for Network Views ..... 97
    Administrative Permissions for Networks and Shared Networks ..... 98
    Administrative Permissions for Fixed Addresses ..... 100
    Administrative Permissions for DHCP Ranges ..... 101
    Administrative Permissions for DHCP Templates ..... 102
    Administrative Permissions for MAC Address Filters ..... 103
    Administrative Permissions for Network Discovery ..... 103
    Administrative Permissions for the DHCP Lease History ..... 104
    Administrative Permissions for the RADIUS Service ..... 104
Administrative Permissions for File Distribution Services ..... 106
Authenticating Administrators ..... 107
Creating Local Admins ..... 107
    Modifying and Removing an Admin Account ..... 108
About Remote Admins ..... 108
Authenticating Using RADIUS ..... 110
    Remote RADIUS Authentication ..... 111
    Configuring RADIUS Authentication on the NIOS Appliance ..... 111
    Adding RADIUS Servers ..... 112


    Testing the RADIUS Server ..... 113
    Maintaining the RADIUS Admins Server List on the NIOS Appliance ..... 113
    Disabling a RADIUS Server ..... 113
    Configuring a RADIUS Server ..... 114
    Configuring Admin Groups on the Remote RADIUS Server ..... 114
    Configuring Remote Admin Accounts on the Remote RADIUS Server ..... 114
    Authorization Groups Using RADIUS ..... 115
    Accounting Activities Using RADIUS ..... 115
Authenticating Admin Accounts Using Active Directory ..... 116
    Admin Authentication Using Active Directory ..... 117
    Configuring Active Directory Authentication for Admins ..... 117
Defining the Admin Policy ..... 118
    Specifying a List of Remote Admin Groups ..... 118
    Configuring the Default Admin Group ..... 118
    Configuring a List of Authentication Methods ..... 119
Changing Password Length Requirements ..... 119
Notifying Administrators ..... 119

Chapter 4 Managing Appliance Operations ..... 121
Managing Time Settings ..... 123
    Changing Time and Date Settings ..... 123
    Changing Time Zone Settings ..... 123
    Monitoring Time Services ..... 124
Using NTP for Time Settings ..... 125
    Authenticating NTP ..... 126
    NIOS Appliance as NTP Client ..... 128
    Configuring a NIOS Appliance as an NTP Client ..... 129
    NIOS Appliance as NTP Server ..... 132
    Configuring a NIOS Appliance as an NTP Server ..... 133
Scheduling Tasks ..... 136
    Enabling and Disabling Task Scheduling ..... 136
    Scheduling a Task ..... 136
    Viewing Scheduled Tasks ..... 137
    Rescheduling and Deleting Scheduled Tasks ..... 138
    Guidelines for Upgrading, Backing Up, and Restoring the Database ..... 138
Managing Security Operations ..... 139
    Enabling Support Access ..... 139
    Enabling Remote Console Access ..... 139
    Permanently Disabling Remote Console and Support Access ..... 140
    Restricting HTTP Access ..... 140
    Enabling HTTP Redirection ..... 141
    Modifying GUI Session Timeout Settings ..... 141
    Disabling the LCD Input Buttons ..... 141
    Modifying Security for a Grid Member ..... 142
Ethernet Port Usage ..... 143
    Modifying Ethernet Port Settings ..... 148
Using the LAN2 Port ..... 149
    NIC Failover ..... 150
    Enabling DHCP on LAN2 ..... 151
    Enabling DNS on LAN2 ..... 152


Using the MGMT Port ..... 153
    Appliance Management ..... 154
    Grid Communications ..... 156
    DNS Services ..... 159
Setting Static Routes ..... 161
Enabling DNS Resolution ..... 164
Managing Licenses ..... 165
    Viewing the Installed Licenses on a NIOS Appliance ..... 165
    Obtaining a 60-Day Temporary License ..... 165
    Obtaining and Adding a License ..... 166
    Removing Licenses ..... 166
Using the Recycle Bin ..... 168
    Disabling the Recycle Bin ..... 169
    Enabling the Recycle Bin ..... 169
    Viewing the Recycle Bin ..... 169
    Restoring Objects in the Recycle Bin ..... 170
    Emptying the Recycle Bin ..... 170
Shutting Down, Rebooting, and Resetting a NIOS Appliance ..... 171
    Rebooting a NIOS Appliance ..... 171
    Shutting Down a NIOS Appliance ..... 171
    Resetting a NIOS Appliance ..... 171
Managing the Disk Subsystem on the Infoblox-2000 ..... 173
    About RAID 10 ..... 173
    Evaluating the Status of the Disk Subsystem ..... 174
    Replacing a Failed Disk Drive ..... 174
    Disk Array Guidelines ..... 175
Restarting Services ..... 176
    Canceling a Scheduled Restart ..... 178

Chapter 5 Monitoring the Appliance ..... 179
Viewing Detailed Status ..... 180
    Appliance Status ..... 180
    Service Status ..... 180
    DB Capacity Used ..... 181
    Disk Usage ..... 181
    FAN ..... 181
    HA, LAN1, LAN2, or MGMT Port ..... 182
    LCD ..... 182
    Memory Usage ..... 182
    Power Supply ..... 182
    RAID ..... 183
    RAID Battery ..... 183
    Temperatures ..... 183
    Replication ..... 183
Using a Syslog Server ..... 185
    Specifying Syslog Servers ..... 185
    Configuring Syslog for a Grid Member ..... 186
    Setting DNS Logging Categories ..... 187
    Viewing the Syslog ..... 188
    Searching for Text ..... 188
    Downloading the Syslog File ..... 189

Infoblox Administrator Guide (Rev. A)

NIOS 4.3r4

Monitoring Tools . . . 190
    Using the Audit Log . . . 190
    Using the Replication Log . . . 192
    Using the Traffic Capture Tool . . . 193
    Using the Capacity Report . . . 194
    Monitoring DNS Transactions . . . 195

Chapter 6 Monitoring with SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201


Understanding SNMP . . . 202
SNMP MIB Hierarchy . . . 203
    MIB Objects . . . 204
Infoblox MIBs . . . 205
    Loading the Infoblox MIBs . . . 205
    RADIUS MIBs . . . 205
    ibTrap MIB . . . 206
    ibPlatformOne MIB . . . 229
    ibDHCPOne MIB . . . 237
    ibDNSOne MIB . . . 240
    ibIPWC MIB . . . 242
Configuring SNMP . . . 247
    Accepting SNMP Queries . . . 247
    Setting System Information . . . 247
    Adding SNMP Trap Receivers . . . 248
    Configuring SNMP for a Grid Member . . . 248

Chapter 7 Changing Software and Merging Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249


Upgrading NIOS Software . . . 250
Downgrading Software . . . 250
Reverting to the Previously Running Software Version . . . 250
Backing Up and Restoring a Configuration File . . . 251
    Backing Up Files . . . 251
    Automatically Backing Up a Data File . . . 252
    Downloading a Backup File . . . 253
    Restoring a Configuration File . . . 255
    Loading a Configuration File on a Different Appliance . . . 256
Downloading a Support Bundle . . . 257

Part 2 Appliance Deployment


Chapter 8 Deploying Independent Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Independent Deployment Overview . . . 262
Deploying a Single Independent Appliance . . . 263
    Method 1 Using the LCD . . . 264
    Method 2 Using the CLI . . . 264
    Method 3 Using the Infoblox NIOS Startup Wizard . . . 266
    Method 4 Using the GUI . . . 267


Configuration Example: Deploying a NIOS Appliance for External DNS . . . 268
    Cable the Appliance to the Network and Turn On Power . . . 269
    Specify Initial Network Settings . . . 269
    Specify Appliance Settings . . . 270
    Define a NAT Address . . . 271
    Enable Zone Transfers on the Legacy Name Server . . . 271
    Import Zone Data . . . 272
    Designate the New Primary on the Secondary Name Server (at the ISP Site) . . . 274
    Configure NAT and Policies on the Firewall . . . 274
Deploying an Independent HA Pair . . . 275
    Method 1 Using the Infoblox NIOS Startup Wizard . . . 277
    Method 2 Using the GUI . . . 279
Configuration Example: Configuring an HA Pair for Internal DNS and DHCP . . . 281
    Cable Appliances to the Network and Turn On Power . . . 282
    Specify Initial Network Settings . . . 283
    Specify Appliance Settings . . . 283
    Enable Zone Transfers on the Legacy Name Server . . . 285
    Import Zone Data . . . 285
    Define Networks, Reverse-Mapping Zones, DHCP Ranges, and Infoblox Hosts . . . 287
    Define Multiple Forwarders . . . 289
    Enable Recursion on External DNS Servers . . . 290
    Modify the Firewall and Router Configurations . . . 290
    Enable DHCP and Switch Service to the NIOS Appliance . . . 291
    Manage and Monitor . . . 292
Verifying the Deployment . . . 293
    Single Independent Appliance . . . 293
    Independent HA Pair . . . 293
Forcing an HA Failover . . . 293
Infoblox Tools for Migrating Data . . . 294
Upgrading Software on an Independent Appliance or HA Pair . . . 295
    Acquiring Software Upgrade Files . . . 295
    Distributing Software Upgrade Files . . . 295
    Running the Software Upgrade . . . 295

Chapter 9 Deploying a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297


Introduction to Grids . . . 298
    Grid Communications . . . 299
    NAT Groups . . . 300
    Automatic Software Version Coordination . . . 303
    Grid Bandwidth Considerations . . . 305
Creating a Grid Master . . . 307
    VRRP Advertisements . . . 309
    Port Numbers for Grid Communication . . . 310
    Creating an HA Grid Master . . . 311
    Creating a Single Grid Master . . . 313
Adding Grid Members . . . 317
    Adding a Single Member . . . 317
    Adding an HA Member . . . 318
Configuration Example: Configuring a Grid . . . 320
    Cable All Appliances to the Network and Turn On Power . . . 321
    Create the Grid Master . . . 322
    Define Members on the Grid Master . . . 324
    Join Appliances to the Grid . . . 325

    Import DHCP Data . . . 327
    Import DNS Data . . . 328
    Using the Wizard . . . 329
    After Using the Wizard . . . 331
Enabling IPv6 On a Grid Member . . . 333
    About IPv6 Addresses . . . 333
    Configuring IPv6 on a Grid Member . . . 334
    Configuration Example: Configuring IPv6 on a Grid Member . . . 334
Managing a Grid . . . 337
    Changing Grid Properties . . . 337
    Setting the MTU for VPN Tunnels . . . 337
    Removing a Grid Member . . . 338
    Promoting a Master Candidate . . . 338
Upgrading NIOS Software on a Grid . . . 339
    Lite Upgrades . . . 339
    Uploading NIOS Software . . . 340
    About Upgrade Groups . . . 340
    Distributing Software Upgrade Files . . . 341
    Testing a Software Upgrade . . . 345
    Performing a Software Upgrade . . . 346
    Monitoring Distribution and Upgrade Status . . . 350

Part 3 Service Configuration


Chapter 10 Managing DNS Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Configuring DNS Overview . . . 360
    DNS Configuration Checklist . . . 361
    Restarting Services . . . 362
Using Infoblox DNS Views . . . 363
    Default DNS View . . . 365
    DNS Views and Network Views . . . 365
    Creating DNS Views . . . 365
    Specifying Match Lists . . . 367
    Adding Zones to a DNS View . . . 368
    Adding Records to a Zone . . . 368
    Managing DNS Views . . . 370
    Configuration Example: Configuring a DNS View . . . 372
Understanding DNS for IPv6 . . . 374
    IPv6 Overview . . . 374
    Configuring DNS for IPv6 Addressing . . . 375
Delegating Zone Authority to Name Servers . . . 376
    Specifying a Primary Server . . . 376
    Specifying a Secondary Server . . . 377
Configuring Authoritative Zones . . . 380
    Creating an Authoritative Forward-Mapping Zone . . . 380
    Creating an Authoritative Reverse-Mapping Zone . . . 381
    Adding an Authoritative Subzone . . . 383
    Creating a Root Zone . . . 385


Importing Zone Data . . . 386
    Allowing Zone Transfers to an Appliance . . . 389
    Importing Data into Zones . . . 389
    How Specific Zones and Records Are Imported . . . 390
Restoring Zone Data . . . 390
    Restoring Zone Data After a Zone Import Example . . . 391
    Restoring Zone Data After a Zone Reimport Example . . . 391
Configuring Delegated, Forward, and Stub Zones . . . 392
    Configuring a Delegated Zone . . . 392
    Configuring a Forward Zone . . . 395
    Configuring Stub Zones . . . 397
Using Name Server Groups . . . 407
    Creating Name Server Groups . . . 407
    Applying Name Server Groups . . . 409
Managing Zones . . . 410
    Locking and Unlocking Zones . . . 410
    Modifying Zones . . . 411
    Removing Zones . . . 411
    Enabling and Disabling Zones . . . 413
About DNSSEC . . . 414
    DNSSEC Resource Records . . . 415
    DNSKEY Resource Records . . . 415
    RRSIG Resource Record . . . 415
    NSEC Resource Record . . . 415
    DS Resource Record . . . 416
    Configuring NIOS Appliances to Support DNSSEC . . . 416
    Enabling DNSSEC . . . 418
Using the Recycle Bin . . . 420
    Viewing the Recycle Bin . . . 420
    Restoring Objects in the Recycle Bin . . . 420
    Emptying the Recycle Bin . . . 421
Specifying Host Name Restrictions . . . 422
    Grid Level . . . 422
    Member Level . . . 423
    Zone Level . . . 423
    Obtaining a List of Invalid Record Names . . . 424
Associating Shared Record Groups With Zones . . . 424
Configuring Extensible Attributes . . . 424
Host Records . . . 425
    Understanding Host Records . . . 425
    Adding Hosts . . . 427
Adding Bulk Hosts . . . 429
    Specifying Bulk Host Name Formats . . . 429
    Before Defining Bulk Host Name Formats . . . 429
Configuring Bulk Hosts . . . 432


Adding Resource Records . . . 434
    Adding A Records . . . 434
    Adding NS Records . . . 435
    Adding AAAA Records . . . 436
    Adding PTR Records . . . 436
    Adding MX Records . . . 437
    Adding SRV Records . . . 439
    Adding TXT Records . . . 439
    Adding CNAME Records . . . 440
    Adding DNAME Records . . . 443
    Specifying Time To Live Settings . . . 448
Managing Hosts and Resource Records . . . 450
    Modifying, Disabling, or Deleting a Host or Record . . . 450
Viewing DNS Record Listings . . . 451

Chapter 11 Shared Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453


Understanding Shared Records . . . 454
    Shared Records Benefits . . . 455
    Shared Records Features . . . 455
    Shared Records Limitations . . . 455
Using Shared Records . . . 456
    Configuring Shared Record Groups . . . 456
    Viewing Records in Shared Record Groups . . . 457
    Associating Shared Record Groups With Zones . . . 457
    Viewing Zones Associated With Shared Record Groups . . . 457
    Removing Shared Record Group Zone Associations . . . 458
    Deleting and Recovering Shared Record Groups . . . 458
    Using the Shared Record Group API . . . 458
    Adding Shared Records . . . 459
    Adding Shared A Records . . . 459
    Adding Shared AAAA Records . . . 459
    Adding Shared MX Records . . . 460
    Adding Shared SRV Records . . . 460
    Adding Shared TXT Records . . . 461
Configuration Example . . . 462

Chapter 12 Configuring DNS Services . . . 465

Configuring DNS Services . . . 466
Changing General DNS Properties for a Grid . . . 466
Enabling Zone Transfers . . . 468
Specifying DNS Queries . . . 470
Configuring a DNS Blackhole List . . . 472
Specifying Root Name Servers . . . 474
Specifying Sort Lists . . . 475
Using Forwarders with a Grid . . . 475
Using Forwarders with a Member . . . 476
Specifying Minimal Response Returns . . . 476
Disabling and Enabling DNS Service for a Grid Member . . . 476
Configuring Additional IP Addresses for a Grid Member . . . 477

NIOS 4.3r4

Infoblox Administrator Guide (Rev. A)

11

Configuring DNS Zone Services . . . 478
Disabling Forwarding for a Zone . . . 478
Specifying TTL Settings for a Zone . . . 478
Changing the SOA Name for a Zone . . . 479
Setting the Serial Number in the SOA Record . . . 479
Adding an E-mail Address to the SOA Record . . . 479
Allowing Zone Transfers for a Zone . . . 480
Allowing Query Access for a Zone . . . 481
Viewing DNS Files . . . 482
Viewing DNS Cache Files . . . 482
Viewing a DNS Configuration File . . . 482
Viewing DNS Zone Statistics . . . 482

Chapter 13 Configuring IP Routing Options . . . 483

Multiple IP Addresses on an Interface . . . 484
IP Addressing on an Interface . . . 484
Configuring IP Addresses on the Loopback Interface . . . 484
Advertising Loopback IP Addresses to the Network . . . 485
Configuration Example: Configuring IP Addresses on the Loopback Interface . . . 485
Anycast Addressing . . . 486
Network Communication Types . . . 486
OSPF . . . 488
Configure OSPF on an Interface . . . 488
Configure an Anycast Address on an Interface . . . 490
Configuration Example: Configuring Anycast Addressing on the Appliance . . . 490

Chapter 14 Managing DHCP Data . . . 493

About Network Views . . . 495
Creating Network Views . . . 496
Deleting Network Views . . . 496
Configuring a DHCP Network . . . 497
Adding a Network . . . 497
Splitting a Network into Subnets . . . 498
Expanding/Joining a Network . . . 500
Adding a Shared Network . . . 502
Viewing Networks . . . 502
Modifying a Network . . . 503
Removing a Network . . . 503
Enabling and Disabling a Network . . . 503
Configuring IP Addresses and DHCP Address Ranges . . . 504
Creating and Managing Templates . . . 508
About Network Templates . . . 508
Creating and Managing Network Templates . . . 509
Creating and Managing DHCP Range Templates . . . 511
Creating and Managing Fixed Address Templates . . . 514
Configuring Extensible Attributes . . . 518
Using the Recycle Bin . . . 519
Viewing the Recycle Bin . . . 519
Restoring Items in the Recycle Bin . . . 519
Emptying the Recycle Bin . . . 519


Chapter 15 Configuring DHCP Services . . . 521

Configuring DHCP Overview . . . 523
DHCP Configuration Checklist . . . 525
Configuring DHCP Properties . . . 526
Enabling DHCP and Setting Member Properties . . . 528
Specifying Ping Settings . . . 529
Specifying DHCP Lease Times . . . 530
Specifying BOOTP Properties . . . 531
Specifying Custom DHCP Options . . . 533
Defining Option 60 (Vendor-Class-Identifier) Match Rules . . . 534
Defining Custom Options . . . 534
Configuring Advanced DHCP Options . . . 536
Configuring the DHCP Option Space . . . 536
Adding Vendor Option Spaces . . . 536
Configuring DNS Updates . . . 537
Enabling DHCP Logging . . . 537
Defining Filters . . . 538
Configuring a MAC Address Filter . . . 542
Configuring Option Filters . . . 544
Configuration Example . . . 547
Example DHCP Configuration File . . . 548
Configuring User Class Filters . . . 549
Configuring a Relay Agent Filter . . . 550
Managing DHCP Filters . . . 552
Configuring DHCP Failover . . . 553
DHCP Failover Tasks . . . 553
Creating a Failover Association . . . 554
Monitoring the Failover Association . . . 555
Failover Association Operations . . . 555
Viewing DHCP Files . . . 556
Viewing a DHCP Configuration File . . . 556
Viewing DHCP Statistics . . . 556

Chapter 16 Using Network Discovery . . . 557

About Network Discovery . . . 558
Administrative Permissions . . . 559
Discovery Process . . . 560
Supported Discovery Methods . . . 561
Configuring Network Discovery . . . 563
Updating the Database . . . 564
Starting a Discovery . . . 565
Monitoring Discovery Status . . . 566
Viewing Discovered Data . . . 567
Attributes of Discovered Data . . . 567
Types of Discovered Data . . . 567
Display of Discovered Data . . . 568
Filtering Discovered Data . . . 568
Searching Discovered Data . . . 569


Managing Discovered Data . . . 569
Managing Unmanaged Data . . . 569
Resolving Conflicting Addresses . . . 571
Configuring DNS and DHCP for a Host . . . 572
Clearing the Discovered Timestamp . . . 573

Chapter 17 Configuring DDNS Updates from DHCP . . . 575

Understanding DDNS Updates from DHCP . . . 576
Configuring DHCP for DDNS . . . 579
Specifying a Domain Name for DHCP Clients . . . 580
Configuring DDNS on the DHCP Server . . . 581
Sending Updates to DNS Servers . . . 582
Client FQDN Option (Option 81) . . . 583
Generating Host Names for DNS Updates . . . 585
Updating DNS for Clients with Fixed Addresses . . . 586
Resending DNS Updates . . . 586
Configuring DNS Update Verification . . . 587
Configuring DNS for DDNS . . . 590
Enabling the DNS Server to Receive Updates . . . 590
Forwarding Updates . . . 592
Authenticating Updates with TSIG . . . 593
Supporting Active Directory . . . 595
About GSS-TSIG . . . 596
Sending DDNS Updates to a DNS Server . . . 597
Sending GSS-TSIG-Authenticated Updates to a DNS Server . . . 597
Configuring DHCP to Send GSS-TSIG Updates . . . 599
Receiving DDNS Updates from DHCP Clients . . . 606
Receiving GSS-TSIG-Authenticated Updates from DHCP Clients . . . 608
Configuring DNS to Receive GSS-TSIG Updates . . . 610

Chapter 18 Managing IP Data IPAM . . . 617

Managing and Viewing IP Address Data . . . 618
About Extensible Attributes . . . 618
Defining Extensible Attributes . . . 620
Modifying Extensible Attributes . . . 622
Deleting Extensible Attributes . . . 623
Searching for Data in Extensible Attributes . . . 623
Adding, Modifying, and Removing Host Objects . . . 624
Adding, Modifying, and Removing DNS Records . . . 624
Modifying DHCP Options . . . 624
Converting DHCP Leases, Fixed Addresses, and Reserved Addresses . . . 624
Monitoring Overall DHCP Address Usage . . . 627
Setting Watermark Properties . . . 627
Viewing IPAM Status . . . 631
Downloading IPAM Status Data . . . 631
Viewing IPAM Data . . . 632
Viewing DHCP and DNS Usage and Device Details . . . 632
Searching and Sorting IPAM Data . . . 633
Viewing DHCP Lease Details . . . 633


Viewing Historical DHCP Lease Records . . . 635
Logging Member and Selective Logging . . . 635
Searching DHCP Lease Event Records . . . 636
Viewing Lease Event Details . . . 637
Exporting and Importing . . . 638

Chapter 19 NAC Foundation . . . 639

About the NAC Foundation Module . . . 641
DHCP Authentication Process . . . 641
Configuring the NAC Foundation Module . . . 644
Configuring DHCP Ranges for Authorization . . . 645
Quarantined DHCP Range . . . 645
Guest DHCP Range . . . 645
Authorized DHCP Range . . . 645
User Class Assignments . . . 646
Binding DHCP Ranges to the Quarantined and Authorized Levels . . . 646
Uploading Files for Customization . . . 647
Uploading Files . . . 647
Creating Subdirectories . . . 647
Managing the Image Files . . . 648
Configuring the Captive Portal . . . 648
About Client Validation . . . 649
Configuring the McAfee Service . . . 649
Enabling Validation . . . 650
About Authentication . . . 650
Managing the Local User Database . . . 650
Configuring the Self Service Portal . . . 651
Importing Accounts from an Active Directory Server . . . 652
Configuring Active Directory Services . . . 652
Configuring LDAP/LDAPS Authentication Services . . . 652
Configuring the Authentication Policy . . . 653
Specifying an External Authentication Home RADIUS Server . . . 654
About Guest Access . . . 654
Configuring Guest Access . . . 655
Viewing Guest and Authenticated Users . . . 656
Configuration Example . . . 658
Configure a Loopback Interface . . . 658
Configure a Network . . . 658
Create DHCP Address Ranges in the Network . . . 659
Configure AD Servers for Authentication . . . 659
Bind DHCP Ranges to the Quarantined and Authorized Levels . . . 659
Configure the Captive Portal . . . 660
Configure Authentication . . . 661
Enable DHCP . . . 661
Verifying Your Configuration . . . 661

NIOS 4.3r4

Infoblox Administrator Guide (Rev. A)

15

Chapter 20  File Distribution Services    663


File Distribution    664
Enabling and Configuring TFTP    665
Enabling and Configuring HTTP    666
Enabling and Configuring FTP    667
Managing Files    668
Uploading Files    668
Creating a Directory Structure    668
Modifying File Distribution Storage Settings    669
Viewing Files    669

Chapter 21  RADIUS Services    671


Understanding RADIUS    673
Infoblox RADIUS Services    674
RADIUS Servers in a Grid    675
Authentication Methods    676
Accounting    676
Configuring RADIUS Services    677
Managing User Accounts in the Local Database    678
Adding Users    678
Importing Users From a Microsoft Active Directory Server    678
Viewing Imported Users and Groups    680
Configuration Example: Importing Users from AD Servers    680
Troubleshooting AD Error Messages    682
Configuring LDAP Authentication    683
Managing Certificates    684
Generating a Self-Signed EAP Certificate    684
Generating a Certificate Signing Request    685
Uploading Certificates to the Appliance    685
Downloading Certificates from the Appliance    685
About RADIUS Policies    686
Defining Policies for User Groups    687
Using RADIUS Policies    688
Configuring RADIUS Policies    688
Managing Policies    689
Configuring RADIUS Policy Groups    689
Managing Policy Groups    689
Assigning a Policy Group to a Grid Member    689
Network Access Servers    690
Enabling RADIUS Services    691
RADIUS Authentication    691
RADIUS Accounting    692
Understanding RADIUS Proxy Services    693
RADIUS Home Servers    695
Configuring a RADIUS Authentication Home Server Object    696
Configuring a RADIUS Accounting Home Server Object    696
Managing RADIUS Proxy Services    697
Proxying RADIUS Access-Requests    698
Viewing the RADIUS Configuration File    698
Proxying RADIUS Accounting-Requests    698
Removing Home Servers and Shared Secret Relationships    699


Chapter 22  IPAM WinConnect    701


Configuring IPAM WinConnect    702
Uploading a WinConnect Bundle    702
Viewing Bundle Information    702
Managing the WinConnect Bundles    702
Configuring the WinConnect Service    703
Backing Up and Restoring Data    704
Monitoring WinConnect Services    704

Chapter 23  VitalQIP    705


About VitalQIP on a Grid    706
HA Pair Grid Members    708
Deploying Grid Members as VitalQIP Remote Servers    709
Uploading and Enabling VitalQIP Files    709
Launching VitalQIP on the Grid    713
Configuring Grid Members on the VitalQIP Enterprise Server    714
Using LDRM    717
DHCP API    718
Monitoring VitalQIP Services    718
SNMP    719
Troubleshooting Tools    719

Chapter 24  bloxTools Environment    721


About the bloxTools Environment    722
System Requirements    722
Using the bloxTools Environment    723
Configuring the Service    723
Uploading Files    724
Scheduling Tasks    724
Monitoring the Service    724

Part 4 API Interface


Chapter 25  Infoblox DMAPI    729
Introduction to Infoblox DMAPI    730
Required Tools    730
Infoblox DMAPI Documentation    731
Installing Perl and Infoblox DMAPI Packages    731
Infoblox Scripting Pack    732
Running a Script    734
Testing the Connection    734
Backing Up the Database    735
Writing a Script    736
Perl Information Resources    746
Infoblox-Specific Perl Resources    746
Perl Resources    746


Part 5 Reference Material


Appendix A  Product Compliance    749
Power Safety Information    750
AC    750
DC    750
Agency Compliance    751
FCC    751
Canadian Compliance    751
VCCI    752
RFC Compliance    753
DNS RFC Compliance    753
DHCP RFC Compliance    755

Appendix B  Regular Expressions    757


Supported Expressions for Search Parameters    757

Appendix C  Open Source Copyright and License Statements    759


GNU General Public License    761
GNU Lesser General Public License    764
Apache Software License, Version 2.0    770
perl Artistic License    775
ISC BIND Copyright    776
ISC DHCP Copyright    777
Julian Seward Copyright    778
Carnegie Mellon University Copyright    778
Thai Open Source Software Center Copyright    779
Ian F. Darwin Copyright    780
Lawrence Berkeley Copyright    781
MIT Kerberos Copyright    781
BSD License    782
David L. Mills Copyright    783
OpenLDAP License    783
OpenSSL License    784
VIM License    785
ZLIB License    787
Wietse Venema Copyright    787
ECLIPSE SOFTWARE    788
Eclipse Public License - v 1.0    788
AOP Alliance (Java/J2EE AOP standards)    792
ASM    792
Distributed Computing Laboratory, Emory University    793
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL)    793
The FreeType Project LICENSE    797
The Independent JPEG Group's JPEG software    801
Net-SNMP    803
The PHP License, version 3.01    809


Appendix D  Hardware Information    811


About the Hardware Components    812
Identifying the Front Panel Components    812
Using the LCD Panel    813
Using the Serial Console    813
Ports    814
About Back Panel Components    815
Connecting the Ethernet Cables    815
Independent Appliance Cabling Using the LAN or Serial Port    815
HA Pair Appliance Cabling Using the LAN and HA Ports    816
Cabling for the MGMT Port    817
Rack Mounting Information    821
Chassis Warning    821
Rack Mounting and Safety    821
Hardware Platform Specifications and Requirements    822
System Specifications    822
Environmental Specifications    822
AC Electrical Power Specifications    822
DC Electrical Power Specifications    822

Appendix E  vNIOS Appliance Limitations    823


vNIOS for Cisco    823
vNIOS for Riverbed    824

Index    825


Preface
This guide explains how to install, configure, and manage a NIOS appliance. This preface describes the content and organization of this guide, and provides information about how to find additional product information, including accessing Technical Support:

Document Overview on page 22
Documentation Organization on page 22
Documentation Conventions on page 24
What's New on page 26
Related Documentation on page 26
Customer Care on page 27
User Accounts on page 27
Software Upgrades on page 27
Technical Support on page 27


Document Overview
This guide describes how to install, configure, and manage NIOS appliances using NIOS 4.3r4. This manual was last updated on April 22, 2009. For updated documentation, visit our Support site at: http://support.infoblox.com.

Documentation Organization
This guide consists of five parts, as described in the following table.

Section

Content

Part 1 Appliance Administration Chapter 1, Overview, on page 31

Chapters 1 7
Provides general information about the NIOS software, plus provides definitions of the terms used to explain how NIOS appliances operate. It provides examples of how the appliances can be used in your network. Explains how to use the GUI of the NIOS appliance by defining what the GUI components are and how to use them. Explains how to configure and manage administrator groups and accounts in the local database and on external RADIUS servers. Explains how to configure NTP, secure administrative access, set routes, enable DNS resolution, activate licenses, and reset the NIOS appliance. It also provides information about ethernet and service port usage. Explains the purpose of the various logs and provides information on using syslog to monitor the NIOS appliance. Explains how to configure SNMP to monitor the NIOS appliance. It also describes the SNMP traps that the NIOS appliance can send and the Infoblox MIBs. Explains how to upgrade and downgrade software, and how to backup, merge, revert, and restore configuration files.

Chapter 2, Infoblox GUI, on page 39 Chapter 3, Managing Administrators, on


page 69

Chapter 4, Managing Appliance Operations, on page 121

Chapter 5, Monitoring the Appliance, on


page 179

Chapter 6, Monitoring with SNMP, on page


201

Chapter 7, Changing Software and Merging Files, on page 249 Part 2 Appliance Deployment Chapter 8, Deploying Independent Appliances, on page 261 Chapter 9, Deploying a Grid, on page 297

Chapters 8 9
Explains how to deploy single independent appliances and independent HA (high availability) pairs. Addresses grid deployment considerations and explains how to deploy single NIOS appliances and HA pairs as grid masters and members.

Part 3 Service Configuration Chapter 10, Managing DNS Data, on page


357

Chapters 10 18
Explains how to manage grid data configurations that are inherited by DNS members and zones, such as zone type and mapping information. This chapter also describes how to configure DNS views and how to modify, remove and disable authoritative, delegated, and forward zones. It concludes with how to add, modify, remove, and disable hosts and records.

22

Infoblox Administrator Guide (Rev. A)

NIOS 4.3r4

Document Overview

Section

Content Explains how to configure and use shared records. Shared records are groups of DNS resource records that you can assign to one or more zones. Use shared records to create and update multiple resource records shared by different zones. Explains how to configure the DNS services provided by the grid, which includes time-to-live (TTL) settings, zone transfers, queries, root name servers, dynamic updates, sort lists, and Transaction Signatures (TSIG) for DNS. This chapter also describes how to specify broadcast addresses, routers, and DNS servers. It describes how to specify and update zones on external servers and for fixed addresses. This chapter concludes with how to use the view DNS configuration files and statistical reports. Explains how to enable and configure anycast addressing as well as configure multiple IP address on loopback interfaces on the NIOS appliance. Explains how to configure networks, and features such as creating split and shared networks. This chapter also describes how to modify, remove and disable networks. This chapter concludes with how to add, modify, remove, and disable fixed addresses and DHCP address ranges. Templates are provided for creating networks, ranges, and fixed addresses. Explains how to manage grid data configurations that are inherited by DHCP members and networks, DHCP address ranges, and fixed addresses. This chapter explains how to configure the DHCP services provided by each member, which includes lease times, BOOT servers, and custom options. This chapter concludes with how to use the view DHCP configuration files and statistical reports. Explains how to configure and manage the network discovery feature. Explains how to set up DHCP and DNS services to work together to support DDNS (dynamic DNS) updates. Explains how to monitor IP address usage using the IPAM (IP address management) software module. 
Provides an overview of the NAC Foundation module and its components, and describes how to set parameters and configure various security functions. Explains the TFTP, HTTP and FTP services that the NIOS appliance provides for uploading and downloading data to and from a NIOS appliance.

Chapter 11, Shared Records, on page 453

Chapter 12, Configuring DNS Services, on


page 465

Chapter 13, Configuring IP Routing Options,


on page 483

Chapter 14, Managing DHCP Data, on page


493

Chapter 15, Configuring DHCP Services, on


page 521

Chapter 16, Using Network Discovery, on


page 557

Chapter 17, Configuring DDNS Updates from DHCP, on page 575 Chapter 18, Managing IP Data IPAM, on
page 617

Chapter 19, NAC Foundation, on page 639

Chapter 20, File Distribution Services, on


page 663

Chapter 21, RADIUS Services, on page 671 Explains how to configure RADIUS services on a NIOS appliance. Chapter 22, IPAM WinConnect, on page
701 Explains how to configure a NIOS appliance to run the IPAM WinConnect service. This chapter describes how to upload an IPAM WinConnect bundle, set operational parameters, and monitor the WinConnect service.

NIOS 4.3r4

Infoblox Administrator Guide (Rev. A)

23

Preface

Section

Chapter 23, VitalQIP, on page 705: Explains how to configure NIOS appliances as VitalQIP DNS and DHCP remote servers. This chapter describes how to configure NIOS appliances to upload and manage VitalQIP binary bundles and policy files in a grid.
Chapter 24, bloxTools Environment, on page 721: Explains how to configure the bloxTools Environment, which provides a pre-installed environment for hosting custom web-based applications.

Part 4 API Interface
Chapter 25, Infoblox DMAPI, on page 729: Provides an overview of the DMAPI interface and describes how to set up and use the Infoblox API.

Part 5 Reference Material (Appendices A to E)
Appendix A, "Product Compliance", on page 749: Provides product information, such as hardware and software specifications and requirements. This appendix also supplies agency compliance and safety information and concludes with RFC compliance information for the product.
Appendix B, "Regular Expressions", on page 757: Lists regular expressions that the NIOS appliance supports for searches.
Appendix C, "Open Source Copyright and License Statements", on page 759: Provides the Open Source copyright and license information for the product.
Appendix D, "Hardware Information", on page 811: Describes the hardware components and explains how to rackmount and cable an Infoblox appliance. It also lists the hardware requirements and specifications.
Appendix E, "vNIOS Appliance Limitations", on page 823: Describes the limitations of the NIOS virtual appliances.

Documentation Conventions
The text in this guide follows these style conventions (Style: Usage):

bold: Indicates anything that you input by clicking, choosing, selecting, or typing in the GUI, or by pressing on the keyboard.
input: Signifies command line entries that you type.
variable: Signifies variables typed into the GUI that you need to modify specifically for your configuration, such as command line variables, file names, and keyboard characters.
+ (for tabname): Indicates that you will select the named tab.
> (for tabname)


Variables
Infoblox uses the following variables to represent values that you type, such as file names and IP addresses (Variable: Value):

admin_group: Name of a group of administrators
admin_name: Name of the appliance administrator
addr_range: IP address range
DHCP_template: DHCP template
domain_name: Domain name
directory: Directory name
filter_name: Filter name
fixed_address_template: Fixed address template
grid_master: Grid Master
grid_member: Grid Member
hostname: Host name of an independent appliance
grid: Grid name
ip_addr: IPv4 address
member: Grid member name
netmask: Subnet mask
network: IP address of a network
network_access_server: Name of a NAS
network_template: Network template
network_view: Network view
policy: Name of a policy on RADIUSone
policy_group: Name of a Policy Group
port: Number of a port; predefined for certain protocols
RADIUS_server: Name of a RADIUS server
service: One of the services available from the Grid Manager
template_type: DHCP template
dns_view: DNS view
zone: DNS zone

Navigation
Infoblox technical documentation uses an arrow -> to represent navigation through the GUI. For example, to access Grid Properties, the description is as follows: From the Grid perspective, click grid -> Edit -> Grid Properties.


What's New
The following sections are new or have been updated in this version of this guide:

Task Scheduling: You can now schedule tasks, such as adding hosts or modifying fixed addresses, for a future date and time. The scheduling feature is useful when you want to add, modify, or delete specific records at a desired date and time. Using this feature, you can streamline your day-to-day operations. For example, you can schedule the deletion of records that you use for testing when the test time is up. You can also reassign an IP address to a fixed address when the location of the server to which the fixed address is assigned changes from one network to another. For information, see Scheduling Tasks on page 136.

External NTP Servers for Grid Members: In a grid, you can now configure the grid master and grid members as NTP clients that synchronize their clocks with external NTP servers. They can in turn function as NTP servers to other appliances in the network. This allows you to deploy multiple NTP servers to ensure accurate and reliable time across the network. For information, see Using NTP for Time Settings on page 125.

GSS-TSIG Dynamic DNS Updates To/From Microsoft Windows Server 2008: NIOS appliances now support secure dynamic DNS updates using GSS-TSIG to and from Microsoft DNS and DHCP servers running Microsoft Windows Server 2008 Enterprise (x64) English version. For information, see About GSS-TSIG on page 596.

In addition, Net Map now provides a zoom feature that allows you to enlarge and reduce your view of selected areas in the network map. You can zoom in on an area until it displays up to 128 IP addresses per row, for a total of 1024 addresses in the map. With the zoom feature, you can focus on different areas in your address space. In addition, the Zoom Controller keeps track of each selected zoom level, so you can quickly zoom to a previously selected area in the map. For information, refer to the Infoblox Administrator Guide for IP Address Manager.

Infoblox now provides support for PortIQ appliances. When you deploy Infoblox PortIQ appliances in a network, you can synchronize network infrastructure data with the NIOS appliance, and then view the data in the IP Map and List panels of IP Address Manager. PortIQ appliances track where devices connect to network switches and routers, and provide information about the ports on the switches to which the devices connect. For information about PortIQ appliances, visit the Infoblox Support site at http://www.infoblox.com/products/portiq-appliances.cfm.

Related Documentation
Other NIOS appliance documentation:

Infoblox CLI Guide
Infoblox API Documentation
Infoblox Administrator Guide for IP Address Manager
Infoblox-500, Infoblox-1000 and Infoblox-1200 Quick Start
Infoblox User Guide for the Infoblox-1050, 1550, and 1552 Appliances
Infoblox User Guide for the Infoblox-500, 550 Appliance
Infoblox Installation Guide for the Infoblox-550, -1050, -1550, and -1552 Appliances
Infoblox Installation Guide for the Infoblox-550-A, -1050-A, -1550-A, and -1552-A Appliances
Infoblox Installation Guide for the Infoblox-250 Appliance
Infoblox Installation Guide for the Infoblox-2000 Appliance
Quick Start Guide for Installing NIOS Software on Riverbed Services Platforms
Quick Start Guide for Installing vNIOS Software on Cisco Application eXtension Platforms
Infoblox Safety Guide

To provide feedback on any of the Infoblox technical documents, please e-mail techpubs@infoblox.com.


Customer Care
This section addresses user accounts, software upgrades, licenses and warranties, and technical support.

User Accounts
The Infoblox appliance ships with a default user name and password. Change the default admin account password immediately after the system is installed to safeguard its use. Make sure that the NIOS appliance has at least one administrator account with superuser privileges at all times, and keep a record of your account information in a safe place. If you lose the admin account password, and did not already create another superuser account, the system will need to be reset to factory defaults, causing you to lose all existing data on the NIOS appliance. You can create new administrator accounts, with or without superuser privileges. For more information, refer to Managing Administrators on page 41.

Software Upgrades
Software upgrades are available according to the Terms of Sale for your system. Infoblox notifies you when an upgrade is available. Register immediately with Infoblox Technical Support at http://www.infoblox.com/support/product_registration.cfm to maximize your Technical Support.

Technical Support
Infoblox Technical Support provides assistance via the Web, e-mail, and telephone. The Infoblox Support web site at http://support.infoblox.com provides access to product documentation and release notes, but requires the user ID and password you receive when you register your product online at: http://www.infoblox.com/support/product_registration.cfm.


Part 1 Appliance Administration


This section provides basic information about the NIOS appliance, including a description of the various modules and a list of product terminology, a description of the user interface, and information about basic configuration tasks. It includes the following chapters:

Chapter 1, "Overview", on page 31
Chapter 2, "Infoblox GUI", on page 39
Chapter 3, "Managing Administrators", on page 69
Chapter 4, "Managing Appliance Operations", on page 121
Chapter 5, "Monitoring the Appliance", on page 179
Chapter 6, "Monitoring with SNMP", on page 201
Chapter 7, "Changing Software and Merging Files", on page 249


Chapter 1 Overview
This chapter provides general information about the NIOS appliance operating system and software modules. It defines terms used in this manual and describes various deployment scenarios. The topics in this chapter include:

NIOS Appliance Software Packages and Upgrades on page 32
Product Terminology on page 32
Deployment Scenarios on page 34
Scenario 1 Independent NIOS Appliances on page 34
Scenario 2 Basic Grid with Independent NIOS Appliances on page 35
Scenario 3 Infoblox Grid with NIOS Virtual Appliances as Grid Members on page 36
Scenario 4 Multiple Grids on page 37
Scenario 5 Primary and Secondary NIOS Appliances on page 38


NIOS Appliance Software Packages and Upgrades


All NIOS appliances run the NIOS operating system. NIOS appliances provide core services and a framework for integrating all the components of the modular Infoblox solution. The appliances support local HA (high availability) both at the appliance and database levels via bloxHA failover and bloxSYNC database synchronization. For information about HA pairs, see Deploying an Independent HA Pair on page 275 and Adding an HA Member on page 318. NIOS appliances support the following software packages:

The DNSone software package is fully BIND compliant. It provides integrated DNS and DHCP services with built-in IPAM services. DNSone stores all DNS and DHCP data in the integrated bloxSDB semantic database, which is built into NIOS. It includes a TFTP server for downloading firmware and configuration files to VoIP phones.
The NSQ (Network Services for Alcatel-Lucent VitalQIP) software package provides support for Lucent's VitalQIP IP address management software.
The Grid upgrade provides a real-time, integrated services and data management framework that integrates a collection of distributed appliances into a unified grid.
The Network Services for VoIP package provides integrated DNS, DHCP, TFTP, and RADIUS proxy services.
The NSA (Network Services for Authentication) software package provides support for the RADIUS (Remote Authentication Dial-In User Service) protocol and the underlying authentication methods required for 802.1X authentication, as well as the Infoblox grid module.
The Network Services Suite (NSS) provides integrated DNS, DHCP, TFTP, RADIUS, and the grid services.
The IPAM WinConnect package provides powerful tools and capabilities for managing your IP environment and IP address data at an enterprise level.

Product Terminology
Before you begin, review Table 1.1 for a description of some key terminology. Some terms, such as grids and high availability, are used in different ways by other networking-product vendors. The alphabetically arranged table can help you understand the terms and concepts as Infoblox uses them and as they are used in this guide.

Table 1.1 Product Terminology


DNSone: The software package that enables the NIOS appliance to provide DNS, DHCP and TFTP services. You can add the Grid upgrade to NIOS appliances running DNSone.
Gateway: The default router for the immediate network segment of an interface.
HA address: The IP address of the HA port. The active node of the grid master uses this address for grid communications, network data and services, and, if the MGMT port is disabled, GUI access. See Ethernet Port Usage on page 143.
HA pair: Two physical Infoblox appliances that are linked to perform as a single virtual appliance in an HA (high availability) configuration. In this configuration, one appliance is the active node and the other is the passive node.
Host name: The fully qualified domain name(s) of the NIOS appliance that you are configuring.
Grid: A group of NIOS appliances that are connected together to provide a single point of appliance administration and service configuration in a secure, highly available environment.
Grid Master: The grid member that maintains the semantic database that is distributed among all members of the grid. You connect to the GUI of the grid master to configure and monitor the entire grid.
Grid Member: Any single NIOS appliance or HA pair of Infoblox appliances that belong to a grid. Each member can use the data and the services of the grid. You can also modify settings so that a member can use unique data and member-specific services. The Grid upgrade provides grid capabilities.
Grid LAN address: The IP address of the LAN port. The active node of the grid master uses this address for management protocols if the MGMT port is disabled. The passive node uses its LAN port for grid communications and management protocols if the MGMT port is disabled. See Ethernet Port Usage on page 143.
Master Candidate: Enables a grid member to assume the role of grid master as a disaster recovery measure.
MGMT Address: The IP address that both nodes comprising the grid master use for management protocols. Also, when you enable the MGMT port, the active node of the grid master uses the MGMT address for GUI access. See Ethernet Port Usage on page 143.
NIOS appliance: Infoblox appliances and Infoblox Virtual Appliances that run NIOS software.
NIOS virtual appliance: A third-party hardware platform that runs the vNIOS software package. Supported platforms are Riverbed Steelhead appliances with Riverbed Services Platform modules and Cisco Application eXtension Platforms in Integrated Services Routers.
Node: A single component of an HA (high availability) pair. An HA pair consists of an active node and a passive node.
Service configuration: Specifying the services provided by your NIOS appliances, such as enabling DNS and DHCP, configuring dynamic updates, creating sort lists, and using custom options and filters at the grid, member, zone, and network level.
Virtual IP: The shared IP address of an HA pair. A VIP address links to the HA port on the active node.
Virtual Router ID: The VRID (virtual router ID) identifies the VRRP (Virtual Router Redundancy Protocol) HA pair to which the NIOS appliance belongs. Through this ID, two HA nodes identify each other as belonging to the same HA pair and they obtain a virtual MAC address to share together with a VIP (virtual IP address). The VRID can be any number between 1 and 255, and it must be unique on the local LAN so that it does not conflict with any other NIOS appliances using VRRP on the same subnet.
Zone: A portion of the domain name space for which a NIOS appliance or another name server is authoritative (for example, has the SOA [start of authority] record). A zone can also be delegated or forwarded. Zones are the primary objects used to manage DNS data and DNS services.
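The Virtual Router ID entry in Table 1.1 states two constraints: a VRID is a number from 1 to 255, and it must be unique on the local LAN so that two HA pairs on one subnet do not collide. The following Python script is an added example, not Infoblox code, that checks a planned set of HA pairs against both constraints before they are deployed. The pair names and subnets in it are constructed sample data; the virtual MAC derivation (00:00:5E:00:01 followed by the VRID) comes from RFC 3768, which the guide refers to only as "a virtual MAC address".

```python
"""Pre-deployment check of VRRP VRIDs for a planned set of HA pairs.

Added example, not Infoblox code. Each HA pair is described by
(name, vrid, subnet_cidr), where subnet_cidr is the subnet that the
two HA ports and the VIP share, e.g. "10.1.1.0/24".
"""
import ipaddress
from collections import defaultdict

# RFC 3768: the IPv4 VRRP virtual MAC address is 00-00-5E-00-01-{VRID}.
VRRP_MAC_PREFIX = "00:00:5E:00:01"


def virtual_mac(vrid: int) -> str:
    """Virtual MAC an HA pair shares for its VIP, derived from its VRID."""
    if not 1 <= vrid <= 255:
        raise ValueError(f"VRID {vrid} is outside the valid range 1-255")
    return f"{VRRP_MAC_PREFIX}:{vrid:02X}"


def check_vrids(pairs):
    """Return a list of problem descriptions; an empty list means the plan is clean.

    A VRID outside 1-255 is invalid. Two pairs that reuse a VRID on the same
    subnet would be treated as one VRRP group on that LAN and would claim the
    same virtual MAC, so the planner reports them as a conflict. The same VRID
    on different subnets is fine, which is what the guide's "unique on the
    local LAN" wording allows.
    """
    problems = []
    groups = defaultdict(list)  # (subnet, vrid) -> names of pairs using it
    for name, vrid, subnet_cidr in pairs:
        if not 1 <= vrid <= 255:
            problems.append(f"{name}: VRID {vrid} is outside the valid range 1-255")
            continue
        subnet = ipaddress.ip_network(subnet_cidr, strict=False)
        groups[(subnet, vrid)].append(name)
    for (subnet, vrid), names in groups.items():
        if len(names) > 1:
            problems.append(
                f"VRID {vrid} reused on {subnet} by {', '.join(names)} "
                f"(both would use virtual MAC {virtual_mac(vrid)})"
            )
    return problems


if __name__ == "__main__":
    # Constructed plan: the two data-centre pairs wrongly share VRID 10 on one
    # subnet, the branch pair reuses 10 on a different subnet (allowed), and the
    # last entry has an out-of-range VRID.
    planned_pairs = [
        ("dc-grid-master", 10, "10.1.1.0/24"),
        ("dc-master-candidate", 10, "10.1.1.0/24"),
        ("branch-east", 10, "10.2.0.0/16"),
        ("branch-west", 300, "10.3.3.0/24"),
    ]
    for problem in check_vrids(planned_pairs):
        print("PROBLEM:", problem)
```

Run it against the plan you intend to configure; a clean run prints nothing. The same VRID on two different subnets is deliberately accepted, matching the guide's wording that uniqueness is required only on the local LAN.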


Deployment Scenarios
The NIOS appliances can fit into network topologies in a variety of ways, and can provide DNS and DHCP services in a variety of ways. This section introduces some typical ways that you can deploy your NIOS appliances:

Scenario 1 Independent NIOS Appliances on page 34
Scenario 2 Basic Grid with Independent NIOS Appliances on page 35
Scenario 3 Infoblox Grid with NIOS Virtual Appliances as Grid Members on page 36
Scenario 4 Multiple Grids on page 37
Scenario 5 Primary and Secondary NIOS Appliances on page 38

Scenario 1 Independent NIOS Appliances


The simplest type of deployment is one that uses independent appliances, as shown in Figure 1.1.

Figure 1.1 Independent NIOS Appliances (figure not reproduced; it shows network clients, an independent HA pair providing DNS services, an independent appliance providing DHCP services, the Internet, and a GUI client)

In the sample deployment that is shown above, three appliances are deployed as independent appliances as follows:

An independent HA pair of Infoblox appliances that provides DNS services
An independent standalone Infoblox appliance that provides DHCP services

An Infoblox appliance can provide network services as an HA pair or as an independent appliance without being part of a grid. Independent appliances can provide DNS and DHCP services at the same time. Note: When an Infoblox appliance is used as an independent appliance, that appliance assumes the identity of the grid master in the GUI, even though it is not part of an actual grid.


Scenario 2 Basic Grid with Independent NIOS Appliances


Multiple NIOS appliances can be deployed within a grid (see Figure 1.2). A grid consists of a master and at least one member. A member can be a single NIOS appliance or an HA pair that provides DNS and DHCP services seamlessly across an entire network. The NIOS appliance also provides connectivity for external primary name servers that operate independently from a grid.

Figure 1.2 Grid and Independent Appliances (figure not reproduced; it shows network clients, a GUI client, an independent primary server, an independent DNS secondary server, the Internet, and a grid consisting of a grid master, a grid member, and an HA grid member)

A grid is controlled through a single GUI. The Infoblox GUI allows you to centrally configure and monitor any or all grid members. This approach reduces the time normally required to configure multiple network appliances and services because you can enter all of the settings, appliance data, and network services for each member using one interface, not all the individual interfaces of each member on a recurring basis. The Infoblox distributed database architecture enables all grid members to instantaneously receive changes to the grid configuration settings because there is automatic synchronization between all of the NIOS appliances via a secure link.


Scenario 3 Infoblox Grid with NIOS Virtual Appliances as Grid Members


You can install Infoblox vNIOS software on a Riverbed Steelhead appliance running RSP (Riverbed Services Platform) or on a Cisco AXP (Application eXtension Platform) service module in an ISR (Integrated Services Router), and configure it as a NIOS virtual appliance. You can configure the NIOS virtual appliance as a grid member, but not as an HA pair, a grid master, or a grid master candidate. (For a complete list of the limitations of NIOS virtual appliances, see vNIOS Appliance Limitations on page 823.)

Figure 1.3 illustrates NIOS virtual appliances in a grid. In the illustration, the grid master and the grid master candidate are Infoblox HA pairs in the data center. The Cisco vNIOS virtual appliance is a grid member in one branch office, the Riverbed vNIOS virtual appliance is a grid member in another branch office, and the other grid members are Infoblox appliances.

Figure 1.3 Infoblox Grid with NIOS Virtual Appliances (figure not reproduced; it shows a data center with the grid master and grid master candidate, a Cisco vNIOS virtual appliance in Branch Office - East, a Riverbed vNIOS virtual appliance in Branch Office - South, and further grid members in Branch Office - North and Branch Office - West)


Scenario 4 Multiple Grids


The NIOS appliance is designed to manage independently-controlled grids, each from a unique location (see Figure 1.4). For example, a global network could be managed by four independent grids. The NIOS appliance is designed for scalable implementations to ease your network management needs. Each grid is centrally managed, which significantly reduces costs associated with DNS and DHCP management tasks.

Figure 1.4 Multiple Grids (figure not reproduced; it shows a European grid, an Americas grid, an Asia/PAC grid, an Australian grid, and their GUI clients)


Scenario 5 Primary and Secondary NIOS Appliances


NIOS appliances can also be deployed with other network servers. For example, Figure 1.5 shows how a NIOS appliance can operate as the primary DNS server along with two secondary name servers (a local secondary name server and a NIOS appliance external secondary server) without the NIOS appliances being part of a grid. The primary DNS server is deployed inside the corporate internal firewall. In this case, the primary DNS server is an HA pair of Infoblox appliances, which provides redundancy in the event of hardware failure. The NIOS appliance external secondary name server is deployed outside of the company's internal firewall. In this case, the NIOS appliance external secondary name server is a single NIOS appliance, but it could have been an HA pair.

Figure 1.5 Primary and Secondary Servers (figure not reproduced; it shows network clients, a GUI client, an independent HA pair as the primary server, a DNS server as the local secondary server, the Internet, and an independent appliance as the external secondary server)

Because the external secondary name server is outside of the corporate network, it provides an offsite source of name resolution for the corporate customers and partners should the corporate connection to the Internet fail. Moreover, even when the corporate link to the Internet is up, the external secondary server receives most of the queries for data in the corporate external zones. This type of deployment results in the following benefits:

The use of the corporate Internet connection for name resolution traffic is minimized.
Name resolution by Internet name servers is faster.

NIOS appliances can also operate as forwarders or caching-only servers, either as a single node or as part of an HA pair. A forwarder is responsible for handling queries from the internal name servers for Internet domain names (queries that they cannot process themselves because they lack Internet connectivity). Just as the primary DNS server is located inside the corporate internal firewall, the forwarder is also located inside the firewall. Consequently, you must configure firewall rules that allow the forwarder to perform the following tasks:

Send queries to the Internet name servers
Receive responses from those Internet name servers
Block unsolicited DNS messages from the Internet name servers


Chapter 2 Infoblox GUI


This chapter introduces the two versions of the Infoblox GUI (Graphical User Interface) and the Infoblox web interface for network and IP address management:

Infoblox Grid Manager GUI for NIOS appliances running a software package, such as DNSone or the NSQ (Network Services for Lucent VitalQIP) package, with the Grid upgrade
Infoblox Device Manager GUI for NIOS appliances running a software package without the Grid upgrade
IP Address Manager, which provides access to your NIOS appliance for network and IP address management

The chapter lists the requirements for the management system you use to access a NIOS appliance, explains how to access the NIOS appliance, describes the components of the Infoblox Grid Manager GUI, and introduces the IP Address Manager GUI. Topics in this chapter include:

Management System Requirements on page 41
Accessing the Infoblox GUI on page 41
Connecting to a NIOS Appliance with JWS (Java Web Start) on page 42
About The Grid Manager on page 46
Installing the Grid Manager on page 46
Connecting to a NIOS Appliance Using the Grid Manager on page 47
Setting Login Options on page 48
SSL (Secure Sockets Layer) Protocol on page 50
Managing Certificates on page 51
Understanding the GUI Components on page 53
Main Interface Components on page 53
Customizing a Perspective Layout on page 56
Creating a Login Banner on a NIOS Appliance on page 57
Customizing Columns on page 57
Home Perspective on page 58
Using Global Search on page 60
Printing from the GUI on page 61
Accessing IP Address Manager on page 62
Logging in to IP Address Manager on page 62


Multilingual Support on page 62
UTF-8 Supported Fields on page 63
UTF-8 Support Limitations on page 64
Exporting Data on page 64
Exporting Data from Panels on page 64
Exporting Data to a CSV File on page 66


Management System Requirements


The management system is the computer from which you configure and manage the NIOS appliance. The management system must meet the following requirements to operate a NIOS appliance.

Figure 2.1 Software and Hardware Requirements for the Management System

Management System Software Requirements

GUI access:
Internet Explorer 6.0 or higher on Microsoft Windows XP and Internet Explorer 7.0 on Windows Vista, or Mozilla 1.7 or higher on Linux Fedora Core 5 or higher and Red Hat
Sun Java Runtime Environment (JRE) version 1.5.0_14 or version 1.6
JWS application, which is automatically installed with JRE 1.5.0_14 or higher

CLI access:
Secure Socket Shell (SSH) client that supports SSHv2
Terminal emulation program, such as minicom or Hilgraeve Hyperterminal for Microsoft Windows

Management System Hardware Requirements

Minimum System: 500 MHz CPU with 256 MB RAM available to the product GUI, and 56 Kbps connectivity to the NIOS appliance
Recommended System: 1 GHz (or higher) CPU with 512 MB RAM available for the product GUI, and network connectivity to the NIOS appliance
Monitor Resolution: 1024 x 768 (minimum) to 1600 x 1200 (maximum)

Note: If the browser used to manage the NIOS appliance has a pop-up blocker enabled, you must turn off the pop-up blocker for the IP address used to manage the NIOS appliance.

Accessing the Infoblox GUI


Before you access the Infoblox GUI, connect your NIOS appliance to the network as described in the installation guide, user guide, or quick start guide that shipped with your product. Refer to Hardware Information on page 811 for more information on cabling and powering up the NIOS appliance.

Note: Before proceeding, make sure that your computer meets the current requirements for the GUI client as described in Management System Requirements.

You can access and log in to a NIOS appliance using JWS (Java Web Start). You can use any computer on your network that runs the following applications:

JRE (Java Runtime Environment) version 1.5.0_14 or version 1.6
JWS application, which is automatically installed with the corresponding version of the JRE
Standard browser that associates JNLP (Java Network Launching Protocol) file types with the JWS application

Alternatively, you can install the Grid Manager on management systems running one of the supported Microsoft Windows operating systems, as described in About The Grid Manager on page 46.


Connecting to a NIOS Appliance with JWS (Java Web Start)


To make an initial management connection to the NIOS appliance using JWS:

1. Start your browser, and enter https://ip_addr, where ip_addr is the IP address of the NIOS appliance that you entered through the LCD or serial port, or the default IP address 192.168.1.2. See Using the LCD Panel on page 813 and Using the Serial Console on page 813.

The NIOS appliance sends its server certificate to the browser to authenticate itself during the SSL (Secure Socket Layer) handshake. Because the default certificate is self-signed, your browser does not have a trusted CA (certificate authority) certificate or a cached NIOS appliance server certificate (saved from an earlier connection) to authenticate the NIOS appliance certificate. Also, the host name in the default certificate is www.infoblox.com, which is unlikely to match the host name of your NIOS appliance. Consequently, messages appear warning that the certificate is not from a trusted certifying authority and that the host name on the certificate is either invalid or does not match the name of the site that sent the certificate.

Note: To eliminate certificate warnings, you can replace the default self-signed certificate with a different certificate that has the host name of your NIOS appliance. You can either generate another self-signed certificate with the right host name and save it to the CA certificate store of your browser (and, later in the procedure, to the certificate stores for JWS and the downloaded GUI application), or request a CA-signed certificate with the right host name and load it on the NIOS appliance. For information, see Managing Certificates on page 51.

2. Either accept the certificate just for this session or save it to the certificate store of your browser.

3. On the NIOS appliance home page, click Launch Grid Manager or Launch Device Manager. The browser and JWS perform the following operations:

a. The browser requests the JNLP (Java Network Launching Protocol) file from the NIOS appliance and sends the file it receives to JWS (Java Web Start). Because this is the initial connection attempt, JWS does not yet have this file cached. In subsequent connection attempts, comparing the newly downloaded JNLP file with the cached file can indicate whether JWS needs to update any items that the file specifies.

b. JWS checks for the JNLP file in its cache and, if it finds it, compares it with the recently received JNLP file.

c. If JWS discovers there is no cached JNLP file or that the new JNLP file differs from the earlier file, JWS builds an SSL tunnel to the sources specified in the JNLP file. For this initial connection, JWS must make an SSL connection to the NIOS appliance to download the GUI application. JWS displays a security warning prompting you to accept or reject the NIOS appliance certificate the NIOS appliance sends to authenticate itself. If the default certificate is in use, warning messages appear stating the certificate is not from a trusted certifying authority, and that the host name on the certificate is either invalid or does not match the name of the site. This is the same certificate that the NIOS appliance uses to authenticate itself during all SSL handshakes.

4. Either accept the NIOS appliance server certificate just for this SSL session, or save it permanently to the JWS server certificate store. After the SSL tunnel is established, the NIOS appliance begins to download the GUI application, which is signed with a different certificate than the server certificate the NIOS appliance uses to authenticate itself during SSL handshakes. The certificate authenticating the GUI application is signed by Verisign. When received by JWS, it displays a security warning prompting you to accept or reject the signed application.

5. Do one of the following:
Click Yes to accept the authenticity of the Infoblox GUI application for this download.
Click Always to accept the authenticity of the Infoblox GUI application for this and future downloads by saving the certificate to the JWS application certificate store.

Note: To manage server certificates in JWS, open the Java Application Cache Viewer, and then click Edit -> Preferences -> Security -> Certificates.

Infoblox Administrator Guide (Rev. A)

NIOS 4.3r4

JWS downloads the Infoblox GUI application and any other items it needs or, for subsequent connections, just the items it needs to update. For this initial connection, JWS downloads the GUI application. It might also download a different version of the JRE. The NIOS appliance supports JRE 1.5.0_14 or JRE 1.6.
6. After the Infoblox GUI application download is complete, begin the login process by choosing the host name of the NIOS appliance from the Hostname drop-down list.
7. Enter the user name and password. The default user name is admin, and the default password is infoblox.
   Note: The user name and password are case-sensitive. Infoblox recommends changing them after you log in. For more details, refer to Authenticating Administrators on page 107.
   To reuse the same user name, select Options -> Save User Name. The NIOS appliance saves the user name and it appears automatically the next time you invoke the GUI.
   The GUI application initiates an SSL connection to the NIOS appliance. The NIOS appliance sends its server certificate to authenticate itself to the application. If the default certificate is in use, warning messages appear stating that the certificate is not from a trusted certifying authority and that the host name on the certificate is either invalid or does not match the name of the site.
8. Accept the certificate for this session, or save it permanently to the server certificate store of the GUI application.
   Note: To manage CA (Certificate Authority) and server certificates in the Infoblox GUI application, open the GUI application login prompt, and select Options -> Manage Certificates.
   The SSL tunnel completes, and the login process continues. If the login is successful, the connection between the Infoblox GUI application and the NIOS appliance is complete. If the login is not successful, an error message appears and the login prompt returns. When the session ends, the Infoblox GUI application remains in the Java sandbox. You can launch it from this location the next time you want to connect to the NIOS appliance.


Figure 2.2 Java Web Start Initial Access

Legend: CA (Certificate Authority) Certificates; Server Certificates; Java Application Certificates; Infoblox Server Certificate (authenticates the appliance when establishing an SSL tunnel); Application Certificate (authenticates the GUI application during download). The figure shows the management client (browser, Java sandbox, Infoblox GUI application) and the NIOS appliance, with a certificate store for each client component.

1. The browser and the appliance form an SSL tunnel. The browser either accepts the appliance certificate automatically or the administrator accepts it manually. Then the browser downloads the JNLP (Java Network Launching Protocol) file and passes it to the Java application. (Certificate authenticating the appliance to the management system browser.)
2. The JNLP file instructs Java to check if it has the latest GUI application and downloads it if necessary. Java and the appliance form a new SSL tunnel between themselves. If Java automatically accepts the two certificates (one authenticating the appliance and the other authenticating the GUI application) or if the administrator accepts them manually, the GUI application download proceeds. (Certificates authenticating the appliance and the downloaded GUI application to the Java application.)
3. The Infoblox GUI application and the appliance form a third SSL tunnel. If the GUI application accepts the appliance certificate automatically or the administrator accepts it manually, the administrator can complete the login and begin sending commands to the appliance. (Certificate authenticating the appliance to the GUI application.)

After you make the initial connection, you can start the Infoblox GUI application with one of these methods:
- Browser: This is identical to the initial connection. Start your browser, and enter https://domain_name or https://ip_addr to reach the NIOS appliance.
- Infoblox GUI Application Shortcut: If you created a shortcut (when prompted by JWS), double-click the shortcut icon on your desktop. JWS checks the JNLP file and the NIOS appliance resource files (.jar files containing components of the Infoblox GUI application) for updates. JWS downloads any updated items it finds, and then the GUI application login prompt appears.
- Java Application Cache Viewer: Open the Java Application Cache Viewer, and click the Infoblox GUI application that you want to use. Then click either Launch Online or Launch Offline. When you select Launch Online, JWS checks the JNLP file and the NIOS appliance resource files for updates before the GUI application connects to the NIOS appliance. When you select Launch Offline, JWS does not check for updates before the Infoblox GUI application connects to the NIOS appliance.

Running a Single GUI Application


JWS can use the same Infoblox GUI application for different NIOS appliances as long as each NIOS appliance is running the same version of software. However, each time you use the browser to initiate a connection to a different NIOS appliance, JWS downloads the GUI application to the Java sandbox, even if you have already downloaded the same version of the application when connecting to another NIOS appliance. If you manage a number of independent NIOS appliances, this can result in many unnecessary downloads. To use the same GUI application for multiple NIOS appliances running the same software version, do not begin the connection process from the browser. Instead, do the following:
1. Use the GUI application shortcut or open the Java Application Cache Viewer.
2. Click the GUI application that you want to use, and then click Launch Online (to check for updates) or Launch Offline (to bypass update checks).

Figure 2.3 Java Application Cache Viewer (callout: GUI Application for the NIOS appliance)

3. When the login prompt appears, either select an existing host name from the Hostname drop-down list, or type a new host name in the Hostname field. Then enter the correct user name and password, and click Login.

Clearing Cache on a Linux Computer


The following error message usually indicates that you must clear the Java Web Start cache on your Linux computer:

"Server software version xx-xx-xx is not compatible with this GUI application. Obtain a compatible GUI version by pointing a browser at https://xx.xx.xx."

Enter the following commands in a Linux terminal window to clear the cache (the JWS cache lives in the .java directory under your home directory, so the path begins with ~):

cd ~/.java/deployment/cache/javaws
rm -rf https

This clears the cache. Then:
1. Open a web browser and go to the same web address (https://xx.xx.xx).
2. Click Launch ID Grid.


About The Grid Manager


You can install the Infoblox Grid Manager on a computer running any of the following Microsoft Windows operating systems:
- Microsoft Windows XP with Service Pack 2
- Microsoft Windows Vista with Service Pack 1

The Grid Manager installs the NIOS appliance JRE files and GUI application files in a container within a Java sandbox on your computer. After the installation, the files remain in the sandbox and the Grid Manager always launches from this location. The files in the sandbox are used only by the Grid Manager and do not affect any other Java application on your system. Thus, your system can have a different version of the JRE for other applications. The Grid Manager installs a complete, self-contained application package that can handle multiple versions of NIOS. It automatically caches the GUI version it uses to connect to a NIOS appliance. When you attempt to connect to a NIOS appliance that is running a different GUI version, the Grid Manager automatically detects the difference and downloads the other GUI version, after your confirmation. This allows you to easily connect to NIOS appliances running different versions of the NIOS software. You can configure the number of cached versions on your local computer as explained in Managing Cache Settings on page 49.

Installing the Grid Manager


Note the following guidelines when installing the Grid Manager:
- On a computer running Microsoft Windows XP: If the computer is in a domain, all users except restricted users can install the Grid Manager. If the computer is not in a domain, only Administrators can install the Grid Manager.
- On a computer running Microsoft Windows Vista: Users with administrator rights can install the Grid Manager. Other users are prompted for the administrator password when they try to install the Grid Manager.

These restrictions pertain to the Grid Manager installation only. After it is installed, any user can access the Grid Manager.
To install the Grid Manager:
1. Download the Grid Manager setup.exe file from the Infoblox Support web site.
2. Double-click the .exe file to launch the Grid Manager Wizard.
3. In the Welcome splash screen, click Next.
4. Accept the License Agreement, and click Next.
5. Verify and/or change the information in the Customer Information screen, and click Next.
6. Verify and/or change the local installation folder (C:\Program Files\Infoblox) on your computer, and click Next.
7. Verify the installation settings, and click Install. The Wizard installs the new files in the destination folder.
8. At the end of the installation procedure, click Finish. A Launch Infoblox Grid Manager icon appears on the desktop, and Infoblox Grid Manager appears in the Start menu of your computer.


Changing the File Location


In some cases, because of limited permissions or other restrictions, you cannot write to a system file. In this case, before you launch the Grid Manager, you can set an environment variable to point to a directory for which you have write permission.
1. Right-click My Computer on the desktop.
2. Select Properties -> Advanced tab -> Environment Variables.
3. In the User Environment Variables dialog box, click New.
4. In the New User Variables dialog box, do the following and then click OK:
   - Type INFOBLOX_UI_CACHE_DIR in the Variable Name field.
   - Type the name of a directory for which you have write permission in the Variable Value field.
5. Click OK to close the User Environment Variables dialog box.

Connecting to a NIOS Appliance Using the Grid Manager


1. To launch the Infoblox Grid Manager, double-click the Launch Infoblox Grid Manager icon on your desktop or click Start > All Programs > Infoblox, Inc. > Infoblox Grid Manager > Launch Infoblox Grid Manager.
   If you are launching the Grid Manager for the first time, it detects that there are no installed versions in the cache and does the following:
   - Copies the JAR files from the local installation folder to the following location on your management system:
     C:\Documents and Settings\user\Application Data\Infoblox\Install\NIOS_version
   - Unpacks the JAR files to the following directory:
     C:\Documents and Settings\user\Application Data\Infoblox\deploy\NIOS version
     Note that you can change the directory as described in Changing the File Location.
   - Creates a log file for the GUI deployment called ibdeploy.log.
   - Launches the login dialog box.
2. Enter the IP address of the NIOS appliance or grid master to which you are connecting. Infoblox Grid Manager looks for the correct software version in the cache on the computer:
   - If this is the first time you are connecting to that NIOS appliance, it does not find the files in the cache, displays a message indicating that the appropriate version of the software is not found in the cache, and offers to download the new version. If you click OK, Grid Manager downloads the files to a folder in C:\Documents and Settings\user\Application Data\Infoblox\Install\NIOS version. After the download is complete, the Infoblox Grid Manager login screen appears.
   - When you launch Grid Manager to connect to the same NIOS appliance again, it detects the server software information in the current cache and launches using this cached version; if there is a more recent version, it picks up the more recent version and stores it in the cache.
3. Enter your user name and password. The default user name is admin, and the default password is infoblox.
   Note: The user name and password are case-sensitive.
   To reuse the same user name, select Options -> Save User Name. The NIOS appliance saves the user name and it appears automatically the next time you invoke the GUI.
   The GUI application initiates an SSL connection to the NIOS appliance. The NIOS appliance sends its server certificate to authenticate itself to the application. If the default certificate is in use, warning messages appear stating that the certificate is not from a trusted certifying authority and that the host name on the certificate is either invalid or does not match the name of the site.


4. Accept the certificate for this session, or save it permanently to the server certificate store of the GUI application.
   Note: To manage CA (Certificate Authority) and server certificates in the Infoblox GUI application, open the GUI application login prompt, and select Options -> Manage Certificates.
   The SSL tunnel completes, and the login process continues. If the login is successful, the connection between the Infoblox GUI application and the NIOS appliance is complete. If the login is not successful, an error message appears and the login prompt returns. When the session ends, the Infoblox GUI application remains in the Java sandbox. It launches from this location the next time you want to connect to the NIOS appliance.

Setting Login Options


The NIOS Login dialog box provides several options that you can set to facilitate the login process.

Specify the Host Name


You can define the default host name that appears when the login prompt displays. Select Options -> Hostname, and then select one of the following:
- Initial: Retains the host name that you entered when you first installed the NIOS appliance.
- Last used: Retains the host name that you entered at your most recent login and shows it for subsequent logins.
- Blank: Leaves the host name blank whenever you log in.

Save User Name


You can save your user name so that you do not have to type it each time you log in. Select Options -> Save User Name.

Manage Certificates
You can manage the CA (Certificate Authority) and server certificates that the GUI application uses when it connects to the NIOS appliance. You can import certificates, select and view their details, or remove them.
1. Select Options -> Manage Certificates. The NIOS GUI Certificates dialog appears.
2. Select the Server Certificates or the CA Certificates tab and click Import.
3. Navigate to where the certificate is located and click Open. This manually imports the certificate into the client's data store.
You can also delete a certificate (select it and click Remove) and view detailed information about it (select it and click Details).


Managing Cache Settings


By default, Grid Manager caches 10 NIOS versions on your computer. You can change this default at any time in the Login dialog box. Each cache file uses approximately 15 MB of disk space. Consider this when setting the number of cache files for retention. When the number of cache files reaches the predefined maximum, Grid Manager deletes the oldest one and then adds the new version to the cache.
To edit the cache settings:
1. Select Options -> Cache Settings.
2. In the Cache Settings dialog box, enter the number of GUI versions to cache. You can enter a number between 2 and 32.
Note that when you use a Linux computer to first connect to a NIOS appliance, JWS automatically downloads the GUI application to your computer. Though this initial version is retained in the cache, the Grid Manager does not include it in the total number of cached versions. It includes only the versions that it downloads itself. Therefore, when your computer connects to a NIOS appliance that is running a different version and the Grid Manager downloads it to your computer, it includes this version in the total number of cached versions.


SSL (Secure Sockets Layer) Protocol


When you log in to the NIOS appliance, your computer makes an HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer protocol) connection to the NIOS appliance. HTTPS is the secure version of HTTP, the client-server protocol used to send and receive communications throughout the Web. HTTPS uses SSL (Secure Sockets Layer) to secure the connection between a client and server. SSL provides server authentication and encryption. The NIOS appliance supports SSL versions 2 and 3.

When a client first connects to a server, it starts a series of message exchanges, called the SSL handshake. During this exchange, the server authenticates itself to the client by sending its server certificate. A certificate is an electronic form that verifies the identity and public key of the subject of the certificate. (In SSL, the subject of the certificate is the server.) Certificates are typically issued and digitally signed by a trusted third party, the Certificate Authority (CA). A certificate contains the following information: the dates it is valid, the issuing CA, the server name, and the public key of the server.

A server generates two distinct but related keys: a public key and a private key. During the SSL handshake, the server sends its public key to the client. Once the client validates the certificate, it encrypts a random value with the public key and sends it to the server. The server decrypts the random value with its private key. The server and the client use the random value to generate the master secret, which they in turn use to generate symmetric keys. The client and server end the handshake when they exchange messages indicating that they are using the symmetric keys to encrypt further communications.

Figure 2.4 SSL Handshake

Legend in the figure: Plain Text, Cipher Text, Public Key, Private Key.

1. The client contacts the NIOS appliance and recommends certain parameters, such as SSL version, cipher settings, and session-specific data.
2. The appliance either agrees or recommends other parameters. It also sends its certificate, which contains its public key.
3. The client encrypts a random number with the public key and sends it to the appliance. The appliance uses its private key to decrypt the message.
4. The client and the appliance generate the master secret, and then the symmetric keys. The client and the appliance agree to encrypt all messages with the symmetric keys.
5. The client and the appliance send all their messages through the SSL tunnel, which uses the cipher settings and encryption to secure their connection.


Managing Certificates
The NIOS appliance generates a self-signed certificate when it first starts. A self-signed certificate is signed by the subject of the certificate, and not by a CA (Certificate Authority). This is the default certificate. When your computer first connects to the NIOS appliance, it sends this certificate to authenticate itself to your browser. Because the default certificate is self-signed, your browser does not have a trusted CA certificate or a cached NIOS appliance server certificate (saved from an earlier connection) to authenticate the NIOS appliance certificate. Also, the host name in the default certificate is www.infoblox.com, which is unlikely to match the host name of your NIOS appliance. Consequently, messages appear warning that the certificate is not from a trusted certifying authority and that the host name on the certificate is either invalid or does not match the name of the site that sent the certificate. Either accept the certificate just for this session or save it to the certificate store of your browser.

To eliminate certificate warnings, you can replace the default self-signed certificate with a different certificate that has the host name of your NIOS appliance. The NIOS appliance supports X.509 certificates in .PEM format. After initial login, you can do one of the following:
- Generate another self-signed certificate with the correct host name and save it to the certificate store of your browser. To generate a self-signed certificate, see Generating a Self-Signed Certificate on page 51.
- Request a CA-signed certificate with the correct host name and load it on the NIOS appliance. Use a certificate from a CA by generating a certificate signing request as described in Generating a Certificate Signing Request on page 52. When you receive the certificate from the CA, import it as described in Importing a Certificate on page 52.

Additionally, before you log in to the NIOS appliance, you can manage the certificates on the client machine. For information, see Manage Certificates on page 48.
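The checks that the browser, JWS and the GUI application apply to the appliance certificate at the start of the SSL handshake described above (trusted issuer, host name, validity dates, or a server certificate previously saved to the client's store), as an added Python example that is not Infoblox code; the certificates, the CA name and the fingerprints are constructed, and the appliance host name nios1.example.com is an assumption.

```python
"""Model of the client-side certificate checks that produce the two warnings
the guide describes for the default NIOS certificate. Added example, not
Infoblox code. Certificates are constructed dicts in the layout returned by
ssl.SSLSocket.getpeercert(); host names, CA name and fingerprints are made up."""
import ssl

UNTRUSTED = "certificate is not from a trusted certifying authority"
MISMATCH = "host name on the certificate does not match the name of the site"
NOT_VALID = "certificate is outside its validity period"


def _cert(cn, issuer=None, sans=(), fingerprint="constructed-fp"):
    """Build a constructed certificate dict in getpeercert() layout.
    getpeercert() carries no fingerprint; one is added so the client's
    'save it permanently' server certificate store can be modelled as a lookup."""
    subject = ((("commonName", cn),),)
    return {
        "subject": subject,
        "issuer": subject if issuer is None else issuer,  # self-signed if no issuer
        "subjectAltName": tuple(("DNS", name) for name in sans),
        "notBefore": "Apr 22 00:00:00 2009 GMT",
        "notAfter": "Apr 22 00:00:00 2019 GMT",
        "sha256_fingerprint": fingerprint,
    }


# Constructed samples. The default certificate names www.infoblox.com and is
# signed by itself: exactly the two conditions that trigger the warnings.
EXAMPLE_CA = ((("organizationName", "Example Corp"),),
              (("commonName", "Example Corp Root CA"),))
DEFAULT_CERT = _cert("www.infoblox.com", fingerprint="fp-default")
FIXED_SELF_SIGNED = _cert("nios1.example.com", fingerprint="fp-fixed")
CA_SIGNED = _cert("nios1.example.com", issuer=EXAMPLE_CA,
                  sans=("nios1.example.com", "nios1"), fingerprint="fp-ca")
TRUSTED_CAS = {EXAMPLE_CA}  # subject DNs present in the client's CA store
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2012 GMT")  # fixed clock


def _dn_to_dict(dn):
    """Flatten a getpeercert() distinguished name into {attribute: value}."""
    return {attr: value for rdn in dn for (attr, value) in rdn}


def hostname_matches(cert, hostname):
    """True if hostname matches a dNSName SAN (preferred) or, failing any SAN,
    the subject CN. A wildcard is honoured only as the whole leftmost label."""
    host_labels = hostname.lower().rstrip(".").split(".")
    names = [v.lower() for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = _dn_to_dict(cert["subject"]).get("commonName")
        names = [cn.lower()] if cn else []
    for name in names:
        labels = name.split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def check_server_certificate(cert, hostname, trusted_ca_subjects, pinned, now):
    """Return the warnings a client raises for this certificate; an empty list
    means the handshake proceeds silently. 'pinned' holds fingerprints of
    server certificates the user chose to save permanently."""
    if cert["sha256_fingerprint"] in pinned:
        return []  # previously accepted and stored: no prompt on later connections
    warnings = []
    if cert["issuer"] not in trusted_ca_subjects:
        warnings.append(UNTRUSTED)
    if not hostname_matches(cert, hostname):
        warnings.append(MISMATCH)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        warnings.append(NOT_VALID)
    return warnings


def demo():
    """The situations the guide describes, connecting to nios1.example.com."""
    host = "nios1.example.com"
    return {
        "default cert, first connection":
            check_server_certificate(DEFAULT_CERT, host, TRUSTED_CAS, set(), NOW),
        "default cert, saved permanently":
            check_server_certificate(DEFAULT_CERT, host, TRUSTED_CAS,
                                     {DEFAULT_CERT["sha256_fingerprint"]}, NOW),
        "self-signed with correct host name":
            check_server_certificate(FIXED_SELF_SIGNED, host, TRUSTED_CAS, set(), NOW),
        "CA-signed with correct host name":
            check_server_certificate(CA_SIGNED, host, TRUSTED_CAS, set(), NOW),
    }


if __name__ == "__main__":
    for case, warnings in demo().items():
        print(f"{case}: {warnings or 'no warnings'}")
```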

Generating a Self-Signed Certificate


You can replace the default certificate with a self-signed certificate that you generate. When you generate a self-signed certificate, you can specify the correct host name, change the public/private key size, enter valid dates, and specify additional information specific to the NIOS appliance. If you have multiple appliances, you can generate a certificate for each appliance with the appropriate host names.
To generate a self-signed certificate:
1. For a grid: From the Grid perspective, click + (for grid) -> + (for Members) -> grid_member -> Tools -> HTTPS Certificate -> Generate Self-Signed Certificate.
   or
   For an independent appliance or HA pair: From the Device perspective, click hostname -> Tools -> HTTPS Certificate -> Generate Self-Signed Certificate.
2. In the Create Self-Signed Certificate dialog box, enter the following (an asterisk (*) indicates a required field):
   - Key Size: Select either 2048 or 1024 for the length of the public key.
   - *Days Valid: Specify the validity period of the certificate.
   - *Common Name: Specify the domain name of the NIOS appliance. You can enter a fully qualified domain name (FQDN).
   - Organization: Type the name of your company.
   - Organizational Unit: Type the name of your department.
   - Locality: Type a location, such as the city or town of your company.
   - State or Province: Type the state or province.
   - Country Code: Enter the 2-letter code that identifies the country, such as US.
   - Administrator's E-mail Address: Enter the e-mail address of the appliance administrator.
   - Comment: Enter additional notes.
3. Click OK to close the Create Self-Signed Certificate dialog box.


4. Click the Save icon. The NIOS appliance logs you out, or you can log out yourself. When you log in to the appliance again, it uses the certificate you generated.

Generating a Certificate Signing Request


You can generate a certificate signing request (CSR) that you can use to obtain a signed certificate from your own trusted CA. Once you receive the signed certificate, you can import it into the NIOS appliance, as described in Importing a Certificate on page 52.
To generate a CSR:
1. For a grid: From the Grid perspective, click + (for grid) -> + (for Members) -> grid_member -> Tools -> HTTPS Certificate -> Generate Signing Request.
   or
   For an independent appliance or HA pair: From the Device perspective, click hostname -> Tools -> HTTPS Certificate -> Generate Signing Request.
2. In the Create Certificate Signing Request dialog box, enter the following (an asterisk (*) indicates a required field):
   - Key Size: Select either 2048 or 1024 for the length of the public/private key pair.
   - *Common Name: Specify the domain name of the NIOS appliance. You can enter a fully qualified domain name (FQDN).
   - Organization: Type the name of your company.
   - Organizational Unit: Type the name of your department.
   - Locality: Type a location, such as the city or town of your company.
   - State or Province: Type the state or province.
   - Country Code: Enter the 2-letter code that identifies the country, such as US.
   - Administrator's E-mail Address: Enter the e-mail address of the appliance administrator.
   - Comment: Enter additional notes.
3. Click OK to close the Create Certificate Signing Request dialog box.
4. In the Download filename dialog box, navigate to where you want to download the CSR, enter the file name, and click Save.

Importing a Certificate
You can replace the default server certificate with a signed certificate from your own trusted CA. First, generate a certificate signing request as described in Generating a Certificate Signing Request on page 52. When you import a certificate, the NIOS appliance finds the matching CSR, takes the private key associated with the CSR, and associates it with the newly imported certificate. The appliance then automatically deletes the CSR.
To import a certificate:
1. For a grid: From the Grid perspective, click + (for grid) -> + (for Members) -> grid_member -> Tools -> HTTPS Certificate -> Upload Certificate.
   or
   For an independent appliance or HA pair: From the Device perspective, click hostname -> Tools -> HTTPS Certificate -> Upload Certificate.
2. Navigate to where the certificate is located and click Open. The appliance imports the certificate and logs you out. When you log in to the appliance again, it uses the certificate you imported.


Understanding the GUI Components


You can view data and configuration settings and make configuration changes through the Infoblox GUI using one of the following two managers:
- Device Manager: When a NIOS appliance functions as an independent appliance, you launch the Device Manager to access the GUI. The name appears in the title bar of the browser window.
- Grid Manager: When the NIOS appliance is in a grid, you log in to the grid master and launch the Grid Manager. The name appears in the title bar of the browser window.

Main Interface Components


The following figure illustrates the typical layout of the Infoblox GUI. You can detach and move the GUI components and customize the GUI as necessary.

Figure 2.5 Infoblox GUI Overview

Callouts in the figure: Menu; Tool Bar; Perspective; Panels (view and select items to edit); Editor (enter and edit information); Properties Viewer (view object properties). You can detach and move panels, viewers and editors to customize the GUI layout.

Menu
Each item in the menu is a drop-down list of available options. The menu items change dynamically according to the perspective you are in. Tip: Select an item and right-click to quickly access menu options.

Tool Bar
The tool bar contains a Save icon, which you click to save your configuration changes, and a Restart Services icon, which you click to restart services on an appliance or a grid.


Perspectives
A perspective is a container for tools used to manage the grid or appliance and its services. The Infoblox GUI application provides a set of perspectives, each focusing on a specific functional area. The GUI displays a perspective when you click the appropriate icon on the tool bar:
Perspective icons on the tool bar: Home; Grid or Device; DNS; DHCP and IPAM; Authentication, Authorization, and Accounting (AAA); File Distribution; Administrators; Global Search.

- Home: This perspective contains sections that display the overall grid service status and deleted objects in the recycle bin. It also contains sections with buttons and links that allow you to quickly access panels and editors for managing data in the DNS, AAA, Administrators, DHCP/IPAM, and File Distribution perspectives. For more information, see Home Perspective on page 58.
- Device: In this perspective, you configure an independent appliance and set its operational parameters.
- Grid: In this perspective, you configure a grid and set operational parameters. A Grid license is required for this feature.
- DNS: In this perspective, you enable and configure DNS services on the appliance or the grid.
- DHCP and IPAM: In this perspective, you enable and configure DHCP service and IP Address Management features.
- Administrators: In this perspective, you configure administrators.
- File Distribution: In this perspective, you enable and configure HTTP and TFTP (Trivial File Transfer Protocol) services.
- AAA: In this perspective, you configure RADIUS services to authenticate and authorize users, as well as manage user accounts, policies, and policy groups.
- Global Search: In this perspective, you search the entire database for a specific text string. All database objects matching the text string are displayed in this perspective. For information about this perspective, see Using Global Search on page 60.
- VitalQIP: This is not a standard part of the Infoblox GUI. In this perspective, you can configure the appliance to function as a VitalQIP remote server. A VitalQIP license is required for this feature.
  Note: The VitalQIP icon is displayed only when the NSQ software module and required licensing are installed.


Panel
Panels list objects that you can select and edit. You can expand or collapse lists by selecting the + or - sign beside an object. Panels can be opened and closed from the View menu on the top menu bar.

Shortcuts
- Double-click the tab of a panel to fully expand it; double-click the tab again to reset the panel.
- Select an object and right-click to display options.
- Double-click an item to edit it (open its editor).
- Ctrl+click to select multiple items.

Editor
You can enter information and configure objects in an editor. You can open multiple editors at one time. After you enter information in an editor, you must click the Save icon to save your changes.

Properties Viewer
Viewers display information about a selected object. You cannot edit or select objects in a viewer. However, you can expand, collapse, detach and move viewers to different locations.

Online Help
The Infoblox appliance ships with online help that you can access from anywhere in the GUI. The Help menu provides access to the following:
- About Infoblox Grid Manager: View information about the NIOS software version running on the appliance.
- Download Admin Guide: Download the Infoblox Administrator Guide.
- API Documentation: Display the API documentation.
- Training: Display information about Infoblox training workshops.
- Help Contents: Display the main Help system.
- Dynamic Help: Access Help for the active panel, editor, or viewer. A window is active when its title bar is highlighted.

In addition, to access Help for a dialog box, click the question mark (?) icon in the bottom left corner of the dialog box.


Customizing a Perspective Layout


You can customize the layout of a perspective, except for the Home perspective, by detaching and rearranging panels and views. In this way, you can structure your workspace for optimum efficiency. To customize a perspective layout:
1. Right-click the tab of the panel or view, and select Detached from the context menu.
2. Left-click and drag it to the desired location.
3. Resize and tile multiple detached panels or views to create a custom layout.


Creating a Login Banner on a NIOS Appliance


To create a statement that appears at the top of the Login screen (a banner message), follow the procedure in this section. This function is useful for posting security warnings or user-friendly information well above the user name and password fields on the Login screen. A login banner message can be up to 3000 characters long. In a grid, perform this task on the grid master.
To create a login banner:
1. From the Grid perspective, click grid -> Edit -> Grid Properties.
   or
   From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid (or Device) editor, click Security.
3. Select Enable Login Banner and enter the text you want displayed in the Banner Text field.
4. Click the Save icon.

Customizing Columns
The NIOS appliance supports the ability to customize columns displayed in any perspective or panel within the GUI. (An exception to this is the Properties view panel; the NIOS appliance does not support customizing columns within the Properties view panel.) You can move columns around and display or hide certain columns from view. For example, you might want to view only columns related to IP addresses without displaying location or appliance information in the DHCP Lease History panel.

Resetting a perspective does not override column settings. The appliance retains changes to the columns even after you reset a perspective.

Column settings are applied to all administrators and users accessing the appliance. If you customize the columns, your column settings appear to all other users when they log in to the appliance.

You can customize columns in any of the following ways:
- Hide columns so that they are not shown in the display
- Show columns so that they are displayed and not hidden
- Select the order in which the columns are displayed within a panel
- Change the size of the columns. Each column can have a maximum pixel size of 999

Note: You can select extensible attributes to be displayed in any position, except for the first column position.

Customizing Columns within the GUI


To customize columns:
1. From any perspective or panel, click Edit -> Edit Columns.
2. When the Edit Column dialog box appears, you can set the following options:
   - Size: Specify the column width, in pixels. You can specify any number from 1 through 999.
   - Auto Fit: Resize the column width to accommodate the largest string in the column. Select the Auto Fit check box to enable this option. Keep in mind that enabling this option resizes for the current values within the column. This option does not resize for future values.
   - Restore Default: Click Restore Default to restore the default column display.
   To hide and display columns, and change their order:
   - Display column: Select the check box of each attribute or column you want to display. Click the Select All button to automatically select all columns available within the list.
   - Hide column: Deselect the check box of each attribute or column you want to hide. Click the Deselect All button to automatically deselect all columns within the list, hiding all items.


   - Ordering columns: Select a column from the list and click Up to move that column to the left in the display. Click Down to move that column to the right in the display.
3. Click OK.

You can also change the order of the columns in a panel by dragging and dropping a column. The leftmost column within the tree panel has some special restrictions. You cannot move the leftmost column. However, you can move the column next to the leftmost column over as the first column. Take note that when you do this, the icons you use to expand and collapse items remain in the same location in the panel (the left side of the panel).

To edit columns using the drag-and-drop method:
1. From any perspective or panel, select any column heading title.
2. Drag and then drop the column to move the column around.

Home Perspective
The Home perspective is the default perspective when you launch the Infoblox GUI for the first time. For subsequent logins, the GUI displays the perspective that you last accessed. You can go back to the Home perspective by clicking its icon. The Home perspective contains sections with buttons and links that allow you to quickly access panels and editors for viewing and managing data. You can collapse or expand each section by clicking the down arrow key next to the section title. You can refresh the Home perspective to obtain updated information about the grid or device services and the recycle bin by pressing F5 or clicking View -> Refresh.

Note: The Home perspective only displays links to functions for which you have valid licenses. For information about licenses, see Managing Licenses on page 165.

The Home perspective contains the following sections:
- Grid Status or Device Status: Displays all the relevant grid or device services and their current status. Click Manage grid services to access the Grid perspective or click Manage device services to access the Device perspective. For information, see Service Status on page 180.
- Recycle Bin: Displays the first eight deleted objects that are currently in the recycle bin. Click See complete list for a complete list of deleted objects in the recycle bin. For information, see Using the Recycle Bin on page 168.
- Manage DNS
  - DNS Views and Zones: Manage your DNS views and zones. For information, see Configuring a DNS View on page 365.
  - DNS Members: Manage the DNS properties of each member. For information, see Managing DNS Data on page 357.
- Manage AAA
  Note: This section is for managing RADIUS services. You must have appropriate licenses to configure RADIUS services.
  - User Store: Add and manage users and user authentication for the local database. For information, see Managing the Local User Database on page 650.
  - Certificates: Manage the EAP certificates on the appliance. For information, see Managing Certificates on page 684.
  - External Devices: Configure the appliance to authenticate users against an AD (Active Directory) or LDAP (Lightweight Directory Access Protocol) server. You can also configure the appliance to communicate with RADIUS authentication home servers when the correct license is installed. For information, see About Authentication on page 650.


- Manage Administrators
  - Groups: Create and manage admin groups. For information, see About Admin Groups on page 73.
  - Local Admins: View a list of the local admin accounts and manage their properties. For information, see Creating Local Admins on page 107.
  - Remote Admins: Configure authentication for remote admins. For information, see About Remote Admins on page 108.
- Manage DHCP/IPAM
  - DHCP Networks: Create and manage networks and network views. For information, see About Network Views on page 495.
  - DHCP Members: Configure grid members to serve DHCP. For information, see Configuring DHCP Properties on page 526.
  - DHCP Failover: Configure DHCP failover associations. For information, see Configuring DHCP Failover on page 553.
  - DHCP Option Spaces: Configure a variety of predefined DHCP option spaces and custom DHCP options. For information, see Configuring Advanced DHCP Options on page 536.
- Manage File Distribution
  - Directories: Create a directory structure for TFTP, FTP, and HTTP file management. For information, see Managing Files on page 668.
  - File Distribution Members: Configure grid members for file distribution access using TFTP, HTTP, and FTP. For information, see File Distribution on page 664.
- Scheduled Tasks: Displays the scheduled time, object type, and action of up to eight pending scheduled tasks with the earliest scheduled dates and times. Click See Complete List to view detailed information about the scheduled tasks in the Scheduled Tasks panel. For information, see Viewing Scheduled Tasks on page 137.


Using Global Search


This function allows you to search through the entire NIOS appliance database for any instances matching a specific text string. The global search option allows you to search across different perspectives and views, instead of searching under each perspective or view individually. For example, you can search for a specific host name across both the DNS perspective and DHCP perspective with a single global search, or you can search for all occurrences of a specific MAC address within the database.

The Global Search perspective is located next to the other perspectives in the GUI toolbar. The Global Search perspective opens up a panel called Search Results and displays all matches within the panel. All match results are displayed with the following information:
- Name: Name of the matching object.
- Type: Object type matching the global search. For example, the Type field identifies the type of record or type of address of the matching object.
- Matched Attribute: Attribute of the matching object. For example, if the global search matched the address corresponding to a hostname, then the field displays the address of the hostname.
- Matched Value: The value of the matching object. For example, if the global search matched the address of a hostname, then the field displays the hostname.

Note: NIOS displays search results based upon the page size setting from the administrator settings. For information about page size configuration, see Authenticating Administrators on page 107.

To search globally:
1. From the Global Search perspective, type the text string to search on the appliance database.
2. Click Search.

NIOS supports regular expressions for global search. Regular expressions, commonly known as regex, are patterns built from special characters that give you fine control over what the search matches.

Note: You cannot search zones based on the zone type. You can filter search results based on the zone type.

From the Search Results panel, you can do the following:
- Open a panel to view the properties of a matching object.
- Open a panel to edit the properties of a matching object.
- Remove a matching object from the database.
- Define the administrative permissions of an object, as described in Defining Permissions for an Object on page 60.

You can perform these operations by clicking matching object -> Edit.

Defining Permissions for an Object


You can select an object in the Search Results panel and define its administrative permissions as follows:
1. Select an object from the list and click Edit -> Manage Permissions.
2. In the Manage Resource Permissions dialog box, complete the following:
   - Admin Group: Click Add, and select an admin group in the Select Admin Group dialog box. After you click OK to close the dialog box, the appliance lists the admin group you selected.
   - Permissions: The appliance displays the name of the object in the Resource column. Select the permission for the object by clicking Read/Write, Read Only or Deny.
3. Click OK to close the Manage Resource Permissions dialog box.

For information on setting administrative permissions, see Applying Permissions and Managing Conflicts on page 79.


Printing from the GUI


The NIOS appliance supports the ability to print the contents of the GUI from any perspective. Printing from the GUI allows you to print the contents of a view within any perspective shown on the display. All page modifications that are applied to the display contents, such as filters and sorting, affect the print output as well. You can print to the following outputs:
- Hard copy to the printer, or conversion to a PDF (Portable Document Format) file (see Print Hard Copy or PDF File on page 61)
- Text file (see Print Output to a Text File on page 62)
- CSV file (MS Windows only, with this feature installed) (see Exporting Data on page 64)

The amount of content printed depends on the page size configuration set by the administrator. For information on configuring the page size, see Authenticating Administrators on page 107.

Note: GUI printing is supported on the Microsoft Windows operating system only.

Print Hard Copy or PDF File


To print a hard copy or PDF file from the GUI:
1. From any perspective, click File -> Print. The Print dialog box appears.
2. Set the print options you want for the print job. You can set the following print options:
   - Selected printer
   - Print preferences: portrait or landscape page orientation, legal or letter page size, and page margins.
   - Print to file (for PDF generation)
   - Page range
   - Number of copies
3. Click Print.


Print Output to a Text File


To print to a text file in the Windows operating system:
1. Install a text printer on your Windows management system.
2. From any perspective, click File -> Print. The print dialog box appears.
3. Select the text printer, and then configure the print options accordingly.
4. Click Print. NIOS prints the contents of the GUI to a text file. The location of the output file depends on the printer software you use.

Accessing IP Address Manager


IP Address Manager is a web interface that provides access to your NIOS appliance for network and IP address management. It provides a number of tools that you can use to effectively manage your IP address space. For information about IP Address Manager and supported browsers, refer to the Infoblox Administrator Guide for IP Address Manager.

Logging in to IP Address Manager


To log in to IP Address Manager:
1. Open an internet browser window.
2. Start your browser and enter https://<IP address or hostname of your NIOS appliance>
3. On the Grid Manager login page, click Launch IPAM Manager. The IP Address Manager login page appears.
4. Enter your user name and password. The default user name is admin and the default password is infoblox.
5. Click Login or press Enter. IP Address Manager displays the Dashboard page.

For information about the dashboard and other features of IP Address Manager, refer to the Infoblox Administrator Guide for IP Address Manager.

Multilingual Support
NIOS appliances support UTF-8 (Unicode Transformation Format-8) encoding for the following:
- Host names for Microsoft Windows clients that support Microsoft Windows code pages
- RADIUS authentication
- Input fields through the Infoblox GUI

UTF-8 is a variable-length character encoding standard for Unicode characters. Unicode is a code table that lists the numerous scripts used by all possible characters in all possible languages. It also has a large number of technical symbols and special characters used in publishing. UTF-8 encodes each Unicode character as a variable number of one to four octets (8-bit bytes), where the number of octets depends on the integer value assigned to the Unicode character. For information about UTF-8 encoding, refer to RFC 3629 (UTF-8, a transformation format of ISO 10646) and the ISO/IEC 10646-1:2000 Annex D. For information about Unicode, refer to The Unicode Standard. Depending on the OS (operating system) that your management system uses, you must install the appropriate language files in order to enter information in a specific language. For information about how to install language files, refer to the documentation that comes with your management system.


Host Names Support for Microsoft Windows Code Pages


The NIOS appliance supports UTF-8 encoding of host names for Microsoft Windows clients that support Microsoft Windows code pages. When you use the appliance as a DHCP server, you can configure the DHCP service on the appliance to convert client host names that are encoded with a Microsoft code page to UTF-8 encoded characters. The appliance stores the UTF-8 encoded host names in the database. If you also configure the DHCP service on the appliance to perform DDNS updates, the appliance sends the UTF-8 encoded host names in the DDNS updates. For information about how to configure the Microsoft Windows code page for converting host names into UTF-8 characters, see Configuring DHCP Properties on page 526.
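The one-to-four-octet rule described under Multilingual Support and the code-page-to-UTF-8 host name conversion described in this section, as an added Python illustration that is not part of the guide or of NIOS; the function names, the cp1252 default, the ASCII-only field check and the sample host name bytes are assumptions.

```python
"""Added illustration: UTF-8 octet rules (RFC 3629) and conversion of a DHCP
client host name from a Microsoft Windows code page to UTF-8.
Function names, the cp1252 default and the sample host names are assumptions."""


def utf8_octets(code_point: int) -> bytes:
    """Encode one Unicode code point as 1 to 4 octets; the count depends only
    on the integer value of the code point."""
    if code_point < 0 or code_point > 0x10FFFF:
        raise ValueError("code point outside the Unicode range")
    if 0xD800 <= code_point <= 0xDFFF:
        raise ValueError("surrogate code points cannot be encoded")
    if code_point < 0x80:                       # U+0000..U+007F: 1 octet (ASCII)
        return bytes([code_point])
    if code_point < 0x800:                      # U+0080..U+07FF: 2 octets
        return bytes([0xC0 | (code_point >> 6),
                      0x80 | (code_point & 0x3F)])
    if code_point < 0x10000:                    # U+0800..U+FFFF: 3 octets
        return bytes([0xE0 | (code_point >> 12),
                      0x80 | ((code_point >> 6) & 0x3F),
                      0x80 | (code_point & 0x3F)])
    return bytes([0xF0 | (code_point >> 18),    # U+10000..U+10FFFF: 4 octets
                  0x80 | ((code_point >> 12) & 0x3F),
                  0x80 | ((code_point >> 6) & 0x3F),
                  0x80 | (code_point & 0x3F)])


def encode_utf8(text: str) -> bytes:
    """Encode a whole string with the rule above (matches str.encode('utf-8'))."""
    return b"".join(utf8_octets(ord(ch)) for ch in text)


def codepage_hostname_to_utf8(raw: bytes, codepage: str = "cp1252") -> bytes:
    """Model of the DHCP-side conversion: the client sends its host name in a
    Windows code page; the appliance stores (and sends in DDNS) UTF-8 bytes."""
    text = raw.decode(codepage)          # code-page bytes -> Unicode code points
    return encode_utf8(text)             # code points -> UTF-8 octets


def is_ascii_only_field(value: str) -> bool:
    """The guide lists IP addresses, DNS names and AD domain names as fields
    without UTF-8 support; this check flags such values before they are used."""
    return all(ord(ch) < 0x80 for ch in value)


if __name__ == "__main__":
    # constructed: a cp1252 host name with e-acute (0xE9) and a euro sign (0x80)
    sample = b"caf\xe9-\x80pc"
    print(codepage_hostname_to_utf8(sample))   # b'caf\xc3\xa9-\xe2\x82\xacpc'
    for cp in (0x41, 0xE9, 0x20AC, 0x1F600):
        print(hex(cp), len(utf8_octets(cp)), "octet(s)")
```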

RADIUS Authentication
For RADIUS authentication, the NIOS appliance supports single-byte international character sets in the following:
- Microsoft Windows XP and Vista OS
- RADIUS and LDAP user names, passwords, and comments
- Replicated AD user names, passwords, and groups in all of the NIOS interfaces, except the Data Import Wizard
- Proxy requests if the RADIUS server that is proxied supports them

When you configure the NIOS appliance as a RADIUS server, you can enable RADIUS authentication and accounting on each grid member. If you want the RADIUS server to support wireless supplicants on a Windows client that does not use a Latin I (1252) code page, you must change the default code page on the NIOS appliance to match the client setup. The NIOS appliance uses the code page to translate single-byte characters into UTF-8 encoded characters. For information about how to configure the code page for RADIUS authentication, see RADIUS Authentication on page 691.

UTF-8 Supported Fields


The NIOS appliance supports UTF-8 encoding in all of the comment fields and most input fields. You can enter non-English characters in these data fields through the Infoblox GUI and the Infoblox API. When you use the Infoblox API, all the non-ASCII strings must be UTF-8 encoded so that you can use Unicode characters. The NIOS appliance does not support UTF-8 encoding for data that is configurable through the Infoblox CLI commands. In general, the following items support UTF-8 encoding:
- In the NAC Foundation module, the following fields that you use to customize the captive portal, self service portal, and DHCP guest registration page:
  - Company Name
  - Welcome Message
  - Help Desk Message
  - All comment and custom fields
  - Acceptable Use Policy files
- All the predefined and user-defined extensible attributes
- All the comment fields in all of the Infoblox GUI perspectives
- File name fields for FTP and TFTP backup and restore operations
- The login banner text field. When you use the serial console or SSH, the appliance cannot correctly display the UTF-8 encoded information that you enter for the login banner

Note: For data fields that do not support UTF-8 encoding, the appliance displays an error message when you use non-English languages.


UTF-8 Support Limitations


The NIOS appliance has the following UTF-8 support limitations:
- Object names that have data restrictions due to their usage outside of the Infoblox database do not support UTF-8 encoding. For example, IP addresses, DNS names, and Active Directory domain names.
- When importing a database, most of the ASCII control characters cannot be encoded. This might cause failures in upgrades or database restore operations.
- Search is based on the Unicode standard. Depending on the language, you might not be able to perform a case-sensitive search.
- Binary data is encoded as text.
- Hard-coded data in the DHCP authentication configuration remains in English. For example, the text on buttons such as Accept, Continue, or Register, as well as HTML pages such as the complete.html file that tells you your password has been successfully changed.
- UTF-8 encoding does not fully support regular expressions. It matches constant strings. However, it does not encode characters that are inside square brackets or followed by regular expression operators such as *, ?, or +.
- You can use UTF-8 characters to authenticate both the User Name and Password through the Infoblox GUI, but not through the Infoblox CLI. The Infoblox CLI does not support UTF-8 encoding.

Exporting Data
You can export certain types of data from the NIOS appliance to a CSV (Comma Separated Values) file and store it in a directory on your management station. You can then use a text editor or an application, such as Microsoft Excel, to view the data in the CSV file. The default name of the CSV file reflects the type of data being exported. For example, an export of grid members data has the file name Grid.csv. You can change the file name, for example, by appending a date as in Grid022908, to maintain multiple copies of the exported files.

Exporting Data from Panels


You can export data from most panels in the Infoblox Grid or Device Manager. When you export data from panels with multiple columns, such as the Detailed Status panel in the Grid perspective and the Records panel in the DNS perspective, the exported data reflects what is displayed in the GUI. You can move, hide, and sort columns as described in Customizing Columns on page 57, to organize the data before you export it to a CSV file. Note that you cannot export data from a panel when all its columns are hidden.

The following is a list of panels from which you can export data. The exported CSV files contain exactly what is displayed in the panels, except for the files exported from the grid, DNS views, networks, and directories panels.

Grid Perspective
You can export a list of grid members from the Grid panel. You can export the data that is displayed in the following panels:
- Detailed Status
- Recycle Bin

DNS Perspective
You can export a list of views and their zones from the DNS views panel. You can export the data that is displayed in the following panels:
- Records
- Shared Record Group Associations
- Zone Statistics


DHCP and IPAM Perspective
You can export a list of networks from the Networks panel. You can export the data that is displayed in the following panels:
- Ranges, Fixed Addresses and Filters
- Ranges and Fixed Address Templates
- IP Address Management
- DHCP Leases
- DHCP Lease History
- Network Statistics
- DHCP Statistics
- DHCP Failover Status

AAA Perspective
You can export data from the User Accounts panel.

File Distribution Perspective
You can export a list of directories from the Directories panel and the data that is displayed in the Files panel.

Global Search Perspective
You can export data from any search panel that is associated with any of the perspectives and windows that you can export.

Exporting Hierarchical Data


By default, the Records panel lists DNS records individually by record name, in alphabetical order, as shown in the following figure:

Figure 2.6 Resource Records List

When you export records from the Records panel and the records are individually listed, then the exported CSV file lists all records displayed in the panel, as shown in the following figure:

Figure 2.7

Alternatively, you can click the Hierarchical View icon to display records hierarchically, as shown in the following figure:


Figure 2.8 Hierarchical View

When you export data from the Records panel and the records are listed hierarchically, then the CSV file lists only the parent records that are displayed in the Records panel, as shown in the following figure:

Figure 2.9 Hierarchical Export

Exporting Data to a CSV File


To export data to a CSV file:
1. From a panel that supports CSV file export, do one of the following:
   - Right-click anywhere on the panel and select Export from the context menu.
   - Select File -> Export.
2. In the save as dialog box, do the following:
   - Select the destination directory for the file.
   - Either use the default name or type a new name for the file. The .csv file extension is automatically applied to the filename.
A CSV Export Status dialog box displays the status of the export.

Exporting Large Files


If you are exporting a file with more than 500 objects, the NIOS appliance displays a dialog box with a progress bar indicating the status of the export process. You can click one of the following:
- Run in Background to run the export in background mode, allowing you to complete other tasks in NIOS while the export is running
- Cancel to cancel the export
- Details to view details about the export

If you select Run In Background, the appliance displays the status of the export at the bottom of the window, as shown in the following figure:

Figure 2.10 CSV Export Status
Callout: Click the icon to view background tasks in the Progress panel.

You can view background tasks by clicking the icon shown in Figure 2.10. The Progress panel displays the status of all the current long-running tasks. You can cancel a task by clicking the icon beside the progress bar, as shown in Figure 2.11.

Figure 2.11 CSV Export Progress Panel
Callout: Click the icon beside the progress bar to cancel the task.

Note: If you anticipate exporting large amounts of data, consider increasing the size of your Java heap.


Chapter 3 Managing Administrators


This chapter describes the various tasks associated with setting up admin groups and accounts. It contains the following sections:

- About Admin Accounts on page 71
- About Admin Groups on page 73
- Creating a Superuser Admin Group on page 73
- About Limited-Access Admin Groups on page 74
- About Admin Roles on page 75
- Creating Limited-Access Admin Groups on page 76
- Deleting Admin Roles and Groups on page 77
- Viewing Admin Group Assignments on page 77
- About Administrative Permissions on page 78
- Applying Permissions and Managing Conflicts on page 79
- Viewing and Managing Permissions on page 85
- Modifying Permissions on page 86
- Removing Permissions on page 86
- Administrative Permissions for Grid Members on page 89
- Administrative Permissions for Scheduling Tasks on page 90
- Managing DNS Resource Permissions on page 91
- Administrative Permissions for DNS Views on page 92
- Administrative Permissions for Zones on page 93
- Administrative Permissions for Resource Records on page 94
- Administrative Permissions for Shared Record Groups on page 95
- Managing Administrative Permissions for DHCP Resources on page 96
- Administrative Permissions for Network Views on page 97
- Administrative Permissions for Networks and Shared Networks on page 98
- Administrative Permissions for Fixed Addresses on page 100
- Administrative Permissions for DHCP Ranges on page 101
- Administrative Permissions for DHCP Templates on page 102
- Administrative Permissions for MAC Address Filters on page 103


- Administrative Permissions for Network Discovery on page 103
- Administrative Permissions for the DHCP Lease History on page 104
- Administrative Permissions for the RADIUS Service on page 104
- Administrative Permissions for File Distribution Services on page 106
- Authenticating Administrators on page 107
- Creating Local Admins on page 107
- Modifying and Removing an Admin Account on page 108
- About Remote Admins on page 108
- Authenticating Using RADIUS on page 110
- Remote RADIUS Authentication on page 111
- Configuring RADIUS Authentication on the NIOS Appliance on page 111
- Adding RADIUS Servers on page 112
- Testing the RADIUS Server on page 113
- Maintaining the RADIUS Admins Server List on the NIOS Appliance on page 113
- Disabling a RADIUS Server on page 113
- Configuring a RADIUS Server on page 114
- Configuring Admin Groups on the Remote RADIUS Server on page 114
- Configuring Remote Admin Accounts on the Remote RADIUS Server on page 114
- Authorization Groups Using RADIUS on page 115
- Accounting Activities Using RADIUS on page 115
- Authenticating Admin Accounts Using Active Directory on page 116
- Admin Authentication Using Active Directory on page 117
- Configuring Active Directory Authentication for Admins on page 117
- Defining the Admin Policy on page 118
- Specifying a List of Remote Admin Groups on page 118
- Configuring the Default Admin Group on page 118
- Configuring a List of Authentication Methods on page 119
- Changing Password Length Requirements on page 119
- Notifying Administrators on page 119


About Admin Accounts


When an admin connects to the NIOS appliance and logs in with a user name and password, the appliance starts a 2-step process that includes both authentication and authorization. First, the appliance tries to authenticate the admin using the user name and password that were entered. Second, it determines the authorized privileges of the admin by identifying the group to which the admin belongs. It grants access to the admin only when it successfully completes this process. Infoblox uses the concept of administrator groups to which you add one or more individual administrators. The administrators inherit the permissions and properties of the group to which they belong. The NIOS appliance can authenticate users that are stored on its local database as well as users stored remotely on an Active Directory domain controller and a RADIUS server. Regardless of the location of an admin account, all administrators must belong to an admin group. In addition, the group from which the admin receives privileges and properties is stored locally. The tasks involved in storing administrator accounts locally and remotely are listed in Table 3.1.

Table 3.1 Storing Admin Accounts Locally and Remotely

To store admin accounts locally:
- On the NIOS appliance:
  - Use the default admin group (admin-group) or define a new group
  - Set the privileges and properties for the group
  - Add admin accounts to the group

To store admin accounts remotely:
- On the NIOS appliance:
  - Configure communication settings with a RADIUS server or an Active Directory domain controller
  - If you use admin groups on the RADIUS server or Active Directory domain controller: use an existing admin group or define a new one, and set the privileges and properties for the group
  - If you do not use admin groups on the RADIUS server: assign an admin group as the default
- On the RADIUS server or AD domain controller:
  - Configure communication settings with the NIOS appliance
  - Import Infoblox VSAs (vendor-specific attributes) (if RADIUS)
  - If you use admin groups: define an admin group with the same name as that on the NIOS appliance, then define admin accounts and link them to an admin group
  - If you do not use admin groups: define admin accounts

The admin policy defines how the appliance authenticates the admin: with the local database, RADIUS, or Active Directory. You must add RADIUS or Active Directory as one of the authentication methods in the admin policy to enable that authentication method for admins. See Configuring a List of Authentication Methods on page 119 for more information about configuring the admin policy.


Figure 3.1 illustrates the relationship of local and remote admin accounts, admin policy, admin groups, and permissions and properties.

Figure 3.1 Privileges and Properties Applied to Local and Remote Admin Accounts
(Diagram of admin accounts on the NIOS appliance and on RADIUS or Active Directory, with the following callouts.)
- Local admin groups: access permissions and properties come from local admin group definitions.
- Login: the NIOS appliance first checks the remote admin policy to determine which of the following authentication methods to use and where to get membership information from: local-admin database, RADIUS, or Active Directory.
- Remote admin groups: when remote admin accounts are not in an admin group (or in a group whose name does not match that of a local group), the NIOS appliance applies the default admin group permissions and properties (if configured). Group names must match. There can be admin accounts in a local and remote admin group with the same group name.
- When admin accounts are in an admin group that matches a group configured locally, the appliance selects the first group (based on remote admin policy) and applies the permissions and properties to the admin belonging to that group.
- Assigned from local admin group definitions: admin permissions (for resources, such as zones, networks, members and DHCP lease history) and properties (for page and tree sizes).

Complete the following tasks to create admin accounts:
1. Use the default admin groups or create admin groups. See About Admin Groups on page 73.
2. Define the administrative permissions of each admin group. See About Administrative Permissions on page 78.
3. Create admin accounts and assign them to the appropriate admin group. To add accounts to the local database, see Creating Local Admins on page 107. To configure the appliance to authenticate admin accounts stored remotely, see About Remote Admins on page 108.
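The two-step login sequence and the remote-to-local group matching described above, as an added Python model that is not part of the guide or of NIOS; the class names, the treatment of a disabled group as denying login, and the sample users, groups and passwords are assumptions made for this illustration.

```python
"""Added model of the NIOS two-step admin login: authenticate with the admin policy's
methods in order, then authorize by mapping the admin to exactly one local admin group.
Class names, the handling of disabled groups and all sample data are assumptions."""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LocalGroup:
    """Admin group stored on the appliance; the only source of permissions/properties."""
    name: str
    superuser: bool = False
    disabled: bool = False


@dataclass
class AdminPolicy:
    """Ordered authentication methods plus the remote groups the appliance accepts."""
    auth_methods: List[str]               # e.g. ["local", "radius", "ad"]
    remote_groups: List[str]              # local group names, in priority order
    default_group: Optional[str] = None   # used when no remote group matches


class UserStore:
    """Stand-in for the local database, a RADIUS server or an AD domain controller:
    user name -> (password, group names the store reports for that user)."""
    def __init__(self, users: Dict[str, Tuple[str, List[str]]]):
        self.users = users

    def authenticate(self, user: str, password: str) -> Optional[List[str]]:
        rec = self.users.get(user)
        # constant-time comparison; a real store would verify a password hash
        if rec is None or not hmac.compare_digest(rec[0].encode(), password.encode()):
            return None
        return list(rec[1])


def authenticate(policy, stores, user, password):
    """Step 1: try each method in policy order; the first success decides."""
    for method in policy.auth_methods:
        store = stores.get(method)
        groups = store.authenticate(user, password) if store else None
        if groups is not None:
            return method, groups
    return None


def authorize(policy, local_groups, method, groups):
    """Step 2: choose the single local group whose permissions and properties apply."""
    chosen = None
    if method == "local":                     # local admins are created in a local group
        chosen = local_groups.get(groups[0]) if groups else None
    else:
        # a remote group counts only if a local group of the same name exists;
        # the first entry of the policy's remote-group list that matches wins
        for name in policy.remote_groups:
            if name in groups and name in local_groups:
                chosen = local_groups[name]
                break
        if chosen is None and policy.default_group:
            chosen = local_groups.get(policy.default_group)
    if chosen is None or chosen.disabled:     # disabled group: assumed to deny login
        return None
    return chosen


def login(policy, stores, local_groups, user, password):
    """Run both steps; access is granted only when both succeed."""
    auth = authenticate(policy, stores, user, password)
    if auth is None:
        return None
    method, groups = auth
    group = authorize(policy, local_groups, method, groups)
    if group is None:
        return None
    return {"user": user, "method": method, "group": group.name, "superuser": group.superuser}


def has_local_superuser(local_store, local_groups):
    """Guide's rule: at least one local account must sit in an active superuser group."""
    for _password, names in local_store.users.values():
        if any(n in local_groups and local_groups[n].superuser and not local_groups[n].disabled
               for n in names):
            return True
    return False


# constructed sample directory (assumed names and passwords)
LOCAL_GROUPS = {"admin-group": LocalGroup("admin-group", superuser=True),
                "dns-ops": LocalGroup("dns-ops"),
                "old-team": LocalGroup("old-team", disabled=True)}
POLICY = AdminPolicy(auth_methods=["local", "radius", "ad"], remote_groups=["dns-ops", "admin-group"])
STORES = {"local": UserStore({"admin": ("sample-pw-1", ["admin-group"]),
                              "frank": ("sample-pw-2", ["old-team"])}),
          "radius": UserStore({"balu": ("sample-pw-3", ["helpdesk"])}),
          "ad": UserStore({"christine": ("sample-pw-4", ["admin-group", "dns-ops"])})}

if __name__ == "__main__":
    for user, pw in [("admin", "sample-pw-1"), ("christine", "sample-pw-4"),
                     ("balu", "sample-pw-3"), ("frank", "sample-pw-2")]:
        print(user, "->", login(POLICY, STORES, LOCAL_GROUPS, user, pw))
```

With the sample data, christine is found only on AD and lands in dns-ops because that entry precedes admin-group in the policy's remote-group list, while balu is denied because no remote group matches and no default group is configured.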

72

Infoblox Administrator Guide (Rev. A)

NIOS 4.3r4


About Admin Groups


All administrators must belong to an admin group. The permissions and properties that you set for a group apply to the administrators that you assign to that group. There are three types of admin groups:

Superuser: Superuser admin groups provide their members with unlimited access and control of all the operations that a NIOS appliance performs. There is a default superuser admin group, called admin-group, with one superuser administrator, admin. You can add users to this default admin group and create additional admin groups with superuser privileges. Superusers can access the appliance through its console, GUI, and API. In addition, only superusers can create admin groups.

Limited-Access: Limited-access admin groups provide their members with read-only or read/write access to specific resources. These admin groups can access the appliance through the GUI, API, or both. They cannot access the appliance through the console.

ALL USERS: The ALL USERS group is a default group in which you define global permissions for all limited-access users. This group implicitly includes all limited-access users configured on the appliance.

Creating a Superuser Admin Group


Superusers have unlimited access to the NIOS appliance. They can perform all the operations that the appliance provides. There are some operations, such as creating admin groups and accounts, that only superusers can perform. Note that there must always be one superuser admin account stored in the local database to ensure that at least one administrator can log in to the appliance in case the NIOS appliance loses connectivity to the remote admin databases such as RADIUS servers or AD domain controllers. There is a default superuser admin group (admin-group). You can create additional superuser admin groups, as follows:
1. Log in as a superuser.
2. From the Administrators perspective, click Groups -> Edit -> Add Group.
3. In the Add Administrator Group editor, enter the following:
   Group Name: Enter the name for the admin group.
   Comment: Enter pertinent information about the group, such as location or department. The data entered here displays in the Comment column when you select the admin group name in the tree view.
   Superuser: Select this check box to grant the admin accounts that you assign to this group full authority to view and configure all types of data.
   Page Size: Enter a value for the number of lines of data that you want a single GUI list view to contain for administrators that belong to this group. When there is a lot of data, you can improve the display performance by setting a smaller page size, such as 100 instead of 1000. You can set the page size from 10 to 2000. The default page size is 100.
   Disable this admin group: Select this check box to retain an inactivated profile for this admin group in the configuration. For example, you might want to define a profile for recently hired administrators who have not yet started work. Then when they do start, you simply need to clear this check box to activate the profile.
4. Click the Save icon.
You can do one of the following:
   Add local admins to the superuser group; see Creating Local Admins on page 107.
   Assign the superuser group to remote admins; see About Remote Admins on page 108.


About Limited-Access Admin Groups


All admin groups, except superuser admin groups, require either read-only or read-write permission to access certain resources, such as grid members, and DNS and DHCP resources. Therefore, when you create an admin group, you must specify which resources the group is authorized to access and their level of access. There are two ways to define the permissions of an admin group. You can create the group and assign permissions directly to the group. In addition, you can create roles that contain permissions and assign the roles to the admin group. Only superusers can create admin groups and define their administrative permissions. Complete these tasks to configure an admin group:
1. If you want to use admin roles to assign permissions to admin groups, create the admin roles as described in About Admin Roles on page 75.
2. Define the permissions of the newly created admin roles, as described in Applying Permissions and Managing Conflicts on page 79.
3. Create the admin group, as described in Creating Limited-Access Admin Groups on page 76.
4. Define the administrative permissions of the admin group.
   Assign roles to the admin group, as described in Creating Admin Roles on page 75.
   Assign specific permissions as described in Applying Permissions and Managing Conflicts on page 79.
5. Assign admins to the group. For local admin groups, see Creating Local Admins on page 107. For remote admins, see About Remote Admins on page 108.


About Admin Roles


A role is a group of permissions that you can apply to one or more admin groups. Roles allow you to quickly and easily apply a suite of permissions to an admin group. You can define roles once and apply them to multiple admin groups. The appliance contains the following system-defined admin roles:
   AAA Admin: Provides read-write access to all grid AAA properties.
   DHCP Admin: Provides read-write access to all DHCP MAC filters, members, networks, and shared networks, and read-only access to the DHCP templates and DHCP lease history.
   DNS Admin: Provides read-write access to all members, all shared record groups, and all DNS views.
   File Distribution Admin: Provides read-write access to all grid file distribution properties.
   Grid Admin: Provides read-write access to all DHCP MAC filters, DHCP templates, members, networks, shared networks, DHCP lease history, all shared record groups, all DNS views, Grid AAA properties, and Grid File distribution properties.

You can assign these system-defined roles to admin groups and create additional roles based on the job functions in your organization. If you are creating a role that has similar permissions to an existing role, you can copy the role and then make the necessary modifications to the new role. Thus you do not have to create each new role from scratch. You can assign up to 20 roles to an admin group, and you can assign a role to more than one admin group. When you make a change to a role, the appliance automatically applies the change to that role in all admin groups to which the role is assigned.

Creating Admin Roles


There are two ways to create an admin role. You can create a new role and define its permissions, or you can copy an existing role.

To create a new role from scratch:
1. From the Administrators perspective, click Roles -> Edit -> Add Role to display the Add Role editor.
2. Complete the following:
   Role Name: Enter a name for the role.
   Comment: Optionally, enter information about the role.
3. Click the Save icon.

To copy an existing role:
1. From the Administrators perspective, click Roles -> admin_role -> Edit -> Copy Role As.
2. In the Copy Role As dialog box, enter the name of the new role you are creating. You can also enter information about the new role in the Comment field. Click OK to close the dialog box. The appliance displays the new role and its permissions.

After you create roles, you can do the following:
   Define their permissions. For information and guidelines on defining permissions, see About Administrative Permissions on page 78.
   Assign roles to admin groups, as described in Creating Limited-Access Admin Groups on page 76.


Creating Limited-Access Admin Groups


When you create a limited-access admin group, you can assign roles to it. The group then inherits the permissions of its assigned roles. In addition, you can assign permissions directly to the group, as described in Applying Permissions and Managing Conflicts on page 79. Only superusers can create admin groups. To create an admin group:
1. From the Administrators perspective, click Groups -> Edit -> Add Group to display the Add Administrator Group editor.
2. Expand the Group Properties section and enter the following:
   Group Name: Enter the name for the admin group.
   Comment: Enter pertinent information about the group, such as location or department. The data entered here displays in the Comment column when you select the admin group name in the tree view.
   Superuser: Clear this check box to create a limited-access admin group.
   Page Size: Enter a value for the number of lines of data that you want a single GUI list view to contain for administrators that belong to this group. When there is a lot of data, you can improve the display performance by setting a smaller page size, such as 100 instead of 1000. You can set the page size from 10 to 2000. The default page size is 100.
   Access Method: Specify whether the admin group can use the GUI and the API (application programming interface) to configure the appliance.
      Access through GUI: Select this check box to allow the admin group to use the GUI.
      Access through API: Select this check box to allow the admin group to use the API. For information about the API, see Chapter 25, Infoblox DMAPI, on page 729.
   Disable this admin group: Select this check box to retain an inactivated profile for this admin group in the configuration. For example, you might want to define a profile for recently hired administrators who have not yet started work. Then when they do start, you simply clear this check box to activate the profile.
3. Optionally, expand the Roles section and complete the following:
   Click Add.
   In the Select Role dialog box, select the roles you want to assign to the admin group, and then click OK. You can assign up to 20 roles to an admin group. The appliance displays the selected roles in the list box. When an admin group is assigned multiple roles, the appliance applies the permissions to the group in the order the roles are listed. Therefore if there are conflicts in the permissions among the roles, the appliance uses the permission from the role that is listed first and ignores all the others. You can reorder the list by selecting a role and clicking Move Up or Move Down. To delete a role, select it and click Delete.
   After you select roles, you can click Check for conflicts to check for any conflicting permissions. For information about checking conflicts, see Applying Permissions and Managing Conflicts on page 79. Click Cancel to close the dialog box.
4. Click the Save icon.


Deleting Admin Roles and Groups


You can remove both system-defined and user-defined admin roles and admin groups. To delete an admin group or role:
1. Do one of the following from the Administrator perspective:
   To remove an admin role, click + (for Roles) -> admin_role.
   To remove an admin group, click + (for Groups) -> admin_group.
2. Click Edit -> Remove.

Viewing Admin Group Assignments


You can view to which admin groups a role is assigned by selecting the role and clicking View -> Admin Role Assignments.


About Administrative Permissions


You can assign permissions to admin roles which you then assign to admin groups, or you can assign permissions directly to an admin group. The following are permissions you can grant roles and admin groups:
   Deny: Prevents admins from viewing, adding, modifying and deleting the resource. This is the default permission level.
   Read-Only: Allows admins to view and search for the resource. Admins cannot add, modify or delete the resource.
   Read/Write: Allows admins to view, search for, add, modify, and delete the resource.

By default, the appliance denies access to certain resources. Admin groups must have either read-only or read/write permission to access the following resources:
   Grid members: see Administrative Permissions for Grid Members on page 89.
   Scheduling tasks: see Administrative Permissions for Scheduling Tasks on page 90.
   DNS resources: see Managing DNS Resource Permissions on page 91.
   DHCP resources: see Managing Administrative Permissions for DHCP Resources on page 96.
   RADIUS resources: see Administrative Permissions for the RADIUS Service on page 104.
   File distribution resources: see Administrative Permissions for File Distribution Services on page 106.

You can define permissions at a global level, for example, for all DNS views or all DHCP networks in the database, and at a more granular level, such as a specific zone, network, and even an individual database object, such as a resource record or fixed address. The appliance applies permissions hierarchically in a parent-child structure. When you define a permission to a resource, the permission applies to all the other resources and objects contained within that resource. For example, if you grant an admin group read-write permission to a grid, it automatically has read-write permission to all members in the grid. However, you can override the grid-level permission by setting a different permission, read-only or deny, for a grid member. Permissions at more specific levels override those set at a higher level. When admins have permission to objects that are in a parent object, but are not given rights to the parent object, the appliance displays the parent object in the tree view, for navigational purposes only. For example, as shown in Figure 3.2, admins do not have permission to the Internal view and to corp.com, but have permission to the child zone called sales.corp.com. In this case, the admins can see the Internal view and corp.com in the tree view, but cannot see their contents. The admins can see the contents of sales.corp.com zone only.

Figure 3.2 Navigating to Objects

Admins in DNS Admins3 can navigate to sales.corp.com and create resource records, even if they have no permission to the Internal view and corp.com.


Applying Permissions and Managing Conflicts


When an admin tries to access an object, the appliance checks the permissions of the group to which the admin belongs. Because permissions at more specific levels override those set at a higher level, the appliance checks object permissions hierarchically, from the most to the least specific. In addition, if the admin group has permissions assigned directly to it and permissions inherited from its assigned roles, the appliance checks the permissions in the following order:
1. Permissions assigned directly to the admin group.
2. Permissions inherited from admin roles, in the order they are listed in the Roles section of the Administrator Group editor.
3. Permissions defined for the All Users group.

For example, an admin from the DNS1 admin group tries to access the a1.test.com A record in the test.com zone in the Infoblox default view. The appliance first checks if the DNS1 admin group has a permission defined for the a1.test.com A record. If there is none, then the appliance checks the roles assigned to DNS1, and then the All Users group. If there is no permission defined for the a1.test.com A record, the appliance continues checking for permissions in the order listed in Table 3.2. The appliance uses the first permission it finds.

Table 3.2 Permission Checking

The appliance checks object permissions from the most to the least specific, as listed:
1. a1.test.com A record
2. A records in test.com
3. test.com
4. All zones in the default view
5. Default view
6. All A records
7. All zones
8. All DNS views

For each object, the appliance checks permissions in the order listed:
a. DNS1 admin group
b. Role 1, Role 2, Role 3
c. All Users group

An admin group that is assigned multiple roles and permissions can have conflicts among the different permissions. As stated earlier, the appliance uses the first permission it finds and ignores the others. For example, as shown in Table 3.3, if an admin group has read/write permission to all A records in the test.com zone and a role assigned to it is denied permission to test.com, the appliance provides read/write access to A records in the test.com zone, but denies access to the test.com zone and all its other resource records.

Table 3.3 Directly-Assigned Permissions and Roles

    Permission assigned to the admin group:    Read/Write to all A records in the test.com zone
    Permission inherited from an admin role:   Deny to the test.com zone
    Effective permissions:                     Deny to the test.com zone
                                               Read/Write to all A records in test.com
                                               Deny to all other resource records in test.com


If the group has multiple roles, the appliance applies the permissions in the order the roles are listed. If there are conflicts in the permissions among the roles, the appliance uses the permission from the role that is listed first. For example, as shown in Table 3.4, the first role assigned to the admin group has read-only permission to all A records in the test.com zone and the second role has read/write permission to the same records. The appliance applies the permission from the first admin role.

Table 3.4 Multiple Roles

    Role 1 permission:       Read-only to all A records in the test.com zone
    Role 2 permission:       Read/Write to all A records in test.com
                             Read/Write to all MX records in test.com
    Effective permissions:   Deny to the test.com zone
                             Read-only to all A records in the test.com zone
                             Read/Write to all MX records in test.com

You can check for conflicting permissions when you add permissions to roles and to admin groups, and when you assign roles to an admin group. When you use the Check for conflicts function, the appliance lists which permissions are in conflict and indicates which ones it uses and ignores, as shown in Figure 3.3. If you want to change the permission the appliance uses, you must change the order in which the roles are listed or change the permissions that are directly assigned to the admin group.

Figure 3.3 Checking for Conflicts
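The checking order of Table 3.2 (most to least specific resource) combined with the source order (direct group permissions, then roles as listed, then All Users) decides every lookup, and it is the reason role order matters. The following Python model is an added example, not Infoblox code: it reproduces that resolution and a simplified Check for conflicts over the Table 3.3 and Table 3.4 cases; the resource keys, class names and the sample group and role objects are constructed for illustration.

```python
"""Model of how a NIOS admin group's effective permission on a DNS object is found.

Added example, not Infoblox code. Resource keys, class names and the sample
groups/roles are constructed; the checking order follows Table 3.2 and the
source order (direct group, roles in listed order, All Users) follows the text.
"""
from dataclasses import dataclass, field

DENY, READ_ONLY, READ_WRITE = "Deny", "Read-Only", "Read/Write"


@dataclass
class PermissionSource:
    """Permissions held by one source: an admin group, a role, or All Users."""
    name: str
    rules: dict = field(default_factory=dict)  # resource key -> permission level


@dataclass
class AdminGroup:
    name: str
    direct: PermissionSource                        # permissions assigned directly
    roles: list = field(default_factory=list)       # ordered as in the Roles section
    all_users: PermissionSource = field(default_factory=lambda: PermissionSource("All Users"))

    def sources(self):
        """Order in which sources are consulted at one resource level."""
        return [self.direct, *self.roles, self.all_users]


def record_check_order(view, zone, rtype, name):
    """Table 3.2: resources checked for a resource record, most to least specific."""
    return [
        ("record", view, zone, rtype, name),   # 1. the record itself
        ("rtype_in_zone", view, zone, rtype),  # 2. e.g. A records in test.com
        ("zone", view, zone),                  # 3. the zone
        ("zones_in_view", view),               # 4. all zones in the view
        ("view", view),                        # 5. the view
        ("rtype", rtype),                      # 6. all records of this type
        ("all_zones",),                        # 7. all zones
        ("all_views",),                        # 8. all DNS views
    ]


def zone_check_order(view, zone):
    """Same hierarchy starting at the zone object itself (constructed by analogy)."""
    return [("zone", view, zone), ("zones_in_view", view), ("view", view),
            ("all_zones",), ("all_views",)]


def resolve(group, check_order):
    """Return (level, matched resource, source name); first hit wins, default Deny."""
    for resource in check_order:
        for source in group.sources():
            if resource in source.rules:
                return source.rules[resource], resource, source.name
    return DENY, None, "default"


def find_conflicts(group):
    """Simplified Check for conflicts: the same resource defined by more than one
    source. Returns {resource: (source used, [sources ignored])}."""
    seen = {}
    for source in group.sources():
        for resource in source.rules:
            seen.setdefault(resource, []).append(source.name)
    return {r: (n[0], n[1:]) for r, n in seen.items() if len(n) > 1}


A_IN_TEST = ("rtype_in_zone", "default", "test.com", "A")
MX_IN_TEST = ("rtype_in_zone", "default", "test.com", "MX")

# Table 3.3: Read/Write to A records assigned directly, a role that denies the zone.
DNS1_DIRECT = AdminGroup(
    "DNS1",
    direct=PermissionSource("DNS1", {A_IN_TEST: READ_WRITE}),
    roles=[PermissionSource("Role 1", {("zone", "default", "test.com"): DENY})],
)

# Table 3.4: two roles, Role 1 listed first, both covering A records in test.com.
DNS1_ROLES = AdminGroup(
    "DNS1",
    direct=PermissionSource("DNS1"),
    roles=[
        PermissionSource("Role 1", {A_IN_TEST: READ_ONLY}),
        PermissionSource("Role 2", {A_IN_TEST: READ_WRITE, MX_IN_TEST: READ_WRITE}),
    ],
)

if __name__ == "__main__":
    for label, group in (("Table 3.3", DNS1_DIRECT), ("Table 3.4", DNS1_ROLES)):
        print(label)
        print("  a1.test.com A :", resolve(group, record_check_order("default", "test.com", "A", "a1.test.com")))
        print("  mx1.test.com MX:", resolve(group, record_check_order("default", "test.com", "MX", "mx1.test.com")))
        print("  zone test.com  :", resolve(group, zone_check_order("default", "test.com")))
        print("  conflicts      :", find_conflicts(group))
```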


Defining Permissions
From the Administrators perspective, you can define global permissions and object permissions for admin groups and roles. Although you can add global permissions only from the Administrators perspective, you can add permissions to specific objects from the Administrators perspective and from the object itself. You can also select multiple objects using SHIFT+click and CTRL+click when you apply permissions to specific objects. However, you cannot select multiple objects when defining global permissions. When you add permissions to objects, you can select multiple objects with the same or different object types. When you select multiple objects with the same object type, you can apply permissions not only to the selected objects, but also to the sub object types that are contained in the selected objects. As described in Figure 3.4, when you select five DNS forward-mapping authoritative zones, the appliance labels the five DNS zones collectively as Selected Objects. Since all five DNS zones are of the same object type, forward-mapping authoritative, you can also apply permissions to all the resource records in these zones. You can choose one or more of the resources to which you want to apply permissions in the Add Permissions dialog box.

Figure 3.4 Selecting Multiple Objects with the Same Object Type

1. You select five forward-mapping authoritative DNS zones (corp100.com, corp200.com, corp300.com, corp400.com and corp500.com) that have resource records such as A records, Hosts, and CNAME records.
2. Since all DNS zones have the same object type, you can apply object permissions to all the DNS zones as well as to all the resource records in the DNS zones. The appliance displays the following resources in the Add Permissions dialog box:
   Selected objects
   A records in selected objects
   Hosts in selected objects
   <Resource records> in selected objects (for other resource records)

As shown in Figure 3.5, the appliance displays the resources in the Permissions section of the Add Permissions dialog box. You can choose Selected objects to apply permissions to all DNS zones, A records in selected objects to apply permissions to all A records in the selected DNS zones, Hosts in selected objects to apply permissions to all host records, and so on.


Figure 3.5 Add Object Permissions for Selected Objects with the Same Object Type

When you select multiple objects with more than one object type, you can add permissions to the selected objects as well as to the sub object types that are common among the selected objects. For example, when you select three DNS forward-mapping authoritative zones and two DNS IPv4 reverse-mapping authoritative zones as illustrated in Figure 3.6, you can apply permissions to all the five DNS zones as well as to the CNAME, DNAME, and Host records in these zones because CNAME, DNAME, and Host records are the common sub object types in these zones. In another example, when you select three DNS forward-mapping authoritative zones and two networks, you can apply permissions only to the selected objects (the three DNS zones and the two networks). You cannot apply permissions to any sub object types in the selected objects because DNS zones and networks do not have any common sub object types.

Figure 3.6 Multiple Objects with Common Sub Object Types

When you select three DNS forward-mapping authoritative zones (corp100.com, corp200.com and corp300.com) and two IPv4 reverse-mapping authoritative zones (0.0.10.in-addr.arpa and 0.0.127.in-addr.arpa), you can apply object permissions to all the DNS zones as well as the CNAME, DNAME and Host records in these DNS zones. The Add Permissions dialog box lists:
   CNAME records in selected objects
   DNAME records in selected objects
   Hosts in selected objects


To add permissions to a role or an admin group from the Administrators perspective:
1. Do one of the following from the Administrators perspective:
   To define the permissions of an admin role, click + (for Roles) -> + role -> Edit -> Add Permissions.
   or
   To define the permissions of an admin group, click + (for Groups) -> admin_group -> Edit -> Add Permissions.
   The Add Permissions dialog box appears. The dialog box does not list the existing permissions of the role or admin group. To view existing permissions, see Viewing and Managing Permissions on page 85. If you try to add permission to an object that has a conflict with an existing permission, the appliance displays an error message.
2. To define global permissions, click Add in the Add Global Permissions tab. The appliance displays the default resource, All Members, in the Resource column.
3. Do one of the following:
   Select Read/Write, Read Only, or Deny for the All Members resource.
   or
   Click the arrow for Resource to expand the resource list, and then select the resource for which you are setting the global permission. Select Read/Write, Read Only, or Deny.
   Click Add again to define additional global permissions.
4. To define permissions for specific objects and resources, do the following in the Add Object Permissions tab:
   Click Find Object.... In the Select Object dialog box, identify the objects to which you want to add permissions, as follows:
      In the Text field, enter the value or partial value of an object. This field is not case-sensitive.
      Select the object type for which you are searching in the Type drop-down list. By default, the appliance searches all object types. You can select multiple object types using SHIFT+click for contiguous objects and CTRL+click for non-contiguous objects.
      Click Search. The appliance lists the objects that it finds in the Search Results section.
      In the Search Results section, select the objects to which you are defining permissions, and then click OK. You can select multiple objects using SHIFT+click for contiguous objects and CTRL+click for non-contiguous objects.
   In the Add Object Permissions tab, the appliance displays the following:
      Object: The name of the selected objects. When you select multiple objects, the appliance displays Multiple Objects in this field.
      Type: The object type of the selected objects. When you select more than one object type, the appliance displays Multiple Types in this field.
   To view the list of selected objects, click View Selected Objects. The appliance displays the selected objects to which you want to add permissions.
5. In the Permissions section, do the following:
   Click Add.
   In the Resource column, click the arrow to expand the resource list, and then select the resource for which you are setting the object permission.
   Select the appropriate permission: Read/Write, Read Only, or Deny.
   Click Add again if you want to define additional object permissions.
6. After you apply permissions to the selected objects, do one of the following:
   Click Check Conflicts to check whether the permissions that you define conflict with other permissions. The appliance displays conflicting permissions in the Permissions Conflict dialog box. For information, see Applying Permissions and Managing Conflicts on page 79.
   Click Apply if you want to set permissions for additional objects. The appliance stores the permissions that you have defined and clears all the information in the Add Permissions dialog box so that you can define permissions for additional objects. Click Add to continue defining permissions for other objects.
   Click OK when you are finished.

In addition, you can also set permissions for specific objects from the object itself. For example, to define permissions for a particular grid member, navigate to that grid member and define its permissions. To define the permission of a specific object:
1. Navigate to the object. For example, to define permissions for a particular grid member, do the following from the Grid perspective: click + (for grid) -> + (for Members) -> member.
2. Select the object and do one of the following:
   Right-click and select Manage Permissions from the context menu.
   Click Edit -> Manage Permissions.
   The appliance displays the Manage Resource Permissions dialog box. For example, Figure 3.7 shows the Manage Resource Permissions dialog box where you define permissions for the selected grid member.

Figure 3.7 Manage Permissions for a Grid Member

3. In the Manage Resource Permissions dialog box, do the following:
   Admin Group/Role: Click Add, and then select a role or an admin group in the Select Admin Group or Role dialog box. After you click OK to close the dialog box, the appliance lists the role or admin group you selected.
   Permissions: Click Add. After the appliance displays the object in the Resource column, select Read/Write, Read Only or Deny.


4. Optionally, you can check whether the permission you defined conflicts with another permission. Click Check Conflicts and the appliance displays conflicting permissions in the Permissions Conflict dialog box. For information, see Applying Permissions and Managing Conflicts on page 79.
5. Click OK to close the Manage Resource Permissions dialog box.

Viewing and Managing Permissions


Superusers can view the permissions of all admin groups. All other admins can view the permissions of their own admin group. To view the permissions of a role or an admin group, do one of the following:
   To view the permissions of an admin group, from the Administrators perspective, click + (for Groups) -> + (for admin_group) -> + (for Permissions).
   To view the permissions of a role, from the Administrators perspective, click + (for Roles) -> + (for admin_role).

The appliance lists the permission types of the selected role or group, which can be:
   AAA Permissions
   DHCP Permissions
   DNS Permissions
   File Distribution Permissions
   Grid Permissions

You can select a permission type and view its corresponding permissions in the Permissions panel. By default, the appliance displays the permissions in alphabetical order. You can display a hierarchical list by clicking the icon.

Filtering the List of Permissions


You can filter the permissions you view by selecting one of the following:
   Effective Permissions: Select to view only the permissions that the appliance is using for this group. The permissions that were ignored due to conflicts are not listed in this view.
   Direct Permissions: Select to view only the permissions that were specifically assigned to the group. Permissions that were inherited from roles are not listed in this view.
   Conflicting Permissions: Select to view only the permissions that are in conflict.
   All Permissions: Select to view all permissions.


Modifying Permissions
You can modify the permissions of user-defined admin roles and admin groups. You cannot modify the permissions of system-defined admin roles. When you change the permissions of a role that has been assigned to multiple admin groups, the appliance automatically applies the change to the role in all admin groups to which it is assigned. To change the existing permissions of a role or an admin group:
1. Do one of the following from the Administrator perspective:
   To modify the permissions of an admin role, click + (for Roles) -> + (for admin_role).
   To modify the permissions of an admin group, click + (for Groups) -> + (for admin_group) -> + (for Permissions).
2. Select the permission type and, in the Permissions panel, select the resource that you want to modify.
3. Click Edit -> Permission Properties.
4. In the Permission Properties editor, select the new permission: Read/Write, Read-Only or Deny.
5. Optionally, click Check for conflicts to view any conflicts that result from the change. For information about conflicting permissions, see Applying Permissions and Managing Conflicts.
6. To save the change, click the Save icon.

Removing Permissions
You can remove permissions from user-defined admin roles and admin groups. You cannot remove permissions from system-defined admin roles. When you remove a permission from a role, it is removed from the role in all admin groups to which the role is assigned. You can remove a permission from a group as long as it was not inherited from a role. You cannot remove permissions that were inherited from a role. To remove a permission:
1. Do one of the following from the Administrator perspective:
   To remove the permissions of an admin role, click + (for Roles) -> + (for admin_role).
   To remove the permissions of an admin group, click + (for Groups) -> + (for admin_group) -> + (for Permissions).
2. Select the permission type and, in the Permissions panel, select the resource that you want to remove.
3. Right-click, and then select Remove.
4. Click Yes when the confirmation dialog appears.


Administrative Permissions for Common Tasks


The following table lists some of the common tasks admins can perform and the required permissions for each task. You can define admin roles with the required permissions, and then add the roles to admin groups. For information, see About Admin Roles on page 75.

Table 3.5 Permissions for Common Tasks


To perform the following task(s)... Assign grid members to a DNS zone Modify grid member configuration Restart services for a grid member Restart services for an entire grid Create DNS views Modify and delete a DNS view Create DNS zones Modify and delete a DNS zone Create a specific type of resource record, such as A records Admins need the following permission(s) Modify and delete a specific type of resource record, such as A records View DNS resource records Create shared record groups Modify and delete shared record groups View network properties and network statistics in a network Create network views and their associated DNS views Modify and delete network views and their associated DNS views Create networks Modify and delete networks Create fixed addresses in a network Modify and delete all fixed addresses in a network View and search for fixed addresses in a network Read/Write to the grid members Read/Write to the DNS zone Read/Write to the grid member Read/Write to the grid member Read-only to all grid members Read/Write to all DNS views Read/Write to the DNS view Read/Write to the parent zones Read/Write to the DNS zone Read/Write to the resource record type or Read/Write to the DNS zone Read/Write to the resource record type or Read/Write to the DNS zone Read-only to the resource records or Read-only to the DNS zone Read/Write to all shared record groups Read/Write to the shared record groups Read-only to the network view that contains the network Read/Write to all network views Read/Write to all DNS views Read/Write to the network views Read/Write to the DNS views Read/Write to all networks Read/Write to the networks Read/Write to the parent network Read/Write to all fixed addresses in the network Read-only to all fixed addresses in the network
Infoblox Administrator Guide (Rev. A) 87

NIOS 4.3r4

Managing Administrators

Table 3.5 Permissions for Common Tasks (continued)

To perform the following task(s)... | Admins need the following permission(s)

Create DHCP ranges
    Read/Write to the parent network
Modify and delete DHCP ranges
    Read/Write to the DHCP ranges in the network
Schedule tasks for supported objects, such as adding an A record or deleting a host record
    Read/Write to schedule tasks
    Read/Write to the DNS zones to which the objects belong
    Read/Write to the networks to which the objects belong
Initiate and control network discoveries on a network
    Read/Write to network discovery
    Read/Write to the networks on which you want to run the discovery

For information about specific tasks and their required permissions, see the following:
Grid members: See Administrative Permissions for Grid Members on page 89.
Scheduling tasks: See Administrative Permissions for Scheduling Tasks on page 90.
DNS resources: See Managing DNS Resource Permissions on page 91.
DHCP resources: See Managing Administrative Permissions for DHCP Resources on page 96.
RADIUS resources: See Administrative Permissions for the RADIUS Service on page 104.
File distribution resources: See Administrative Permissions for File Distribution Services on page 106.


Administrative Permissions for Grid Members


By default, the grid master denies access to grid members when a limited-access admin group does not have defined permissions. You can grant an admin group read-only or read/write permission, or deny access to all grid members, or you can grant permission to specific grid members, as described in Applying Permissions and Managing Conflicts on page 79.

Note: Only superusers can modify DNS and DHCP grid properties.

The following table lists the tasks admins can perform and the required permissions for grid members.

Table 3.6 Grid Member Permissions


To perform the following tasks | Admins need the following permission(s)

View DNS member properties
View and download syslog
View DNS cache and configuration file
View DHCP member properties
View network statistics and DHCP configuration file
Restart grid DNS and DHCP services
    Read-only to grid members
Assign members to networks
Assign members to DHCP ranges
    Read/Write to grid members
    Read/Write to networks
    Read/Write to DHCP ranges
Edit member properties
Clear DNS cache
    Read/Write to grid members
Add grid members to a Match Members list of a view
Delete a view with grid members in a Match Members list
    Read/Write to grid members
    Read-only to views
Assign members to DNS zones
    Read/Write to grid members
    Read/Write to zones


Administrative Permissions for Scheduling Tasks


You can schedule tasks, such as adding hosts or modifying fixed addresses, for a future date and time. To schedule tasks, you must first enable the scheduling feature at the grid level, and then define administrative permissions for admin groups and admin roles. For information, see Scheduling Tasks on page 136. Only superusers can enable and disable this feature and grant scheduling permissions to admin groups. Limited-access admin groups can schedule tasks only when they have scheduling permissions. Superusers can do the following:
Enable and disable task scheduling at the grid level
Grant and deny scheduling permissions to admin groups and admin roles
Schedule tasks for all object types
Reschedule and delete any scheduled task

You can set global permissions to schedule tasks as described in Defining Permissions on page 81. The following table lists the tasks admins can perform and the required permissions. Users with read/write permission to scheduling can view, reschedule, and delete their own scheduled tasks.

Table 3.7 Scheduling Task Permissions


To perform the following tasks | Admins need the following permission(s)

Schedule the addition, modification, and deletion of all supported object types.
View, reschedule, and delete scheduled tasks.
    Read/Write to scheduling tasks
    Read/Write to all networks and DNS zones
    Read/Write to all shared record groups

To schedule tasks for specific resources, admins must have Read/Write permission to scheduling tasks, plus the required permissions to the supported resources. For information about permissions for specific resources, see the following:
Grid members: See Administrative Permissions for Grid Members on page 89.
DNS resources: See Managing DNS Resource Permissions on page 91.
DHCP resources: See Managing Administrative Permissions for DHCP Resources on page 96.

Note that the appliance deletes all pending scheduled tasks when superusers disable task scheduling at the grid level. The appliance deletes an admin's scheduled tasks when superusers do any of the following:
Set the scheduling permission of admin groups and roles to Deny
Delete or disable an admin group or an admin role
Delete or disable local admins
Delete the scheduling permission from any admin group or admin role that contains users with pending scheduled tasks
Change the admin group of a limited-access admin


Managing DNS Resource Permissions


You can grant roles and admin groups read-only or read/write permission, or deny access to the following DNS resources:
DNS Views
Zones
A records
AAAA records
CNAME records
DNAME records
MX records
PTR records
SRV records
TXT records
Hosts
Bulk Hosts
Shared Record Groups
Shared A records
Shared AAAA records
Shared MX records
Shared SRV records
Shared TXT records

The appliance applies permissions for DNS resources hierarchically. Permissions to a DNS view apply to all zones and resource records in that view. Permissions for a zone apply to all its subzones and resource records, and resource record permissions apply to those resource records only. To override permissions set at a higher level, you must define permissions at a more specific level. To assign permissions, see Applying Permissions and Managing Conflicts on page 79. The following sections describe the different types of permissions that you can set for DNS resources:
Administrative Permissions for DNS Views on page 92
Administrative Permissions for Zones on page 93
Administrative Permissions for Resource Records on page 94


Administrative Permissions for DNS Views


Limited-access admin groups can access DNS views, including the default view, only if their administrative permissions are defined. Permissions to a DNS view apply to all its zones and resource records. To override view-level permissions, you must define permissions for its zones and resource records. For example, you can grant an admin group read-only permission to a view and read/write permission to all its zones. This allows the admins to display the view properties, but not edit them, and to create, edit and delete zones in the view. You can grant read-only or read/write permission, or deny access to DNS views, as follows:
All views: Global permission that applies to all DNS views in the database.
A specific view: Applies to its properties and its zones, if you do not define zone-level permissions. This overrides the global view permissions.
All zones in a view: If you do not define permissions for zones, they inherit the permissions of the view they are in.

For information on setting permissions for a view and its zones, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for DNS views.

Table 3.8 Permissions for Views


To perform the following tasks | Admins need the following permission(s)

Display view properties
Display zones and resource records
    Read-only to all views
Create, modify, and delete views
Create, modify, and delete all zones and resource records
    Read/Write to all views
Modify and delete a view
Create, modify, and delete zones and resource records in a view
    Read/Write to the view
Add grid members to a Match Members list of a view
Delete a view with grid members in a Match Members list
    Read/Write to grid members
    Read/Write to the view
Display zone properties, subzones, and resource records
    Read-only to all zones in a view
Create, modify, and delete zones
Create, modify, and delete subzones and resource records
    Read/Write to all zones in a view


Administrative Permissions for Zones


By default, zones inherit administrative permissions from the DNS view in which they reside. You can override view-level permissions by setting permissions for specific zones. Permissions set for a zone are inherited by its subzones and resource records. To override zone-level permissions, set permissions for specific subzones and resource records. For example, you can grant an admin group the following permissions:
Read-only to a zone and to all its A, AAAA, and PTR records
Read/Write permission to all MX and SRV records in the zone
Deny to all the other resource records (CNAME, DNAME, TXT, host, and bulk host)

You can grant read-only or read/write permission, or deny access to zones as follows:
All zones: Global permission that applies to all zones in all views.
All zones in a view: Permissions at this level override the global permissions.
A specific zone: Applies to the zone properties and resource records, if you do not define permissions for its resource records. This overrides global and view-level permissions. If you delete a zone and reparent its subzone, the subzone inherits the permissions of the new parent zone.
Each resource record type in a zone: For example, you can define permissions for all A records and for all PTR records in a zone. If you do not define permissions for resource records, they inherit the permissions of the zone in which they reside.

For information on setting permissions for zones and resource records, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for zones.

Table 3.9 DNS Zone Permissions


To perform the following tasks | Admins need the following permission(s)

View zone properties, subzones, and resource records
Search for a zone, its subzones, and resource records
    Read-only to the zone
Create, modify, and delete subzones and resource records
Search for zones, subzones, and resource records
    Read/Write to all zones
Create, modify, and delete all zones in a view
Create, modify, and delete subzones and resource records
Search for zones, subzones, and resource records
    Read/Write to all zones in the view
Modify and delete a zone
Create, modify, and delete subzones and resource records
Lock and unlock a zone
Search within a zone for its subzones and resource records
    Read/Write to the zone
Assign grid members to a zone
Delete a zone with assigned grid members
    Read/Write to the zone
    Read/Write to grid members
Assign a name server group to a zone
Delete a zone with name server groups assigned
    Read/Write to the zone
    Read/Write to all grid members in the name server group
Assign a shared record group to a zone
    Read/Write to the shared record group
Copy resource records from one zone to another
    Source zone:
        Read-only to the source zone
        Read-only to resource records to be copied
    Destination zone:
        Read/Write to the destination zone
        Read/Write to all resource records in the destination zone

Administrative Permissions for Resource Records


Resource records inherit the permissions of the zone to which they belong. You can override zone-level permissions by setting permissions for specific resource records. You can grant read-only or read/write permission, or deny access to resource records as follows:
Each resource record type in all zones and in all views: Global permission that applies to all resource records of the specified type; for example, all A records in the database.
Each resource record type in a zone: Permissions at this level override global permissions.
A specific resource record: Overrides zone-level permissions.

For information on setting permissions for resource records, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for resource records.

Table 3.10 DNS Resources


To perform the following tasks | Admins need the following permission(s)

View resource records for a specified type only
Search for records of a specified type
    Read-only to the resource record type, such as all A records or all PTR records
Create, modify, and delete resource records for a specified type
Search for records of a specified type
    Read/Write to the resource record types, such as all A records or all PTR records
View a resource record
    Read-only to the resource record
View, modify, and delete a resource record
    Read/Write to the resource record

The following are additional guidelines:
Only admins with read/write permission to bulk host records and read/write permission to reverse zones can create bulk host records and automatically add reverse-mapping zones.
To create host records, admins must have read/write permission to the network and zone of the host.
Admins must have read-only permission to the host records in a zone to view the Host Name Compliance Report.
Admins must have read/write permission to the resource records in a zone to modify host names that do not comply with the host policy.


Administrative Permissions for Shared Record Groups


By default, only superusers can add, edit, and delete shared record groups. Limited-access admin groups can access shared record groups only if their administrative permissions are defined. You can set different permissions for a shared record group and for each type of shared resource record in the group. For example, you can grant a role or an admin group the following permissions:
Read-only to a shared record group and to all its shared A and AAAA records
Read/Write permission to all the shared MX and SRV records in the shared record group
Deny to the TXT records

You can grant read-only or read/write permission, or deny access to shared record groups, as follows:
All shared record groups: Global permission that applies to all shared record groups in the database.
A specific shared record group: Overrides global permissions.
Each shared record type in all shared record groups: The shared resource record types include shared A records, shared AAAA records, shared MX records, shared SRV records, and shared TXT resource records.
Each shared record type in a shared record group: Permissions at this level override global permissions.
A specific shared record: Overrides zone-level permissions.

Note the following guidelines:
Shared record group permissions override zone permissions.
Even if a zone is locked, superusers and limited-access users with read/write access can still edit or delete a shared record in the zone.

For information on setting permissions for shared record groups, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for shared record groups.

Table 3.11 Permissions for Shared Record Groups


To perform the following tasks | Admins need the following permission(s)

View a shared record group
    Read-only to the shared record group
Create, modify, and delete shared record groups
    Read/Write to all shared record groups
Modify and delete a shared record group
    Read/Write to the shared record group
Assign a shared record group to zones
Change the zones associated with a shared record group
Delete zones with a shared record group assigned. Before you delete a shared record group, you must remove all zones associated with it.
    Read/Write to the shared record group
    Read/Write to the target zones
View shared records for a specific type only
Search for records of a specified type
    Read-only to the shared record type in all shared record groups
Create, modify, and delete shared records for a specified type
    Read/Write to the shared record type in all shared record groups
View shared records for a specific type in a specified shared record group only
    Read-only to the shared record type in the specific shared record group
Create, modify, and delete shared records for a specific type in a specified shared record group
    Read/Write to the shared record type in the specific shared record group
View a shared record
    Read-only to the specific shared record
View, modify, and delete a shared record
    Read/Write to the specific shared record

Managing Administrative Permissions for DHCP Resources


Limited-access admin groups can access certain DHCP resources only if their administrative permissions are defined. By default, the appliance denies access when a limited-access admin group does not have defined permissions. You can grant admin groups read-only or read/write permission, or deny access to the following DHCP resources:
Network views
Networks
Shared networks
DHCP ranges
Fixed addresses
MAC address filters
Network templates
DHCP range templates
Fixed address templates
DHCP lease history

You can grant an admin group broad permissions to DHCP resources, such as read/write permission to all networks and shared networks in the database. In addition, you can grant permission to specific resources, such as a specific network, a DHCP range, or an individual IP address in a network. Permissions at more specific levels override global permissions. The following sections describe the different types of permissions that you can set for DHCP resources:

Administrative Permissions for Network Views on page 97
Administrative Permissions for Networks and Shared Networks on page 98
Administrative Permissions for Fixed Addresses on page 100
Administrative Permissions for DHCP Ranges on page 101
Administrative Permissions for DHCP Templates on page 102
Administrative Permissions for MAC Address Filters on page 103
Administrative Permissions for the DHCP Lease History on page 104

Administrative Permissions for Network Views


Limited-access admin groups can access network views, including the default network view, only if they have read-only or read/write permission to a specific network view or to all network views. Permissions granted to a network view apply to all its networks, shared networks, DHCP ranges and fixed addresses. You can grant admin groups read-only or read/write permission, or deny access to network views as follows:
All network views: Global permission that applies to all network views in the database.
A specific network view: Permission to a specific network view applies to the properties you set in the Network View editor, and to all the networks and shared networks in the network view. This overrides the global permission to all network views.

When you configure permissions for a network view, you can also set permissions for the following:
All networks in the selected network view: If you do not define permissions for networks, they inherit the permissions of their network view.
All shared networks in a specific network view: If you do not define permissions for shared networks, they inherit the permissions of their network view.

Note that you can grant an admin group read-only or read/write permission to specific networks in a network view, without granting them permission to that network view. For information, see Administrative Permissions for Networks and Shared Networks on page 98. For information on how to define permissions for network views, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for network views.

Table 3.12 Network View Permissions


To perform the following tasks | Admins need the following permission(s)

View the properties of all network views
View network statistics
View and search for networks and shared networks
    Read-only to all network views
View the properties of a network view
View and search for networks and shared networks in a network view
    Read-only to the network view
Create and delete network views and their associated DNS views
    Read/Write to all network views
    Read/Write to all DNS views
Modify network views
Create, modify, and delete networks and shared networks in a network view
Expand/join networks
    Read/Write to all network views
Delete a network view and the associated DNS view
    Read/Write to the specific network view
    Read/Write to all or specific DNS views
Modify a network view
Create, modify, and delete networks and shared networks in a network view
Expand/join networks in a view
    Read/Write to the specific network view
View the properties of all networks in a view
Search for networks in a view
View network statistics
    Read-only to all networks in the network view
Create, modify, and delete networks, DHCP ranges and fixed addresses in a network view
Expand/join networks
    Read/Write to all networks in the network view
View the properties of all shared networks in a view
Search for shared networks in a view
    Read-only to all shared networks in the network view
Create, modify, and delete shared networks in a network view
    Read/Write to all shared networks in the network view

Administrative Permissions for Networks and Shared Networks


Limited-access admin groups can access networks, including shared networks, only if their administrative permissions are defined. Permissions for a network apply to all its DHCP ranges and fixed addresses. To override network-level permissions, you must define permissions for specific DHCP ranges and fixed addresses. For example, you can grant an admin group read-only permission to a network, read/write permission to its DHCP ranges, and read-only permission to its fixed addresses. You can grant read-only or read/write permission, or deny access to networks, as follows:
All networks: Global permission that applies to all networks in the database.
All shared networks: Global permission that applies to all shared networks in the database.
A specific network: Network permissions apply to its properties and to all DHCP ranges, fixed addresses and hosts in the network, if they do not have permissions defined. This overrides global permissions.
All DHCP ranges in a network: If you do not define permissions for DHCP ranges, they inherit the permissions of the network in which they reside.
All fixed addresses in a network: If you do not define permissions for fixed addresses, they inherit the permissions of the network in which they reside.

To define permissions for a specific network and its DHCP ranges and fixed addresses, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for networks.

Table 3.13 Network Permissions


To perform the following tasks | Admins need the following permission(s)

View the properties of all networks
View network statistics
    Read-only to all networks
View the IP Address Management panel
    Read-only to all networks
    Read-only to all DNS views
Create, modify, and delete networks
Create, modify, and delete DHCP ranges and fixed addresses
Expand/join networks
    Read/Write to all networks
Create networks from templates
    Read/Write to all networks
    Read-only to network templates
View shared networks
    Read-only to all shared networks
Create, modify, and delete shared networks
    Read/Write to all shared networks
View the properties of a network
View network statistics
Search for a network
    Read-only to the specific network
Modify and delete a network
Create, modify, and delete DHCP ranges and fixed addresses in a network
Expand/join networks, if admins have read/write permission to both networks
    Read/Write to the specific network
Create/Split network and automatically create a reverse zone
    Read/Write to the network
    Read/Write to the parent zones
Assign a grid member to a network and its DHCP ranges
Modify and delete a network with the assigned grid member
    Read/Write to the network
    Read/Write to the grid member
View DHCP ranges
Search for DHCP ranges
    Read-only to all DHCP ranges in the network
Create, modify, and delete DHCP ranges
    Read/Write to all DHCP ranges in the network
View fixed addresses
Search for fixed addresses
    Read-only to all fixed addresses in the network
Create, modify, and delete fixed addresses
    Read/Write to all fixed addresses in the network


Administrative Permissions for Fixed Addresses


Fixed addresses inherit the permissions of the networks in which they reside. You can override network-level permissions by defining permissions for fixed addresses. You can grant read-only or read/write permission, or deny access to fixed addresses, as follows:
All fixed addresses: Global permission that applies to all fixed addresses in the database.
All fixed addresses in a network: Permissions at this level override global permissions. If you do not define permissions for fixed addresses, they inherit the permissions of the network in which they reside.
A single fixed address: Overrides global and network-level permissions.

For information on setting permissions for fixed addresses, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for fixed addresses.

Table 3.14 Permissions for Fixed Addresses


To perform the following tasks | Admins need the following permission(s)

View fixed addresses
Search for fixed addresses
    Read-only to all fixed addresses
View fixed addresses in a network
Search for fixed addresses in a network
    Read-only to all fixed addresses in the network
Create, modify, and delete fixed addresses
    Read/Write to all fixed addresses
Create, modify, and delete fixed addresses in a network
    Read/Write to all fixed addresses in the network
View a fixed address
    Read-only to the fixed address
Modify and delete a fixed address
    Read/Write to the fixed address


Administrative Permissions for DHCP Ranges


DHCP ranges inherit the permissions of the networks in which they reside. You can override network-level permissions by defining permissions for DHCP ranges. You can grant read-only or read/write permission, or deny access to DHCP address ranges, as follows:
All DHCP ranges: Global permission that applies to all DHCP ranges in the database.
All DHCP ranges in a network: Permissions at this level override global permissions. If you do not define permissions for DHCP ranges, they inherit the permissions of the network in which they reside.
A single DHCP range: Overrides global and network-level permissions.

For information on setting permissions for DHCP ranges, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for DHCP ranges.

Table 3.15 DHCP Ranges


To perform the following tasks | Admins need the following permission(s)

View DHCP ranges
Search for DHCP ranges
    Read-only to all DHCP ranges
View DHCP ranges in a network
Search for DHCP ranges in a network
    Read-only to all DHCP ranges in the network
Create, modify, and delete DHCP ranges
Search for DHCP ranges
    Read/Write to all DHCP ranges
Create, modify, and delete DHCP ranges in a network
Search for DHCP ranges in a network
    Read/Write to all DHCP ranges in the network
Modify and delete a DHCP range
Apply relay agent filters and Option filters to a DHCP range
    Read/Write to the DHCP range
Apply a MAC address filter to a DHCP range
    Read/Write to the DHCP range
    Read-only to the MAC address filter
Assign a grid member to a DHCP range
Modify and delete a DHCP range with an assigned grid member or DHCP failover association
    Read/Write to the DHCP range
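The inheritance and override rules stated in the DNS sections (views, zones, resource records) and the DHCP sections (network views, networks, fixed addresses, DHCP ranges) follow one pattern: deny unless a permission is defined, and the permission defined at the most specific level wins. The following model is an added example written for this page, not Infoblox code; its data model, function names, sample objects and the exact tie-breaking order among scopes are assumptions chosen to reproduce the worked examples in the text.

```python
"""Illustrative model of the hierarchical permission resolution this page describes.
Added example, not Infoblox code: the data model, function names and sample objects are
assumptions made here to show the stated rules (deny unless a permission is defined;
a permission at a more specific level overrides one inherited from its container)."""
from dataclasses import dataclass, field

DENY, RO, RW = "Deny", "Read-only", "Read/Write"
RANK = {DENY: 0, RO: 1, RW: 2}

# A resource is addressed by a path of (kind, name) pairs, outermost container first:
#   [("view", "default"), ("zone", "corp.example"), ("A", "www")]
# A permission scope has the same shape; the name "*" means "all objects of this kind
# at this position" (e.g. "all zones in a view", "all A records in a zone").


@dataclass
class AdminGroup:
    """A limited-access admin group (superusers bypass these checks entirely)."""
    name: str
    rules: list = field(default_factory=list)  # (scope, permission) pairs

    def grant(self, scope, perm):
        self.rules.append((list(scope), perm))


def _matches(scope, path):
    """True when scope is a prefix of path, with '*' matching any name."""
    if len(scope) > len(path):
        return False
    return all(sk == pk and sn in ("*", pn)
               for (sk, sn), (pk, pn) in zip(scope, path))


def _specificity(scope):
    # Assumption of this model: the rule naming more concrete objects wins, then the
    # longer scope wins. So "all A records in zone X" beats "zone X", "zone X" beats
    # "all zones in view V", and every global ("all ...") rule loses to any of them.
    return (sum(n != "*" for _, n in scope), len(scope))


def resolve(group, path):
    """Effective permission of `group` on the resource at `path`; Deny if none applies."""
    best = None
    for scope, perm in group.rules:
        if _matches(scope, path) and (
                best is None or _specificity(scope) > _specificity(best[0])):
            best = (scope, perm)
    return best[1] if best else DENY


def can(group, requirements):
    """True when every (path, minimum permission) pair is satisfied, the way a row of
    Table 3.5 lists several permissions that a task needs at the same time."""
    return all(RANK[resolve(group, path)] >= RANK[need] for path, need in requirements)


def dns_ops_group():
    """The worked examples from the DNS views and zones sections (constructed data)."""
    g = AdminGroup("dns-ops")
    view, zone = ("view", "default"), ("zone", "corp.example")
    g.grant([view], RO)                      # read-only to the view ...
    g.grant([view, ("zone", "*")], RW)       # ... but read/write to all its zones
    g.grant([view, zone], RO)                # one zone stays read-only, incl. A/AAAA/PTR
    for rtype in ("MX", "SRV"):
        g.grant([view, zone, (rtype, "*")], RW)
    for rtype in ("CNAME", "DNAME", "TXT", "host", "bulkhost"):
        g.grant([view, zone, (rtype, "*")], DENY)
    g.grant([view, zone, ("TXT", "_dmarc")], RO)   # a single record overrides its type
    g.grant([("member", "*")], RW)                 # read/write to all grid members
    return g


def dhcp_ops_group():
    """The example from the networks section: read-only network, read/write ranges,
    read-only fixed addresses (constructed data)."""
    g = AdminGroup("dhcp-ops")
    net = [("netview", "default"), ("network", "10.1.0.0/16")]
    g.grant(net, RO)
    g.grant(net + [("range", "*")], RW)
    g.grant(net + [("fixed", "*")], RO)
    return g


if __name__ == "__main__":
    g = dns_ops_group()
    v, z = ("view", "default"), ("zone", "corp.example")
    for path in ([v], [v, ("zone", "sales.example")], [v, z], [v, z, ("A", "www")],
                 [v, z, ("MX", "mail")], [v, z, ("TXT", "spf")], [v, z, ("TXT", "_dmarc")]):
        print(path[-1], "->", resolve(g, path))
    # Table 3.5: assigning grid members to a zone needs read/write to members and zone.
    print("assign member to corp.example:",
          can(g, [([("member", "ns1")], RW), ([v, z], RW)]))
```

Running the module shows the view read-only, sales.example read/write, corp.example and its A records read-only, its MX records read/write and its TXT records denied except the single `_dmarc` record; the Table 3.5 check fails for corp.example because the zone is read-only.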


Administrative Permissions for DHCP Templates


There are three types of DHCP templates: network, DHCP range, and fixed address templates. To access any of these templates, a limited-access admin group must have read-only permission to the template. Limited-access admin groups cannot have read/write permission to the templates. Only superusers can create, modify and delete network, DHCP range, and fixed address templates. An admin group with read-only permission to the DHCP templates can view them and use them to create networks, DHCP ranges and fixed addresses, as long as it also has read/write permission to those DHCP resources. You can set global read-only permission that applies to all DHCP templates, and you can set permissions to specific templates as well. For information on setting permissions, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for DHCP templates.

Table 3.16 Permissions for DHCP Templates


To perform the following tasks | Admins need the following permission(s)

View a template
    Read-only permission to the DHCP template
Create a network from a template
    Read-only permission to the DHCP template
    Read/Write permission to all networks
Create a DHCP range from a template
    Read-only permission to the DHCP template
    Read/Write permission to all DHCP ranges or to the network
Create a fixed address from a template
    Read-only permission to the DHCP template
    Read/Write permission to all fixed addresses or to the network

Note the following additional guidelines:
DHCP range templates and fixed address templates do not inherit their permissions from network templates. You must set permissions for each type of template.
An admin group can create a network using a network template that includes a DHCP range template and a fixed address template, even if it has no permission to access the DHCP range and fixed address templates.


Administrative Permissions for MAC Address Filters


Limited-access admin groups can access MAC address filters only if their administrative permissions are defined. The appliance denies access to MAC address filters for which an admin group does not have defined permissions. You can grant read-only or read/write permission, or deny access to MAC address filters as follows:
All MAC address filters in the database
A specific MAC address filter

For information on setting permissions, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for MAC address filters.

Table 3.17 Permissions for MAC Filters


To perform the following tasks | Admins need the following permission(s)

View a MAC address filter and its MAC address entries
    Read-only to the MAC address filter
Apply a MAC address filter to a DHCP range
Delete a MAC address filter from a DHCP range
    Read-only to the MAC address filter
    Read/Write to the DHCP range
Create, modify, and delete MAC address filters
Add and delete MAC address entries
    Read/Write to all MAC address filters
Modify and delete a MAC address filter
Add, modify, and delete MAC address entries
    Read/Write to the MAC address filter

Administrative Permissions for Network Discovery


Limited-access admin groups can initiate a discovery and manage discovered data based on their administrative permissions. You can set global permissions for network discovery as described in Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for network discovery.

Table 3.18 Permissions for Network Discovery


Task: required permission(s)
Initiate and control a discovery on networks with read-only permission; View discovered data: Read/Write to network discovery and Read-only to networks selected for discovery.
View discovered data; Add unmanaged data to existing hosts, and resolve conflicting IP addresses: Read/Write to networks selected for discovery.
Convert unmanaged data to a host, fixed address, reservation, A record, or PTR record: Read/Write to networks selected for discovery and Read/Write to the DNS zone or specific record type.


Administrative Permissions for the DHCP Lease History


A limited-access admin group can view and export the DHCP lease history if it has read-only permission to the DHCP lease history. Permissions to the DHCP lease history are different from the network permissions. Therefore, an admin group can access the DHCP lease history regardless of its network permissions. Note that only superusers can import a DHCP lease history file.
To define permissions for the DHCP lease history:
1. Do one of the following from the Administrator perspective:
- To define the permissions of an admin role, click + (for Roles) -> + admin_role -> Edit -> Add Permissions.
- To define the permissions of an admin group, click + (for Groups) -> admin_group -> Edit -> Add Permissions.
2. Click Add in the Add Global Permissions tab. From the Resource drop-down list, select DHCP Lease History, and then click Read Only or Deny.
3. Click OK to close the dialog box.

Administrative Permissions for the RADIUS Service


If you configured the RADIUS service on the NIOS appliance, you can restrict access to the service and its resources. By default, the appliance denies access to the resources of the RADIUS service unless an admin group has its administrative permissions defined. You can grant read-only or read/write permission, or deny access to the following RADIUS resources:
- Grid AAA Properties: Applies to the grid and its members, the local and replicated users, policies, and external services, unless permissions are defined. You can set this from the Administrators perspective only.
- Member AAA Properties: Overrides the grid-level permission for the member only. The permission you set here does not affect the permissions for the local and replicated users, policies, and external services.
- AAA Local Users: Inherits the grid permission, unless otherwise defined.
- AAA Replicated Users: Inherits the grid permission, unless otherwise defined.
- AAA Policies: Inherits the grid permission, unless otherwise defined.
- AAA External Services: Inherits the grid permission, unless otherwise defined.

For information on setting permissions, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for RADIUS resources.

Table 3.19 Permissions for AAA


Task: required permission(s)
Download CA certificates; Download certificate signing request; Download EAP server certificate; View the AAA member properties: Read-only to AAA grid properties.
All tasks in the AAA perspective: Read/Write to grid AAA properties.
View syslog; View RADIUS configuration; Export RADIUS detail file: Read-only to AAA member properties.
Edit member properties: Read/Write to AAA member properties.
View local users: Read-only to AAA local users.
Add, modify, and delete local users: Read/Write to AAA local users.
View replicated users: Read-only to AAA replicated users.
Add, modify, and delete AD domains; Synchronize with AD domain; Delete replicated AD users and groups: Read/Write to AAA replicated users.
View RADIUS authentication and accounting home servers, network access servers, and AD, LDAP, and McAfee authentication services: Read-only to external services.
Add, modify, and delete network access servers: Read/Write to external services.
Add, modify, and delete RADIUS authentication home servers, RADIUS accounting home servers, AD authentication services, LDAP authentication services, and McAfee validation services: Read/Write to external services.
Associate the grid member with a NAS: Read/Write to AAA member properties.
View policies: Read-only to AAA policies.
Add, edit, and delete policies: Read/Write to AAA policies.


Administrative Permissions for File Distribution Services


You can restrict access to the TFTP, HTTP, and FTP services provided by the appliance. By default, the appliance denies access to the TFTP, HTTP, and FTP services unless an admin group has its administrative permissions defined. You can grant read-only or read/write permission, or deny access to the following resources:
- Grid File Distribution Properties: Applies to the grid and its members, directories, and files. You can set this from the Administrators perspective only.
- Member File Distribution Properties: Applies to the grid member properties only.
- A specific directory: Applies to the directory and its files.

For information on setting permissions, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for file distribution services.

Table 3.20 Permissions for File Distribution Services


Task: required permission(s)
View the grid and member file distribution properties, directories, and files: Read-only to Grid File Distribution Properties.
Edit the grid and member file distribution properties; Create and remove directories and files: Read/Write to Grid File Distribution Properties.
View the member file distribution properties: Read-only to Member File Distribution Properties.
Edit the member file distribution properties: Read/Write to Member File Distribution Properties.
View a directory, its files, and subdirectories: Read-only to the directory.
Remove a directory; Add and remove files and subdirectories: Read/Write to the directory.


Authenticating Administrators
The NIOS appliance supports the following authentication methods: local database, RADIUS, and Active Directory. The appliance can use any combination of these authentication methods. It authenticates admins against its local database by default. Therefore, if you want to use local authentication only, you must configure the admin groups and add the local admin accounts, as described in Authenticating Administrators on page 107. If you want to authenticate admins using RADIUS and Active Directory in addition to local authentication, you must define those services on the appliance and define the admin policy. For additional information, see About Remote Admins on page 108.

Note: Infoblox strongly recommends that even if you are using remote authentication, you always have at least one local admin in a local admin group to ensure connectivity to the NIOS appliance in case the remote servers become unreachable.

Creating Local Admins


When you create an admin account, you must specify the name, password, and admin group of the admin. You can optionally provide an e-mail address and specify the page size of the GUI. In addition, you can also control in which time zone the appliance displays the time in the audit log and the DHCP and IPAM perspective windows, such as the DHCP Lease History and DHCP Leases panels. The appliance can use the time zone that it automatically detects from the management system that the admin uses to log in. Alternatively, you can override the time zone auto-detection feature and specify the time zone.
To create an admin account and add it to an admin group:
1. Log in using a superuser account.
2. From the Administrators perspective, click + (for Groups) -> admin_group -> Edit -> Add Local Admin.
3. Enter the following:
- Admin Name: Enter the name of the administrator. This is the name that the administrator uses to log in.
- Group: Choose the admin group of the administrator. An admin can belong to only one admin group at a time.
- Email Address: Enter the e-mail address for this administrator. Note that this address simply provides contact information. The NIOS appliance does not send e-mail notifications to it. You define the e-mail address for notifications on the Email section of the Device or Grid Editor.
- Comment: Enter pertinent information about the administrator, such as location or department.
- Password: Enter a password for the administrator to use when logging in.
- Re-Type Password: Enter the same password.
- Override admin group page size: Clear this check box to use the same page length specified for the admin group. Select this check box to enter a different page length.
- Page Size: Enter a value for the number of lines of data that you want a single GUI list view to contain for this administrator. When there is a lot of data, you can improve the display performance by setting a smaller page size, such as 100 instead of 1000. You can set the page size from 10 to 2000. The default page size is 100.
- Override auto-detect time zone: Select this check box if you want to specify the time zone for the administrator. Clear this check box if you want the appliance to automatically detect the time zone from the management system that the administrator uses to connect to the appliance.
- Time Zone: Select the time zone that the appliance uses when it displays the dates and time stamps in the audit log and the DHCP and IPAM perspective windows.


- Disable this admin: Select this check box to retain an inactive profile for this administrator in the configuration. For example, you might want to define a profile for a recently hired administrator who has not yet started work. Then, when he or she does start, you simply need to clear this check box to activate the profile.
4. Click the Save icon to save your changes.

Modifying and Removing an Admin Account


You can modify and remove the admin accounts you create, but you can only partially modify the default superuser account, admin, and only when you are logged in as the superuser admin. Furthermore, because there must always be a superuser account on the appliance, you can only remove the default admin account after you create another superuser account.

About Remote Admins


You can configure the NIOS appliance to authenticate admins whose user credentials are stored on a RADIUS server or AD domain controller. The appliance can authenticate users against more than one authentication server, and supports remote and local authentication. To authenticate admins using RADIUS and Active Directory, you must define those services on the appliance and define the admin policy. The admin policy lists which authentication methods to use and in what order. It also lists admin groups that you have configured on the appliance and to which you can assign remote admins.

An admin inherits its privileges from its admin group; therefore, all admins must be assigned to an admin group. If you configured admin groups on the remote authentication server, the group names on the remote authentication server must match the group names on the NIOS appliance so the appliance can assign an admin to the correct group. If you did not configure admin groups on the remote authentication server, you must configure a default group for remote admins on the NIOS appliance.

When an admin logs in with a user name and password, the appliance uses the first method listed in the admin policy to authenticate the admin. If authentication fails, the appliance tries the next method listed. It tries each method on the list until it is successful or all methods fail. If all methods fail, the appliance denies access.

If authentication succeeds, the NIOS appliance determines the admin's privileges based on the admin group of the admin. It tries to match the admin group names, in the order in which they are listed in the admin policy, to any groups received from the remote server. If it finds a match, the NIOS appliance applies the privileges of that group to the admin and allows access. If the appliance does not find a match, it applies the privileges of the default group. If no default group is defined, the appliance denies access.
Figure 3.8 illustrates the authentication and authorization process for remote admins.


Figure 3.8 Authenticating Remote Admins (participants: Admin, NIOS appliance with its Admin Policy, RADIUS Server, AD Server)
1. An admin enters his user name and password to log in to the appliance.
2. The appliance checks the admin policy for the first authentication method, which is RADIUS. The appliance sends an Access-Request packet to the RADIUS server.
3. The RADIUS server responds with an Access-Reject packet because the admin's user name and password are not in its database.
4. The appliance tries the next authentication method on the list, which is Active Directory (AD). It sends a request to the AD server.
5. The AD server finds the user name and password in its database and sends an access accept together with the admin's group memberships. In the figure, user admin10 is a member of IT-Bldg1 and IT-Bldg2.
6. The appliance matches one of the admin's groups with a group in the admin policy. In the figure, the remote admin groups in the policy are Eng and IT-Bldg2.
7. The appliance allows the admin to log in and applies the privileges of the IT-Bldg2 group.

To configure the appliance to authenticate admins against a RADIUS server and an AD controller:
- Configure the RADIUS authentication service and AD authentication service. For information about the RADIUS authentication service, see Authenticating Using RADIUS. For information about the AD authentication service, see Authenticating Admin Accounts Using Active Directory on page 116.
- Configure admin groups that match those on the remote server. Optionally, specify a default admin group. For information about admin groups, see About Admin Groups on page 73.
- Configure the admin policy, as described in Defining the Admin Policy on page 118.

Note: Infoblox strongly recommends that even if you are using remote authentication, you always have at least one local admin in a local admin group to ensure connectivity to the appliance in case the remote servers become unreachable.
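The login decision described in About Remote Admins and Figure 3.8 (ordered authentication methods, then group matching in admin-policy order, then the default group, then deny), which is the same group matching the Active Directory section describes later, as an added runnable model. This is example code, not Infoblox's implementation; the policy, the stand-in servers, and every user, password, and group name are constructed.

```python
"""Added example, not Infoblox code: a model of the NIOS remote-admin
login decision. An admin policy is an ordered list of authentication
methods plus an ordered list of admin groups and an optional default
group. Every server, user, password and group name here is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A backend returns None when it rejects the login (Access-Reject or
# unknown user), otherwise the list of group names it reports for the admin.
Backend = Callable[[str, str], Optional[List[str]]]


@dataclass
class AdminPolicy:
    methods: List[str]            # tried in this order, e.g. ["RADIUS", "AD"]
    remote_groups: List[str]      # admin groups on the appliance, matched in order
    default_group: Optional[str] = None


@dataclass
class LoginResult:
    allowed: bool
    method: Optional[str] = None  # method that authenticated the admin
    group: Optional[str] = None   # admin group whose privileges are applied
    reason: str = ""


def authorize(policy: AdminPolicy, method: str, server_groups: List[str]) -> LoginResult:
    """Authorization: the first group in policy order that the server also
    reports wins; otherwise the default group; otherwise access is denied."""
    for group in policy.remote_groups:
        if group in server_groups:
            return LoginResult(True, method, group, "matched admin group")
    if policy.default_group is not None:
        return LoginResult(True, method, policy.default_group, "default group applied")
    return LoginResult(False, method, None, "no matching group and no default group")


def login(policy: AdminPolicy, backends: Dict[str, Backend], user: str, password: str) -> LoginResult:
    """Authentication: try each method in policy order until one succeeds."""
    for method in policy.methods:
        backend = backends.get(method)
        if backend is None:
            continue              # listed in the policy but no service configured
        groups = backend(user, password)
        if groups is None:
            continue              # rejected here: try the next method
        return authorize(policy, method, groups)
    return LoginResult(False, None, None, "all authentication methods failed")


def directory_backend(accounts: Dict[str, tuple]) -> Backend:
    """Constructed stand-in for a RADIUS server or AD domain controller.
    accounts maps user name -> (password, [group names reported for the user])."""
    def check(user: str, password: str) -> Optional[List[str]]:
        entry = accounts.get(user)
        if entry is None or entry[0] != password:
            return None
        return list(entry[1])
    return check


# Constructed scenario mirroring Figure 3.8: RADIUS first, then AD; the
# appliance knows the groups Eng and IT-Bldg2 and has no default group.
POLICY = AdminPolicy(methods=["RADIUS", "AD"], remote_groups=["Eng", "IT-Bldg2"])

BACKENDS: Dict[str, Backend] = {
    "RADIUS": directory_backend({"netops1": ("secret-r", ["Eng"])}),
    "AD": directory_backend({
        "admin10": ("secret-a", ["IT-Bldg1", "IT-Bldg2"]),   # only IT-Bldg2 exists on the appliance
        "lead3": ("secret-l", ["IT-Bldg2", "Eng"]),          # both exist: policy order decides
        "guest7": ("secret-g", ["Visitors"]),                # authenticates, but no group matches
    }),
}

if __name__ == "__main__":
    for user, pw in [("admin10", "secret-a"), ("lead3", "secret-l"),
                     ("guest7", "secret-g"), ("admin10", "wrong")]:
        r = login(POLICY, BACKENDS, user, pw)
        print(f"{user:8} allowed={r.allowed} method={r.method} group={r.group} ({r.reason})")
```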


Authenticating Using RADIUS


RADIUS provides authentication, accounting, and authorization functions. The NIOS appliance supports authentication using the following RADIUS servers: RADIUSone, FreeRADIUS, Microsoft, Cisco, and Funk. You must be a superuser to configure admin accounts and RADIUS server properties on the NIOS appliance. When you configure the appliance to authenticate administrators using a RADIUS server, the appliance acts similarly to a network access server (NAS), which is a RADIUS client that sends authentication and accounting requests to the RADIUS server. Figure 3.9 illustrates the authentication process.

Figure 3.9 Authentication using a RADIUS server


Participants: Administrator, NIOS appliance, RADIUS Server
1. A user makes an HTTPS connection to the NIOS appliance and sends a user name and password.
2. The appliance checks the remote admin policy and selects RADIUS as the authentication method.
3. The appliance sends an Access-Request packet to the RADIUS server.
4a. If the RADIUS server authenticates the user, it sends back an Access-Accept packet. The appliance lets the user log in and applies the authorization profile.
4b. If the RADIUS server rejects the authentication request, it sends back an Access-Reject packet. The appliance does not allow the user to log in.


Remote RADIUS Authentication


When you configure the NIOS appliance for remote authentication with a RADIUS server, you must specify the authentication method of the RADIUS server: PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol).

PAP tries to establish the identity of a host using a two-way handshake. The client sends the user name and password in clear text to the NIOS appliance. The appliance uses a shared secret to encrypt the password and sends it to the RADIUS server in an Access-Request packet. The RADIUS server uses the shared secret to decrypt the password. If the decrypted password matches a password in its database, the user is successfully authenticated and allowed to log in.

With CHAP, when the client tries to log in, it sends its user name and password to the NIOS appliance. The appliance then creates an MD5 hash of the password together with a random number that the appliance generates. It then sends the random number, user name, and hash to the RADIUS server in an Access-Request packet. The RADIUS server takes the password that matches the user name from its database and creates its own MD5 hash of the password and the random number that it received. If the hash that the RADIUS server generates matches the hash that it received from the appliance, the user is successfully authenticated and allowed to log in.

To configure the NIOS appliance to authenticate administrators using a RADIUS server, you must configure admin accounts and groups for these administrators on the RADIUS server. Then, on the NIOS appliance, you must do the following:
- Configure RADIUS service on the appliance.
- Define one or more admin groups and specify their privileges and settings. The names must match admin group names defined on the RADIUS server. The NIOS appliance applies these privileges and settings to users belonging to those groups on the RADIUS server. See About Admin Groups on page 73 for information about defining admin groups.
- If there are no admin groups defined on the RADIUS server, designate an admin group as the default group. See Configuring the Default Admin Group on page 118 for information about defining a default admin group.
- Add RADIUS service to the list of admin authentication methods in the admin policy to enable RADIUS authentication. See Configuring a List of Authentication Methods on page 119 for more information about configuring admin policy.
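The two credential encodings described above, carried through on both sides of the exchange as an added example (not Infoblox code). The PAP step the guide calls "encrypting" the password is the RFC 2865 User-Password hiding (MD5 of the shared secret and the Request Authenticator, XORed block by block with the padded password), and the CHAP step is the RFC 2865 CHAP-Password (MD5 of the CHAP identifier, the password, and the challenge); the shared secret, password, authenticator, and challenge values are constructed.

```python
"""Added example, not Infoblox code: RADIUS PAP and CHAP credential handling
as RFC 2865 specifies it, with the NAS (appliance) side and the server side
of each. All secrets and authenticators below are constructed values."""
import hashlib
import hmac


def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side for PAP: pad the password with NULs to a multiple of 16 bytes and
    XOR each block with b_i = MD5(secret + previous ciphertext block), where the
    first "previous block" is the 16-byte Request Authenticator of the packet."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block                     # chaining uses the hidden block, not the plaintext
    return bytes(out)


def pap_reveal(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side for PAP: undo the hiding with the same secret and authenticator,
    then strip the NUL padding (so a password must not itself end in NUL)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def pap_server_accepts(hidden: bytes, secret: bytes, request_auth: bytes,
                       stored_password: bytes) -> bool:
    """Access-Accept if the revealed password equals the one in the server database."""
    return hmac.compare_digest(pap_reveal(hidden, secret, request_auth), stored_password)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """NAS side for CHAP: CHAP-Password value = ident byte + MD5(ident + password + challenge).
    The challenge is the random value the appliance generates (sent as CHAP-Challenge)."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP identifier is one byte")
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_server_accepts(chap_password: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side for CHAP: recompute the hash from the stored password and compare."""
    if len(chap_password) != 17:
        return False
    ident = chap_password[0]
    expected = hashlib.md5(bytes([ident]) + stored_password + challenge).digest()
    return hmac.compare_digest(chap_password[1:], expected)


# Constructed values for a stand-alone run.
SECRET = b"example-shared-secret"        # known only to the appliance and the RADIUS server
PASSWORD = b"correct horse battery"      # 21 bytes, so hiding spans two 16-byte blocks
REQUEST_AUTH = bytes(range(16))          # a real NAS picks this at random per request
CHALLENGE = bytes(range(16, 32))         # a real appliance picks this at random per login

if __name__ == "__main__":
    hidden = pap_hide(PASSWORD, SECRET, REQUEST_AUTH)
    print("PAP User-Password on the wire:", hidden.hex())
    print("server accepts PAP:", pap_server_accepts(hidden, SECRET, REQUEST_AUTH, PASSWORD))
    resp = chap_response(7, PASSWORD, CHALLENGE)
    print("CHAP-Password on the wire:", resp.hex())
    print("server accepts CHAP:", chap_server_accepts(resp, CHALLENGE, PASSWORD))
```

Note that the PAP hiding is only as strong as the shared secret and the randomness of the Request Authenticator, which is why the guide insists the secret be known only to the appliance and the RADIUS server.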

Configuring RADIUS Authentication on the NIOS Appliance


To configure RADIUS server authentication for admins:
1. From the Administrators perspective, click + (for Remote Admins) -> RADIUS Authentication Services -> RADIUS Service -> Edit -> General RADIUS Properties.
2. In the RADIUS Authentication for Administrators editor, enter the following:
- Use MGMT port: Select this check box if the MGMT port is enabled and you want the NIOS appliance to communicate with all RADIUS servers through its MGMT port. If you clear the check box, you can still selectively use the MGMT port for one or more specific RADIUS servers (see Adding RADIUS Servers on page 112).
- Optionally, modify the Authentication settings. These settings apply to all RADIUS servers that you configure on the NIOS appliance.
  - Retry Period: Specify the number of seconds that the appliance waits for a response from the RADIUS server. The default is 5.
  - Maximum Retries: Specify how many times the appliance attempts to contact an authentication RADIUS server. The default is 6.

If you configured multiple RADIUS servers for authentication and the NIOS appliance fails to contact the first server in the list, it tries to contact the next server, and so on.


- Optionally, modify the Accounting settings.
  - Retry Period: Specify the number of seconds that the appliance waits for a response from the RADIUS server. The default is 5.
  - Maximum Retries: Specify how many times the appliance attempts to contact an accounting RADIUS server. The default is 1000.

If you configured multiple RADIUS servers for accounting and the NIOS appliance fails to contact the first server in the list, it tries to contact the next server, and so on.
3. Click the Save icon to save your changes.

Adding RADIUS Servers


You configure RADIUS server settings for admins at the grid level. Therefore, all members in a grid use the same set of RADIUS servers. You can configure multiple RADIUS servers for redundancy. When you do, the appliance tries to connect to the first RADIUS server on the list, and if the server does not respond within the maximum retransmission limit, it tries the next RADIUS server on the list.
To add and configure the properties of a RADIUS server:
1. From the Administrators perspective, click + (for Remote Admins) -> RADIUS Authentication Services -> RADIUS Service -> Edit -> General RADIUS Properties. The RADIUS Authentication for Administrators editor appears.
2. In the RADIUS Server Group section, click Add.
3. In the RADIUS Server Properties editor, enter the following:
- Server Name: Type a name for the RADIUS server. This name is for internal reference; for example, auth1. It does not need to be the FQDN (fully qualified domain name) of the RADIUS server.
- Comment: Enter additional information about the RADIUS server.
- Authentication Type: Specify the authentication method of the RADIUS server. You can specify either PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol). The default is PAP.
- IP Address: The IP address of the RADIUS server that is used for authentication.
- UDP Port: The destination port on the RADIUS server. The default is port 1812.
- Shared Secret: Enter the shared secret that the NIOS appliance and the RADIUS server use to encrypt and decrypt their messages. This shared secret is a value that is known only to the NIOS appliance and the RADIUS server.
Accounting
- Enable Accounting: Select this check box to enable the accounting feature, so you can track an administrator's activities during a session.
- IP Address: The IP address of the RADIUS server that is used for accounting. The default is the IP address of the authentication RADIUS server.
- UDP Port: The destination port on the RADIUS server. The default is port 1813.
- Shared Secret: Enter the shared secret that the appliance and the RADIUS server use to encrypt and decrypt their accounting messages. A shared secret is a value that is known only to the appliance and the RADIUS server.
- Use MGMT port: If you clear the Use MGMT port check box in the General RADIUS Properties editor and select this check box, the NIOS appliance uses the MGMT port for administrator authentication communications with just this RADIUS server. If you select the Use MGMT port check box in the General RADIUS Properties editor, this check box becomes irrelevant. Whether you select or clear it, the NIOS appliance always uses the MGMT port for communications with all RADIUS servers, including this one.


- Disable this server: Select this check box to disable a RADIUS server if, for example, the connection to the server is down and you want to stop the NIOS appliance from trying to connect to this server.
4. Click OK.
5. Click the Save icon to save your changes.

Testing the RADIUS Server


After you add a RADIUS server to the NIOS appliance, you can validate the configuration. The appliance uses a pre-defined user name and password when it tests the connection to the RADIUS server. The pre-defined user name is infoblox_test_user and the password is infoblox_test_password. Do not use these as your administrator user name and password.
To test the configuration:
1. From the Administrators perspective, click + (for Remote Admins) -> RADIUS Authentication Services -> RADIUS Service -> Edit -> General RADIUS Properties. The RADIUS Authentication for Administrators dialog box appears.
2. In the RADIUS Server Group section, select a server and click Modify. The RADIUS Server Properties dialog box appears.
3. Click Test Configuration. If the NIOS appliance connects to the RADIUS server using the configuration you entered, it displays a message confirming that the configuration is valid. If it is unable to connect to the RADIUS server, the appliance displays a message indicating an error in the configuration.

Maintaining the RADIUS Admins Server List on the NIOS Appliance


When you add multiple RADIUS servers, the appliance lists the servers in the order in which you added them. This list also determines the order in which the NIOS appliance attempts to contact a RADIUS server. You can change the order of the list, as follows:
1. From the Administrators perspective, click + (for Remote Admins) -> RADIUS Authentication Services -> RADIUS Service -> Edit -> General RADIUS Properties. The RADIUS Authentication for Administrators dialog box appears.
2. The RADIUS Server Group section lists the RADIUS servers. Do the following:
- To move a server up on the list, select it and click Move Up.
- To move a server down on the list, select it and click Move Down.
3. Click the Save icon to save your changes.

Disabling a RADIUS Server


You can disable a RADIUS server if, for example, the connection to the server is down and you want to stop the NIOS appliance from trying to connect to this server. To disable a RADIUS server:
1. From the Administrators perspective, click + (for Remote Admins) -> RADIUS Authentication Services -> RADIUS Service -> Edit -> General RADIUS Properties. The RADIUS Authentication for Administrators dialog box appears.
2. In the RADIUS Server Group section, select a server and click Modify. The RADIUS Server Properties dialog box appears.
3. Click Disable this server.
4. Click OK.
5. Click the Save icon to save your changes.


Configuring a RADIUS Server


In addition to setting up the NIOS appliance to communicate with a RADIUS server, you must also set up the remote RADIUS server to communicate with the NIOS appliance.

Note: If you have two Infoblox appliances in an HA pair, enter both members of the HA pair as separate access appliances and use the LAN IP address of both appliances (not the VIP address).

Depending on your particular RADIUS server, you can configure the following RADIUS server options to enable communication with the NIOS appliance:
- Authentication Port
- Accounting Port
- Domain Name/IP Address of the NIOS appliance
- Shared Secret Password
- Vendor Types

Configuring Admin Groups on the Remote RADIUS Server


Infoblox supports admin accounts on one or more RADIUS servers. To set up admins and associate them with an admin group on a remote RADIUS server, do the following:
- Import Infoblox VSAs (vendor-specific attributes) to the dictionary file on the RADIUS server. For third-party RADIUS servers, import the Infoblox vendor file (the Infoblox vendor ID is 7779).
- Define a local admin group on the NIOS appliance (or use an existing group).
- Define a remote admin group on the RADIUS server with the same name as the group defined on the NIOS appliance.
- Associate one or more remote admin accounts on the RADIUS server with the remote admin group.

Refer to the documentation for your RADIUS server for more information.

Configuring Remote Admin Accounts on the Remote RADIUS Server


To set up remote admin accounts on a RADIUS server and apply the privileges and properties of the admin group designated as the default group on the NIOS appliance, do the following:
- Define an admin group on the NIOS appliance and specify it as the default group. You define admin groups for remote admins within the admin policy. See Defining the Admin Policy on page 118 for more information on configuring remote admin policies and remote admin group lists.
- On the RADIUS server:
  - Create one or more admin accounts. (See RADIUSone documentation.)
  - Add and activate a policy for the admin accounts, but do not associate the policy with a policy group that contains an infoblox-group-info attribute.
When an administrator whose account is stored on a RADIUS server attempts to log in to a NIOS appliance, the NIOS appliance forwards the user name and password for authentication to the RADIUS server. When the server successfully authenticates the administrator and responds to the NIOS appliance without specifying an admin group, the appliance applies the privileges and properties of the default admin group to that administrator. Refer to the documentation for your RADIUS server for more information.


Authorization Groups Using RADIUS


You can specify authorization privileges for an admin group on the NIOS appliance only. The appliance ignores authorization settings from the RADIUS server. Therefore, you must configure all admin groups on the NIOS appliance, regardless of where the admin accounts that belong to those groups are stored, on the NIOS appliance or on the RADIUS server. For information about specifying superuser and limited-access authorization privileges, see Creating a Superuser Admin Group on page 73 and About Limited-Access Admin Groups on page 74.

Accounting Activities Using RADIUS


You can enable the accounting feature on the RADIUS server to track an administrator's activities during a session. After an administrator successfully logs in, the appliance sends an Accounting-Start packet to the RADIUS server.


Authenticating Admin Accounts Using Active Directory


Active Directory (AD) is a distributed directory service that is a repository for user information. The NIOS appliance can authenticate admin accounts by verifying user names and passwords against Active Directory. If the admin does not exist on the AD domain controller, or if the user name and password do not match entries on the domain controller, the NIOS appliance denies access to the admin. However, if the NIOS appliance verifies the user name and password successfully, it grants access. In addition, the NIOS appliance queries the AD domain controller for the group membership information of the admin. The appliance matches the group names from the domain controller with the admin groups on its local database. It then authorizes services and grants the admin privileges, based upon the matching admin group on the appliance. You must be logged in to the NIOS appliance as a superuser to configure the AD authentication service. Figure 3.10 illustrates the Active Directory authentication process.

Figure 3.10 Authentication Using a Domain Controller

Participants: Administrator, NIOS Appliance, Domain Controller
1. A user makes an HTTPS connection to the NIOS appliance and sends an account name and password.
2. The appliance checks the remote admin authentication policy to determine which method to use to authenticate the user. The authentication policy selects AD authentication as the first method to use.
3. The appliance sends a request to the domain controller within the network to authenticate the admin. The appliance also requests the admin's group membership information.
4a. Authentication is successful. The domain controller successfully authenticates the admin user and sends the group membership information for the administrator to the appliance. The first group in the group list matching the groups returned by the domain controller is assigned to the admin, along with the associated permissions, after that admin logs in. The appliance lets the user log in and applies the authorization profile: it grants all permissions specific to the administrator based on the group membership sent from the domain controller for the admin account. If there is no group membership information for the admin, the default group is assigned (if configured).
4b. Authentication is unsuccessful. The domain controller sends back a deny access result to the appliance. No group membership information is sent. The appliance does not allow the user to log in.

116

Infoblox Administrator Guide (Rev. A)

NIOS 4.3r4


Admin Authentication Using Active Directory


To configure the NIOS appliance to authenticate admins using Active Directory, you must first configure user accounts on the domain controller. Then, on the NIOS appliance, do the following:

- Configure an AD authentication service on the appliance and configure one or more AD domain controllers to contact. For information about configuring AD authentication service for admins, see Admin Authentication Using Active Directory on page 117.

- If you configured admin groups on the AD controller, you can create those same groups on the NIOS appliance and specify their privileges and settings. Note that the admin group names must match those on the AD domain controller. You can specify a default group as well. The NIOS appliance assigns admins to the default group if none of the admin groups on the NIOS appliance match the admin groups on the AD domain controller or if there are no other admin groups configured. For information about configuring group permissions and privileges, see About Admin Groups on page 73.

- Enable Active Directory authentication by adding Active Directory to the list of authentication methods in the admin policy. The appliance refers to this list in the admin policy to determine which authentication method to use and in what order. See Defining the Admin Policy on page 118 for more information about configuring admin policy.

Configuring Active Directory Authentication for Admins


To configure an Active Directory authentication service on the NIOS appliance:

1. From the Administrators perspective, click + (for Remote Admins) -> AD Authentication Services -> Edit -> Add AD Authentication Service.

2. In the AD Authentication Service editor, enter the following:

Name: Enter a name for the service.

Port: Enter the port number on the domain controller to which the appliance sends authentication requests.

Transport Encryption: Select SSL to transmit through an SSL (Secure Sockets Layer) tunnel. Infoblox strongly recommends that you select this option to ensure the security of all communications between the NIOS appliance and the AD server. If you select this option, you must upload a CA certificate from the AD server. For information about uploading a CA certificate, see Uploading Certificates to the Appliance on page 685.

Comment: Enter pertinent information about the service.

Disable this AD authentication service: Select this check box to retain an inactive AD service profile.

AD Domain: Enter the DNS-style name of the domain in which the user credentials are located.

AD Domain Controller Failover List: Enter the IP address of the domain controller to which the appliance connects. You can add multiple domain controllers for failover purposes. The NIOS appliance tries to connect with the first domain controller on the list. If it is unable to connect, it tries the next domain controller on the list, and so on. You can change the order in which the servers are listed by selecting a server and clicking Move up or Move down.

Timeout: The number of seconds that the NIOS appliance waits for a response from the specified authentication server.

3. Click the Save icon.


Defining the Admin Policy


After you configure the properties of each authentication service you want to use, you must then define the admin policy. The admin policy defines which authentication methods to use, and in what order. In addition, it lists admin groups for remote admins. You must define at least one admin group for remote admins. The admin group determines the privileges of the admin account.

Specifying a List of Remote Admin Groups


You can configure a list of admin groups for remote admins, and prioritize each group by moving it up or down within the list. When the appliance receives information that the admin belongs to one or more groups, the appliance selects the first group in the list that matches, and assigns that group to the admin. If no groups are returned by the domain controller or the RADIUS server, the default group is assigned (if specified).

To configure the remote admin group list:

1. From the Administrators perspective, click + (for Remote Admins) -> click + (for Admin Policy) -> Policy Configuration -> Edit -> Remote Admin Policy Properties. The Policy Configuration editor appears.

2. From the Remote Admin Group Ordering section, click Add to open the Select Admin Group dialog box and add an admin group to the list.

3. Select an admin group from the Select Admin Group dialog box and click OK to add it to the list.

4. Select an admin group from the Remote Admin Group Ordering section and click Move down to move the group down in the ordering within the list, or click Move up to move the group up in the ordering within the list.

5. Click the Save icon to save your changes.

Configuring the Default Admin Group


You can designate an admin group as the default group. The appliance assigns an admin to the default group if no other admin groups are defined or if it does not find a matching admin group. Note that the NIOS appliance denies access to admins if there is no matching admin group to assign and no default group configured. Even though the authentication is successful, the NIOS appliance denies access to the remote admin because there is no group to assign to the admin and therefore no permissions defined for the user.

To configure the default admin group:

1. From the Administrators perspective, click + (for Remote Admins) -> click + (for Admin Policy) -> Policy Configuration -> Edit -> Remote Admin Policy Properties. The Policy Configuration editor appears.

2. Click Select Default Group to open the Select Admin Default Group dialog box.

3. Select an admin group from the Select Admin Default Group dialog box to act as the default. Click OK. The Default Group Name field displays the selection you made.

4. Click the Save icon to save your changes.

Configuring a List of Authentication Methods


You can configure a list of authentication methods, and prioritize each method within the list. The appliance uses the first method on the list. If unsuccessful, the appliance uses the next method on the list. Each authentication method within the list is used in the order in which it appears.

To configure a list of authentication methods for remote admins:

1. From the Administrators perspective, click + (for Remote Admins) -> click + (for Admin Policy) -> Policy Configuration -> Edit -> Remote Admin Policy Properties. The Policy Configuration editor appears.

2. From the Admin Authentication section, click Add to open the Select Admin Authentication Method dialog box and add an authentication method to the list.

3. Select an authentication method from the Select Admin Authentication Method dialog box and click OK to add it to the list.

4. Select an authentication method from the Admin Authentication section and click Move down to move the method down in the ordering within the list, or click Move up to move the method up in the ordering within the list. The first method within the list is used first.

5. Click the Save icon to save your changes.
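The admin policy evaluation described in the three procedures above (an ordered list of authentication methods, then an ordered list of remote admin groups with an optional default group, and denial when no group can be assigned) is modeled below as an added example in Python; this is not Infoblox code, and the directory contents, method callables and group names are constructed for illustration.

```python
"""Model of the NIOS remote-admin policy described above: authentication
methods are tried in the configured order, and the admin group is the first
entry of the ordered remote-admin group list that the directory also reports,
falling back to the default group, or denying access when neither applies.
Added illustration, not Infoblox code; users, groups and methods are constructed."""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass
class AuthResult:
    authenticated: bool
    groups: Sequence[str] = ()          # group names reported by the directory


# An authentication method takes (user, password) and returns an AuthResult,
# or None when the method's server could not be reached.
AuthMethod = Callable[[str, str], Optional[AuthResult]]


def make_directory_method(records: Dict[str, Tuple[str, Sequence[str]]]) -> AuthMethod:
    """Constructed stand-in for an AD domain controller (or a RADIUS/local store):
    records maps user -> (password, reported groups)."""
    def method(user: str, password: str) -> Optional[AuthResult]:
        entry = records.get(user)
        if entry is None:
            return AuthResult(False)                       # unknown user: deny
        stored, groups = entry
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return AuthResult(False)                       # wrong password: deny, no groups
        return AuthResult(True, groups)
    return method


def authenticate(methods: List[Tuple[str, AuthMethod]], user: str, password: str):
    """Use the first method on the list; if unsuccessful, use the next, and so on."""
    for name, method in methods:
        result = method(user, password)
        if result is not None and result.authenticated:
            return name, result
    return None, None


def select_admin_group(reported: Sequence[str], ordered_groups: Sequence[str],
                       default_group: Optional[str]) -> Optional[str]:
    """First group in the ordered list that the directory also reported;
    otherwise the default group (if configured); otherwise None."""
    reported_set = set(reported)
    for group in ordered_groups:
        if group in reported_set:
            return group
    return default_group


def authorize_remote_admin(methods, ordered_groups, default_group, user, password):
    """Full decision: (method used, admin group), or (None, None) when access is denied.
    Successful authentication with no assignable group is still a denial."""
    method_name, result = authenticate(methods, user, password)
    if result is None:
        return None, None
    group = select_admin_group(result.groups, ordered_groups, default_group)
    if group is None:
        return None, None
    return method_name, group


# Constructed sample configuration: AD first, a local store second.
AD = make_directory_method({
    "alice": ("alice-pw", ["Helpdesk", "DNS-Ops"]),
    "bob": ("bob-pw", ["Sales"]),          # no group the appliance knows about
})
LOCAL = make_directory_method({
    "carol": ("carol-pw", ["NetAdmins"]),
})
METHODS = [("Active Directory", AD), ("Local", LOCAL)]
GROUP_ORDER = ["NetAdmins", "DNS-Ops", "Helpdesk"]


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"),
                     ("carol", "carol-pw"), ("alice", "wrong")]:
        print(user, authorize_remote_admin(METHODS, GROUP_ORDER, "ReadOnly", user, pw))
```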

Changing Password Length Requirements


Password length requirements control how long a password must be for a NIOS appliance admin account. Increasing this value reduces the likelihood of hackers gaining unauthorized access.

To change password length requirements:

1. From the Grid perspective, click grid -> Edit -> Grid Properties.
or
From the Device perspective, click hostname -> Edit -> Device Properties.

2. In the Grid (or Device) editor, click Security.

3. Enter a number from 4 to 64 in the Minimum Password Length field.

4. Click the Save icon to save your changes.

Notifying Administrators
You can notify individual administrators about system status via e-mail, or notify a group of people using an alias e-mail address. If you have configured DNS resolution on your network, the E-mail relay configuration function is not required. If you did not configure the settings on the DNS Resolver section, you must enter a static IP address of the target system in the Relay Name/IP Address field. Use the Test e-mail settings button to test the E-mail settings and to verify that the recipient received the notification.

In addition, the appliance sends e-mail to administrators when certain events occur. Here is a list of events that trigger e-mail notifications:

- Changes to link status on ports and online/offline replication status

- Events that generate traps, except for upgrade failures (ibUpgradeFailure). For a list of events, see Infoblox MIBs on page 205.

You can define the e-mail settings at the grid and member levels.


Grid Level
To notify an administrator of an independent appliance or a grid:

1. From the Grid perspective, click grid -> Edit -> Grid Properties.
or
From the Device perspective, click hostname -> Edit -> Device Properties.

2. In the Grid (or Device) editor, click Email, and then enter the following:

Enable e-mail notification: Select this check box.

E-mail address: Enter the e-mail address of the administrator. Use an e-mail alias to notify multiple people.

Use e-mail relay: Select this check box if the NIOS appliance must send e-mail to an intermediary SMTP (Simple Mail Transfer Protocol) server that relays it to the SMTP server responsible for the domain name specified in the e-mail address. Some SMTP servers only accept e-mail from certain other SMTP servers and might not allow e-mail from the NIOS appliance. In this case, specify the DNS name or IP address of a different SMTP server that does accept e-mail from the NIOS appliance and that will then relay it to the SMTP server that can deliver it to its destination. Clear this check box if it is unnecessary to use an e-mail relay server.

Relay Name/IP Address: If you have configured DNS resolution, enter the DNS name of the relay server. If DNS resolution is not configured, enter the IP address of the relay server.

3. Optionally, click Test e-mail settings to confirm this feature is operating properly.

4. Click the Save icon to save your changes.

Member Level
To define e-mail settings for a member, override the grid-level settings at the following navigational path, and then click the Save icon to save your changes: From the Grid perspective, click Grid -> + (for grid) -> + (for Members) -> member -> Edit -> Member Properties -> Email.


Chapter 4 Managing Appliance Operations


Managing the operations of a NIOS appliance involves defining system parameters such as time, security and port settings. This chapter describes how to set these operational parameters and how to set up a static route when the NIOS appliance can send and receive traffic through multiple gateways. The tasks covered in this chapter include:

Managing Time Settings on page 123
Changing Time and Date Settings on page 123
Changing Time Zone Settings on page 123
Monitoring Time Services on page 124
Using NTP for Time Settings on page 125
Authenticating NTP on page 126
NIOS Appliance as NTP Client on page 128
NIOS Appliance as NTP Server on page 132
Scheduling Tasks on page 136
Enabling and Disabling Task Scheduling on page 136
Scheduling a Task on page 136
Viewing Scheduled Tasks on page 137
Rescheduling and Deleting Scheduled Tasks on page 138
Guidelines for Upgrading, Backing Up, and Restoring the Database on page 138
Managing Security Operations on page 139
Enabling Support Access on page 139
Enabling Remote Console Access on page 139
Permanently Disabling Remote Console and Support Access on page 140
Restricting HTTP Access on page 140
Enabling HTTP Redirection on page 141
Modifying GUI Session Timeout Settings on page 141
Disabling the LCD Input Buttons on page 141
Modifying Security for a Grid Member on page 142
Ethernet Port Usage on page 143
Modifying Ethernet Port Settings on page 148
Using the LAN2 Port on page 149
NIC Failover on page 150
Enabling DNS on LAN2 on page 152
Enabling DHCP on LAN2 on page 151


Using the MGMT Port on page 153
Appliance Management on page 154
Grid Communications on page 156
DNS Services on page 159
Setting Static Routes on page 161
Enabling DNS Resolution on page 164
Managing Licenses on page 165
Viewing the Installed Licenses on a NIOS Appliance on page 165
Obtaining a 60-Day Temporary License on page 165
Obtaining and Adding a License on page 166
Removing Licenses on page 166
Using the Recycle Bin on page 168
Disabling the Recycle Bin on page 169
Enabling the Recycle Bin on page 169
Viewing the Recycle Bin on page 169
Restoring Objects in the Recycle Bin on page 170
Emptying the Recycle Bin on page 170
Shutting Down, Rebooting, and Resetting a NIOS Appliance on page 171
Rebooting a NIOS Appliance on page 171
Shutting Down a NIOS Appliance on page 171
Resetting a NIOS Appliance on page 171
Managing the Disk Subsystem on the Infoblox-2000 on page 173
About RAID 10 on page 173
Evaluating the Status of the Disk Subsystem on page 174
Replacing a Failed Disk Drive on page 174
Disk Array Guidelines on page 175
Restarting Services on page 176


Managing Time Settings


You can define the date and time settings for your NIOS appliance when it first starts, using the Infoblox Appliance Startup Wizard. Alternatively, you can set the date and time at any time after the initial configuration, for example if you did not set them in the startup wizard or if you move an appliance from a location in one time zone to a location in a different time zone. To set the date and time of the appliance, you can either manually enter the values or configure the appliance to synchronize its time with a public NTP server.

Changing Time and Date Settings


You can set the date and time on grid members and on independent appliances or HA pairs. For appliances in a grid, you can set the date and time at the grid level and at the member level. Grid-level date and time settings apply to all members unless you override them at the member level.

Note: You cannot manually set the date and time if you have previously enabled NTP service.

To change the time and date for a grid or for an independent appliance or HA pair:

1. From the Grid or Device perspective, click Grid (or Device) -> Set Date and Time.

2. In the Date and Time dialog box, enter the date (in MM/DD/YYYY format) and time (in HH:MM format) in the appropriate fields. For PM hours, use the integers 13-24.

3. To close the Date and Time dialog box, click OK.

To change the time and date for a grid member:

1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Grid -> Set Date and Time.

2. In the Date and Time dialog box, enter the date (in MM/DD/YYYY format) and time (in HH:MM format) in the appropriate fields. For PM hours, use the integers 13-24.

3. To close the Date and Time dialog box, click OK.

Note: Changing the date and time resets the application and terminates the management session.

Changing Time Zone Settings


Whether you enable NTP (Network Time Protocol) or manually configure the date and time, you must always set the time zone manually. For a grid, you can set the time zone at the grid level, which then applies to all members. If different members are in different time zones, you can choose the time zone that applies to most members at the grid level, and then override the setting at the member level for the remaining members.

Note: Changing the time zone does not reset the application nor does it terminate the management session.

To change the time zone for a grid or for an independent appliance or HA pair:

1. From the Grid or Device perspective, click Grid (or Device) -> Set Time Zone.

2. Choose an appropriate time zone from the drop-down list, and then click OK.

To change the time zone for a grid member:

1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Grid -> Set Member Time Zone.

2. In the Member Time Zone dialog box, enter the following:

Override Grid Time Zone: Select this check box.

Member Time Zone: Choose an appropriate time zone for the location of the selected member.

3. To close the Member Time Zone dialog box, click OK.


Monitoring Time Services


You can monitor the internal NTP daemon that runs within a grid to ensure the time among its members is synchronized, and if you configure the appliance as an NTP server for external clients, you can monitor this service as well. In a grid, the grid master and its members use an internal NTP daemon to synchronize their time. It is not user-configurable and functions regardless of how you set the time on the grid master. You can monitor this internal NTP service by checking the status icon and corresponding description in the Detailed Status panel. To display the Detailed Status panel, from the Grid perspective, click View -> Detailed Status. The following are descriptions of the NTP status icons in the Detailed Status panel:

Icon color   Meaning
Green        The NTP service is running properly.
Yellow       The appliance is synchronizing its time.
Red          The NTP service is not running properly. View the corresponding description for additional information.

When you enable NIOS appliances as NTP servers, you can monitor the status of the NTP service by checking the NTP status icons in the Grid panel. The following are descriptions of the NTP status icons in the Detailed Status panel. The type of information that can appear in the Description column corresponds to the SNMP trap messages. For information about the Infoblox SNMP traps, see Chapter 6, Monitoring with SNMP, on page 201.

Icon color   Meaning
Green        The NTP service is enabled and running properly.
Yellow       The NTP service is enabled, and the appliance is synchronizing its time.
Red          The NTP service is enabled, but it is not running properly or is out of synchronization.
Gray         The NTP service is disabled.


Using NTP for Time Settings


Note: Cisco and Riverbed virtual grid members do not support NTP service.

NTP (Network Time Protocol) is a standard protocol that system clocks use to ensure their time is always accurate. Appliances that use NTP try to get their time as close as possible to UTC (Coordinated Universal Time), the standard timescale used worldwide. NTP uses UDP (User Datagram Protocol) on port 123 for communications between clients and servers.

NTP is based on a hierarchy where reference clocks are at the top. Reference clocks use different methods such as special receivers or satellite systems to synchronize their time to UTC. NTP servers on the first level of the hierarchy synchronize their time with the reference clocks, and serve time to clients as well. Each level in the hierarchy is a stratum; stratum-0 is a reference clock. Stratum-1 servers synchronize their clocks with reference clocks. Stratum-2 servers synchronize their clocks with stratum-1 servers, and so forth. The stratum number indicates the number of levels between the NTP server and the reference clock. A higher stratum number could indicate more variance between the NTP server and the reference clock.

You can configure a NIOS appliance to function as an NTP client that synchronizes its clock with an NTP server. NTP clients typically use time information from at least three different sources to ensure reliability and a high degree of accuracy. There are a number of public NTP servers on the Internet with which the NIOS appliance can synchronize its clock. For a list of these servers, you can access http://www.ntp.org.

In a grid, the grid master and grid members can function as NTP clients that synchronize their clocks with external NTP servers. They can in turn function as NTP servers to other appliances in the network. This allows you to deploy multiple NTP servers to ensure accurate and reliable time across the network.
To configure the grid master and grid members as NTP clients, you must first enable the NTP service and configure external NTP servers at the grid level. You can then configure the grid master and grid members to override the grid-level NTP servers and use their own external NTP servers. A grid member synchronizes its clock with the grid master if you do not configure it to use external NTP servers.


Figure 4.1 Infoblox Appliances as NTP Servers

(Figure callouts: Reference Clocks, Stratum-1 NTP Servers, Internet, Grid Master, Grid Member 1, Grid Member 2, VPN Tunnel, Network 1, Network 2)

Stratum-1 NTP servers use reference clocks to synchronize their time to UTC (Coordinated Universal Time).

As an NTP client, the grid master synchronizes its time with stratum-1 NTP servers. The grid master also functions as a stratum-2 NTP server to Grid Member 1. NTP messages between the grid master and Grid Member 1 go through encrypted VPN tunnels.

As an NTP client, Grid Member 1 synchronizes its clock with the grid master. It also functions as a stratum-3 NTP server to external devices on its network.

Grid Member 2 synchronizes its clock with an external NTP server. It also functions as a stratum-2 NTP server to external devices on its network.

Authenticating NTP
To prevent intruders from interfering with the time services on your network, you can authenticate communications between a NIOS appliance and a public NTP server, and between a NIOS appliance and external NTP clients. NTP communications within the grid go through an encrypted VPN tunnel, so you do not have to enable authentication between members in a grid.

NTP uses symmetric key cryptography, where the server and the client use the same algorithm and key to calculate and verify a MAC (message authentication code). The MAC is a digital thumbprint of the message that the receiver uses to verify the authenticity of a message. As shown in Figure 4.2, the NTP client administrator must first obtain the secret key information from the administrator of the NTP server. The server and the client must have the same key ID and data. Therefore, when you configure the NIOS appliance as an NTP client and want to use authentication, you must obtain the key information from the administrator of the external NTP server and enter the information on the NIOS appliance. When you configure a NIOS appliance as an NTP server, you must create a key and send the key information to clients in a secure manner.

A key consists of the following:

Key Number: A positive integer that identifies the key.

Key Type: Specifies the key format and the algorithm used to calculate the MAC (message authentication code) of a message.

    M: The key is a 1-31 character ASCII string using MD5 (Message Digest).

    S: The key is a 64-bit hexadecimal number in DES (Data Encryption Standard) format. The high order 7 bits of each octet form the 56-bit key, and the low order bit of each octet is given a value so that the octet maintains odd parity. You must specify leading zeros so the key is exactly 16 hexadecimal digits long and maintains odd parity.

    A: The key is a DES key written as a 1-8 character ASCII string.
    N: The key is a 64-bit hexadecimal number in NTP format. It is the same as the S format, but the bits in each octet have been rotated one bit right so the parity bit is in the high order bit of the octet. You must specify leading zeros and odd parity must be maintained.

Key String: The key data used to calculate the MAC. The format depends on the Key Type you select.

When the NTP client initiates a request for time services to the NTP server, it creates the MAC by using the agreed upon algorithm to compress the message and then encrypts the compressed message (which is also called a message digest) with the secret key. The client appends the MAC to the message it sends to the NTP server. When the NTP server receives the message from the client, it performs the same procedure on the message: it compresses the message it received, encrypts it with the secret key and generates the MAC. It then compares the MAC it created with the MAC it received. If they match, the server continues to process and respond to the message. If the MACs do not match, the receiver drops the message.

Figure 4.2 NTP Client Administrator Obtaining Secret Key from NTP Server Administrator

(Figure callouts: NTP Server Administrator, Secret Key Information, NTP Client Administrator, NTP Client, NTP Server; on each side: Message -> MD5 or DES Message Digest -> Encrypted with Secret Key -> MAC; the client sends Message + MAC)

The NTP server administrator sends the secret key information to the NTP client administrator, who adds the key to the NTP client.

When the NTP client sends a request for time services to the NTP server, it uses the agreed upon algorithm and secret key to create the MAC (message authentication code). It then sends the MAC and message to the NTP server.

The NTP server uses the agreed upon algorithm and secret key to create the MAC. It compares this MAC with the MAC it received. If they match, the server responds to the request of the client for time services. If the MACs do not match, the server ignores the message from the client.
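The key-format rules and the MAC check described under Authenticating NTP (and repeated in the NTP Authentication Key dialog box under Entering an NTP Authentication Key) are worked through below as an added example in Python; it is not Infoblox code. It validates S- and N-format DES keys (16 hex digits, odd parity per octet) and converts between them, checks the 1-31 character rule for M-format keys, and shows the server-side MD5 MAC verification; the MAC layout it assumes (a 4-byte key ID followed by MD5 over key || packet) is the one defined by the NTP standard (RFC 1305 / RFC 5905), and the key and 48-byte client packet are constructed.

```python
"""NTP symmetric-key authentication as described under "Authenticating NTP":
the DES key-format rules for key types S and N (16 hex digits, odd parity in
every octet, N being S with each octet rotated one bit right), the length
rule for type M (1-31 ASCII characters), and the MD5 MAC check that an NTP
server performs on a client request before answering it. The MAC layout
(4-byte key ID followed by MD5 over key || packet) is the NTP standard
(RFC 1305 / RFC 5905). Added example, not Infoblox code; the key and the
48-byte client packet are constructed."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MD5_MAC_LEN = 4 + 16           # key ID + digest


def has_odd_parity(octet: int) -> bool:
    return bin(octet).count("1") % 2 == 1


def validate_des_key(hex_key: str, key_type: str) -> bytes:
    """Type S or N: exactly 16 hex digits (leading zeros included) and odd
    parity in every octet. In S the parity bit is the low-order bit of each
    octet, in N the high-order bit; the parity check is the same either way."""
    if key_type not in ("S", "N"):
        raise ValueError("expected key type S or N")
    if len(hex_key) != 16:
        raise ValueError("DES key must be exactly 16 hexadecimal digits")
    key = bytes.fromhex(hex_key)        # raises ValueError on non-hex digits
    for i, octet in enumerate(key):
        if not has_odd_parity(octet):
            raise ValueError(f"octet {i} (0x{octet:02x}) does not have odd parity")
    return key


def s_to_n(hex_key: str) -> str:
    """Convert an S-format key to N-format by rotating each octet right one bit."""
    key = validate_des_key(hex_key, "S")
    return bytes(((o >> 1) | ((o & 1) << 7)) for o in key).hex()


def n_to_s(hex_key: str) -> str:
    """Inverse of s_to_n: rotate each octet left one bit."""
    key = validate_des_key(hex_key, "N")
    return bytes((((o << 1) & 0xFF) | (o >> 7)) for o in key).hex()


def validate_md5_key(key: str) -> bytes:
    """Type M: a 1-31 character ASCII string, used as raw bytes in the digest."""
    if not 1 <= len(key) <= 31 or not key.isascii():
        raise ValueError("MD5 key must be a 1-31 character ASCII string")
    return key.encode("ascii")


def md5_mac(key_id: int, key: bytes, packet: bytes) -> bytes:
    """Client side: MAC = key ID || MD5(key || packet), appended to the packet."""
    return struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def verify_md5_mac(message: bytes, keys: dict) -> bool:
    """Server side: recompute the MAC with the key named by the key ID and
    compare in constant time; a mismatch, an unknown key ID or a bad length
    means the request is dropped."""
    if len(message) != NTP_HEADER_LEN + MD5_MAC_LEN:
        return False
    packet, mac = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(md5_mac(key_id, key, packet), mac)


# Constructed example: key 7 of type M shared by client and server, and a
# client-mode NTPv4 header (LI=0, VN=4, mode=3) with the remaining fields zeroed.
KEY_ID = 7
SHARED_KEY = validate_md5_key("example-shared-secret")
CLIENT_PACKET = bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)
SERVER_KEYS = {KEY_ID: SHARED_KEY}


def build_request() -> bytes:
    """What the client sends: the 48-byte packet followed by its 20-byte MAC."""
    return CLIENT_PACKET + md5_mac(KEY_ID, SHARED_KEY, CLIENT_PACKET)


if __name__ == "__main__":
    print("S 0101010101010101 -> N", s_to_n("0101010101010101"))
    print("valid request accepted:", verify_md5_mac(build_request(), SERVER_KEYS))
```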


NIOS Appliance as NTP Client


You can configure an independent NIOS appliance, a grid master, or any grid member in a grid as an NTP client that synchronizes its system clock with an external NTP server. When you enable a NIOS appliance to function as an NTP client, you must specify at least one NTP server with which the appliance can synchronize its clock. If you specify multiple NTP servers, you should specify servers that synchronize their time with different reference clocks and that have different network paths. This increases stability and reduces risk in case a server fails. For a list of public NTP servers, you can access www.ntp.org. When you specify multiple NTP servers, the NTP daemon on the appliance determines the best source of time by calculating round-trip time, network delay, and other factors that affect the accuracy of the time. NTP periodically polls the servers and adjusts the time on the appliance until it matches the best source of time. If the difference between the appliance and the server is less than five minutes, the appliance adjusts the time gradually until the clock time matches the NTP server. If the difference in time is more than five minutes, the appliance immediately synchronizes its time to match that of the NTP server. To secure communications between a NIOS appliance and an NTP server, you can authenticate communications between the appliance and the NTP server. When you configure authentication, you must obtain the key information from the administrator of the NTP server and enter the key on the appliance. For information, see Authenticating NTP on page 126. In a grid, you can configure the grid master and grid members to synchronize their clocks with external NTP servers. When you enable the NTP service on the grid, the grid master automatically functions as an NTP server to the grid members. A grid member can synchronize its time with the grid master, an external NTP server, or another grid member. 
Like all other grid communications, the grid master and its members send NTP messages through an encrypted VPN tunnel.

Figure 4.3 Grid Master as NTP Client

(Figure callouts: NTP Server 1, NTP Server 2, NTP Server 3, NTP Server 4, Secret Keys, Internet, Grid Master, VPN Tunnels, Grid Member 1, Grid Member 2)

The grid master uses three public NTP servers to calibrate its clock to the correct time. It uses symmetric key cryptography to authenticate NTP messages.

The grid master serves time to Grid Member 1. All NTP communications with the grid go through encrypted VPN tunnels.

Grid Member 2 synchronizes its clock with a public NTP server. The grid master serves as a backup NTP server when the member cannot reach the public NTP server.


Configuring a NIOS Appliance as an NTP Client


In a grid, the grid master and grid members can synchronize their clocks with external NTP servers. They then forward the clock time to other appliances in the network. Likewise, in an independent HA pair, the active node communicates directly with an external NTP server. The passive node then synchronizes its clock with the active node. In a grid, you must first enable the NTP service and configure external NTP servers at the grid level before you configure the grid master and grid members as NTP clients.

To configure an independent appliance, a grid master, or a grid member as an NTP client, perform the following tasks:

- Enable the NTP service. For information, see Enabling the NTP Service on page 129.

- Specify one or more external NTP servers. For information, see Specifying External NTP Servers on page 129.

- Optionally, enable authentication between the appliance and the NTP server if the NTP server requires authentication. For information, see Managing Authentication Keys on page 131.

Enabling the NTP Service


To enable the NTP service at the grid level:

1. For a grid: From the Grid perspective, click + (for grid) -> + (for Services) -> NTP -> Edit -> Service Properties.
or
For an independent NIOS appliance or HA pair: From the Device perspective, click + (for hostname) -> NTP -> Edit -> Service Properties.

2. In the NTP Properties editor, select the Enable NTP check box.

Specifying External NTP Servers


To specify external NTP servers:

1. For a grid: From the Grid perspective, click + (for grid) -> + (for Services) -> NTP -> Edit -> Service Properties.
or
For an independent NIOS appliance or HA pair: From the Device perspective, click + (for hostname) -> NTP -> Edit -> Service Properties.
or
For a grid master or grid member: From the Grid perspective, click + (for grid) -> + (for Members) -> + (for Services) -> NTP -> Edit -> Service Properties. In the Member NTP Properties editor, do the following:

Enable use of external NTP server for this member: Select this check box to enable this grid member to use external NTP servers. When you select this check box, you must enter at least one external NTP server for the member.

Exclude grid master as NTP server: Select this check box if you want to exclude the grid master from being one of the time sources. By default, the appliance automatically configures the grid master as the backup NTP server for a grid member. When the member cannot reach any of its configured NTP servers, it uses the grid master as the NTP server. The appliance does not display the grid master in the NTP external server list. For a grid master, this check box has no meaning.

2. Click Add in the External NTP Servers section.

3. In the NTP External Server dialog box, enter the following information, and then click OK.

NTP Server Address: You can enter either the IP address or the resolvable host name of an NTP server. You can view a list of public NTP servers at ntp.isc.org. To check whether the DNS server can resolve the NTP server host name, click Resolve. You must have a DNS name resolver configured. For information, see Enabling DNS Resolution on page 164.

Enable Authentication: Select this check box to enable authentication of NTP communications between the external NTP server and the NIOS appliance (the grid master or grid member in a grid, an independent NIOS appliance, or the active node in an independent HA pair).
NIOS 4.3r4 Infoblox Administrator Guide (Rev. A) 129

Managing Appliance Operations

   Note: To prevent intruders from interfering with the time services on your network, you can authenticate communications between a grid member and an external NTP server, as well as between a grid member and external NTP clients. NTP communications within the grid go through an encrypted VPN tunnel, so you do not have to enable authentication between the grid master and grid members.
   Authentication Key: Click Select Key. In the Select NTP Authentication Key dialog box, select a key that you previously entered, and then click OK. Note that you must enter authentication keys at the grid level when you configure a grid master or grid member to use external NTP servers. For information, see Entering an NTP Authentication Key on page 130.
4. Click the Save and Restart Services icons.

Managing External NTP Servers


You can specify multiple NTP servers for failover purposes. The NIOS appliance attempts to connect to the NTP servers in the order they are listed. A grid member uses the grid master as the NTP server when it cannot reach any of its external NTP servers. You can change the order of the list by selecting an NTP server and using the Move Up and Move Down buttons. You can add and delete servers and modify their information as well.

Entering an NTP Authentication Key


To add an NTP authentication key:

1. For a grid: From the Grid perspective, click + (for grid) -> + (for Services) -> NTP -> Edit -> Service Properties.
   or
   For an independent NIOS appliance or HA pair: From the Device perspective, click + (for hostname) -> NTP -> Edit -> Service Properties.
   or
   For a grid master or grid member: From the Grid perspective, click + (for grid) -> + (for Members) -> + (for Services) -> NTP -> Edit -> Service Properties.
2. To enter a new authentication key, click Add in the NTP Authentication Keys section.
3. In the NTP Authentication Key dialog box, enter the following information.
   Number: A positive integer that identifies a key.
   Type: Specifies the key format and the algorithm used to calculate the MAC (message authentication code) of a message.
      MD5 in ASCII format (M): The key is a 1-31 character ASCII string using MD5 (Message Digest).
      DES in hex format (S): The key is a 64-bit hexadecimal number in DES (Data Encryption Standard) format. The high order 7 bits of each octet form the 56-bit key, and the low order bit of each octet is given a value so that the octet maintains odd parity. You must specify leading zeros so the key is exactly 16 hexadecimal digits long and maintains odd parity.
      DES in ASCII format (A): The key is a DES key written as a 1-8 character ASCII string.
      DES in NTP format (N): The key is a 64-bit hexadecimal number in NTP format. It is the same as the S format, but the bits in each octet have been rotated one bit right so the parity bit is in the high order bit of the octet. You must specify leading zeros and odd parity must be maintained.
   String: The key data used to calculate the MAC. The format depends on the Key Type you select.
4. Click OK. Note that if you enter a new key, the appliance checks if the key already exists in the key list. If the key exists, but either the key type or key string does not match, the NIOS appliance sends an error message.


Using NTP for Time Settings

5. Click the Save and Restart Services icons.

Note: When you configure a grid master or a grid member to use external NTP servers, you cannot override the grid-level authentication keys. You must use the authentication keys that you enter at the grid level.

Managing Authentication Keys


After you enter an authentication key, you can modify or delete it. Note that you cannot delete a key that an NTP server references. You must first delete all NTP servers that reference that key and then delete the key.

To delete a key from the list:

1. For a grid: From the Grid perspective, click + (for grid) -> + (for Services) -> NTP -> Edit -> Service Properties.
   or
   For an independent appliance or HA pair: From the Device perspective, click + (for hostname) -> NTP -> Edit -> Service Properties.
   or
   For a grid master or grid member: From the Grid perspective, click + (for grid) -> + (for Members) -> + (for Services) -> NTP -> Edit -> Service Properties.
2. In the NTP Properties or the Member NTP Properties editor, select the key that you want to delete from the NTP Authentication Keys list, and then click Delete.
3. Click the Save icon.


NIOS Appliance as NTP Server


After you enable NTP on a grid, the grid members, including the grid master, can function as NTP servers to clients in different segments of the network. Similarly, after you enable NTP on an independent appliance or an HA pair, and it synchronizes its time with an NTP server, you can configure it to function as an NTP server as well.

Figure 4.4 Grid Members as NTP Servers

[Figure: the grid master reaches NTP Server 1, NTP Server 2, and NTP Server 3 across the Internet; the grid master connects to two grid members over VPN tunnels; the grid members serve Network 2 and Network 3. Callouts: Secret Keys, Access Control List.]

The grid master uses three public NTP servers to calibrate its clock to the correct time. It uses symmetric key cryptography to secure NTP messages. The grid master serves time to the grid members. All NTP communications with the grid go through the encrypted VPN tunnels. The grid members serve time to devices on their networks. Each member uses symmetric key encryption to secure NTP messages. Each member also has an access control list that defines which appliances can access the time services. When a client that is not on the list tries to access an appliance functioning as an NTP server, the appliance ignores the message.

To configure a NIOS appliance as an NTP server, perform the following tasks:
   Enable the appliance as an NTP server.
   Enable authentication between the appliance and its NTP clients.
   Optionally, specify which clients can access the NTP service of the appliance.
   Optionally, specify which clients can use ntpq to query the appliance.


Configuring a NIOS Appliance as an NTP Server


You can configure a grid member (including the grid master) or an independent appliance or HA pair to function as an NTP server. When you enable a NIOS appliance to function as an NTP server, you can enable authentication between a NIOS appliance functioning as an NTP server and its NTP clients. When you enable authentication, you must specify the keys that the appliance and its clients must use for authentication. In a grid, you can enter NTP authentication keys at the grid level so that all the members can use them to authenticate their clients. You can also enter keys at the member level, if you want that member to use different keys from those set at the grid level. However, when you configure a grid member to use external NTP servers, you must enter keys at the grid level. After you enter the keys, you can download the key file and distribute the file to the NTP clients.

To enable an appliance as an NTP server and authenticate NTP traffic between a NIOS appliance and an NTP client, perform the following tasks:
   Enable an appliance as an NTP server and define authentication keys. For information, see Enabling an appliance as an NTP server on page 133.
   Optionally, define NTP access control. For information, see Defining NTP Access Control on page 134.
   Optionally, define NTP query access control. For information, see Defining Query Access Control on page 134.

Enabling an appliance as an NTP server


To enable an appliance as an NTP server and add authentication keys:

1. For a grid: From the Grid perspective, click + (for grid) -> + (for Services) -> NTP -> Edit -> Service Properties.
   or
   For an independent appliance or HA pair: From the Device perspective, click + (for hostname) -> NTP -> Edit -> Service Properties.
   or
   For a grid master or grid member: From the Grid perspective, click + (for grid) -> + (for Members) -> + (for hostname) -> NTP -> Edit -> Service Properties.
   In the Member NTP Properties editor, do the following:
   Enable this member as an NTP server: Select this check box to configure a grid master or a grid member as an NTP server.
   Override Grid NTP authentication setting: Select this check box to enter NTP authentication keys at the member level. The member uses these keys when acting as an NTP server and authenticates requests from NTP clients. Clear the check box to use the grid-level authentication keys.
   Note: When you configure a grid master or a grid member to use external NTP servers, you cannot override the grid-level NTP authentication settings. You must use the grid-level authentication keys or enter keys at the grid level.
2. Click Add in the NTP Authentication Keys section. For information, see Entering an NTP Authentication Key on page 130.
3. Click the Save icon.

After you enter the authentication keys, you can download the key file (usually called ntp.keys) and distribute it to the NTP clients.

To copy an NTP authentication key for distribution to NTP clients:

1. For a grid: From the Grid perspective, click + (for grid) -> + (for Services) -> NTP -> Edit -> Service Properties.
   or
   For an independent appliance or HA pair: From the Device perspective, click + (for hostname) -> NTP -> Edit -> Service Properties.
   or
   For a grid master or a grid member: From the Grid perspective, click + (for grid) -> + (for Members) -> + (for hostname) -> NTP -> Edit -> Service Properties.

2. Choose the key in the NTP Authentication Keys list, and then click Modify.
3. Note the key number and type, and select the contents of the String field. Paste the key string in a text file and include the key number and type (M, S, A, or N) in the file.
4. Distribute this file to the NTP clients using a secure transport.
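As an added example (not Infoblox code), the following Python applies the key-format rules listed under Entering an NTP Authentication Key, converts between the S and N hex formats, writes keys in the "number type string" layout of the ntp.keys file distributed to clients, and shows the MD5 MAC that an M key produces for an NTP packet. The MD5-over-key-then-packet construction follows RFC 5905 rather than this page, and the sample keys and packet are constructed.

```python
"""Check NTP authentication keys in the four NIOS key formats (M, S, A, N),
write them in ntp.keys layout, and compute the MD5 MAC an M key yields for
an NTP packet (MD5 over key bytes followed by the 48-byte packet, RFC 5905).
Added example, not Infoblox code; the sample keys and packet are constructed.
"""
import hashlib
import hmac
import re
import struct

_HEX16 = re.compile(r"^[0-9A-Fa-f]{16}$")

def has_odd_parity(octet: int) -> bool:
    """True when the octet holds an odd number of 1 bits (DES key parity)."""
    return bin(octet & 0xFF).count("1") % 2 == 1

def with_odd_parity(seven_bits: int) -> int:
    """Build an S-format octet: 7 key bits high, parity bit in the low bit."""
    octet = (seven_bits & 0x7F) << 1
    return octet if has_odd_parity(octet) else octet | 1

def validate_key(key_type: str, key_string: str) -> None:
    """Raise ValueError unless key_string is well formed for key_type."""
    if key_type == "M":                      # MD5, 1-31 character ASCII string
        if not (1 <= len(key_string) <= 31 and key_string.isascii()):
            raise ValueError("M key must be a 1-31 character ASCII string")
    elif key_type == "A":                    # DES, 1-8 character ASCII string
        if not (1 <= len(key_string) <= 8 and key_string.isascii()):
            raise ValueError("A key must be a 1-8 character ASCII string")
    elif key_type in ("S", "N"):             # DES hex / NTP hex, 64 bits
        if not _HEX16.match(key_string):
            raise ValueError(f"{key_type} key must be exactly 16 hex digits")
        for octet in bytes.fromhex(key_string):
            if not has_odd_parity(octet):
                raise ValueError(f"octet {octet:02X} does not have odd parity")
    else:
        raise ValueError(f"unknown key type {key_type!r}")

def des_to_ntp(s_hex: str) -> str:
    """S -> N: rotate each octet one bit right so parity moves to the high bit."""
    validate_key("S", s_hex)
    rotated = bytes((b >> 1) | ((b & 1) << 7) for b in bytes.fromhex(s_hex))
    return rotated.hex().upper()

def ntp_to_des(n_hex: str) -> str:
    """N -> S: rotate each octet one bit left (inverse of des_to_ntp)."""
    validate_key("N", n_hex)
    rotated = bytes(((b << 1) & 0xFF) | (b >> 7) for b in bytes.fromhex(n_hex))
    return rotated.hex().upper()

def format_ntp_keys(keys) -> str:
    """Render (number, type, string) triples as the lines of an ntp.keys file."""
    lines = ["# ntp.keys: <number> <type> <string>, one key per line"]
    for number, key_type, key_string in keys:
        if number <= 0:
            raise ValueError("key number must be a positive integer")
        validate_key(key_type, key_string)
        lines.append(f"{number} {key_type} {key_string}")
    return "\n".join(lines) + "\n"

def ntp_md5_mac(key: str, packet: bytes) -> bytes:
    """MAC for an M key: MD5 over the key bytes followed by the packet."""
    return hashlib.md5(key.encode("ascii") + packet).digest()

def authenticate(key_id: int, key: str, packet: bytes) -> bytes:
    """Sender side: append the 4-byte key ID and the 16-byte MAC."""
    return packet + struct.pack("!I", key_id) + ntp_md5_mac(key, packet)

def verify(key_table: dict, message: bytes) -> bool:
    """Receiver side: look up the key ID and compare the MAC in constant time.

    Assumes a 48-byte header with no extension fields (this example's
    simplification); an unknown key ID or a wrong MAC rejects the message.
    """
    if len(message) != 48 + 20:
        return False
    packet, trailer = message[:48], message[48:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = key_table.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(trailer[4:], ntp_md5_mac(key, packet))

# Constructed sample keys: an M key and an S key built with correct parity.
SAMPLE_KEYS = [
    (1, "M", "ExampleMd5Key"),
    (2, "S", bytes(with_odd_parity(b) for b in b"nioskey!").hex().upper()),
]
# Constructed NTP client request: LI=0, VN=4, mode=3, other fields zero.
CLIENT_PACKET = bytes([0x23]) + bytes(47)

if __name__ == "__main__":
    print(format_ntp_keys(SAMPLE_KEYS), end="")
    signed = authenticate(1, "ExampleMd5Key", CLIENT_PACKET)
    print("MAC verifies:", verify({1: "ExampleMd5Key"}, signed))
```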

Defining NTP Access Control


The NTP access control list specifies which clients can use a NIOS appliance as an NTP server. If you do not use the access control list, then the NIOS appliance does not allow access to its NTP service.

To specify which clients can access the NTP service of a NIOS appliance:

1. For a grid: From the Grid perspective, click + (for grid) -> + (for Services) -> NTP -> Edit -> Service Properties.
   or
   For an independent appliance or HA pair: From the Device perspective, click + (for hostname) -> NTP -> Edit -> Service Properties.
   or
   For a grid master or a grid member: From the Grid perspective, click + (for grid) -> + (for Members) -> + (for hostname) -> NTP -> Edit -> Service Properties.
   In the Member NTP Properties editor, do the following:
   Enable this member as an NTP server: Select this check box to configure a grid master or a grid member as an NTP server.
   Override Grid NTP access control: Select this check box to enter IP addresses for NTP access control at the member level instead of using the grid-level list. Enter the clients that can use this member as an NTP server in the Add Access Range dialog box. Clear the check box to use the grid-level access control list.
2. Click Add in the NTP Access Control section.
3. In the Add Access Range dialog box, select one of the following in IP Address Option, and then click OK.
   Address: The appliance allows a client from a single IP address to use its NTP service. Enter the IP address in the Address field.
   Network: The appliance allows clients from a subnet to use its NTP service. Enter the network address in the Address field, and then choose an appropriate netmask from the Subnet Mask drop-down list.
   Any: The appliance allows clients from any address to use its NTP service.
4. Click the Save icon.

Defining Query Access Control


The NIOS appliance can accept queries from clients using ntpq, the standard utility program used to query NTP servers about their status and operational parameters. The NTP query access control list specifies from which clients the NIOS appliance is allowed to accept ntpq queries. If you do not use this list, then the appliance does not accept ntpq queries from any client.

To specify from which clients a NIOS appliance can accept ntpq queries:

1. For a grid: From the Grid perspective, click + (for grid) -> + (for Services) -> NTP -> Edit -> Service Properties.
   or
   For an independent appliance or HA pair: From the Device perspective, click + (for hostname) -> NTP -> Edit -> Service Properties.
   or
   For a grid master or a grid member: From the Grid perspective, click + (for grid) -> + (for Members) -> + (for hostname) -> NTP -> Edit -> Service Properties.


   In the Member NTP Properties editor, do the following:
   Enable this member as an NTP server: Select this check box to configure a grid master or a grid member as an NTP server.
   Override Grid NTP query access control: Select this check box to enter IP addresses for NTP query access control at the member level instead of using the grid-level list. Enter the clients from which this member is allowed to accept ntpq queries in the Add NTP Query Client dialog box. Clear the check box to use the grid-level query access control list.
2. In the Add NTP Query Client dialog box, select one of the following in IP Address Option, and then click OK.
   Address: The appliance accepts ntpq queries from specific NTP clients. Enter the IP address in the Address field.
   Network: The appliance accepts ntpq queries from a subnet. Enter the network address in the Address field, and then choose an appropriate netmask from the Subnet Mask drop-down list.
   Any: The appliance accepts ntpq queries from any address.
3. Click the Save icon.


Scheduling Tasks
You can schedule tasks, such as adding hosts or modifying fixed addresses, for a future date and time. The scheduling feature is useful when you want to add, modify, or delete specific records at a desired date and time. Using this feature, you can streamline your day-to-day operations. For example, you can schedule the deletion of records that you use for testing when the test time is up. You can also reassign an IP address to a fixed address when the location of the server to which the fixed address is assigned changes from one network to another. You can schedule the addition, modification, and deletion of the following objects:
   DNS resource records (except SOA records)
   Hosts
   Bulk hosts
   Shared records
   Fixed addresses

To schedule tasks and view scheduled tasks, superusers must first enable the scheduling feature at the grid level. For information, see Enabling and Disabling Task Scheduling on page 136. Only superusers can enable and disable this feature and grant scheduling permissions. When the scheduling permission is added or inherited from an admin role, limited-access admin groups can schedule tasks. They can also view, reschedule, and delete their own scheduled tasks. For information, see Administrative Permissions for Scheduling Tasks on page 90.

Enabling and Disabling Task Scheduling


You can enable and disable task scheduling at the grid level only. The scheduling feature is disabled by default. You must enable it before you can schedule tasks. Any change to the current scheduling setting takes effect in the next login. If you enable the scheduling feature when it is currently disabled, you must log out and then log back in to the appliance before you schedule any task. Superusers can do the following to enable the scheduling feature:
   Enable task scheduling at the grid level
   Grant scheduling permissions to admin groups and admin roles

To enable scheduling at the grid level:

1. From the Grid perspective, select grid -> Edit -> Grid Properties.
2. In the Grid Properties section, select the Enable task scheduling check box.
3. Click the Save icon.
4. Log out and log back in to the appliance.

To grant scheduling permissions to an admin group or an admin role:

1. Follow the steps as described in Applying Permissions and Managing Conflicts on page 79. Ensure that you select Schedule Tasks in the Resource column of the Add Permissions dialog box.

You can disable the scheduling feature after you have enabled it by deselecting the Enable task scheduling check box in the Grid Properties section. Ensure that you click the Save icon. When you disable the scheduling feature, the appliance immediately deletes all pending scheduled tasks and you cannot schedule any task.

Scheduling a Task
After you schedule a task, administrators cannot modify the object associated with the scheduled task until after the appliance executes the task. However, the object can still be updated with DHCP leases and other auto-generated services. The appliance implements the scheduled tasks in the order of their scheduled times. You get a warning message when the scheduled time of your task coincides with that of another scheduled task. You can choose to continue with the operation or reschedule the task for a different date and time. The appliance can handle up to 500 scheduled tasks from all users.


To schedule a task:

1. Add, modify, or delete a record according to the instructions for the task in this guide.
2. In the Schedule Change dialog box, do the following:
   Now: Select this to have the appliance perform the task now.
   Schedule: Select this to schedule the task for a future date and time. This is selected by default.
   Date: Enter the date when you want the appliance to perform the task. The appliance displays today's date.
   Time: Enter the time when you want the appliance to perform the task.
   Time Zone: Select the time zone for the scheduled date and time.
   Admin Local Time: The appliance displays the scheduled date and time in the admin's local time zone. You cannot edit this field.
3. Click OK. The appliance executes the task at the scheduled date and time. It also displays the pending scheduled task in the Scheduled Tasks panel. For information, see Viewing Scheduled Tasks on page 137.

Viewing Scheduled Tasks


The appliance logs the scheduled tasks in the audit log and displays the pending tasks in the Scheduled Tasks panel of the Grid perspective. In the Scheduled Tasks section of the Home perspective, the appliance displays up to eight tasks with the earliest scheduled start time. You can view scheduled tasks in the following:

   Scheduled Tasks section from the Home perspective. For information, see Home Perspective on page 137.
   Scheduled Tasks panel from the Grid perspective. For information, see Grid Perspective on page 137.

Home Perspective
The Scheduled Tasks section of the Home perspective displays the following information for each task.
   Scheduled Time: The date, time, and time zone of the scheduled task.
   Affected Object: The name of the object that is associated with the task. For example, if the task involves an A record, this field displays the domain name of the record. If it is a fixed address, it displays the IP address of the fixed address.
   Action: The operation the appliance performs in this task. The value can be one of the following:
      INSERT: Addition
      UPDATE: Modification
      DELETE: Deletion

To view a complete list of scheduled tasks, click See Complete List in the Scheduled Tasks section. The appliance displays the Scheduled Tasks panel in the Grid perspective. For information, see Grid Perspective on page 137.

Grid Perspective
The Scheduled Tasks panel of the Grid perspective displays the pending scheduled tasks that the admin is allowed to view. Superusers can view all scheduled tasks, and limited-access admins can view their own scheduled tasks. To view scheduled tasks in this panel, from the Grid perspective, click grid -> View -> Scheduled Tasks. The report displays the following information for each task:
   ID: The task ID in chronological order based on the date, time, and time zone when the task is scheduled.
   Scheduled Time: The date, time, and time zone when the task will be executed.
   Submitted Time: The date, time, and time zone when the task was submitted.
   Submitter: The admin who scheduled the task.
   Affected Object: The name of the object that is associated with the task. For example, if the task involves an A record, this field displays the domain name of the record. If it is a fixed address, it displays the IP address of the fixed address.

   Object Type: The object type. For example, the appliance can display A Record or Fixed Address.
   Action: The operation the appliance performs in this task. The value can be one of the following:
      INSERT: Addition
      UPDATE: Modification
      DELETE: Deletion

   Change Audit Log: The message that appears in the audit log.

You can click any column header, except for Change Audit Log, to sort the tasks in ascending order. By default, the appliance sorts the tasks by Scheduled Time.

Rescheduling and Deleting Scheduled Tasks


Only superusers can view, reschedule, and delete all scheduled tasks. Limited-access admins can view, reschedule, and delete their own scheduled tasks. The appliance sends email notifications to local admins when email notification is enabled at the grid level and any of the following happens:
   A superuser scheduled a task, and another superuser reschedules or deletes the task.
   A limited-access admin scheduled a task, and a superuser reschedules or deletes the task.
   A superuser or a limited-access admin scheduled a task, and the task failed.

Remote admins and local admins without email addresses do not receive email notifications.

To reschedule a task:

1. From the Grid perspective, click grid -> View -> Scheduled Tasks.
2. In the Scheduled Tasks panel, select the task that you want to reschedule.
3. Right-click the task and select Reschedule.
4. In the Schedule Change dialog box, modify the date and time when you want the appliance to execute the task.
5. Click OK.

To delete a scheduled task:

1. From the Grid perspective, click grid -> View -> Scheduled Tasks.
2. In the Scheduled Tasks panel, select the task that you want to delete. You can select multiple tasks using SHIFT+click and CTRL+click.
3. Right-click the task and select Remove.
4. In the Confirm Delete Request dialog box, click Yes. The appliance deletes the scheduled task and does not perform the scheduled operation. Therefore, no change is made to any record after you delete a scheduled task.

Guidelines for Upgrading, Backing Up, and Restoring the Database


You should take into consideration the impact on scheduled tasks when you perform any of the following:
   Upgrade the NIOS software: In a full upgrade, all scheduled tasks are deleted. In a lite upgrade, scheduled tasks are not deleted.
   Back up the NIOS database: All scheduled tasks are backed up for troubleshooting purposes.
   Restore the database: The scheduled tasks are not restored.
   Promote a grid member to a grid master: All scheduled tasks are deleted.
   Revert the NIOS software image: All scheduled tasks are deleted.


Managing Security Operations


The procedures in this section apply to both independent and grid installations. You can specify these security operations:

   Enabling Support Access on page 139
   Enabling Remote Console Access on page 139
   Permanently Disabling Remote Console and Support Access on page 140
   Restricting HTTP Access on page 140
   Enabling HTTP Redirection on page 141
   Modifying GUI Session Timeout Settings on page 141
   Disabling the LCD Input Buttons on page 141
   Modifying Security for a Grid Member on page 142

Enabling Support Access


Infoblox Technical Support might need access to your NIOS appliance to troubleshoot problems. This function enables an SSH (Secure Shell) daemon that only Infoblox Technical Support can access. If you have any questions, contact Infoblox Technical Support at support@infoblox.com. By default, this option is disabled.

To enable Infoblox Technical Support access:

1. From the Grid perspective, click grid -> Edit -> Grid Properties.
   or
   From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid (or Device) editor, click Security, and then select Enable Support access.
3. Click the Save icon.

Note: When configuring grid members, you can selectively override the grid-level Support access setting at the member level.

Enabling Remote Console Access


This function makes it possible for a superuser admin to access the Infoblox CLI from a remote location using an SSH (Secure Shell) v2 client. The management system must have an SSH v2 client to use this function. After opening a remote console connection using an SSH client, log in using a superuser name and password. By default, this option is disabled.

To enable remote console access:

1. From the Grid perspective, click grid -> Edit -> Grid Properties.
   or
   From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid (or Device) editor, click Security, and then select Enable remote console access.
3. Click the Save icon.

Note: When configuring grid members, you can selectively override the grid-level remote console access setting at the member level.


Permanently Disabling Remote Console and Support Access


You can permanently disable remote console (Secure Shell v2) access for appliance administration and for Infoblox Technical Support to perform remote troubleshooting. Disabling this type of access might be required in a high-security environment.

WARNING: After permanently disabling remote console and support access, you cannot re-enable them! Not even resetting an appliance to its factory default settings can re-enable them.

To permanently disable remote console access and Infoblox Technical Support access:

1. From the Grid perspective, click grid -> Edit -> Grid Properties.
   or
   From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid (or Device) editor, click Security, and then select Permanently disable remote console and support access.
3. Click the Save icon.

Restricting HTTP Access


You can specify the IP addresses from which administrators are allowed to access the NIOS appliance. When the NIOS appliance receives a connection request, it tries to match the source IP address in the request with IP addresses in the list. If there is at least one item in the HTTP Access Control list and the source IP address in the request does not match it, the NIOS appliance ignores the request.

Caution: If you specify an address or network other than the one from which you are currently accessing the appliance, when you save your configuration, you will lose your administrative session and be unable to reconnect.

To restrict HTTP access to the Infoblox GUI to select addresses:

1. From the Grid perspective, click grid -> Edit -> Grid Properties.
   or
   From the Device perspective, click hostname -> Edit -> Device Properties.
2. To set restrictions on the IP addresses from which administrators can access the NIOS appliance, select Enable HTTP access restrictions in the Security section, click Add, enter the following, and then click OK:
   Address Type:
      Address: To allow administrative access to the GUI from a single IP address, select this option and enter the IP address in the Address field. Note that if you specify an address other than the one from which you are currently accessing the appliance, when you save your configuration, you will lose your administrative session and be unable to reconnect.
      Network: To restrict administrative access to the GUI to a subnet, select this option and enter the network address in the Address field and choose an appropriate netmask from the drop-down list. Note that if you specify a subnet other than the one from which you are currently accessing the appliance, when you save your configuration, you will lose your administrative session and be unable to reconnect.
3. Click the Save icon to save your changes. The application restarts and your management session terminates.
4. From the JWS (Java Web Start) login prompt, log back in to the appliance.


Enabling HTTP Redirection


You can enable the NIOS appliance to redirect administrative connection requests using HTTP to the secure HTTPS protocol. When you disable redirection, the NIOS appliance ignores any administrative connection requests not using HTTPS. By default, the NIOS appliance does not redirect HTTP connection requests to HTTPS.

To enable redirection:

1. From the Grid perspective, click grid -> Edit -> Grid Properties.
   or
   From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid (or Device) editor, click Security, and then select Auto-Redirect HTTP -> HTTPS.
3. Click the Save icon to save your changes. The application restarts and your management session terminates.
4. From the JWS (Java Web Start) login prompt, log back in to the appliance.

Modifying GUI Session Timeout Settings


You can set the length of idle time before an administrative session to the Infoblox GUI times out. The default timeout value is 600 seconds (10 minutes).

Note: If you change Session Timeout settings, you must log out of the session by selecting File -> Logout, and log back in. The setting takes effect only after you log out and log back in.

To modify session timeout settings:

1. From the Grid perspective, click grid -> Edit -> Grid Properties.
   or
   From the Device perspective, click hostname -> Edit -> Device Properties.
2. Click Security in the Grid (or Device) editor and enter a number between 60 and 31536000 seconds (one minute to one year) in the Session Timeout field. The default session timeout is 600 seconds (10 minutes).
3. Click the Save icon to save your changes.
4. Select File -> Logout to log out of the GUI.
5. Log back into the GUI to apply the new timeout value to the session.

The GUI tracks mouse and keyboard activity. If there is no activity for the specified timeout interval, the appliance displays a message that the timeout has occurred. Click OK to restart the GUI.

Disabling the LCD Input Buttons


By default, the LCD input function is enabled, which allows you to use the LCD buttons on the front panel of a NIOS appliance to change the IP address settings of the LAN port. You can disable this function if the appliance is in a location where you cannot restrict access exclusively to NIOS appliance administrators and you do not want anyone to be able to make changes through the LCD.

To disable LCD input to the appliance:

1. From the Grid perspective, click grid -> Edit -> Grid Properties.
   or
   From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid (or Device) editor, click Security, and then clear Enable LCD input.
3. Click the Save icon to save your changes.


Modifying Security for a Grid Member


You can override a number of grid-level security settings at the member level.

Note: You can only manage session timeout settings, HTTPS redirection, HTTP access, audit log rolling, password length, and login banner text at the grid level.

To enable support access for a member:

1. From the Grid perspective, click + (for grid) -> + (for Member) -> member -> Edit -> Member Properties.
2. In the Grid (or Device) editor, click Security, and then enter the following:
   To override grid-level settings for remote console access, select the Override grid remote console access setting check box, and then select or clear the Remote console access enabled check box.
   To override grid-level settings for Infoblox Technical Support access, select the Override grid support access setting check box, and then select or clear the Enable support access check box.
   To override grid-level LCD input settings, select the Override grid support LCD input setting check box, and then select or clear the Enable LCD input check box.
3. Click the Save icon to save your changes.


Ethernet Port Usage


The three Ethernet ports on a NIOS appliance perform different functions, which vary depending on deployment and configuration choices. The three Ethernet ports that transmit and receive traffic to the NIOS appliance are as follows:
   LAN1 port: This is the default port for single independent appliances, single grid members, and passive nodes in HA pairs. All deployments use the LAN port for management services if the MGMT port is disabled. On Infoblox-500, -1000, and -1200 appliances, this port is labeled LAN. On Infoblox-250, -550, -550-A, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000 appliances, it is labeled LAN1.
   LAN2 port: The LAN2 port is not enabled by default. By default, an appliance uses the LAN1 port (and HA port when deployed in an HA pair). To enable and configure the LAN2 port, you must have read/write permission to the grid member on which you want to enable the port. The LAN2 port is available on Infoblox-250, -550-A, -1050-A, -1550-A, -1552-A, and -2000 appliances.
   HA port: This is the default port for the active grid master node and the active node in an independent HA pair.
   MGMT port: If the MGMT port is enabled, the NIOS appliance uses it for many types of management services (see Table 4.3 on page 145 for specific types).

Table 4.1 displays the type of traffic per port for both grid and independent deployments. For a more detailed list of the different types of traffic, see Table 4.3 on page 145.

Table 4.1 Appliance Roles and Configuration, Communication Types, and Port Usage

Appliance Role | HA Pair | HA Status | MGMT Port | Database Synchronization | Core Network Services | Management Services | GUI Access
HA Grid Master | Yes | Active | Disabled | VIP on HA | VIP on HA | LAN1 | VIP on HA
HA Grid Master | Yes | Passive | Disabled | LAN1 | - | LAN1 | -
Single Grid Master | No | - | Disabled | LAN1 | LAN1 | LAN1 | LAN1
HA Grid Member | Yes | Active | Disabled | LAN1 | VIP on HA | LAN1 | -
HA Grid Member | Yes | Passive | Disabled | LAN1 | - | LAN1 | -
Single Grid Member | No | - | Disabled | LAN1 | LAN1 | LAN1 | -
Independent HA Pair | Yes | Active | Disabled | VIP on HA | VIP on HA | LAN1 | VIP on HA
Independent HA Pair | Yes | Passive | Disabled | LAN1 | - | LAN1 | -
Single Independent | No | - | Disabled | - | LAN1 | LAN1 | LAN1
HA Grid Master | Yes | Active | Enabled | VIP on HA | VIP on HA | MGMT | MGMT
HA Grid Master | Yes | Passive | Enabled | LAN1 | - | MGMT | -
Single Grid Master | No | - | Enabled | LAN1 | LAN1 or MGMT | MGMT | MGMT
HA Grid Member | Yes | Active | Enabled | LAN1 or MGMT | VIP on HA | MGMT | -
HA Grid Member | Yes | Passive | Enabled | LAN1 or MGMT | - | MGMT | -
Single Grid Member | No | - | Enabled | LAN1 or MGMT | LAN1 or MGMT | MGMT | -
Independent HA Pair | Yes | Active | Enabled | VIP on HA | VIP on HA | MGMT | MGMT
Independent HA Pair | Yes | Passive | Enabled | LAN1 | - | MGMT | -
Single Independent | No | - | Enabled | - | LAN1 or MGMT | MGMT | MGMT


Table 4.2 Appliance Roles and Configuration, Communication Types, and Port Usage for Appliances with LAN2 Ports

Appliance Role | HA Status | MGMT Port | LAN2 Port | Database Synchronization | Core Network Services | Management Services | GUI Access
HA Grid Master | Active | Disabled | Enabled | VIP on HA | VIP on HA | LAN1 or LAN2 | VIP on HA
HA Grid Master | Passive | Disabled | Enabled | LAN1 | - | LAN1 or LAN2 | -
Single Grid Master | - | Disabled | Enabled | LAN1 | LAN1 and/or LAN2 | LAN1 or LAN2 | LAN1
HA Grid Member | Active | Disabled | Enabled | LAN1 | VIP on HA | LAN1 or LAN2 | -
HA Grid Member | Passive | Disabled | Enabled | LAN1 | - | LAN1 or LAN2 | -
Single Grid Member | - | Disabled | Enabled | LAN1 | LAN1 and/or LAN2 | LAN1 or LAN2 | -
Independent HA Pair | Active | Disabled | Enabled | VIP on HA | VIP on HA | LAN1 or LAN2 | VIP on HA
Independent HA Pair | Passive | Disabled | Enabled | LAN1 | - | LAN1 or LAN2 | -
Single Independent | - | Disabled | Enabled | - | LAN1 and/or LAN2 | LAN1 or LAN2 | LAN1
HA Grid Master | Active | Enabled | Enabled | VIP on HA | VIP on HA | MGMT | MGMT
HA Grid Master | Passive | Enabled | Enabled | LAN1 | - | MGMT | -
Single Grid Master | - | Enabled | Enabled | LAN1 | LAN1, LAN2 and/or MGMT | MGMT | MGMT
HA Grid Member | Active | Enabled | Enabled | LAN1 or MGMT | VIP on HA | MGMT | -
HA Grid Member | Passive | Enabled | Enabled | LAN1 or MGMT | - | MGMT | -
Single Grid Member | - | Enabled | Enabled | LAN1 or MGMT | LAN1, LAN2 and/or MGMT | MGMT | -
Independent HA Pair | Active | Enabled | Enabled | VIP on HA | VIP on HA | MGMT | MGMT
Independent HA Pair | Passive | Enabled | Enabled | LAN1 | - | MGMT | -
Single Independent | - | Enabled | Enabled | - | LAN1, LAN2 and/or MGMT | MGMT | MGMT

To see the service port numbers and the source and destination locations for traffic that can go to and from a NIOS appliance, see Table 4.3. This information is particularly useful for firewall administrators so that they can set policies to allow traffic to pass through the firewall as required. Note: The colors in both tables represent a particular type of traffic and correlate with each other.


Table 4.3 Sources and Destinations for Services

Service | SRC IP | DST IP | Proto | SRC Port | DST Port | Notes
Key Exchange | LAN1 on grid member | VIP on HA grid master, or LAN1 on single master | 17 UDP | 2114 | 2114 | Initial key exchange for establishing VPN tunnels. Required for Grid.
VPN | LAN1 on grid member | VIP on HA grid master, or LAN1 on single master | 17 UDP | 1194 or 5002, or 1024 -> 63999 | 1194 or 5002, or 1024 -> 63999 | Default VPN port 1194 for grids with new DNSone 3.2 installations and 5002 for grids upgraded to DNSone 3.2; the port number is configurable. Required for Grid.
DHCP | Client | LAN1, LAN2, VIP, or broadcast on NIOS appliance | 17 UDP | 68 | 67 | Required for DHCP service.
DHCP | LAN1, LAN2, or VIP on NIOS appliance | Client | 17 UDP | 67 | 68 | Required for DHCP service.
DHCP Failover | LAN1, LAN2, or VIP on Infoblox DHCP failover peer | LAN1, LAN2, or VIP on Infoblox DHCP failover peer | 6 TCP | 519 | 519 | Required for DHCP failover.
DHCP Failover | VIP on HA grid master, or LAN1 or LAN2 on single master | LAN1, LAN2, or VIP on grid member in a DHCP failover pair | 6 TCP | 1024 -> 65535 | 7911 | Informs the functioning grid member in a DHCP failover pair that its partner is down. Required for DHCP failover.
DDNS Updates | LAN1, LAN2, or VIP | LAN1, LAN2, or VIP | 17 UDP | 1024 -> 65535 | 53 | Required for DHCP to send DNS dynamic updates.
DNS Transfers | LAN1, LAN2, VIP, or MGMT, or client | LAN1, LAN2, VIP, or MGMT | 6 TCP | 53, or 1024 -> 65535 | 53 | For DNS zone transfers, large client queries, and for grid members to communicate with external name servers. Required for DNS.
DNS Queries | Client | LAN1, LAN2, VIP, or broadcast on NIOS appliance | 17 UDP | 53, or 1024 -> 65535 | 53 | For DNS queries. Required for DNS.
NTP | NTP client | VIP, LAN1, or LAN2 | 17 UDP | 1024 -> 65535 | 123 | Required if the NIOS appliance is an NTP server.
RADIUS Authentication | NAS (network access server) | LAN1 or VIP | 17 UDP | 1024 -> 65535 | 1812 | For proxying RADIUS Authentication-Requests. The default destination port number is 1812, and can be changed to 1024 -> 63997.
RADIUS Accounting | NAS (network access server) | LAN1 or VIP | 17 UDP | 1024 -> 65535 | 1813 | For proxying RADIUS Accounting-Requests. The default destination port number is 1813, and can be changed to 1024 -> 63998.
RADIUS Proxy | LAN1 or VIP | RADIUS home server | 17 UDP | 1814 | 1024 -> 63997 (auth), or 1024 -> 63998 (acct) | Required to proxy requests from RADIUS clients to servers. The default source port number is 1814, and although it is not configurable, it is always two greater than the port number for RADIUS authentication.
ICMP Dst Port Unreachable | VIP, LAN1, LAN2, or MGMT, or UNIX-based client | LAN1, LAN2, or UNIX-based client | 1 ICMP, Type 3 | - | - | Required to respond to the UNIX-based traceroute tool to determine if a destination has been reached.
ICMP Echo Reply | VIP, LAN1, LAN2, or MGMT, or client | VIP, LAN1, LAN2, or MGMT, or client | 1 ICMP, Type 0 | - | - | Required for response from ICMP echo request (ping).
ICMP Echo Request | VIP, LAN1, LAN2, or MGMT, or client | VIP, LAN1, LAN2, or MGMT, or client | 1 ICMP, Type 8 | - | - | Required to send pings and respond to the Windows-based traceroute tool.
ICMP TTL Exceeded | Gateway device (router or firewall) | Windows client | 1 ICMP, Type 11 | - | - | Gateway sends an ICMP TTL exceeded message to a Windows client, which then records router hops along a data path.
NTP | LAN1 on active node of grid master, or LAN1 of independent appliance | NTP server | 17 UDP | 1024 -> 65535 | 123 | Required to synchronize Grid, TSIG authentication, and DHCP failover. Optional for synchronizing logs among multiple appliances.
SMTP | LAN1, LAN2, or VIP | Mail server | 6 TCP | 1024 -> 65535 | 25 | Required if SMTP alerts are enabled.
SNMP | NMS (network management system) server | VIP, LAN1, LAN2, or MGMT | 17 UDP | 1024 -> 65535 | 161 | Required for SNMP management.
SNMP Traps | VIP on grid master or HA pair, or LAN1, LAN2, or MGMT of independent appliance | NMS server | 17 UDP | 1024 -> 65535 | 162 | Required for SNMP trap management.
SSHv2 | Client | LAN1, LAN2, VIP, or MGMT on NIOS appliance | 6 TCP | 1024 -> 65535 | 22 | Administrators can make an SSHv2 connection to the LAN1, LAN2, VIP, or MGMT port. Optional for management.
Syslog | LAN1, LAN2, or MGMT of NIOS appliance | Syslog server | 17 UDP | 1024 -> 65535 | 514 | Required for remote syslog logging.
Traceroute | LAN1, LAN2, or UNIX-based appliance | VIP, LAN1, LAN2, or MGMT, or client | 17 UDP | 1024 -> 65535 | 33000 -> 65535 | NIOS appliance responds with ICMP type code 3 (port unreachable).
TFTP Data | LAN1 or MGMT | TFTP server | 17 UDP | 1024 -> 65535 | 69, then 1024 -> 63999 | For contacting a TFTP server during database and configuration backup and restore operations.
HTTP | Management System | VIP, LAN1, or MGMT | 6 TCP | 1024 -> 65535 | 80 | Required if the HTTP-redirect option is set on the grid properties security page.
HTTPS/SSL | Management System | VIP, LAN1, or MGMT | 6 TCP | 1024 -> 65535 | 443 | Required for administration through the GUI.
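The rows in Table 4.3 are what a firewall administrator turns into an allow-list, and they are also a useful baseline for spotting traffic that should not be reaching an appliance. The following Python is an added example, not Infoblox code: it encodes the table rows that apply to a single grid member serving DNS and DHCP on its LAN1 port (key exchange and VPN to the master, DHCP on 67/68 including the broadcast discover, DNS on UDP and TCP 53, SSHv2 from the management subnet, and ICMP echo) and then audits a list of flows against them. The Rule class, the member_rules/classify/audit names and all addresses (TEST-NET ranges) are constructed for the example; the port numbers are the ones the table lists.

```python
"""Allow-list derived from Table 4.3 for a single grid member serving DNS and
DHCP on LAN1 (added example; not Infoblox code). Rule names, the Rule class
and the sample addresses are constructed; port numbers come from the table."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Flow = Tuple[str, str, str, int]   # (src IP, dst IP, proto, dst port or ICMP type)


@dataclass(frozen=True)
class Rule:
    service: str
    proto: str        # "udp", "tcp" or "icmp"
    dport_lo: int     # allowed destination port range (ICMP type for icmp)
    dport_hi: int
    src_net: str      # CIDR the source address must fall in
    dst_net: str      # CIDR the destination address must fall in

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (proto == self.proto
                and self.dport_lo <= dport <= self.dport_hi
                and ip_address(src) in ip_network(self.src_net)
                and ip_address(dst) in ip_network(self.dst_net))


def member_rules(member_lan1: str, master_addr: str, client_net: str,
                 mgmt_net: str, vpn_port: int = 1194) -> List[Rule]:
    """Rows of Table 4.3 that apply to a single grid member serving DNS and
    DHCP on LAN1. master_addr is the VIP of an HA master or LAN1 of a single
    master; vpn_port is 1194 for new installs and 5002 for upgraded grids."""
    m = f"{member_lan1}/32"
    g = f"{master_addr}/32"
    anywhere = "0.0.0.0/0"
    return [
        # Grid: key exchange (UDP 2114) and the VPN tunnel, member -> master
        Rule("Key Exchange", "udp", 2114, 2114, m, g),
        Rule("VPN", "udp", vpn_port, vpn_port, m, g),
        # DHCP: client -> server on 67 (unicast or broadcast), server -> client on 68
        Rule("DHCP request", "udp", 67, 67, client_net, m),
        Rule("DHCP request (broadcast)", "udp", 67, 67, anywhere, "255.255.255.255/32"),
        Rule("DHCP reply", "udp", 68, 68, m, client_net),
        # DNS: UDP 53 for queries, TCP 53 for zone transfers and large queries
        Rule("DNS Queries", "udp", 53, 53, client_net, m),
        Rule("DNS Transfers", "tcp", 53, 53, client_net, m),
        # Management: SSHv2 from the management subnet only
        Rule("SSHv2", "tcp", 22, 22, mgmt_net, m),
        # ICMP echo request (type 8) in, echo reply (type 0) out
        Rule("ICMP Echo Request", "icmp", 8, 8, anywhere, m),
        Rule("ICMP Echo Reply", "icmp", 0, 0, m, anywhere),
    ]


def classify(rules: List[Rule], flow: Flow) -> Optional[str]:
    """Name of the first Table 4.3 service that explains the flow, else None."""
    src, dst, proto, dport = flow
    for r in rules:
        if r.matches(src, dst, proto, dport):
            return r.service
    return None


def audit(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Flows that no rule explains: candidates for a firewall deny or a review."""
    return [f for f in flows if classify(rules, f) is None]


# Constructed sample (TEST-NET addresses): member LAN1 192.0.2.10, single
# master LAN1 192.0.2.1, clients in 192.0.2.0/24, management systems in
# 198.51.100.0/24, grid on the default VPN port 1194.
SAMPLE_RULES = member_rules("192.0.2.10", "192.0.2.1", "192.0.2.0/24", "198.51.100.0/24")
SAMPLE_FLOWS: List[Flow] = [
    ("192.0.2.50", "192.0.2.10", "udp", 53),          # DNS query from a client
    ("0.0.0.0", "255.255.255.255", "udp", 67),        # DHCP discover, broadcast
    ("192.0.2.10", "192.0.2.1", "udp", 1194),         # VPN tunnel to the master
    ("198.51.100.30", "192.0.2.10", "tcp", 22),       # SSH from a management system
    ("192.0.2.50", "192.0.2.10", "tcp", 443),         # HTTPS from a client: not expected
    ("192.0.2.10", "192.0.2.1", "udp", 5002),         # VPN on the wrong port for this grid
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES, SAMPLE_FLOWS):
        print("unexpected flow:", f)
```

Running the sample flags the HTTPS connection from a client (GUI access to a member is not in the member's row set) and the VPN attempt on 5002, which is the port for upgraded grids rather than the 1194 this constructed grid uses; passing vpn_port=5002 to member_rules makes the second flow legitimate. The broadcast rule is kept separate from the client-subnet rule because a DHCP discover carries source 0.0.0.0 and would otherwise be reported as unexpected.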


Modifying Ethernet Port Settings


By default, the NIOS appliance automatically negotiates the optimal connection speed and transmission type (full or half duplex) on the physical links between the 10/100Base-T and 10/100/1000Base-T ports on the NIOS appliance and the Ethernet ports on a connecting switch. It is usually unnecessary to change the default auto-negotiation setting; however, you can manually configure connection settings for a port if necessary. Occasionally, for example, even though both the NIOS appliance and the connecting switch support 1000-Mbps (megabits per second) full-duplex connections, they might fail to auto-negotiate that speed and type, and instead connect at lower speeds of either 100 or 10 Mbps using potentially mismatched full- and half-duplex transmissions. If this occurs, first determine if there is a firmware upgrade available for the switch. If so, apply the firmware upgrade and test the connection. If that does not resolve the issue, manually set the ports on the NIOS appliance and on the switch to make 1000-Mbps full-duplex connections.

To change Ethernet port settings:
1. From the Grid perspective, click + (for grid ) -> + (for Member ) -> member -> Edit -> Member Properties.
   or
   From the Device perspective, click hostname -> Edit -> Device Properties.
   Note: You must enable the MGMT port before modifying its port settings. See Using the MGMT Port on page 153.
2. In the Grid Member or Device editor, click LAN/HA Ports, MGMT Port, or LAN2 Port, and then enter the following for Node 1 and for Node 2, if the appliance is in an HA pair:
   Use Automatic [ LAN | HA | MGMT | LAN2 ] Port Settings: Clear the check box.
   [ LAN | HA | MGMT | LAN2 ] Speed: Choose the connection speed that you want the port to use.
   [ LAN | HA | MGMT | LAN2 ] Duplex: Choose Full for concurrent bidirectional data transmission or Half for data transmission in one direction at a time.
3. Click the Save icon to save your changes.

Note: The port settings on the connecting switch must be identical to those you set on the NIOS appliance.


Using the LAN2 Port


The LAN2 port is a 10/100/1000Base-T Ethernet connector on the front panel of Infoblox-250, -550-A, -1050-A, -1550-A, -1552-A, and -2000 appliances. The LAN2 port is not enabled by default. By default, an appliance uses the LAN1 port (and HA port when deployed in an HA pair). To enable and configure the LAN2 port, you must have read/write permission to the grid member on which you want to enable the port. When you enable the LAN2 port and SNMP, the appliance sends traps from this port for LAN2 related events.

You can configure the LAN2 port in different ways. You can enable the NIC failover feature, which groups the LAN1 and LAN2 ports into one logical interface. Alternatively, you can configure the LAN2 port on a different IP network than LAN1, and enable the LAN2 port to provide DNS and DHCP services. In addition, you can use the IP address of the LAN2 port as the captive portal IP address in the NAC Foundation module. For information about these features, see the following sections:
   For information about the NIC Failover feature, see NIC Failover on page 150.
   For information about configuring the LAN2 port to provide DHCP services, see Enabling DHCP on LAN2 on page 151.
   For information about configuring the LAN2 port to provide DNS services, see Enabling DNS on LAN2 on page 152.
   For information about configuring the LAN2 port as the captive portal IP address, see Configuring the Captive Portal on page 648.

Note that you cannot use the LAN2 port to access the GUI or to connect to the grid.


NIC Failover
You can use the LAN2 port in conjunction with the NIC failover feature to provide redundancy and additional fault tolerance in your network. When you enable the NIC failover feature, the LAN1 and LAN2 ports are grouped into one logical interface. They share one IP address and appear as one interface to the network. Then, if a link to one of the ports fails or is disabled, the appliance fails over to the other port, avoiding a service disruption. You can connect the LAN1 and LAN2 ports to the same switch or to different switches, but they must be on the same VLAN.

One port is active and the other port is idle at all times. The other port becomes active only when the previously active port fails. The LAN1 and LAN2 ports share the IP address of the LAN1 port; the port that is currently active owns the IP address. When you enable services on the appliance, such as DNS and DHCP, clients send their service requests to the LAN1 port IP address and receive replies from it as well. The port supports the services and features supported on the LAN1 port as listed in Table 4.2 and Table 4.3. Note that you cannot enable NIC failover if the LAN2 port is serving DNS or DHCP.

As shown in Figure 4.5, the appliance is connected to the grid through its MGMT port, and the LAN1 and LAN2 ports are connected to the same switch. NIC failover is enabled and the LAN1 and LAN2 ports share the IP address of the LAN1 port, which is 1.1.1.5. In the illustration, LAN1 is the active port. You can enable NIC failover on a single independent appliance or grid member. You cannot enable this feature on an HA pair.

Figure 4.5 Using the NIC Failover Feature

[Figure: The grid master (LAN1 10.1.1.5) and the member's MGMT port (10.1.1.20) are on the private network 10.1.1.0/24 for grid communications and appliance management. The member's LAN1 and LAN2 ports connect to the public network 1.1.1.0/24 for DNS and DHCP services and share the LAN1 IP address 1.1.1.5; only one port is active at any time. Clients send service requests and replies to the LAN1 IP address.]


To enable the LAN2 port and the NIC failover feature:
1. From the Grid perspective, click + (for grid ) -> + (for Member ) -> grid_member -> Edit -> Member Properties.
   or
   From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid Member editor, click LAN2 Port to expand the section, and then enter the following:
   Enable LAN2: Select this check box.
   Enable NIC failover for LAN1 and LAN2: Select this check box. The appliance greys out the IP address field. You cannot enter a separate IP address for the LAN2 port because the LAN1 and LAN2 ports share the IP address of the LAN1 port.
3. Click the Save and Restart Services icons.

The Detailed Status panel displays the status of both the LAN1 and LAN2 ports.

Enabling DHCP on LAN2


You can configure an appliance to provide DHCP services through the LAN1 port only, the LAN2 port only, or both the LAN1 and LAN2 ports. Note that when you enable both ports, they must be connected to different subnets.

To enable DHCP on LAN2:
1. From the Grid perspective, click + (for grid ) -> + (for Member ) -> grid_member -> Edit -> Member Properties.
   or
   From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid Member editor, click LAN2 Port to expand the section, and then enter the following:
   Enable LAN2: Select this check box.
   Configure LAN2 IP address: Select this check box and specify the following:
      V(IP) Address: Enter the IP address of the LAN2 port, which must be in a different subnet from that of the LAN1 port.
      Subnet Mask: Select the appropriate netmask.
      Gateway: Enter the IP address of the default gateway of the LAN2 port.
      LAN2 Virtual Router ID (if HA): If the appliance is in an HA pair, enter a VRID number.
3. From the DHCP and IPAM perspective, select the DHCP Members tab, and then click + (for grid ) -> + (for Member ) -> grid_master -> Edit -> Member Properties.
4. Click General Properties to expand the section and do the following:
   Enable DHCP service on the LAN2 port: Select this check box.
5. Click the Save and Restart Services icons.


Enabling DNS on LAN2


If you enable DNS on an appliance, it always serves DNS on the LAN1 port. Optionally, you can configure the appliance to provide DNS services through the LAN2 port as well. For example, the appliance can provide DNS services through the LAN1 port for internal clients on a private network, and DNS services through the LAN2 port for external clients on a public network.

To enable DNS on LAN2:
1. From the Grid perspective, click + (for grid ) -> + (for Member ) -> grid_member -> Edit -> Member Properties.
   or
   From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid Member editor, click LAN2 Port to expand the section, and then enter the following:
   Enable LAN2: Select this check box.
   Configure LAN2 IP address: Select this check box and specify the following:
      V(IP) Address: Enter the IP address of the LAN2 port, which must be in a different subnet from that of the LAN1 port.
      Subnet Mask: Select the appropriate netmask.
      Gateway: Enter the IP address of the default gateway of the LAN2 port.
      LAN2 Virtual Router ID (if HA): If the appliance is in an HA pair, enter a VRID number.
3. From the DNS perspective, select the DNS Members tab, and then click + (for grid ) -> + (for Member ) -> grid_master -> Edit -> Member Properties.
4. Click General Properties to expand the section and do the following:
   Enable DNS service on the LAN2 port: Select this check box and specify the following:
      Automatically create glue A and PTR records for LAN2 IP: The NIOS appliance can automatically generate A (address) and PTR records for a primary name server whose host name belongs to the name space of the zone. Select this check box to enable the appliance to automatically generate an A and PTR record.
      Select one of the following from the Source queries, notifies, and zone transfer requests drop-down list:
         VIP: The appliance uses the IP address of the HA port as the source for queries, notifies, and zone transfer requests.
         MGMT: The appliance uses the IP address of the MGMT port as the source for queries, notifies, and zone transfer requests.
         LAN2: The appliance uses the IP address of the LAN2 port as the source for queries, notifies, and zone transfer requests.
         Any: The appliance chooses which port to use as the source for queries, notifies, and zone transfer requests.
5. Click the Save and Restart Services icons.


Using the MGMT Port


Note: This feature is not supported on Cisco and Riverbed virtual grid members.

The MGMT (Management) port is a 10/100Base-T Ethernet connector on the front panel of an Infoblox-500, -1000, and -1200 appliance, and a 10/100/1000Base-T Ethernet connector on the front panel of an Infoblox-250, -550, -550-A, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000 appliance. It allows you to isolate the following types of traffic from other types of traffic on the LAN and HA ports:
   Appliance Management on page 154
   Grid Communications on page 156
   DNS Services on page 159

For information about what types of traffic qualify as appliance management, grid communications, and DNS services, see Table 4.3 on page 145.

Note: The MGMT port currently does not support DHCP, NTP, NAT, RADIUS proxying, or TFTP.

Some NIOS appliance deployment scenarios support more than one concurrent use of the MGMT port. The following table depicts MGMT port uses for various appliance configurations.

Table 4.4 Supported MGMT Port Uses for Various Appliance Configurations

Appliance Configuration | Appliance Management | Grid Communications | DNS Services
Single Independent Appliance | | Not Applicable |
Independent HA Pair | | Not Applicable |
Grid Master | | |
Grid Master Candidate | | |
HA Grid Member | * | |
Single Grid Member | * | |

* Although you manage all grid members through the grid master, if you enable the MGMT port on common grid members, they can send syslog events, SNMP traps, and e-mail notifications, and receive SSH connections on that port.

Infoblox does not support MGMT port usage for some appliance configurations (indicated by the symbol in Table 4.4) because it cannot provide redundancy through the use of a VIP. A grid master that is an HA pair needs the redundancy that a VIP interface on the HA port provides for grid communications. Similarly, DNS servers in an HA pair need that redundancy to answer DNS queries. Because the MGMT port does not support a VIP and thus cannot provide redundancy, grid masters (and potential grid masters) do not support grid communications on the MGMT port.

In addition, NIOS appliances in an HA pair support DNS services on the active node only (indicated by the symbol in Table 4.4). Only the active node can respond to queries that it receives. If a DNS client sends a query to the MGMT port of the node that happens to be the passive node, the query can eventually time out and fail.


The MGMT port is not enabled by default. By default, a NIOS appliance uses the LAN port (and HA port when deployed in an HA pair). You must log in using a superuser account to enable and configure the MGMT port. You can enable the MGMT port through the Infoblox GUI (as explained in the following sections) or through a console connection with the following command:

   set interface mgmt speed auto duplex auto

Note: For information about connecting Ethernet cables to the MGMT port, refer to Cabling for the MGMT Port on page 817.

Appliance Management
You can restrict administrative access to a NIOS appliance by connecting the MGMT port to a subnet containing only management systems. This approach ensures that only appliances on that subnet can access the Infoblox GUI and receive appliance management communications such as syslog events, SNMP traps, and e-mail notifications from the appliance. If you are the only administrator, you can connect your management system directly to the MGMT port. If there are several administrators, you can define a small subnet, such as 10.1.1.0/29, which provides six host IP addresses (10.1.1.1 through 10.1.1.6) plus the network address 10.1.1.0 and the broadcast address 10.1.1.7, and connect to the NIOS appliance through a dedicated switch (which is not connected to the rest of the network). Figure 4.6 shows how an independent appliance separates appliance management traffic from network protocol services. Note that the LAN port is on a different subnet from the MGMT port.

Figure 4.6 Appliance Management from One or More Management Systems

[Figure: NIOS appliance-1 (LAN 1.1.1.5, MGMT 10.1.1.1) serves DNS and DHCP to the public network 1.1.1.0/24 through the LAN port; a single management system connects directly to its MGMT port through an Ethernet cable on the private network 10.1.1.0/30 for appliance management. Infoblox appliance-2 (LAN 1.1.1.6, MGMT 10.1.1.1) serves the same public network; several management systems (10.1.1.2 - 10.1.1.5) connect to its MGMT port through a dedicated switch on the private network 10.1.1.0/29 for appliance management.]

Note: Because the two private networks are used solely for appliance management and are completely isolated from the rest of the network, and therefore from each other, their address space can overlap without causing any routing issues.


Similarly, you can restrict management access to a grid master to only those appliances connected to the MGMT ports of the active and passive nodes of the grid master.

To enable the MGMT port on an independent appliance or grid master for appliance management and then cable the MGMT port directly to your management system or to a network forwarding appliance such as a switch or router:
1. From the Grid perspective, click + (for grid ) -> + (for Member ) -> grid_master -> Edit -> Member Properties.
   or
   From the Device perspective, click hostname -> Edit -> Device Properties.
   Note: You must enable the MGMT port before modifying its port settings. See Using the MGMT Port on page 153.
2. In the Grid Member or Device editor, click MGMT Port, and then enter the following in the Node 1 subsection for a single grid master or independent appliance, and in the Node 1 and Node 2 subsections for an HA grid master or independent HA pair:
   Enable management (MGMT) port: Select the check box.
   Enable VPN services on the MGMT port: Clear the check box.
   Restrict Support and remote console access to MGMT port: Select the check box to restrict SSH (Secure Shell) v2 access to the MGMT port only. This restricts Infoblox Technical Support and remote console connections (both of which use SSH v2) to just the MGMT port. For an HA pair, you can make an SSH v2 connection to the MGMT port on both the active and passive nodes. Clear the check box to allow SSH v2 access to both the MGMT and LAN ports. For an HA pair, you can make an SSH v2 connection to the MGMT and LAN ports on both the active and passive nodes.
   IP Address: Type the IP address for the MGMT port, which must be in a different subnet from that of the LAN and HA ports.
   Subnet Mask: Choose an appropriate subnet mask for the number of management systems that you want to access the appliance through the MGMT port.
   Gateway: Type the default gateway for the MGMT port. If you need to define any static routes for traffic originating from the MGMT port (such as SNMP traps, syslog events, and email notifications) destined for remote subnets beyond the immediate subnet, specify the IP address of this gateway in the route.
   Use automatic MGMT port settings: Select the check box to instruct the NIOS appliance to negotiate the optimum port connection type (full or half duplex) and speed with the connecting switch automatically. If you clear the check box, manually configure the same settings on both the NIOS appliance and the switch. By default, the check box is selected.
3. Click the Save icon to save your settings.
4. Close the current JWS (Java Web Start) application window.
5. Cable the MGMT port to your management system or to a switch or router to which your management system can also connect.
6. If your management system is in a subnet from which it cannot reach the MGMT port, move it to a subnet from which it can. The Infoblox Grid (or Device) Manager GUI is now accessible through the MGMT port on the NIOS appliance from your management system.
7. Start a new JWS session, and then log in to the IP address of the MGMT port.
8. Check the Detailed Status and Grid panels to make sure the status icons are green.


Grid Communications
You can isolate all grid communications to a dedicated subnet as follows:
   For grid communications from the grid master, which can be an HA pair or a single appliance, the master uses either the VIP interface on the HA port of its active node (HA master) or its LAN port (single master). Neither a single nor HA grid master can use its MGMT port for grid communications. (This restriction applies equally to master candidates.)
   Common grid members connect to the grid master through their MGMT port.

This ensures that all database synchronization and grid maintenance operations are inaccessible from other network elements while the common grid members provide network protocol services on their LAN ports.

Figure 4.7 shows how grid members communicate to the master over a dedicated subnet.

Figure 4.7 Grid Communications

[Figure: The private network 10.1.1.0/24 is reserved for grid communications between the grid master and all grid members, and for appliance management between the management system (10.1.1.30) and the grid master. The HA grid master (VIP 10.1.1.5) and the master candidate (VIP 10.1.1.10) connect to the private network using a VIP on their HA ports. The common grid members connect to the private network through their MGMT ports* (single member MGMT 10.1.1.15; HA member passive node MGMT 10.1.1.20 and active node MGMT 10.1.1.21). They connect to the public network 1.1.1.0/24, which they use for DNS and DHCP services to clients, through their LAN and HA ports (single member LAN 1.1.1.6; HA member VIP 1.1.1.7).]

* Only the active node of an HA member connects to the grid master. The passive node communicates just with the active node. If there is an HA failover, the newly promoted active node must first join the grid before continuing grid communications with the grid master on behalf of the HA member.


Enabling Grid Communications over the MGMT Port for Existing Grid Members
To enable the MGMT port for grid communications on an existing single or HA grid member:
1. Log in to the grid master with a superuser account.
2. From the Grid perspective, click + (for grid ) -> + (for Member ) -> member -> Edit -> Member Properties.
3. In the Grid Member editor, click MGMT Port, and then enter the following for Node 1. For an HA member, enter the IP address, subnet mask, and gateway address for both Node 1 and Node 2.
   Enable management (MGMT) Port: Select the check box.
   Enable VPN services on the MGMT Port: Select the check box.
   Restrict Support and remote console access to MGMT port: Select the check box to restrict SSH (Secure Shell) v2 access to the MGMT port only. This restricts Infoblox Technical Support and remote console connections (both of which use SSH v2) to just the MGMT port. For an HA pair, you can make an SSH v2 connection to the MGMT port on both the active and passive nodes. Clear the check box to allow SSH v2 access to both the MGMT and LAN ports. For an HA pair, you can make an SSH v2 connection to the MGMT and LAN ports on both the active and passive nodes.
   IP Address: Type the IP address of the MGMT port on the grid member, which must be in a different subnet from that of the LAN and HA ports.
   Subnet Mask: Choose the subnet mask for the MGMT port IP address.
   Gateway: Type the default gateway for the MGMT port.
   Use automatic MGMT port settings: Select the check box to instruct the NIOS appliance to negotiate the optimum port connection type (full or half duplex) and speed with the connecting switch automatically. If you clear the check box, manually configure the same settings on both the NIOS appliance and the switch. By default, the check box is selected.
4. If the IP addresses of the LAN and HA ports are in the same subnet as the IP address of the MGMT port, click Node Properties in the Grid Member editor, and then change the IP address of the LAN port (for a single member) and LAN and HA ports (for an HA member).
5. Click the Save icon to save your settings. The master communicates the new port settings to the member, which immediately begins using them. The member stops using its LAN port for grid communications and begins using the MGMT port.
6. To confirm that the member still has grid connectivity, check that the status icons for that member are green on the Detailed Status and Grid panels.

Enabling Grid Communications over the MGMT Port for New Grid Members
To enable the MGMT port for grid communications on a single appliance or HA pair and then join it to a grid:

Member MGMT Port Configuration on the Grid Master


1. Log in to the grid master with a superuser account.
2. From the Grid perspective, click grid -> Add Grid Member.
3. In the Grid Member editor, click Node Properties, configure the network settings for a single member or the network and HA settings for an HA member, and then clear the Master Candidate check box. Any member that is a master candidate cannot use the MGMT port for grid communications.
4. In the Grid Member editor, click MGMT Port, and then enter the following for Node 1 (for a single appliance). For an HA pair, enter the IP address, subnet mask, gateway address, and port settings for both Node 1 and Node 2.
   - Enable management (MGMT) Port: Select the check box.
   - Enable VPN services on the MGMT Port: (You must add the member before you can select this check box, which you do in step 7.)

NIOS 4.3r4

Infoblox Administrator Guide (Rev. A)

157

Managing Appliance Operations

   - Restrict Support and remote console access to MGMT port: Select the check box to restrict SSH (Secure Shell) v2 access to the MGMT port only. This restricts Infoblox Technical Support and remote console connections (both of which use SSH v2) to just the MGMT port. For an HA member, you can make an SSH v2 connection to the MGMT port on both the active and passive nodes. Clear the check box to allow SSH v2 access to both the MGMT and LAN ports. For an HA member, you can make an SSH v2 connection to the MGMT and LAN ports on both the active and passive nodes.
   - IP Address: Type the IP address of the MGMT port on the grid member. This is the address that you previously set when configuring the appliance. The MGMT port address cannot be in the same subnet as the addresses of the LAN and HA ports.
   - Subnet Mask: Choose the subnet mask for the MGMT port IP address.
   - Gateway: Type the default gateway for the MGMT port.
   - Use automatic MGMT port settings: Select the check box to instruct the member to negotiate the optimum port connection type (full or half duplex) and speed with the connecting switch automatically. If you clear the check box, manually configure the same settings on both the NIOS appliance and the switch. By default, the check box is selected.
5. Click the Save icon to add the member.
6. In the Grid perspective, select the member you just created, and then click Edit -> Member Properties.
7. In the Grid Member editor, click MGMT Port, select Enable VPN services on the MGMT Port, and then click the Save icon.

MGMT Port Configuration on Appliance or HA Pair


1. Log in as a superuser to the MGMT port of the appliance or active node of the HA pair that you want to join to the grid.
2. From the Grid perspective, click + (for grid) -> + (for Member) -> member -> Edit -> Member Properties.
3. In the Grid Member editor, click MGMT Port, and then change the following for Node 1 (for a single appliance). For an HA pair, enter the IP address, subnet mask, and gateway address for both Node 1 and Node 2.
   - Enable management (MGMT) Port: Select the check box.
   - Enable VPN services on the MGMT Port: (You cannot select this because the appliance or HA pair is not yet a grid member. When the appliance or HA pair joins the grid, it receives its new configuration from the grid master, and in that configuration, this option is set.)
   Note: For the remainder of the MGMT port settings, configure the same settings that you previously set for the single or HA member on the grid master (see step 4 in Member MGMT Port Configuration on the Grid Master on page 157).
4. If the IP addresses of the LAN and HA ports are in the same subnet as the IP address of the MGMT port, click Node Properties in the Grid Member editor, and then change the IP address of the LAN port (for a single member) or of the LAN and HA ports (for an HA member).
5. Click the Save icon to save your settings.
6. From the Grid perspective, click + (for grid) -> + (for Member) -> member -> Edit -> Join Grid.
7. Enter the following in the Join Grid dialog box:
   - Virtual IP of Grid Master: Type the VIP address of the grid master for the grid to which you want to add the single appliance or HA pair.
   - Grid Name: Type the name of the grid.
   - Grid Shared Secret: Type the shared secret of the grid.
   - Re-type Grid Shared Secret: To ensure accuracy, retype the shared secret.
   - Use MGMT port to join grid: Because you have already enabled the MGMT port, this option is available. Select it to connect to the grid through the MGMT port.


For a single appliance, it connects to the grid master from its MGMT port. The grid master allows it to join the grid, and sends it its configuration and (if the appliance is running a different software version from the rest of the grid) the software version for the grid.

When an HA pair joins the grid through their MGMT ports, each node joins separately. The process occurs as follows:
1. You join the active node to the grid first (step 7), and the grid master sends it the remainder of its configuration and (if the node is running a different software version from the rest of the grid) the software version for the grid.
2. The HA pair fails over.
3. You now log in to the other node, which is now active, and join it to the grid (repeat step 7). The master sends it its configuration and (if necessary) the version of software running on the grid.
4. The HA pair fails over again, so that the node that was active when you started the join operation becomes the active node again when you finish it.

After an appliance or HA pair is part of the grid, you continue configuring it through the grid master.

DNS Services
You can configure a single independent appliance or single grid member to provide DNS services through the MGMT port in addition to the LAN port. For example, the appliance can provide DNS services through the MGMT port for internal clients on a private network, and DNS services through the LAN port for external clients on a public network. While providing DNS services on the MGMT port, you can still use that port simultaneously for appliance management. Figure 4.8 shows a management system communicating with a single independent appliance through its MGMT port while the appliance also provides DNS services on that port to a private network. Additionally, the appliance provides DNS services to an external network through its LAN port.

Figure 4.8 DNS Services on the LAN and MGMT Ports, and Appliance Management on the MGMT Port

[Figure: A single independent appliance with two network connections. External DNS clients on the external network reach it through the LAN port; external DNS services go through the LAN port. The management system and the internal DNS clients on the internal network reach it through the MGMT port; appliance management and internal DNS services go through the MGMT port.]

Like a single independent appliance, a single grid member can also support concurrent DNS traffic on its MGMT and LAN ports. However, because you manage all grid members through the grid master, a grid member only uses an enabled MGMT port to send SNMP traps, syslog events, and email notifications, and to receive SSH connections.


In addition, the active node of an HA pair can provide DNS services through its MGMT port. To use this feature, you must enable DNS services on the MGMT ports of both nodes in the HA pair and specify the MGMT port IP addresses of both nodes on the DNS client as well, in case there is a failover and the passive node becomes active. Note that only the active node can respond to queries that it receives. If a DNS client sends a query to the MGMT port of the node that happens to be the passive node, the query can eventually time out and fail.

To enable DNS services on the MGMT port of an appliance:
1. From the Grid perspective, click + (for grid) -> + (for Member) -> grid_master -> Edit -> Member Properties.
   or
   From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid Member or Device editor, click MGMT Port, and then enter the following in the Node 1 subsection for a single grid master or independent appliance, and in the Node 1 and Node 2 subsections for an HA grid master or independent HA pair:
   - Enable management (MGMT) Port: Select the check box.
   - IP Address: Enter the IP address of the MGMT port. The MGMT port IP address must be in a different subnet from that of the LAN and HA ports.
   - Subnet mask: Choose an appropriate subnet mask for the MGMT port.
   - Gateway: Enter the IP address of the gateway for the MGMT port.
3. Click the Save icon to save your settings for the MGMT port.
4. From the DNS perspective, click DNS Members -> + (for grid) -> member -> DNS -> Modify -> General.
5. In the Member DNS Properties editor, click General, and then select Enable DNS service.
6. Select the Enable DNS service on the MGMT port check box.
7. Select one of the following from the Source queries, notifies, and zone transfer requests drop-down list:
   - VIP: The appliance uses the HA port for source queries, notifies, and zone transfer requests.
   - MGMT: The appliance uses the MGMT port for source queries, notifies, and zone transfer requests.
   - Any: The appliance selects the port for source queries, notifies, and zone transfer requests. This is usually the LAN port. If the LAN port is part of the MGMT port, the appliance uses the MGMT port.
8. Click the Save icon to save your settings.
9. Click the Restart Services icon if it flashes.
10. To see that the appliance now also serves DNS on the MGMT port: From the DNS perspective, click DNS Members -> + (for grid) -> member -> View -> Properties, and look in the General section. Check that the value for Enable DNS service on the MGMT Port is true.
    or
    From the DNS perspective, click DNS Members -> + (for grid) -> member -> View -> DNS Configuration, and check that the IP address of the MGMT port appears in the address match list in the listen-on substatement.


Setting Static Routes


When you put the NIOS appliance on a segment of the network where there is a single path to and from it, a single default route is sufficient. For example, in Figure 4.9 on page 161, the appliance is in the DMZ behind a firewall and connects to the rest of the network through the DMZ interface on the firewall. When hosts on the Internet and on the internal network send DNS queries to the appliance, and when the appliance replies to those hosts, the firewall takes care of all the routing. Note: This feature is not supported on Cisco virtual grid members.

Figure 4.9 Single Default Route

[Figure: The NIOS appliance sits in the DMZ and connects through its LAN port to the DMZ interface (1.2.2.1) on the firewall, which separates the Internet and the internal network. The default route points all traffic from the LAN or LAN1 port on the NIOS appliance to the DMZ interface (1.2.2.1) on the firewall. The appliance responds to all queries from the Internet and internal network by sending its responses to the DMZ interface (1.2.2.1) on the firewall. The appliance only needs a single default route to the firewall. The firewall then routes the traffic where it needs to go.]

Default route: Network: 0.0.0.0, Netmask: 0.0.0.0, Gateway: 1.2.2.1

When the NIOS appliance is on a segment of the network where there are multiple gateways through which traffic to and from the appliance can flow, a single default route is insufficient. For an example, see Figure 4.10.


Figure 4.10 Erroneously Routed DNS Replies

[Figure: The NIOS appliance in the DMZ is reachable through two firewalls connected by a switch: firewall-1 (DMZ interface 1.2.2.1) toward the Internet and firewall-2 (DMZ interface 1.2.2.2) toward the internal network 10.1.1.0/24. The default route points all traffic from the NIOS appliance to the DMZ interface (1.2.2.1) on firewall-1. DNS queries from the Internet reach the appliance through firewall-1, and the appliance sends its replies back through firewall-1. DNS queries from the internal network reach the appliance through firewall-2, but because there is only one default route, the appliance erroneously sends DNS replies to the DMZ interface (1.2.2.1) on firewall-1.]

Default route: Network: 0.0.0.0, Netmask: 0.0.0.0, Gateway: 1.2.2.1

To resolve the problem illustrated in Figure 4.10 on page 162, add a second route pointing traffic destined for 10.1.1.0/24 to use the gateway with IP address 1.2.2.2 on firewall-2. This is shown in Figure 4.11.

Figure 4.11 Properly Routed DNS Replies

[Figure: The same topology as Figure 4.10, with the appliance on the DMZ subnet 1.2.2.0/24, firewall-1 at 1.2.2.1 toward the Internet, and firewall-2 at 1.2.2.2 toward the internal network 10.1.1.0/24. The default route on the NIOS appliance points traffic destined for the Internet to the DMZ interface (1.2.2.1) on firewall-1. A second route on the appliance points traffic destined for 10.1.1.0/24 to the DMZ interface (1.2.2.2) on firewall-2.]

Default route: Network: 0.0.0.0, Netmask: 0.0.0.0, Gateway: 1.2.2.1
Route to: Network: 10.1.1.0, Netmask: 255.255.255.0, Gateway: 1.2.2.2


Whenever you want the NIOS appliance to send traffic through a gateway other than the default gateway, you need to define a separate route. Then, when the appliance performs a route lookup, it chooses the route that most completely matches the destination IP address in the packet header. When you enable the MGMT port, the gateway you reference in a static route determines which port the NIOS appliance uses when directing traffic to a specified destination. If a route definition references a gateway that is in the same subnet as the IP and VIP addresses of the LAN (or LAN1) and HA ports, the NIOS appliance uses the LAN (or LAN1) or HA port when directing traffic to that gateway. If a route definition references a gateway that is in the same subnet as the MGMT port, the NIOS appliance uses the MGMT port when directing traffic to that gateway.

Figure 4.12 Static Routes for the LAN and MGMT Ports

[Figure: The NIOS appliance has its LAN port (eth1, 1.2.2.5) on the DMZ subnet 1.2.2.0/24, which connects through a switch to two LAN gateways: firewall-1 (1.2.2.1) toward the Internet, and firewall-2 (addresses 1.2.2.2 and 10.1.1.1) toward the internal network 10.1.1.0/24. Its MGMT port (eth0, 10.1.2.5) is on subnet 10.1.2.0/24, which connects through a switch to the MGMT gateway (addresses 10.1.2.1 and 10.1.3.1) and on to the administrators on subnet 10.1.3.0/24. Two static routes direct traffic from the NIOS appliance: from the LAN port (eth1, 1.2.2.5) through the gateway at 1.2.2.2 to the 10.1.1.0/24 subnet, and from the MGMT port (eth0, 10.1.2.5) through the gateway at 10.1.2.1 to the 10.1.3.0/24 subnet.]

Route tables on the NIOS appliance:

From LAN:
  1.2.2.0/24 dev eth1 scope link
  10.1.1.0/24 via 1.2.2.2 dev eth1
  default via 1.2.2.1 dev eth1

From MGMT:
  10.1.2.0/24 dev eth0 scope link
  10.1.3.0/24 via 10.1.2.1 dev eth0
  default via 10.1.2.1 dev eth0

From all:
  10.1.1.0/24 via 1.2.2.2 dev eth1
  10.1.3.0/24 via 10.1.2.1 dev eth0
  1.2.2.0/24 dev eth1 proto kernel scope link src 1.2.2.5
  10.1.2.0/24 dev eth0 proto kernel scope link src 10.1.2.5
  default via 1.2.2.1 dev eth1

Note: There is a route table for each port as well as a comprehensive route table. For an HA pair, the LAN port route table is duplicated for the HA port. In this illustration, the static routes are shown in green.

The need for routes can apply to any type of traffic that originates from the appliance, such as DNS replies, DHCP messages, SNMP traps, ICMP echo replies, Infoblox GUI management, and grid communications.


To set a static route, do the following:
1. For a grid member: From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties.
   or
   For an independent appliance or HA pair: From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Member or Device editor, click Static Routes, click Add, and then enter the following:
   - Network Address: Type the address of the remote network to which the NIOS appliance routes traffic.
   - Netmask: Choose the netmask that defines the remote network.
   - Gateway Address: Type the IP address of the gateway on the local subnet through which the NIOS appliance directs traffic to reach the remote network. The gateway address must meet the following requirements:
     - It must belong to a working gateway router or gateway switch.
     - It must be in the same subnet as the NIOS appliance.
   Note: Consult your network administrator before specifying the gateway address for a static route on the appliance. Specifying an invalid gateway address can cause problems, such as packets being dropped or sent to an incorrect address.
3. Click the Save icon to save your settings.
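As an added worked example (not part of the Infoblox guide or NIOS code), the following Python models the route selection described above using the "From all" route table of Figure 4.12: longest-prefix match picks the gateway and port, the gateway's subnet decides whether the LAN or the MGMT port carries the traffic, and a default-route-only table reproduces the misrouted reply of Figure 4.10. The function names and the list layout of the route entries are assumptions of this example.

```python
import ipaddress

# Route table constructed from the "From all" table in Figure 4.12 (added example,
# not Infoblox code). Entry: (destination, gateway or None if directly connected, device).
ROUTES = [
    ("10.1.1.0/24", "1.2.2.2", "eth1"),   # static route: internal network via firewall-2
    ("10.1.3.0/24", "10.1.2.1", "eth0"),  # static route: admin subnet via the MGMT gateway
    ("1.2.2.0/24", None, "eth1"),         # LAN port subnet, directly connected (scope link)
    ("10.1.2.0/24", None, "eth0"),        # MGMT port subnet, directly connected (scope link)
    ("0.0.0.0/0", "1.2.2.1", "eth1"),     # default route via firewall-1
]

# The situation of Figure 4.10: only the default route, no static route for 10.1.1.0/24.
DEFAULT_ONLY = [r for r in ROUTES if r[0] != "10.1.1.0/24"]

# Port addresses from Figure 4.12: LAN is eth1, MGMT is eth0.
PORTS = {
    "eth1": ("LAN", ipaddress.ip_interface("1.2.2.5/24")),
    "eth0": ("MGMT", ipaddress.ip_interface("10.1.2.5/24")),
}


def lookup(destination, routes=ROUTES):
    """Longest-prefix match: return (gateway, device) of the most specific route
    containing the destination, or None if no route matches. The appliance
    'chooses the route that most completely matches the destination IP address'."""
    addr = ipaddress.ip_address(destination)
    best = None
    for dest, gateway, device in routes:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, device)
    return None if best is None else (best[1], best[2])


def port_for_gateway(gateway):
    """Name of the port whose subnet contains the gateway, or None. This mirrors the
    rule that the gateway referenced in a static route decides which port is used."""
    gw = ipaddress.ip_address(gateway)
    for name, iface in PORTS.values():
        if gw in iface.network:
            return name
    return None


def validate_static_route(network, netmask, gateway):
    """Apply the gateway requirement from the static-route procedure: the gateway must
    be in the same subnet as one of the appliance's ports. Returns (CIDR, port name)
    or raises ValueError for a gateway the appliance could not reach directly."""
    dest = ipaddress.ip_network(f"{network}/{netmask}")
    port = port_for_gateway(gateway)
    if port is None:
        raise ValueError(f"gateway {gateway} is not in the same subnet as any appliance port")
    return (str(dest), port)


if __name__ == "__main__":
    # Reply to an internal DNS client with only the default route: sent to firewall-1.
    print(lookup("10.1.1.7", DEFAULT_ONLY))   # ('1.2.2.1', 'eth1')
    # With the second route of Figure 4.11 the reply goes to firewall-2 instead.
    print(lookup("10.1.1.7"))                 # ('1.2.2.2', 'eth1')
    # Traffic to the administrators' subnet leaves through the MGMT port.
    print(lookup("10.1.3.9"))                 # ('10.1.2.1', 'eth0')
    print(validate_static_route("10.1.1.0", "255.255.255.0", "1.2.2.2"))  # ('10.1.1.0/24', 'LAN')
```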

Enabling DNS Resolution


You can specify up to two name servers that the NIOS appliance uses to resolve DNS names, plus a search list for performing partial name resolution. If a NIOS appliance provides DHCP services only, specify a DNS name server or servers that the appliance can use for DNS lookups. You specify the IP address of a preferred name server and that of an alternate name server, plus a search list for performing partial name resolution.

To enable DNS resolution for a grid or for an independent appliance or HA pair:
1. From the Grid perspective, click grid -> Edit -> Grid Properties.
   or
   From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid editor, click DNS Resolver, and then enter the following:
   - Use DNS name resolver: Select the check box to enable the NIOS appliance to send DNS queries to the preferred or alternate name servers whose IP addresses you specify in the following fields.
   - Preferred Name Server: Type the IP address of the server to which the appliance sends queries first.
   - Alternate Name Server: Type the IP address of the name server to which you want the NIOS appliance to send queries if it does not receive a response from the preferred name server.
   - Search Domain Group: Define a group of domain names that the NIOS appliance can add to partial queries that do not specify a domain name. For example, if you define a RADIUS authentication home server as "as1", and you list "corp100.com" and "hq.corp100.com" in the domain group list, then the NIOS appliance sends a query for "as1.corp100.com" and another query for "as1.hq.corp100.com" to the preferred or alternate name server. To add a domain name to the group, type a domain name in the Domain field, and then click Add. To remove a domain name from the group, select it, and then click Delete.
3. Click the Save icon.

Note: You can override the grid-level settings at the member level.


Managing Licenses
Licenses come pre-installed on a NIOS appliance according to the software packages you ordered at the time of purchase. If you wish to upgrade an existing appliance with the Grid license, you must contact Infoblox Technical Support and follow the procedures in Obtaining and Adding a License on page 166. There are three types of licenses:
- Maintenance licenses: Examples: NIOS and Grid maintenance licenses. The duration of a maintenance license is one, two, or three years. You can obtain these licenses from your Infoblox sales representative.
- Service licenses: Examples: DNS, DHCP, Grid. These are permanent licenses. You can obtain these licenses from your Infoblox sales representative.
- Temporary licenses: You can enable one of several sets of temporary service licenses through the CLI command set temp_license. These licenses last for 60 days.

Two weeks before a maintenance license or a temporary license expires, an expiration warning appears during the GUI login process. The warning reappears during each login until you renew the license. To renew a license, contact your Infoblox sales representative. If you decide not to renew an expired license and want to stop the warning from reappearing, do the following:
1. Back up the configuration and database as described in Backing Up and Restoring a Configuration File on page 251.
2. Log in to the Infoblox CLI, enter the show license command, and save all the license key strings.
3. Remove all the licenses (and the entire configuration and database) by entering the reset all licenses command. For details, see Removing Licenses on page 166.
4. Add the unexpired licenses back to the appliance using either the Infoblox GUI or CLI.
5. Restore the backup file as described in Backing Up and Restoring a Configuration File on page 251.

Viewing the Installed Licenses on a NIOS Appliance


If the appliance you are identifying is part of a grid, you must log in to the master GUI for the grid to view the licenses installed. If the appliance is deployed as a single independent appliance, log in to the GUI for that appliance. To view the licenses installed on a NIOS appliance, follow these steps:
1. Log in to the Infoblox GUI using a superuser account.
2. From the Grid or Device perspective, click hostname -> View -> Properties.
3. Click the + icon beside the License section to expand it and view the licenses installed on the appliance.

Obtaining a 60-Day Temporary License


You can use the CLI command set temp_license to generate and install temporary 60-day licenses. This can provide licensed features and functionality for the interim, while you wait for your permanent license to arrive. To generate a temporary license:
1. Log in to the NIOS appliance through a remote console window. For more information on how to open a remote console window, see the User Guide for your appliance.
2. After the Infoblox command prompt, enter the following command:
   set temp_license

   The following options appear:
   1. DNSone (DNS, DHCP)
   2. DNSone with Grid (DNS, DHCP, Grid)
   3. Network Services for Alcatel-Lucent VitalQIP (QIP, Grid)
   4. Network Services for Voice (DHCP, Grid)
   5. Network Services for Authentication (RADIUS, Grid)


   6. Network Services Suite (DNS, DHCP, RADIUS, Grid)
   7. Add DNS Server license
   8. Add DHCP Server license
   9. Add RADIUS Server license
   10. Add Grid license
3. Enter the number for the license you want to install.
4. Confirm the selection when prompted, and the following message appears:
   Temporary license is installed.

Obtaining and Adding a License


A valid Grid license is required for grid NIOS appliance deployments. You can upgrade existing independent appliances to use a Grid license and then add them to a grid. To upgrade your license, contact your Infoblox sales representative. To add a license:
1. Log in to the Infoblox GUI using a superuser account.
2. From the Grid or Device perspective, click hostname -> Edit -> Add License.
3. In the Add License dialog box, copy the hardware ID and serial number of your appliance and paste this information into an e-mail to Infoblox Support.
4. When you receive the license key, use the shortcut keys Ctrl-C (for copy) and Ctrl-V (for paste) to copy the license key from the response e-mail, and then paste it in the Enter license string field.
5. Click OK to close the Add License dialog box.
6. Close the browser window and log in to the Infoblox GUI.
7. If you are activating licenses for an HA pair, you must repeat this procedure for the second node.

Removing Licenses
You can remove licenses and reset a NIOS appliance to its factory default settings. For example, if you have a NIOS appliance running the DNSone package with the Grid upgrade, but you want to use it as an independent appliance and manage it through the Device Manager GUI, you can do the following:
1. Log in to the NIOS appliance CLI (locally through the Console port or remotely through an SSHv2 connection) and use the show license command to view all the licenses installed on the appliance. The output of the show license command looks similar to the following:
   Infoblox > show license
   Version: 4.0r1
   Hardware ID: ecafc0c469e8c75eb59cb7e4b5912a6
   License Type: Grid
   Expiration Date: 11/04/2006
   License String: GQAAAAOS5WYrGV/JEzH6wrHYQ8L1b25y3Y+VPPY=
   License Type: DNS
   Expiration Date: Permanent
   License String: EQAAAAKS4n90WFGNUSirwvyUT9/z


   License Type: DHCP
   Expiration Date: Permanent
   License String: EgAAAAKU8nMlRBzcTWX63rHYFoymOQ==
   License Type: Grid Maintenance
   Expiration Date: 11/04/2006
   License String: GwAAAA2Z6HAtBkPFPyfzg/yVRsLzI2x0kYyKaPb22g==
   License Type: NIOS Maintenance
   Expiration Date: 11/04/2006
   License String: GwAAAAiV/nAGGljQEDv0h/yVRsLzI2x0kYyKb/P20Q==

2. Copy the output of the show license command, and save it to a text file on your management system.
3. Reset the NIOS appliance and remove all the licenses by entering the reset all licenses command.
4. This command returns all settings to their default values and removes all licenses.
   Infoblox > reset all licenses
   The entire system will be erased to default settings and all licenses will be removed.
   WARNING: THIS WILL ERASE ALL DATA AND LOG FILES THAT HAVE BEEN CREATED ON THIS SYSTEM.
   ARE YOU SURE YOU WANT TO PROCEED? (y or n): y

   The application restarts with the default settings and no licenses.
5. Log in to the CLI through the Console port, and check that all the licenses are gone by entering the show license command.
   Infoblox > show license
   Version: 4.0r1
   Hardware ID: ecafc0c469e8c75eb59cb7e4b5912a6
   Infoblox >

6. Add back only the DNS, DHCP, and NIOS Maintenance licenses by entering the set license command and then copying and pasting the text string for each license:
   Infoblox > set license
   Enter license string: EQAAAAKS4n90WFGNUSirwvyUT9/z
   Install license? (y or n): y
   License is installed.
   Infoblox > set license
   Enter license string: EgAAAAKU8nMlRBzcTWX63rHYFoymOQ==
   Install license? (y or n): y
   License is installed.
   Infoblox > set license
   Enter license string: GwAAAAiV/nAGGljQEDv0h/yVRsLzI2x0kYyKb/P20Q==
   Install license? (y or n): y
   License is installed.

7. To check that the licenses are now installed, enter the show license command. When you next log in to the GUI, the Infoblox Device Manager appears instead of the Infoblox Grid Manager.
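The two license procedures above (stopping the expiration warning, and removing then re-adding a subset of licenses) both start from saved show license output. As an added example that is not part of the Infoblox guide, the following Python parses that output format, flags licenses that are expired or inside the two-week warning window, and lists the strings to feed back to set license. The hardware ID and license strings in the sample are placeholders, and the function names are this example's own.

```python
from datetime import datetime, timedelta

# Sample "show license" output, constructed to match the format shown in this guide.
# The hardware ID and license strings are placeholders, not real keys.
SAMPLE_SHOW_LICENSE = """\
Infoblox > show license
Version: 4.0r1
Hardware ID: PLACEHOLDER-HARDWARE-ID
License Type: Grid
Expiration Date: 11/04/2006
License String: PLACEHOLDER-GRID-KEY
License Type: DNS
Expiration Date: Permanent
License String: PLACEHOLDER-DNS-KEY
License Type: DHCP
Expiration Date: Permanent
License String: PLACEHOLDER-DHCP-KEY
License Type: Grid Maintenance
Expiration Date: 11/04/2006
License String: PLACEHOLDER-GRID-MAINT-KEY
License Type: NIOS Maintenance
Expiration Date: 12/31/2006
License String: PLACEHOLDER-NIOS-MAINT-KEY
"""

WARNING_WINDOW = timedelta(days=14)   # the GUI warns two weeks before expiry


def as_date(text):
    """Convert the CLI's MM/DD/YYYY expiration date to a date object."""
    return datetime.strptime(text, "%m/%d/%Y").date()


def parse_show_license(text):
    """Parse show license output into dicts with keys type, expires
    (a date, or None for a permanent license) and string. Lines that are not
    one of the three license fields (prompt, Version, Hardware ID) are skipped."""
    licenses, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "License Type":
            current = {"type": value, "expires": None, "string": None}
            licenses.append(current)
        elif key == "Expiration Date" and current is not None:
            if value != "Permanent":
                current["expires"] = as_date(value)
        elif key == "License String" and current is not None:
            current["string"] = value
    return licenses


def classify(licenses, today):
    """Split licenses into (expired, expiring within the warning window, valid)."""
    expired, expiring, valid = [], [], []
    for lic in licenses:
        exp = lic["expires"]
        if exp is None or exp - today > WARNING_WINDOW:
            valid.append(lic)        # permanent, or more than two weeks left
        elif exp < today:
            expired.append(lic)      # would keep triggering the login warning
        else:
            expiring.append(lic)     # the login warning is already showing
    return expired, expiring, valid


def strings_to_reinstall(licenses, today, keep_types=None):
    """License strings to paste into set license after reset all licenses:
    only unexpired ones, optionally limited to the given license types."""
    return [lic["string"] for lic in licenses
            if (lic["expires"] is None or lic["expires"] >= today)
            and (keep_types is None or lic["type"] in keep_types)]


if __name__ == "__main__":
    lics = parse_show_license(SAMPLE_SHOW_LICENSE)
    expired, expiring, valid = classify(lics, as_date("11/10/2006"))
    print([l["type"] for l in expired])    # ['Grid', 'Grid Maintenance']
    # Mirror step 6 above: keep only DNS, DHCP and NIOS Maintenance.
    print(strings_to_reinstall(lics, as_date("11/10/2006"),
                               {"DNS", "DHCP", "NIOS Maintenance"}))
```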


Using the Recycle Bin


The recycle bin protects against unintended deletions of data. It provides a way to restore data where the deletion of the object (such as a zone) would result in a major data loss. At the grid level, you can use the recycle bin to restore or permanently remove deleted DNS and DHCP objects. In the DNS perspective, you can restore or permanently remove DNS configuration objects. In the DHCP and IPAM perspective, you can restore or permanently remove DHCP configuration objects.

When you use the recycle bin, you can restore the deleted objects to the active configuration on the appliance at a later time. You can also remove the objects permanently from the recycle bin. If you do not use the recycle bin, the appliance immediately removes objects from the database when you delete the objects. You must have superuser permissions to fully manage the recycle bin. If you have non-superuser permissions, you can view, restore, and permanently remove only the objects that you delete.

The appliance stores the following deleted objects in the recycle bin:
- DNS views
- DNS zones
- Network views
- Networks
- Shared networks
- DHCP ranges
- MAC and option 82 filters
- Host records
- Bulk host records
- Bulk host templates

The appliance also stores the following deleted DNS resource records:
- NS records for both forward-mapping and IPv4 reverse-mapping zones
- A records
- AAAA records
- CNAME records for both forward-mapping and IPv4 reverse-mapping zones
- DNAME records for both forward-mapping and IPv4 reverse-mapping zones
- MX records
- SRV records
- TXT records
- PTR records for both IPv4 and IPv6 zones

When you delete a DNS zone that contains resource records, you cannot restore the resource records individually. You must restore the zone. When you restore the zone, all the resource records in the zone are restored accordingly. The appliance does not restore resource records that are shared or automatically generated. This section discusses the following topics:

- Disabling the Recycle Bin on page 169
- Enabling the Recycle Bin on page 169
- Viewing the Recycle Bin on page 169
- Restoring Objects in the Recycle Bin on page 170
- Emptying the Recycle Bin on page 170


Disabling the Recycle Bin


The appliance enables the recycle bin by default. You can disable the recycle bin globally in the Grid perspective. If you disable the recycle bin, you cannot restore or remove objects in the recycle bin. You must have superuser permissions to disable the recycle bin. To disable the recycle bin:
1. From the Grid perspective, click id_grid -> Edit -> Grid Properties.
2. In the Grid editor, click Grid Properties, and then enter the following:
   - Enable Recycle Bin: Deselect the check box to disable the recycle bin. When you disable the recycle bin, the appliance permanently removes an object from the database when you delete the object. You cannot restore the deleted object.
3. Click the Save icon.

Enabling the Recycle Bin


You can enable the recycle bin globally in the Grid perspective. You must enable the recycle bin before restoring and emptying the recycle bin from the corresponding perspective. The appliance enables the recycle bin by default. You must have superuser permissions to enable the recycle bin. To enable the recycle bin:
1. From the Grid perspective, click id_grid -> Edit -> Grid Properties.
2. In the Grid editor, click Grid Properties, and then enter the following:
   - Enable Recycle Bin: Select the check box to enable the recycle bin. When you delete objects in the GUI, the recycle bin stores the deleted objects. Enabling the recycle bin allows you to undo the deletions and to restore the deleted objects on the appliance at a later time.
3. Click the Save icon.

Viewing the Recycle Bin


The appliance displays all deleted objects in the recycle bin. You can view all deleted objects in the Recycle Bin panel. When you view the recycle bin from the Grid perspective, the appliance displays all deleted DNS and DHCP objects for the grid. When you view the recycle bin from either the DNS or the DHCP and IPAM perspective, the appliance displays all deleted objects for the corresponding perspective. By default, records are sorted by Name. To display the Recycle Bin panel and to view the deleted configuration objects in the recycle bin:
1. From the Grid perspective, click id_grid -> View -> Recycle Bin.
   or
   From the DNS perspective, click View -> Recycle Bin.
   or
   From the DHCP and IPAM perspective, click View -> Recycle Bin.
   The Recycle Bin panel appears.
2. Scroll through the Recycle Bin panel pages using the page arrows located on the lower-left corner of the Recycle Bin panel. The panel page length is set by the administrator. For information, see Authenticating Administrators on page 107. The panel displays the following information for each object:
   - Name: The name of the deleted object.
   - Object Type: The type of the deleted object.
   - Parent/Container: The place from which the object was deleted.
   - Admin: The role that deleted the object.
   - Time: The date/time when the object was deleted.


Restoring Objects in the Recycle Bin


You can restore deleted objects from the recycle bin only if the recycle bin is enabled, and only if you select an object in the panel. You can restore only one object at a time. Deleted objects are stored in the recycle bin until you empty the bin.

To restore items from the Recycle Bin panel:

1. From the Grid perspective, click grid -> View -> Recycle Bin.
   or
   From the DNS perspective, click View -> Recycle Bin.
   or
   From the DHCP and IPAM perspective, click View -> Recycle Bin.
   The Recycle Bin panel appears.
2. Select the object that you want to restore.
3. Click Edit -> Restore Selected Object, or right-click the object and then select Restore Selected Object. A warning message appears prompting you to confirm that you wish to continue with the restore.
4. Click Yes.

Confirm that the object is restored to the active configuration. You can do this by confirming that the object no longer appears in the Recycle Bin panel, and that it is reestablished in the appropriate perspective.

Emptying the Recycle Bin


You can permanently delete the contents of the recycle bin only if the recycle bin is enabled. You must have superuser permissions to empty the recycle bin.

To empty the recycle bin:

1. From the Grid perspective, click grid -> View -> Recycle Bin.
   or
   From the DNS perspective, click View -> Recycle Bin.
   or
   From the DHCP and IPAM perspective, click View -> Recycle Bin.
   The Recycle Bin panel appears.
2. Click Edit -> Empty Recycle Bin. A warning message appears prompting you to confirm that you wish to empty the recycle bin.
3. Click Yes.

Confirm that all objects are removed from the Recycle Bin panel.


Shutting Down, Rebooting, and Resetting a NIOS Appliance


To reboot and shut down a NIOS appliance, you can use the Infoblox Manager GUI or the Infoblox CLI. To reset a NIOS appliance, you must use the Infoblox CLI.

Rebooting a NIOS Appliance


You can reboot a single NIOS appliance, a single node in an HA pair, or both nodes in an HA pair.

To reboot a single NIOS appliance or one or both nodes in an HA pair using the GUI:

1. From the Grid or Device perspective, click hostname -> Edit -> Reboot.
2. For an HA pair, choose whether to reboot one node (and which one) or both nodes, and then click OK.

To reboot a single NIOS appliance using the CLI:

1. Log in to the Infoblox CLI using a superuser account for the NIOS appliance that you intend to reboot.
2. Enter the following CLI command: reboot

Shutting Down a NIOS Appliance


Under normal circumstances, you do not need to turn off or shut down a NIOS appliance. It is designed to operate continuously. However, if you want to turn off a NIOS appliance and it is inconvenient to turn off the power switch, you can shut down the NIOS appliance using the GUI. Before shutting down a remote appliance, make sure you can restart it. You cannot restart the system using the GUI.

Note: If there is a disruption in power while the NIOS appliance is operating, the NIOS appliance automatically reboots itself when power is restored.

To shut down a NIOS appliance using the GUI:

1. Log in to the Infoblox Manager GUI using a superuser account.
2. From the Grid or Device perspective, click hostname -> Edit -> Shutdown.
3. For an HA pair, choose whether to shut down one node (and which one) or both nodes, and then click OK.
   The NIOS appliance shuts down. The fans might continue to operate until the appliance cools down.

To shut down a NIOS appliance using the CLI:

1. Log in to the Infoblox CLI using a superuser account.
2. Enter the following CLI command: shutdown

Resetting a NIOS Appliance


There are three ways to reset a NIOS appliance:

Resetting the Database on page 172
Resetting a NIOS Appliance to Factory Settings on page 172
Resetting the NIOS Appliance to Factory Settings and Removing Licenses on page 172

You can perform these functions only through the CLI.


Resetting the Database


You can reset the database if you lose the administrator account and password, or if you want to clear the database but preserve the log files to diagnose a problem. This function removes the configuration files and the DNS and DHCP data from the appliance database. During this procedure, you are given the option to preserve the network settings of the appliance, which are the IP address and subnet mask, the IP address of the gateway, the host name, and the remote access setting.

To reset the database:

1. Log in to the Infoblox CLI using a superuser account.
2. Enter the following CLI command: reset database
   The appliance then displays a message similar to the following:

   The following network settings can be restored after reset:
   IP Address: 10.1.1.10
   Subnet Mask: 255.255.255.0
   Gateway: 10.1.1.1
   Host Name: ns1.corp100.com
   Remote Console Access: true
   The entire database will be erased.
   Do you wish to preserve basic network settings? (y or n)

3. Press the Y key to preserve the network settings, or the N key to return the network settings to their default values (192.168.1.2, 255.255.255.0, 192.168.1.1).

Resetting a NIOS Appliance to Factory Settings


You can reset a NIOS appliance to its original factory settings. This removes the database, network settings, logs, and configuration files. The appliance then reboots with its factory settings, which are the default user name and password, and the default network settings. When you perform this procedure, the appliance does not give you the option to preserve your network settings.

Note: If you have previously imported HTTPS certificates, the appliance regenerates the certificates and replaces them.

To reset the NIOS appliance to its factory settings:

1. Log in to the Infoblox CLI using a superuser account.
2. Enter the following CLI command: reset all

Resetting the NIOS Appliance to Factory Settings and Removing Licenses


You can also reset a NIOS appliance to its original factory settings and remove all the licenses installed on the appliance. This removes the database, network settings, logs, configuration files, and licenses. The appliance then reboots with its factory settings, which are the default user name and password, and the default network settings.

Note: If you have previously imported HTTPS certificates, the NIOS appliance regenerates the certificates and replaces them.

To reset the NIOS appliance to its factory settings and remove all its licenses:

1. Log in to the Infoblox CLI using a superuser account.
2. Enter the following CLI command: reset all licenses


Managing the Disk Subsystem on the Infoblox-2000


Among its many features, the Infoblox-2000 uses redundant disk drives in a RAID 10 array. This configuration provides the optimum mix of performance and completely redundant data storage, with recovery features in the event of disk failures. The disk array is completely self-managed. There are no maintenance or special procedures required to service the disk subsystem.

Caution: Never remove more than one disk at a time from the array. Removing two or more disks at once can cause a failure and a possibly unrecoverable condition.

About RAID 10
RAID 10 (sometimes called RAID 1+0) is a stripe of mirrors. This means that the array combines, or stripes, multiple disk drives, creating a single logical volume (RAID 0). Striping disk drives improves database write performance over a single disk drive for large databases. The disks are also mirrored (RAID 1), so that each disk in the logical volume is fully redundant. See Figure 4.13.

Figure 4.13 RAID 10 Array Configuration


[Figure 4.13 shows a RAID 0 stripe across two RAID 1 mirrors: Disk 1 Primary mirrored with Disk 1 Backup, and Disk 2 Primary mirrored with Disk 2 Backup.]

When evaluating a fault on the Infoblox-2000, it is best to think of the disk subsystem as a single, integrated unit with four components, rather than four independent disk drives.


Evaluating the Status of the Disk Subsystem


You can monitor the disk subsystem through the Infoblox GUI, the scrolling front panel LCD display, and four front panel LEDs next to the disk drives. In addition, you can monitor the disk status by using the CLI command show hardware_status.

The Detailed Status panel provides a detailed status report on the appliance and service operations. To see a detailed status report, from the Grid perspective, select grid, and then click View -> Detailed Status. After displaying the Detailed Status panel, you can view the status of individual grid members and services by selecting them in the Grid panel. For more information on the Detailed Status panel, see Viewing Detailed Status on page 180.

The RAID icon indicates the status of the RAID array on the Infoblox-2000:

Green: The RAID array is functioning properly.
Yellow: A new disk was inserted and the RAID array is rebuilding.
Red: The RAID array is degraded. At least one disk is not functioning properly. The GUI lists the disks that are online. Replace only the disks that are offline.

Appliance Front Panel


The disk drives are located on the right side of the appliance front panel. To the right of each drive there is an LED that displays the status of each drive.

Table 4.5 Disk Drive LEDs


Green: Disk operating normally. Action: None.
Yellow: Disk read/write activity. Action: Disk is functioning normally, or is synchronizing if recently inserted.
Dark: Disk has failed or is not inserted. Action: Verify the failure in the GUI or CLI. Remove the disk and replace it with a functional disk drive. Note that the drive rebuilds with its twin.

In addition, the front panel LCD scrolls and displays the disk array status every 20 seconds.

Replacing a Failed Disk Drive


The Infoblox-2000 was designed to provide continuous operation in the event of a failed disk. Hot-swapping a disk drive is a simple process that does not require issuing commands or a GUI operation.

To replace a disk drive, follow this procedure:

1. Identify and verify the failed drive via the Grid Manager, front panel LCD, or CLI.
2. If the activity light is green or blinking yellow, make sure you have identified the correct drive. There are conditions where a drive could be in the process of failing and still be green or yellow.
   Note: Do not remove a correctly functioning drive.
3. Push in the latch for the drive and pull the release lever out towards you.
4. When the drive disengages, slide it out of the slot.

Replacement drives are shipped as a complete unit, ready to insert into the appliance. There is no preparation required.

To install a replacement drive, follow this procedure:

1. Insert the replacement drive into the drive bay slot.
2. Gently slide the drive into place. When you feel the release lever engage, continue applying gentle pressure to the drive while pushing the release lever towards the appliance.
3. The release lever locks into place and the LED next to the disk drive lights up. Note that if the alarm buzzer is sounding, it automatically turns off about 20 seconds after the drive is inserted.
4. The disk drive automatically goes into rebuild mode.

Disk Array Guidelines


Infoblox has designed the disk array to be completely self-managing. There are no maintenance procedures required for a normally functioning disk array. Mishandling the disk array can cause an unrecoverable error that could result in a failed appliance. Following are some guidelines for managing the disk array:

Only remove one disk at a time. Never remove two or more disks from the appliance at once. This rule includes a powered-down appliance. There is no way to know the arrangement of the primary and backup disk drives in the RAID 10 array.

You can hot swap a drive while the appliance remains in production. There is never a condition that requires you to power down the appliance or unmount a disk drive to replace a failed unit.

If you inadvertently remove the wrong disk drive, do not immediately remove the disk drive you originally intended to remove. Verify the status of the array before removing another drive. Removing a second drive could render the appliance inoperable.

If a drive has failed, an audio alarm buzzer sounds. The alarm automatically stops about 20 seconds after a functional disk has been inserted into the array.

Only remove failed or failing disk drives. Never remove an optimally functioning drive.

In the unlikely event that two disk drives fail simultaneously and the appliance is still operational, remove and replace the failed disk drives one at a time.

Rebuild time can vary. The rebuild process takes approximately two hours on an idle appliance. On very busy appliances (over 90% utilization), the disk rebuild process can take as long as 40 hours. On a grid master serving a very large grid, the rebuild process could take at least 24 hours.

If your acceptance procedures require a test of the RAID hot-swap features, any drive can be removed, but only one disk drive at a time should be removed. Removing two disks has a 50% probability of an appliance failure. Removing more than two disks results in an appliance failure and requires an RMA of the appliance.


Restarting Services
Whenever you make a change (such as adding a zone, a network, or a range), you click the Restart icon to restart services. You can restart the DNS, DHCP, RADIUS, and VitalQIP services after you make configuration changes. You can also specify a future restart time. You can restart services at the grid level or the member level, as described in:

Restarting Grid Services on page 176
Restarting Member Services on page 177

You can cancel a schedule that you create to restart services. A superuser can cancel any scheduled restart. The following rules apply to superusers and limited-access users:

Only a superuser or administrators with read and write permission to all of the grid members can schedule a grid restart.
When a superuser schedules a grid restart, a limited-access user cannot schedule a member-level restart.
Limited-access users cannot cancel a superuser's scheduled changes.
Limited-access users cannot create or modify a schedule for a grid member if a schedule for the member (created by another user) already exists.

The system writes every scheduled change action to the audit log as follows:

USER logon_id action service restart schedule 'schedule' on grid (or member) grid name or member node id

For example:

USER jdoe insert service restart schedule '02/20/2007 01:30:00' on grid Infoblox
USER jdoe deleted service restart schedule '02/22/2007 01:30:00' on node id 3

For more information on the audit log, see Using the Audit Log on page 190.
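Because every scheduled restart is written to the audit log in the fixed form shown above, the entries can be parsed centrally to review who is scheduling grid-wide restarts. The following Python script is an added example, not part of the Infoblox guide or of NIOS; the two example lines from the guide are reused, and the remaining sample lines, the function names, and the idea of an "allowed users" set are constructed for this illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set

# Constructed sample audit-log text. The first two lines are the examples the
# guide gives; the rest are made up here to exercise the parser.
SAMPLE_AUDIT_LOG = """\
USER jdoe insert service restart schedule '02/20/2007 01:30:00' on grid Infoblox
USER jdoe deleted service restart schedule '02/22/2007 01:30:00' on node id 3
USER admin insert service restart schedule '02/21/2007 03:00:00' on node id 7
USER jdoe insert zone example.com
"""

# Matches the documented forms:
#   USER logon_id action service restart schedule 'schedule' on grid NAME
#   USER logon_id action service restart schedule 'schedule' on node id N
_SCHEDULE_RE = re.compile(
    r"^USER (?P<user>\S+) (?P<action>\S+) service restart schedule "
    r"'(?P<when>[^']+)' on (?:grid (?P<grid>\S+)|node id (?P<node>\d+))$"
)


@dataclass
class RestartScheduleEvent:
    user: str
    action: str            # as the appliance writes it, e.g. "insert" or "deleted"
    scheduled_at: datetime
    target: str            # "grid" or "member"
    name: str              # grid name, or the member's node id


def parse_schedule_event(line: str) -> Optional[RestartScheduleEvent]:
    """Return the event on this audit-log line, or None if the line is not a
    service-restart schedule entry."""
    m = _SCHEDULE_RE.match(line.strip())
    if m is None:
        return None
    when = datetime.strptime(m.group("when"), "%m/%d/%Y %H:%M:%S")
    if m.group("grid") is not None:
        return RestartScheduleEvent(m.group("user"), m.group("action"), when, "grid", m.group("grid"))
    return RestartScheduleEvent(m.group("user"), m.group("action"), when, "member", m.group("node"))


def schedule_events(log_text: str) -> List[RestartScheduleEvent]:
    """All service-restart schedule entries in an audit log, in file order."""
    return [ev for ev in map(parse_schedule_event, log_text.splitlines()) if ev is not None]


def unexpected_grid_schedules(log_text: str, allowed_users: Set[str]) -> List[RestartScheduleEvent]:
    """Grid-level restart schedules created by accounts outside allowed_users.
    Only a superuser or an admin with read/write on every member can schedule
    a grid restart, so an entry from any other account is worth reviewing."""
    return [ev for ev in schedule_events(log_text)
            if ev.target == "grid" and ev.action == "insert" and ev.user not in allowed_users]


if __name__ == "__main__":
    for ev in schedule_events(SAMPLE_AUDIT_LOG):
        print(f"{ev.user:6} {ev.action:8} {ev.target}={ev.name} at {ev.scheduled_at:%Y-%m-%d %H:%M:%S}")
    print("review:", [ev.user for ev in unexpected_grid_schedules(SAMPLE_AUDIT_LOG, {"admin"})])
```

Run it against a downloaded audit log, or against the copy forwarded to an external syslog server when "Copy audit log messages to syslog" is enabled, to list every schedule change and the accounts that made them.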

Restarting Grid Services


Only a superuser or administrators with read and write permission to all grid members can schedule a grid restart. You can restart services at the grid level either simultaneously or sequentially, and also specify the time at which services restart. After you enter a specific date and time, the system schedules services to restart at the specified time on each grid member, one by one.

To restart services at the grid level:

1. Click the Restart Services icon. The Restart Grid Services dialog box appears.
2. Enter the following in the Restart services on all members section:
   Simultaneously: Restarts the services on all of the members in a grid at the same time.
   Sequentially: This is the default option. Restarts the services on each grid member according to the number of seconds you enter in the Sequential Delay field. For example, if you enter a sequential delay of 10 seconds, the system restarts services on the first member, and 10 seconds later on the second member.
3. Select one of the following options in the Restart services time section:
   Immediately: Restarts services at once.
   Scheduled: Enter the following information to schedule all grid members to restart at a certain date and time:
   Date: Enter the date on which the services should restart in MM/DD/YYYY (month/day/year) format.
   Time: Enter the time in hh:mm:ss (hours:minutes:seconds) format. Hours must be a numeric value between 0 and 23. For example, if you make the change at 10:00 a.m. on Wednesday and want the change to occur at 10:30 p.m., enter 22:30:00.


   Time Zone: Select a time zone from the drop-down menu. The drop-down menu displays the grid default time zone (see Changing Time Zone Settings on page 123). However, you can select a different time zone. For example, if the grid default time zone is Eastern time and you are in California, you can schedule a restart in the Pacific time zone. Enter the date and time, select the Pacific time zone, and click the Save icon. When you invoke the GUI the next time, the system calculates the time difference between the two time zones and displays the scheduled time in the grid default time zone (Eastern time).

   Note: The NIOS appliance converts the time zone to the grid default time zone only after you save and reinvoke the GUI.

   Click the Show Details button to view the following restart services details: the IP addresses of the grid members that are restarting, the services that are restarting (such as DNS, DHCP, and RADIUS), the restart date and time, and the time zone.
4. Click OK. The Restart Services icon changes from the Infoblox logo to a clock to indicate that a restart has been scheduled.

Restarting Member Services


The member restart time always supersedes the grid restart time. If the member restart time is later than the grid restart time, the member restarts services at its scheduled time. If the member restart time is ahead of the grid restart time, the member restarts services at its scheduled restart time, and again at the grid restart time.

To restart member services:

1. Click the Restart Services icon. The Restart Member Services dialog box appears.
2. You can specify whether the member should restart services only when necessary, or you can force it to restart services. Select one of the following under the Restart services section:
   Restart services (if needed): This option restarts all active DNS, DHCP, RADIUS, and VitalQIP proxy services if there are any changes requiring a service restart. To see which services are enabled and must be restarted, click Show Details.
   Force restart services: This option forces all active services to restart regardless of their state.
3. Select one of the following options in the Restart services time section:
   Immediately: Restarts services instantly.
   Scheduled: Enter the date and time, and select the time zone, as follows:
   Date: Specify the date on which the services should restart in MM/DD/YYYY (month/day/year) format.
   Time: Specify the time in hh:mm:ss (hours:minutes:seconds) format. Hours must be a numeric value between 0 and 23. For example, if you make the change at 10:00 a.m. on Wednesday and want the change to occur at 10:30 p.m., enter 22:30:00.
   Time Zone: Select a time zone from the drop-down menu. The drop-down menu displays the member default time zone (see Changing Time Zone Settings on page 123), but you can select a different time zone when you create the schedule. For example, if the member default time zone is Eastern time and you are in California, you can schedule a restart in the Pacific time zone. Enter the date and time, select the Pacific time zone, and click the Save icon. When you invoke the GUI the next time, the system calculates the time difference between the two time zones and displays the scheduled time in the member default time zone (Eastern time).

   Note: The NIOS appliance converts the time zone to the grid default time zone only after you save and reinvoke the GUI.


   Click the Show Details button to view the following restart services details: the IP addresses of the members that are restarting, the services that are restarting (such as DNS, DHCP, and RADIUS), the restart date and time, and the time zone. The Restart Services icon changes from the Infoblox logo to a clock to indicate that a restart has been scheduled.
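The time-zone conversion in the grid and member procedures above, and the rule that a member restart scheduled ahead of the grid restart fires twice, can both be checked before saving a schedule. The following Python script is an added example, not part of the Infoblox guide or of NIOS; it reuses the guide's Eastern/Pacific scenario, and the zone names, function names, the standard-time fallback offsets, and the handling of an exactly equal member and grid time are assumptions made here.

```python
from datetime import datetime, timedelta, timezone
from typing import List

DATE_TIME_FMT = "%m/%d/%Y %H:%M:%S"   # the Date (MM/DD/YYYY) and Time (hh:mm:ss) fields

# Fallback offsets (standard time, no DST) for the two zones in the guide's
# example, used only when this host has no IANA time-zone database. This is
# an assumption of the example, not appliance behaviour.
_FALLBACK_ZONES = {
    "America/New_York": timezone(timedelta(hours=-5), "EST"),
    "America/Los_Angeles": timezone(timedelta(hours=-8), "PST"),
}


def get_zone(name: str):
    """IANA zone if available on this host, otherwise the fixed fallback."""
    try:
        from zoneinfo import ZoneInfo
        return ZoneInfo(name)
    except Exception:
        return _FALLBACK_ZONES[name]


def parse_schedule(date_str: str, time_str: str, tz_name: str) -> datetime:
    """Combine the Date, Time and Time Zone fields into one zone-aware instant.
    strptime rejects an hour outside 0-23, as the dialog does."""
    naive = datetime.strptime(f"{date_str} {time_str}", DATE_TIME_FMT)
    return naive.replace(tzinfo=get_zone(tz_name))


def display_in_default_zone(scheduled: datetime, default_tz_name: str) -> str:
    """What the GUI shows after you save and reinvoke it: the same instant
    expressed in the grid (or member) default time zone."""
    return scheduled.astimezone(get_zone(default_tz_name)).strftime(DATE_TIME_FMT)


def member_restart_instants(grid_restart: datetime, member_restart: datetime) -> List[datetime]:
    """Instants at which a member restarts when both a grid and a member
    schedule exist. The member time supersedes: a member scheduled later than
    the grid restarts only at its own time; one scheduled earlier restarts at
    its own time and again at the grid time. Treating an equal time as a
    single restart is an assumption of this example."""
    if member_restart >= grid_restart:
        return [member_restart]
    return [member_restart, grid_restart]


if __name__ == "__main__":
    # Guide's scenario: default zone is Eastern; an admin in California
    # schedules 10:30 p.m. Pacific on 02/20/2007.
    pacific = parse_schedule("02/20/2007", "22:30:00", "America/Los_Angeles")
    print("entered:  ", pacific.strftime(DATE_TIME_FMT), "Pacific")
    print("displayed:", display_in_default_zone(pacific, "America/New_York"), "Eastern")
    grid = parse_schedule("02/21/2007", "02:00:00", "America/New_York")
    for when in member_restart_instants(grid, pacific):
        print("member restarts at", display_in_default_zone(when, "America/New_York"), "Eastern")
```

With the guide's figures, 22:30:00 Pacific on 02/20/2007 displays as 01:30:00 Eastern on 02/21/2007, and a member scheduled there restarts twice if the grid restart is set for 02:00:00 Eastern the same night.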

Canceling a Scheduled Restart


Limited-access users can only cancel a schedule that they created. Superusers can cancel a schedule that any user created. You can cancel scheduled changes for the grid only from the grid level, and scheduled changes for a member only from the member level.

You can cancel a scheduled restart either by using the Manage Restart Services option or by resetting the restart services time to Immediately (instead of selecting Scheduled) in the Restart Member Services dialog box.

Use the following steps to cancel a scheduled restart using the Manage Restart Services option. When you use this option, the system cancels the schedule to restart services on the member or grid and does not restart services.

1. From the Grid or Device perspective, select the drop-down menu next to the clock icon in the GUI.
2. Select Manage Restart Services. The Manage Grid Services dialog box or the Manage Device Services dialog box appears.
3. Click Cancel Restart. The Cancel Schedule Warning message appears.
4. Click Yes, and then click OK. The Restart Services icon in the GUI changes back from the clock icon to the Infoblox logo, provided there is no other scheduled restart.

Use the following steps to cancel a scheduled restart by resetting the restart services time. When you use this option, the system cancels the scheduled restart and restarts the services on the member or the grid at once.

1. From the Grid or Device perspective, click the grid or the member.
2. Select the drop-down menu next to the clock icon in the GUI.
3. Select Restart Member Services or Restart Grid Services. The Restart Member Services or Restart Grid Services dialog box appears.
4. Select Immediately in the Restart services time section and click OK. The Cancel Schedule Warning message appears.
5. Click Yes, and then click OK. The Restart Services icon in the GUI changes back from the clock icon to the Infoblox logo, provided there is no other scheduled restart.


Chapter 5 Monitoring the Appliance


This chapter describes the status icons in the Infoblox GUI that indicate the state of appliances, services, database capacity, ethernet ports, HA, and grid replication. It also explains how to use the various logs and the traffic capture tool to monitor a NIOS appliance. You can set the monitoring parameters at the grid and member levels. The topics in this chapter include:

Viewing Detailed Status on page 180
Appliance Status on page 180
Service Status on page 180
DB Capacity Used on page 181
Disk Usage on page 181
HA, LAN1, LAN2, or MGMT Port on page 182
LCD on page 182
Memory Usage on page 182
Replication on page 183
Using a Syslog Server on page 185
Specifying Syslog Servers on page 185
Configuring Syslog for a Grid Member on page 186
Setting DNS Logging Categories on page 187
Viewing the Syslog on page 188
Searching for Text on page 188
Downloading the Syslog File on page 189
Monitoring Tools on page 190
Using the Audit Log on page 190
Using the Replication Log on page 192
Using the Traffic Capture Tool on page 193
Using the Capacity Report on page 194
Monitoring DNS Transactions on page 195


Viewing Detailed Status


The NIOS GUI changes the color of status icons to indicate the state of appliances, services, database capacity, ethernet ports, HA, and grid replication. For the Infoblox-1552 and 2000, the GUI displays status icons for the power supplies. For the Infoblox-2000, the GUI displays icons to indicate the state of the RAID array and disk controller backup battery. To see a detailed status report for a grid, from the Grid perspective, select grid, and then click View -> Detailed Status. After displaying the Detailed Status panel, you can view the status of individual grid members and services by selecting them in the Grid panel. The Detailed Status panel provides a detailed status report on the following appliance and service operations:

Appliance Status
The status icons indicate the operational status of a grid member and give a general description of what it is currently doing. The appliance status icon can be one of the following colors:

Green: The appliance is operating normally in a running state.
Yellow: The appliance is connecting or synchronizing with its grid master.
Red: The grid member is offline, is not licensed (that is, it does not have a DNSone license with the Grid upgrade that permits grid membership), is upgrading or downgrading, or is shutting down.

Following are some appliance descriptions that might appear in the Description column: Running, Offline, Connecting, Synchronizing, Authentication Failed, Shared secret did not match, Not Licensed, SW Revision Mismatch, Downloading Release from Master, and Shutting Down.

Service Status
After you enable DHCP, DNS, TFTP, HTTP (for file distribution), RADIUS, FTP, bloxTools Environment, VitalQIP, or IPAM WinConnect services, the Infoblox GUI indicates their status with a green or red icon. Because the status icons for NTP have a different meaning, those meanings are explained in a separate table.

DHCP, DNS, TFTP, HTTP (File Distribution), RADIUS, FTP, bloxTools Environment, VitalQIP, or IPAM WinConnect:

Green: A service is enabled and running properly.
Red: A service is enabled but not running. (A red status icon can also appear temporarily when a service is enabled and begins running, but the monitoring mechanism has not yet notified the GUI engine.)


NTP:

Green: The NTP service is enabled and running properly.
Yellow: The NTP service is enabled, and the appliance is synchronizing its time.
Red: The NTP service is enabled, but it is not running properly or is out of synchronization.
Gray: The NTP service is disabled.

The type of information that can appear in the Description column for a service corresponds to the SNMP trap messages. For information about Infoblox SNMP traps, see Chapter 6, Monitoring with SNMP, on page 201.

DB Capacity Used
Status icons for DB Capacity Used indicate the current percentage of the database in use on a selected grid member. The maximum is 100%.

Green: Under 85% of database capacity is currently in use.
Yellow: Over 85% of database capacity is currently in use. When the capacity exceeds 85%, the icon changes from green to yellow and the NIOS appliance sends an SNMP trap.

Disk Usage
This indicates the percentage of the data partition on the hard disk drive currently in use.

Green: Under 85% capacity
Yellow: Between 85% and 95% capacity
Red: Over 95% capacity

FAN
The status icon indicates whether the fan(s) are functioning. The corresponding description displays the fan speed.

Green: All fans are functioning properly.
Red: At least one fan is not running.


HA, LAN1, LAN2, or MGMT Port


The status icons for the HA, LAN/LAN1, LAN2, and MGMT ethernet ports indicate the state of their network connectivity.

Green: The port is properly connected to a network. Its IP address appears in the Description column.
Red: The port is not able to make a network connection.

LCD
The LCD status icon indicates its operational status.

Green: The LCD is functioning properly.
Red: The LCD process is not running.

Memory Usage
The status icon for memory usage indicates the current percentage of memory in use.

Green: Under 90% capacity
Yellow: Between 90% and 95% capacity and increased activity
Red: Over 95% capacity and increased activity

Note: You can see more details about memory usage through the CLI command: show memory

Power Supply
The Infoblox-1552, -1552-A, and -2000 have redundant power supplies. The power supply icon indicates the operational status of the power supplies.

Green: The power supplies are functioning properly.
Red: One power supply is not running. To find out which power supply failed, check the LEDs of the power supplies.


RAID
This icon indicates the status of the RAID array on the Infoblox-2000.

Green: The RAID array is functioning properly.
Yellow: A new disk was inserted and the RAID array is rebuilding.
Red: The RAID array is degraded. At least one disk is not functioning properly. The GUI lists the disks that are online. Replace only the disks that are offline.

RAID Battery
This icon indicates the status of the disk controller backup battery on the Infoblox-2000.

Green: The battery is charged. The description indicates the estimated number of hours of charge remaining on the battery.
Red: The battery is not charged.

Temperatures
This icon is always green. The description reports the CPU and system temperatures.

Replication
The current state of replication between a grid member and the master, or between the passive and active nodes in an HA pair.

Grid Member <-> Master:

Green: Grid communications are operating normally and ongoing database updates are occurring.
Yellow: The member is synchronizing itself with the master, and either complete or partial database replication is occurring. All master candidates receive the complete database. All regular members (that is, members not configured as master candidates) receive the section of the database that applies to themselves.
Red: The member and master are not replicating the database between themselves.


HA Pair Passive Node <-> Active Node:

Green: HA communications are operating normally and database replication is occurring.
Yellow: The passive node is synchronizing itself with the active node, and database replication is occurring.
Red: The passive and active nodes are not replicating the database between themselves.


Using a Syslog Server


Syslog is a widely used mechanism for logging system events. NIOS appliances generate syslog messages which you can view through the system log viewer and download to a directory on your management station. In addition, you can configure a NIOS appliance to send the messages to one or more external syslog servers for later analysis. Syslog messages provide information about appliance operations and processes. You can also include audit log messages and specific BIND messages among the messages the appliance sends to the syslog server. You can set syslog parameters at the grid and member levels. At the member level, you can override grid-level syslog settings and enable syslog proxy. The topics in this section include:

Specifying Syslog Servers on page 185
Configuring Syslog for a Grid Member on page 186
Setting DNS Logging Categories on page 187
Viewing the Syslog on page 188
Searching for Text on page 188
Downloading the Syslog File on page 189

Specifying Syslog Servers


To configure a NIOS appliance to send messages to a syslog server:

1. From the Grid perspective, click grid -> Edit -> Grid Properties.
   or
   From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid or Device editor, click Monitoring, and then enter the following:

   Syslog
   In addition to storing the system log on a grid member, you can configure the grid to send the log to an external syslog server.
   Override grid syslog settings: Select this check box to override grid-level settings and apply member-level settings. Clear it to apply grid-level settings to this member. If Member Type is Riverbed, you must select this check box to override grid-level settings. The appliance automatically configures the syslog size to 20MB for Riverbed members.
   Syslog size (MBytes): Specify the maximum size of the syslog file. Enter a value from 10 to 300. The default is 300MB. When the syslog file reaches its maximum size, the appliance automatically writes the file into a new file by adding a .0 extension to the first file and incrementing subsequent file extensions by 1.
   Enable external syslog server: Select this check box to enable the NIOS appliance to send messages to a specified syslog server.
   Syslog Server Group: To define one or more syslog servers, click Add, enter the following, and then click OK:
   Server Address: Type the IP address of a syslog server.
   Connection Type: Specify whether the appliance uses TCP or UDP to connect to the external syslog server.
   Port: Specify the destination port number.
   Out Interface: Specify the interface through which the appliance sends syslog messages to the syslog server.

NIOS 4.3r4

Infoblox Administrator Guide (Rev. A)

185

Monitoring the Appliance

   Severity Filter: Choose a filter from the drop-down list. When you choose a severity level, grid members send messages of that severity level plus all messages of the severity levels above it. The lowest severity level is debug (at the top of the drop-down list), and the highest severity level is emerg (at the bottom of the list). Accordingly, if you choose debug, grid members send all syslog messages to the server. If you choose err, grid members send messages with the severity levels err, crit, alert, and emerg. If you choose emerg, they send only emerg messages.

   Message Source: Specify which syslog messages the appliance sends to the external syslog server:
      Internal: The appliance sends syslog messages that it generates.
      External: The appliance sends syslog messages that it receives from other devices, such as syslog servers and routers.
      Any: The appliance sends both internal and external syslog messages.

   Copy audit log messages to syslog: Select the check box for the NIOS appliance to include audit log messages among the messages it sends to the syslog server. This is useful for monitoring administrative activity on multiple appliances from a central location.

   Audit Log Facility: Choose the facility under which you want the syslog server to sort the audit log messages.

3. Click the Save icon to save your settings.

Configuring Syslog for a Grid Member


You can override grid-level syslog settings and enable syslog proxy for individual members. When you enable syslog proxy, the member receives syslog messages from specified devices, such as syslog servers and routers, and then forwards these messages to an external syslog server. You can also configure appliances to use TCP for sending syslog messages. TCP is more reliable than UDP, and that reliability matters for security, accounting, and auditing messages sent through syslog: a UDP message dropped in transit is lost silently.

To configure syslog parameters for a member:

1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties.
2. In the Grid Member editor, click Monitoring, and enter the following:

   Syslog
   In addition to storing the system log on a grid member, you can configure a member to send the log to a syslog server.

   Override grid syslog settings: Select the check box to override grid-level settings and apply member-level settings. Clear it to apply grid-level settings to this member. If Member Type is Riverbed, you must select this check box to override grid-level settings. The appliance automatically sets the syslog size to 20 MB for Riverbed members.

   Syslog size (MBytes): Specify the maximum size of the syslog file. Enter a value from 10 to 300. The default is 300 MB. When the syslog file reaches its maximum size, the appliance rotates it: the current file is renamed with a .0 extension and the extensions of older files are incremented by 1.

   Enable external syslog server: Select this check box to enable the NIOS appliance to send messages to a specified syslog server.

   Syslog Server Group: To define one or more syslog servers, click Add, enter the following, and then click OK:
      Server Address: Type the IP address of a syslog server.
      Connection Type: Specify whether the appliance uses TCP or UDP to connect to the external syslog server.
      Port: Specify the destination port number.
      Out Interface: Specify the interface through which the appliance sends syslog messages to the syslog server.

   Severity Filter: Choose a filter from the drop-down list. When you choose a severity level, the NIOS appliance sends messages of that severity level plus all messages of the severity levels above it. The lowest severity level is debug (at the top of the drop-down list), and the highest severity level is emerg (at the bottom of the list). Accordingly, if you choose debug, the single appliance or the active node in an HA pair sends all syslog messages to the server. If you choose err, it sends messages with the severity levels err, crit, alert, and emerg. If you choose emerg, it sends only emerg messages.

   Message Source: Specify which syslog messages the appliance sends to the external syslog server:
      Internal: The appliance sends syslog messages that it generates.
      External: The appliance sends syslog messages that it receives from other devices.
      Any: The appliance sends both internal and external syslog messages.

   Enable syslog proxy: Select this check box to enable the appliance to receive syslog messages from other devices, such as syslog servers and routers, and then forward these messages to an external syslog server.
      Enable listening on TCP: Select this check box if the appliance uses TCP to receive messages from other devices.
         Port: Enter the number of the port on which the appliance receives syslog messages from other devices.
      Enable listening on UDP: Select this check box if the appliance uses UDP to receive messages from other devices.
         Port: Enter the number of the port on which the appliance receives syslog messages from other devices.
      Proxy Client Access Control: Click Add, enter the following in the Access Control Item dialog box, and then click OK. List only the devices that should be able to relay messages through this member.
         IP Address option: Select IP Address if you are adding the IP address of a single device, or select Network if you are adding the network address of a group of devices.
         Address: Enter the IP address of the device or network.
         Subnet Mask: If you entered a network address, you must also enter its subnet mask.

3. Click the Save icon to save your settings.
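The Severity Filter described above for the grid and for individual members selects messages by syslog severity number. The following Python is an added example, not part of this guide and not NIOS code: it decodes the PRI field of RFC 3164 syslog messages (PRI = facility * 8 + severity, with emerg = 0 and debug = 7) and applies the "this level and everything more severe" rule to a constructed set of messages. The facility name table follows RFC 3164; the sample messages, the host name ib-member and the use of local6 as the Audit Log Facility are assumptions for illustration.

```python
"""Decode syslog PRI values and apply a NIOS-style severity filter.

Added example, not code from the Infoblox guide. Sample messages below are
constructed; the local6 audit facility is an assumed configuration choice.
"""
import re
from typing import Dict, List, Optional, Tuple

# Index == numeric code. Severity 0 (emerg) is the most severe, 7 (debug) the least.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(message: str) -> Optional[Tuple[str, str, str]]:
    """Return (facility, severity, rest_of_message), or None if no valid PRI field."""
    m = _PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)


def passes_filter(message: str, minimum: str) -> bool:
    """True when the message is at least as severe as `minimum` (the GUI's Severity Filter).

    Choosing 'err' keeps err, crit, alert and emerg, i.e. severity codes <= 3.
    Messages without a parseable PRI are not forwarded.
    """
    decoded = decode_pri(message)
    if decoded is None:
        return False
    return SEVERITIES.index(decoded[1]) <= SEVERITIES.index(minimum)


def forward(messages: List[str], minimum: str) -> List[str]:
    """Messages a member would send to the external server at the given filter level."""
    return [m for m in messages if passes_filter(m, minimum)]


def split_by_facility(messages: List[str]) -> Dict[str, List[str]]:
    """Group messages by facility, the way a receiving server sorts an Audit Log Facility."""
    out: Dict[str, List[str]] = {}
    for m in messages:
        decoded = decode_pri(m)
        if decoded is not None:
            out.setdefault(decoded[0], []).append(m)
    return out


# Constructed sample: one message per severity plus an audit line on local6.info (PRI 182).
SAMPLE = [
    "<0>Oct  6 14:47:12 ib-member kernel: emerg test",                          # kern.emerg
    "<9>Oct  6 14:47:12 ib-member named[1234]: alert test",                     # user.alert
    "<26>Oct  6 14:47:12 ib-member named[1234]: crit test",                     # daemon.crit
    "<27>Oct  6 14:47:12 ib-member named[1234]: err test",                      # daemon.err
    "<28>Oct  6 14:47:12 ib-member named[1234]: warning test",                  # daemon.warning
    "<29>Oct  6 14:47:12 ib-member dhcpd[1235]: notice test",                   # daemon.notice
    "<30>Oct  6 14:47:12 ib-member dhcpd[1235]: info test",                     # daemon.info
    "<31>Oct  6 14:47:12 ib-member dhcpd[1235]: debug test",                    # daemon.debug
    "<182>Oct  6 14:47:13 ib-member audit: [admin]: updated grid time zone",    # local6.info
]

if __name__ == "__main__":
    for level in ("debug", "err", "emerg"):
        print(level, "->", len(forward(SAMPLE, level)), "messages forwarded")
```

Note that an audit line copied to syslog at an info severity is dropped by any filter stricter than info, so a member configured with Severity Filter err and Copy audit log messages enabled forwards no audit records at all; check the filter together with the copy setting.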

Setting DNS Logging Categories


You can specify which of the 14 BIND logging categories syslog captures, and you can filter these messages by severity. For information about severity levels, refer to Using a Syslog Server on page 185. To specify logging categories:

1. From the Grid perspective, click + (for grid) -> + (for Services) -> DNS -> Service Properties.
   or
   From the Device perspective, click + (for hostname) -> DNS -> Service Properties.
2. In the Grid DNS Properties editor, click Logging, and then enter the following:

   Logging Facility: Select a facility from the drop-down list. This is the facility under which the syslog server sorts the DNS logging messages.

   Select one or more of these log categories:
      Enable General: Records the BIND messages that are not specifically classified.
      Enable Config: Records configuration file parsing messages.
      Enable DNSSEC: Records DNSSEC and TSIG protocol processing.
      Enable Network: Records network operation messages.
      Enable Queries: Records client queries (query logging). On a busy server this category is high volume and can fill the syslog quickly.
      Enable Security: Records approved and denied requests.
      Enable Transfer-in: Records zone transfer messages from remote name servers to the appliance.
      Enable Transfer-out: Records zone transfer messages from the NIOS appliance to remote name servers.
      Enable Update: Records dynamic updates.
      Enable Resolver: Records DNS resolution, such as the recursive lookups the appliance performs on behalf of clients.
      Enable Notify: Records asynchronous zone change notification (NOTIFY) messages.
      Enable Lame Servers: Records bad delegations discovered during resolution.
      Enable Database: Records BIND's internal database processes.
      Enable Client: Records client requests.

3. Click the Save icon to save your settings.
4. Click the Restart Services icon if it flashes.

Viewing the Syslog


In addition to sending syslog messages to a remote syslog server, a NIOS appliance stores the system messages locally. When the syslog file reaches its maximum size, which is 300 MB for Infoblox appliances and Cisco vNIOS virtual appliances and 20 MB for Riverbed vNIOS virtual appliances, the appliance rotates it: the current file is renamed with a .0 extension, the extensions of older files are incremented by 1, and rotated files are compressed with a .gz extension (file.#.gz). The numbering runs from 0 through 9. When an eleventh file would be created, the oldest file (file.9.gz) is dropped and the remaining files are renumbered: the current log becomes file.0.gz, the previous file.0.gz becomes file.1.gz, and so on through file.9.gz. A maximum of 10 rotated files (0-9) is kept.

To view syslog messages on a NIOS appliance:

1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> File -> System Log -> ip_addr.
   or
   From the Device perspective, click hostname -> File -> System Log -> ip_addr.
   Note: You can also right-click a grid member, independent appliance, or HA pair, and then select System Log -> ip_addr in the shortcut menu.
   The appliance displays the syslog messages for the specified member.
2. To refresh the contents of the System Log File viewer, click View -> Refresh (or press the F5 key).
3. To delete the contents of the System Log File viewer, click View -> Clear. Only a superuser can clear the syslog file. Because clearing removes the local copy, forward messages to an external syslog server if you need a record that survives clearing.

Searching for Text


Instead of paging through the syslog to locate messages, you can limit the display to syslog messages that contain certain text strings. To search for text strings:

1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> File -> System Log -> ip_addr.
   or
   From the Device perspective, click hostname -> File -> System Log -> ip_addr.
   Note: You can also right-click a grid member, independent appliance, or HA pair, and then select System Log -> ip_addr in the shortcut menu.
   The appliance displays the syslog messages for the specified member.
2. Click the Search icon in the upper right corner of the System Log File viewer.
3. Enter the text string and then click Search. The appliance displays the results of your search in a Search Results panel.


Downloading the Syslog File


You can download the syslog file to a specified directory if you want to print or analyze it. To download a syslog file:

1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> File -> System Log -> ip_addr.
   or
   From the Device perspective, click hostname -> File -> System Log -> ip_addr.
   Note: You can also right-click a grid member, independent appliance, or HA pair, and then select System Log -> ip_addr in the shortcut menu.
   The appliance displays the syslog messages for the specified member.
2. Click the Download File icon in the upper right corner of the System Log File viewer, navigate to the directory where you want to save the file, optionally change the file name (the default names are node_1_sysLog.tar.gz and node_2_sysLog.tar.gz), and then click OK.


Monitoring Tools
You can use the audit log, the replication log, and the traffic capture tool on a grid or HA pair to monitor administrator activity, check database replication, and capture traffic for diagnostic purposes. You can also use CLI commands to monitor certain DNS transactions. This section includes the following topics:

Using the Audit Log on page 190
Using the Replication Log on page 192
Using the Traffic Capture Tool on page 193
Using the Capacity Report on page 194
Monitoring DNS Transactions on page 195

Using the Audit Log


The audit log contains a record of all Infoblox administrative activity. The system logs the following successful operations:
   Write operations such as the addition, modification, and removal of objects.
   System management operations such as service restarts and appliance reboots.
   Scheduled tasks such as adding an A record or modifying a fixed address.

Each entry provides detailed information on the change:
   Date and time stamp of the change. If you have admin accounts with different time zone settings, the appliance displays the date and time stamp in the time zone of the admin account that you use to log in.
   Administrator name.
   Changed object name.
   New value of the object. If you change multiple properties of an object, the audit log lists all changes in a comma-separated log entry. You can also search the audit log to find the new value of an object.

When the audit log reaches its maximum size, which is 100 MB, the appliance rotates it in the same way as the syslog: the current file is renamed with a .0 extension, the extensions of older files are incremented by 1, and rotated files are compressed with a .gz extension (file.#.gz). The numbering runs from 0 through 9. When an eleventh file would be created, the oldest file (file.9.gz) is dropped and the remaining files are renumbered: the current log becomes file.0.gz, the previous file.0.gz becomes file.1.gz, and so on through file.9.gz. A maximum of 10 rotated files (0-9) is kept. To list the audit log files and their sizes, log in to the Infoblox CLI and execute the show logfiles command.

To view the audit log:
   From the Grid perspective, select grid -> File -> Audit Log.
   or
   From the Device perspective, select hostname -> File -> Audit Log.
   To refresh the audit log view, select View -> Refresh (or press the F5 key). To delete the contents of the audit log file, select View -> Clear.

You can also do the following:

You can search for audit log entries that pertain to particular DNS and DHCP objects. To search the audit log file:

1. Click the Search icon in the upper right corner of the Audit Log File viewer.
2. In the Search Audit Log dialog box, enter the search criteria as follows:

   Match Fields: In this section, you specify the fields the appliance uses to filter the audit log. Enter the following:
      Admin Name: Enter the name of an administrator to view only the changes made by that administrator. The name need not be complete, the match is not case sensitive, and you can use regular expressions; for example, enter ad* or adm to find the admin name administrator.
      Message/Value: Enter any word or phrase from the message, or the value of the object that was created, modified, or deleted. The match is not case sensitive, the text need not be complete, and you can use regular expressions; for example, to find messages containing the word created, enter cre or cre*. If you changed the Comment field for an authoritative zone from today is tuesday to today is wednesday, the audit log displays this change in the Message column as follows:

         comment From: today is tuesday To: today is wednesday

      In this case, you can search for the string today is wednesday, but not for To: today is wednesday. You can also search by the value of the object you changed. For example, if you changed the end IP address of a DHCP range from 10.0.20.0 to 10.0.30.0, enter 30 in the Message/Value field to find the log entry for this change.

   Object Restrictions: In this section, you can specify additional filter criteria to restrict the search.
      Object Type: This drop-down list shows the object types you can select. Select No Object Type Restrictions to search all object types, or select a specific object type. When you select a specific object type, you can also enter an object name.
      Object Name: To restrict the search to a specific object, enter a name for the object type you specified. You can enter a partial name and use regular expressions; for example, to find a DNS object called test.com, enter tes or te*.

   Time Range: In this section, either select a predefined time range or specify a custom range. The appliance uses the time zone that it detects from the management system the admin uses to log in, unless you override the auto-detection at the admin or member level by specifying a time zone. For example, if you are in the Eastern Standard Time zone, the Time Range section displays Eastern Standard Time regardless of the grid time zone setting. If you change the time zone on your computer, log out and log back in to the NIOS appliance for the new time zone to take effect.
      Predefined range: Select one of the following from the drop-down menu:
         All: Displays all audit log messages.
         Last Week: Displays audit log activity from the week before the current time.
         Last Day: Displays audit log activity from the 24 hours before the current time.
         Last 12 Hours: Displays audit log activity from the 12 hours before the current time.
         Last 4 Hours: Displays audit log activity from the four hours before the current time.
         Last Hour: Displays audit log activity from the hour before the current time.
      Custom range: Click and select one of the following:
         From: Either select Oldest message or click Specify and enter the start date and time in year/month/date and hours:minutes:seconds format.
         To: Either select Newest message or click Specify and enter the end date and time in year/month/date and hours:minutes:seconds format.

3. Click Search. The appliance displays the results of your search in a Search Results panel.

To download the audit log file, click the Download File icon in the upper right corner of the Audit Log File viewer, navigate to the directory where you want to save it, optionally change the file name (the default name is auditLog.tar.gz), and click OK.


Audit Log Format


The format of the audit log is similar to the syslog:
[date and time stamp] [user name]: message

For example:
[2007/05/05 11:13:54.208] [admin]: updated grid time zone

Note: The dates and timestamps in the audit log are determined by the time zone setting of the admin account that you use to log in to the NIOS appliance.

Specifying the Audit Log Type


Select either the Detailed (default) or Brief audit log type as follows:

1. Select Grid -> Edit -> Grid Properties.
2. Click the Grid Properties section to expand it.
3. Select one of the following types in the Audit Log section:
   Detailed: The default type. It provides detailed information on all administrative changes: the date and time stamp of the change, the administrator name, the changed object name, and the new values of all properties.
   Brief: Provides the date and time stamp of the change, the administrator name, and the changed object name. It does not show the new value of the object, so keep the Detailed type if you need to reconstruct what a change did. The following are examples of brief audit log messages:

[2007/06/08 12:36:35.768] [admin]: Modified AdminGroup test_group
[2007/07/10 12:39:19.424] [admin]: Deleted AuthZone test.com view=default
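The audit log format shown above and the Search Audit Log behaviour described earlier (partial, case-insensitive, regular-expression matching on the admin name and on the message or value, plus a predefined or custom time range) are straightforward to reproduce offline on a downloaded auditLog.tar.gz. The Python below is an added example, not Infoblox code: it parses the "[date time] [user]: message" format and implements those search rules over a constructed log. The sample entries, the jsmith account and the DhcpRange wording are invented for illustration; unlike the appliance, which searches the stored value, this example searches the full rendered message text.

```python
"""Parse NIOS-style audit log lines and search them the way the GUI does.

Added example, not code from the Infoblox guide. SAMPLE_LOG is constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# [2007/05/05 11:13:54.208] [admin]: updated grid time zone
_ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)\] "
    r"\[(?P<admin>[^\]]+)\]: (?P<msg>.*)$"
)


@dataclass
class AuditEntry:
    when: datetime
    admin: str
    message: str


def parse_entry(line: str) -> Optional[AuditEntry]:
    """Parse one audit log line; returns None for lines that do not match the format."""
    m = _ENTRY_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = m.group("ts")
    fmt = "%Y/%m/%d %H:%M:%S.%f" if "." in ts else "%Y/%m/%d %H:%M:%S"
    return AuditEntry(datetime.strptime(ts, fmt), m.group("admin"), m.group("msg"))


def parse_log(text: str) -> List[AuditEntry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


def _matches(pattern: Optional[str], value: str) -> bool:
    """Partial, case-insensitive regex match; an empty pattern matches everything.
    An invalid expression falls back to a literal substring match."""
    if not pattern:
        return True
    try:
        return re.search(pattern, value, re.IGNORECASE) is not None
    except re.error:
        return pattern.lower() in value.lower()


def search(entries: List[AuditEntry], admin: Optional[str] = None,
           message: Optional[str] = None, since: Optional[datetime] = None,
           until: Optional[datetime] = None) -> List[AuditEntry]:
    """Apply Admin Name, Message/Value and Time Range filters together."""
    hits = []
    for e in entries:
        if since is not None and e.when < since:
            continue
        if until is not None and e.when > until:
            continue
        if not _matches(admin, e.admin) or not _matches(message, e.message):
            continue
        hits.append(e)
    return hits


# The GUI's predefined ranges, expressed as "how far back from now".
PREDEFINED = {
    "Last Week": timedelta(weeks=1), "Last Day": timedelta(days=1),
    "Last 12 Hours": timedelta(hours=12), "Last 4 Hours": timedelta(hours=4),
    "Last Hour": timedelta(hours=1),
}


def predefined_range(name: str, now: datetime) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Return (since, until) for a predefined range name; 'All' is unbounded."""
    if name == "All":
        return None, None
    return now - PREDEFINED[name], now


# Constructed sample log (the jsmith account and DhcpRange line are invented).
SAMPLE_LOG = """\
[2007/05/05 11:13:54.208] [admin]: updated grid time zone
[2007/06/08 12:36:35.768] [admin]: Modified AdminGroup test_group
[2007/06/08 12:40:02.001] [jsmith]: Modified AuthZone test.com view=default comment From: today is tuesday To: today is wednesday
[2007/06/08 13:05:17.550] [jsmith]: Modified DhcpRange 10.0.10.1-10.0.20.0 end_addr From: 10.0.20.0 To: 10.0.30.0
[2007/07/10 12:39:19.424] [admin]: Deleted AuthZone test.com view=default
"""
ENTRIES = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for e in search(ENTRIES, admin="ad*", message="authzone"):
        print(e.when, e.admin, e.message)
```

Timestamps are parsed as naive local times, which mirrors the appliance's behaviour of rendering the log in the logged-in admin's time zone; when correlating with syslog from another source, convert both to UTC first.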

Using the Replication Log


The Replication Status panel reports the status of database replication between the grid master and grid members, and between the two nodes in an independent HA pair. Use it to check the health of grid and HA pair synchronization.

To view the replication log:
   From the Grid perspective, click grid -> View -> Replication Status.
   or
   From the Device perspective, click hostname -> View -> Replication Status.
   To refresh the contents of the Replication Log viewer, click View -> Refresh (or press the F5 key).


Using the Traffic Capture Tool


You can capture the traffic on one or all of the ports on a NIOS appliance, and then view it with a third-party network protocol analyzer, such as Ethereal (now Wireshark). The NIOS appliance saves all the traffic it captures into a .cap file and compresses it into a .tar.gz file. Your management system must have a utility that can extract the .tar archive from the .gz file, and an application that can read the .cap (capture) file format. This section explains how to capture traffic and download it to your management system; you then extract the capture file and open it in the analyzer.

Note: The NIOS appliance always saves a traffic capture file as tcpdumpLog.tar.gz. If you download multiple traffic capture files to the same location, rename each downloaded file before downloading the next.

1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Tools -> Capture Traffic.
   or
   From the Device perspective, click hostname -> Tools -> Capture Traffic.
2. In the Traffic Capture dialog box, select the port on which you want to capture traffic and specify how long the tool runs. If you enabled the NIC failover feature, the LAN and LAN2 ports generate the same output. (For information about NIC failover, see NIC Failover on page 150.)
   HA port: Select to capture all traffic that the HA port receives and transmits.
   LAN port: Select to capture all traffic that the LAN port receives and transmits.
   MGMT port: Select to capture all traffic that the MGMT port receives and transmits.
   LAN2 port: Select to capture all traffic that the LAN2 port receives and transmits.
   All ports (promiscuous mode not supported): Select to capture traffic addressed to all ports. The NIOS appliance captures only traffic that is addressed to it.
   Seconds to run: Specify the number of seconds that you want the traffic capture tool to run.
   Note: NIOS virtual appliances support capturing traffic only on the LAN port.
3. Click Start. A message warns that the traffic capture tool reduces network service processing and prompts you to confirm.
4. Click Yes.
5. When you want to view the captured traffic, click Download.
6. A message states that clicking Download stops the traffic capture (if it is still running) and asks whether you want to proceed.
7. Click OK.
8. Navigate to where you want to save the file, rename it if you want, and then click OK or Save.
9. Use terminal commands (Linux) or an application such as StuffIt or WinZip to extract the contents of the .tar.gz file.
10. Open the extracted traffic.cap file with the network protocol analyzer.


Using the Capacity Report


You can view the capacity usage and object type information of an appliance in the Capacity Report panel. The report covers an independent appliance, a grid master, or a grid member; for an HA pair, it shows the information on the active node. The top half of the panel displays a capacity summary, and the bottom half displays the object types that the appliance supports and the total count for each.

To view the capacity report:
   From the Grid perspective, click + (for grid) -> + (for Members) -> member -> View -> Capacity Report.
   or
   From the Device perspective, select hostname -> View -> Capacity Report.

The capacity summary contains the following information:
   Name: The name of the appliance.
   Role: The role of the appliance. The value can be Grid Master, Grid Master Candidate, Grid Member, or Standalone.
   Hardware Type: The type of hardware. For an HA pair, the report displays the hardware type of both the active and passive nodes.
   Maximum Capacity: The maximum number of objects that the appliance can support.
   Total Objects: The total number of objects currently in the database.
   % Capacity Used: The percentage of the capacity that is in use.

The report categorizes object types that you can manage through the NIOS appliance. Objects used only for internal system operations are grouped under the object type Other. For each object type the report shows:
   Object Type: The type of object, for example DHCP Lease, Admin Group, or PTR Record.
   Total: The total number of objects of that type.

You can print the object type information or export it to a CSV file. For information on printing the object types, see Printing from the GUI on page 61; and for information on exporting to a CSV file, see Exporting Data on page 64.


Monitoring DNS Transactions


The NIOS appliance provides tools for monitoring DNS transactions and mitigating cache poisoning. Cache poisoning occurs when a DNS server accepts maliciously crafted, unauthentic data. The server caches the incorrect entries and serves them to users who make the same DNS requests, so an attacker can redirect traffic from a legitimate host to a host that the attacker controls. You can configure the appliance to track invalid DNS responses to recursive queries: responses that arrive on an invalid port or that carry an invalid TXID (DNS transaction ID). Both can be indicators of cache poisoning attempts.

An invalid port is a DNS response that arrives from UDP (User Datagram Protocol) port 53 and meets either of the following conditions:
   There are no outstanding DNS requests from the port on which the response arrives.
   The TXID of the DNS response matches the TXID of an outstanding request, but that request was sent from a port other than the one on which the response arrives.

An invalid TXID is a DNS response that arrives from UDP port 53 whose TXID does not match the TXID of any outstanding DNS request.

Figure 5.1 illustrates how the appliance detects an invalid port and an invalid TXID.

Figure 5.1 Invalid Port and Invalid TXID
   [Figure: Client, Infoblox DNS Server (UDP port 53), Authoritative DNS Server (UDP port 53), Malicious Source]
   1. A client sends a DNS request to the Infoblox DNS server.
   2. The Infoblox DNS server sends a DNS request to an authoritative DNS server from a random source port (port 10024) with TXID 65534.
   3. The authoritative DNS server sends a valid response to the Infoblox DNS server (to port 10024, TXID 65534).
   4. The malicious source sends spoofed DNS responses, guessing the TXID and the UDP port (the figure shows port 10028 and TXID 65380).
   The appliance detects the invalid port or TXID, logs the event, and sends an SNMP trap and/or e-mail when the thresholds are exceeded.

Both invalid ports and invalid TXIDs can be indicators of DNS cache poisoning, although a small number of them is normal: a valid response that arrives after its query has timed out looks the same as a spoofed one. You can configure the appliance to track these indicators, view their status, and configure thresholds for them. When the number of invalid ports or invalid TXIDs exceeds a threshold, the appliance logs an event in the syslog file and, if you enable them, sends an SNMP trap and e-mail notification. You can then configure rate limiting rules to limit incoming traffic from the primary sources of invalid DNS responses, or block those sources completely.

Rate limiting uses a token bucket. The bucket is refilled at the configured rate, the number of packets per minute that the Infoblox DNS server accepts from a specified source, and holds at most the configured burst count, the largest number of back-to-back packets that can be accepted at once. Each accepted packet consumes a token; when the bucket is empty, the appliance discards further packets from that source until tokens accumulate again at the configured rate.

The appliance monitors only UDP traffic from remote port 53, for the following reasons:
   The attacks that the appliance monitors do not happen over TCP.
   DNS responses are sent only from port 53. The appliance discards DNS responses that are sent from other ports.

To monitor invalid ports and invalid TXIDs on the Infoblox DNS server, follow these procedures:

1. Enable DNS network monitoring and DNS alert monitoring. For information, see Enabling and Disabling DNS Alert Monitoring on page 196.
2. Configure the thresholds for DNS alert indicators. For information, see Configuring DNS Alert Thresholds on page 197.
3. Enable SNMP traps and e-mail notifications. For information, see Configuring SNMP on page 247.
4. Review the DNS alert status. For information, see Viewing DNS Alert Indicator Status on page 197.
5. Identify the source of the attack by reviewing the DNS alert status, the syslog file, and the SNMP traps. For information on SNMP traps for DNS alerts, see Threshold Crossing Traps on page 222.

To mitigate cache poisoning, you can limit incoming traffic or completely block connections from specific sources, as follows:
   Enable rate limiting on the DNS server. For information, see Enabling and Disabling Rate Limiting from External Sources on page 198.
   Configure rate limiting rules for specific sources. For information, see Configuring Rate Limiting Rules on page 199.

You can verify the rate limiting rules after you configure them. For information, see Viewing Rate Limiting Rules on page 200.
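The token bucket described above is easy to misread (it is an empty bucket, not a full one, that causes drops), so the following Python models it explicitly. This is an added example, not Infoblox code and not the appliance's implementation: one bucket per source address, a refill rate in packets per minute, a burst capacity, and an explicit clock so the behaviour is deterministic. The source addresses are the ones used in the status output later in this section; the rates and burst values are assumptions.

```python
"""Per-source token bucket rate limiter modelling the behaviour described in the guide.

Added example, not Infoblox code. Rates, bursts and arrival times below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable


@dataclass
class TokenBucket:
    rate_per_minute: float   # tokens added per minute (packets/minute the source may send)
    burst: int               # bucket capacity: largest back-to-back run accepted at once
    tokens: float = field(init=False)
    last: float = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)   # a fresh bucket starts full
        self.last = 0.0

    def allow(self, now: float) -> bool:
        """Refill for the seconds elapsed since the last packet, then try to spend one token."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_per_minute / 60.0)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False                       # bucket empty: the packet is discarded


class SourceRateLimiter:
    """One bucket per source address; sources without a rule are not limited."""

    def __init__(self) -> None:
        self.rules: Dict[str, TokenBucket] = {}

    def add_rule(self, source: str, rate_per_minute: float, burst: int) -> None:
        self.rules[source] = TokenBucket(rate_per_minute, burst)

    def block(self, source: str) -> None:
        """A zero-rate, zero-burst rule drops every packet from the source."""
        self.add_rule(source, 0.0, 0)

    def accept(self, source: str, now: float) -> bool:
        bucket = self.rules.get(source)
        return True if bucket is None else bucket.allow(now)


def simulate(limiter: SourceRateLimiter, source: str, arrivals: Iterable[float]) -> int:
    """Feed packets arriving at the given times (seconds) and return how many were accepted."""
    return sum(1 for t in arrivals if limiter.accept(source, t))


if __name__ == "__main__":
    lim = SourceRateLimiter()
    lim.add_rule("4.4.4.4", rate_per_minute=60, burst=5)   # assumed rule
    print("burst of 20 at t=0:", simulate(lim, "4.4.4.4", [0.0] * 20), "accepted")
    print("steady 1/s for 60 s:", simulate(lim, "4.4.4.4", [10.0 + i for i in range(60)]), "accepted")
```

With rate 60 packets per minute and burst 5, a flood of 20 packets in one instant yields 5 accepted and 15 dropped, while a steady one packet per second is accepted indefinitely; a blocked source is rejected regardless of timing.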

Enabling and Disabling DNS Alert Monitoring


The appliance monitors only UDP traffic from port 53 for recursive queries, and reports invalid DNS responses. DNS alert monitoring is disabled by default. For an HA pair, you must enable DNS alert monitoring on both the active and passive nodes.

To enable DNS network monitoring and DNS alert monitoring:

1. Log in to the Infoblox CLI as a superuser.
2. Enter the following CLI command:
set monitor dns on

The appliance displays the following:


Turning on DNS Network Monitoring...

3. Enter the following command:


set monitor dns alert on

If DNS network monitoring is disabled when you enable DNS alert monitoring, the appliance prompts you to enable it, because alerting depends on it:

DNS Network Monitoring is disabled. It must be enabled for alerting to function. Enable DNS Monitoring now? (y or n):

To disable DNS network monitoring and DNS alert monitoring, use the following commands:

set monitor dns off
set monitor dns alert off

Note: When you restart DNS network monitoring, you also reset the SNMP counters for DNS alerts. You can then view the alert status to identify the primary source of invalid DNS responses. For information, see Viewing DNS Alert Indicator Status on page 197.


Viewing DNS Alert Indicator Status


To view DNS alert indicator status: 1. Log in to the Infoblox CLI as a superuser account. 2. Enter the following CLI command:
show monitor dns alert status

The appliance displays historical alert counts and up to five primary sources of invalid DNS responses, as in the following example:

Data last updated: Mon Oct 6 14:47:12 2008
DNS Alert     1m    5m    15m   60m   24h   Ever
================================================
port           8    12    12    12    12    12
txid           8    12    12    12    12    12

There were 80 DNS responses seen in the last minute.
10% were to an invalid port.
10% had an invalid TXID.

Primary sources of invalid responses:
4.4.4.4 (unknown) sent 4
2.2.2.2 (unknown) sent 3
7.7.7.7 (unknown) sent 1

The appliance attempts to resolve the host names of the sources that sent invalid responses. If the appliance cannot resolve a host name, it displays unknown as the host name of the invalid response.

Configuring DNS Alert Thresholds


You can configure thresholds for DNS alerts to control when the appliance tracks DNS attacks and issues SNMP traps and e-mail notifications.

Note: Ensure that you enable SNMP traps and e-mail notifications. For information, see Configuring SNMP on page 247.

You can configure thresholds for both invalid ports and invalid TXIDs. The default thresholds for both invalid ports and TXIDs are 50%. When the number of invalid ports or invalid TXIDs exceeds the thresholds, the appliance logs the event and sends SNMP traps and notifications. You can configure the thresholds either as absolute packet counts or as percentages of the total traffic during a one-minute time interval.


Monitoring the Appliance

To configure DNS alert thresholds:
1. Log in to the Infoblox CLI as a superuser account.
2. Enter the following CLI command:
set monitor dns alert modify port | txid over threshold_value packets | percent

where
port | txid = Enter port to set the threshold for invalid ports, or enter txid to set the threshold for invalid TXIDs.
threshold_value = Enter the number of packets or the percentage for the threshold.
packets | percent = Enter packets if you want to track the total packet count, or enter percent if you want to track a percentage of the total traffic. For a percentage-based threshold, the appliance does not generate a threshold crossing event if the traffic level is less than 100 packets per minute.

For example, if you want the appliance to send a DNS alert when the percentage of DNS responses arriving on invalid ports from UDP port 53 exceeds 70% per minute, you can enter the following command:
set monitor dns alert modify port over 70 percent

If you want the appliance to send a DNS alert when the total number of packets with invalid TXIDs from UDP port 53 is over 100 packets per minute, you can enter the following command:
set monitor dns alert modify txid over 100 packets

When there is a DNS alert, the appliance logs an event in the syslog file and sends an SNMP trap and e-mail notification if enabled.
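The following Python model is added here and is not NIOS code: it reproduces the threshold rule described above (packet counts versus percentages, with no percentage-based event below 100 packets per minute) and the per-minute counts and primary sources that show monitor dns alert status reports. The Response records, the sample minute of traffic and the parse_modify_command helper are constructed for the example.

```python
"""Evaluate DNS alert thresholds over one minute of observed responses.

Added example, not NIOS code: it models the behaviour the guide describes
for 'set monitor dns alert modify ...' and 'show monitor dns alert status'.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A percentage-based threshold never fires when the minute carried fewer
# responses than this (the guide's 100 packets-per-minute floor).
MIN_PACKETS_FOR_PERCENT = 100


@dataclass(frozen=True)
class Threshold:
    value: int
    unit: str  # "packets" (absolute count) or "percent" (share of all responses)


@dataclass(frozen=True)
class Response:
    source: str         # address that sent the response
    invalid_port: bool  # arrived on a port with no matching outstanding query
    invalid_txid: bool  # transaction ID matched no outstanding query


# Defaults stated in the guide: 50% for both invalid ports and invalid TXIDs.
DEFAULT_THRESHOLDS: Dict[str, Threshold] = {
    "port": Threshold(50, "percent"),
    "txid": Threshold(50, "percent"),
}


def parse_modify_command(cmd: str) -> Tuple[str, Threshold]:
    """Parse 'set monitor dns alert modify port|txid over N packets|percent'."""
    p = cmd.split()
    ok = (len(p) == 9 and p[:5] == ["set", "monitor", "dns", "alert", "modify"]
          and p[5] in ("port", "txid") and p[6] == "over"
          and p[7].isdigit() and p[8] in ("packets", "percent"))
    if not ok:
        raise ValueError(f"unrecognised command: {cmd!r}")
    return p[5], Threshold(int(p[7]), p[8])


def crossed(count: int, total: int, th: Threshold) -> bool:
    """True when 'count' invalid responses out of 'total' exceed the threshold."""
    if th.unit == "packets":
        return count > th.value
    if total < MIN_PACKETS_FOR_PERCENT:
        return False  # too little traffic for a percentage to be meaningful
    return 100.0 * count / total > th.value


def summarise_minute(responses: List[Response]) -> Dict[str, object]:
    """Counts and top-five offending sources, as the status command reports them."""
    total = len(responses)
    bad_port = sum(1 for r in responses if r.invalid_port)
    bad_txid = sum(1 for r in responses if r.invalid_txid)
    offenders = Counter(r.source for r in responses if r.invalid_port or r.invalid_txid)

    def pct(n: int) -> float:
        return round(100.0 * n / total, 1) if total else 0.0

    return {"total": total, "port": bad_port, "txid": bad_txid,
            "port_pct": pct(bad_port), "txid_pct": pct(bad_txid),
            "top_sources": offenders.most_common(5)}


def evaluate(responses: List[Response], thresholds: Dict[str, Threshold]) -> List[str]:
    """Names of the alerts ('port', 'txid') whose thresholds this minute exceeded."""
    s = summarise_minute(responses)
    return [kind for kind in ("port", "txid")
            if crossed(s[kind], s["total"], thresholds[kind])]


def status_lines(responses: List[Response]) -> List[str]:
    """Render the human-readable part of the status report."""
    s = summarise_minute(responses)
    lines = [f"There were {s['total']} DNS responses seen in the last minute. "
             f"{s['port_pct']:g}% were to an invalid port. "
             f"{s['txid_pct']:g}% had an invalid TXID.",
             "Primary sources of invalid responses:"]
    lines += [f"  {src} sent {n}" for src, n in s["top_sources"]]
    return lines


# Constructed sample: 72 valid responses plus 8 that matched neither the
# expected port nor the expected TXID, mirroring the guide's status output.
SAMPLE_MINUTE: List[Response] = (
    [Response("192.0.2.53", False, False)] * 72
    + [Response("4.4.4.4", True, True)] * 4
    + [Response("2.2.2.2", True, True)] * 3
    + [Response("7.7.7.7", True, True)]
)

if __name__ == "__main__":
    print("\n".join(status_lines(SAMPLE_MINUTE)))
    print("alerts with defaults:", evaluate(SAMPLE_MINUTE, DEFAULT_THRESHOLDS))
    kind, th = parse_modify_command("set monitor dns alert modify port over 5 packets")
    print("alerts after modify:", evaluate(SAMPLE_MINUTE, {**DEFAULT_THRESHOLDS, kind: th}))
```

With the default 50% thresholds the sample minute raises no alert even though 10% of responses are invalid, because it carries fewer than 100 packets; switching the port threshold to an absolute count of 5 packets does raise one.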

Viewing DNS Alert Thresholds


You can view the DNS alert thresholds. The appliance displays the current thresholds. If you have not configured new thresholds, the appliance displays the default thresholds, which are 50% for both invalid ports and TXIDs.

To view the DNS alert thresholds:
1. Log in to the Infoblox CLI as a superuser account.
2. Enter the following CLI command:
show monitor dns alert

The appliance displays the threshold information as shown in the following example:
DNS Network Monitoring is enabled.
Alerting is enabled.
DNS Alert Threshold (per minute)
===========================================
port    over 70% of packets
txid    over 100 packets

Enabling and Disabling Rate Limiting from External Sources


You can mitigate cache poisoning on your DNS server by limiting the traffic or blocking connections from external sources.

To enable rate limiting from external sources:
1. Log in to the Infoblox CLI as a superuser account.
2. Enter the following CLI command:
set ip_rate_limit on

The appliance displays the following:


Enabling rate limiting will discard packets and may degrade performance. Are you sure? (y or n):


Note: When you enable rate limiting, the appliance discards packets based on the configured rate limiting rules. This might affect DNS performance when the appliance discards valid DNS responses.

3. Enter y to enable rate limiting.

When you enable rate limiting, the appliance applies the rate limiting rules that you configured. You might want to configure the rate limiting rules before enabling rate limiting. For information on how to configure rate limiting rules, see Configuring Rate Limiting Rules on page 199. You can also disable rate limiting by entering the following command:
set ip_rate_limit off

When you disable rate limiting, the appliance stops applying the rate limiting rules.

Configuring Rate Limiting Rules


You configure rate limiting rules to limit access or block connections from external sources. The rules take effect when you enable rate limiting. When adding rules, ensure that you do not include an IP address that matches the IP address of either the grid master or a grid member. Doing this could affect VPN connectivity.

To configure rate limiting rules:
1. Log in to the Infoblox CLI as a superuser account.
2. Enter the following CLI command:
set ip_rate_limit add source all | ip_address [/mask] limit packets/m [burst burst_packets]

where
all | ip_address = Enter all or 0.0.0.0 if you want to limit all traffic from all sources, or enter the IP address from which you want to limit the traffic.
[/mask] = Optionally, enter the netmask of the host from which you want to limit the traffic.
packets = Enter the number of packets per minute that you want to receive from the source.
[burst burst_packets] = Optionally, enter burst and the number of packets for burst traffic. This is the maximum number of packets accepted.

The following are sample commands and descriptions for rate limiting rules.

To block all traffic from host 10.10.1.1, enter the following command:
set ip_rate_limit add source 10.10.1.1 limit 0

To limit traffic to five packets per minute from host 10.10.1.2, enter the following command:
set ip_rate_limit add source 10.10.1.2 limit 5/m

To limit the traffic to five packets per minute from host 10.10.2.1/24 with an allowance for burst traffic of 10 packets, enter the following command:
set ip_rate_limit add source 10.10.2.1/24 limit 5/m burst 10

To limit the traffic to 5000 packets per minute from all sources, enter the following command:
set ip_rate_limit add source all limit 5000/m
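The following Python model is added here and is not Infoblox code. It parses the four sample commands above into rules and applies them as token buckets (limit packets per minute, burst as the bucket size, limit 0 as a block), and it includes a check for the grid-address caveat stated above. The longest-prefix match order, the per-rule bucket and the helper names are assumptions of the example, not documented NIOS behaviour.

```python
"""Token-bucket model of the NIOS 'set ip_rate_limit' rules.

Added example, not Infoblox code. Assumptions: the most specific rule (longest
prefix) wins, 'all' is the catch-all, burst defaults to the limit, and one
bucket is kept per rule, so a /24 rule is an aggregate budget for the network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    source: str                               # as typed: 'all', host, or host/mask
    network: Optional[ipaddress.IPv4Network]  # None means every source
    limit_per_minute: int                     # 0 blocks the source entirely
    burst: int                                # packets accepted at once


def parse_add_command(cmd: str) -> Rule:
    """Parse 'set ip_rate_limit add source all|ip[/mask] limit N[/m] [burst B]'."""
    p = cmd.split()
    if p[:4] != ["set", "ip_rate_limit", "add", "source"] or len(p) < 7 or p[5] != "limit":
        raise ValueError(f"unrecognised command: {cmd!r}")
    source = p[4]
    network = None
    if source not in ("all", "0.0.0.0"):
        # strict=False lets '10.10.2.1/24' stand for the 10.10.2.0/24 network
        network = ipaddress.ip_network(source, strict=False)
    limit = int(p[6].split("/")[0])  # both '5/m' and a bare '0' are accepted
    if len(p) == 7:
        burst = limit
    elif len(p) == 9 and p[7] == "burst":
        burst = int(p[8])
    else:
        raise ValueError(f"unrecognised command: {cmd!r}")
    return Rule(source, network, limit, burst)


def conflicts_with_grid(rule: Rule, grid_addresses: List[str]) -> List[str]:
    """Grid master/member addresses the rule would cover (the guide warns this can break VPN connectivity)."""
    if rule.network is None:
        # 'all' covers the grid too, but only 'limit 0' stops its traffic outright
        return list(grid_addresses) if rule.limit_per_minute == 0 else []
    return [a for a in grid_addresses if ipaddress.ip_address(a) in rule.network]


@dataclass
class _Bucket:
    tokens: float  # packets that may still be accepted right now
    last: float    # time of the last refill, in seconds


class RateLimiter:
    def __init__(self, rules: List[Rule], enabled: bool = True):
        # longest prefix first; the 'all' rule (no network) sorts last
        self.rules = sorted(rules, reverse=True,
                            key=lambda r: -1 if r.network is None else r.network.prefixlen)
        self.enabled = enabled  # 'set ip_rate_limit on' / 'off'
        self._buckets: Dict[str, _Bucket] = {}

    def match(self, src: str) -> Optional[Rule]:
        addr = ipaddress.ip_address(src)
        for rule in self.rules:
            if rule.network is None or addr in rule.network:
                return rule
        return None

    def accept(self, src: str, now: float) -> bool:
        """Decide whether a packet from src at time 'now' (seconds) is accepted."""
        rule = self.match(src)
        if not self.enabled or rule is None:
            return True  # rules are not applied while limiting is off
        if rule.limit_per_minute == 0:
            return False  # 'limit 0' discards everything from the source
        b = self._buckets.setdefault(rule.source, _Bucket(float(rule.burst), now))
        elapsed = max(0.0, now - b.last)
        # refill at limit/60 packets per second, never beyond the burst size
        b.tokens = min(float(rule.burst), b.tokens + elapsed * rule.limit_per_minute / 60.0)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def show(self) -> List[str]:
        """Render the rules the way 'show ip_rate_limit' lists them."""
        state = "enabled" if self.enabled else "disabled"
        rows = [f"{r.source:<14}{r.limit_per_minute} packets/minute{'':6}{r.burst} packets"
                for r in self.rules]
        return [f"IP rate limiting is {state}.", f"{'Source':<14}Limit{'':16}Burst", "=" * 44] + rows


# Constructed rule set: the four sample commands from the guide.
SAMPLE_COMMANDS = [
    "set ip_rate_limit add source 10.10.1.1 limit 0",
    "set ip_rate_limit add source 10.10.1.2 limit 5/m",
    "set ip_rate_limit add source 10.10.2.1/24 limit 5/m burst 10",
    "set ip_rate_limit add source all limit 5000/m",
]
```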


Removing Rate Limiting Rules


You can remove the existing rate limiting rules.

To remove all the existing rules:
1. Log in to the Infoblox CLI as a superuser account.
2. Enter one of the following CLI commands. To remove the rate limiting rule that limits traffic from all sources, enter:
set ip_rate_limit remove source all

or, to remove all of the rate limiting rules from all sources, enter:
set ip_rate_limit remove all

To remove one of the existing rules for an existing host:
1. Log in to the Infoblox CLI as a superuser account.
2. Enter the following CLI command:
set ip_rate_limit remove source ip-address[/mask]

Viewing Rate Limiting Rules


You can view the existing rate limiting rules at any time.

To view rate limiting rules:
1. Log in to the Infoblox CLI as a superuser account.
2. Enter the following CLI command:
show ip_rate_limit

The appliance displays the rules, as shown in the following example:

IP rate limiting is enabled.
Source          Limit                  Burst
============================================
10.10.1.1       0 packets/minute       0 packets
10.10.1.2       5 packets/minute       5 packets
10.10.2.1/24    5 packets/minute       10 packets
all             5000 packets/minute    5000 packets


Chapter 6 Monitoring with SNMP


This chapter describes how you can use SNMP (Simple Network Management Protocol) to monitor NIOS appliances in your network. It contains the following topics:

Understanding SNMP on page 202
SNMP MIB Hierarchy on page 203
MIB Objects on page 204
Infoblox MIBs on page 205
Loading the Infoblox MIBs on page 205
ibTrap MIB on page 206
ibPlatformOne MIB on page 229
ibDNSOne MIB on page 240
ibIPWC MIB on page 242
Configuring SNMP on page 247
Accepting SNMP Queries on page 247
Setting System Information on page 247
Adding SNMP Trap Receivers on page 248
Configuring SNMP for a Grid Member on page 248


Understanding SNMP
You can use SNMP (Simple Network Management Protocol) to manage network devices and monitor their processes. An SNMP-managed device, such as a NIOS appliance, has an SNMP agent that collects data and stores them as objects in MIBs (Management Information Bases). The SNMP agent can also send traps (or notifications) to alert you when certain events occur within the appliance or on the network. You can view data in the SNMP MIBs and receive SNMP traps on a management system running an SNMP management application, such as HP OpenView, IBM Tivoli NetView, or any of the freely available or commercial SNMP management applications on the Internet.

Figure 6.1 SNMP Overview (diagram: the SNMP agent on the NIOS appliance holds the MIBs; the SNMP management system sends queries to the agent and receives traps from it)

You can configure a NIOS appliance as an SNMP-managed device. NIOS appliances support SNMP versions 1 and 2, and adhere to the following RFCs:

RFC 3411, An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks
RFC 3412, Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
RFC 3413, Simple Network Management Protocol (SNMP) Applications
RFC 3416, Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)
RFC 3418, Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
RFC 1155, Structure and Identification of Management Information for TCP/IP-based Internets
RFC 1213, Management Information Base for Network Management of TCP/IP-based Internets: MIB-II


SNMP MIB Hierarchy


Infoblox supports the standard MIBs defined in RFC 1213, Management Information Base for Network Management of TCP/IP-based Internets: MIB-II, in addition to implementing its own enterprise MIBs. The Infoblox MIBs are part of a universal hierarchical structure, usually referred to as the MIB tree. The MIB tree has an unlabeled root with three subtrees. Figure 6.2 illustrates the branch of the MIB tree that leads to the Infoblox enterprise MIBs.

Each object in the MIB tree has a label that consists of a textual description and an OID (object identifier). An OID is a unique dotted-decimal number that identifies the location of the object in the MIB tree. Note that all OIDs begin with a dot (.) to indicate the root of the MIB tree.

As shown in Figure 6.2, Infoblox is a branch of the Enterprise subtree. IANA (Internet Assigned Numbers Authority) administers the Enterprise subtree, which is designated specifically for vendors who define their own MIBs. The IANA-assigned enterprise number of Infoblox is 7779; therefore, the OIDs of all Infoblox MIB objects begin with the prefix .1.3.6.1.4.1.7779. The Infoblox SNMP subtree branches down through two levels, ibProduct and ibOne, to the Infoblox MIBs: ibTrap, ibPlatformOne, ibDNSOne, and ibDHCPOne. The ibTrap MIB defines the traps that NIOS appliances send, and the ibPlatformOne, ibDNSOne, and ibDHCPOne MIBs provide information about the appliance. For detailed information about these MIBs, see Infoblox MIBs on page 205.

Figure 6.2 MIB Hierarchy

(.0) International Telegraph and Telephone Consultative Committee (CCITT)
(.0) CCITT and ISO
(.1) International Organization for Standardization (ISO)
    (.1.3) ORG
        (.1.3.6) U.S. Department of Defense (DOD)
            (.1.3.6.1) Internet
                (.1.3.6.1.4) Private
                    (.1.3.6.1.4.1) Enterprise
                        (.1.3.6.1.4.1.7779) Infoblox
                            (.1.3.6.1.4.1.7779.3) Infoblox SNMP Tree
                                (.1.3.6.1.4.1.7779.3.1) ibProduct
                                    (.1.3.6.1.4.1.7779.3.1.1) ibOne
                                        (.1.3.6.1.4.1.7779.3.1.1.1) ibTrap
                                        (.1.3.6.1.4.1.7779.3.1.1.2) ibPlatformOne
                                        (.1.3.6.1.4.1.7779.3.1.1.3) ibDNSOne
                                        (.1.3.6.1.4.1.7779.3.1.1.4) ibDHCPOne


MIB Objects
The Infoblox MIB objects were implemented according to the guidelines in RFCs 1155 and 2578. They specify two types of macros for defining MIB objects: OBJECT-TYPE and NOTIFICATION-TYPE. These macros contain clauses that describe the characteristics of an object, such as its syntax and its status. OBJECT-TYPE macros describe MIB objects, and NOTIFICATION-TYPE macros describe objects used in SNMP traps.

Each object in the ibPlatformOne, ibDNSOne, and ibDHCPOne MIBs contains the following clauses from the OBJECT-TYPE macro:
OBJECT-TYPE: Provides the administratively-assigned name of the object.
SYNTAX: Identifies the data structure of the object, such as integers, counters, and octet strings.
MAX-ACCESS: Identifies the type of access that a management station has to the object. All Infoblox MIB objects provide read-only access.
STATUS: Identifies the status of the object. Values are current, obsolete, and deprecated.
DESCRIPTION: Provides a textual description of the object.
INDEX or AUGMENTS: An object that represents a conceptual row must have either an INDEX or AUGMENTS clause that defines a key for selecting a row in a table.
OID: The dotted-decimal object identifier that defines the location of the object in the universal MIB tree.

The ibTrap MIB defines the SNMP traps that a NIOS appliance can send. Each object in the ibTrap MIB contains the following clauses from the NOTIFICATION-TYPE macro:
NOTIFICATION-TYPE: Provides the administratively-assigned name of the object.
OBJECTS: Provides an ordered list of MIB objects that are in the trap.
STATUS: Identifies the status of the object. Values are current, obsolete, and deprecated.
DESCRIPTION: Provides the notification information.


Infoblox MIBs
You can configure a NIOS appliance as an SNMP-managed device so that an SNMP management station can send queries to the appliance and retrieve information from its MIBs. Perform the following tasks to access the Infoblox MIBs:
1. Configure a NIOS appliance to accept queries, as described in Accepting SNMP Queries on page 247.
2. Load the MIB files onto the management system. To obtain the latest Infoblox MIB files:
   a. From the Grid Perspective, select id_grid -> Tools -> Download SNMP MIBs.
   b. In the Save As dialog box, navigate to a directory to which you want to save the MIBs.
   c. Click Save.
3. Use a MIB browser or SNMP management application to query the objects in each MIB. The NIOS appliance allows read-only access to the MIBs. This is equivalent to the Get and Get Next operations in SNMP.

Loading the Infoblox MIBs


If you are using an SNMP manager toolkit with strict dependency checking, you must download the following Infoblox MIBs in the order they are listed:
1. IB-SMI-MIB.txt
2. IB-TRAP-MIB.txt
3. IB-PLATFORMONE-MIB.txt
4. IB-DNSONE-MIB.txt
5. IB-DHCPONE-MIB.txt
6. IB-IPWC-MIB.txt (if you use the Infoblox IPAM WinConnect service)

In addition, if the SNMP manager toolkit that you use requires a different MIB file naming convention, you can rename the MIB files accordingly.

NET-SNMP MIBs
NIOS appliances support NET-SNMP (formerly UCD-SNMP), a collection of applications used to implement the SNMP protocol. When you download the Infoblox MIBs from the Infoblox Support site, you can download some of the NET-SNMP MIBs and load them onto your SNMP management system. The NET-SNMP MIBs provide the top-level infrastructure for the SNMP MIB tree. They define, among other things, the objects in the SNMP traps that the agent sends when the SNMP engine starts and stops. For additional information on NET-SNMP and the MIB files distributed with NET-SNMP, refer to http://net-snmp.sourceforge.net/.

RADIUS MIBs
The NIOS appliance supports the RADIUS-ACC-SERVER-MIB and RADIUS-AUTH-SERVER-MIB. You can download these MIBs along with the Infoblox enterprise MIBs. When you install the RADIUS server license on the appliance and configure RADIUS services, the appliance responds to queries for data from the RADIUS MIBs, if configured to do so. For information on these MIBs, refer to RFC 2619, RADIUS Authentication Server MIB and RFC 2621, RADIUS Accounting Server MIB.


ibTrap MIB
NIOS appliances send SNMP traps when events, internal process failures, or critical service failures occur. The ibTrap MIB defines the types of traps that a NIOS appliance sends and the value that each MIB object represents. The Infoblox SNMP traps report objects which the ibTrap MIB defines. Figure 6.3 illustrates the ibTrap MIB structure. It provides the OID and textual description for each object.

Note: OIDs shown in the illustrations and tables in this section do not include the prefix .1.3.6.1.4.1.7779.

The ibTrap MIB comprises two trees, ibTrapOneModule and ibNotificationVarBind. The ibTrapOneModule tree contains objects for the types of traps that a NIOS appliance sends. The ibNotificationVarBind tree contains objects that the Infoblox SNMP traps report. You cannot send queries for the objects in this MIB module. The objects are used only in the SNMP traps.

Figure 6.3 ibTrapOne MIB Structure

(3.1.1.1) ibTrap MIB
    (3.1.1.1.1) ibTrapOneModule
        (3.1.1.1.1.1.0) ibEquipmentFailureTrap
        (3.1.1.1.1.2.0) ibProcessingFailureTrap
        (3.1.1.1.1.3.0) ibThresholdCrossingEvent
        (3.1.1.1.1.4.0) ibStateChangeEvent
        (3.1.1.1.1.5.0) ibProcStartStopTrap
    (3.1.1.1.2) ibNotificationVarBind
        (3.1.1.1.2.1.0) ibNodeName
        (3.1.1.1.2.2.0) ibTrapSeverity
        (3.1.1.1.2.3.0) ibObjectName
        (3.1.1.1.2.4.0) ibProbableCause
        (3.1.1.1.2.5.0) ibSubsystemName
        (3.1.1.1.2.6.0) ibCurThresholdValue
        (3.1.1.1.2.7.0) ibThresholdHigh
        (3.1.1.1.2.8.0) ibThresholdLow
        (3.1.1.1.2.9.0) ibPreviousState
        (3.1.1.1.2.10.0) ibCurrentState
        (3.1.1.1.2.11.0) ibTrapDesc


Interpreting Infoblox SNMP traps


Depending on the SNMP management application that your management system uses, the SNMP traps that you receive might list the OIDs for all relevant MIB objects from both the ibTrapOneModule and ibNotificationVarBind trees. For OIDs that have string values, the trap lists the text. For OIDs that contain integers, you can use the tables in this section to find out the values. Some SNMP management applications list only the object name and the corresponding values in the SNMP trap. Whether your SNMP management application lists OIDs or not, you can use the tables in this section to find out the corresponding values and definitions for each MIB object. The following is a sample trap that a NIOS appliance sends:
418:Jan 31 18:52:26 (none) snmptrapd[6087]: 2008-01-31 18:52:26 10.35.1.156 [UDP: [10.35.1.156]:32772]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1080) 0:00:10.80
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.7779.3.1.1.1.1.4.0
SNMPv2-SMI::enterprises.7779.3.1.1.1.2.1.0 = STRING: "10.35.1.156"
SNMPv2-SMI::enterprises.7779.3.1.1.1.2.3.0 = STRING: "ntp_sync"
SNMPv2-SMI::enterprises.7779.3.1.1.1.2.9.0 = INTEGER: 15
SNMPv2-SMI::enterprises.7779.3.1.1.1.2.10.0 = INTEGER: 16
SNMPv2-SMI::enterprises.7779.3.1.1.1.2.11.0 = STRING: "The NTP service is out of synchronization."

The sample trap lists the OIDs and their corresponding values that can help you identify the cause of the event or problem. You can find the definition for each OID or object and its value using the tables in this section. To identify the possible cause and recommended actions for the trap, use the ibTrapDesc tables. For information, see ibTrapDesc (OID 3.1.1.1.2.11.0) on page 216.

You can interpret the sample trap as follows. Using the ibTrapOneModule table, you find out that OID 7779.3.1.1.1.1.4.0 represents an Object State Change trap. This type of trap includes the following objects. For each object, the trap displays the OID and its corresponding value.

ibNodeName (OID 7779.3.1.1.1.2.1.0)
Using the ibNotificationVarBind (OID 3.1.1.1.2) table, you find out that OID 7779.3.1.1.1.2.1.0 represents the MIB object ibNodeName, which is the IP address of the appliance on which the trap occurred. Therefore, the statement SNMPv2-SMI::enterprises.7779.3.1.1.1.2.1.0 = STRING: "10.35.1.156" tells you that the appliance on which the trap occurred has an IP address of 10.35.1.156.

ibObjectName (OID 7779.3.1.1.1.2.3.0)
The statement SNMPv2-SMI::enterprises.7779.3.1.1.1.2.3.0 = STRING: "ntp_sync" tells you that the MIB object ibObjectName, which is the name of the object for which the trap was generated, has a value of ntp_sync, which represents NTP synchronization issues.

ibPreviousState (OID 7779.3.1.1.1.2.9.0)
The statement SNMPv2-SMI::enterprises.7779.3.1.1.1.2.9.0 = INTEGER: 15 tells you that the MIB object ibPreviousState, which indicates the previous state of the appliance, has a value of 15. Using the ibPreviousState and ibCurrentState Values table, you know that 15 represents ntp-sync-up, which means that the NTP server was up and running.

ibCurrentState (OID 7779.3.1.1.1.2.10.0)
The statement SNMPv2-SMI::enterprises.7779.3.1.1.1.2.10.0 = INTEGER: 16 tells you that the MIB object ibCurrentState, which indicates the current state of the appliance, has a value of 16. Using the ibPreviousState and ibCurrentState Values table, you know that 16 represents ntp-sync-down, which means that the NTP server is now out of sync.

ibTrapDesc (OID 7779.3.1.1.1.2.11.0)
The last statement SNMPv2-SMI::enterprises.7779.3.1.1.1.2.11.0 = STRING: "The NTP service is out of synchronization." states the description of the trap. Using the Object State Change Traps table for ibTrapDesc, you can find out the details of the trap description and recommended actions for this problem.
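The lookup just walked through by hand, as an added Python example that is not Infoblox code: it parses an snmptrapd line, maps each enterprises.7779 OID to its ibTrapOneModule or ibNotificationVarBind name, and names the integer values of ibPreviousState, ibCurrentState and ibTrapSeverity from the tables in this section. The severity values are taken as 0 (Undetermined) through 4 (Critical), and the probable-cause and subsystem tables are left out for brevity; both are assumptions of the example, and the sample line is the one shown above with its line breaks removed.

```python
"""Decode an snmptrapd line carrying an Infoblox ibTrap notification.

Added example, not Infoblox code: the OID-to-name tables are transcribed
from the ibTrapOneModule, ibNotificationVarBind, ibTrapSeverity and
ibPreviousState/ibCurrentState tables in this section (ibProbableCause and
ibSubsystemName values would be added the same way).
"""
import re
from typing import Dict, Union

PREFIX = "7779.3.1.1.1."  # enterprises.7779 = Infoblox; 3.1.1.1 = ibTrap MIB

TRAP_TYPES = {
    "1.1.0": "ibEquipmentFailureTrap", "1.2.0": "ibProcessingFailureTrap",
    "1.3.0": "ibThresholdCrossingEvent", "1.4.0": "ibStateChangeEvent",
    "1.5.0": "ibProcStartStopTrap",
}
VARBINDS = {
    "2.1.0": "ibNodeName", "2.2.0": "ibTrapSeverity", "2.3.0": "ibObjectName",
    "2.4.0": "ibProbableCause", "2.5.0": "ibSubsystemName",
    "2.6.0": "ibCurThresholdValue", "2.7.0": "ibThresholdHigh",
    "2.8.0": "ibThresholdLow", "2.9.0": "ibPreviousState",
    "2.10.0": "ibCurrentState", "2.11.0": "ibTrapDesc",
}
SEVERITY = {0: "Undetermined", 1: "Informational", 2: "Minor", 3: "Major", 4: "Critical"}
STATES = {
    1: "ha-active", 2: "ha-passive", 3: "ha-initial", 4: "grid-connected",
    5: "grid-disconnected", 6: "enet-link-up", 7: "enet-link-down",
    8: "replication-online", 9: "replication-offline",
    10: "replication-snapshotting", 11: "service-up", 12: "service-down",
    13: "ha-replication-online", 14: "ha-replication-offline",
    15: "ntp-sync-up", 16: "ntp-sync-down",
}
# Integer-valued objects and the table that names each of their values.
INTEGER_TABLES = {"ibTrapSeverity": SEVERITY,
                  "ibPreviousState": STATES, "ibCurrentState": STATES}

TRAP_OID_RE = re.compile(r"snmpTrapOID\.0 = OID: SNMPv2-SMI::enterprises\.([\d.]+)")
VARBIND_RE = re.compile(r'SNMPv2-SMI::enterprises\.([\d.]+) = (STRING|INTEGER): ("[^"]*"|-?\d+)')

Decoded = Dict[str, Union[str, int, None]]


def decode_trap(line: str) -> Decoded:
    """Map every Infoblox OID in an snmptrapd line to its MIB object name and value."""
    out: Decoded = {"trap": None}
    m = TRAP_OID_RE.search(line)
    if m and m.group(1).startswith(PREFIX):
        out["trap"] = TRAP_TYPES.get(m.group(1)[len(PREFIX):], m.group(1))
    for oid, kind, raw in VARBIND_RE.findall(line):
        if not oid.startswith(PREFIX):
            continue  # some other enterprise's varbind; leave it alone
        name = VARBINDS.get(oid[len(PREFIX):], oid)
        out[name] = int(raw) if kind == "INTEGER" else raw.strip('"')
    return out


def describe_value(name: str, value: Union[str, int, None]) -> str:
    """Render an integer object with its table meaning, e.g. '15 (ntp-sync-up)'."""
    table = INTEGER_TABLES.get(name)
    if table is None or not isinstance(value, int):
        return str(value)
    return f"{value} ({table.get(value, 'unknown')})"


def summarise(decoded: Decoded) -> str:
    """One-line reading of a decoded trap, as an operator would log it."""
    parts = [f"{decoded.get('trap')} from {decoded.get('ibNodeName')}"]
    if "ibObjectName" in decoded:
        parts.append(f"object={decoded['ibObjectName']}")
    if "ibPreviousState" in decoded and "ibCurrentState" in decoded:
        parts.append(f"state {describe_value('ibPreviousState', decoded['ibPreviousState'])}"
                     f" -> {describe_value('ibCurrentState', decoded['ibCurrentState'])}")
    if "ibTrapDesc" in decoded:
        parts.append(f'"{decoded["ibTrapDesc"]}"')
    return "; ".join(parts)


# The sample trap from this section, with the extraction line breaks removed.
SAMPLE_TRAP = (
    '418:Jan 31 18:52:26 (none) snmptrapd[6087]: 2008-01-31 18:52:26 10.35.1.156 '
    '[UDP: [10.35.1.156]:32772]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1080) 0:00:10.80 '
    'SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.7779.3.1.1.1.1.4.0 '
    'SNMPv2-SMI::enterprises.7779.3.1.1.1.2.1.0 = STRING: "10.35.1.156" '
    'SNMPv2-SMI::enterprises.7779.3.1.1.1.2.3.0 = STRING: "ntp_sync" '
    'SNMPv2-SMI::enterprises.7779.3.1.1.1.2.9.0 = INTEGER: 15 '
    'SNMPv2-SMI::enterprises.7779.3.1.1.1.2.10.0 = INTEGER: 16 '
    'SNMPv2-SMI::enterprises.7779.3.1.1.1.2.11.0 = STRING: "The NTP service is out of synchronization."'
)

if __name__ == "__main__":
    print(summarise(decode_trap(SAMPLE_TRAP)))
```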


Types of Traps (OID 3.1.1.1.1)


ibTrapOneModule defines the types of traps that the NIOS appliance can send. There are five types of SNMP traps. Table 6.1 describes the types of traps and their objects in the ibTrapOneModule tree.

Table 6.1 ibTrapOneModule


OID: 3.1.1.1.1.1.0
Trap Type: Equipment Failure
MIB Object: ibEquipmentFailureTrap
Description: The NIOS appliance generates this trap when a hardware failure occurs. This trap includes the following objects: ibNodeName, ibTrapSeverity, ibObjectName (equipment name), ibProbableCause, ibTrapDesc. For a list of trap descriptions, see Equipment Failure Traps on page 216.

OID: 3.1.1.1.1.2.0
Trap Type: Processing and Software Failure
MIB Object: ibProcessingFailureTrap
Description: The NIOS appliance generates this trap when a failure occurs in one of the software processes. This trap includes the following objects: ibNodeName, ibTrapSeverity, ibSubsystemName, ibProbableCause, ibTrapDesc. For a list of trap descriptions, see Processing and Software Failure Traps on page 217.


OID: 3.1.1.1.1.3.0
Trap Type: Threshold Crossing
MIB Object: ibThresholdCrossingEvent
Description: The NIOS appliance generates this trap when any of the following events occur:
    System memory or disk usage exceeds 90%.
    A problem occurs when the grid master replicates its database to its grid members.
    DHCP address usage crosses a watermark threshold. For more information about tracking IP address usage, see Chapter 18, Managing IP Data IPAM, on page 617.
    The number or percentage of the DNS security alerts exceeds the thresholds of the DNS security alert triggers.
This trap can include the following objects: ibNodeName, ibObjectName (threshold name), ibCurThresholdValue, ibThresholdHigh, ibThresholdLow, ibTrapDesc.
For a list of trap descriptions, see Threshold Crossing Traps on page 222.

OID: 3.1.1.1.1.4.0
Trap Type: Object State Change
MIB Object: ibStateChangeEvent
Description: The NIOS appliance generates this trap when there is a change in its state, such as:
    The link to one of the configured ports goes down, and then goes back up again.
    A failover occurs in an HA (high availability) pair configuration.
    A member connects to the grid master.
    An appliance in a grid goes offline.
This trap includes the following objects: ibNodeName, ibObjectName, ibPreviousState, ibCurrentState, ibTrapDesc.
For a list of possible trap descriptions, see Object State Change Traps on page 227.


OID: 3.1.1.1.1.5.0
Trap Type: Process Started and Stopped
MIB Object: ibProcStartStopTrap
Description: The NIOS appliance generates this type of trap when any of the following events occur:
    You enable HTTP redirection.
    You change the HTTP access setting.
    You change the HTTP session timeout setting.
    A failover occurs in an HA pair configuration.
This trap includes the following objects: ibNodeName, ibSubsystemName, ibTrapDesc.
For a list of possible trap descriptions, see Process Started and Stopped Traps on page 228.


Trap Binding Variables (OID 3.1.1.1.2)


Each SNMP trap contains information about the event or the problem. The Infoblox SNMP traps include MIB objects and their corresponding values from the ibNotificationVarBind module. Table 6.2 describes the objects in the ibNotificationVarBind module.

Table 6.2 ibNotificationVarBind (OID 3.1.1.1.2)


Note: The OIDs shown in the following table do not include the prefix .1.3.6.1.4.1.7779.

3.1.1.1.2.1.0  ibNodeName
    The IP address of the appliance on which the trap occurs. This may or may not be the same as the appliance that sends the trap. This object is used in all types of traps.

3.1.1.1.2.2.0  ibTrapSeverity
    The severity of the trap. There are five levels of severity. See Trap Severity (OID 3.1.1.1.2.2.0) on page 212 for details.

3.1.1.1.2.3.0  ibObjectName
    The name of the object for which the trap was generated. This is used in the Equipment Failure traps, Threshold Crossing Event traps, and the Object State Change traps. The following shows what this object represents depending on the type of trap:
        Equipment Failure traps: The equipment name.
        Threshold Crossing Event traps: The object name of the trap.
        State Change traps: The object that changes state.

3.1.1.1.2.4.0  ibProbableCause
    The probable cause of the trap. See ibProbableCause Values on page 213 for the definitions of each value.

3.1.1.1.2.5.0  ibSubsystemName
    The subsystem for which the trap was generated, such as NTP or SNMP. This object is used in the Processing and Software Failure traps and the Process Start and Stop traps. See ibSubsystemName Values (OID 3.1.1.1.2.9.0) on page 214 for definitions of each value.

3.1.1.1.2.6.0  ibCurThresholdValue
    The current value of the threshold counter. This object is used in the Threshold Crossing traps.

3.1.1.1.2.7.0  ibThresholdHigh
    The value for the high watermark. This only applies when the appliance sends a trap to indicate that DHCP address usage is above the configured high watermark value for a DHCP address range. This object is used in Threshold Crossing traps. For additional information, see Setting Watermark Properties on page 627.

3.1.1.1.2.8.0  ibThresholdLow
    The value for the low watermark. This only applies when the appliance sends a trap to indicate that DHCP address usage went below the configured low watermark value for a DHCP address range. This object is used in Threshold Crossing traps. For additional information, see Setting Watermark Properties on page 627.

3.1.1.1.2.9.0  ibPreviousState
    The previous state of the appliance. This object is used in the Object State Change traps. See ibPreviousState (OID 3.1.1.1.2.9.0) and ibCurrentState (OID 3.1.1.1.2.10.0) on page 215 for definitions of each value.


3.1.1.1.2.10.0  ibCurrentState
    The current state of the appliance. This object is used in the Object State Change traps. See ibPreviousState (OID 3.1.1.1.2.9.0) and ibCurrentState (OID 3.1.1.1.2.10.0) on page 215 for the definition of each value.

3.1.1.1.2.11.0  ibTrapDesc
    The description of the trap. This object is used in all types of traps. See ibTrapDesc (OID 3.1.1.1.2.11.0) on page 216 for the description, possible cause, and recommended actions for each Infoblox SNMP trap.

Trap Severity (OID 3.1.1.1.2.2.0)


The object ibTrapSeverity defines the severity level for each Infoblox SNMP trap. There are five levels of severity.

Value  Description
0      Undetermined
1      Informational: Event that requires no further action.
2      Minor: Event that does not require user intervention.
3      Major: Event that requires user intervention and assistance from Infoblox Technical Support.
4      Critical: Problem that affects services and system operations, and requires assistance from Infoblox Technical Support.


ibProbableCause Values (OID 3.1.1.1.2.4.0)


Table 6.3 lists the values that are associated with the object ibProbableCause (OID 3.1.1.1.2.4.0). These values provide information about the events, such as software failures, that trigger traps.

Table 6.3 ibProbableCause Values


Value  ibProbableCause (OID 3.1.1.1.2.4.0)
0      ibClear
1      ibUnknown
2      ibPrimaryDiskFailure
3      ibFanFailure-old
4      ibPowerSupplyFailure
5      ibDBFailure
6      ibApacheSoftwareFailure
7      ibSerialConsoleFailure
11     ibControldSoftwareFailure
12     ibUpgradeFailure
13     ibSNMPDFailure
15     ibSSHDSoftwareFailure
16     ibNTPDSoftwareFailure
17     ibClusterdSoftwareFailure
18     ibLCDSoftwareFailure
19     ibDHCPdSoftwareFailure
20     ibNamedSoftwareFailure
23     ibRadiusdSoftwareFailure
24     ibNTLMSoftwareFailure
25     ibNetBIOSDaemonFailure
26     ibWindowBindDaemonFailure
27     ibTFTPDSoftwareFailure
28     ibQIPRemoteServerSoftwareFailure
29     ibBackupSoftwareFailure
30     ibBackupDatabaseSoftwareFailure
31     ibBackupModuleSoftwareFailure
32     ibBackupSizeSoftwareFailure
33     ibBackupLockSoftwareFailure
34     ibHTTPFileDistSoftwareFailure


35     ibOSPFSoftwareFailure
36     ibAuthDHCPNamedSoftwareFailure
37     ibFan1Failure
38     ibFan2Failure
39     ibFan3Failure
40     ibFan1OK
41     ibFan2OK
42     ibFan3OK
43     ibIPWCSoftwareFailure
44     ibFTPDSoftwareFailure
46     ibPowerSupplyOK
47     ibWebUISoftwareFailure
48     ibQIPRemoteServerStopped
3001   ibRAIDIsOptimal
3002   ibRAIDIsDegraded
3003   ibRAIDIsRebuilding
3004   ibRAIDStatusUnknown
3005   ibRAIDBatteryIsOK
3006   ibRAIDBatteryFailed

ibSubsystemName Values (OID 3.1.1.1.2.9.0)


Table 6.4 lists the values that are associated with the object ibSubsystemName (OID 3.1.1.1.2.9.0). These values
provide information about the subsystems that trigger the traps.

Table 6.4 ibSubsystemName Values


Value  ibSubsystemName (OID 3.1.1.1.2.9.0)
0      Uses the original ibObjectName and ibSubsystemName when the trap is cleared.
1      N/A
2      N/A
3      N/A
4      N/A
5      Db_jnld


6      httpd
7      serial_console
11     controld
12     N/A
13     Snmpd
15     Sshd
16     Ntpd
17     Clusterd
18     Lcd
19     Dhcpd
20     Named
23     Radiusd
24     NTLM
25     Netbiosd
26     Winbindd
27     Tftpd
28     QIP
29     N/A
30     N/A
31     N/A
32     N/A
33     N/A
34     HTTPd
35     OSPF

ibPreviousState (OID 3.1.1.1.2.9.0) and ibCurrentState (OID 3.1.1.1.2.10.0)


The ibPreviousState object indicates the state of the appliance before the event triggered the trap. The ibCurrentState object indicates the current state of the appliance. Table 6.5 shows the message and description for each state.

Table 6.5 ibPreviousState and ibCurrentState Values


Value  Description              Definition
1      ha-active                The HA pair is in ACTIVE state.
2      ha-passive               The HA pair is in PASSIVE state.
3      ha-initial               The HA pair is in INITIAL state.


4      grid-connected           The appliance is connected to the grid.
5      grid-disconnected        The appliance is not connected to the grid.
6      enet-link-up             The ethernet port link is active.
7      enet-link-down           The ethernet port link is inactive.
8      replication-online       The replication is online.
9      replication-offline      The replication is offline.
10     replication-snapshotting The replication is snapshotting.
11     service-up               The service is up.
12     service-down             The service is down.
13     ha-replication-online    The HA pair replication is online.
14     ha-replication-offline   The HA pair replication is offline.
15     ntp-sync-up              The NTP server is synchronizing.
16     ntp-sync-down            The NTP server is out of sync.

ibTrapDesc (OID 3.1.1.1.2.11.0)

The ibTrapDesc object lists the trap messages of all Infoblox SNMP traps. This section lists all the SNMP traps by their trap types. Each trap table describes the trap message, severity, cause, and recommended actions.

Note: Contact Infoblox Technical Support for assistance when the recommended actions do not resolve the problems.

Equipment Failure Traps

Columns: ibTrapDesc (OID 3.1.1.1.2.11.0), ibTrapSeverity (OID 3.1.1.1.2.2), Description/Cause, Recommended Actions.

Primary Drive Full
  Message: Primary drive is full.
  Severity: Major
  Description/Cause: The primary disk drive reached 100% of usage.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

Fan Monitoring
  Message: Fan <n> failure has occurred.
  Severity: Minor
  Description/Cause: The specified fan failed. The fan number <n> can be 1, 2, or 3.
  Recommended Actions: Inspect the specified fan for mechanical or electrical problems.

  Message: Fan <n> is OK.
  Severity: Informational
  Description/Cause: The specified fan is functioning properly. The fan number <n> can be 1, 2, or 3.
  Recommended Actions: No action is required.

Power Supply Failure (monitored at 1 minute)
  Message: A power supply failure has occurred.
  Severity: Major
  Description/Cause: The power supply failed.
  Recommended Actions: Inspect the power supply for the possible cause of the failure.

RAID Monitoring (at 1 minute interval)
  Message: A RAID battery failure has occurred.
  Severity: Major
  Description/Cause: The system RAID battery failed. The alert light is red.
  Recommended Actions: Inspect the battery for the possible cause of the failure.

  Message: The systems RAID battery is OK.
  Severity: Informational
  Description/Cause: The system RAID battery is charging and functioning properly. The alert light changed from red to green.
  Recommended Actions: No action is required.

  Message: Unable to retrieve RAID array state!
  Severity: Undetermined
  Description/Cause: The appliance failed to retrieve the RAID array state. The alert light is red.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

  Message: The systems RAID array is now running in an optimal state.
  Severity: Informational
  Description/Cause: The RAID system is functioning at an optimal state.
  Recommended Actions: No action is required.

  Message: The systems RAID array is in a degraded state.
  Severity: Major
  Description/Cause: The RAID system is degrading.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

  Message: The systems RAID array is rebuilding.
  Severity: Minor
  Description/Cause: The RAID system is rebuilding.
  Recommended Actions: No action is required.

Processing and Software Failure Traps

Columns: ibTrapDesc (OID 3.1.1.1.2.11.0), ibTrapSeverity (OID 3.1.1.1.2.2), Description/Cause, Recommended Actions.

Named Daemon Failure
  Message: A named daemon monitoring failure has occurred.
  Severity: Critical
  Description/Cause: The named process failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

DHCP Daemon Failure
  Message: A DHCP daemon monitoring failure has occurred.
  Severity: Critical
  Description/Cause: The dhcpd process failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

VitalQIP Remote Server Failure
  Message: A VitalQIP remote server failure has occurred.
  Severity: Critical
  Description/Cause: The qip-msgd or the qip-rmtd process failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

VitalQIP Remote Server Stopped
  Message: VitalQIP DNS manually stopped.
  Severity: Critical
  Description/Cause: The VitalQIP DNS service was manually stopped.
  Recommended Actions: To start the DNS service, use the start_service or restart_service command in the VitalQIP chroot environment.

  Message: VitalQIP DHCP manually stopped.
  Severity: Critical
  Description/Cause: The VitalQIP DHCP service was manually stopped.
  Recommended Actions: To start the DHCP service, use the start_service or restart_service command in the VitalQIP chroot environment.

  Message: VitalQIP DNS and DHCP manually stopped.
  Severity: Critical
  Description/Cause: Both the VitalQIP DNS and DHCP services were manually stopped.
  Recommended Actions: To start the DNS and DHCP services, use the start_service command in the VitalQIP chroot environment.

SSH Daemon Failure
  Message: An SSH daemon failure has occurred.
  Severity: Major
  Description/Cause: The sshd process failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

NTP Daemon Failure (monitored every 10 minutes)
  Message: An NTP daemon failure has occurred.
  Severity: Major
  Description/Cause: The ntpd process failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

Cluster Daemon Failure
  Message: A cluster daemon failure has occurred.
  Severity: Critical
  Description/Cause: The clusterd process failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

LCD Daemon Failure
  Message: An LCD daemon failure has occurred.
  Severity: Major
  Description/Cause: The LCD process failed. The alert light is yellow.
  Recommended Actions:
    1. Inspect the LCD panel for the possible cause of this problem.
    2. Review the syslog file to identify the possible cause of this problem.

Apache Software httpd Failure (monitored every 2 minutes)
  Message: An Apache software failure has occurred.
  Severity: Critical
  Description/Cause: The request to monitor the Apache server failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

Serial Console Failure
  Message: An Infoblox serial console software failure has occurred.
  Severity: Major
  Description/Cause: The Infoblox serial console failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

Controld Software Failure
  Message: A controld failure has occurred.
  Severity: Critical
  Description/Cause: The controld process failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

SNMP Sub-agent Failure
  Message: An SNMP server failure has occurred.
  Severity: Major
  Description/Cause: The one-subagent process failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

TFTPD and FTPD Failure
  Message: A TFTPD daemon failure has occurred.
  Severity: Critical
  Description/Cause: The tftpd process failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

  Message: An FTPD daemon failure has occurred.
  Severity: Critical
  Description/Cause: The ftpd process failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

HTTP File Distribution (monitored at 10 second intervals)
  Message: An HTTP file distribution daemon failure has occurred.
  Severity: Critical
  Description/Cause: The HTTP file distribution process failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

auth_named Process Failure
  Message: An auth named server failure has occurred.
  Severity: Critical
  Description/Cause: The auth_named server failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

IPWC Processes (monitored at 30 second intervals for IB-250 and 10 second intervals for other appliances)
  Message: An IPAM WinConnect server failure has occurred.
  Severity: Critical
  Description/Cause: The IPWC (IPAM WinConnect) server failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

DNS ONE quagga Processes (zebra & ospfd)
  Message: An OSPF routing daemon failure has occurred.
  Severity: Critical
  Description/Cause: Either the zebra process or the ospfd process failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

radiusd Monitoring
  Message: A RADIUS daemon monitoring failure has occurred.
  Severity: Critical
  Description/Cause: The radiusd process failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

Backup Failure
  Message: Backup failed.
  Severity: Not implemented
  Description/Cause: The backup failed. One of the following could be the cause of the failure:
    - The appliance could not access a backup directory.
    - The IPAM WinConnect backup failed.
    - The backup was interrupted by one of the following signals: SIGINT, SIGHUP, or SIGTERM.
    - Incorrect login or connection failure in an FTP backup.
    - The backup failed to create temporary files.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

Database Backup Failure
  Message: Database backup failed.
  Severity: Not implemented
  Description/Cause: The db_dump process failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

Backup Module Failure
  Message: Module backup failed.
  Severity: Not implemented
  Description/Cause: The backup of product-specific files failed.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

Backup File Size Exceeded
  Message: File size exceeded the quota. Backup failed.
  Severity: Not implemented
  Description/Cause: The backup failed because the file size exceeded the limit of 5GB.
  Recommended Actions: Limit the size of the backup file to less than 5GB.

  Message: Another backup is in progress. Backup will not be performed.
  Severity: Not implemented
  Description/Cause: The backup failed because of an attempt to back up or merge files while another backup or restore was in progress.
  Recommended Actions: Wait until the backup or restore is complete before starting another backup.

Watchdog Process Monitoring
  Message: WATCHDOG: <registered client name> failed on <server IP address>
  Severity: Critical
  Description/Cause: The watchdog process detected a registered client failure on a specific server. The <registered client name> could be one of the following:
    - Clusterd timeout thread
    - DB Sentinel run_server loop
    - Process manager main loop
    - Clusterd monitor
    - Disk monitor
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.


Threshold Crossing Traps

Columns: ibTrapDesc (OID 3.1.1.1.2.11.0), ibTrapSeverity (OID 3.1.1.1.2.2), Description/Cause, Recommended Actions.

System Memory Usage
  Message: System has run out of memory.
  Severity: Major
  Description/Cause: The appliance ran out of memory. The appliance encountered this problem when one of the following occurred:
    - The total free memory on the appliance was less than or equal to 0%.
    - The total physical memory was less than the total free memory.
    - The percentage of free memory compared to the total physical memory was less than 5%, and the free swap percentage was less than 80%.
    - The percentage of free memory compared to the total physical memory was less than 5%, plus the numbers of both swap INs and swap OUTs were greater than or equal to 3,200.
    - The percentage of free memory compared to the total physical memory was between 5% and 10%, the free swap percentage was greater than or equal to 80%, plus the numbers of both swap INs and swap OUTs were greater than or equal to 3,200.
    - The percentage of free memory compared to the total physical memory was greater than 10%, the free swap percentage was less than 80%, plus the numbers of both swap INs and swap OUTs were greater than or equal to 3,200.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.
  Note: Free memory = free physical RAM + free cache buffers. The high threshold for swap pages is 3,200.

  Message: System memory usage is over 90%.
  Severity: Minor
  Description/Cause: The memory usage on the appliance exceeded 90%. The appliance encountered this problem when one of the following occurred:
    - The percentage of free memory compared to the total physical memory was less than 5%, and the free swap percentage was less than 90%.
    - The percentage of free memory compared to the total physical memory was less than 5%, plus the number of swap INs was less than 3,200 and the number of swap OUTs was greater than or equal to 3,200.
    - The percentage of free memory compared to the total physical memory was between 5% and 10%, and the free swap percentage was less than 80%.
    - The percentage of free memory compared to the total physical memory was greater than 5%, plus the number of swap INs was less than 3,200 and the number of swap OUTs was greater than or equal to 3,200.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.
  Note: Free memory = free physical RAM + free cache buffers. The high threshold for swap pages is 3,200.

  Message: System memory is OK.
  Severity: Minor
  Description/Cause: The memory usage on the system is back to normal from the previous state.
  Recommended Actions: No action is required.

Primary Hard Drive Usage (monitored every 30 seconds)
  Message: System primary hard disk usage is over 90%.
  Severity: Minor
  Description/Cause: The primary hard disk usage exceeded 90%. The alert light is yellow.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

  Message: Primary drive is full.
  Severity: Major
  Description/Cause: The primary hard disk usage exceeded 95%. The alert light is red.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

  Message: Primary drive usage is OK.
  Severity: Minor
  Description/Cause: The primary hard disk usage is 85% or lower. The alert light is green.
  Recommended Actions: No action is required.

Replication Statistics Monitoring
  Message: Grid queue replication problem.
  Severity: Not implemented
  Description/Cause: The system encountered this problem when all of the following conditions occurred:
    - The node was online.
    - The number of the replication queue being sent from the master column was greater than 0, or the number of the queue received was greater than 0.
    - It was more than 10 minutes since the last replication queue was sent and monitored.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

DHCP Range Threshold Crossing
  Message:
    DHCP threshold crossed:
    Member: <DHCP server node VIP>
    Network: <network>/<network view>
    Range: <DHCP range>/<network view>
    High Watermark: <high watermark percentage> (95% by default)
    Low Watermark: <low watermark percentage> (0% by default)
    Current Usage: <current usage percentage>
    Active Leases: <number of active leases>
    Available Leases: <number of available leases>
    Total Addresses: <total addresses>
  Severity: Not implemented
  Description/Cause: The system encountered this problem when one of the following conditions occurred:
    - The address usage in the DHCP range was greater than the high watermark.
    - The address usage in the DHCP range was less than the low watermark.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

DHCP DDNS Updates Deferred
  Message:
    DHCP DNS updates deferred:
    Retried at least once: <number of retries>
    Maximum number of deferred updates since start of problem episode (or restart): <max number>
  Severity: Not implemented
  Description/Cause: The DNS updates were deferred because of DDNS update errors.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

Database Capacity Usage
  Message: Over 85% database capacity used.
  Severity: Minor
  Description/Cause: The appliance database usage exceeded 85%.
  Recommended Actions: Increase the database capacity.

  Message: Database capacity used is OK.
  Severity: Minor
  Description/Cause: The appliance database usage is less than 85%.
  Recommended Actions: No action is required.

DNS Monitor
  Message: DNS security alert. There were actual DNS responses to {invalid ports | with invalid TXID} in the last minute, comprising percent% of all responses. Primary sources: ip_address sent count, ip_address sent count.
  Severity: Major
  Description/Cause: In the message:
    - actual is the total number of DNS responses that arrive on invalid ports or have invalid TXIDs.
    - percent% is the percentage of invalid DNS responses over the total number of DNS responses.
    - ip_address is the IP address of the primary source that generated the invalid DNS responses.
    - count is the number of invalid responses generated by the specified IP address.
  Recommended Actions:
    1. Review the following: DNS alert status, syslog file.
    2. Limit access or block connections from the primary sources. For information, see Configuring Rate Limiting Rules on page 199.

Example: DNS security alert. There were 1072 DNS responses to invalid ports in the last minute, comprising 92% of all responses. Primary sources: 10.0.0.0 sent 1058, 2.2.2.2 sent 14.
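The DNS Monitor message above is free text, so a trap receiver that wants to act on it (record the primary sources, pick candidates for the rate-limiting rules the recommended actions point to) has to parse it. This added example is not NIOS code; it uses the page's own example message as its sample, and the 50% share threshold in sources_to_limit is an assumption for the example, not a NIOS setting.

```python
"""Parse the 'DNS security alert' trap text and pick out the sources that
dominate the invalid responses. Added example; not NIOS code."""
import re
from dataclasses import dataclass, field

# Message shape, from the DNS Monitor entry:
#   DNS security alert. There were <actual> DNS responses
#   {to invalid ports | with invalid TXID} in the last minute, comprising
#   <percent>% of all responses. Primary sources: <ip> sent <count>, ...
ALERT_RE = re.compile(
    r"DNS security alert\. There were (?P<actual>\d+) DNS responses "
    r"(?P<kind>to invalid ports|with invalid TXID) in the last minute, "
    r"comprising (?P<percent>\d+)% of all responses\."
    r"(?: Primary sources: (?P<sources>.*?)\.?)?$"
)
SOURCE_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) sent (?P<count>\d+)")

# The page's own example message, used here as sample input.
SAMPLE_ALERT = (
    "DNS security alert. There were 1072 DNS responses to invalid ports in the "
    "last minute, comprising 92% of all responses. Primary sources: "
    "10.0.0.0 sent 1058, 2.2.2.2 sent 14."
)


@dataclass
class DnsAlert:
    actual: int                 # invalid responses seen in the last minute
    kind: str                   # "invalid-port" or "invalid-txid"
    percent: int                # share of all responses that were invalid
    sources: dict[str, int] = field(default_factory=dict)  # ip -> count


def parse_dns_alert(text: str) -> DnsAlert:
    """Return the parsed alert; raise ValueError for any other trap text."""
    m = ALERT_RE.match(text.strip())
    if m is None:
        raise ValueError("not a DNS security alert trap message")
    kind = "invalid-port" if m.group("kind").startswith("to") else "invalid-txid"
    sources = {s.group("ip"): int(s.group("count"))
               for s in SOURCE_RE.finditer(m.group("sources") or "")}
    return DnsAlert(int(m.group("actual")), kind, int(m.group("percent")), sources)


def sources_to_limit(alert: DnsAlert, share: float = 0.5) -> list[str]:
    """Primary sources that alone sent at least `share` of the invalid responses.
    The 0.5 default is an assumption for this example; the page only says to
    limit or block the primary sources."""
    return [ip for ip, n in alert.sources.items() if n >= share * alert.actual]


if __name__ == "__main__":
    alert = parse_dns_alert(SAMPLE_ALERT)
    print(alert.kind, alert.actual, alert.percent, sources_to_limit(alert))
```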


Object State Change Traps

Columns: ibTrapDesc (OID 3.1.1.1.2.11.0), ibTrapSeverity (OID 3.1.1.1.2.2), Description/Cause, Recommended Actions.

Service Shutdown
  Message: Shutting down services due to database snapshot.
  Severity: Not implemented
  Description/Cause: The appliance is shutting down its services while synchronizing the database with the grid master.
  Recommended Actions: No action is required.

Network Interfaces Monitoring
  Message: LAN port link is down. Please check the connection.
  Severity: Major
  Description/Cause: The LAN port is up, but the link is down.
  Recommended Actions: Check the LAN link connection.

  Message: HA port link is down. Please check the connection.
  Severity: Major
  Description/Cause: The HA port is up, but the link is down.
  Recommended Actions: Check the HA link connection.

  Message: MGMT port link is down. Please check the connection.
  Severity: Major
  Description/Cause: The MGMT port is enabled, but the link is down.
  Recommended Actions: Check the MGMT link connection.

  Message: LAN port link is up.
  Severity: Major
  Description/Cause: The LAN port link is up and running.
  Recommended Actions: No action is required.

  Message: HA port link is up.
  Severity: Major
  Description/Cause: The HA port link is up and running.
  Recommended Actions: No action is required.

  Message: MGMT port link is up.
  Severity: Major
  Description/Cause: The MGMT port link is up and running.
  Recommended Actions: No action is required.

HA State Change from Initial to Active
  Message: The node has become ACTIVE.
  Severity: Not implemented
  Description/Cause: A node in an HA pair becomes active. The HA pair starts up.
  Recommended Actions: No action is required.

HA State Change from Passive to Active
  Message: The node has become ACTIVE.
  Severity: Not implemented
  Description/Cause: The node changed from a passive to an active node.
  Recommended Actions: No action is required.

HA State Change from Initial to Passive
  Message: The node has become PASSIVE.
  Severity: Not implemented
  Description/Cause: A node in an HA pair becomes passive. The HA pair starts up, and the node is not a grid master candidate.
  Recommended Actions: No action is required.

Node Connected to Grid
  Message: The grid member is connected to the grid master.
  Severity: Not implemented
  Description/Cause: The grid member joined the grid, and it is not a grid master candidate.
  Recommended Actions: No action is required.

Node Disconnected to Grid
  Message: The grid member is not connected to the grid master.
  Severity: Not implemented
  Description/Cause: The grid member lost its connection to the grid master.
  Recommended Actions: No action is required.

Replication State Monitoring
  Message: HA replication online.
  Severity: Not implemented
  Description/Cause: The replication queue is online.
  Recommended Actions: No action is required.

  Message: HA replication offline.
  Severity: Not implemented
  Description/Cause: The replication queue is offline.
  Recommended Actions: No action is required.

NTP Is Out of Sync (monitored every 30 seconds)
  Message: The NTP server is out of synchronization.
  Severity: Major
  Description/Cause: The Infoblox NTP server and the external NTP server are not synchronized.
  Recommended Actions: Review the syslog file to identify the possible cause of this problem.

Replication State Monitoring
  Message: Replication queue is offline.
  Severity: Not implemented
  Description/Cause: The replication queue is offline.
  Recommended Actions: No action is required.

Process Started and Stopped Traps

Columns: ibTrapDesc (OID 3.1.1.1.2.11.0), ibTrapSeverity (OID 3.1.1.1.2.2), Description/Cause, Recommended Actions.

Httpd Start
  Message: The process started normally.
  Severity: Informational
  Description/Cause: The httpd process started.
  Recommended Actions: No action is required.

Httpd Stop
  Message: The process stopped normally.
  Severity: Informational
  Description/Cause: The httpd process stopped.
  Recommended Actions: No action is required.


ibPlatformOne MIB

The ibPlatformOne MIB provides information about the CPU temperature of the appliance, the replication status, the average latency of DNS requests, and DNS security alerts. Figure 6.4 illustrates the structure of the PlatformOne MIB. (Note that the OIDs in the illustration do not include the prefix .1.3.6.1.4.1.7779.) The ibPlatformOne MIB branches out into six subtrees:

- ibCPUTemperature tracks the CPU temperature of the appliance.
- ibClusterReplicationStatusTable provides information in tabular format about the replication status of the appliance. See ibClusterReplicationStatusTable on page 231 for more information.
- ibNetworkMonitor provides information about the average latency of authoritative and nonauthoritative replies to DNS queries for different time intervals. It also provides information about invalid DNS responses that arrive on invalid ports or have invalid DNS transaction IDs. See ibNetworkMonitor on page 231 for more information.
- ibHardwareType provides information about the hardware platform. For an Infoblox appliance, it provides the model number of the Infoblox hardware platform. For virtual appliances, it identifies whether the hardware platform is a Riverbed or Cisco device. For Riverbed devices, it displays the model number as well.
- ibHardwareId provides the hardware ID of the NIOS appliance.
- ibSerialNumber provides the serial number of the Infoblox hardware platform.


Figure 6.4 PlatformOneMIB Structure

(3.1.1.2) ibPlatformOne MIB
  (3.1.1.2.1) ibPlatformOneModule
    (3.1.1.2.1.1) ibCPUTemperature
    (3.1.1.2.1.2) ibClusterReplicationStatusTable
      (3.1.1.2.1.2.1) ibClusterReplicationStatusEntry
        (3.1.1.2.1.2.1.1) ibNodeIPAddress
        (3.1.1.2.1.2.1.2) ibNodeReplicationStatus
        (3.1.1.2.1.2.1.3) ibNodeQueueFromMaster
        (3.1.1.2.1.2.1.4) ibNodeLastRepTimeFromMaster
        (3.1.1.2.1.2.1.5) ibNodeQueueToMaster
        (3.1.1.2.1.2.1.6) ibNodeLastRepTimeToMaster
    (3.1.1.2.1.3) ibNetworkMonitor
      (3.1.1.2.1.3.1) ibNetworkMonitorDNS
        (3.1.1.2.1.3.1.1) ibNetworkMonitorDNSActive
        (3.1.1.2.1.3.1.2) ibNetworkMonitorDNSNonAA
        (3.1.1.2.1.3.1.3) ibNetworkMonitorDNSAA
        (3.1.1.2.1.3.1.4) ibNetworkMonitorDNSSecurity
          (3.1.1.2.1.3.1.4.1) ibNetworkMonitorDNSSecurityInvalidPort
          (3.1.1.2.1.3.1.4.2) ibNetworkMonitorDNSSecurityInvalidTxid
          (3.1.1.2.1.3.1.4.3) ibNetworkMonitorDNSSecurityInvalidPortOnly
          (3.1.1.2.1.3.1.4.4) ibNetworkMonitorDNSSecurityInvalidTxidOnly
          (3.1.1.2.1.3.1.4.5) ibNetworkMonitorDNSSecurityInvalidTxidAndPort
    (3.1.1.2.1.4) ibHardwareType
    (3.1.1.2.1.5) ibHardwareId
    (3.1.1.2.1.6) ibSerialNumber


ibClusterReplicationStatusTable
This table provides information about the grid replication status.

Table 6.6 ibClusterReplicationStatusTable Objects

Object                           Description
ibClusterReplicationStatusEntry  A conceptual row that provides information about the grid replication status.
ibNodeIPAddress                  IP address of a grid member
ibNodeReplicationStatus          Replication status of the grid member
ibNodeQueueFromMaster            Sent queue size from master
ibNodeLastRepTimeFromMaster      Last sent time from master
ibNodeQueueToMaster              Receive queue size from master
ibNodeLastRepTimeToMaster        Last receive time from master
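The "Grid queue replication problem" trap in the Threshold Crossing Traps table lists its severity as not implemented, so an operator who polls this table can evaluate the trap's three conditions (node online, a non-zero queue from or to the master, more than 10 minutes since the last replication) on the polled rows. This added example is not NIOS code: it rebuilds rows from constructed snmpwalk-style lines (column.index = TYPE: value), and the status strings and Unix-timestamp encoding of the last-replication columns are assumptions, since the page does not give the MIB's types.

```python
"""Rebuild ibClusterReplicationStatusTable rows from snmpwalk-style output and
apply the 'Grid queue replication problem' conditions. Added example; not NIOS
code. Value encodings (status text, Unix timestamps) are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass

STALE_AFTER = 10 * 60  # seconds; "more than 10 minutes since the last replication queue was sent"

# Constructed sample walk of the table: three members, index 1..3.
SAMPLE_WALK = """\
ibNodeIPAddress.1 = STRING: 10.1.1.2
ibNodeIPAddress.2 = STRING: 10.1.1.3
ibNodeIPAddress.3 = STRING: 10.1.1.4
ibNodeReplicationStatus.1 = STRING: Online
ibNodeReplicationStatus.2 = STRING: Online
ibNodeReplicationStatus.3 = STRING: Offline
ibNodeQueueFromMaster.1 = INTEGER: 0
ibNodeQueueFromMaster.2 = INTEGER: 17
ibNodeQueueFromMaster.3 = INTEGER: 40
ibNodeLastRepTimeFromMaster.1 = INTEGER: 1240000000
ibNodeLastRepTimeFromMaster.2 = INTEGER: 1239999000
ibNodeLastRepTimeFromMaster.3 = INTEGER: 1239990000
ibNodeQueueToMaster.1 = INTEGER: 0
ibNodeQueueToMaster.2 = INTEGER: 0
ibNodeQueueToMaster.3 = INTEGER: 0
ibNodeLastRepTimeToMaster.1 = INTEGER: 1240000030
ibNodeLastRepTimeToMaster.2 = INTEGER: 1239998000
ibNodeLastRepTimeToMaster.3 = INTEGER: 1239990000
"""
LINE_RE = re.compile(r"^(?P<col>ib\w+)\.(?P<idx>\d+) = (?:STRING|INTEGER): (?P<val>.+)$")


@dataclass(frozen=True)
class ReplicationRow:
    ip: str               # ibNodeIPAddress
    status: str           # ibNodeReplicationStatus (assumed "Online"/"Offline")
    queue_from_master: int
    last_from_master: int  # ibNodeLastRepTimeFromMaster (assumed Unix time)
    queue_to_master: int
    last_to_master: int    # ibNodeLastRepTimeToMaster (assumed Unix time)


def parse_walk(text: str) -> dict[int, ReplicationRow]:
    """Group varbinds by table index and build one row per member.
    A KeyError here means the walk was incomplete for that index."""
    cells = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            cells[int(m.group("idx"))][m.group("col")] = m.group("val").strip('"')
    rows = {}
    for idx, c in sorted(cells.items()):
        rows[idx] = ReplicationRow(
            ip=c["ibNodeIPAddress"],
            status=c["ibNodeReplicationStatus"],
            queue_from_master=int(c["ibNodeQueueFromMaster"]),
            last_from_master=int(c["ibNodeLastRepTimeFromMaster"]),
            queue_to_master=int(c["ibNodeQueueToMaster"]),
            last_to_master=int(c["ibNodeLastRepTimeToMaster"]),
        )
    return rows


def has_replication_problem(row: ReplicationRow, now: int) -> bool:
    """All three conditions from the trap description must hold."""
    online = row.status.lower() == "online"
    queued = row.queue_from_master > 0 or row.queue_to_master > 0
    # Interpretation (assumption): the more recent of the two timestamps is
    # the last time a replication queue was sent.
    stale = now - max(row.last_from_master, row.last_to_master) > STALE_AFTER
    return online and queued and stale


def members_with_problems(walk_text: str, now: int) -> list[str]:
    """IP addresses of members that meet the trap's conditions at time `now`."""
    return [r.ip for r in parse_walk(walk_text).values()
            if has_replication_problem(r, now)]


if __name__ == "__main__":
    print(members_with_problems(SAMPLE_WALK, 1240000100))
```

Member 10.1.1.4 is queued and stale but offline, so it does not meet the trap's conditions; only 10.1.1.3 does.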

ibNetworkMonitor

As shown in Figure 6.4, ibNetworkMonitor has one subtree, ibNetworkMonitorDNS, that branches out into the following:

- ibNetworkMonitorDNSActive reports on whether DNS latency monitoring is enabled. This is the only object in this branch. When you send a query for this object, the appliance responds with either active or nonactive.
- ibNetworkMonitorDNSNonAA provides information about the average latency of nonauthoritative replies to DNS queries for 1-, 5-, 15-, and 60-minute intervals.
- ibNetworkMonitorDNSAA provides information about the average latency of authoritative replies to DNS queries for 1-, 5-, 15-, and 60-minute intervals.
- ibNetworkMonitorDNSSecurity provides information about the invalid DNS responses that arrive on invalid ports or have invalid DNS transaction IDs. ibNetworkMonitorDNSSecurity branches out into the following:
  - ibNetworkMonitorDNSSecurityInvalidPort
  - ibNetworkMonitorDNSSecurityInvalidTxid
  - ibNetworkMonitorDNSSecurityInvalidPortOnly
  - ibNetworkMonitorDNSSecurityInvalidTxidOnly
  - ibNetworkMonitorDNSSecurityInvalidTxidAndPort
  For information, see Table 6.9 on page 235.


Figure 6.5 ibNetworkMonitorDNSNonAA and ibNetworkMonitorDNSAA Subtrees

(3.1.1.2.1.3.1.2) ibNetworkMonitorDNSNonAA
  (3.1.1.2.1.3.1.2.1) ibNetworkMonitorDNSNonAAT1
    (3.1.1.2.1.3.1.2.1.1) ibNetworkMonitorDNSNonAAT1AvgLatency
    (3.1.1.2.1.3.1.2.1.2) ibNetworkMonitorDNSNonAAT1Count
  (3.1.1.2.1.3.1.2.2) ibNetworkMonitorDNSNonAAT5
    (3.1.1.2.1.3.1.2.2.1) ibNetworkMonitorDNSNonAAT5AvgLatency
    (3.1.1.2.1.3.1.2.2.2) ibNetworkMonitorDNSNonAAT5Count
  (3.1.1.2.1.3.1.2.3) ibNetworkMonitorDNSNonAAT15
    (3.1.1.2.1.3.1.2.3.1) ibNetworkMonitorDNSNonAAT15AvgLatency
    (3.1.1.2.1.3.1.2.3.2) ibNetworkMonitorDNSNonAAT15Count
  (3.1.1.2.1.3.1.2.4) ibNetworkMonitorDNSNonAAT60
    (3.1.1.2.1.3.1.2.4.1) ibNetworkMonitorDNSNonAAT60AvgLatency
    (3.1.1.2.1.3.1.2.4.2) ibNetworkMonitorDNSNonAAT60Count
  (3.1.1.2.1.3.1.2.5) ibNetworkMonitorDNSNonAAT1440
    (3.1.1.2.1.3.1.2.5.1) ibNetworkMonitorDNSNonAAT1440AvgLatency
    (3.1.1.2.1.3.1.2.5.2) ibNetworkMonitorDNSNonAAT1440Count

(3.1.1.2.1.3.1.3) ibNetworkMonitorDNSAA
  (3.1.1.2.1.3.1.3.1) ibNetworkMonitorDNSAAT1
    (3.1.1.2.1.3.1.3.1.1) ibNetworkMonitorDNSAAT1AvgLatency
    (3.1.1.2.1.3.1.3.1.2) ibNetworkMonitorDNSAAT1Count
  (3.1.1.2.1.3.1.3.2) ibNetworkMonitorDNSAAT5
    (3.1.1.2.1.3.1.3.2.1) ibNetworkMonitorDNSAAT5AvgLatency
    (3.1.1.2.1.3.1.3.2.2) ibNetworkMonitorDNSAAT5Count
  (3.1.1.2.1.3.1.3.3) ibNetworkMonitorDNSAAT15
    (3.1.1.2.1.3.1.3.3.1) ibNetworkMonitorDNSAAT15AvgLatency
    (3.1.1.2.1.3.1.3.3.2) ibNetworkMonitorDNSAAT15Count
  (3.1.1.2.1.3.1.3.4) ibNetworkMonitorDNSAAT60
    (3.1.1.2.1.3.1.3.4.1) ibNetworkMonitorDNSAAT60AvgLatency
    (3.1.1.2.1.3.1.3.4.2) ibNetworkMonitorDNSAAT60Count
  (3.1.1.2.1.3.1.3.5) ibNetworkMonitorDNSAAT1440
    (3.1.1.2.1.3.1.3.5.1) ibNetworkMonitorDNSAAT1440AvgLatency
    (3.1.1.2.1.3.1.3.5.2) ibNetworkMonitorDNSAAT1440Count


Table 6.7 describes the objects in ibNetworkMonitorDNSNonAA. You can send queries to retrieve values for these
objects.

Table 6.7 ibNetworkMonitorDNSNonAA Objects

Object                                    Description
ibNetworkMonitorDNSNonAAT1                File that contains the objects for monitoring the average latency of nonauthoritative replies to queries during the last minute.
ibNetworkMonitorDNSNonAAT1AvgLatency      Indicates the average latency in microseconds of nonauthoritative replies to queries during the last minute.
ibNetworkMonitorDNSNonAAT1Count           Indicates the number of queries used to calculate the average latency of nonauthoritative replies during the last minute.
ibNetworkMonitorDNSNonAAT5                File that contains the objects for monitoring the average latency of nonauthoritative replies to queries during the last five minutes.
ibNetworkMonitorDNSNonAAT5AvgLatency      Indicates the average latency in microseconds of nonauthoritative replies to queries during the last five minutes.
ibNetworkMonitorDNSNonAAT5Count           Indicates the number of queries used to calculate the average latency of nonauthoritative replies during the last five minutes.
ibNetworkMonitorDNSNonAAT15               File that contains the objects for monitoring the average latency of nonauthoritative replies to queries during the last 15 minutes.
ibNetworkMonitorDNSNonAAT15AvgLatency     Indicates the average latency in microseconds of nonauthoritative replies to queries during the last 15 minutes.
ibNetworkMonitorDNSNonAAT15Count          Indicates the number of queries used to calculate the average latency of nonauthoritative replies during the last 15 minutes.
ibNetworkMonitorDNSNonAAT60               File that contains the objects for monitoring the average latency of nonauthoritative replies to queries during the last 60 minutes.
ibNetworkMonitorDNSNonAAT60AvgLatency     Indicates the average latency in microseconds of nonauthoritative replies to queries during the last 60 minutes.
ibNetworkMonitorDNSNonAAT60Count          Indicates the number of queries used to calculate the average latency of nonauthoritative replies during the last 60 minutes.
ibNetworkMonitorDNSNonAAT1440             File that contains the objects for monitoring the average latency of nonauthoritative replies to queries during the last 1440 minutes.
ibNetworkMonitorDNSNonAAT1440AvgLatency   Indicates the average latency in microseconds of nonauthoritative replies to queries during the last 1440 minutes.
ibNetworkMonitorDNSNonAAT1440Count        Indicates the number of queries used to calculate the average latency of nonauthoritative replies during the last 1440 minutes.


Table 6.8 describes the objects in ibNetworkMonitorDNSAA. You can send queries to retrieve values for these
objects.

Table 6.8 ibNetworkMonitorDNSAA Objects

Object                                    Description
ibNetworkMonitorDNSAAT1                   File that contains the objects for monitoring the average latency of authoritative replies to queries during the last minute.
ibNetworkMonitorDNSAAT1AvgLatency         Indicates the average latency in microseconds of authoritative replies to queries during the last minute.
ibNetworkMonitorDNSAAT1Count              Indicates the number of queries used to calculate the average latency of authoritative replies during the last minute.
ibNetworkMonitorDNSAAT5                   File that contains the objects for monitoring the average latency of authoritative replies to queries during the last five minutes.
ibNetworkMonitorDNSAAT5AvgLatency         Indicates the average latency in microseconds of authoritative replies to queries during the last five minutes.
ibNetworkMonitorDNSAAT5Count              Indicates the number of queries used to calculate the average latency of authoritative replies during the last five minutes.
ibNetworkMonitorDNSAAT15                  File that contains the objects for monitoring the average latency of authoritative replies to queries during the last 15 minutes.
ibNetworkMonitorDNSAAT15AvgLatency        Indicates the average latency in microseconds of authoritative replies to queries during the last 15 minutes.
ibNetworkMonitorDNSAAT15Count             Indicates the number of queries used to calculate the average latency of authoritative replies during the last 15 minutes.
ibNetworkMonitorDNSAAT60                  File that contains the objects for monitoring the average latency of authoritative replies to queries during the last 60 minutes.
ibNetworkMonitorDNSAAT60AvgLatency        Indicates the average latency in microseconds of authoritative replies to queries during the last 60 minutes.
ibNetworkMonitorDNSAAT60Count             Indicates the number of queries used to calculate the average latency of authoritative replies during the last 60 minutes.
ibNetworkMonitorDNSAAT1440                File that contains the objects for monitoring the average latency of authoritative replies to queries during the last 1440 minutes.
ibNetworkMonitorDNSAAT1440AvgLatency      Indicates the average latency in microseconds of authoritative replies to queries during the last 1440 minutes.
ibNetworkMonitorDNSAAT1440Count           Indicates the number of queries used to calculate the average latency of authoritative replies during the last 1440 minutes.


Table 6.9 describes the objects in ibNetworkMonitorDNSSecurity. You receive SNMP traps with these objects when you enable the following:

- SNMP traps
- DNS network monitoring
- DNS alert monitoring

Table 6.9 ibNetworkMonitorDNSSecurity Objects

Object                                         Description
ibNetworkMonitorDNSSecurityInvalidPort         Tracks the number of invalid DNS responses that arrive on invalid ports. For information about invalid ports, see Monitoring DNS Transactions on page 195. This object contains a subtree with six objects that track invalid ports within a certain time interval. For information, see Table 6.10.
ibNetworkMonitorDNSSecurityInvalidTxid         Tracks the number of invalid TXIDs (DNS transaction IDs). For information about invalid TXIDs, see Monitoring DNS Transactions on page 195. This object contains a subtree with six objects that track invalid TXIDs within a certain time interval. For information, see Table 6.11.
ibNetworkMonitorDNSSecurityInvalidPortOnly     Tracks the number of DNS responses with both of the following conditions: arrive on invalid ports; have valid TXIDs.
ibNetworkMonitorDNSSecurityInvalidTxidOnly     Tracks the number of DNS responses with both of the following conditions: arrive on valid ports; have invalid TXIDs.
ibNetworkMonitorDNSSecurityInvalidTxidAndPort  Tracks the number of DNS responses with both of the following conditions: arrive on invalid ports; have invalid TXIDs.


Table 6.10 describes the objects in ibNetworkMonitorDNSSecurityInvalidPort.

Table 6.10 ibNetworkMonitorDNSSecurityInvalidPort Objects

ibNetworkMonitorDNSSecurityInvalidPort1: Tracks the number of invalid DNS responses that arrive on invalid ports in the last one minute.
ibNetworkMonitorDNSSecurityInvalidPort5: Tracks the number of invalid DNS responses that arrive on invalid ports in the last five minutes.
ibNetworkMonitorDNSSecurityInvalidPort15: Tracks the number of invalid DNS responses that arrive on invalid ports in the last 15 minutes.
ibNetworkMonitorDNSSecurityInvalidPort60: Tracks the number of invalid DNS responses that arrive on invalid ports in the last 60 minutes.
ibNetworkMonitorDNSSecurityInvalidPort1440: Tracks the number of invalid DNS responses that arrive on invalid ports in the last 24 hours.
ibNetworkMonitorDNSSecurityInvalidPortCount: Tracks the total number of invalid DNS responses that arrive on invalid ports.

Table 6.11 describes the objects in ibNetworkMonitorDNSSecurityInvalidTxid.

Table 6.11 ibNetworkMonitorDNSSecurityInvalidTxid Objects

ibNetworkMonitorDNSSecurityInvalidTxid1: Tracks the number of DNS responses that have invalid DNS transaction IDs in the last one minute.
ibNetworkMonitorDNSSecurityInvalidTxid5: Tracks the number of DNS responses that have invalid DNS transaction IDs in the last five minutes.
ibNetworkMonitorDNSSecurityInvalidTxid15: Tracks the number of DNS responses that have invalid DNS transaction IDs in the last 15 minutes.
ibNetworkMonitorDNSSecurityInvalidTxid60: Tracks the number of DNS responses that have invalid DNS transaction IDs in the last 60 minutes.
ibNetworkMonitorDNSSecurityInvalidTxid1440: Tracks the number of DNS responses that have invalid DNS transaction IDs in the last 24 hours.
ibNetworkMonitorDNSSecurityInvalidTxidCount: Tracks the total number of DNS responses that have invalid DNS transaction IDs.
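The windowed counters in Tables 6.10 and 6.11 are most useful when the short windows are compared against the 24-hour window. The following Python is an added example, not code from the guide or from Infoblox: it takes a snapshot of the Table 6.9 to 6.11 objects keyed by object name (the sample snapshot is constructed), flags any short window whose rate stands out against the 1440-minute baseline, and reports how the flagged responses split across the three breakdown objects. The min_count and ratio thresholds are assumed tuning values.

```python
"""Burst detection over the ibNetworkMonitorDNSSecurity counters.

Added example for this guide, not Infoblox code. It works on a snapshot of the
Table 6.9 to 6.11 objects, keyed by object name, that a poller has already read.
"""
from dataclasses import dataclass

PREFIX = "ibNetworkMonitorDNSSecurity"
WINDOWS = (1, 5, 15, 60, 1440)   # minutes covered by the ...1, ...5, ...15, ...60 and ...1440 objects
FAMILIES = ("InvalidPort", "InvalidTxid")
BREAKDOWN = ("InvalidPortOnly", "InvalidTxidOnly", "InvalidTxidAndPort")   # Table 6.9


@dataclass(frozen=True)
class Burst:
    family: str        # "InvalidPort" or "InvalidTxid"
    window: int        # window length in minutes
    count: int         # bad responses counted in that window
    per_minute: float  # count / window
    baseline: float    # per-minute rate over the 1440-minute window


def per_minute_rates(snapshot, family):
    """Per-minute rate of one counter family for every window in WINDOWS."""
    return {w: snapshot[f"{PREFIX}{family}{w}"] / w for w in WINDOWS}


def detect_bursts(snapshot, min_count=20, ratio=5.0):
    """Flag short windows whose rate stands out against the 24-hour baseline.

    min_count and ratio are assumed tuning values, not Infoblox settings. A window is
    reported when it holds at least min_count bad responses and its per-minute rate is
    at least ratio times the 1440-minute rate; a zero baseline therefore never hides
    a window that reaches min_count.
    """
    bursts = []
    for family in FAMILIES:
        rates = per_minute_rates(snapshot, family)
        baseline = rates[1440]
        for w in WINDOWS[:-1]:
            count = snapshot[f"{PREFIX}{family}{w}"]
            if count >= min_count and rates[w] >= ratio * baseline:
                bursts.append(Burst(family, w, count, rates[w], baseline))
    return bursts


def breakdown_shares(snapshot):
    """Share of each Table 6.9 breakdown object among all flagged responses."""
    counts = {k: snapshot[f"{PREFIX}{k}"] for k in BREAKDOWN}
    total = sum(counts.values())
    return {k: (v / total if total else 0.0) for k, v in counts.items()}


# Constructed snapshot, not captured from an appliance: an InvalidPort family that stays
# near its own daily rate, and an InvalidTxid family that jumped in the last hour.
SAMPLE = {
    f"{PREFIX}InvalidPort1": 3, f"{PREFIX}InvalidPort5": 10, f"{PREFIX}InvalidPort15": 25,
    f"{PREFIX}InvalidPort60": 60, f"{PREFIX}InvalidPort1440": 800, f"{PREFIX}InvalidPortCount": 1000,
    f"{PREFIX}InvalidTxid1": 120, f"{PREFIX}InvalidTxid5": 130, f"{PREFIX}InvalidTxid15": 135,
    f"{PREFIX}InvalidTxid60": 140, f"{PREFIX}InvalidTxid1440": 160, f"{PREFIX}InvalidTxidCount": 4800,
    f"{PREFIX}InvalidPortOnly": 700, f"{PREFIX}InvalidTxidOnly": 4500, f"{PREFIX}InvalidTxidAndPort": 300,
}

if __name__ == "__main__":
    for b in detect_bursts(SAMPLE):
        print(f"{b.family}: {b.count} in {b.window} min "
              f"({b.per_minute:.1f}/min vs {b.baseline:.2f}/min baseline)")
    print(breakdown_shares(SAMPLE))
```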


ibDHCPOne MIB
The ibDHCPOne MIB provides information about address usage within a subnet, DHCP lease statistics, and DHCP packet counts. Figure 6.6 illustrates the structure of the ibDHCPOne MIB. (Note that the OIDs shown in the illustration do not include the prefix .1.3.6.1.4.1.7779.) It has three subtrees: ibDHCPSubnetTable, ibDHCPLeaseTable, and ibDHCPStatistics.

Figure 6.6 DHCPone MIB

(3.1.1.4) ibDHCPOne MIB
  (3.1.1.4.1) ibDHCPModule
    (3.1.1.4.1.1) ibDHCPSubnetTable
      (3.1.1.4.1.1.1) ibDHCPSubnetEntry
        (3.1.1.4.1.1.1.1) ibDHCPSubnetNetworkAddress
        (3.1.1.4.1.1.1.2) ibDHCPSubnetNetworkMask
        (3.1.1.4.1.1.1.3) ibDHCPSubnetPercentUsed
    (3.1.1.4.1.2) ibDHCPLeaseTable
      (3.1.1.4.1.2.1) ibDHCPLeaseEntry
        (3.1.1.4.1.2.1.1) ibDHCPLeaseAddress
        (3.1.1.4.1.2.1.2) ibDHCPLeaseMACAddress
        (3.1.1.4.1.2.1.3) ibDHCPLeaseStart
        (3.1.1.4.1.2.1.4) ibDHCPLeaseEnd
        (3.1.1.4.1.2.1.5) ibDHCPLeaseBindState
        (3.1.1.4.1.2.1.6) ibDHCPLeaseNextBindState
        (3.1.1.4.1.2.1.7) ibDHCPLeaseClientHostName
        (3.1.1.4.1.2.1.8) ibDHCPLeaseUID
    (3.1.1.4.1.3) ibDHCPStatistics
      (3.1.1.4.1.3.1) ibDhcpTotalNoOfDiscovers
      (3.1.1.4.1.3.2) ibDhcpTotalNoOfRequests
      (3.1.1.4.1.3.3) ibDhcpTotalNoOfReleases
      (3.1.1.4.1.3.4) ibDhcpTotalNoOfOffers
      (3.1.1.4.1.3.5) ibDhcpTotalNoOfAcks
      (3.1.1.4.1.3.6) ibDhcpTotalNoOfNacks
      (3.1.1.4.1.3.7) ibDhcpTotalNoOfDeclines
      (3.1.1.4.1.3.8) ibDhcpTotalNoOfInforms
      (3.1.1.4.1.3.9) ibDhcpTotalNoOthers


The ibDHCPSubnetTable provides statistical data about the DHCP operations of the appliance. It contains the following objects:

Table 6.12 ibDHCPSubnetTable

ibDHCPSubnetEntry: File that contains the objects for monitoring DHCP operations on the appliance.
ibDHCPSubnetNetworkAddress: The subnetworks, in IP address format, that have IP addresses for lease. A subnetwork may have many address ranges for lease.
ibDHCPSubnetNetworkMask: The subnet mask in dotted decimal format.
ibDHCPSubnetPercentUsed: The percentage of dynamic DHCP addresses leased out at this time for each subnet. Fixed addresses are always counted as leased for this calculation, if the fixed addresses are within a leased address range.

Following is an example of the table as viewed through a MIB browser:

Figure 6.7 MIB Browser View 1

The ibDHCPLeaseTable provides statistics about the DHCP leases. It contains the following objects:

Table 6.13 ibDHCPLeaseTable

ibDHCPLeaseEntry: File that contains the objects that provide information about DHCP leases.
ibDHCPLeaseAddress: The IP address issued by DHCP.
ibDHCPLeaseMACAddress: The MAC address of the DHCP client.
ibDHCPLeaseStart: The start time of the DHCP lease.
ibDHCPLeaseEnd: The end time of the DHCP lease.
ibDHCPLeaseBindState: The IP address binding state of the DHCP lease. The binding state is used by the DHCP failover protocol and indicates, among other things, whether an IP address is in use, has been released, or is available for allocation.
ibDHCPLeaseNextBindState: Next binding state of the DHCP lease.
ibDHCPLeaseClientHostName: Client-provided host name during DHCP registration.
ibDHCPLeaseUID: Client-provided UID during DHCP registration. (The UID is a number that uniquely identifies the client machine.)

ibDHCPStatistics maintains counters for different types of packets. The counters always start at zero when you enable DHCP, so the numbers reflect the total number of packets received since DHCP was enabled on the NIOS appliance. The ibDHCPStatistics module contains the following objects:

Table 6.14 ibDHCPStatistics

ibDhcpTotalNoOfDiscovers: The number of DHCPDISCOVER messages that the appliance received. Clients broadcast DHCPDISCOVER messages when they need an IP address and network configuration information.
ibDhcpTotalNoOfRequests: The number of DHCPREQUEST messages that the appliance received. A client sends a DHCPREQUEST message requesting configuration information after it receives the DHCPOFFER message.
ibDhcpTotalNoOfReleases: The number of DHCPRELEASE messages that the appliance received from its clients. A client sends a DHCPRELEASE message when it terminates its lease on an IP address.
ibDhcpTotalNoOfOffers: The number of DHCPOFFER messages that the appliance has sent to clients. The appliance sends a DHCPOFFER message to a client; it contains an IP address and configuration information.
ibDhcpTotalNoOfAcks: The number of DHCPACK messages that the appliance sent to clients. It sends a DHCPACK message to a client to confirm that the IP address offered is still available.
ibDhcpTotalNoOfNacks: The number of DHCPNACK messages that the appliance sent to clients. It sends a DHCPNACK message to withdraw its offer of an IP address.
ibDhcpTotalNoOfDeclines: The number of DHCPDECLINE messages that the appliance received. A client sends a DHCPDECLINE message if it determines that an offered IP address is already in use.
ibDhcpTotalNoOfInforms: The number of DHCPINFORM messages that the appliance received. A client sends a DHCPINFORM message when it has an IP address but needs information about the network.
ibDhcpTotalNoOfOthers: The total number of DHCP messages other than those used in negotiation, such as DHCPFORCERENEW, DHCPKNOWN, and DHCPLEASEQUERY.


ibDNSOne MIB
The ibDNSOne MIB provides statistical information about the DNS processes and about the views and zones in the database. Figure 6.7 illustrates the structure of the ibDNSOne MIB. (Note that the OIDs shown in the illustration do not include the prefix 1.3.6.1.4.1.7779.) The ibDNSOne MIB contains two subtrees, ibZoneStatisticsTable and ibZonePlusViewStatisticsTable.

Figure 6.8 ibDNSOne MIB

(3.1.1.3) ibDNSOne MIB
  (3.1.1.3.1) ibDnsModule
    (3.1.1.3.1.1) ibZoneStatisticsTable
      (3.1.1.3.1.1.1) ibZoneStatisticsEntry
        (3.1.1.3.1.1.1.1) ibBindZoneName
        (3.1.1.3.1.1.1.2) ibBindZoneSuccess
        (3.1.1.3.1.1.1.3) ibBindZoneReferral
        (3.1.1.3.1.1.1.4) ibBindZoneNxRRset
        (3.1.1.3.1.1.1.5) ibBindZoneNxDomain
        (3.1.1.3.1.1.1.6) ibBindZoneRecursion
        (3.1.1.3.1.1.1.7) ibBindZoneFailure
    (3.1.1.3.1.2) ibZonePlusViewStatisticsTable
      (3.1.1.3.1.2.1) ibZonePlusViewStatisticsEntry
        (3.1.1.3.1.2.1.1) ibZonePlusViewName
        (3.1.1.3.1.2.1.2) ibZonePlusViewSuccess
        (3.1.1.3.1.2.1.3) ibZonePlusViewReferral
        (3.1.1.3.1.2.1.4) ibZonePlusViewNxRRset
        (3.1.1.3.1.2.1.5) ibZonePlusViewNxDomain
        (3.1.1.3.1.2.1.6) ibZonePlusViewRecursion
        (3.1.1.4.1.2.1.7) ibZonePlusViewFailure
        (3.1.1.4.1.2.1.8) ibBindViewName

The ibZoneStatisticsTable provides statistical data about the DNS operations on the appliance. The following lists the objects in the table:

Table 6.15 ibZoneStatisticsTable

ibBindZoneName: DNS zone name.
ibBindZoneSuccess: The number of successful responses since the DNS process started.
ibBindZoneReferral: The number of DNS referrals since the DNS process started.
ibBindZoneNxRRset: The number of DNS queries received for non-existent records.
ibBindZoneNxDomain: The number of DNS queries received for non-existent domains.
ibBindZoneRecursion: The number of queries received using recursion since the DNS process started.
ibBindZoneFailure: The number of failed queries since the DNS process started.

The ibZonePlusViewStatisticsTable provides statistical data about DNS views and their zones. The following table lists the objects:

Table 6.16 ibZonePlusViewStatisticsTable

ibZonePlusViewName: The zone name. The first one in the default view is the global summary statistics; the index name for the global statistics is summary.
ibZonePlusViewSuccess: The number of successful responses since the DNS process started.
ibZonePlusViewReferral: The number of DNS referrals.
ibZonePlusViewNxRRset: The number of DNS queries received for non-existent records.
ibZonePlusViewNxDomain: The number of DNS queries received for non-existent domains.
ibZonePlusViewRecursion: The number of DNS recursive queries received.
ibZonePlusViewFailure: The number of failed queries.
ibBindViewName: The view name. This is blank for the default view.

Following is an example of the table as viewed through a MIB browser:

Figure 6.9 MIB Browser View 2
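The ibDHCPSubnetTable, ibDHCPStatistics and ibZoneStatisticsTable objects above are the ones a monitoring system polls most often. The following Python is an added example, not code from the guide or from Infoblox: it parses snmpwalk-style lines for those columns using the OIDs from Figures 6.6 and 6.8 under the .1.3.6.1.4.1.7779 prefix, then derives subnet utilization alerts (the 90 percent warning threshold is assumed), the DHCPNACK share of replies sent, and each zone's NXDOMAIN share. The walk lines are constructed, and the single integer row index they use is an assumption about the table indexing.

```python
"""Read an SNMP walk of the ibDHCPOne and ibDNSOne tables and derive health indicators.

Added example for this guide, not Infoblox code. Column OIDs come from Figures 6.6 and
6.8; the walk lines below are constructed, and their single integer row index is an
assumption about how the tables are indexed.
"""
import re
from collections import defaultdict

ENTERPRISE = ".1.3.6.1.4.1.7779"   # prefix that the figures in this chapter omit

# Column OIDs relative to ENTERPRISE, mapped to (table, object name).
COLUMNS = {
    "3.1.1.4.1.1.1.1": ("ibDHCPSubnetTable", "ibDHCPSubnetNetworkAddress"),
    "3.1.1.4.1.1.1.2": ("ibDHCPSubnetTable", "ibDHCPSubnetNetworkMask"),
    "3.1.1.4.1.1.1.3": ("ibDHCPSubnetTable", "ibDHCPSubnetPercentUsed"),
}
for i, kind in enumerate(("Discovers", "Requests", "Releases", "Offers", "Acks",
                          "Nacks", "Declines", "Informs", "Others"), start=1):
    COLUMNS[f"3.1.1.4.1.3.{i}"] = ("ibDHCPStatistics", f"ibDhcpTotalNoOf{kind}")
for i, kind in enumerate(("Name", "Success", "Referral", "NxRRset", "NxDomain",
                          "Recursion", "Failure"), start=1):
    COLUMNS[f"3.1.1.3.1.1.1.{i}"] = ("ibZoneStatisticsTable", f"ibBindZone{kind}")

LINE_RE = re.compile(r"^(\S+)\s*=\s*(\w+):\s*(.*)$")   # "<oid> = <syntax>: <value>"
INTEGER_SYNTAXES = {"INTEGER", "Counter32", "Gauge32"}


def parse_walk(text):
    """Return {table: {row_index: {object: value}}} from snmpwalk-style lines."""
    tables = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group(1).startswith(ENTERPRISE + "."):
            continue                                   # blank, malformed or foreign line
        rel = m.group(1)[len(ENTERPRISE) + 1:]
        for col, (table, name) in COLUMNS.items():
            if rel == col or rel.startswith(col + "."):
                index = rel[len(col) + 1:] or "0"      # scalars walk as <oid>.0
                raw = m.group(3)
                value = int(raw) if m.group(2) in INTEGER_SYNTAXES else raw.strip('"')
                tables[table][index][name] = value
                break
    return tables


def subnet_alerts(tables, warn_at=90):
    """Subnets at or above warn_at percent used (assumed threshold); 100 percent is 'full'."""
    alerts = []
    for row in tables["ibDHCPSubnetTable"].values():
        used = row.get("ibDHCPSubnetPercentUsed")
        if used is None:
            continue
        level = "full" if used >= 100 else "warning" if used >= warn_at else None
        if level:
            alerts.append((row["ibDHCPSubnetNetworkAddress"],
                           row["ibDHCPSubnetNetworkMask"], used, level))
    return alerts


def nack_share(tables):
    """DHCPNACK as a share of all DHCPACK plus DHCPNACK replies the appliance sent."""
    stats = tables["ibDHCPStatistics"].get("0", {})
    acks = stats.get("ibDhcpTotalNoOfAcks", 0)
    nacks = stats.get("ibDhcpTotalNoOfNacks", 0)
    return nacks / (acks + nacks) if acks + nacks else 0.0


def nxdomain_share(tables):
    """Per zone: NxDomain over the sum of the Success, Referral, NxRRset, NxDomain and Failure counters."""
    out = {}
    for row in tables["ibZoneStatisticsTable"].values():
        parts = [row.get(f"ibBindZone{k}", 0)
                 for k in ("Success", "Referral", "NxRRset", "NxDomain", "Failure")]
        total = sum(parts)
        out[row["ibBindZoneName"]] = parts[3] / total if total else 0.0
    return out


# Constructed walk output (not captured from an appliance), in numeric-OID form.
SAMPLE_WALK = f"""
{ENTERPRISE}.3.1.1.4.1.1.1.1.1 = STRING: "10.1.0.0"
{ENTERPRISE}.3.1.1.4.1.1.1.1.2 = STRING: "10.2.0.0"
{ENTERPRISE}.3.1.1.4.1.1.1.1.3 = STRING: "10.3.0.0"
{ENTERPRISE}.3.1.1.4.1.1.1.2.1 = STRING: "255.255.255.0"
{ENTERPRISE}.3.1.1.4.1.1.1.2.2 = STRING: "255.255.252.0"
{ENTERPRISE}.3.1.1.4.1.1.1.2.3 = STRING: "255.255.255.0"
{ENTERPRISE}.3.1.1.4.1.1.1.3.1 = INTEGER: 93
{ENTERPRISE}.3.1.1.4.1.1.1.3.2 = INTEGER: 41
{ENTERPRISE}.3.1.1.4.1.1.1.3.3 = INTEGER: 100
{ENTERPRISE}.3.1.1.4.1.3.5.0 = Counter32: 7800
{ENTERPRISE}.3.1.1.4.1.3.6.0 = Counter32: 200
{ENTERPRISE}.3.1.1.3.1.1.1.1.1 = STRING: "example.com"
{ENTERPRISE}.3.1.1.3.1.1.1.2.1 = Counter32: 9000
{ENTERPRISE}.3.1.1.3.1.1.1.3.1 = Counter32: 100
{ENTERPRISE}.3.1.1.3.1.1.1.4.1 = Counter32: 400
{ENTERPRISE}.3.1.1.3.1.1.1.5.1 = Counter32: 6000
{ENTERPRISE}.3.1.1.3.1.1.1.7.1 = Counter32: 500
"""

if __name__ == "__main__":
    t = parse_walk(SAMPLE_WALK)
    print(subnet_alerts(t), nack_share(t), nxdomain_share(t))
```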


ibIPWC MIB
The ibIPWC MIB defines the objects in the WinConnect MIB module as well as the types of traps that an IPAM WinConnect server sends. If you use the Infoblox IPAM WinConnect service, you must download the ibIPWC MIB. (For information about IPAM WinConnect, see Chapter 22, IPAM WinConnect, on page 701.) Figure 6.10 illustrates the structure of the ibIPWC MIB. The OIDs in the illustration do not include the prefix 1.3.6.4.1.25558, where 25558 is the IANA-assigned enterprise number for Ipanto. (Note that Ipanto is the former name of WinConnect.) The ibIPWC MIB branches out into two subtrees:
- ssp: The ssp tree contains objects that provide information about the WinConnect server and its client. ssp branches out into two subtrees, sipd and aipd. See Tables 6.18 to 6.23 for information about the objects and their definitions in the sipd and aipd trees.
- traps: The traps tree provides information about the SNMP traps that the IPAM WinConnect server sends. See Table 6.23 for a list of traps that the WinConnect server generates.

Figure 6.10 ibIPWC MIB structure

ibIPWC MIB
  ipanto
    (1) ssp
      (1.1) sipd
        (1.1.1) process
          (1.1.1.1) port
          (1.1.1.2) sslPort
          (1.1.1.3) uid
          (1.1.1.4) suid
        (1.1.2) license
          (1.1.2.1) date
          (1.1.2.2) hostcount
        (1.1.3) client
          (1.1.3.1) ipSrc
          (1.1.3.2) user
          (1.1.3.3) agent
        (1.1.4) db
        (1.1.5) error
        (1.1.6) job
        (1.1.7) backup
      (1.2) aipd
        (1.2.1) type
        (1.2.2) name
    (2) traps

See Table 6.24 for details of the traps and descriptions.

See Table 6.21 for details of the agent tree.

See Tables 6.22 and 6.23 for details of the db tree and its subtrees.


The sipd tree contains objects that provide information about the WinConnect server and its client. Table 6.17 lists the objects and their descriptions in the sipd tree.

Table 6.17 sipd

process: Contains objects that provide information about the WinConnect server process. This subtree contains four objects:
    port: The server port of the WinConnect server.
    sslPort: The SSL port of the WinConnect server.
    uid: The WinConnect server process ID.
    suid: The unique ID of the WinConnect server.
license: Contains objects that provide licensing information about the WinConnect server. This subtree contains two objects:
    date: DEPRECATED.
    hostCount: The number of licensed hosts.
client: Contains objects that provide information about the WinConnect client. See Table 6.19 for details.
db: Contains objects that provide information about the WinConnect database. See Table 6.21 for details.
error: Contains objects that provide information about the error messages that the WinConnect server generates. This subtree contains two objects:
    description: The error description.
    code: The error code.
job: Contains one object:
    name: The scheduled job name.
backup: Contains one object:
    date: The date of the last WinConnect server backup.

The aipd tree contains objects that provide information about the WinConnect connector. Table 6.18 lists the objects and their descriptions in the aipd tree.

Table 6.18 aipd

type: The WinConnect connector type.
name: The WinConnect connector name.


The client tree under sipd contains objects that provide information about the WinConnect client. Table 6.19 lists the objects and their descriptions in the client tree.

Table 6.19 client

ipSrc: The IP address of the client server.
user: Contains two objects:
    name: The WinConnect user name.
    sessionType: The user session type.
agent: Contains objects that provide information about the WinConnect connector. See Table 6.20 for details.

The agent tree under client contains objects that provide information about the WinConnect connector. Table 6.20 lists the objects and their descriptions in the agent tree.

Table 6.20 agent

type: The WinConnect connector type.
name: The WinConnect connector name.
service: Contains three objects:
    type: The managed service type.
    name: The managed service name.
    access: The managed service access.

The db tree under sipd contains objects that provide information about the WinConnect database. Table 6.21 lists the objects and their descriptions in the db tree.

Table 6.21 db

organization: The organization that owns the object in the WinConnect database.
dhcp: Contains objects that provide information about the IP addresses in the database. See Table 6.22 for details.
dns: Contains one object:
    zone: The DNS zone. Contains one object:
        name: The zone name in the WinConnect database.
subnet: Contains three objects:
    address: The subnet address.
    mask: The subnet mask.
    rate: The occupation rate of the subnet.
clockskew: DEPRECATED.


The dhcp tree under db contains objects that provide information about the IP addresses in the WinConnect database. Table 6.22 lists the objects and their descriptions in the dhcp tree.

Table 6.22 dhcp

host: Contains two objects:
    activeCount: The number of active hosts in the WinConnect database.
    totalCount: The total number of hosts in the WinConnect database.
pool: Contains three objects:
    start: The start IP address of the address pool.
    end: The end IP address of the address pool.
    rate: The occupation rate of the address pool.

The WinConnect server generates traps to notify the SNMP monitoring device of events. Table 6.23 lists the types of traps that the WinConnect server sends.

Table 6.23 traps

start: WinConnect is ready to reply to client requests.
stop: WinConnect cannot accept client requests or connections.
licenseInvalid: DEPRECATED.
licenseDateExpired: DEPRECATED.
licenseDateWarning: DEPRECATED.
licenseHostExceeded: The maximum number of host licenses has been reached.
licenseHostWarning: 90% of the host licenses have been assigned.
clockSkewWarning: DEPRECATED.
clockSkewExceeded: WinConnect detected a clock skew error.
clockSkewError: DEPRECATED.
dbIntegrityError: WinConnect detected that the database is corrupted, or WinConnect cannot determine the integrity of the database.
userlogin: A user started a session.
userlogout: A user ended a session.
userAuthFailed: WinConnect failed to authenticate the user.
agentLogin: The WinConnect connector connected to WinConnect.
agentAuthFailed: The WinConnect connector failed to connect to WinConnect.
userAuthFailureExceeded: The maximum number of user authentication failures has been reached.
synchroStartMaster: DEPRECATED.
synchroStartSlave: DEPRECATED.
sychroSuccess: DEPRECATED.
synchroFailed: DEPRECATED.
serviceStarted: The WinConnect connector informed WinConnect that the current service status is running.
serviceStopped: The WinConnect connector informed WinConnect that the current service status is stopped.
controlStart: A user requested to start a specific service.
controlStop: A user requested to stop a specific service.
controlRestart: A user requested to restart a specific service.
controlReload: A user requested to reload a DNS zone.
unreachable: WinConnect could not contact the WinConnect connector.
poolCapacityWarning: Over 90% of the IP addresses in the address pool have been assigned.
poolCapacityFull: 100% of the IP addresses in the address pool have been assigned.
subnetCapacityWarning: Over 90% of the subnet has been assigned.
subnetCapacityFull: 100% of the subnet has been assigned.
jobErrorGeneration: The command for a scheduled job failed and generated an error. Check the logs on the WinConnect server for the error.
jobWarningGeneration: A scheduled job completed with a warning. Check the logs on the WinConnect server for the warning.
jobErrorExecution: A scheduled job execution failed.
discoverWarning: The command for network discovery completed with a warning. Check the logs on the WinConnect server for the warning.
restoreError: The restore process completed with errors. Check the logs on the WinConnect server for the errors.
restoreSuccess: The restore process completed successfully.
backupError: The backup process completed with errors. Check the logs on the WinConnect server for the errors.
backupSuccess: The backup process completed successfully.
cwServerSynchro: The synchronization process with the CiscoWorks server is starting.
applySubnetTemplateSuccess: WinConnect successfully applied the subnet template.
applySubnetTemplateFailure: WinConnect failed to apply the subnet template.


Configuring SNMP

Perform the following tasks to configure SNMP on the NIOS appliance:
- Enable the NIOS appliance to accept queries and define the community string that management systems must specify when they send queries to the appliance.
- Specify the management systems to which the appliance sends traps.

For a grid, you can perform these tasks at the grid level and at the member level. You can define SNMP settings for an entire grid and, when necessary, define different SNMP settings for a member. SNMP settings for a member override SNMP settings for a grid. You can also set up SNMP on an independent appliance or HA pair.

Accepting SNMP Queries


You can allow specific management systems to send queries to a NIOS appliance. When you do, you must specify a community string. The appliance accepts queries only from management systems that provide the correct community string.

To configure a grid or an independent NIOS appliance or HA pair to accept SNMP queries:

1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties.
   or
   From the Device perspective, click Device -> host_name -> Edit -> Device Properties.
2. In the Grid or Device editor, click Monitoring, and then enter the following:
   - Enable queries: Select this check box for grid members or an independent appliance or HA pair to accept queries from SNMP management systems.
   - Community String: Enter a text string that the management system must send together with its queries to the grid or the independent appliance or HA pair. A community string is similar to a password in that the appliance accepts queries only from management systems that send the correct community string. Note that this community string must match exactly what you enter in the management system.
3. Click the Save icon to save your settings.

Setting System Information


You can enter values for the following managed objects in MIB-II, the standard MIB defined in RFC 1213:
- sysContact
- sysLocation
- sysName
- sysDescr

After you enter these values on the appliance, administrators can send queries for these values from management systems that are allowed to send queries to the appliance.

To enter system information:

1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties.
   or
   From the Device perspective, click Device -> host_name -> Edit -> Device Properties.
2. In the Grid or Device editor, click Monitoring, and then enter the following:
   - Set objects: Select the check box.
   - sysContact: Enter the name of the contact person for the appliance.
   - sysLocation: Enter the physical location of the appliance.
   - sysName: Enter the fully qualified domain name of the appliance.
   - sysDescr: Enter useful information about the appliance, such as the software version it is running.
3. Click the Save icon to save your settings.

Adding SNMP Trap Receivers


You can enable a NIOS appliance to send traps to specific management systems or trap receivers. It sends traps whenever certain events occur, as described in ibTrap MIB on page 206.

To configure an SNMP trap receiver for a grid or an independent appliance or HA pair:

1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties.
   or
   From the Device perspective, click Device -> host_name -> Edit -> Device Properties.
2. In the Grid or Device editor, click Monitoring, and then enter the following:
   - Enable traps: Select the check box to enable grid members or an independent appliance or HA pair to send traps to specified SNMP management systems.
   - Community String: Enter a text string that the NIOS appliance sends to the management system together with its traps. Note that this community string must match exactly what you enter in the management system.
   - Trap Receiver Group: Type the address of an SNMP management system to which you want the SNMP agent on grid members and independent appliances to send traps in the IP Address field, and then click Add. (You can enter more than one trap receiver.) To remove an IP address from the list, select the address, and then click Delete.
3. Click the Save icon to save your settings.

Configuring SNMP for a Grid Member


You can override grid-level SNMP settings for individual members.

To modify the SNMP settings for a grid member:

1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties.
2. In the Grid Member editor, click Monitoring, and then enter the following:
   - Override grid SNMP settings: Select the check box to override grid-level SNMP settings and apply member-level settings.
   - Enable queries: Select the check box for the member to accept queries from SNMP management systems. Clear the check box to disable the member from accepting SNMP queries.
   - Community String: Type a community string (which is very much like a password) that SNMP management systems must send when querying the member.
   - Enable traps: Select the check box to enable the grid member to send traps to specified SNMP management systems. Clear the check box to disable the member from sending SNMP traps.
   - Community String: Type a community string (which is very much like a password) that the grid member must include when sending traps to the specified SNMP management systems.
   - Trap Receiver Group: Type the IP address of an SNMP management system to which you want the grid member to send traps in the IP Address field, and then click Add. To remove an IP address from the list, select the address, and then click Delete.
   - Set objects: Select this check box.
   - sysContact: Enter the name of the contact person for the appliance.
   - sysLocation: Enter the physical location of the appliance.
   - sysName: Enter the fully qualified domain name of the appliance.
   - sysDescr: Enter useful information about the appliance, such as the software version it is running.
3. Click the Save icon to save your settings.


Chapter 7 Changing Software and Merging Files


You can perform software upgrades and downgrades for your NIOS appliance. You can also merge data files from previous versions of the DNSone module to a NIOS appliance running DNSone 3.2 or later. This chapter explains how to perform these procedures:

- Upgrading NIOS Software on page 250
- Downgrading Software on page 250
- Reverting to the Previously Running Software Version on page 250
- Backing Up and Restoring a Configuration File on page 251
- Backing Up Files on page 251
- Automatically Backing Up a Data File on page 252
- Downloading a Backup File on page 253
- Restoring a Configuration File on page 255
- Loading a Configuration File on a Different Appliance on page 256
- Downloading a Support Bundle on page 257


Upgrading NIOS Software


Infoblox frequently releases updated NIOS software. Contact Infoblox Support to learn what file name to use when downloading the new upgrade file, or watch your e-mail for periodic notifications that a new software upgrade is available. To get the latest upgrades, your local network must be capable of downloading a file from the Internet. To upgrade an independent appliance or HA pair, see Upgrading Software on an Independent Appliance or HA Pair on page 295. To upgrade a grid, see Upgrading NIOS Software on a Grid on page 339.

Downgrading Software
Each Infoblox appliance model has a minimum required release of Infoblox software. Before downgrading an appliance, refer to the document, Minimum Required Release Software for Hardware Platforms, that was shipped with your product. The downgrade procedure is for single independent appliances only. Infoblox does not support software downgrades for grid members, but you can revert to the last grid upgrade file (see the next section) on a grid master.

Caution: Although the downgrade process preserves license information and basic network settings, it does not preserve data. After you complete the downgrade procedure, all data in the database is lost.

To downgrade software on a single independent appliance running NIOS 4.0 or later:

1. For an appliance running DNSone with Grid: From the Grid perspective, click Grid -> Downgrade.
   or
   For an appliance running DNSone: From the Device perspective, click Device -> Downgrade.
2. Read the warning carefully, and then click OK to confirm your decision to downgrade.
3. Navigate to the downgrade image file, and then click OK.
4. Clear the Java cache on your system.
5. Close the browser, open another browser instance, and then log back in.

Reverting to the Previously Running Software Version


You can revert to the previous version of software that was running on your NIOS appliance. The NIOS appliance stores the previous version in its backup software partition. You can see whether there is a software version to which you can revert, and what that version is, in the Alternate Revision column in the Upgrade Status viewer. From the Grid or Device perspective, click View -> Upgrade Status.

Be aware that when you revert to this software, any configurations made to the currently running software are lost. So that you can later determine what configuration changes are missing, you can back up the current data before you revert.

To revert to a version of software running previously on a grid or on an independent appliance or HA pair:

1. From the Grid or Device perspective, click Grid or Device -> Revert.
2. Read the warning carefully, and then click OK to confirm your decision to revert.
3. Close the Java application and restart it. Clearing the Java cache is unnecessary because JWS automatically updates its cache with the application for the currently running version of software.
4. Log back in to the grid master, independent appliance, or independent HA pair.

Backing Up and Restoring a Configuration File


You can back up your system files locally on the appliance or use TFTP (Trivial File Transfer Protocol), FTP (File Transfer Protocol), or SCP (Secure Copy) to back them up to a remote server. The backup file is a .tar.gz file that contains the configuration settings, data set, and TFTP files. For information about the TFTP feature, see Chapter 20, File Distribution Services, on page 663. These sections describe how to use the backup and restore functions:

- Backing Up Files on page 251
- Automatically Backing Up a Data File on page 252
- Downloading a Backup File on page 253
- Restoring a Configuration File on page 255
- Loading a Configuration File on a Different Appliance on page 256

Note: Infoblox highly recommends you always back up the current configuration file before upgrading, restoring, or reverting the software on the appliance.

Backing Up Files
You can back up system files periodically and on demand. You can then restore the files on the same appliance or on a different appliance. For information about restoring files, see Restoring a Configuration File on page 255. You can configure the appliance to automatically back up the files on a weekly, daily, or hourly basis. Infoblox recommends that you back up the system files during off-hours to minimize any effect on network services. By default, the automatic backup function is turned off. You must log in with a superuser account to back up files.

You can back up system files as follows:
- To a local directory or the management system used to operate the appliance
- To a TFTP server
- To an FTP server. This option requires that you have a valid user name and password for the server prior to attempting to back up.
- To an SSH server that supports SCP. This option requires that you have a valid user name and password for the server prior to attempting to back up.

Local Backup
When you back up the system files locally, the appliance uses the following format to name the file: year_month_day_time. For example, 2008_11_30_23_00 translates to November 30th, 2008 at 11:00 PM. The appliance saves up to 20 configuration files, regardless of how often files are saved (weekly, daily, or hourly). Factor in the size of the configuration file, because the storage limit on an appliance is 5 Gb (gigabytes); if your configuration file is 500 Mb (megabytes), the appliance stores 10 configuration files. When uploading configuration files to a TFTP, FTP, or SCP server, you must consider the file size on that server as well.

Using TFTP
TFTP is a client-server protocol that uses UDP as its transport protocol. It does not provide authentication or encryption, so it does not require a user name or password. When you back up the system files to a TFTP server, you merely have to select the backup file you want to download, enter the name under which it is stored on the TFTP server, and enter the server IP address.


Using FTP
FTP is a client-server protocol used to exchange files over TCP-based networks. The appliance, as the FTP client, connects to a remote FTP server that you identify. When you use FTP to back up the system files, the password and file contents are transmitted in clear text and may be intercepted by other users. When you back up the system files to an FTP server, the appliance, as the FTP client, logs on to the FTP server. You must specify the user name and password the appliance uses to log on to the FTP server. The user account must have write permission to the directory to which the appliance uploads the backup file.

Using SCP
SCP is more secure than TFTP and FTP. It uses the SSH protocol to provide authentication and security. You can use SCP to back up the NIOS system files to a server running SSHv2. When you use SCP to back up the system files to an SSH server, you must specify the user name and password the appliance uses to log on to the server. The user account must have write permission to the directory to which the appliance uploads the backup file. In addition, make sure that you enter the correct IP address of the SSH server; the appliance does not check the credentials of the SSH server to which it connects.
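Because the appliance does not verify the identity of the SSH server it uploads to, the check has to be done by the operator: confirm the server's host key fingerprint out of band before entering its IP address in the backup settings. The following added example, not part of the guide or of Infoblox's code, computes the OpenSSH-style SHA256 fingerprint from a known_hosts record and compares it with the fingerprint the server administrator reports. The known_hosts line is constructed from a dummy ssh-ed25519 key, and the host address 10.1.5.20 is a placeholder.

```python
"""Verify an SSH backup server's host key record before pointing the appliance
at it (added example, not Infoblox code). NIOS does not check the SCP server's
host key, so the operator confirms out of band that the key on record matches
the fingerprint the server's administrator reports."""
import base64
import hashlib


def parse_known_hosts_line(line):
    """Split 'host keytype base64key [comment]' into (host, key_type, blob)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    host, key_type, key_b64 = fields[0], fields[1], fields[2]
    return host, key_type, base64.b64decode(key_b64, validate=True)


def sha256_fingerprint(key_blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_type_in_blob(key_blob):
    """The wire-format blob starts with a length-prefixed key type string;
    it must agree with the declared type (cheap sanity check on the record)."""
    length = int.from_bytes(key_blob[:4], "big")
    return key_blob[4:4 + length].decode()


def host_key_matches(line, expected_host, expected_fingerprint):
    """True only if the record is for the expected host, is internally
    consistent, and carries the fingerprint confirmed out of band."""
    host, key_type, blob = parse_known_hosts_line(line)
    if host != expected_host:
        return False
    if key_type_in_blob(blob) != key_type:
        return False
    return sha256_fingerprint(blob) == expected_fingerprint


def make_sample_blob(key_type="ssh-ed25519", raw_key=bytes(range(32))):
    """Constructed sample key blob (dummy 32-byte key, NOT a real key)."""
    t = key_type.encode()
    return (len(t).to_bytes(4, "big") + t
            + len(raw_key).to_bytes(4, "big") + raw_key)


# Constructed known_hosts line for a placeholder backup server address
SAMPLE_LINE = "10.1.5.20 ssh-ed25519 " + base64.b64encode(make_sample_blob()).decode()

if __name__ == "__main__":
    _, _, blob = parse_known_hosts_line(SAMPLE_LINE)
    print(sha256_fingerprint(blob))
```

In practice the fingerprint to compare against comes from the server owner (or from `ssh-keygen -lf` run on the server itself), never from the first connection to an address typed from memory.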

Automatically Backing Up a Data File


Infoblox recommends that you back up your configuration files regularly, and the easiest way to accomplish this task is to configure the appliance to back up the configuration file automatically. You can choose when and how often files are backed up: weekly, daily, or hourly. When you automatically back up a configuration file on the appliance, the file is named with the format: year_month_day_time. The default time for an automatic backup is 3:00 AM. Configuration files should be backed up during the slowest period of network activity.
To automatically back up a database file on an independent appliance or grid master:
1. From the Grid perspective, click grid -> Edit -> Grid Properties.
or
From the Device perspective, click hostname -> Edit -> Device Properties.
2. In the Grid (or Device) editor, click Scheduled Backups.
3. In the Scheduled Backups section, enter the following information:
Backup: Choose the destination of the backup file from the first drop-down list (LOCAL, TFTP, FTP, SCP) and how often to back up the file from the second drop-down list (Weekly, Daily, Hourly). By default, a grid master generates a backup file and saves it locally in its own storage daily at 3:00 AM. Be aware that backing up the grid and saving it locally on an hourly basis increases the turnover of files stored on the grid master. Backing it up hourly to a remote server increases the overall amount of traffic on your network.
Weekday: (Weekly Only) Choose a day from the Weekday drop-down list, an hour from the Hours drop-down list, and a minute from the Minutes drop-down list. The grid master then creates a backup file at that time and day every week.
Hours [0-23]: (Weekly and Daily) Type the hour when you want the grid master to create a backup file.
Minutes [0-59]: (Weekly, Daily, Hourly) Type the minute when you want the grid master to create a backup file.
User Name: (FTP and SCP) Type the user name for your FTP or SCP account.
Password: (FTP and SCP) Type the password for your FTP or SCP account.
Retype Password: (FTP and SCP) Type the password for your FTP or SCP account again to confirm its accuracy.
Backup Host IP: (FTP, TFTP, and SCP) Type the IP address of the FTP, TFTP, or SCP server where you want the grid master to send the backup file.


Backing Up and Restoring a Configuration File

Directory Path: Type a directory path, for example: /archive/backups. The directory and file names cannot have spaces. The directory path must contain forward slashes (/). The folder or directory you type must already exist on the specified server.
Disable schedule backups: Select this check box if you want to disable automatic backups from occurring, but want to save the settings for future use.
4. Click the Save icon.
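The Scheduled Backups fields above carry several cross-field rules (a weekday only for weekly schedules, credentials only for FTP and SCP, a host IP and a slash-separated path without spaces for every remote destination). As an added example that is not part of the guide or of Infoblox's code, the following validator applies those rules to a settings dictionary before it is committed, and separately flags the destinations the guide describes as sending data in clear text. The dictionary keys are assumed names chosen for this example, not NIOS identifiers.

```python
"""Validate NIOS-style scheduled backup settings (added example, not
Infoblox code). Field rules follow the Scheduled Backups section of the
guide; the dictionary keys are names assumed for this example."""
import ipaddress

DESTINATIONS = {"LOCAL", "TFTP", "FTP", "SCP"}
FREQUENCIES = {"Weekly", "Daily", "Hourly"}
WEEKDAYS = {"Sunday", "Monday", "Tuesday", "Wednesday",
            "Thursday", "Friday", "Saturday"}


def clear_text_risk(destination):
    """TFTP has no authentication or encryption; FTP sends the password and
    file contents in clear text. SCP (SSH) and LOCAL do not expose them."""
    return destination in ("TFTP", "FTP")


def validate_schedule(cfg):
    """Return a list of problems; an empty list means the settings are usable."""
    problems = []
    dest = cfg.get("backup", "LOCAL")
    freq = cfg.get("frequency", "Daily")
    if dest not in DESTINATIONS:
        problems.append(f"unknown destination {dest!r}")
    if freq not in FREQUENCIES:
        problems.append(f"unknown frequency {freq!r}")
    if freq == "Weekly" and cfg.get("weekday") not in WEEKDAYS:
        problems.append("weekly backups need a weekday")
    if freq in ("Weekly", "Daily"):
        hour = cfg.get("hours", 3)          # 3:00 AM is the guide's default
        if not (isinstance(hour, int) and 0 <= hour <= 23):
            problems.append("hours must be 0-23")
    minute = cfg.get("minutes", 0)
    if not (isinstance(minute, int) and 0 <= minute <= 59):
        problems.append("minutes must be 0-59")
    if dest in ("FTP", "SCP"):
        if not cfg.get("user_name"):
            problems.append(f"{dest} needs a user name")
        password, again = cfg.get("password"), cfg.get("retype_password")
        if not password or password != again:
            problems.append(f"{dest} needs a password that matches its retype")
    if dest != "LOCAL":
        try:
            ipaddress.ip_address(cfg.get("backup_host_ip", ""))
        except ValueError:
            problems.append(f"{dest} needs a valid backup host IP")
        path = cfg.get("directory_path", "")
        if " " in path or "\\" in path:
            problems.append("directory path must use forward slashes and contain no spaces")
    return problems


if __name__ == "__main__":
    # Constructed sample: weekly SCP backup to a placeholder server address
    sample = {"backup": "SCP", "frequency": "Weekly", "weekday": "Sunday",
              "hours": 3, "minutes": 0, "user_name": "backup",
              "password": "s3cret", "retype_password": "s3cret",
              "backup_host_ip": "10.1.5.20", "directory_path": "/archive/backups"}
    print(validate_schedule(sample), clear_text_risk(sample["backup"]))
```

The existence of the target directory and the account's write permission cannot be checked offline; those remain things to confirm on the server before the first scheduled run.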

Downloading a Backup File


You can save an existing backup file, or create and save a new one, to your local management system, TFTP server, FTP server, or SCP server.
To back up a grid or an independent appliance or HA pair to your management system:
1. For a grid: From the Grid perspective, click Grid -> Backup -> to Local File.
or
For an independent appliance or HA pair: From the Device perspective, click Device -> Backup -> to Local File.
2. To back up the current configuration and data set, choose None, and then click OK. To download a previously made backup file (automatically created through the scheduled backup feature), choose the backup file name, and then click OK.
3. Navigate to the directory on your local management system where you want to save the backup file, rename the file if you like (by default, it is named database.tar.gz), and then click Save or OK.
To back up a grid or an independent appliance or HA pair to a TFTP server:
1. From the Grid perspective, click Grid -> Backup -> to TFTP Server.
or
From the Device perspective, click Device -> Backup -> to TFTP Server.
2. Enter the following in the TFTP Backup dialog box:
Existing backup files: To back up the current configuration and data set, choose None. To download a previously made backup file (made using the scheduled backup feature), choose the backup file name.
File name on TFTP server: You can enter a file name or leave this field blank if you are downloading a previously made backup file and want to use that name. A NIOS appliance names backup files by concatenating the grid name or hostname with the date and time it creates the file. If you enter a file name, it cannot contain spaces.
IP address of TFTP Server: Type the IP address of the TFTP server.
3. To download the specified backup file to the specified TFTP server, click OK.
To back up a grid or an independent appliance or HA pair to an FTP server:
1. From the Grid perspective, click Grid -> Backup -> to FTP Server.
or
From the Device perspective, click Device -> Backup -> to FTP Server.
2. Enter the following in the FTP Backup dialog box:
Existing backup files: To back up the current configuration and data set, choose None. To download a previously made backup file (made using the scheduled backup feature), choose the backup file name.
File name on FTP server: You can enter the directory path and name for the backup file. If you enter a directory path and file name, the directory and file names must not contain spaces and you must use forward slashes; for example, archive/backup. If you do not specify a directory path, the appliance uploads the backup file to the root directory. You can leave this field blank if you are downloading a previously generated backup file and want to use that name. A NIOS appliance names backup files by concatenating the grid name or host name with the date and time it creates the file.
IP address of FTP server: Type the IP address of the FTP server.


Username on FTP server: Type the user name for your FTP account. This account must have write permission to the directory to which the appliance uploads the backup file.
Password on FTP server: Type the password for your FTP account in this field and in the Re-type Password on FTP server field.
3. To download the specified backup file to the specified FTP server, click OK.
To back up a grid or an independent appliance or HA pair to an SCP server:
1. From the Grid perspective, click Grid -> Backup -> to SCP Server.
or
From the Device perspective, click Device -> Backup -> to SCP Server.
2. Enter the following in the SCP Backup dialog box:
Existing backup files: To back up the current configuration and data set, choose None. To download a previously made backup file (made using the scheduled backup feature), choose the backup file name.
File name on SCP server: You can enter the directory path and name for the backup file. If you enter a directory path and file name, the directory and file names must not contain spaces and you must use forward slashes; for example, archive/backup. If you do not specify a directory path, the appliance uploads the backup file to the root directory. You can leave this field blank if you are downloading a previously made backup file and want to use that name. A NIOS appliance names backup files by concatenating the grid name or hostname with the date and time it creates the file.
IP address of SCP server: Type the IP address of the SCP server.
Username on SCP server: Type the user name for your SCP account. This account must have write permission to the directory to which the appliance uploads the backup file.
Password on SCP server: Type the password for your SCP account in this field and in the Re-type Password on SCP server field.
3. To download the specified backup file to the specified SCP server, click OK.


Restoring a Configuration File


You can restore a configuration file from an appliance running software modules v3.1r4 or later, or v3.2, to an appliance running software modules v3.2.x and later. You can restore an existing configuration file on the appliance from which it originated, or restore a configuration file from a different appliance (referred to as a forced restore). The procedure presented below allows you to restore a configuration file to the same appliance from which it was originally backed up. To load a configuration file backed up from a different appliance, see Loading a Configuration File on a Different Appliance on page 256. You must log in with a superuser account to back up and restore files.
There are three ways to restore a configuration file:
- From a local directory or the management system used to operate the appliance.
- From a TFTP server.
- From a remote server using FTP. This option requires that you have a valid user name and password for the FTP server prior to attempting to back up or restore.

To restore a configuration file to the same independent appliance or grid master:
1. From the Grid perspective, click Grid -> Restore Grid -> From Local File or From TFTP Server or From FTP Server or From Grid Master.
or
From the Device perspective, click Device -> Restore Device -> From Local File or From TFTP Server or From FTP Server or From Grid.
2. Do one of the following:
From Local File: Navigate to the location of the configuration file, select the file, and then click OK.
or
From TFTP Server: In the Restore Grid From TFTP dialog box, enter the following, and then click OK:
TFTP Server IP Address: Type the IP address of the TFTP server in whose root directory the backup file is stored.
File Name: Type the name of the backup file. (Because the file must be in .tar.gz format, the file type is included as a read-only extension of the file name.)
File Path: Type the directory path to where the backup file is stored.
or
From FTP Server: In the Restore Grid From FTP dialog box, enter the following, and then click OK:
FTP Server IP address: Type the IP address of the FTP server in whose root directory the backup file is stored.
File Name: Type the name of the backup file. Do not include .tar.gz at the end of the file name.
User Name: Type the name of the FTP server account.
Password: Type the password of the FTP server account.
Retype Password: To ensure accuracy, type the account password again.
File Path: Type the directory path to where the backup file is stored.
or
From Grid Master: Select a configuration file from the drop-down list, and then click OK.
3. When the Confirm Grid Restore message appears, click OK to load the configuration file. After the file loads, the appliance reboots.
4. Close your current browser window or JWS (Java Web Start) application, wait a few minutes, and then reconnect to the NIOS appliance.


Loading a Configuration File on a Different Appliance


When you force restore a NIOS appliance, you load a configuration file saved from one appliance onto a different appliance. To restore a configuration file to the same appliance or grid master, use the Restore function explained in Restoring a Configuration File on page 255.
To load a configuration file from one appliance onto a different appliance:
1. From the Grid perspective, click Grid -> Force Restore Grid -> From Local File or From TFTP Server or From FTP Server or From Grid Master.
or
From the Device perspective, click Device -> Force Restore Device -> From Local File or From TFTP Server or From FTP Server or From Grid.
2. Do one of the following:
From Local File: In the Force Restore Grid From Local File dialog box, indicate whether you want the appliance to keep its current grid master IP settings or to obtain its IP settings from the backup, and then click OK. Navigate to the location of the configuration file, select the file, and then click OK.
or
From TFTP Server: In the Force Restore Grid From TFTP dialog box, enter the following, and then click OK:
TFTP Server IP Address: Type the IP address of the TFTP server in whose root directory the backup file is stored.
File Name: Type the name of the backup file. (Because the file must be in .tar.gz format, the file type is included as a read-only extension of the file name.)
File Path: Type the directory path to where the backup file is stored.
Grid Master IP Address Option: Indicate whether you want the appliance to keep its current grid master IP settings or to obtain its IP settings from the backup.
or
From FTP Server: In the Force Restore Grid From FTP dialog box, enter the following, and then click OK:
FTP Server IP address: Type the IP address of the FTP server in whose root directory the backup file is stored.
File Name: Type the name of the backup file. Do not include .tar.gz at the end of the file name.
User Name: Type the name of the FTP server account.
Password: Type the password of the FTP server account.
Retype Password: To ensure accuracy, type the account password again.
File Path: Type the directory path to where the backup file is stored.
Grid Master IP Address Option: Indicate whether you want the appliance to keep its current grid master IP settings or to obtain its IP settings from the backup.
or
From Grid: In the Force Restore From Grid Master dialog box, enter the following, and then click OK:
Select a backup file from the drop-down list.
Grid Master IP Address Option: Indicate whether you want the appliance to keep its current grid master IP settings or to obtain its IP settings from the backup.

3. When the Confirm Grid Restore confirmation message appears, click OK to load the backup file. After the file loads, the appliance reboots.
4. Close your current browser window or JWS (Java Web Start) application, wait a few minutes, and then reconnect to the NIOS appliance.


Downloading a Support Bundle


When you need assistance troubleshooting a NIOS appliance, you can log in to the appliance as a superuser, download the support bundle of the appliance, and send it to Infoblox Support for analysis. A support bundle is a tar.gz file that contains configuration files and the appliance system files. You can download a support bundle for an independent appliance and for each member in a grid. When you download a support bundle for an HA pair, it includes the files of both nodes in the HA pair. By default, the appliance includes the following files in the support bundle: core files, log files, VitalQIP files (if a VitalQIP license is installed on the appliance). Because core files can be quite large and take a significant amount of time to download, Infoblox recommends that you include core files in the support bundle only when requested by Infoblox Support.
To download a support bundle:
1. From the Grid perspective, click + (for grid) -> + (for Members) -> grid_member -> Tools -> Download Support Bundle.
or
From the Device perspective, click hostname -> Tools -> Download Support Bundle.
2. In the Download Support Bundle dialog box, select which files you would like to include in the support bundle, and then click OK:
Core Files: Infoblox recommends that you include these files only when requested by Infoblox Support.
Log Files: Infoblox recommends that you always include these files in the support bundle.
QIP: If a VitalQIP license is installed on the appliance, include the VitalQIP files in the support bundle.
3. In the Save as... dialog box, navigate to where you want to save the file and change the file name. Do not change the .tar.gz file extension in the file name.
4. Send this file to Support in an e-mail message.


Part 2 Appliance Deployment

This section provides information about deploying and managing independent appliances and grids. It includes the following chapters:
Chapter 8, "Deploying Independent Appliances", on page 261
Chapter 9, "Deploying a Grid", on page 297


Chapter 8 Deploying Independent Appliances


This chapter explains how to deploy single independent appliances and independent HA pairs. Independent appliances run NIOS without the Grid upgrade and are deployed independently from a grid. The user guide or installation guide that ships with your product explains how to connect ethernet cables and power cords before configuring a NIOS appliance as a single independent appliance and an independent HA pair. Refer to these guides when necessary as you read this chapter. There is also cabling information for Infoblox-500, -1000, and -1200 appliances in Connecting the Ethernet Cables on page 815. The topics in this chapter include:

Independent Deployment Overview on page 262
Deploying a Single Independent Appliance on page 263
Method 1 Using the LCD on page 264
Method 2 Using the CLI on page 264
Method 3 Using the Infoblox NIOS Startup Wizard on page 266
Method 4 Using the GUI on page 267
Configuration Example: Deploying a NIOS Appliance for External DNS on page 268
Deploying an Independent HA Pair on page 275
Method 1 Using the Infoblox NIOS Startup Wizard on page 277
Method 2 Using the GUI on page 279
Configuration Example: Configuring an HA Pair for Internal DNS and DHCP on page 281
Verifying the Deployment on page 293
Single Independent Appliance on page 293
Independent HA Pair on page 293
Forcing an HA Failover on page 293
Infoblox Tools for Migrating Data on page 294
Upgrading Software on an Independent Appliance or HA Pair on page 295
Acquiring Software Upgrade Files on page 295
Distributing Software Upgrade Files on page 295
Running the Software Upgrade on page 295


Independent Deployment Overview


You can deploy NIOS appliances collectively in a grid or independently (in what is sometimes referred to as a stand-alone deployment). Although grids offer many advantages for large organizations, an independent deployment might be sufficient for smaller sites. For example, if your ISP hosts one name server to respond to external DNS queries, it might be enough to deploy a single independent NIOS appliance as the other name server, as shown in Figure 8.1.
Note: You cannot deploy a NIOS virtual appliance as a single, independent appliance.

Figure 8.1 Single Independent Appliance as an External DNS Server
(Diagram: the Internet connects to an ISP site, which hosts a secondary DNS server for the corp100.com domain, and to a firewall in front of a DMZ. In the DMZ, a NIOS appliance connected through its LAN or LAN1 port is the primary DNS server for the corp100.com domain; it answers queries from the Internet for public-facing servers in the DMZ network. A switch joins the DMZ to the internal network. Domain name: corp100.com.)
The primary and secondary name servers provide DNS protocol redundancy. If one of them cannot respond to a query for the corp100.com domain, the other can.

Using primary and secondary name servers provides DNS protocol redundancy and configuring two DHCP servers as DHCP failover peers provides DHCP protocol redundancy. However, you can only have hardware redundancy if you deploy appliances in an HA (high availability) pair. Should the active node in an HA pair fail, the passive node becomes active and begins serving data, as shown in Figure 8.2.

Figure 8.2 Independent HA Pair
(Diagram: the same situation as in Figure 8.1, but the primary DNS server is an independent HA pair, an active node and a passive node connected through their LAN (LAN1) and HA ports, to provide hardware redundancy. The ISP site hosts the secondary DNS server; the firewall fronts the DMZ, and a switch joins the DMZ to the internal network and the servers for public access.)
If the active node fails, the passive node becomes active and continues serving DNS.

The following sections describe the procedures for deploying independent appliances singly and in HA pairs.


Deploying a Single Independent Appliance


To deploy a single independent NIOS appliance, you cable its LAN or LAN1 port to the network and change its default IP settings so that it can connect to its surrounding IP address space. The default LAN settings are as follows:
IP address: 192.168.1.2
Netmask: 255.255.255.0
Gateway: 192.168.1.1

Note: On Infoblox-500, -1000, and -1200 appliances, the LAN port is labeled LAN. On Infoblox-250, -550, -550-A, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000 appliances, use the port labeled LAN1. Infoblox provides the following methods for performing a basic configuration to deploy a single independent appliance:

Method 1 Using the LCD


Requirements: Physical access to a powered up NIOS appliance Advantage: You do not need any other equipment.

Method 2 Using the CLI


Requirements: A serial connection from your management system to the console port on the NIOS appliance (You can also enable remote console access so that you can use the CLI over a network connection. For information, see Enabling Remote Console Access on page 139.) Advantage: You do not have to change the IP address of the management system to connect to the NIOS appliance.

Method 3 Using the Infoblox NIOS Startup Wizard


Requirements: An HTTPS connection from your management system to the LAN or LAN1 port on the NIOS appliance Advantage: The wizard provides step-by-step guidance for changing not only IP settings for the LAN or LAN1 port, but also changing the appliance host name and admin password, setting the system clock, andif using NTP (Network Time Protocol)enabling the NIOS appliance to be an NTP server.

Method 4 Using the GUI


Requirements: An HTTPS connection from your management system to the LAN or LAN1 port on the NIOS appliance Advantage: If you have logged in previously and disabled the startup wizard, you can still use the GUI to configure the LAN network settings.

These methods are explained in the following subsections. After you set the network settings, you can then migrate data and settings from legacy DNS and DHCP servers to the NIOS appliances. Several tools and methods are available for migrating data and configuration settings. For a list of the available options, see Infoblox Tools for Migrating Data on page 294.


Method 1 Using the LCD


NIOS appliances have an LCD and navigation buttons on the front panel that allow you to view system status and license information as well as configure network settings for the LAN or LAN1 port.

Figure 8.3 Infoblox LCD and Navigation Buttons
(Diagram: the LCD panel and the navigation buttons are on the front of a NIOS appliance.)

You can deploy a single independent NIOS appliance by setting its LAN or LAN1 port IP address, netmask, and gateway through the LCD. This is the simplest method because you do not need anything other than physical access to the appliance to complete the initial configuration.
1. Connect the power cable from the NIOS appliance to a power source and turn on the power. At startup, the Infoblox logo appears in the LCD on the front panel of the appliance. Then the LCD scrolls repeatedly through a series of display screens.
2. To change the network settings for the LAN or LAN1 port, press one of the navigation buttons. The LCD immediately goes into input mode, in which you can enter the IP address, netmask, and gateway for the LAN or LAN1 port.
3. Use the navigation buttons to enter an IP address, netmask, and gateway address for the LAN or LAN1 port.
4. Cable the LAN or LAN1 port of the NIOS appliance to a network as described in Independent Appliance Cabling Using the LAN or Serial Port on page 815.

Method 2 Using the CLI


The Infoblox CLI allows you to make an initial network configuration through the set network command. To access the CLI, make a direct serial connection from your management system.
Note: You can also access the CLI from a remote location using an SSHv2 client. By default, remote console access (that is, SSHv2 (Secure Shell version 2) access) is disabled. You must first enable remote console access through the GUI or CLI, and then you can make an SSHv2 connection to the appliance.
1. Connect a console cable from the console port on your workstation to the male DB-9 console port on the NIOS appliance. The DB-9 pin assignments follow the EIA-232 standard. You can use the RJ-45 rollover cable and two female RJ-45-to-female DB-9 adapters that ship with the appliance, or a female DB-9-to-female DB-9 null modem cable.


Figure 8.4 Console Connection
(Diagram: the male DB-9 console port of the management system connects to the male DB-9 console port of the NIOS appliance using either the RJ-45 rollover cable with two RJ-45-to-female DB-9 adapters that ships with every appliance, or a female DB-9-to-female DB-9 null modem cable. The appliance is connected to a power source.)

2. Using a serial terminal emulation program such as Hilgraeve Hyperterminal (provided with Windows operating systems), launch a session. The connection settings are:
Bits per second: 9600
Data bits: 8
Parity: None
Stop bits: 1
Flow control: Xon/Xoff
3. Log in using the default user name and password, admin and infoblox. User names and passwords are case-sensitive.
4. To change the network settings from the default, enter the set network command. Then enter information as prompted to change the IP address, netmask, and gateway for the LAN or LAN1 port.
Note: In the following commands, the variable ip_addr1 is the IP address of the LAN or LAN1 port and ip_addr2 is the IP address of the gateway for the subnet on which you set the ip_addr1 address.
    Infoblox > set network
    NOTICE: All HA configuration is performed from the GUI. This interface is used only to configure a standalone node or to join a grid.
    Enter IP address: ip_addr1
    Enter netmask: [Default: 255.255.255.0]: netmask
    Enter gateway address [Default: n.n.n.1]: ip_addr2
    Become grid member? (y or n): n

After you confirm your network settings, the Infoblox application automatically restarts.
5. Cable the LAN or LAN1 port to a network as described in Independent Appliance Cabling Using the LAN or Serial Port on page 815.


Method 3 Using the Infoblox NIOS Startup Wizard


When you first make an HTTPS connection to a NIOS appliance, the Infoblox NIOS Startup Wizard appears. To ease the initial configuration process, the wizard guides you through various deployment options and basic network settings, and presents opportunities for changing the password of the superuser admin and for setting the system clock. To make an HTTPS connection to the appliance, you must be able to reach its IP address from your management system.
Note: If you have already set the IP address of the LAN or LAN1 port through the LCD or CLI so that you can reach it over the network, and you have already cabled the appliance to the network, you can skip the first step.
1. If you have not changed the default IP address (192.168.1.2/24) of the LAN or LAN1 port through the LCD or CLI, and the subnet to which you connect the appliance does not happen to be 192.168.1.0/24, put your management system in the 192.168.1.0/24 subnet and connect an ethernet cable between your management system and the NIOS appliance.
2. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port. (To reach the default IP address, enter: https://192.168.1.2) Several certificate warnings appear during the login process. This is normal because the preloaded certificate is self-signed (and, therefore, is not in the trusted certificate stores in your browser, Java application, and Java Web Start application) and has the hostname www.infoblox.com, which does not match the destination IP address you entered in step 1. To stop the warning messages from occurring each time you log in to the GUI, you can generate a new self-signed certificate or import a third-party certificate with a common name that matches the FQDN (fully qualified domain name) of the appliance. This is a very simple process. For information about certificates, see Managing Certificates on page 51.
3. Click LAUNCH DEVICE MANAGER.
4. Log in to the NIOS appliance.
The default login name and password are admin and infoblox. For detailed information about logging in to the GUI, see Accessing the Infoblox GUI on page 41. The Infoblox NIOS Startup Wizard appears. The first screen provides basic information about the wizard, and the second screen displays license agreement information.
5. Beginning on the third screen, enter the following, where:
ip_addr1 and netmask are the IP address and netmask of the LAN or LAN1 port
ip_addr2 is the IP address of the gateway for the subnet on which the LAN or LAN1 port is set
hostname is a valid domain name for the appliance
string is a single alphanumeric string (no spaces) for a password that is at least four characters long
ip_addr3 is the IP address of an NTP server

Wizard Screen                       Enter or Select
Deployment Type                     Independent Device or HA Pair
Independent Device Deployment Type  Independent Device
Network Settings                    IP Address: ip_addr1
                                    Netmask: netmask
                                    Gateway: ip_addr2
                                    Host Name: hostname
Admin Account Password              Change Admin Password: (select), string
Time Settings                       Enable NTP: (select)
                                    NTP Server List: ip_addr3 (click Add)
                                    Time zone: (choose the time zone for the location of the appliance)

Note: The startup wizard provides options such as not changing the default password and manually entering the time and date. However, changing the password and using an NTP server provide increased security and accuracy (respectively), and so these choices are presented above.
The last screen of the startup wizard states that the changed settings require the application to restart. When you click Finish, it restarts.
6. Open a new web browser instance and make an HTTPS connection to the new IP address of the LAN or LAN1 port.
7. Log back in using the default user name (admin) and your new password. When you log in the second time, you access the Infoblox GUI application. For system requirements to use the GUI, see Management System Requirements on page 41.
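The certificate warnings in step 2 come from a name mismatch: the preloaded self-signed certificate is issued to www.infoblox.com, while the browser was pointed at an IP address. The following added example, not part of the guide or of Infoblox's code, shows the check a browser performs, using the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns; it also covers subjectAltName entries and a single-label wildcard, so it goes beyond the CN-only case in the text. Both certificate dictionaries are constructed for the example (the replacement certificate uses the example host ns1.corp100.com and address 10.1.5.2 from this chapter); neither is a real certificate.

```python
"""Decide whether a server certificate's names cover the address typed in the
browser (added example, not Infoblox code). The cert dict has the shape that
ssl.SSLSocket.getpeercert() returns; the sample certificates are constructed."""
import ipaddress


def cert_names(cert):
    """Collect DNS and IP names: subjectAltName entries if present, otherwise
    the subject commonName as the fallback older clients use."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    dns.append(value.lower())
    return dns, ips


def dns_name_matches(pattern, host):
    """RFC 6125-style match: only a single leading wildcard label is allowed,
    and it must match exactly one label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                    # ".corp100.com"
        return (host.endswith(suffix)
                and len(host) > len(suffix)
                and "." not in host[:-len(suffix)])
    return pattern == host


def cert_matches_target(cert, target):
    """target is what was typed in the URL: an IP literal or a host name.
    An IP literal only matches an IP Address SAN, never a DNS name or CN."""
    dns, ips = cert_names(cert)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(dns_name_matches(p, target) for p in dns)
    return any(ipaddress.ip_address(i) == ip for i in ips)


# Constructed: resembles the preloaded self-signed certificate (CN only)
SAMPLE_PRELOADED_CERT = {
    "subject": ((("commonName", "www.infoblox.com"),),),
    "issuer": ((("commonName", "www.infoblox.com"),),),
}

# Constructed: what an operator-issued replacement certificate would carry
SAMPLE_REPLACEMENT_CERT = {
    "subject": ((("commonName", "ns1.corp100.com"),),),
    "subjectAltName": (("DNS", "ns1.corp100.com"), ("IP Address", "10.1.5.2")),
}

if __name__ == "__main__":
    print(cert_matches_target(SAMPLE_PRELOADED_CERT, "192.168.1.2"))   # the warning case
    print(cert_matches_target(SAMPLE_REPLACEMENT_CERT, "ns1.corp100.com"))
```

The practical consequence matches the guide's advice: a replacement certificate whose name is the appliance FQDN (and, if administrators connect by address, an IP Address SAN) removes the warnings, and with them the habit of clicking through them.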

Method 4 Using the GUI


To deploy a single independent appliance through the GUI, make an HTTPS connection to the appliance and then bypass the startup wizard. (The following procedure assumes that the appliance has the DNSone package installed.)
1. If you have not changed the default IP address (192.168.1.2/24) of the LAN or LAN1 port through the LCD or CLI, and the subnet to which you connect the appliance does not happen to be 192.168.1.0/24, put your management system in the 192.168.1.0/24 subnet and connect an ethernet cable between your management system and the NIOS appliance.
Note: The ethernet ports on the Infoblox-250, -550, -550-A, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000 appliances are autosensing, so you can use either a straight-through or cross-over ethernet cable for this connection. For the Infoblox-500, -1000, and -1200 appliances, use a cross-over ethernet cable to connect the appliance to your management system and a straight-through ethernet cable to connect the appliance to a switch.
2. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port. To reach the default IP address, enter: https://192.168.1.2. For detailed information on logging in to the GUI, see Accessing the Infoblox GUI on page 41.
3. Click LAUNCH DEVICE MANAGER.
4. Log in using the default user name (admin) and password (infoblox). The Infoblox NIOS Startup Wizard appears.
5. To bypass the wizard, click Cancel or the Close button.
6. From the Device perspective, click infoblox.localdomain -> Edit -> Device Properties.
7. In the Device editor, click Device Properties, and then enter the following network settings:
Host Name: Type the FQDN (fully qualified domain name) of the appliance.
(V)IP Address: Type the IP address of the LAN or LAN1 port.
Subnet Mask: Choose the netmask for the subnet to which the LAN or LAN1 port connects.
Gateway: Type the IP address of the default gateway of the subnet to which the LAN or LAN1 port connects.
Comment: Enter information about the appliance, such as its location.
8. Click Save, and then close the management window.
9. Initiate a new management session, and log in to the appliance using its new IP address.
NIOS 4.3r4 Infoblox Administrator Guide (Rev. A) 267

Deploying Independent Appliances

Configuration Example: Deploying a NIOS Appliance for External DNS


In this example, you configure the NIOS appliance as the external primary DNS server for corp100.com. Its FQDN (fully-qualified domain name) is ns1.corp100.com. The interface IP address of the LAN1 port is 10.1.5.2/24. Because this is a private IP address, you must also configure the firewall to perform NAT (network address translation), mapping the public IP address 1.1.1.2 to 10.1.5.2. Using its public IP address, ns1 can communicate with appliances on the public network. The FQDN and IP address of the external secondary DNS server are ns2.corp100.com and 2.2.2.2. The ISP hosts this server. The primary and secondary servers answer queries for the following public-facing servers in the DMZ:
www.corp100.com
mail.corp100.com
ftp.corp100.com

When you create the corp100.com zone on the NIOS appliance, you import zone data from the legacy DNS server at 10.1.5.3.

Figure 8.5 Example 1 Network Diagram

[Figure 8.5 shows the example topology. On the Internet side are the ISP, the external secondary DNS server ns2 (2.2.2.2), and the NTP server (3.3.3.3). The firewall has ethernet1 at 1.1.1.1/24 facing the Internet and ethernet2 at 10.1.5.1/24 facing the DMZ, and performs NAT: 1.1.1.2 > 10.1.5.2, 1.1.1.5 > 10.1.5.5, 1.1.1.6 > 10.1.5.6, 1.1.1.7 > 10.1.5.7. The DMZ network 10.1.5.0/24, behind a switch, contains the NIOS appliance ns1 (10.1.5.2, the external primary DNS server, in the Pacific time zone, UMT-8:00), the legacy primary DNS server ns1 (10.1.5.3, replaced by the NIOS appliance), www (10.1.5.5), mail (10.1.5.6), and ftp (10.1.5.7), with a link to the internal network.]

The NIOS appliance is the external primary DNS server for the corp100.com domain. It answers queries from the Internet for the three public-facing servers in the DMZ network:
www.corp100.com
mail.corp100.com
ftp.corp100.com


Cable the Appliance to the Network and Turn On Power


Connect an ethernet cable from the LAN1 port of the NIOS appliance to a switch in the DMZ network and turn on the power. For information about installing and cabling the appliance, refer to the user guide or installation guide that ships with the product.

Specify Initial Network Settings


Before you can configure the NIOS appliance through the GUI, you must be able to make a network connection to it. The default network settings of the LAN1 port are 192.168.1.2/24 with a gateway at 192.168.1.1 (the HA and MGMT ports do not have default network settings). To change these settings to suit your network, use either the LCD or the console port. In this example, you change the IP address/netmask of the LAN1 port to 10.1.5.2/24, and the gateway to 10.1.5.1.

LCD
The NIOS appliance has an LCD and navigation buttons on its front panel. At startup, the Infoblox logo appears in the LCD on the front panel of the appliance. Then the LCD scrolls repeatedly through a series of display screens.
1. To change the network settings from the default, press one of the navigation buttons. The LCD immediately goes into input mode, in which you can enter the IP address, netmask, and gateway for the LAN1 port.
2. Use the navigation buttons to enter the following information:
   IP Address: 10.1.5.2
   Netmask: 255.255.255.0
   Gateway: 10.1.5.1

Console Port
The NIOS appliance has a male DB-9 console port on the front panel. You can log in to the appliance through this port and specify initial network settings using the Infoblox CLI.
1. Connect a console cable from the console port of the management system to the console port of the NIOS appliance.
2. Access the Infoblox CLI. For more information about the Infoblox CLI, refer to the Infoblox CLI Guide.
3. To change the network settings from the default, enter the set network command. Then enter information as prompted to change the IP address, netmask, and gateway for the LAN1 port.

   Infoblox > set network
   NOTICE: All HA configuration is performed from the GUI.
   This interface is used only to configure a standalone node or to join a grid.
   Enter IP address: 10.1.5.2
   Enter netmask: [Default: 255.255.255.0]:
   Enter gateway address [Default: 10.1.5.1]:
   Become grid member? (y or n): n

After you confirm your network settings, the appliance automatically restarts.


Specify Appliance Settings


When you make the initial HTTPS connection to the NIOS appliance, you see the Appliance Startup Wizard, which guides you through the basic deployment of the appliance on your network. Use the wizard to enter the following information:
Deployment: single independent appliance
Host name: ns1.corp100.com
Password: SnD34n534
NTP (Network Time Protocol) server: 3.3.3.3; time zone: (UMT-8:00) Pacific Time (US and Canada), Tijuana

1. Open a browser window and enter https://10.1.5.2.
2. Accept the certificate when prompted. Several certificate warnings appear during the login process. This is normal because the preloaded certificate is self-signed (and, therefore, is not in the trusted certificate stores in your browser, Java application, and Java Web Start application) and has the hostname www.infoblox.com, which does not match the destination IP address you entered in step 1. To stop the warning messages from occurring each time you log in to the GUI, you can generate a new self-signed certificate or import a third-party certificate with a common name that matches the FQDN (fully-qualified domain name) of the appliance. This is a very simple process. For information about certificates, see Managing Certificates on page 51.
3. Click LAUNCH DEVICE MANAGER.
4. If the browser prompts you for an application to use, see Accessing the Infoblox GUI on page 41.
5. Log in using the default user name and password, admin and infoblox.
   Note: User names and passwords are case-sensitive.
6. The Infoblox Appliance Startup Wizard opens with a splash screen that provides basic information about the wizard, and then displays license agreement information. Beginning on the third screen, enter the following:
   Wizard Screen: Enter or Select
   Deployment type: Standalone
   Node type: Standalone appliance
   Node information: Host name: ns1.corp100.com
   Default password: Change admin's password: (select), SnD34n534
   Time settings: Enable NTP: (select); NTP Server: 3.3.3.3 (click Add); Time zone: (UMT-8:00) Pacific Time (US and Canada), Tijuana

   The last screen of the wizard states that the changed settings require the application to restart. When you click Finish, the Infoblox GUI application restarts.
7. Log back in to the appliance. When you log in the second time, you access the Infoblox GUI application. For system requirements to use the GUI, see Management System Requirements on page 41.


Define a NAT Address


Because the firewall translates the public IP address 1.1.1.2 to the interface IP address 10.1.5.2, all DNS queries originating outside the firewall use 1.1.1.2 (not 10.1.5.2) to reach the NIOS appliance. Accordingly, you must configure the appliance to indicate to other external DNS servers that its address is 1.1.1.2.

1. From the Device perspective, click ns1.corp100.com -> Edit -> Device Properties.
2. In the Device editor, click NAT and enter the following:
   Enable NAT compatibility: Select check box.
   Group: None
   NAT (V)IP Address: 1.1.1.2
3. Click the Save icon.

The glue record is an A record for a name server. The appliance automatically generates the A record for ns1.corp100.com using either the interface address or the NAT address (if configured). To verify that the A record uses the NAT address (1.1.1.2) instead of the interface address (10.1.5.2):

1. Click DNS to open the DNS perspective, and then click DNS Members -> + (for Infoblox) -> ns1.corp100.com -> Edit -> Member DNS Properties.
2. In the Member DNS Properties editor, click General.
3. In the table labelled Possible views for member, select the default view and click Modify.
4. In the Select Member Address dialog box, select NAT IP address.
5. Click the Save and Restart Services icons.
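To check the outcome of the NAT setting described above, here is an added Python example (not NIOS code or anything from the guide): it picks the address the appliance should publish in its own glue record and scans the glue of an external zone for name servers whose A record is missing or carries an address that is not globally routable, which is how the 10.1.5.2 interface address would look to resolvers on the Internet. The before-and-after record sets are constructed for the example.

```python
import ipaddress

# Constructed glue data for the example (not the appliance's own database):
# the zone's name servers and their A records before and after enabling NAT
# compatibility on ns1.
NS_NAMES = ["ns1.corp100.com.", "ns2.corp100.com."]
GLUE_BEFORE_NAT = [("ns1.corp100.com.", "10.1.5.2"), ("ns2.corp100.com.", "2.2.2.2")]
GLUE_AFTER_NAT = [("ns1.corp100.com.", "1.1.1.2"), ("ns2.corp100.com.", "2.2.2.2")]


def glue_address(interface_ip, nat_ip=None):
    """Address to publish in the appliance's own glue A record: the NAT address
    when NAT compatibility is configured, otherwise the interface address."""
    return nat_ip or interface_ip


def public_zone_glue_problems(ns_names, a_records):
    """Return (ns_name, address, reason) tuples for name servers of an
    external zone whose glue is absent or not reachable from the Internet."""
    a_by_name = {}
    for name, ip in a_records:
        a_by_name.setdefault(name.lower().rstrip("."), []).append(ip)
    problems = []
    for ns in ns_names:
        addrs = a_by_name.get(ns.lower().rstrip("."))
        if not addrs:
            problems.append((ns, None, "no glue A record"))
            continue
        for ip in addrs:
            # Private (RFC 1918), loopback, link-local and similar ranges are
            # not globally routable; publishing them in an external zone makes
            # the name server unreachable for outside resolvers.
            if not ipaddress.ip_address(ip).is_global:
                problems.append((ns, ip, "address is not globally routable"))
    return problems


if __name__ == "__main__":
    print(glue_address("10.1.5.2", "1.1.1.2"))
    print(public_zone_glue_problems(NS_NAMES, GLUE_BEFORE_NAT))
    print(public_zone_glue_problems(NS_NAMES, GLUE_AFTER_NAT))
```

Run on the constructed sets, the check reports ns1 with 10.1.5.2 before NAT compatibility is enabled and nothing afterwards, which is the result the GUI verification steps above are meant to confirm.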

Enable Zone Transfers on the Legacy Name Server


To allow the appliance to import zone data from the legacy server at 10.1.5.3, you must configure the legacy server to allow zone transfers to the appliance at 10.1.5.2.

Legacy BIND Server


1. Open the named.conf file using a text editor and change the allow-transfer statement as shown below:

   For All Zones
   To set the allow-transfer statement as a global statement in the named.conf file for all zones:

   options {
       zone-statistics yes;
       directory "/var/named/named_conf";
       version "";
       recursion yes;
       listen-on { 127.0.0.1; 10.1.5.3; };
       allow-transfer { 10.1.5.2; };
       transfer-format many-answers;
   };

   For a Single Zone
   To set the allow-transfer statement in the named.conf file for the corp100.com zone:

   zone "corp100.com" in {
       type master;
       allow-transfer { 10.1.5.2; };
       notify yes;
   };

2. After editing the named.conf file, restart DNS service for the change to take effect.
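The allow-transfer statement above is what keeps a full copy of the zone from being handed to arbitrary clients, and the effective value for a zone depends on whether the zone block overrides the global options block. The following Python is an added example, not part of the guide or of BIND: it scans a named.conf text, works out the effective allow-transfer ACL for each zone, and lists zones that would serve transfers to anyone. The named.conf text is constructed for the example (it adds a lab.example zone that is not in the guide), the brace scanner is deliberately minimal (no comments or quoted braces), and the assumption that an unset ACL means "any" matches the BIND 9 default of the guide's era.

```python
import re

# Constructed named.conf (not the legacy server's file): global options restrict
# transfers to 10.1.5.2, one zone inherits that, one zone overrides it with "any".
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named/named_conf";
    recursion yes;
    listen-on { 127.0.0.1; 10.1.5.3; };
    allow-transfer { 10.1.5.2; };
    transfer-format many-answers;
};

zone "corp100.com" in {
    type master;
    file "db.corp100.com";
    notify yes;
};

zone "lab.example" in {
    type master;
    file "db.lab.example";
    allow-transfer { any; };
};
"""

_ACL_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}", re.IGNORECASE)


def _top_level_blocks(text):
    """Yield (header, body) for each top-level 'header { body };' statement.

    A brace-depth scan is enough for the constructed sample; it does not handle
    comments or braces inside quoted strings.
    """
    depth, start, header_start = 0, None, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and start is not None:
                header = text[header_start:start - 1].strip().lstrip(";").strip()
                yield header, text[start:i]
                header_start, start = i + 1, None


def _acl_entries(body):
    """Entries of the first allow-transfer statement in a block body, or None."""
    m = _ACL_RE.search(body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def effective_transfer_acls(conf_text):
    """Map zone name -> (acl_entries, source), where source is 'zone' (set in
    the zone block), 'options' (inherited) or 'default' (nothing set; assumed
    to mean any host, the BIND 9 default when this guide was written)."""
    global_acl, zone_acls = None, {}
    for header, body in _top_level_blocks(conf_text):
        if header.startswith("options"):
            global_acl = _acl_entries(body)
        elif header.startswith("zone"):
            zone_acls[header.split('"')[1]] = _acl_entries(body)
    result = {}
    for name, acl in zone_acls.items():
        if acl is not None:
            result[name] = (acl, "zone")
        elif global_acl is not None:
            result[name] = (global_acl, "options")
        else:
            result[name] = (["any"], "default")
    return result


def open_transfer_zones(conf_text):
    """Zones whose effective ACL lets any client pull a full zone copy."""
    acls = effective_transfer_acls(conf_text)
    return sorted(name for name, (acl, _) in acls.items()
                  if any(e.lower() == "any" for e in acl))


if __name__ == "__main__":
    for zone, (acl, source) in effective_transfer_acls(SAMPLE_NAMED_CONF).items():
        print(f"{zone}: {acl} (from {source})")
    print("open to any client:", open_transfer_zones(SAMPLE_NAMED_CONF))
```

A per-zone allow-transfer statement always wins over the global one, so when you follow the single-zone variant of step 1, check that no other zone block on the server carries a looser setting than the options block.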


Legacy Windows 2000/2003 Server


1. Click Start -> All Programs -> Administrative Tools -> DNS.
2. Click + (for ns1) -> + (for Forward Lookup Zones) -> corp100.com.
3. Right-click corp100.com, and then select Properties -> Zone Transfers.
4. On the Zone Transfers page in the corp100.com Properties dialog box, enter the following:
   Allow zone transfers: Select check box.
   Only to the following servers: Select.
   IP address: Enter 10.1.5.2, and then click Add.
5. To save the configuration change and close the corp100.com Properties dialog box, click OK.

Import Zone Data


You can import zone data from a legacy server or manually enter it. When you import both forward- and reverse-mapping zone data, the NIOS appliance automatically creates Infoblox host records if corresponding A and PTR records are present. You can then modify the host records to add MAC addresses. However, if you only import forward-mapping zone data, the NIOS appliance cannot create host records from just the A records. In that case, because you cannot later convert A records to host records, it is more efficient to create the corp100.com zone and define host records manually.

Infoblox host records are data models that represent IP devices within the Infoblox semantic database. The NIOS appliance uses a host object to define A, PTR, and CNAME resource records in a single object, as well as a DHCP fixed address if you include a MAC address in the host object definition. The host object prevents costly errors because you maintain only a single object for multiple DNS records and a DHCP fixed address. Therefore, it is advantageous to use host records instead of separate A, PTR, and CNAME records.

Note: If you only have forward-mapping zones on your legacy servers and you want to add reverse-mapping zones, automatically convert the A records in the imported forward-mapping zones to host records, and create reverse host records in the corresponding reverse-mapping zones, first create the reverse-mapping zones on the NIOS appliance and then import the forward-mapping zone data. The NIOS appliance automatically converts the imported A records to host records in the forward-mapping zones and creates reverse host records in the reverse-mapping zones.

You also have the option of using the Data Import Wizard for loading DNS and DHCP configurations and data. For large data sets, this option is an efficient approach. To download the Data Import Wizard, visit www.infoblox.com/support, log in with your support account, and then click the Data Import Wizard hyperlink in the DNSone section.
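The rule the paragraphs above describe, a host record only where an A record and a PTR record refer to each other, can be shown in code. The following Python is an added example, not NIOS code: it takes the A records of a forward-mapping zone and the PTR records of a reverse-mapping zone, merges matching pairs into host records, and leaves everything else as plain A or PTR records, which also shows why a forward-only import produces no host records. The record sets (www, mail, ftp and ns1 under corp100.com with addresses in 1.1.1.0/24, plus an orphan PTR) are constructed for the example, and the HostRecord class with its mac field is an assumed stand-in for the appliance's host object, not its real schema.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zone data (not the legacy server's zones): mail has no PTR,
# and 1.1.1.9 has a PTR with no matching A record.
FORWARD_A = [
    ("www.corp100.com.", "1.1.1.5"),
    ("mail.corp100.com.", "1.1.1.6"),
    ("ftp.corp100.com.", "1.1.1.7"),
    ("ns1.corp100.com.", "1.1.1.2"),
]
REVERSE_PTR = [
    ("5.1.1.1.in-addr.arpa.", "www.corp100.com."),
    ("7.1.1.1.in-addr.arpa.", "ftp.corp100.com."),
    ("2.1.1.1.in-addr.arpa.", "ns1.corp100.com."),
    ("9.1.1.1.in-addr.arpa.", "old-host.corp100.com."),
]


@dataclass
class HostRecord:
    """Assumed stand-in for an Infoblox host object: one object that yields the
    A and PTR records, and a DHCP fixed address once an administrator adds the
    MAC address."""
    name: str
    ipv4addr: str
    mac: Optional[str] = None


def ptr_name_to_ip(owner: str) -> str:
    """Turn a full IPv4 reverse-mapping owner name into the address it maps,
    e.g. '5.1.1.1.in-addr.arpa.' -> '1.1.1.5'."""
    labels = owner.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 reverse name: {owner}")
    return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def build_host_records(a_records: List[Tuple[str, str]],
                       ptr_records: List[Tuple[str, str]]):
    """Merge A and PTR records that point at each other into host records.

    a_records:   [(fqdn, ipv4), ...] from the forward-mapping zone
    ptr_records: [(reverse_owner, fqdn), ...] from the reverse-mapping zone
    Returns (hosts, leftover_a, leftover_ptr). With no PTR data every A record
    is left over, which is the forward-only case the text warns about.
    """
    ptr_target_by_ip = {ptr_name_to_ip(o): _norm(t) for o, t in ptr_records}
    hosts, leftover_a, matched = [], [], set()
    for name, ip in a_records:
        if ptr_target_by_ip.get(ip) == _norm(name):
            hosts.append(HostRecord(_norm(name), ip))
            matched.add(ip)
        else:
            leftover_a.append((_norm(name), ip))
    leftover_ptr = [(o, t) for o, t in ptr_records if ptr_name_to_ip(o) not in matched]
    return hosts, leftover_a, leftover_ptr


if __name__ == "__main__":
    hosts, a_left, ptr_left = build_host_records(FORWARD_A, REVERSE_PTR)
    print("host records:", [h.name for h in hosts])
    print("still A records:", a_left)
    print("still PTR records:", ptr_left)
    print("forward-only import gives", len(build_host_records(FORWARD_A, [])[0]), "host records")
```

Matching is on the record pair, not on the address alone: an A record whose address has a PTR pointing at a different name stays an A record, so a mismatched legacy reverse zone shows up as leftovers rather than as wrong host records.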
In this example, when you create the corp100.com forward-mapping zone, you import zone data for the existing corp100.com zone from the legacy server at 10.1.5.3. When you create the 1.1.1.0/24 reverse-mapping zone, you also import the reverse-mapping zone records from the legacy server. After the appliance has both the forward- and reverse-mapping zone data, it converts the A and PTR records to Infoblox host records.

1. Open a browser window, and log in to the appliance at https://10.1.5.2, using the user name admin and the password SnD34n534.
2. From the DNS perspective, click the DNS Views tab -> + (for DNS Views) -> + (for default) -> Forward Mapping Zones -> Edit -> Add Forward Mapping Zone -> Authoritative.
3. In the Authoritative Zone Properties section of the Add Forward Authoritative Zone editor, enter the following:
   Name: corp100.com
   Comment: External DNS zone
4. In the Primary Server Assignment section, click Select Member to open the Select Grid Member dialog box.
5. Select ns1.corp100.com, and then click OK to close the dialog box.
6. In the Secondary Server Assignment section, click Add in the External Secondaries table to open the Zone External Secondary Server Item dialog box.


7. Enter the following information, and then click OK to close the dialog box:
   Name: ns2.corp100.com
   IP Address: 2.2.2.2
   Stealth: Clear check box.
8. Click the Save and Restart Services icons.
9. Edit the zone that you just created as follows: in the DNS Views panel of the DNS perspective, click + (for Forward Mapping Zones) -> corp100.com -> Edit -> Authoritative Zone Properties.
   Note: To import zone data, you must first create a zone, save it, and then edit it.
10. In the Forward Authoritative Zone editor, click Settings and enter the following:
    E-mail address: admin@corp100.com
    Import zone from: Select check box, and enter 10.1.5.3 in the adjacent text field.
11. Click the Save icon.
12. After successfully importing the zone data, click corp100.com in the DNS Views panel. You can see all the imported forward-mapping zone data in the Records panel. Because you have not yet imported the reverse-mapping zone data, most of the records appear as A records.
13. From the DNS perspective, click DNS Views -> + (for DNS Views) -> + (for default) -> Reverse Mapping Zones -> Edit -> Add Reverse Mapping Zone -> Authoritative.
14. In the Authoritative Zone Properties section of the Add Reverse Authoritative Zone editor, enter the following:
    Network Address: 1.1.1.0
    Subnet Mask: /24 (255.255.255.0)
    Comment: External DNS zone
15. In the Primary Server Assignment section, click Select Member to open the Select Grid Member dialog box.
16. Select ns1.corp100.com, and then click OK to close the dialog box.
17. In the Secondary Server Assignment section, click Add in the External Secondaries table to open the Zone External Secondary Server dialog box.
18. Enter the following information, and then click OK to close the dialog box:
    Name: ns2.corp100.com
    IP Address: 2.2.2.2
    Stealth: Clear check box.
19. Click the Save icon.
20. In the DNS Views panel of the DNS perspective, click + (for Reverse Mapping Zones) -> 1.1.1.in-addr.arpa -> Edit -> Authoritative Zone Properties.
21. In the Authoritative Reverse Zone editor, click Settings and enter the following:
    E-mail address: admin@corp100.com
    Import zone from: Select check box, and enter 10.1.5.3 in the adjacent text field.
22. Click the Save and Restart Services icons.
23. Click 1.1.1.in-addr.arpa -> View -> Records. You can see all the imported reverse-mapping zone data in the Records panel.
24. Click corp100.com in the Forward Mapping Zones list. Because you have now imported both the forward- and reverse-mapping zone data, most of the records appear as host records.
25. Finally, you must remove the ns1 host record for the legacy server (value 1.1.1.3). To remove it, select ns1 (the host record for 1.1.1.3), and then click Edit -> Remove.


Designate the New Primary on the Secondary Name Server (at the ISP Site)
In this example, the external secondary name server is maintained by an ISP, so you must contact your ISP administrator to change the IP address of the primary (or master) name server. (If you have administrative access to the secondary name server, you can make this change yourself.) Because a firewall performing NAT exists between the secondary and primary name servers, specify the NAT address 1.1.1.2 for the primary name server instead of 10.1.5.2.

Secondary BIND Server


1. Open the named.conf file using a text editor and set ns1 (with NAT address 1.1.1.2) as the primary (or master) from which ns2 receives zone transfers in the named.conf file for the corp100.com zone (the file name must be a quoted string in named.conf):

   zone "corp100.com" in {
       type slave;
       masters { 1.1.1.2; };
       notify yes;
       file "/var/named/db.corp100.com";
   };

2. After editing the named.conf file, restart DNS service for the change to take effect.

Secondary Windows 2000/2003 Server


1. Click Start -> All Programs -> Administrative Tools -> DNS.
2. Click + (for ns2) -> + (for Forward Lookup Zones) -> corp100.com.
3. Right-click corp100.com, and then select Properties -> General.
4. On the General page in the corp100.com Properties dialog box, enter the following:
   Zone file name: corp100.com.dns
   IP address: Enter 1.1.1.2, and then click Add. In the IP Address field, select 1.1.1.3 (the NAT IP address of the legacy DNS server), and then click Remove.
5. To save the configuration change and close the corp100.com Properties dialog box, click OK.

Configure NAT and Policies on the Firewall


Change the NAT and policy settings on the firewall to allow bidirectional DNS traffic to and from ns1.corp100.com and NTP traffic from ns1.corp100.com to the NTP server at 3.3.3.3. For example, enter the following commands on a Juniper firewall running ScreenOS 4.x or later:
set address dmz ns1 10.1.5.2/32
set address untrust ntp_server 3.3.3.3/32
set interface ethernet1 mip 1.1.1.2 host 10.1.5.2
set policy from dmz to untrust ns1 any dns permit
set policy from untrust to dmz any mip(1.1.1.2) dns permit
set policy from dmz to untrust ns1 ntp_server ntp permit

At this point, the new DNS server can take over DNS service from the legacy server. You can remove the legacy server and unset any firewall policies permitting traffic to and from 10.1.5.3.


Deploying an Independent HA Pair


An independent HA (high availability) pair provides hardware redundancy for the source of your network identity services. The two nodes that form an HA pair, identified as Node 1 and Node 2, are in an active/passive configuration. The active node receives, processes, and responds to all service requests. The passive node constantly keeps its database synchronized with that of the active node, so it can take over service if a failover occurs. (A failover is basically the reversal of the active/passive roles of each node; that is, when a failover occurs, the previously active node becomes passive and the previously passive node becomes active.) Events can trigger a failover, or you can deliberately force it to happen (see Forcing an HA Failover on page 293). So that the two physical nodes can appear as a single entity on the network, they share a single VIP (virtual IP) address and virtual MAC address. The VIP and virtual MAC addresses link to the HA port on each node. Whichever node is currently active is the one whose HA port owns the VIP and virtual MAC addresses. If a failover occurs, these addresses shift from the HA port of the previous active node to the HA port of the new active node (see Figure 8.6).

Figure 8.6 VIP Address and Virtual MAC Address and HA Failover

[Figure 8.6 shows the Infoblox HA pair before and after a failover. Before the failover, Node 1 (active) and Node 2 (passive) are joined by an encrypted VPN tunnel carrying bloxSYNC traffic. The HA ports on each node share the VIP (virtual IP) address and virtual MAC address; because Node 1 is currently active, it owns these addresses, and the network clients always make service requests to, and receive replies from, the VIP and virtual MAC address. After the HA failover, Node 2 becomes the active node and Node 1 becomes passive. Because Node 2 is now active, it owns the VIP address and virtual MAC address, and the clients still make service requests to, and receive replies from, the same VIP and virtual MAC address.]


The two nodes in an HA pair include a VRID (virtual router ID) in all VRRP advertisements and use it to recognize VRRP advertisements intended just for themselves. Only another appliance on the same subnet configured to use the same VRID responds to the announcements. The VRID must be a unique number between 1 and 255 for the subnet on which the HA pair is located. (There is no default VRID number.) For more information, see RFC 3768, Virtual Router Redundancy Protocol (VRRP), and also VRRP Advertisements on page 309.

Figure 8.7 VRRP Advertisements with a Unique VRID

[Figure 8.7 shows Node 1 (active) and Node 2 (passive) connected to a switch on the same subnet. Node 1 multicasts VRRP advertisements carrying VRID 10; Node 2, configured with the same VRID, matches them, while any other device on the subnet drops them.]

After you finish configuring Node 1 of the HA pair to use VRID 10, a number that is unique for this subnet, it starts listening for VRRP advertisements with that VRID. When it does not receive any for three seconds, it becomes the active node in the HA pair and begins multicasting VRRP advertisements with VRID 10 from its HA port.

After you finish configuring Node 2 to join the HA pair, it initiates a connection with Node 1. The two appliances establish a VPN tunnel between themselves, using the HA connection name and shared secret to authenticate each other. Node 2 downloads the database from Node 1 and learns its VRID. Node 2 then begins listening for VRRP advertisements on its HA port. When it receives an advertisement from Node 1, Node 2 recognizes it and becomes the passive node.

Any device on that subnet that is not configured to listen for VRRP advertisements with VRID 10 drops the packet.
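As an added example (not code from the guide or from the NIOS appliance), the following Python builds and parses a VRRPv2 advertisement in the format RFC 3768 defines, verifies its checksum, applies the VRID filter the text describes, and computes the master-down interval behind the three-second wait. The VRID 10, priority 100, and VIP 192.0.2.10 are constructed values, and the code only handles bytes in memory; it neither sends nor receives anything on the network.

```python
import socket
import struct

# Constructed values for the example (not from the guide): the VRID the text's
# HA pair uses, a typical priority, and a documentation-range VIP.
MY_VRID = 10
SAMPLE_VIP = "192.0.2.10"


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum over the message, as the VRRP checksum uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def build_vrrp_advertisement(vrid: int, priority: int, vip: str, adver_int: int = 1) -> bytes:
    """Construct one VRRPv2 advertisement carrying a single virtual address.

    Layout: version/type (0x21 = version 2, type 1 advertisement), VRID,
    priority, address count, auth type (0 = none), advertisement interval,
    checksum, IPv4 address(es), 8 bytes of authentication data.
    """
    header = struct.pack("!BBBBBBH", 0x21, vrid, priority, 1, 0, adver_int, 0)
    pkt = bytearray(header + socket.inet_aton(vip) + b"\x00" * 8)
    # Checksum is the complement of the sum computed with the field zeroed.
    struct.pack_into("!H", pkt, 6, 0xFFFF ^ _ones_complement_sum(bytes(pkt)))
    return bytes(pkt)


def parse_vrrp_advertisement(pkt: bytes) -> dict:
    """Decode and validate a VRRPv2 advertisement; raise ValueError if malformed."""
    if len(pkt) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, priority, count, _auth_type, adver_int, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) != 8 + 4 * count + 8:
        raise ValueError("length does not match address count")
    # With a correct checksum in place, the sum over the whole message is 0xFFFF.
    if _ones_complement_sum(pkt) != 0xFFFF:
        raise ValueError("checksum mismatch")
    vips = [socket.inet_ntoa(pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "adver_int": adver_int, "vips": vips}


def is_valid_advertisement(pkt: bytes) -> bool:
    try:
        parse_vrrp_advertisement(pkt)
        return True
    except ValueError:
        return False


def accept_advertisement(pkt: bytes, my_vrid: int):
    """The VRID filter from the text: return the advertisement if it carries our
    VRID, otherwise None (the node drops it). The VRID only selects which
    virtual router a packet belongs to; it does not authenticate the sender."""
    adv = parse_vrrp_advertisement(pkt)
    return adv if adv["vrid"] == my_vrid else None


def master_down_interval(priority: int, adver_int: int = 1) -> float:
    """RFC 3768 Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time,
    Skew_Time = (256 - Priority) / 256 seconds. The three-second wait the text
    describes is the 3 * Advertisement_Interval term at the default 1 s."""
    return 3 * adver_int + (256 - priority) / 256


if __name__ == "__main__":
    pkt = build_vrrp_advertisement(MY_VRID, 100, SAMPLE_VIP)
    print("our VRID:", accept_advertisement(pkt, MY_VRID))
    print("other VRID:", accept_advertisement(pkt, MY_VRID + 1))
    print("master down after %.3f s" % master_down_interval(100))
```

The checksum catches corruption, not tampering, and VRRPv2 carries no real authentication in this form, which is why the page relies on the switch configuration and on the separately authenticated VPN tunnel between the nodes rather than on the advertisements themselves.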

To deploy an independent HA pair, you cable the HA and LAN (or LAN1) or LAN2 ports to the network and configure the IP settings for these ports and the VIP address within the same subnet.

Note: On Infoblox-500, -1000, and -1200 appliances, the LAN port is labeled LAN. On Infoblox-250, -550, -550-A, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000 appliances, use the port labeled LAN1. The default LAN or LAN2 settings are as follows:
IP address: 192.168.1.2
Netmask: 255.255.255.0
Gateway: 192.168.1.1

Infoblox provides two methods for configuring an HA pair:

Method 1 Using the Infoblox NIOS Startup Wizard


Requirements: HTTPS connections from your management system to the ethernet ports on the two appliances
Advantage: The startup wizard provides step-by-step guidance for configuring the network settings of the VIP address and HA and LAN (or LAN1) ports on both nodes, for setting the host name, admin password, and system clock, and, if using NTP (Network Time Protocol), for enabling the HA pair as an NTP server.

Method 2 Using the GUI


Requirements: HTTPS connections from your management system to the ethernet ports on the two appliances
Advantage: If you have logged in previously and disabled the startup wizard, you can still use the GUI to configure an independent HA pair.

These methods are explained in the following subsections.



Method 1 Using the Infoblox NIOS Startup Wizard


When you first make an HTTPS connection to the NIOS appliance, the Infoblox NIOS Startup Wizard appears. To ease the initial configuration process, the wizard guides you through various deployment options, basic network settings, and opportunities for changing the password of the superuser admin and for setting the system clock.

Configuring the Connecting Switch


To ensure that VRRP (Virtual Router Redundancy Protocol) works properly, configure the following settings on the network switch to which you cable the two nodes:
Portfast: enable
Trunking: disable
Port list: disable
Port channeling: disable

Note: By default, a NIOS appliance automatically negotiates the optimal connection speed and transmission type (full or half duplex) on the physical links between its LAN (or LAN1), HA, and MGMT ports and the ethernet ports on the connecting switch. If the two appliances fail to auto-negotiate the optimal settings, see Modifying Ethernet Port Settings on page 148 for steps you can take to resolve the problem.

Putting Both Nodes on the Network


1. Use one of the methods described in Deploying a Single Independent Appliance on page 263 to configure the network settings of the LAN or LAN1 port of each node so that they are on the same subnet and you can reach them across the network.
2. Cable the LAN (or LAN1) port and the HA port on each node to the network switch.
   Note: The ethernet ports on the Infoblox-250, -550, -550-A, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000 appliances are autosensing, so you can use either a straight-through or cross-over ethernet cable for these connections. For the Infoblox-500, -1000, and -1200 appliances, use straight-through ethernet cables to connect an appliance to a switch.
3. Cable your management system to the network switch.

Configuring Node 1
1. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port of Node 1. Several certificate warnings appear during the login process. This is normal because the preloaded certificate is self-signed (and, therefore, is not in the trusted certificate stores in your browser, Java application, and Java Web Start application) and has the hostname www.infoblox.com, which does not match the destination IP address you entered in step 1. To stop the warning messages from occurring each time you log in to the GUI, you can generate a new self-signed certificate or import a third-party certificate with a common name that matches the FQDN (fully qualified domain name) of the appliance. This is a very simple process. For information about certificates, see Managing Certificates on page 51.
2. Click LAUNCH DEVICE MANAGER.
3. Log in to Node 1. For detailed information about logging in to the GUI, see Accessing the Infoblox GUI on page 41. The Infoblox NIOS Startup Wizard appears. The first screen provides basic information about the wizard, and the second screen displays license agreement information.
4. Beginning on the third screen, enter the following, where:
   string1 is a text string that the two nodes use to authenticate each other when establishing a VPN tunnel for ensuing bloxSYNC traffic. (The default grid name is Infoblox.)
   string2 is a text string that both nodes use as a shared secret to authenticate each other when establishing a VPN tunnel for ensuing bloxSYNC traffic. (The default shared secret is test.)
   vip_addr and netmask are the VIP (virtual IP) address and its netmask.
   ip_addr1 is the IP address of the gateway for the subnet on which the LAN or LAN1 port is set.
   hostname is a valid domain name for the appliance.
   ip_addr2-5 are the IP addresses of the LAN and HA ports for Nodes 1 and 2.
   number is the VRID (virtual router ID). This must be a unique VRID number, from 1 to 255, for this subnet.
   string3 is a single alphanumeric string (no spaces) for a password that is at least four characters long.
   ip_addr6 is the IP address of an NTP (Network Time Protocol) server.

   Wizard Screen: Enter or Select
   Deployment Type: Independent Device or HA Pair
   Independent Device Deployment Type: HA Node 1
   HA Pair Settings: HA Pair Name: string1; Shared Secret: string2; VIP Address: vip_addr; Netmask: netmask; Gateway: ip_addr1; Host Name: hostname
   Node 1 Network Settings: Node 1: LAN/LAN1 Address: ip_addr2, HA Address: ip_addr3; Node 2: LAN/LAN1 Address: ip_addr4, HA Address: ip_addr5; Virtual Router ID: number
   Admin Account Password: Change Admin Password: (select), string3
   Time Settings: Enable NTP: (select); NTP Server List: ip_addr6 (click Add); Time zone: (choose the time zone for the location of the appliance)

Note: The startup wizard provides options such as not changing the default password and manually entering the time and date. However, changing the password and using an NTP server improve security and accuracy (respectively), and so these choices are presented above. The last screen of the startup wizard states that the changed settings require the appliance to restart. When you click Finish, the appliance restarts.


Configuring Node 2
1. Open a new browser instance and make an HTTPS connection to the IP address of the LAN or LAN1 port of Node 2.
2. The Infoblox NIOS Startup Wizard opens with a splash screen that provides basic information about the wizard, and then displays license agreement information. Beginning on the third wizard screen, enter the following to set up Node 2 (the variables are explained in the previous section for Node 1):
   Wizard Screen: Enter or Select
   Deployment Type: Independent Device or HA Pair
   Independent Device Deployment Type: HA Node 2
   Node 2 Network Settings: IP Address: ip_addr4; Netmask: netmask; Gateway: ip_addr1
   HA Pair Properties: Virtual IP Address: vip_addr; HA Pair Name: string1; Shared Secret: string2

The setup of the HA pair is complete. When you next make an HTTPS connection to the HA pair, use the VIP address.

Method 2 Using the GUI


To deploy an independent HA pair through the GUI, you need to make an HTTPS connection to each appliance and then bypass the startup wizard. (The following procedure assumes that the appliance has the DNSone package installed.)

Configuring the Connecting Switch


To ensure that VRRP (Virtual Router Redundancy Protocol) works properly, configure the following settings on the network switch to which you cable the two nodes:
Portfast: enable
Trunking: disable
Port list: disable
Port channeling: disable

Note: By default, a NIOS appliance automatically negotiates the optimal connection speed and transmission type (full or half duplex) on the physical links between its LAN (or LAN1), HA, and MGMT ports and the ethernet ports on the connecting switch. If the two appliances fail to auto-negotiate the optimal settings, see Modifying Ethernet Port Settings on page 148 for steps you can take to resolve the problem.

Putting Both Nodes on the Network


1. Use one of the methods described in Deploying a Single Independent Appliance on page 263 to configure the network settings of the LAN/LAN1 or LAN2 port of each node so that they are on the same subnet and you can reach them across the network.
2. Cable the LAN (or LAN1) or LAN2 port and the HA port on each node to a switch on the network.
   Note: The ethernet ports on a NIOS appliance are autosensing, so you can use either a straight-through or cross-over ethernet cable for these connections. For the Infoblox-500, -1000, and -1200 appliances, use straight-through ethernet cables to connect an appliance to a switch.
3. Connect your management system to the network.

Configuring Node 1
1. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port of Node 1.
2. Click LAUNCH DEVICE MANAGER.
3. Log in to Node 1. For detailed information about logging in to the GUI, see Accessing the Infoblox GUI on page 41. The Infoblox NIOS Startup Wizard appears.
4. To bypass the wizard and access the Device Manager GUI, click Cancel or the Close button.
5. From the Device perspective, click hostname -> Edit -> Device Properties.
   Note: (For the DNSone with Grid package) From the Grid perspective, click + (for Infoblox) -> + (for Members) -> hostname -> Edit -> Member Properties.
6. In the Device editor, click Device Properties, and then enter the following network settings:
   Host Name: Type the FQDN (fully qualified domain name) for the HA pair.
   (V)IP Address: Type the VIP (virtual IP) address for the HA pair.
   Subnet Mask: Choose the netmask for the subnet to which the VIP address connects.
   Gateway: Type the IP address of the default gateway of the subnet to which the VIP address connects.
   Comment: Type a comment that provides some useful information about the HA pair, such as its location.
   High-availability Pair: (select)
   Virtual Router ID: Enter a unique VRID number (from 1 to 255) for the local subnet.
   Note: The VIP address and the IP addresses for all the following ports must be in the same subnet.
   Node #1:
     LAN Address: Enter an IP address for the LAN (or LAN1) port of Node 1.
     HA Address: Enter an IP address for the HA port of Node 1.
   Node #2:
     LAN Address: Enter an IP address for the LAN (or LAN1) port of Node 2.
     HA Address: Enter an IP address for the HA port of Node 2.

7. In the Device editor, click High Availability Connection, and then enter the following settings:
   Name: Type a name for the HA pair. (The default name is Infoblox.)
   Shared Secret: Type the shared secret that both nodes use to authenticate each other when establishing a VPN tunnel for ensuing bloxSYNC traffic. (The default shared secret is test.)
   Retype Shared Secret: Retype the shared secret you entered in the Shared Secret field.
   VPN Port Number: Leave as the default number (1194), or enter a different number for the two nodes to use when building a VPN tunnel between themselves.
8. Click Save. The management window closes.


Configuring Node 2
1. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port of Node 2.
2. Click LAUNCH DEVICE MANAGER.
3. Log in to Node 2. The Infoblox NIOS Startup Wizard appears.
4. To bypass the wizard, click Cancel or the Close button.
5. From the Device perspective, click hostname -> Edit -> Join HA Pair.
   Note: For the DNSone with Grid package, from the Grid perspective, click + (for Infoblox) -> + (for Members) -> hostname -> Edit -> Join Grid.
6. In the Join HA Pair dialog box, enter the following network settings:
   Virtual IP of HA Pair: Type the VIP (virtual IP) address for the HA pair.
   HA Connection Name: Type the same text string that you typed in the Name field in the High Availability Connection section of the Device editor on Node 1. The default HA connection name is Infoblox.
   Shared Secret: Type the shared secret that both nodes use to authenticate each other when establishing a VPN tunnel for ensuing bloxSYNC traffic. The default shared secret is test.
   Retype Shared Secret: Retype the shared secret you entered in the Shared Secret field.
   VPN Port Number: Leave as the default number (1194), or enter a different number for the two nodes to use when building a VPN tunnel between themselves.
7. Click Save. The management window closes.

Configuration Example: Configuring an HA Pair for Internal DNS and DHCP


In this example, you set up an HA pair of NIOS appliances to provide internal DNS and DHCP services. The HA pair answers internal queries for all hosts in its domain (corp100.com). It forwards internal queries for external sites to ns1.corp100.com at 10.1.5.2 and ns2.corp100.com at 2.2.2.2. It also uses DHCP to provide dynamic and fixed addresses. The HA pair consists of two appliances (nodes). The VIP (virtual IP) address of the HA pair and the IP addresses of the HA and LAN1 ports on each node are as follows:

HA Pair IP Addresses
  VIP: 10.1.4.10 (the address that the active node of the HA pair uses)
  Node 1: LAN1 10.1.4.6, HA 10.1.4.7
  Node 2: LAN1 10.1.4.8, HA 10.1.4.9

The virtual router ID number for the HA pair is 150. The ID number must be unique for this network segment. When you create the corp100.com zone on the HA pair, you import DNS data from the legacy server at 10.1.4.11.


Figure 8.8 Example 2 Network Diagram

(Summary of the diagram) NOTE: The first six hexadecimal characters of all MAC addresses in the example are 00:00:00. Only the last six hexadecimal characters are shown here.

Internet / ISP
  External Secondary DNS Server ns2: 2.2.2.2

Firewall (DHCP relay agent on the ethernet2 interface)
  ethernet1 1.1.1.1/24
  ethernet2 10.1.5.1/24
  ethernet3 10.1.6.2/24

DMZ Network 10.1.5.0/24
  External Primary DNS Server ns1: 10.1.5.2
  www 10.1.5.5 (55:55:55)
  mail 10.1.5.6 (66:66:66)
  ftp 10.1.5.7 (77:77:77)

Router
  ethernet0 10.1.6.1/24
  ethernet1 10.1.1.1/24
  ethernet2 10.1.2.1/24
  ethernet4 10.1.4.1/24

MGT Network 10.1.1.0/24
  Address Range: 10.1.1.10 to 10.1.1.50
  printer1 10.1.1.2 (aa:aa:aa)

Dev Network 10.1.2.0/24
  Address Range: 10.1.2.10 to 10.1.2.50
  printer2 10.1.2.2 (bb:bb:bb)

Server Network 10.1.4.0/24
  HA Pair: Internal Primary DNS Server, DHCP, IPAM; ns3 VIP: 10.1.4.10
  storage1 10.1.4.2 (dd:dd:dd)
  storage2 10.1.4.3 (ee:ee:ee)
  proxymail 10.1.4.4 (ff:ff:ff)
  proxyweb 10.1.4.5 (11:11:11)
  Legacy Primary DNS Server ns3: 10.1.4.11 (replaced by the HA pair)

An HA pair of NIOS appliances provides internal DNS services. It answers internal queries for all hosts in its domain. It forwards internal queries for external sites to ns1 and ns2. It also serves DHCP, providing both dynamic and fixed addresses. For information on configuring the NIOS appliance external primary DNS server, see Configuration Example: Deploying a NIOS Appliance for External DNS on page 268.

Cable Appliances to the Network and Turn On Power


Connect ethernet cables from the LAN1 and HA ports on both NIOS appliances to a switch in the Server network and turn on the power for both appliances. For information about installing and cabling the appliance, refer to the user guide or installation guide that ships with the product.


Specify Initial Network Settings


Before you can configure the appliances through the GUI, you must be able to make a network connection to them. The default network settings of the LAN1 port are 192.168.1.2/24 with a gateway at 192.168.1.1 (the HA and MGMT ports do not have default network settings). To change these settings, you can use the LCD or make a console connection to each appliance.

Node 1
Using the LCD or console port on one of the appliances, enter the following information:
  IP Address: 10.1.4.6 (for the LAN1 port)
  Netmask: 255.255.255.0
  Gateway: 10.1.4.1

Node 2
Using the LCD or console port on the other appliance, enter the following information:
  IP Address: 10.1.4.8 (for the LAN1 port)
  Netmask: 255.255.255.0
  Gateway: 10.1.4.1
After you confirm your network settings, the Infoblox GUI application automatically restarts.

Specify Appliance Settings


When you make the initial HTTPS connection to a NIOS appliance, you see the Infoblox Appliance Startup Wizard, which guides you through the basic deployment of the appliance on your network. To set up an HA pair, you must connect to and configure each appliance individually.

Node 1
1. Open a browser window and connect to https://10.1.4.6.
   Note: For details about making an HTTPS connection to a NIOS appliance, see Specify Appliance Settings on page 270.
2. Log in using the default user name and password admin and infoblox.
   Note: User names and passwords are case-sensitive.
3. The Infoblox Appliance Startup Wizard opens with a splash screen that provides basic information about the wizard, and then displays license agreement information. Beginning on the third wizard screen, enter or select the following to set up node 1 of the HA pair:

   Wizard Screen: Deployment type
     Enter: Stand alone
   Wizard Screen: Node type
     Enter: First HA node
   Wizard Screen: Grid information
     Grid Name: Infoblox
     Shared Secret: 37eeT1d
     (Note: The nodes use the shared secret to form an encrypted VPN tunnel between themselves. They synchronize the shared database through this tunnel.)
   Wizard Screen: Node information
     Virtual IP: 10.1.4.10
     Subnet Mask: 255.255.255.0
     Gateway: 10.1.4.1
     Host Name: ns3.corp100.com
     Node 1: LAN1 Address: 10.1.4.6; HA Address: 10.1.4.7
     Node 2: LAN1 Address: 10.1.4.8; HA Address: 10.1.4.9
     Virtual Router ID: 150
   Wizard Screen: Default password
     New admin password: SnD34n534
   Wizard Screen: Time settings
     Enable NTP: Select the check box.
     IP address: 3.3.3.3
     Time zone: (GMT-08:00) Pacific Time (US and Canada); Tijuana

The last screen of the wizard states that the changed settings require the application to restart. When you click Finish, the Infoblox GUI application restarts.

Node 2
1. In the JWS (Java Web Start) login window, type 10.1.4.8 in the Hostname field. When you enter the IP address, JWS queries the appliance at that address, checking for a login banner. The following default Infoblox banner appears above the Hostname field: Restricted Access Login Required.
2. Log in using the default user name and password admin and infoblox.
   Note: User names and passwords are case-sensitive.
3. The Infoblox Appliance Startup Wizard opens with a splash screen that provides basic information about the wizard, and then displays license agreement information. Beginning on the third wizard screen, enter or select the following to set up node 2 of the HA pair:

   Wizard Screen: Deployment type
     Enter or Select: Stand alone
   Wizard Screen: Node type
     Enter or Select: Second HA node
   Wizard Screen: Node information
     IP Address: 10.1.4.8
     Subnet Mask: 255.255.255.0
     Gateway: 10.1.4.1
   Wizard Screen: Node provisioning
     Master's Virtual IP: 10.1.4.10
     Grid Name: Infoblox
     Shared Secret: 37eeT1d

On the last screen of the wizard, click Finish. The Infoblox GUI application terminates. The setup of the HA pair is complete. From now on, when you make an HTTPS connection to the HA pair, use the VIP address 10.1.4.10.


Enable Zone Transfers on the Legacy Name Server


To allow the NIOS appliance to import zone data from the legacy server at 10.1.4.11, you must configure the legacy server to allow zone transfers to the appliance at 10.1.4.10.

Legacy BIND Server


1. Open the named.conf file using a text editor and change the allow-transfer statement to allow zone transfers to the appliance at 10.1.4.10. For a sample of the required changes to the named.conf file, see Legacy BIND Server on page 271.
2. After editing the named.conf file, restart DNS service for the change to take effect.

Legacy Windows 2000/2003 Server


Navigate to the corp100.com Properties dialog box, and add 10.1.4.10 to the list of IP addresses to which you want to allow zone transfers. For more detailed navigation and configuration instructions, see Legacy Windows 2000/2003 Server on page 272.

Import Zone Data


You can import zone data from a legacy server or manually enter it. When you import both forward- and reverse-mapping zone data, the NIOS appliance automatically creates Infoblox host records if corresponding A and PTR records are present. You can then modify the host records to add MAC addresses. However, if you only import forward-mapping zone data, the NIOS appliance cannot create host records from just the A records. In that case, because you cannot later convert A records to host records, it is more efficient to create the corp100.com zone, and define host records manually.

Infoblox host records are data models that represent IP devices within the Infoblox semantic database. The NIOS appliance uses a host object to define A, PTR, and CNAME resource records in a single object as well as a DHCP fixed address if you include a MAC address in the host object definition. The host object prevents costly errors because you only maintain a single object for multiple DNS records and a DHCP fixed address. Therefore, it is advantageous to use host records instead of separate A, PTR, and CNAME records.

Note: If you only have forward-mapping zones defined on your legacy servers and you want to add reverse-mapping zones and automatically create host records in the imported forward-mapping zones and reverse host records in corresponding reverse-mapping zones, create the reverse-mapping zones and then import the forward-mapping zones data. The NIOS appliance automatically converts the imported A records to host records in the forward-mapping zones and creates the necessary reverse host records in the reverse-mapping zones.

You also have the option of using the Data Import Wizard for loading DNS and DHCP configurations and data. For large data sets, this option is an efficient approach. To download the Data Import Wizard, visit www.infoblox.com/support, log in with your support account, and then click the Data Import Wizard hyperlink in the DNSone section.

In this example, when you create the corp100.com forward-mapping zone, you import zone data for the existing corp100.com zone from the legacy server at 10.1.4.11. When you create the 1.10.in-addr.arpa reverse-mapping zone, you also import the zone records for the existing 1.10.in-addr.arpa zone from the legacy server. After the appliance has both the forward- and reverse-mapping zone data, it converts the A and PTR records to Infoblox host records.
1. Open a browser window, and log in to the HA pair at https://10.1.4.10, using the user name admin and the password SnD34n534.
2. To check that the HA pair is set up and functioning properly, from the Device perspective, click ns3.corp100.com and check that the status indicators are all green.
3. Click DNS to open the DNS perspective, and then click DNS Views -> + (for DNS Views) -> + (for default) -> Forward Mapping Zones -> Edit -> Add Forward Mapping Zone -> Authoritative.
4. In the Authoritative Zone Properties section of the Add Forward Authoritative Zone editor, enter the following:
   Name: corp100.com
   Comment: Internal DNS zone
5. In the Primary Server Assignment section, click Select Member to open the Select Grid Member dialog box.
6. Select ns3.corp100.com, and then click OK to close the dialog box.
7. Click the Save icon.
8. In the DNS Views panel of the DNS perspective, click + (for Forward Mapping Zones) -> corp100.com -> Edit -> Authoritative Zone Properties.
9. In the Forward Authoritative Zone editor, click Settings and enter the following:
   E-mail address: admin@corp100.com
   Import zone from: Select this check box, and enter 10.1.4.11 in the adjacent text field.
10. Click the Save icon.
11. After successfully importing the zone data, click corp100.com in the DNS Views panel. You can see all the imported forward-mapping zone data in the Records panel. Because you have not yet imported the reverse-mapping zone data, most of the records appear as A records.
12. From the DNS perspective, click DNS Views -> + (for DNS Views) -> + (for default) -> Reverse Mapping Zones -> Edit -> Add Reverse Mapping Zone -> Authoritative.
13. In the Authoritative Zone Properties section of the Add Reverse Authoritative Zone editor, enter the following:
   Network Address: 10.1.0.0
   Subnet Mask: 255.255.0.0
   Comment: Internal DNS zone
14. In the Primary Server Assignment section, click Select Member to open the Select Grid Member dialog box.
15. Select ns3.corp100.com, and then click OK to close the dialog box.
16. Click the Save icon.
17. In the DNS Views panel of the DNS perspective, click + (for Reverse Mapping Zones) -> 1.10.in-addr.arpa -> Edit -> Authoritative Zone Properties.
18. In the Authoritative Reverse Zone editor, click Settings and enter the following:
   E-mail address: admin@corp100.com
   Import zone from: Select this check box, and enter 10.1.4.11 in the adjacent text field.
19. Click the Save and Restart Services icons.
20. Click 1.10.in-addr.arpa -> View -> Records. You can see all the imported reverse-mapping zone data in the Records panel.
21. Click corp100.com in the DNS Views panel. Because you have now imported both the forward- and reverse-mapping zone data, most of the records appear as host records.
22. Finally, you must remove the ns3 host record for the legacy server (value 10.1.4.11). To remove it, select ns3, and then click Edit -> Remove.
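The import behaviour described above, modelled in Python as an added example (not Infoblox code): it pairs constructed A and PTR sample data for corp100.com into host records the way the appliance does, leaves unmatched A records as A records, flags a PTR that disagrees with its A record so the legacy data can be corrected before the old server is retired, and derives the in-addr.arpa zone names (1.10.in-addr.arpa, 1.1.10.in-addr.arpa) used later in this example.

```python
"""Pair imported A and PTR records into host records.

Added example, not Infoblox code: it models the import behaviour described
above, where a host record is created only when an imported A record and the
PTR record for the same address agree, and everything else stays an A record.
The zone text is constructed sample data in BIND master-file syntax for
corp100.com and 1.10.in-addr.arpa; the PTR for 10.1.5.5 is deliberately
inconsistent to show what the import would not merge.
"""
import ipaddress

FORWARD_ZONE = """\
; constructed sample: corp100.com forward-mapping zone
$ORIGIN corp100.com.
printer1   IN A   10.1.1.2
storage1   IN A   10.1.4.2
proxyweb   IN A   10.1.4.5
www        IN A   10.1.5.5
"""

REVERSE_ZONE = """\
; constructed sample: 1.10.in-addr.arpa reverse-mapping zone
$ORIGIN 1.10.in-addr.arpa.
2.1   IN PTR printer1.corp100.com.
2.4   IN PTR storage1.corp100.com.
5.5   IN PTR mail.corp100.com.     ; disagrees with the A record for www
"""


def reverse_zone_name(network: str) -> str:
    """Return the in-addr.arpa zone for an octet-aligned IPv4 network.

    10.1.0.0/16 -> 1.10.in-addr.arpa and 10.1.1.0/24 -> 1.1.10.in-addr.arpa,
    the names the appliance gives the parent zone and the split /24 zones.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen == 0 or net.prefixlen % 8:
        raise ValueError("only octet-aligned IPv4 prefixes map to one in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner_to_ip(owner: str) -> str:
    """Turn a full PTR owner name such as 2.1.1.10.in-addr.arpa. into 10.1.1.2."""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a complete IPv4 PTR owner name: {owner}")
    return ".".join(reversed(labels[:4]))


def parse_zone(text: str) -> list:
    """Minimal master-file reader: honours $ORIGIN and ';' comments and returns
    (owner_fqdn, type, rdata) tuples for A and PTR records. Each record line
    must start with its owner name (no inherited-owner or multi-line records)."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "$ORIGIN":
            origin = parts[1]
            continue
        owner, rtype, rdata = parts[0], parts[-2].upper(), parts[-1]
        if rtype not in ("A", "PTR"):
            continue
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner.lower(), rtype, rdata.lower()))
    return records


def build_host_records(forward_text: str, reverse_text: str) -> dict:
    """Merge the two zones: an A record whose address has a PTR pointing back
    at the same name becomes a host record; other A records stay A records.
    Mismatched PTRs are listed so they can be corrected on the legacy server
    before it is retired, instead of silently surviving the migration."""
    a_by_ip = {}
    for owner, rtype, rdata in parse_zone(forward_text):
        if rtype == "A":
            a_by_ip.setdefault(rdata, set()).add(owner.rstrip("."))
    ptr_by_ip = {}
    for owner, rtype, rdata in parse_zone(reverse_text):
        if rtype == "PTR":
            ptr_by_ip[ptr_owner_to_ip(owner)] = rdata.rstrip(".")
    hosts, a_only, mismatched = {}, {}, []
    for ip, names in a_by_ip.items():
        target = ptr_by_ip.get(ip)
        for name in sorted(names):
            if target == name:
                hosts[name] = ip
            else:
                a_only[name] = ip
                if target is not None:
                    mismatched.append((ip, name, target))
    return {"hosts": hosts, "a_only": a_only, "mismatched": sorted(mismatched)}


if __name__ == "__main__":
    for net in ("10.1.0.0/16", "10.1.1.0/24"):
        print(f"{net} -> {reverse_zone_name(net)}")
    result = build_host_records(FORWARD_ZONE, REVERSE_ZONE)
    for kind in ("hosts", "a_only", "mismatched"):
        print(kind, result[kind])
```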


Define Networks, Reverse-Mapping Zones, DHCP Ranges, and Infoblox Hosts


In this task, you enter data manually because the configuration is fairly simple. For large data sets, you have the option of using the Data Import Wizard for loading DNS and DHCP configurations and data to make the process more efficient. To download the Data Import Wizard, visit www.infoblox.com/support, log in with your support account, and then click the Data Import Wizard hyperlink in the DNSone section.

Networks
You can create all the subnetworks individually (which in this example are 10.1.1.0/24, 10.1.2.0/24, 10.1.4.0/24, and 10.1.5.0/24), or you can create a parent network (10.1.0.0/16) that encompasses all the subnetworks and then use the Infoblox split network feature to create the individual subnetworks automatically. The split network feature accomplishes this by using the IP addresses that exist in the forward-mapping zones to determine which subnets it needs to create. This example uses the split network feature. For information about creating networks, see Configuring a DHCP Network on page 497.
1. From the DHCP and IPAM perspective, click Networks -> Edit -> Add Network -> Network.
2. In the Network Properties section of the Add Configure Network editor, enter the following:
   Network Address: 10.1.0.0
   Netmask: /16 (255.255.0.0)
3. Click Member Assignment -> Add to open the Select Grid Members dialog box.
4. Select ns3.corp100.com, and then click OK to close the dialog box.
5. Click the Save icon.
6. Click + (for Networks) -> 10.1.0.0/16 -> Edit -> Split Network.
   Subnetworks: Move the slider to 24.
   Immediately add only networks with ranges and fixed addresses: Select this check box.
   The appliance immediately creates the following 24-bit subnets for the imported Infoblox hosts: 10.1.1.0/24, 10.1.2.0/24, 10.1.4.0/24, and 10.1.5.0/24.
7. Click + (for Networks) -> + (for 10.1.0.0/16) -> 10.1.1.0/24 -> Edit -> Network Properties.
8. In the Configure Network editor, enter information in the following sections:
   Network Properties
     Comment: MGT
   Member Assignment
     Members: ns3.corp100.com
9. Click the Save icon.
10. To modify the other networks, repeat steps 7 through 9 for each network and use the following information:
   10.1.2.0/24 Network: Comment: Dev; Members: ns3.corp100.com
   10.1.4.0/24 Network: Comment: Server; Members: ns3.corp100.com
   10.1.5.0/24 Network: Comment: DMZ; Members: ns3.corp100.com


Reverse-Mapping Zones
When you create a network, the appliance automatically creates a corresponding reverse-mapping zone and reparents the relevant resource records from the parent zone (10.1.0.0/16) to that zone. To enable DNS service for the new zone, you need to assign ns3.corp100.com as the primary DNS server for each zone. In this example, the appliance creates four reverse-mapping zones. You must modify each zone by assigning ns3.corp100.com as its primary DNS server.
1. From the DNS perspective, click DNS Views -> + (for DNS Views) -> + (for default) -> + (for Reverse Mapping Zones) -> + (for 1.10.in-addr.arpa) -> 1.1.10.in-addr.arpa -> Edit -> Authoritative Zone Properties.
2. In the Primary Server Assignment section, click Select Member to open the Select Grid Member dialog box.
3. Select ns3.corp100.com, and then click OK to close the dialog box.
4. Click the Save icon.
5. Repeat steps 1 through 4 for the 2.1.10.in-addr.arpa, 4.1.10.in-addr.arpa, and 5.1.10.in-addr.arpa reverse-mapping zones.

DHCP Ranges
1. From the DHCP and IPAM Perspective, select Networks -> + (for Networks) -> + (for 10.1.0.0/16) -> 10.1.1.0/24 -> Edit -> Add DHCP Range.
2. In the DHCP Range section, enter the following:
   Start Address: 10.1.1.10
   End Address: 10.1.1.50
3. In the Member Assignment section, select ns3.corp100.com from the Grid Member drop-down list.
4. Click the Save icon.
5. From the DHCP and IPAM Perspective, select Networks -> + (for Networks) -> + (for 10.1.0.0/16) -> 10.1.2.0/24 -> Edit -> Add DHCP Range.
6. In the DHCP Range section, enter the following:
   Start Address: 10.1.2.10
   End Address: 10.1.2.100
7. In the Member Assignment section, select ns3.corp100.com from the Grid Member drop-down list.
8. Click the Save icon.

Infoblox Hosts
Defining both a MAC and IP address for an Infoblox host definition creates a DHCP host entry, like a fixed address, that you can manage through the host object. To add a MAC address to each host record that the appliance created when you imported forward- and reverse-mapping zone records, you must first delete the IP address for that host, and then add the same IP address with the MAC address.
1. From the DNS perspective, click DNS Views -> + (for DNS Views) -> + (for default) -> + (for Forward Mapping Zones) -> + (for corp100.com).
2. Double-click 10.1.1.2 to open the Host editor.
3. In the Host Record Properties section, select 10.1.1.2, and then click Remove.
4. Click Add next to the IP Address field to open the Host Address dialog box.
5. Enter the following, and then click OK to close the dialog box:
   IP Address: 10.1.1.2
   MAC Address: 00:00:00:aa:aa:aa
6. Click the Save icon.
7. Follow steps 1 through 6 to modify hosts with the following information:
   printer2: IP Address: 10.1.2.2; MAC Address: 00:00:00:bb:bb:bb
   storage1: IP Address: 10.1.4.2; MAC Address: 00:00:00:dd:dd:dd
   storage2: IP Address: 10.1.4.3; MAC Address: 00:00:00:ee:ee:ee
   proxymail: IP Address: 10.1.4.4; MAC Address: 00:00:00:ff:ff:ff
   proxyweb: IP Address: 10.1.4.5; MAC Address: 00:00:00:11:11:11
   www: IP Address: 10.1.5.5; MAC Address: 00:00:00:55:55:55
   mail: IP Address: 10.1.5.6; MAC Address: 00:00:00:66:66:66
   ftp: IP Address: 10.1.5.7; MAC Address: 00:00:00:77:77:77

Define Multiple Forwarders


Because ns3.corp100.com is an internal DNS server, you configure it to forward DNS queries for external DNS name resolution to the primary and secondary DNS servers: ns1.corp100.com at 10.1.5.2 and ns2.corp100.com at 2.2.2.2.
1. From the DNS perspective, click DNS Members -> Infoblox -> Edit -> Grid DNS Properties.
2. In the Grid DNS Properties editor, click Forwarders, and then enter the following:
   IP Address: Type 2.2.2.2, and then click Add.
   IP Address: Type 10.1.5.2, and then click Add.
   Use Forwarders Only: Clear the check box.
3. Click the Save icon.
The NIOS appliance initially sends outbound queries to forwarders in the order that they appear in the Forwarders list, starting from the top of the list. If the first forwarder does not reply, the appliance tries the second one. The appliance keeps track of the response time of both forwarders and uses the quicker one for future queries. If the quicker forwarder does not respond, the appliance then uses the other one.


Enable Recursion on External DNS Servers


Because the HA pair forwards outbound queries to the two external DNS servers ns1.corp100.com (10.1.5.2) and ns2.corp100.com (2.2.2.2) for resolution, you must enable recursion on those servers. When a DNS server employs recursion, it queries other DNS servers for a domain name until it either receives the requested data or an error that the requested data cannot be found. It then reports the result back to the server that queried it, in this case the internal DNS server ns3.corp100.com (10.1.4.10), which in turn reports back to the DNS client.

Infoblox Server in the DMZ Network (ns1.corp100.com, 10.1.5.2)


1. Log in to ns1.corp100.com at 10.1.5.2.
2. From the DNS perspective, click DNS Members -> Infoblox -> Edit -> Grid DNS Properties.
3. In the Grid DNS Properties editor, click Queries, and then select the Allow Recursion check box.
4. Click the Save icon.

BIND Server at ISP Site (ns2.corp100.com, 2.2.2.2)


1. Open the named.conf file using a text editor and change the recursion and allow-recursion statements to allow recursive queries from 1.1.1.8 (the NAT address of ns3).

   options {
       zone-statistics yes;
       directory "/var/named/named_conf";
       version "";
       recursion yes;
       listen-on { 127.0.0.1; 2.2.2.2; };
       allow-recursion { 1.1.1.8; };
       transfer-format many-answers;
   };

2. After editing the named.conf file, restart DNS service for the change to take effect.

Windows 2000/2003 Server at ISP Site (ns2.corp100.com, 2.2.2.2)


1. Click Start -> All Programs -> Administrative Tools -> DNS.
2. Right-click ns3, and then select Properties -> Advanced.
3. On the Advanced page in the ns3 Properties dialog box, clear the Disable recursion check box.
4. To save the configuration change and close the ns3 Properties dialog box, click OK.

Modify the Firewall and Router Configurations


Configure the firewall and router in your internal network to allow the following DHCP, DNS, and NTP traffic:
- To allow messages to pass from the DHCP clients in the DMZ (the web, mail, and FTP servers) to ns3 in the Server network, configure policies and DHCP relay agent settings on the firewall.
- To forward DHCP messages from DHCP clients in the MGT and Dev networks to ns3 in the Server network, configure relay agent settings on the router.
- To translate the private IP address of ns3 (10.1.4.10) to the public IP address (1.1.1.8) when forwarding DNS queries from ns3 to ns2, set a MIP (mapped IP) address on the firewall.
- To allow DNS queries from ns3 to ns1 and ns2 and NTP traffic from ns3 to the NTP server, configure firewall policies.


Firewall
For example, enter the following commands on a Juniper firewall running ScreenOS 4.x or later:

DHCP Relay Configuration
  set address trust ns3 10.1.4.10/32
  set interface ethernet2 dhcp relay server-name 10.1.4.10
  set policy from dmz to trust ns1 ns3 DHCP-Relay permit

DNS Forwarding
  set interface ethernet1 mip 1.1.1.8 host 10.1.4.10
  set policy from trust to untrust ns3 ns2 dns permit
  set policy from trust to dmz ns3 ns1 dns permit

NTP
  set policy from dmz to untrust ns1 ntp_server ntp permit

Router
For example, enter the following commands on a Cisco router running IOS release 12.x or later:

DHCP Relay Configuration
  interface ethernet1
    ip helper-address 10.1.4.10
  interface ethernet2
    ip helper-address 10.1.4.10

Enable DHCP and Switch Service to the NIOS Appliance


With the Infoblox appliance in place and the firewall and router configured for relaying DHCP messages, you can switch DHCP service from the legacy DHCP server at 10.1.4.11 to the HA pair at 10.1.4.10 (VIP address).

Tip: To minimize the chance of duplicate IP address assignments during the transition from the legacy DHCP server to the appliance, shorten all lease times to a one-hour length in advance of the DHCP server switch. Then, when you take the legacy DHCP server offline, the DHCP clients quickly move to the new server when their lease renewal efforts fail and they broadcast DHCPDISCOVER messages. To determine how far in advance you need to shorten the lease length, find the longest lease time (for example, it might be two days). Then change the lease length to one hour at a slightly greater interval of time before you plan to switch DHCP service to the appliance (for example, three days before the switch-over). By changing the lease length this far in advance, you can be sure that all DHCP leases will be one-hour leases at the time of the switch-over. If the longest lease length is longer (such as five days) and you want to avoid the increased amount of traffic caused by more frequent lease renewals over a six-day period, you can also employ a stepped approach: six days before the switch-over, change the lease lengths to one-day leases. Then two days before the switch-over, change them to one-hour leases.
1. Open a browser window, and log in to the HA pair at https://10.1.4.10, using the user name admin and the password SnD34n534.
2. From the DHCP and IPAM Perspective, select DHCP Members -> + (for Infoblox) -> ns3.corp100.com -> Edit -> Member DHCP Properties.
3. In the Member DHCP Properties editor, click General Properties and select Enable DHCP Server.
4. Click the Save and Restart Services icons. The HA pair is ready to provide DHCP service to the network.
5. Take the legacy DHCP server at 10.1.4.11 offline. When the DHCP clients are unable to renew their leases from the legacy DHCP server, they broadcast DHCPDISCOVER messages to which the new DHCP server responds.


Manage and Monitor


Infoblox provides tools for managing IP address usage and several types of logs to view events of interest and DHCP and DNS data. After configuring the appliance, you can use the following resources to manage and monitor IP address usage, DNS and DHCP data, and administrator and appliance activity.

IPAM (IP Address Management)


IPAM offers the following services:
- Simple IP address modification: Within a single IP address-centric data set, you can modify the Infoblox host, DHCP, and DNS settings associated with that IP address.
- Address type conversion: Through IPAM functionality, you can make the following conversions:
    Currently active dynamic addresses -> fixed addresses, reserved addresses, or Infoblox hosts
    Fixed addresses -> reserved addresses or hosts
    Reserved addresses -> hosts
- Device classification: You can make detailed descriptions of appliances in DHCP ranges and appliances defined as Infoblox hosts and as fixed addresses.
- Three distinct views of IP address usage: To monitor the usage of IP addresses on your network, you can see the following different views:
    High-level overall network view: From the DHCP and IPAM perspective, click DHCP Members -> + (for Infoblox) -> 10.1.4.10 -> View -> DHCP Statistics.
    Run-time view that allows you to zoom in and out to varying levels of detail: From the DHCP and IPAM perspective, click Networks -> network -> View -> IP Address Management -> ip_addr -> View -> Properties.
    DHCP lease history records: From the DHCP and IPAM perspective, click View -> DHCP Lease History.

Logs
The following are some useful logs:

Logs
  Audit Log: Contains administrator-initiated events
  System Log: Contains events related to hardware and software operations
DNS
  DNS Cache: Contains cached DNS-to-IP address mappings
  DNS Configuration: Contains DNS server settings for the Infoblox DNS server
  Zone Statistics: Contains a record of the results of all DNS queries per zone
DHCP
  DHCP Configuration: Contains DHCP server settings and network, DHCP range, and host settings for the Infoblox DHCP server
  DHCP Leases: Contains a real-time record of DHCP leases
  DHCP Lease History: Contains an historical record of DHCP leases
  DHCP Statistics: Contains the number of currently assigned static and dynamic addresses, and the high and low watermarks per network
  Network Statistics: Contains the number of static hosts, dynamic hosts, and available hosts per network


Verifying the Deployment


After you deploy a single independent appliance or HA pair, you can make an HTTPS connection to it, log in, and check its status.

Single Independent Appliance


From the Device perspective, check the Status column in the Device panel. If the Status icon is green, the appliance has a network connection and is operating properly. If the Status icon is red, there is a problem. To determine what it is, look at the system log file for this appliance by clicking device_name -> File -> System Log -> Node 1.

Independent HA Pair
1. Make an HTTPS connection to the VIP address of the HA pair, log in, and check the status of both nodes.
2. From the Device perspective, check the Status column in the Device panel.
   If the Status icon is green, both nodes have connectivity with each other and are operating properly.
   If the Status icon is yellow, the two nodes are in the process of forming an HA pair.
   If the Status icon is red, the passive node is offline or there is a problem. To determine what it is, look at the system log file for each node by clicking host_name -> File -> System Log -> Node 1 or Node 2. You can also gather information from the Detailed Status viewer. Click host_name -> View -> Detailed Status.
You can also check the status of each node in the Information section in the Device Properties viewer:
1. From the Device perspective, click View -> Properties -> + (for Information) -> + (for Node #1) and + (for Node #2).
2. Check the value in the Status row for each node. The three status values are:
   Active: The node is functioning properly as the active node in the HA pair.
   Passive: The node is functioning properly as the passive node in the HA pair.
   Offline: The active node cannot make a network connection to this node.

Forcing an HA Failover
If you want to change which node in an HA pair is active and which is passive, you can force a failover to occur. You might want to do this if you need to move or perform maintenance on a currently active node. Within five seconds after initiating a failover, the previously passive node becomes active and assumes ownership of the VIP address.

To force an HA failover:
1. Log in as a superuser.
2. From the Device perspective, click ha_pair -> Edit -> Force Failover.
3. A message appears, prompting you to confirm the failover operation and noting that a forced failover causes a temporary service disruption.
4. To proceed with the forced failover, click OK.
5. Close the management window, and then log back in.
6. To confirm that the two nodes have reversed their roles, that is, the previously passive node is now active and the previously active node is now passive, from the Device perspective, click hostname -> View -> Detailed Status.


Infoblox Tools for Migrating Data


Typically, the next step after cabling a single independent appliance to a network and configuring its network settings, or cabling two independent appliances to a network and configuring them as an HA pair, is to import data from legacy DNS, DHCP, and TFTP servers. Infoblox provides several tools to accomplish this:
The Infoblox Data Import Wizard is a useful tool that simplifies the importation of DNS, DHCP and IPAM (IP address management), and TFTP settings and data into a NIOS appliance. For large data sets, this option is an efficient approach. To download the Data Import Wizard, visit www.infoblox.com/support, log in with your support account, and then click the Data Import Wizard hyperlink in the DNSone section. For guidance in selecting and using the different options in the wizard, refer to the online Help that accompanies it.
You can use prewritten Infoblox Perl API scripts or write your own scripts to ease the execution of large and repetitive operations such as importing data for large numbers of networks and zones. To download script packs, log in to www.infoblox.com/support, and navigate to the Downloads section. Each script has a corresponding HTML Help file. For a more general introduction to using the Infoblox API, see the Infoblox API Reference Guide, which is available in the Technical Library section of the Infoblox Support site.
For smaller DNS data sets, you can use the zone import feature, which allows you to import data on a per-zone basis (see Importing Zone Data on page 386).
You can also manually enter the settings and data for network identity services. For information, see the relevant service-specific chapters in this guide.


Upgrading Software on an Independent Appliance or HA Pair


Upgrading an independent appliance or HA pair involves three steps:
Downloading the software upgrade files to a local system (Acquiring Software Upgrade Files on this page)
Distributing the software upgrade files (Distributing Software Upgrade Files on this page)
Running the software upgrade, which involves rebooting the appliances and then running the new software (Running the Software Upgrade on page 295)

Note: You cannot upgrade directly to NIOS 4.2 from certain DNS releases, such as DNS 3.1 and 3.2, and NIOS releases, such as 4.0r1. Refer to the release notes for the appropriate upgrade and revert paths.

Acquiring Software Upgrade Files


Infoblox frequently releases updated NIOS software. Contact Infoblox Technical Support to learn about new software upgrades, or watch your e-mail for periodic notifications that a new software upgrade is available. After you have the new upgrade file stored on your local network, proceed to the next section.

Distributing Software Upgrade Files


Software distribution varies depending on how appliances are deployed:
The active node of an independent HA pair distributes the software to the passive node and to itself.
A single independent appliance distributes the software to itself.

To distribute the latest software:
1. From the Device perspective, click Device -> Distribute -> Upload NIOS Software. When you perform a distribution, the NIOS appliance uploads the file to a backup partition and unpacks the contents, which overwrites any existing backup software that might have been there.
2. Navigate to the .bin file that you want to upload, select it, and then click Open or OK.
3. To view the file distribution status, look at the Upgrade Status panel. From the Device perspective, click View -> Upgrade Status. The process takes a few minutes and is complete when the Upgrade Status panel displays file distribution as complete and all files unpacked. The new software is now staged and is ready for use.

Running the Software Upgrade


After you successfully distribute (stage) the software upgrade, you can then run it. Essentially, each appliance is going to switch between the two software partitions on its system, activating the staged software and saving the previously active software and database as backup.

Note: Before you upgrade the software, Infoblox recommends backing up the current configuration and database.

To run the software upgrade:
1. From the Device perspective, click Device -> Upgrade. The upgrade process begins immediately. Due to the nature of the upgrade sequence, HA pairs fail over during the upgrade. Therefore, be aware that the active and passive nodes reverse roles. The GUI session terminates when the independent HA pair fails over from Node 1 to Node 2, or when the single independent appliance reboots and goes offline.
2. Log back in and check the status of each upgraded appliance in the Detailed Status panels. From the Device perspective, click hostname -> View -> Detailed Status.


Chapter 9 Deploying a Grid


To deploy a grid, it is important to understand what a grid is, how to create a grid master and add members, and how to manage the grid. This chapter explains these tasks in the following sections:

Introduction to Grids on page 298
Grid Communications on page 299
NAT Groups on page 300
Automatic Software Version Coordination on page 303
Grid Bandwidth Considerations on page 305
Creating a Grid Master on page 307
VRRP Advertisements on page 309
Port Numbers for Grid Communication on page 310
Creating an HA Grid Master on page 311
Creating a Single Grid Master on page 313
Adding Grid Members on page 317
Adding a Single Member on page 317
Adding an HA Member on page 318
Configuration Example: Configuring a Grid on page 320
Enabling IPv6 On a Grid Member on page 333
Managing a Grid on page 337
Changing Grid Properties on page 337
Setting the MTU for VPN Tunnels on page 337
Removing a Grid Member on page 338
Promoting a Master Candidate on page 338
Upgrading NIOS Software on a Grid on page 339
Lite Upgrades on page 339
Uploading NIOS Software on page 340
About Upgrade Groups on page 340
Distributing Software Upgrade Files on page 341
Testing a Software Upgrade on page 345
Performing a Software Upgrade on page 346
Monitoring Distribution and Upgrade Status on page 350


Introduction to Grids
A grid is a group of two or more NIOS appliances that share sections of a common, distributed, built-in database and which you configure and monitor through a single, secure point of access: the grid master. A grid can include Infoblox appliances and NIOS virtual appliances. A NIOS virtual appliance is a non-Infoblox hardware platform running the vNIOS software package. (Supported platforms are Riverbed Steelhead appliances running the Riverbed Services Platforms and Cisco AXP service modules in Integrated Services Routers.) You can configure Infoblox appliances as a grid master, grid master candidate, or grid members, but you can configure NIOS virtual appliances only as grid members. Figure 9.1 shows the basic concept of a grid and database distribution (or replication).

Figure 9.1 Grid and Partitioned Database Replication

[Figure: a grid consisting of a grid master with its database, a master candidate, an HA member, a Riverbed vNIOS virtual appliance, and a Cisco vNIOS virtual appliance. The administrator's management system connects to the grid master through a VPN tunnel.]

The administrator makes a secure connection to the grid master to configure and manage all grid members. The grid master replicates the section of the database that applies to each member, and it replicates the entire database to the master candidate.

Note: In addition to the VPN tunnel securing administrative traffic to the grid master, all grid communications between the grid master and grid members pass through encrypted VPN tunnels (not shown).

The grid master can be either an HA master or a single master; that is, an HA (high availability) pair or a single appliance. Similarly, a grid member can be either a single member or an HA member. The grid master communicates with every grid member in a hub-and-spoke configuration. For an HA member, the grid master communicates with the active node, which in turn communicates with the passive node, as shown in Figure 9.2.


Figure 9.2 Grid Communications to an HA Member

[Figure: the grid master connects through a VPN tunnel to the VIP on the HA port of Node 1 (active) of the HA member. A second VPN tunnel runs from the VIP on the HA port of Node 1 to the LAN port of Node 2 (passive).]

The grid master communicates with the active node of the HA member. The active node communicates with the passive node.

Although you can configure a NIOS virtual appliance as a grid member, you cannot configure it as an HA member. When adding NIOS virtual appliances to a grid, you centralize the management of core network services of the virtual appliances through the grid master. NIOS virtual appliances support most of the features of the Infoblox NIOS software, with some limitations as described in vNIOS Appliance Limitations on page 823. For additional information specific to each platform, refer to the Quick Start Guide for Installing NIOS Software on Cisco Application eXtension Platforms and the Quick Start Guide for Installing NIOS Software on Riverbed Services Platforms.

By default, grid communications use the UDP transport with a source and destination port of 1194. This port number is configurable, but for a port change to take effect, the HA master must fail over or the single master must reboot.

After adding an appliance or HA pair to a grid, you no longer access the Infoblox GUI on that appliance. Instead, you access the GUI running on the grid master. Although you can create multiple administrator accounts to manage different services on various grid members, all administrative access is through the grid master. So even if someone has administrative privileges to a single grid member, that administrator must access the GUI running on the grid master to manage that member.

You can access the Infoblox GUI through an HTTPS connection to one of the following IP addresses and ports on the grid master:
The VIP address, which links to the HA port on the active node of an HA grid master
The IP address of the LAN port on a single grid master
The IP address of the MGMT port (if enabled) of the active node of an HA or single grid master. See Using the MGMT Port on page 153.

Grid Communications
The grid master synchronizes data among all grid members using bloxSync through encrypted VPN tunnels. The default source and destination UDP port number for VPN tunnels is 1194. You can continue using the default port number or change it. For example, if you have multiple grids, you might want each grid to use a different port so that you can set different firewall rules for each. Whatever port number you choose to use for the VPN tunnels in a grid, all the tunnels in that grid use that single port number. Before an appliance or HA pair forms a tunnel with the master, they first authenticate each other using the Challenge-Response Authentication Mechanism (CRAM). The source and destination port number for this traffic is 2114. During the CRAM handshake, the master tells the appliance or HA pair what port number to use when building the subsequent VPN tunnel.


Figure 9.3 VPN Tunnels within a Grid

[Figure: an HA grid master, a single member, and an HA member joined by encrypted VPN tunnels. The addresses shown are:
HA Grid Master: VIP 10.1.1.11 (on the active node); Node 1 (Active) HA 10.1.1.13; Node 2 (Passive) HA 10.1.1.15, LAN 10.1.1.14 (on the passive node of the grid master)
Single Member: LAN 10.1.1.16
HA Member: VIP 10.1.1.22 (on the active node); Node 1 (Active) HA 10.1.1.19, LAN 10.1.1.18 (on the active node of the HA member); Node 2 (Passive) HA 10.1.1.21, LAN 10.1.1.20 (on the passive node of the HA member)]

If the grid master is a single appliance, it communicates with the grid members from its LAN port. If you enable grid communications on the MGMT port of an HA member, the active node communicates from its MGMT port to the grid master and the passive node communicates from its MGMT port to the VIP on the HA port on the active node.

Note: The default source and destination UDP port for all VPN tunnels in a grid is 1194.

Another type of traffic, which flows outside the tunnels, is the VRRP (Virtual Router Redundancy Protocol) advertisements that pass between the active and passive nodes in an HA pair. The VRRP advertisements act like heartbeats that convey the status of each node in an HA pair. If the active node fails, the passive node can become active. The VIP (virtual IP) address for that pair then shifts from the previously active node to the currently active node.

NAT Groups
NAT groups are necessary if the grid master is behind a NAT appliance and there are members on both sides of that NAT appliance. Any members on the same side as the master go into the same NAT group as the master and use their interface addresses for grid communications with each other. Grid members on the other side of that NAT appliance do not go in the same NAT group as the master and use the master's NAT address for grid communications. These other members outside the NAT appliance can be, but do not always need to be, in a different NAT group. To see when NAT groups become necessary for grid communications, compare Figure 9.4 below with Figure 9.5 and Figure 9.6 on page 302.


Figure 9.4 NAT without NAT Groups

[Figure: a grid of five members on a shared network, some behind NAT appliances. The grid members use the addresses in bold for grid communications through their LAN ports.
Member 1 (Grid Master): Interface 10.1.1.10, NAT 1.1.1.10
Member 2: Interface 1.2.2.20, no NAT
Member 3 (Master Candidate): Interface 192.168.1.30, NAT 1.3.3.30
Member 4: Interface 10.1.0.40, NAT 1.4.4.40
Member 5: Interface 10.1.0.50, NAT 1.4.4.50]

In this case, there is no need for NAT groups. The master (Member 1) always uses its NAT address (1.1.1.10) when communicating with the grid members. Also, if you ever promote Member 3 to master, it only has to use its NAT address (1.3.3.30) to communicate with the other grid members. Whichever appliance is master, there is no other member behind the same NAT appliance with which it needs to use its interface

Note: A single or HA member using its MGMT port for grid communications cannot be separated from the grid master behind a NAT appliance. For more information, see Using the MGMT Port on page 153.

Figure 9.5 Grid Master in NAT Group

[Figure: the grid of Figure 9.4 with a sixth member added behind the same NAT appliance as the grid master. Members 2 through 5 use the addresses in black bold for grid communications. Members 1 and 6 use their interface addresses, in underlined blue bold, with each other.
NAT Group 1: Member 1 (Grid Master): Interface 10.1.1.10, NAT 1.1.1.10; Member 6: Interface 10.1.1.60, NAT 1.1.1.60
Member 2: Interface 1.2.2.20, no NAT
Member 3 (Master Candidate): Interface 192.168.1.30, NAT 1.3.3.30
Member 4: Interface 10.1.0.40, NAT 1.4.4.40
Member 5: Interface 10.1.0.50, NAT 1.4.4.50]

The master (Member 1) uses its interface address (10.1.1.10) for grid communications with Member 6 and its NAT address (1.1.1.10) when communicating with the other grid members. Member 6 uses its interface address (10.1.1.60) when communicating with the master. If Member 3 (a master candidate) ever became the grid master, then both Members 1 and 6 would use their NAT addresses when communicating with it.


The same use of NAT groups that applies to a grid master also applies to master candidates. If there are no other members behind the same NAT appliance as a master candidate, then the master candidate does not need to be in a NAT group. It always uses its NAT address for grid communications. If another member is behind the same NAT appliance as the master candidate, then both the candidate and that member need to be in the same NAT group so that, if the candidate becomes master, they can use their interface addresses to communicate with each other (see Figure 9.6).

Figure 9.6 Grid Master and Master Candidate in NAT Groups

[Figure: the grid of Figure 9.5 with Member 4 configured as a master candidate. Members 1 through 5 use the addresses in black bold for grid communications. Members 1 and 6 use their interface addresses, in underlined blue bold, with each other. If Member 4 became master, it would use its interface address, in double underlined green bold, to communicate with Member 5, and its NAT address to communicate with all other members.
NAT Group 1: Member 1 (Grid Master): Interface 10.1.1.10, NAT 1.1.1.10; Member 6: Interface 10.1.1.60, NAT 1.1.1.60
Member 2: Interface 1.2.2.20, no NAT
Member 3 (Master Candidate): Interface 192.168.1.30, NAT 1.3.3.30
NAT Group 2: Member 4 (Master Candidate): Interface 10.1.0.40, NAT 1.4.4.40; Member 5: Interface 10.1.0.50, NAT 1.4.4.50]

Members 3 and 4 are master candidates. Because Member 3 is alone behind a NAT appliance, it does not need to be in a NAT group. It always uses its NAT address for grid communications. However, Member 4 is behind the same NAT appliance as Member 5, so they are put in the same NAT group. If Member 4 ever became the grid master, it would use its interface address to communicate with Member 5 and its NAT address to communicate with all other members.

Although some members might not need to be in a NAT group, it is good practice to put all members in NAT groups in anticipation of adding or rearranging grid members within the network. For example, in Figure 9.4 through Figure 9.6, Member 4 did not need to be in a NAT group until it became configured as a master candidate in Figure 9.6. At that point, because Member 5 is also behind the same NAT appliance, it became necessary to create NAT Group 2 and add Members 4 and 5 to it. Similarly, if you add another member behind the NAT appliance in front of Member 3, then you must create a new NAT group and add Member 3 and the new member to it. Always using NAT groups can simplify such changes to the grid and ensure that NAT appliances never interrupt grid communications.

To create a NAT group:
1. From the Grid perspective, click id_grid -> Edit -> Grid Properties -> NAT Groups.
2. In the NAT Groups section of the Grid editor, click Add.
3. In the NAT Group dialog box, enter a name in the Group Name field and a useful comment in the Comment field, and then click OK.
4. Click the Save icon.

To add members to the NAT group:
1. In the Grid perspective, click + (for id_grid) -> + (for Members) -> member -> Edit -> Member Properties -> NAT.
2. In the NAT section of the Grid Member editor, enter the following:
Enable NAT compatibility: (select)
Group: From the drop-down list, select the NAT group you previously created.


NAT (V)IP Address: For a single grid master or member, enter the address configured on the NAT appliance that maps to the interface address of the LAN port. A single master or member uses this NAT address for grid communications and, if it serves DNS, for its NS records. For an HA grid master or member, enter the address configured on the NAT appliance that maps to its VIP address. An HA master uses its VIP NAT address when communicating with grid members. An HA member that serves DNS uses its VIP NAT address for its NS records. It uses its LAN port NAT address for grid communications.
Node 1 (if HA) NAT IP Address: Enter the address configured on the NAT appliance that maps to the interface address of the LAN port on Node 1. When Node 1 of an HA member is active, it uses its NAT address for grid communications.
Node 2 (if HA) NAT IP Address: Enter the address configured on the NAT appliance that maps to the interface address of the LAN port on Node 2. When Node 2 of an HA member is active, it uses its NAT address for grid communications.

3. Click the Save icon.
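The address-selection rule behind NAT groups, and the ports described in Grid Communications on page 299, can be checked mechanically. The following Python is an added example, not Infoblox code: it models the members of Figure 9.6 as single appliances (the HA distinction between VIP NAT and LAN-port NAT addresses is left out), resolves which address each side of a grid connection uses (the interface address when both members are in the same NAT group, otherwise the NAT address, or the interface address for a member with no NAT), and lists the UDP flows on ports 2114 (CRAM authentication) and 1194 (default VPN) that a firewall between the sites must permit for a given master. The function names and the NAT group names are this example's own; the addresses are those in the figure.

```python
"""NAT group address resolution for grid communications.

Added example, not Infoblox code. Models the members of Figure 9.6 as
single appliances and applies the guide's rule: two members in the same
NAT group address each other by interface address; otherwise a member is
reached at its NAT address (or its interface address if it has no NAT).
"""
from dataclasses import dataclass
from typing import Optional

CRAM_PORT = 2114          # authentication handshake, not configurable
VPN_PORT_DEFAULT = 1194   # VPN tunnel, configurable per grid


@dataclass(frozen=True)
class Member:
    name: str
    interface: str
    nat: Optional[str] = None        # address on the NAT appliance, if any
    nat_group: Optional[str] = None  # NAT group name, if the member is in one


def address_presented(member: Member, peer: Member) -> str:
    """Address `member` uses, and is reached at, when talking to `peer`."""
    same_group = member.nat_group is not None and member.nat_group == peer.nat_group
    if member.nat is None or same_group:
        return member.interface
    return member.nat


def grid_flows(members, master_name, vpn_port=VPN_PORT_DEFAULT):
    """UDP flows (member, source, destination, port) a firewall must permit
    between each member and the master, for both CRAM and the VPN tunnel."""
    master = next(m for m in members if m.name == master_name)
    flows = []
    for m in members:
        if m is master:
            continue
        src = address_presented(m, master)
        dst = address_presented(master, m)
        for port in (CRAM_PORT, vpn_port):
            flows.append((m.name, src, dst, port))
    return flows


# Members as drawn in Figure 9.6 (addresses from the guide; group names chosen here).
FIGURE_9_6 = [
    Member("Member 1", "10.1.1.10", "1.1.1.10", "NAT Group 1"),
    Member("Member 2", "1.2.2.20"),
    Member("Member 3", "192.168.1.30", "1.3.3.30"),
    Member("Member 4", "10.1.0.40", "1.4.4.40", "NAT Group 2"),
    Member("Member 5", "10.1.0.50", "1.4.4.50", "NAT Group 2"),
    Member("Member 6", "10.1.1.60", "1.1.1.60", "NAT Group 1"),
]

if __name__ == "__main__":
    # Flows with Member 1 as master, then the flows if Member 4 were promoted.
    for master in ("Member 1", "Member 4"):
        print(f"--- master: {master}")
        for name, src, dst, port in grid_flows(FIGURE_9_6, master):
            print(f"{name}: {src} -> {dst} udp/{port}")
```

Running it with Member 1 as master reproduces the figure: Member 6 reaches the master at 10.1.1.10 from 10.1.1.60, every other member reaches it at 1.1.1.10 from its own NAT address (or, for Member 2, its interface address). Re-running with Member 4 as master shows why Members 4 and 5 need NAT Group 2: Member 5 must use 10.1.0.40 while Members 1 and 6 fall back to their NAT addresses.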

Automatic Software Version Coordination


When you add an appliance or HA pair to a grid as a new member, it is important that it is running the same version of software as the other members in the grid. Infoblox provides two methods for coordinating the software version:
Manual Upgrade and Downgrade: Before adding an appliance or HA pair to a grid, you can manually upgrade or downgrade the software on the appliance or HA pair to the version used by the rest of the grid.
Automatic Upgrade and Downgrade: The grid master automatically compares the software version of each appliance attempting to enter a grid with that in use by the rest of the grid. If the versions do not match, the grid master downloads the correct version to the new appliance or HA pair.

Note: The grid master checks the software version every time an appliance or HA pair joins the grid. The software version check occurs during the initial join operation and when a member goes offline and then rejoins the grid.


Figure 9.7 Automatic Upgrade of an Appliance Joining a Grid

[Figure: a grid running NIOS 4.0r1, consisting of a grid master, a single grid member, and an HA grid member. An appliance running DNSone 3.2r10 joins the grid and receives a NIOS 4.0r1 software download from the grid master through a VPN tunnel.]

The grid master synchronizes configuration and data changes with grid members through VPN tunnels. When an appliance with a different version of NIOS attempts to join the grid, the grid master sends the software that the rest of the grid is using to the appliance through a tunnel. The appliance loads the NIOS software that it receives from the grid master, reboots, and reestablishes a tunnel with the grid master. Then, assuming everything else is in order, the appliance successfully joins the grid.

When a single appliance attempts to join the grid for the first time, the following series of events takes place:
1. The appliance establishes an encrypted VPN tunnel with the grid master.
2. The master detects that the software version on the appliance is different from that in the rest of the grid. For example, the appliance is running DNSone 3.2r10 software but the rest of the grid is running NIOS 4.0r1 software.
3. The grid master sends the NIOS 4.0r1 software through the tunnel to the appliance, which loads it.
4. After the upgrade is complete, the NIOS application automatically restarts.
5. After the appliance reboots, it again contacts the grid master and step 1 is repeated. Because the software versions now match, the appliance can complete its attempt to join the grid.

When an HA pair attempts to join the grid for the first time, the following series of events takes place:
1. The active node of the HA pair establishes an encrypted VPN tunnel with the grid master.
2. The master detects that the software version on the node is different from that in the rest of the grid. For example, the active node is running DNSone 3.2r10 software but the rest of the grid is running NIOS 4.0r1 software.
3. The grid master sends the NIOS 4.0r1 software through the tunnel to the active node, which loads it.
4. After the upgrade is complete, the NIOS application on the active node automatically restarts. This causes an HA failover.
5. The new active node (which was previously the passive node) attempts to join the grid, repeating steps 1 through 4.
6. When the NIOS application on the currently active node restarts, there is another failover, and the currently passive node becomes active again.
7. The active node again contacts the grid master and step 1 is repeated. Because the software versions now match, it can complete its attempt to join the grid.


Grid Bandwidth Considerations


Infoblox grid technology relies upon database replication for its core functionality. When designing a grid, it is important to consider the amount of traffic generated by this replication and the overall number of grid members. Other communication between grid members (such as log retrieval and monitoring functions) occurs as well. All of this traffic is securely communicated between the grid master and grid members through encrypted VPN tunnels.

One component of the traffic through the tunnels is database replication traffic. There are three types to consider:
1. Complete database replication to a master candidate: Occurs when a master candidate joins or rejoins a grid. The grid master sends the complete database to a master candidate so that it has all the data it needs if it ever becomes promoted from member to master.
2. Partial database replication: Occurs when an appliance or HA pair joins or rejoins the grid as a regular member (which is not configured as a master candidate). The grid master sends it the section of the database that mainly applies just to the member.
3. Ongoing database updates: Occurs as changes are made to the grid configuration and data. The grid master sends all ongoing database updates to master candidates and individual member-specific updates to regular members. If there are no or very few DNS dynamic updates, and no or very few DHCP lease offers and renewals issued, then this type of replication traffic is minimal. If there are many DDNS (dynamic DNS) updates (many per second) and/or many DHCP lease offers and renewals (many per second), then the replication traffic is the largest component of the VPN traffic among grid members.

Note: A grid master replicates data to single members and to the active node of HA members. The active node then replicates the data to the passive node in the HA pair.

At a minimum, there must be 256 Kbps (kilobits per second) bandwidth between the grid master and each member, with a maximum round-trip delay of 500 milliseconds. For ongoing database updates, the amount of data sent or received is 15 Kb for every DDNS update, and 10 Kb for every DHCP lease offer/renew. The baseline amount for heartbeat and other maintenance traffic for each member is 2 Kbps. Measure the peak DNS and DHCP traffic you see in your network to determine the bandwidth needed between the grid master and its members for this activity. For example, you might decide to place your grid members in the locations shown in Figure 9.6 on page 302.


Figure 9.8 Grid Deployment

[Figure: network diagram of a grid spanning Data Center West, Data Center East, Large Branch West, and Large Branch Central, each location with East and West sites.]

In this example, the grid master is optimally placed in the Data Center West. There are a total of seven members: the HA grid master, three HA members, and three single members. If all the members are master candidates, the grid master replicates all changes to the other six members. Assuming that the master receives 20 dynamic updates per minute and 40 DHCP lease renews per minute, the calculation for grid bandwidth is:

20 DDNS updates/minute / 60 secs = 0.333 DDNS updates/sec * 15 Kb = 5 Kbps * 6 members = 30 Kbps
40 DHCP leases/minute / 60 secs = 0.666 DHCP leases/sec * 10 Kb = 6.7 Kbps * 6 members = 40.2 Kbps
2 Kbps of grid maintenance traffic * 6 members = 12 Kbps
Total = 82.2 Kbps

Another component is the upgrade process. See Upgrading NIOS Software on a Grid on page 339 for more information. Bandwidth requirements, database size, and update rate determine the maximum size of the grid you can deploy. Based on the various factors discussed above, you can determine the amount of bandwidth your grid needs. If your calculations exceed the available bandwidth, then you might need to modify your deployment strategy, perhaps by splitting one large grid into two or more smaller ones.

Note: This calculation does not take into account existing traffic other than DNS and DHCP services, so factor and adjust accordingly.

For international networks, because of bandwidth and delay requirements, a geographical grouping of grid members might be the best approach. For example, if you have a global presence, it may make the most sense to have a North American grid, a South American grid, a European grid, and an Asia/Pacific grid.
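The arithmetic in this section can be put into reusable form. The following Python is an added example, not Infoblox code: it takes the per-event sizes stated above (15 Kb per DDNS update, 10 Kb per DHCP lease offer/renew, 2 Kbps of maintenance traffic per member) and the link requirements (256 Kbps minimum, 500 ms maximum round-trip delay), estimates the master's worst-case replication load when every member is a master candidate, checks an individual master-to-member link against the requirements, and computes how many members a given master uplink can carry. The function names and the 50 percent headroom reserved in check_link for non-DNS/DHCP traffic are this example's own choices. Because the guide rounds the per-member rates to 5 Kbps and 6.7 Kbps before multiplying by six, it arrives at 82.2 Kbps for the Figure 9.8 deployment; the same inputs computed without intermediate rounding give 82.0 Kbps.

```python
"""Grid replication bandwidth estimate.

Added example, not Infoblox code. The per-event sizes and link minimums are
the figures stated in the Grid Bandwidth Considerations section; function
names, the all-candidates worst case and the headroom fraction are this
example's own.
"""
from dataclasses import dataclass

KB_PER_DDNS_UPDATE = 15          # kilobits replicated per DDNS update
KB_PER_DHCP_LEASE = 10           # kilobits replicated per DHCP lease offer/renew
MAINTENANCE_KBPS_PER_MEMBER = 2  # heartbeat and other maintenance traffic
MIN_LINK_KBPS = 256              # minimum bandwidth, master to each member
MAX_RTT_MS = 500                 # maximum round-trip delay, master to each member


@dataclass
class ReplicationLoad:
    members: int             # members receiving the full update stream
    ddns_kbps: float         # aggregate DDNS replication leaving the master
    dhcp_kbps: float         # aggregate DHCP replication leaving the master
    maintenance_kbps: float  # aggregate heartbeat/maintenance traffic

    @property
    def total_kbps(self) -> float:
        return self.ddns_kbps + self.dhcp_kbps + self.maintenance_kbps

    @property
    def per_member_kbps(self) -> float:
        """Share carried by each individual master-to-member link."""
        return self.total_kbps / self.members


def estimate_load(ddns_per_minute: float, dhcp_per_minute: float, members: int) -> ReplicationLoad:
    """Worst case: every member is a master candidate and receives all updates."""
    ddns_per_sec = ddns_per_minute / 60
    dhcp_per_sec = dhcp_per_minute / 60
    return ReplicationLoad(
        members=members,
        ddns_kbps=ddns_per_sec * KB_PER_DDNS_UPDATE * members,
        dhcp_kbps=dhcp_per_sec * KB_PER_DHCP_LEASE * members,
        maintenance_kbps=MAINTENANCE_KBPS_PER_MEMBER * members,
    )


def check_link(load: ReplicationLoad, available_kbps: float, rtt_ms: float, headroom: float = 0.5) -> list:
    """Return the reasons a master-to-member link fails the guide's requirements.

    `headroom` reserves a fraction of the link for traffic the estimate does not
    cover (the guide's note that the calculation ignores everything but DNS and
    DHCP); 0.5 is this example's choice, not a guide figure.
    """
    problems = []
    if available_kbps < MIN_LINK_KBPS:
        problems.append(f"link {available_kbps} Kbps is below the {MIN_LINK_KBPS} Kbps minimum")
    if rtt_ms > MAX_RTT_MS:
        problems.append(f"round-trip {rtt_ms} ms exceeds the {MAX_RTT_MS} ms maximum")
    if load.per_member_kbps > available_kbps * (1 - headroom):
        problems.append("replication share exceeds usable link capacity")
    return problems


def max_members(ddns_per_minute: float, dhcp_per_minute: float, master_uplink_kbps: float) -> int:
    """Largest number of fully replicated members whose load fits the master's uplink."""
    per_member = estimate_load(ddns_per_minute, dhcp_per_minute, 1).total_kbps
    return int(master_uplink_kbps // per_member)


if __name__ == "__main__":
    load = estimate_load(20, 40, 6)  # the Figure 9.8 deployment
    print(f"DDNS {load.ddns_kbps:.1f} Kbps, DHCP {load.dhcp_kbps:.1f} Kbps, "
          f"maintenance {load.maintenance_kbps:.1f} Kbps, total {load.total_kbps:.1f} Kbps")
    print("link problems:", check_link(load, available_kbps=256, rtt_ms=100))
    print("members a 256 Kbps master uplink carries:", max_members(20, 40, 256))
```

The per-member share is what matters for each branch link; the total is what the master's uplink at Data Center West must carry. When max_members comes out smaller than the grid you have planned, splitting into regional grids, as the section suggests, is the usual remedy.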


Creating a Grid Master


To create a grid, you first create a grid master and then add members. Although the grid master can be a single appliance (a single master), a more resilient design is to use an HA pair (an HA master) to provide hardware redundancy. The basic procedure for forming two appliances into an HA master is shown in Figure 9.9.

Note: You cannot configure a NIOS virtual appliance as a grid master, a grid master candidate, or an HA pair.

Figure 9.9 Initially Configuring a Pair of Appliances as a Grid Master

[Figure: a management system, Node 1, and Node 2 connected to a switch that links to the network. The figure shows the following sequence.]

1. Connect your management system to a switch and set its IP address to 192.168.1.3.
2. Connect Node 1 to the switch, log in to its default IP address (192.168.1.2), check that a Grid license is installed, and configure the following:
VIP address, netmask, gateway
Hostname
HA and LAN addresses of Node 1
HA and LAN addresses of Node 2
VRID (virtual router ID)
NTP settings
Grid name
Shared secret
3. After you configure Node 1, it listens for three seconds for VRRP advertisements containing its VRID number. When it does not receive any, it assumes the active role in the HA pair and starts sending advertisements.
4. Connect Node 2 to the switch, log in to its default IP address (192.168.1.2), check that a Grid license is installed, and configure the following:
VIP address (for Node 1)
LAN address, netmask, gateway
Hostname
Grid name
Shared secret
5. After you configure Node 2, it contacts the VIP address on Node 1 and initiates a key exchange using the shared secret. The nodes then construct an encrypted VPN tunnel to secure grid communications.

Note: Because you do not set the VRID for Node 2, it cannot listen for VRRP advertisements yet. It learns its VRID after it joins the grid and downloads the database from Node 1. Then, when Node 2 receives an advertisement containing its VRID from Node 1, it assumes the passive role in the HA pair.

Note: For more information about VRRP advertisements, see VRRP Advertisements on page 309.

After the two nodes form an HA pair, Node 2 initiates a key exchange and creates an encrypted VPN tunnel with Node 1. The two nodes communicate between the VIP interface linked to the HA port on Node 1 and the LAN port on Node 2. The initialization of VPN communications between the two nodes is shown in Figure 9.10 on page 308.


Figure 9.10 Establishing a VPN Tunnel for Grid Communications

[Figure: Node 1 (VIP) and Node 2 (LAN) connected through a switch. First, the two nodes authenticate each other and perform a VPN key exchange using source and destination port 2114 (nonconfigurable). Then the passive node establishes an encrypted VPN tunnel with the active node on the default VPN port 1194 (configurable), and the tunnel is established.]

After the nodes establish a VPN tunnel between themselves, Node 1 sends Node 2 its entire database (its configuration settings and service data). Because the configuration contains the VRID (virtual router ID) for the HA pair, Node 2 starts listening for VRRP advertisements containing that VRID number. Because Node 1 is already sending such advertisements, Node 2 receives one and assumes the passive role in the HA pair. After the initial transmission of its database, Node 1 continues to send Node 2 real-time database updates through the VPN tunnel using an Infoblox proprietary mechanism called bloxSYNC. Node 1 maintains the synchronization of the database throughout the grid (which, at this point, has no other members), sends VRRP advertisements indicating its physical and network health, and, if configured to do so, provides network services. Node 2 maintains a state of readiness to assume mastership in the event of a failover. You can see the flow of HA- and grid-related traffic from ports on the active node to ports on the passive node in Figure 9.11. This illustration also shows the ports that you can use for management traffic and network service.
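What Node 2 is listening for can be made concrete. The following Python is an added example, not Infoblox code: it derives the VRRP virtual MAC from a VRID, parses and checksum-verifies an advertisement, and classifies it the way a passive node does (ignored for a foreign VRID, a forced failover when the priority is 0, otherwise a heartbeat), with a helper that flags three consecutive missed advertisements. The frame details it relies on (source MAC 00:00:5e:00:01:vrid, destination 01:00:5e:00:00:12 and 224.0.0.18, one advertisement per second, priority 0 on a forced failover, priority 30 for a newly active NIOS node, failover after three missed advertisements) are those given in VRRP Advertisements on page 309. The byte layout follows VRRP version 2 (RFC 3768); the guide does not state the VRRP version, so that is this example's assumption. The sample advertisement is constructed inline using the VRID 143 and priority 30 from that section.

```python
"""VRRP advertisement parsing for HA failover monitoring.

Added example, not Infoblox code. Byte layout follows VRRP version 2
(RFC 3768), which is an assumption: the guide gives addresses and timing
but not the protocol version.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

VRRP_MULTICAST_IP = "224.0.0.18"          # destination IP of every advertisement
VRRP_MULTICAST_MAC = "01:00:5e:00:00:12"  # destination MAC of every advertisement
ADVERTISEMENT_INTERVAL_S = 1              # the active node sends one per second
MISSED_BEFORE_FAILOVER = 3                # passive node takes over after this many misses
NIOS_INITIAL_PRIORITY = 30                # priority a NIOS node receives when it first becomes active


def vrrp_virtual_mac(vrid: int) -> str:
    """Source MAC the active node uses: 00:00:5e:00:01:<VRID in hex>."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5e:00:01:{vrid:02x}"


def vrid_from_mac(mac: str) -> int:
    """Inverse of vrrp_virtual_mac; rejects MACs outside the VRRP range."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or octets[:5] != ["00", "00", "5e", "00", "01"]:
        raise ValueError(f"{mac} is not a VRRP virtual MAC")
    return int(octets[5], 16)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class Advertisement:
    vrid: int
    priority: int
    adver_int: int
    addresses: list
    checksum_ok: bool


def build_advertisement(vrid: int, priority: int, addresses, adver_int: int = ADVERTISEMENT_INTERVAL_S) -> bytes:
    """Construct a VRRPv2 advertisement; used here only to make sample input."""
    # Address list followed by 8 zero bytes of authentication data (auth type 0).
    body = b"".join(IPv4Address(a).packed for a in addresses) + bytes(8)
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(addresses), 0, adver_int, 0)
    checksum = internet_checksum(header + body)
    return header[:6] + struct.pack("!H", checksum) + body


def parse_advertisement(payload: bytes) -> Advertisement:
    """Decode the VRRP message carried directly in IP (protocol 112)."""
    if len(payload) < 16:
        raise ValueError("truncated VRRP message")
    ver_type, vrid, priority, count, _auth_type, adver_int, _ = struct.unpack("!BBBBBBH", payload[:8])
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if len(payload) != 8 + 4 * count + 8:
        raise ValueError("length disagrees with Count IP Addrs")
    addresses = [str(IPv4Address(payload[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    # A valid message, summed together with its own checksum field, folds to 0xFFFF,
    # so recomputing the checksum over the whole message yields 0.
    return Advertisement(vrid, priority, adver_int, addresses, internet_checksum(payload) == 0)


def classify(adv: Advertisement, listening_vrid: int) -> str:
    """What a passive node does with an advertisement received on its HA port."""
    if adv.vrid != listening_vrid:
        return "ignored"            # belongs to another HA pair on the same segment
    if not adv.checksum_ok:
        return "corrupt"
    if adv.priority == 0:
        return "forced-failover"    # the active node is relinquishing the VIP
    return "heartbeat"


def heartbeat_lost(last_seen_s: float, now_s: float, adver_int_s: int = ADVERTISEMENT_INTERVAL_S) -> bool:
    """True once three consecutive advertisements have been missed."""
    return now_s - last_seen_s >= MISSED_BEFORE_FAILOVER * adver_int_s


if __name__ == "__main__":
    sample = build_advertisement(143, NIOS_INITIAL_PRIORITY, ["10.1.1.11"])  # constructed sample
    adv = parse_advertisement(sample)
    print(vrrp_virtual_mac(adv.vrid), adv, classify(adv, 143))
```

Watching these datagrams on the HA segment gives a defender a passive check on the pair: a priority-0 advertisement outside a maintenance window, advertisements for the same VRID from two different source MACs, or a gap of three intervals all indicate an unplanned failover or a dual-active condition worth correlating with the system log.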

Figure 9.11 Traffic and Ports that an HA Grid Master Uses

[Figure: Node 1 (active) and Node 2 (passive) of the HA master connect through a switch to the network and to the management system. The VIP is a logical interface linking to the HA port on the active node of the HA pair. Between the nodes: bloxSYNC inside the VPN tunnel (from the VIP on the active node to the LAN port on the passive node) and VRRP advertisements (between the HA ports). From the management system: HTTPS/GUI to the VIP, and SSHv2/CLI to the LAN port of each node.]

Note: If you enable the MGMT port, you can only make an HTTPS connection to the IP address of the active node. If you try to connect to the IP address of the passive node, the appliance redirects your browser to the IP address of the active node. SSHv2, however, behaves differently from HTTPS. If you enable the MGMT port and define its network settings for both nodes in the HA pair, you can make an SSHv2 connection to the IP addresses of the LAN and MGMT ports on both the active and passive nodes.


From the management system, you can manage the active node of the HA master by making an HTTPS connection to the VIP interface and using the GUI, and by making an SSHv2 connection to the LAN port (and MGMT port, if enabled) and using the CLI. If you enable the MGMT port on an HA pair, you can make an HTTPS connection through the MGMT port on the active node, and you can make an SSHv2 connection through the LAN or MGMT port on the active and passive nodes.

Note: For information about enabling and using the MGMT port, the Infoblox GUI, and SSH, see Using the MGMT Port on page 153, Accessing the Infoblox GUI on page 41, and Enabling Remote Console Access on page 139.

VRRP Advertisements
VRRP advertisements are periodic announcements of the availability of the HA node linked to the VIP. The active node in an HA pair sends advertisements as multicast datagrams every second. It sends them from its HA port using the source IP address of the HA port (not from the VIP address) and the source MAC address 00:00:5e:00:01:vrrp_id. The last two hexadecimal digits in the source MAC address indicate the VRID (virtual router ID) number for this HA pair. For example, if the VRID number is 143, then the source MAC address is 00:00:5e:00:01:8f (8f in hexadecimal notation = 143 in decimal notation). The destination MAC and IP addresses for all VRRP advertisements are 01:00:5e:00:00:12 and 224.0.0.18. Because a VRRP advertisement is a multicast datagram that can only be sent within the immediate logical broadcast domain, the nodes in an HA pair must be in the same subnet. Only an appliance configured to listen for VRRP advertisements with the same VRID number processes the datagrams; all other appliances ignore them. The passive node in an Infoblox HA pair listens for these advertisements on its HA port, and the active node listens on its LAN port.

If the passive node does not receive three consecutive advertisements, or if it receives an advertisement with the priority set to 0 (which occurs when you manually perform a forced failover), it changes to the active state and assumes ownership of the VIP address and virtual MAC address. If both nodes go offline, the one that comes online first becomes the active node. If they both come online simultaneously, or if they enter a dual-active state (that is, a condition in which both appliances assume an active role and send VRRP advertisements, possibly because of network issues), then the nodes apply the following rules to resolve their roles:
- The appliance with the numerically higher VRRP priority becomes the active node. In NIOS, a node receives the priority value 30 when it first becomes active. If that node sends an advertisement from its HA port but does not receive it on its own LAN port, it lowers its priority value by one to 29. If it does not receive the next advertisement, it lowers the priority value to 28. This can continue until the priority reaches 10, at which point the decrementation process stops. (Because the active node in an HA pair can function without its LAN port, the decrementation process stops before the priority value reaches zero, which would cause an appliance failover.) If the node starts receiving its own advertisements again, it increases its priority value by one for each received advertisement, stopping the incrementation process when it returns to 30.
- If both nodes have the same priority, then the appliance whose HA port has a numerically higher IP address becomes the active node. For example, if the IP address of the HA port on Node 1 is 10.1.1.80 and the IP address of the HA port on Node 2 is 10.1.1.20, then Node 1 becomes the active node.

The basic decision tree that a NIOS appliance configured as a node in an HA pair uses to determine whether it is the active or passive node is shown in Figure 9.12 on page 310.


Figure 9.12 Using VRRP Advertisements to Determine the Active Node in an HA Pair

[Figure: decision tree, reproduced as text]
1. A VRRP-enabled appliance comes online.
2. Does an advertisement with its VRID arrive within 3 seconds?
   - Yes: Enter the passive state.
   - No: Become the active node and start sending VRRP advertisements.
3. If another VRRP-enabled appliance sends VRRP advertisements with the same VRID, does the other appliance have a higher priority?
   - Yes: Enter the passive state.
   - No: Remain active.
   - Same priority: Does the other appliance have a higher IP address?
     - Yes: Enter the passive state.
     - No: Remain active.
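The VRID-to-MAC mapping, the priority adjustment, and the decision tree in Figure 9.12, modelled as a small Python program. This is an added example and not code from the Infoblox guide: the function and class names are illustrative, and whether an advertisement was seen is fed in as a value rather than captured from the network. The numeric rules (priority 30 decreasing to 10, three missed advertisements, priority 0 on a forced failover, the higher HA port address as tie-break) are the ones stated in the VRRP Advertisements section.

```python
"""VRRP role and priority rules of an Infoblox HA pair, modelled in Python.

Added example, not code from the Infoblox guide. Names are illustrative;
advertisement observations are passed in as values, not sniffed.
"""
from ipaddress import ip_address

VRRP_MAC_PREFIX = "00:00:5e:00:01"  # virtual source MAC prefix stated on the page
INITIAL_PRIORITY = 30               # NIOS priority when a node first becomes active
MIN_PRIORITY = 10                   # decrementing stops here, so 0 is never reached
MISSED_ADVERTS_FOR_FAILOVER = 3     # passive node fails over after three missed adverts


def virtual_mac(vrid: int) -> str:
    """Virtual source MAC for a VRID: the last octet is the VRID in hex."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be between 1 and 255")
    return f"{VRRP_MAC_PREFIX}:{vrid:02x}"


def role_on_startup(advert_with_my_vrid_within_3s: bool) -> str:
    """First branch of the decision tree: an appliance that hears its VRID
    within 3 seconds becomes passive, otherwise it starts advertising."""
    return "passive" if advert_with_my_vrid_within_3s else "active"


class ActiveNode:
    """Priority bookkeeping of the active node, driven by whether it hears
    its own advertisements (sent from the HA port) on its LAN port."""

    def __init__(self) -> None:
        self.priority = INITIAL_PRIORITY

    def observe_own_advertisement(self, received: bool) -> int:
        if received:
            self.priority = min(INITIAL_PRIORITY, self.priority + 1)
        else:
            self.priority = max(MIN_PRIORITY, self.priority - 1)
        return self.priority


def resolve_dual_active(my_priority: int, my_ha_ip: str,
                        other_priority: int, other_ha_ip: str) -> str:
    """Role of 'my' node when another appliance advertises the same VRID:
    the higher priority wins; on a tie, the higher HA port IP address wins."""
    if other_priority != my_priority:
        return "passive" if other_priority > my_priority else "active"
    return "passive" if ip_address(other_ha_ip) > ip_address(my_ha_ip) else "active"


def passive_should_take_over(adverts: list) -> bool:
    """Replay one entry per second as seen by the passive node: an int is the
    priority carried by a received advertisement, None is a missed one.
    Take over after three consecutive misses or a priority-0 advertisement
    (which the active node sends during a forced failover)."""
    missed = 0
    for adv in adverts:
        if adv is None:
            missed += 1
            if missed >= MISSED_ADVERTS_FOR_FAILOVER:
                return True
        else:
            missed = 0
            if adv == 0:
                return True
    return False


if __name__ == "__main__":
    print("VRID 143 ->", virtual_mac(143))                          # 00:00:5e:00:01:8f
    node = ActiveNode()
    for _ in range(25):                                            # LAN port down for 25 s
        node.observe_own_advertisement(False)
    print("priority after 25 missed self-adverts:", node.priority)  # 10, not 5
    print("tie at 30, HA 10.1.1.80 vs 10.1.1.20:",
          resolve_dual_active(30, "10.1.1.80", 30, "10.1.1.20"))     # active
    print("forced failover seen:", passive_should_take_over([30, 30, 0]))
```

Run as a script, the program exercises each rule once. The clamp at 10 in ActiveNode is the detail worth noticing: a long LAN outage on the active node lowers its priority, which matters in a dual-active contest, but never by itself triggers a failover.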

Port Numbers for Grid Communication


If connectivity between grid members must pass through a firewall, the firewall policies must allow the initial key exchange and subsequent VPN traffic to pass. The key exchange uses UDP with a source and destination port of 2114. VPN traffic uses UDP with a default source and destination port of 1194.

The VPN port number is configurable. From the Grid perspective on the grid master, click id_grid -> Edit -> Grid Properties -> Grid Properties, type a new port number in the VPN Port Number field, and then click the Save icon. After changing the port number, you must reboot the single master or the active node of an HA master (which forces an HA failover). From the Grid perspective, click + (for id_grid) -> + (for Members) -> master -> Edit -> Reboot.

A member and master first perform a handshake to authenticate each other and exchange encryption keys. Then they build an encrypted VPN tunnel between themselves. The member typically initiates both of these connections. The master only initiates a key exchange if you manually promote a member to the role of master (see Promoting a Master Candidate on page 338). Figure 9.10 on page 308 shows the typical connection exchange and default port usage not only between the two nodes forming an HA pair but also between a member and master when the member joins a grid. The member and master key exchange occurs when an appliance joins a grid, during master promotion, and when a member reconnects to a grid after becoming disconnected. At all other times, grid-related communications occur through encrypted VPN tunnels.
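A check that an ordered, first-match firewall policy between a member and the master permits both UDP flows described above, as an added example that is not part of the Infoblox guide. The Rule dataclass, the policy format, and the addresses 10.2.0.10 and 10.1.0.5 are constructed for illustration; the port numbers 2114 and 1194 come from the page. Both directions are tested because the master initiates the key exchange during master promotion.

```python
"""Verify that a first-match firewall policy allows the grid key exchange
(UDP 2114, fixed) and the VPN tunnel (UDP 1194 by default, configurable).

Added example; the rule format and addresses are constructed and are not
an Infoblox or firewall-vendor format.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

KEY_EXCHANGE_PORT = 2114   # fixed, per the guide
DEFAULT_VPN_PORT = 1194    # changeable in Grid Properties


@dataclass
class Rule:
    """One entry of an ordered, first-match policy (constructed format)."""
    action: str                  # "allow" or "deny"
    proto: str                   # "udp", "tcp" or "any"
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation
    dport: Optional[int] = None  # None = any destination port


def first_match(policy: List[Rule], proto: str, src_ip: str, dst_ip: str,
                dport: int, default: str = "deny") -> str:
    """Evaluate the policy top-down; the first matching rule decides."""
    for rule in policy:
        if rule.proto not in ("any", proto):
            continue
        if ip_address(src_ip) not in ip_network(rule.src):
            continue
        if ip_address(dst_ip) not in ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return default


def required_flows(vpn_port: int = DEFAULT_VPN_PORT) -> List[Tuple[str, int]]:
    """The two UDP flows grid communication needs; each uses the same
    number as source and destination port."""
    return [("key exchange", KEY_EXCHANGE_PORT), ("VPN tunnel", vpn_port)]


def check_grid_policy(policy: List[Rule], member_ip: str, master_ip: str,
                      vpn_port: int = DEFAULT_VPN_PORT) -> List[str]:
    """Return a description of every required flow the policy blocks.
    An empty list means the member can join and stay joined."""
    blocked = []
    for name, port in required_flows(vpn_port):
        # Member -> master is the usual direction; master -> member occurs
        # when the master initiates the key exchange during promotion.
        for src, dst in ((member_ip, master_ip), (master_ip, member_ip)):
            if first_match(policy, "udp", src, dst, port) != "allow":
                blocked.append(f"{name}: udp {src} -> {dst} port {port}")
    return blocked


# Constructed sample: a branch member and the master VIP at HQ.
MEMBER_IP = "10.2.0.10"
MASTER_VIP = "10.1.0.5"
SAMPLE_POLICY = [
    Rule("allow", "udp", "10.2.0.0/24", "10.1.0.5/32", KEY_EXCHANGE_PORT),
    Rule("allow", "udp", "10.1.0.5/32", "10.2.0.0/24", KEY_EXCHANGE_PORT),
    Rule("allow", "udp", "10.2.0.0/24", "10.1.0.5/32", DEFAULT_VPN_PORT),
    Rule("allow", "udp", "10.1.0.5/32", "10.2.0.0/24", DEFAULT_VPN_PORT),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("default VPN port:",
          check_grid_policy(SAMPLE_POLICY, MEMBER_IP, MASTER_VIP) or "OK")
    # The VPN port was changed on the master but the firewall was not updated.
    for line in check_grid_policy(SAMPLE_POLICY, MEMBER_IP, MASTER_VIP, vpn_port=2194):
        print("blocked ->", line)
```

The second call in the script shows the failure mode that follows a VPN Port Number change: the key exchange still succeeds on 2114, so the join appears to start, but the tunnel on the new port is dropped by the final deny rule until the firewall policy is updated to match.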


Creating an HA Grid Master


To create a grid, you first create a grid master and then add members. Although you can define a single appliance as a grid master, using an HA pair provides hardware redundancy for this vital component of a grid. The following procedure explains how to put two NIOS appliances on the network and use the Infoblox NIOS Startup Wizard to configure them as Nodes 1 and 2 to form an HA grid master. You cannot configure a NIOS virtual appliance as an HA grid master. To create an HA grid master using the Infoblox NIOS Startup Wizard:

Configuring the Connecting Switch


To ensure that VRRP (Virtual Router Redundancy Protocol) works properly, configure the following settings on the network switch to which you cable the two nodes:
- Portfast: enable
- Trunking: disable
- Port list: disable
- Port channeling: disable

Note: By default, a NIOS appliance automatically negotiates the optimal connection speed and transmission type (full or half duplex) on the physical links between its LAN (or LAN1), HA, and MGMT ports and the ethernet ports on the connecting switch. If the two appliances fail to auto-negotiate the optimal settings, see Modifying Ethernet Port Settings on page 148 for steps you can take to resolve the problem.

Putting Both Appliances on the Network


1. Connect the power cable from each NIOS appliance to a power source and turn on the power. If possible, connect the appliances to separate power circuits. If one power circuit fails, the other might still be operative.
2. Connect ethernet cables from the LAN (or LAN1) port and the HA port on each appliance to a switch on the network.
Note: The ethernet ports on the Infoblox-250, -550, -550-A, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000 appliances are autosensing, so you can use either a straight-through or cross-over ethernet cable for these connections. For the Infoblox-500, -1000, and -1200 appliances, use straight-through ethernet cables.
3. Use the LCD on one appliance or make a console connection to it, and configure the network settings of its LAN or LAN1 port so that it is on the local subnet and you can reach it on the network.
Note: For details about using the LCD and console, see Using the LCD Panel on page 813 and Using the Serial Console on page 813.
4. Similarly, configure the LAN or LAN1 port on the other appliance so that it is in the same subnet as the first appliance.
5. Connect your management system to the network so that it can reach the IP addresses of the LAN or LAN1 ports.

HA Master Node 1
1. On your management system, open a browser window, and connect to https://ip_addr, where ip_addr is the address of the LAN or LAN1 port on Node 1.
2. Click LAUNCH GRID MANAGER.
3. Log in using the default user name and password admin and infoblox. For detailed information about logging in to the GUI, see Accessing the Infoblox GUI on page 41.


The Infoblox NIOS Startup Wizard appears. The first screen provides basic information about the wizard, and the second screen displays license agreement information.
4. Beginning on the third screen, enter the following, where:
- string1 is a text string that the two appliances use to authenticate each other when establishing a VPN tunnel for ensuing bloxSYNC traffic. (The default grid name is Infoblox.)
- string2 is a text string that both appliances use as a shared secret to authenticate each other when establishing a VPN tunnel for ensuing bloxSYNC traffic. (The default shared secret is test.)
- vip_addr and netmask are the VIP (virtual IP) address and its netmask.
- ip_addr1 is the IP address of the gateway for the subnet on which the ports are set.
- hostname is a valid domain name for the appliance.
- ip_addr2-5 are the IP addresses of the LAN and HA ports for Nodes 1 and 2.
- number is the VRID (virtual router ID). This must be a unique VRID number (from 1 to 255) for this subnet.
- string3 is a single hexadecimal string (no spaces) for a password that is at least four characters long.
- ip_addr6 is the IP address of an NTP (Network Time Protocol) server. You can enter IP addresses for multiple NTP servers.

Wizard Screen                 Enter or Select
Deployment Type               Grid Master or Member
License Validation            Check that a Grid license is installed.
Grid Master or Member         Grid Master
Single or HA Grid Master      HA Grid Master; Node 1
HA Pair Settings and          HA Pair Name: string1
HA Pair Network Settings      Shared Secret: string2
                              VIP Address: vip_addr
                              Netmask: netmask
                              Gateway: ip_addr1
                              Host Name: hostname
                              Node 1: LAN/LAN1 Address: ip_addr2; HA Address: ip_addr3
                              Node 2: LAN/LAN1 Address: ip_addr4; HA Address: ip_addr5
                              Virtual Router ID: number
Admin Account Password        Change Admin Password: (select), string3
Time Settings                 Enable NTP: (select)
                              NTP Server List: ip_addr6 (click Add)
                              Time zone: (choose the time zone for the location of the appliance)


Note: The startup wizard provides options such as not changing the default password and manually entering the time and date. However, changing the password and using an NTP server improve security and accuracy (respectively), and so these choices are presented here.

The last screen of the startup wizard states that the changed time settings require the application to restart. When you click Finish, the application restarts.
5. Close the management window. The configuration for Node 1 is complete.

HA Master Node 2
1. On your management system, open a new browser window, and connect to https://ip_addr, where ip_addr is the address of the LAN or LAN1 port on Node 2.
2. Log in using the default user name and password admin and infoblox. The Infoblox NIOS Startup Wizard appears.
3. Beginning on the third wizard screen, enter the following to set up Node 2 (the variables are explained in the previous section for Node 1):

Wizard Screen                 Enter or Select
Deployment Type               Grid Master or Member
License Validation            Check that a Grid license is installed.
Grid Master or Member         Grid Master
Single or HA Grid Master      HA Grid Master; Node 2
Node 2 Network Settings       IP Address: ip_addr4
                              Netmask: netmask
                              Gateway: ip_addr1
Grid Properties               Master's IP Address: vip_addr
                              Grid Name: string1
                              Shared Secret: string2

4. After completing the wizard, close the management window. The setup of the HA master is complete. From now on, when you make an HTTPS connection to the HA pair, use the VIP address.

Creating a Single Grid Master


Although using an HA master is ideal because of the hardware redundancy it provides, you can also use a single appliance as the grid master. You cannot configure a NIOS virtual appliance as a grid master. Setting up an appliance as a single grid master is very easy. If the appliance has the DNSone package with the Grid upgrade, it is already a grid master. You simply need to define the network settings for its LAN or LAN1 port. The various procedures for defining the network settings for the LAN or LAN1 port of a single independent appliance apply here as well; that is, you can use any of the following procedures to define the network settings for the LAN or LAN1 port of the appliance that you want to make a single grid master:
- LCD: See Method 1 Using the LCD on page 264.
- Console port: See Method 2 Using the CLI on page 264.


You can also use the Infoblox NIOS Startup Wizard and the Infoblox Grid Manager to create a single grid master. In addition to providing a simple method accompanied by helpful information, the startup wizard allows you to change the admin password and configure time settings for the appliance. Through the GUI, you can configure other settings (although the configuration presented here covers just the basics):
- Infoblox NIOS Startup Wizard: See Using the Startup Wizard on page 314.
- Infoblox Grid Manager: See Using the Infoblox GUI on page 315.

Using the Startup Wizard


To create a single grid master using the Infoblox NIOS Startup Wizard:
1. Connect the power cable from the NIOS appliance to a power source and turn on the power.
2. Connect an ethernet cable from the LAN (or LAN1) port on the appliance to a switch on the network.
Note: The ethernet ports on the Infoblox-250, -550, -550-A, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000 appliances are autosensing, so you can use either a straight-through or cross-over ethernet cable for this connection. For the Infoblox-500, -1000, and -1200 appliances, use a straight-through ethernet cable.
3. If you have not changed the default IP address (192.168.1.2/24) of the LAN or LAN1 port through the LCD or CLI, and the subnet to which you connect the appliance does not happen to be 192.168.1.0/24, put your management system in the 192.168.1.0/24 subnet and connect an ethernet cable between your management system and the NIOS appliance.
4. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port. To reach the default IP address, enter: https://192.168.1.2. Several certificate warnings appear during the login process. This is normal because the preloaded certificate is self-signed (and, therefore, is not in the trusted certificate stores in your browser, Java application, and Java Web Start application) and has the hostname www.infoblox.com, which does not match the destination IP address you entered in step 3. To stop the warning messages from occurring each time you log in to the GUI, you can generate a new self-signed certificate or import a third-party certificate with a common name that matches the FQDN (fully qualified domain name) of the appliance. This is a very simple process. For information about certificates, see Managing Certificates on page 51.
5. Click LAUNCH GRID MANAGER.
6. Log in to the NIOS appliance. The default login name and password are admin and infoblox. For detailed information about logging in to the GUI, see Accessing the Infoblox GUI on page 41.
The Infoblox NIOS Startup Wizard appears. The first screen provides basic information about the wizard, and the second screen displays license agreement information.
7. Beginning on the third screen, enter the following, where:
- string1 is a text string that the grid master and appliances joining the grid use to authenticate each other when establishing a VPN tunnel for ensuing bloxSYNC traffic. (The default grid name is Infoblox.)
- string2 is a text string that the grid master and appliances joining the grid use as a shared secret to authenticate each other when establishing a VPN tunnel for ensuing bloxSYNC traffic. (The default shared secret is test.)
- ip_addr1 and netmask are the IP address and netmask for the LAN or LAN1 port.
- ip_addr2 is the IP address of the gateway for the subnet on which the LAN or LAN1 port is set.
- hostname is a valid domain name for the appliance.
- string3 is a single alphanumeric string (no spaces) for a password that is at least four characters long.
- ip_addr3 is the IP address of an NTP (Network Time Protocol) server.


Wizard Screen                 Enter or Select
Deployment Type               Grid Master or Member
License Validation            Check that a Grid license is installed.
Grid Master or Member         Grid Master
Single or HA Grid Master      Single Grid Master
Grid Settings                 Grid Name: string1
                              Shared Secret: string2
Network Settings              IP Address: ip_addr1
                              Netmask: netmask
                              Gateway: ip_addr2
                              Host name: hostname
Admin Account Password        Change Admin Password: (select), string3
Time Settings                 Enable NTP: (select)
                              NTP Server List: ip_addr3 (click Add)
                              Time zone: (choose the time zone for the location of the appliance)

Note: The startup wizard provides options such as not changing the default password and manually entering the time and date. However, changing the password and using an NTP server improve security and accuracy (respectively), and so these choices are presented above. Record and retain this information in a safe place. If you forget the shared secret, you need to contact Infoblox Technical Support for help. When you add an appliance to the grid, you must configure it with the same grid name, shared secret, and VPN port number that you configure on the grid master.

The last screen of the startup wizard states that the changed settings require the appliance to restart. When you click Finish, the appliance restarts. The setup of the single master is complete. From now on, when you make an HTTPS connection to the appliance, use its new IP address.

Using the Infoblox GUI


To create a single grid master using the Infoblox Grid Manager GUI:
1. Connect the power cable from a NIOS appliance to a power source and turn on the power.
2. Connect ethernet cables from the LAN (or LAN1) port and the HA port on the appliance to a switch on the network.
Note: The ethernet ports on the Infoblox-250, -550, -550-A, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000 appliances are autosensing, so you can use either a straight-through or cross-over ethernet cable for this connection. For the Infoblox-500, -1000, and -1200 appliances, use a straight-through ethernet cable.
3. If you have not changed the default IP address (192.168.1.2/24) of the LAN or LAN1 port through the LCD or CLI, and the subnet to which you connect the appliance does not happen to be 192.168.1.0/24, put your management system in the 192.168.1.0/24 subnet and connect an ethernet cable between your management system and the NIOS appliance.


4. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port. To reach the default IP address, enter: https://192.168.1.2. Several certificate warnings appear during the login process. This is normal because the preloaded certificate is self-signed (and, therefore, is not in the trusted certificate stores in your browser, Java application, and Java Web Start application) and has the hostname www.infoblox.com, which does not match the destination IP address you entered in step 3. To stop the warning messages from occurring each time you log in, generate a new self-signed certificate or import a third-party certificate with a common name that matches the FQDN of the appliance. For information about certificates, see Managing Certificates on page 51.
5. Click LAUNCH GRID MANAGER.
6. Log in to the NIOS appliance. The default login name and password are admin and infoblox. For detailed information about logging in to the GUI, see Accessing the Infoblox GUI on page 41. The Infoblox NIOS Startup Wizard appears.
7. To bypass the wizard and access the Infoblox Grid Manager GUI, click Cancel or the Close button.
8. From the Grid perspective, click + (for Infoblox) -> + (for Members) -> infoblox.localdomain -> Edit -> Member Properties.
9. In the Grid Member editor, click Node Properties, and then enter the following:
   Member Type: Choose the type of appliance for the grid member. The default is Infoblox.
   Note: You can configure a NIOS virtual appliance only as a grid member, not a grid master.
   Host Name: Type the FQDN (fully qualified domain name) of the appliance.
   (V)IP Address: Type the IP address of the LAN or LAN1 port.
   Subnet Mask: Choose the netmask for the subnet to which the LAN or LAN1 port connects.
   Gateway: Type the IP address of the default gateway of the subnet to which the LAN or LAN1 port connects.
   Comment: Enter information about the appliance, such as its location.
10. Click Save, and then close the management window.
11. Initiate a new management session, and log in to the appliance using its new IP address.
12. From the Grid perspective, click + (for Infoblox) -> Edit -> Grid Properties.
13. In the Grid editor, click Grid Properties, and then enter the following information:
   Name: Type the name of the grid. The default name is Infoblox.
   Shared Secret: Type a shared secret that all appliances must use to authenticate themselves when joining the grid. The default shared secret is test.
   Retype Shared Secret: Type the shared secret again to confirm its accuracy.
   VPN Port Number: Type the port number that the grid members use when communicating with the grid master through encrypted VPN tunnels. The default port number is 1194. After changing the port number, you must reboot the single master or the active node of an HA master (which forces an HA failover). From the Grid perspective, click + (for id_grid) -> + (for Members) -> master -> Edit -> Reboot. For more information, see Port Numbers for Grid Communication on page 310.
   Enable Recycle Bin: Select the check box to enable the recycle bin feature. This option is supported only for superusers. The recycle bin stores the deleted items when the user deletes grid, DNS, or DHCP configuration items in the GUI for the grid member. Enabling the recycle bin allows you to undo the deletions and to restore the items on the appliance at a later time. If you do not enable the recycle bin feature, deleted items from the GUI are permanently removed from the database.
Note: Record and retain this information in a safe place. If you forget the shared secret, you need to contact Infoblox Technical Support for help. When you add an appliance to the grid, you must configure it with the same grid name, shared secret, and VPN port number that you configure on the grid master.

The setup of the single master is complete. From now on, when you make an HTTPS connection to the appliance, use its new IP address.

Adding Grid Members


You can add single appliances and HA pairs to a grid, forming single members and HA members respectively. A single grid member can be either an Infoblox appliance or a NIOS virtual appliance. NIOS virtual appliances do not support configuration as an HA pair, a grid master, or a grid master candidate. You can also define an HA member on the grid master and then add two individual appliances to the grid as Node 1 and Node 2 to complete the HA member you defined on the master. The process for adding either a single appliance or HA pair to a grid involves the following steps:
1. Configuring the member on the grid master. In addition to defining the network and appliance settings for a member, you can also configure service settings before you join the appliance or HA pair to the grid.
2. Defining the VIP or IP address of the grid master, the grid name, and the shared secret on the single appliance or HA pair.
3. Joining the appliance or HA pair to the grid. If an appliance or HA pair cannot join the grid because of MTU (maximum transmission unit) limitations on its network link, you can reduce the MTU that the master uses when communicating with it. See Setting the MTU for VPN Tunnels on page 337.

Note: New members inherit all settings that you create at the grid level unless you override them at the member level. If you want to preserve some or all of the configuration and data on an appliance or HA pair after you join it to a grid, you can use the merge function. For information about merging data from an appliance or HA pair to a grid, see Backing Up and Restoring a Configuration File on page 251.

Adding a Single Member


The basic steps necessary to add a single member are as follows:
1. Define the network settings of the LAN port of the single appliance on the grid master.
2. Define the VIP or IP address of the grid master, the grid name, and the shared secret on the single appliance.
3. Initiate the join grid operation.
In addition, you can configure on the grid master the service settings such as DNS zones and records, DHCP networks and address ranges, and so on for a member before or after you join the appliance to the grid. The basic steps for adding a single member are presented below. For information on how to configure a NIOS virtual appliance as a grid member, refer to the Quick Start Guide for Installing NIOS Software on Riverbed Services Platforms and the Quick Start Guide for Installing NIOS Software on Cisco Application eXtension Platforms.

Configuring the Single Member on the Grid Master


1. Log in to the grid master as a superuser.
2. From the Grid perspective, click id_grid -> Edit -> Add Grid Member.
3. In the Add Grid Member editor, click Node Properties, and then enter the following:
   Host Name: Type the FQDN (fully qualified domain name) of the appliance.
   (V)IP Address: Type the IP address of the LAN or LAN1 port.
   Subnet Mask: Choose the netmask for the subnet to which the LAN or LAN1 port connects.
   Gateway: Type the IP address of the default gateway of the subnet to which the LAN or LAN1 port connects.
   Comment: Type a comment that provides some useful information about the appliance, such as its location.
4. Click the Save icon to add the single member to the grid.


Joining an Appliance to a Grid


1. Log in to the appliance that you want to add to the grid. The appliance must be online and able to reach the grid master.
2. From the Grid perspective, click + (for id_grid) -> + (for Members) -> hostname -> Edit -> Join Grid.
3. In the Join Grid dialog box, enter the following:
   Virtual IP of Grid Master: Type the VIP address of the HA grid master or the LAN address of the single grid master for the grid to which you want to add the appliance.
   Grid Name: Type the name of the grid.
   Grid Shared Secret: Type the shared secret of the grid.
   Retype Grid Shared Secret: To ensure accuracy, retype the shared secret.
   Use MGMT port to join grid: If you have already enabled the MGMT port (see Grid Communications on page 156), this option becomes available. Select it to connect to the grid through the MGMT port.
4. Click OK to begin the join operation.
5. To confirm that the appliance has successfully joined the grid, log in to the grid master and from the Grid perspective, click + (for id_grid) -> + (for Members), and check the icon in the Status column (green = the appliance has joined the grid and is functioning properly; yellow = the appliance is in the process of joining the grid; red = the appliance has not joined the grid). Also, select the member, and then click View -> Detailed Status.
Note: You can also use the set network command to join an appliance to a grid.

Adding an HA Member
Note: You cannot add a NIOS virtual appliance as an HA member.

The basic steps necessary to add an HA member are as follows:
1. Define the network settings of the HA pair on the grid master.
2. Define the VIP or IP address of the grid master, the grid name, and the shared secret on the HA pair.
3. Initiate the join grid operation.
In addition, on the grid master you can configure the service settings such as DNS zones and records, DHCP networks and address ranges, and so on for a member before or after you join the HA pair to the grid. The basic steps for adding an HA member are presented below.

Note: The procedure for adding an HA pair to a grid when it uses the MGMT port of the active node for grid communications differs slightly from that described below. See Grid Communications on page 156.

Configuring the HA Member on the Grid Master


1. Log in to the grid master as a superuser.
2. From the Grid perspective, click id_grid -> Edit -> Add Grid Member.
3. In the Add Grid Member editor, click Node Properties, and then enter the following:
   Host Name: Type the FQDN (fully qualified domain name) for the HA member.
   (V)IP Address: Type the VIP (virtual IP) address for the HA member.
   Subnet Mask: Choose the netmask for the subnet to which the VIP address connects.
   Gateway: Type the IP address of the default gateway of the subnet to which the VIP address connects.
   Comment: Type a comment that provides some useful information about the HA member, such as its location.
   HA Pair: (select)


   Virtual Router ID: Enter a unique VRID number (from 1 to 255) for the local subnet.
   Master Candidate: Select the check box if you want to be able to promote the HA member to that of grid master (see Promoting a Master Candidate on page 338). Clear the check box if you want the HA member to be a regular member (that is, a member that is not and cannot be a grid master). If you want the HA member to use the MGMT port of its active node for grid communications, it cannot be a master or master candidate.
   Note: The VIP address and the IP addresses for all the following ports must be in the same subnet.
   Node #1:
      LAN Address: Enter an IP address for the LAN (or LAN1) port of Node 1.
      HA Address: Enter an IP address for the HA port of Node 1.
   Node #2:
      LAN Address: Enter an IP address for the LAN (or LAN1) port of Node 2.
      HA Address: Enter an IP address for the HA port of Node 2.
4. Click the Save icon to add the HA member to the grid.

Joining an HA Pair to a Grid


1. Log in to the HA pair that you want to add to the grid. The HA pair must be online and able to reach the grid master.
2. From the Grid perspective, click + (for id_grid) -> + (for Members) -> hostname -> Edit -> Join Grid.
3. In the Join Grid dialog box, enter the following:
   Virtual IP of Grid Master: Type the VIP address of the HA grid master or the LAN address of the single grid master for the grid to which you want to add the HA pair.
   Grid Name: Type the name of the grid.
   Grid Shared Secret: Type the shared secret of the grid.
   Retype Grid Shared Secret: To ensure accuracy, retype the shared secret.
   Use MGMT port to join grid: If you have already enabled the MGMT port (see Grid Communications on page 156), this option becomes available. Select it to connect to the grid through the MGMT port of the active node of the HA pair.
4. Click OK to begin the join operation.
5. To confirm that the HA pair has successfully joined the grid, log in to the grid master and from the Grid perspective, click + (for id_grid) -> + (for Members), and check the icon in the Status column:
   green = the HA pair has joined the grid and is functioning properly
   yellow = the HA pair is in the process of joining the grid
   red = the HA pair has not joined the grid
   Also, select the member, and then click View -> Detailed Status.


Configuration Example: Configuring a Grid


In this example, you configure seven NIOS appliances in a grid serving internal DHCP and DNS for an enterprise with the domain name corp100.com. There are four sites: HQ and three branch offices. A hub-and-spoke VPN tunnel system connects the sites, with HQ at the hub. The distribution and roles of the NIOS appliances at the four sites are as follows:
   HQ site (four appliances in two HA pairs):
      HA grid master: hidden primary DNS server
      HA member: secondary DNS server and DHCP server for HQ
   Site 1 (two appliances in an HA pair):
      HA member: secondary DNS server and DHCP server for Site 1
   Site 2 (one appliance):
      single member: secondary DNS server and DHCP server for Site 2

Note: When adding an Infoblox appliance to an existing grid, you must first check whether the grid is running the minimum required software release of the appliance. For information, refer to the document, Minimum Required Release Software for Hardware Platforms, that was shipped with your product.

To create a grid, you first create a grid master and then add members. The process involves these three steps:
1. Configuring two appliances at HQ as the grid master. See Create the Grid Master on page 322.
2. Logging in to the grid master and defining the members that you want to add to the grid; that is, you configure grid member settings on the grid master in anticipation of later joining those appliances to the grid. See Define Members on the Grid Master on page 324.
3. Logging in to the individual appliances and configuring them so that they can reach the grid master over the network and join the grid. See Join Appliances to the Grid on page 325.

After creating the grid and adding members, you use the Data Import Wizard to import DHCP and DNS data from legacy servers. See Import DHCP Data on page 327 and Import DNS Data on page 328. Finally, you transition DHCP and DNS service from the legacy servers to the Infoblox grid members. See Enable DHCP and Switch Service to the Grid on page 332.


Figure 9.13 Network Diagram (text summary of the diagram)

HQ Site
   Zone: corp100.com; Network: 10.0.1.0/24; Address Range: 10.0.1.50 - 10.0.1.200
   Zone: lab.corp100.com; Network: 10.0.15.0/24; Address Range: 10.0.15.50 - 10.0.15.200
   Grid Master ns1.corp100.com; VIP: 10.0.1.10; VRID: 143; Hidden Primary DNS Server
   HA Grid Member ns2.corp100.com; VIP: 10.0.2.10; VRID: 210; Secondary DNS Server; DHCP Server
   Legacy Hidden Primary DNS Server ns1.corp100.com; 10.0.1.5
   Legacy Secondary DNS Server ns2.corp100.com; 10.0.2.5 and DHCP server 10.0.2.20
   NTP Server 3.3.3.3 (all Infoblox appliances are in the Pacific time zone)
   Firewalls and VPN tunnels across the Internet connect HQ to the branch offices

Branch Office: Site 1
   Zone: site1.corp100.com; Network: 10.1.1.0/24; Address Range: 10.1.1.50 - 10.1.1.200
   HA Grid Member ns3.site1.corp100.com; VIP: 10.1.1.10; VRID: 111; Secondary DNS Server; DHCP Server
   Legacy Secondary DNS Server ns3.site1.corp100.com; 10.1.1.5 and DHCP server 10.1.1.20

Branch Office: Site 2
   Zone: site2.corp100.com; Network: 10.2.1.0/24; Address Range: 10.2.1.50 - 10.1.1.200
   Single Grid Member ns4.site2.corp100.com; LAN: 10.2.1.10; Secondary DNS Server; DHCP Server
   Legacy Secondary DNS Server ns4.site2.corp100.com; 10.2.1.5 and DHCP server 10.2.1.20

Cable All Appliances to the Network and Turn On Power


Cable the NIOS appliances to network switches. After cabling each appliance to a switch and connecting it to a power source, turn on the power. For information about installing and cabling the appliance, refer to the user guide or installation guide that ships with the product.
1. At HQ and Site 1, connect ethernet cables from the LAN1 and HA ports on the appliances in each HA pair to a switch, connect the appliances to power sources, and turn on the power for each appliance.
   Note: When connecting the nodes of an HA pair to a power source, connect each node to a different power source if possible. If one power source fails, the other might still be operative.


2. At Site 2, connect an ethernet cable from the LAN1 port on the single appliance to a switch, connect the appliance to a power source, and turn on the power for that appliance.

Create the Grid Master


Configure two appliances at HQ to be the two nodes that make up the HA pair forming the grid master.

Grid Master Node 1


1. By using the LCD or by making a console connection to the appliance that you want to make Node 1 of the HA pair for the grid master, change the default network settings of its LAN1 port to the following:
   IP Address: 10.0.1.6
   Netmask: 255.255.255.0
   Gateway: 10.0.1.1
2. Connect your management system to the HQ network, open a browser window, and connect to https://10.0.1.6.
3. Log in using the default user name and password admin and infoblox. The Infoblox Appliance Startup Wizard opens.
4. Enter the following to set up Node 1 of the HA pair:
   Wizard Screen         Enter
   Deployment type       Grid master/member
   License validation    Check that a Grid license is installed.
   Grid type             Grid master
   HA node type          First HA node
   Grid information      Grid Name: corp100
                         Shared Secret: Mg1kW17d
   Node information      Virtual IP: 10.0.1.10
                         Subnet Mask: 255.255.255.0
                         Gateway: 10.0.1.1
                         Host Name: ns1.corp100.com
                         Node 1:
                            LAN1 Address: 10.0.1.6
                            HA Address: 10.0.1.7
                         Node 2:
                            LAN1 Address: 10.0.1.8
                            HA Address: 10.0.1.9
                         Virtual Router ID: 143
   Default password      New admin password: 1n85w2IF
   Time settings         Enable NTP: Select check box.
                         IP address: 3.3.3.3
                         Time zone: (UTC-8:00) Pacific Time (US and Canada), Tijuana

When you click Finish, the Infoblox GUI application restarts. Close the browser window, leaving the JWS (Java Web Start) login window open.

Grid Master Node 2


1. By using the LCD or by making a console connection to the appliance that you want to make Node 2 of the HA pair for the grid master, change the default network settings of its LAN1 port to the following:
   IP Address: 10.0.1.8
   Netmask: 255.255.255.0
   Gateway: 10.0.1.1
2. In the JWS login window, type 10.0.1.8 in the Hostname field.
3. Log in using the default user name and password admin and infoblox.
4. When the Infoblox Appliance Startup Wizard opens, enter the following to set up Node 2 of the HA pair:
   Wizard Screen         Enter
   Deployment type       Grid master/member
   License validation    Check that a Grid license is installed.
   Grid node type        Grid master
   HA node type          Second HA node
   Node information      IP Address: 10.0.1.8
                         Subnet Mask: 255.255.255.0
                         Gateway: 10.0.1.1
   Node provisioning     Master's Virtual IP: 10.0.1.10
                         Grid Name: corp100
                         Shared Secret: Mg1kW17d

5. Confirm the configuration, and then on the last screen of the wizard, click Finish. The HTTPS session terminates, but the JWS login window remains open.
6. In the JWS login window, type 10.0.1.10 (the VIP address for the grid master) in the Hostname field.
7. Log in using the default user name admin and the password 1n85w2IF.
8. To check the status of the two nodes forming the grid master, from the Grid perspective, click + (for corp100) -> + (for Members) -> 10.0.1.10. Check that the status indicators are all green in the Detailed Status panel.

During the joining process, an appliance passes through the following four phases:
1. Offline: the state when a grid member (in this case, the second node of the HA pair composing the grid master) is not in contact with the active node of the master
2. Connecting: the state when an appliance matching a member configuration contacts the master to join the grid and negotiates secure communications and grid membership
3. Synchronizing: the master transmits its entire database to the member
4. Running: the state when a member is in contact with the master and is functioning properly

Note: Depending on the network connection speed and the amount of data that the master needs to synchronize with the member, the process can take from several seconds to several minutes to complete.


Define Members on the Grid Master


Before logging in to and configuring the individual appliances that you want to add to the grid, define them first on the grid master.

HQ Site HA Member
1. On the grid master, open the Grid perspective, and then click corp100 -> Edit -> Add Grid Member.
2. In the Add Grid Member editor, click Node Properties, and then enter the following:
   Host Name: ns2.corp100.com
   (V)IP Address: 10.0.2.10
   Subnet Mask: /24 (255.255.255.0)
   Gateway: 10.0.2.1
   Comment: HQ Site - ns2.corp100.com
   HA Pair: Select check box.
   Virtual Router ID: 210
   Node 1:
      LAN Address: 10.0.2.6
      HA Address: 10.0.2.7
   Node 2:
      LAN Address: 10.0.2.8
      HA Address: 10.0.2.9
3. Click the Save icon.

Site 1 HA Member
1. On the grid master, open the Grid perspective, and then click corp100 -> Edit -> Add Grid Member.
2. In the Add Grid Member editor, click Node Properties, and then enter the following:
   Host Name: ns3.site1.corp100.com
   (V)IP Address: 10.1.1.10
   Subnet Mask: 255.255.255.0
   Gateway: 10.1.1.1
   Comment: Site 1 - ns3.site1.corp100.com
   HA Pair: Select check box.
   Virtual Router ID: 111
   Node 1:
      LAN Address: 10.1.1.6
      HA Address: 10.1.1.7
   Node 2:
      LAN Address: 10.1.1.8
      HA Address: 10.1.1.9
3. Click the Save icon.


Site 2 Single Member


1. On the grid master, open the Grid perspective, and then click corp100 -> Edit -> Add Grid Member.
2. In the Add Grid Member editor, click Node Properties, and then enter the following:
   Host Name: ns4.site2.corp100.com
   (V)IP Address: 10.2.1.10
   Subnet Mask: 255.255.255.0
   Gateway: 10.2.1.1
   Comment: Site 2 - ns4.site2.corp100.com
3. Click the Save icon.
4. Log out from the grid master by clicking File -> Logout.

Join Appliances to the Grid


To complete the process of adding appliances to the grid, log in to and configure each individual appliance so that it can contact the grid master.

HQ Site HA Grid Member (Node 1)


Make a console connection to the appliance that you want to make Node 1 in the HA pair, and enter the following:

   Infoblox > set network
   NOTICE: All HA configuration is performed from the GUI. This interface is used only to configure a standalone node or to join a grid.
   Enter IP address: 10.0.2.6
   Enter netmask [Default: 255.255.255.0]:
   Enter gateway address [Default: 10.0.2.1]:
   Become grid member? (y or n): y
   Enter Grid Master VIP: 10.0.1.10
   Enter Grid Name: corp100
   Enter Grid Shared Secret: Mg1kW17d
   New Network Settings:
      IP address: 10.0.2.6
      Netmask: 255.255.255.0
      Gateway address: 10.0.2.1
   Join grid as member with attributes:
      Grid Master VIP: 10.0.1.10
      Grid Name: corp100
      Grid Shared Secret: Mg1kW17d
   WARNING: Joining a grid will replace all the data on this node!
   Is this correct? (y or n): y
   Are you sure? (y or n): y

The Infoblox application restarts. After restarting, the appliance contacts the grid master and joins the grid as Node 1.


HQ Site HA Member (Node 2)


Make a console connection to the appliance that you want to make Node 2 in the HA pair, and enter exactly the same data you entered for Node 1 except that the IP address is 10.0.2.8. After the application restarts, the appliance contacts the grid master and joins the grid as Node 2, completing the HA member configuration for the HQ site.

Site 1 HA Grid Member (Node 1)


Make a console connection to the appliance that you want to make Node 1 in the HA pair at Site 1, and use the set network command to configure its basic network and grid settings. Use the following data:
   IP Address: 10.1.1.6
   Netmask: 255.255.255.0
   Gateway: 10.1.1.1
   Grid Master VIP: 10.0.1.10
   Grid Name: corp100
   Grid shared secret: Mg1kW17d
The Infoblox application restarts. After restarting, the appliance contacts the grid master and joins the grid as Node 1.

Site 1 HA Grid Member (Node 2)


Make a console connection to the appliance that you want to make Node 2 in the HA pair at Site 1, and enter exactly the same data you entered for Node 1 except that the IP address is 10.1.1.8. After the application restarts, the appliance contacts the grid master and joins the grid as Node 2, completing the HA member configuration for Site 1.

Site 2 Single Grid Member


Make a console connection to the single appliance at Site 2, and use the set network command to configure its basic network and grid settings. Use the following data:
   IP Address: 10.2.1.10
   Netmask: 255.255.255.0
   Gateway: 10.2.1.1
   Grid Master VIP: 10.0.1.10
   Grid name: corp100
   Grid shared secret: Mg1kW17d
The Infoblox application restarts. After restarting, the appliance contacts the grid master and joins the grid.

To check the status of all the grid members, log in to the grid master at 10.0.1.10, and from the Grid perspective, click + (for corp100) -> + (for Members) -> 10.0.1.10. Check that the status indicators are all green in the Detailed Status panel. As an appliance joins a grid, it passes through the following phases: Offline, Connecting, (Downloading Release from Master), Synchronizing, and Running.

Note: Depending on the network connection speed and the amount of data that the master needs to synchronize with the member, the process of joining a grid can take from several seconds to several minutes to complete.

The grid setup is complete.


Import DHCP Data


The Data Import Wizard is a software tool that you can download from the Infoblox Support site to your management system. With it, you can import data from legacy DHCP and DNS servers to NIOS appliances. In this example, you use it to import both DHCP and DNS data to the grid master at 10.0.1.10, which then uses the database replication mechanism to send the imported data to other grid members. In the wizard, you also specify which grid members serve the imported data. The wizard supports various types of DHCP formats, such as the following:
   ISC DHCP
   Lucent VitalQIP
   Microsoft
   Nortel NetID
   CSV (comma-separated values); you can also import IPAM data in CSV format

In this example, all the DHCP data is in standard ISC DHCP format.

Note: Before using the Data Import Wizard, you must make an initial connection to the Infoblox GUI using JWS (Java Web Start), which downloads to your management system the Java application files that you need to run the wizard. Because you used JWS in Create the Grid Master on page 322, you already have the necessary files installed.

Importing DHCP Data for HQ and Site 2


1. Save the DHCP configuration file from your legacy DHCP server at 10.0.2.20 to a local directory.
2. Visit www.infoblox.com/support, log in with your support account, and download the Data Import Wizard. The Data Import Wizard application downloads to a container within a Java sandbox on your management system and immediately launches, displaying the Welcome page.
3. After reading the information in the left panel, click Next.
4. Select Import to Infoblox Appliance, enter the following, and then click Next:
   Hostname or IP address: 10.0.1.10
   Username: admin
   Password: 1n85w2IF
5. Select the following, and then click Next:
   What kind of data would you like to import? DHCP/IPAM
   Which legacy system are you importing from? ISC DHCP
   Which appliance will be serving this data? 10.0.2.10
6. Type the path and file name of the DHCP configuration file saved from the legacy server, and then click Next.
   or
   Click Browse, navigate to the file, select it, click Open, and then click Next.
7. In the Global DHCP Configuration table, double-click the Value cell for the domain-name-servers row, and change the IP addresses to 10.0.2.10.
8. When satisfied with the data, click Import. You can view the status of the importation process and a summary report in the Data Import Wizard Log.
9. To enable DDNS updates, log in to the grid master, open the DHCP and IPAM perspective and click DHCP Members -> corp100 -> Edit -> Grid DHCP Properties.
10. In the Grid DHCP Properties editor, click DNS Updates.
11. Select Enable dynamic DNS updates, and then click OK.
12. Click the Save and Restart Services icons.
13. To check the imported DHCP configuration file, click DHCP Members -> + (for corp100) -> 10.0.2.10 -> View -> DHCP Configuration.
14. In the DHCP configuration file, check that all the imported subnets are present, and navigate to the beginning of the file and check that you see the ddns-updates on statement. (If you see ddns-updates off, enable DDNS updates for the grid as explained in steps 9-12.)

Importing DHCP Data for Site 1


1. Repeat the steps in Importing DHCP Data for HQ and Site 2, saving the DHCP configuration file from your legacy DHCP server at 10.1.1.20, and importing it to the grid master at 10.0.1.10 for the member with IP address 10.1.1.10 to serve.
2. Check the imported DHCP configuration file by logging in to the grid master and, from the DHCP and IPAM perspective, clicking DHCP Members -> + (for corp100) -> 10.1.1.10 -> View -> DHCP Configuration.

Importing DHCP Data for Site 3


1. Repeat the steps in Importing DHCP Data for HQ and Site 2, saving the DHCP configuration file from your legacy DHCP server at 10.1.1.20, and importing it to the grid master at 10.0.1.10 for the member with IP address 10.3.1.10 to serve.
2. After the importation process completes, check the imported DHCP configuration file by logging in to the grid master and, from the DHCP and IPAM perspective, clicking DHCP Members -> + (for corp100) -> 10.3.1.10 -> View -> DHCP Configuration.

Import DNS Data


Using the Infoblox Data Import Wizard, import DNS data from the legacy hidden primary server at 10.0.1.5 to the new hidden primary server at 10.0.1.10 (the grid master). There are three phases to this task:

Before Using the Wizard on page 328:
   Save the named.conf file from the legacy server to a file in a local directory on your management system.
   Enable the legacy server to perform zone transfers to the NIOS appliance.
   Configure three name server groups for the grid, and allow the grid master/hidden primary DNS server at 10.0.1.10 to receive DDNS updates from the grid members at 10.0.2.10, 10.1.1.10, and 10.3.1.10. These members act as secondary DNS servers and DHCP servers.
Using the Wizard on page 329:
   Define the source, destination, and type of DNS data in the DNS configuration file (named.conf) that you want to import.
After Using the Wizard on page 331:
   Check the imported DNS configuration file.

In this example, all the DNS data is in BIND 9 format. The Data Import Wizard supports various types of DNS formats, such as the following:
   BIND 4, 8, and 9
   Microsoft
   Lucent VitalQIP
   Nortel NetID

Before Using the Wizard


You must set up the legacy server and grid master before using the Data Import Wizard.

Legacy Server
1. Log in to the legacy name server at 10.0.1.5 and save the named.conf file, which contains all the DNS settings that you want to import into the Infoblox name server, to a local directory on your management system.
2. On the legacy server, enable zone transfers to the NIOS appliance.


Infoblox Grid Master DDNS Updates


1. Log in to the grid master at 10.0.1.10, open the DNS perspective and click DNS Members -> + (for corp100) -> 10.0.1.10 -> Edit -> Member DNS Properties.
2. In the Member DNS Properties editor, click Updates and enter the following:
   Override grid update settings: Select check box.
   Allow dynamic updates from: Click Add.
3. In the Dynamic Updater Item dialog box, enter the following, and then click OK:
   IP Address Option: Select this option, and enter 10.0.2.10 in the adjacent field.
   Permission: Allow
4. Click the Save icon.
5. Repeat steps 2 to 4 to add 10.1.1.10 and 10.2.1.10 as IP addresses from which you allow DDNS updates.

Note: When all DNS servers are members in the same grid, the members use database replication to synchronize all their data, including DNS zone data. You can change the default behavior so that grid members use zone transfers instead. In this example, grid members use database replication.

Infoblox Grid Master Name Server Groups


1. From the DNS perspective, click DNS Members -> corp100 -> Edit -> Grid DNS Properties.
2. In the Grid DNS Properties editor, click Name Server Groups -> Add, to open the Grid Name Server Group dialog box.
3. Enter the following:
   Name Server Group Name: HQ-Group
   Grid Primary: ns1.corp100.com; Stealth: Select check box.
   Grid Secondaries: Click Add -> Select Member, select ns2.corp100.com in the Select Grid Member dialog box, and then click OK. Select Grid replication (recommended), and then click OK to close the Name Server Group Member Secondary dialog box and return to the Grid Name Server Group dialog box.
4. Click OK to close the Grid Name Server Group dialog box.
5. Repeat steps 2 to 4 to create another group. Name it Site1-Group, and use ns1.corp100.com as the hidden primary server, ns3.site1.corp100.com as a secondary server, and grid replication for zone updates.
6. Repeat steps 2 to 4 to create another group. Name it Site2-Group, and use ns1.corp100.com as the hidden primary server, ns4.site2.corp100.com as a secondary server, and grid replication for zone updates.
7. Click the Save and Restart Services icons.

Using the Wizard


While progressing through the Data Import Wizard, you must define the source, destination, and type of DNS data that you want to import. You then make some simple modifications to the data and import it.

Defining the Source, Destination, and Type of DNS Data


1. Launch the Data Import Wizard.
2. After reading the information in the left panel of the welcome page, click Next.
3. Select Import to Infoblox Appliance, enter the following, and then click Next:
   Hostname or IP address: 10.0.1.10
   Username: admin
   Password: 1n85w2IF
   The Data Import Wizard Log opens in a separate window behind the wizard. Leave it open while you continue.

4. Select the following, and then click Next:
   What kind of data would you like to import? DNS
   Which legacy system are you importing from? BIND 9
   Which appliance will be serving this data? 10.0.1.10
5. Select the following, and then click Next:
   What BIND 9 DNS configuration file would you like to use? Click Browse, navigate to the named.conf file you saved from the legacy server, select it, and then click Open.
   What type of BIND 9 DNS data do you want to import? DNS zone information and DNS record data
   Where is the BIND 9 DNS record data? Zone transfer(s) from a DNS server; 10.0.1.5
   The wizard displays two tables of data. The upper table contains global DNS server configuration parameters. The lower table contains zone configurations. The Data Import Wizard Log presents a summary listing the number of views, zones, and DNS records in the configuration file.

Modifying DNS Data


While importing data from the legacy DNS server, you cancel the importation of global configuration settings, and apply the name server groups you created in Before Using the Wizard on page 328 to the zones you want to import.
1. In the Global DNS Configuration table, select all rows by clicking the top row and then SHIFT+clicking the bottom row.
2. Right-click the selected rows to display the Set Import Options dialog box, select Do not import, and then click Apply.
3. In the DNS Zones table, clear the Import check box for the default view.
4. Select corp100.com, lab.corp100.com and all the corresponding reverse-mapping zones.
   Tip: You can use SHIFT+click to select multiple contiguous rows and CTRL+click to select multiple noncontiguous rows.
5. Right-click the selected rows, and then select Set Import Options.
6. In the Set Import Options dialog box, enter the following, and then click Apply:
   Set Zone Type: No change
   Set Import Option: No change
   Set View: default
   Set Member: HQ-Group master
7. Select site1.corp100.com and all the reverse-mapping zones with 1 in the second octet in the zone name (1.1.10.in-addr.arpa, 2.1.10.in-addr.arpa, 3.1.10.in-addr.arpa, and so on).
8. Right-click the selected rows, and select Set Import Options.
9. In the Set Import Options dialog box, make the same selections as in Step 6, but choose Site1-Group master from the Set Member drop-down list.
10. Similarly, select site2.corp100.com and all the reverse-mapping zones with 2 in the second octet in the zone name.
11. Right-click the selected rows, and select Set Import Options.
12. In the Set Import Options dialog box, make the same selections as in Step 6, but choose Site2-Group master from the Set Member drop-down list.


Importing DNS Data


1. Click Import. The wizard imports the global DNS parameters and zone-specific configuration settings from the named.conf file and performs a zone transfer of the data from the legacy server.
2. Use the Data Import Wizard Log to monitor progress and review results afterward. The log lists all the zones that the wizard imports and concludes with a total of all the successfully and unsuccessfully imported zones.
   Note: If the wizard is unable to import a zone, an error message with an explanation appears in the log.
3. To close the Data Import Wizard, click Exit. This closes the Data Import Wizard Log as well.

After Using the Wizard


After you import data, you must restart services on the grid master and delete the A records for the legacy servers from the corp100.com zone. You can also confirm that the imported data is correct and complete by checking the DNS configuration and the forward- and reverse-mapping zones.
1. Log in to the grid master (10.0.1.10), and then click the Restart Services icon.
   Note: When importing data through the wizard rather than entering it through the GUI, the Restart Services icon does not change to indicate that you must restart service for the appliance to apply the new data. Still, restarting service on the grid master is necessary for the imported configuration and data to take effect.
2. To remove A records for the legacy servers, from the DNS perspective, click DNS Views -> + (for DNS Views) -> + (for default) -> + (for Forward Mapping Zones) -> corp100.com.
3. CTRL+click the following A records in the corp100.com zone, and then click Edit -> Remove Multiple:
   ns1 (for 10.0.1.5)
   ns2 (for 10.0.2.5)
   ns3.site1.corp100 (for 10.1.1.5)
   ns4.site3.corp100 (for 10.2.1.5)
4. Remove the respective A records for legacy servers from the site1.corp100 and site3.corp100 subzones.
5. To check the imported DNS configuration file, from the DNS perspective, click DNS Members -> + (for corp100) -> 10.0.1.10 -> View -> DNS Configuration.
   Note: If you do not see the imported DNS configuration file, make sure you enabled DNS and restarted services.
6. Scroll through the DNS configuration log to check that each imported zone has an allow-update statement like the following one for the 10.1.10.in-addr.arpa reverse-mapping zone:

   zone "10.1.10.in-addr.arpa" in {
       allow-update {
           key DHCP_UPDATER;
           10.0.2.10;
           10.1.1.10;
           10.2.1.10;
       };
   };
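Scrolling through the generated configuration by eye is error-prone once there are many zones. The following Python is an added example, not Infoblox code, that reads the zone statements as displayed under View -> DNS Configuration and reports every zone whose allow-update ACL is absent, is wide open (any), or names an updater other than the grid's DHCP members. The configuration text it parses is a constructed sample in the style of the statement above; the appliance's actual output may contain other statements that this parser simply ignores.

```python
# Added example, not Infoblox code: parse the zone statements shown under
# View -> DNS Configuration and flag zones whose allow-update ACL is missing,
# wide open, or lists updaters other than the grid's DHCP members.
import re

# Zone statement as the appliance prints it: zone "name" in {   ("in" optional)
ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"\s+(?:in\s+)?\{', re.IGNORECASE)
ALLOW_UPDATE_RE = re.compile(r'\ballow-update\s*\{', re.IGNORECASE)

# Constructed sample in the style of the statement above; only the first zone
# is configured the way the procedure expects.
SAMPLE_CONFIG = """
view "default" {
    zone "10.1.10.in-addr.arpa" in {
        type master;
        allow-update { key DHCP_UPDATER; 10.0.2.10; 10.1.1.10; 10.2.1.10; };
    };
    zone "site1.corp100.com" in {
        type master;
        allow-update { any; };
    };
    zone "corp100.com" in {
        type master;
        allow-update { key DHCP_UPDATER; 10.0.2.10; 10.1.1.10; 192.0.2.99; };
    };
    zone "lab.corp100.com" in {
        type master;
    };
};
"""

# The three DHCP members from this chapter's configuration example.
EXPECTED_UPDATERS = ("10.0.2.10", "10.1.1.10", "10.2.1.10")


def _block_body(text, open_brace):
    """Return the text between text[open_brace] == '{' and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in configuration")


def parse_allow_update(config):
    """Map zone name -> list of allow-update entries, or None when absent."""
    zones = {}
    for m in ZONE_RE.finditer(config):
        body = _block_body(config, m.end() - 1)
        acl = ALLOW_UPDATE_RE.search(body)
        if acl is None:
            zones[m.group(1)] = None
            continue
        acl_body = _block_body(body, acl.end() - 1)
        zones[m.group(1)] = [e.strip() for e in acl_body.split(";") if e.strip()]
    return zones


def audit_allow_update(config, expected_updaters):
    """Return {zone: problem} for every zone that fails the check."""
    expected = set(expected_updaters)
    findings = {}
    for zone, entries in parse_allow_update(config).items():
        if entries is None:
            findings[zone] = "no allow-update statement; DDNS updates from the DHCP members will be refused"
            continue
        addrs = set()
        for entry in entries:
            if entry.lower() == "any":
                findings[zone] = "allow-update { any; } lets any host rewrite the zone"
                break
            if entry.lower().startswith("key "):
                continue  # TSIG key entry (key DHCP_UPDATER) is expected
            addrs.add(entry)
        else:
            unexpected, missing = addrs - expected, expected - addrs
            if unexpected or missing:
                findings[zone] = f"unexpected updaters {sorted(unexpected)}, missing {sorted(missing)}"
    return findings


if __name__ == "__main__":
    for zone, problem in audit_allow_update(SAMPLE_CONFIG, EXPECTED_UPDATERS).items():
        print(f"{zone}: {problem}")
```

Paste the displayed configuration into SAMPLE_CONFIG (or read it from a file) and set EXPECTED_UPDATERS to the members you allowed under Infoblox Grid Master DDNS Updates; a clean run prints nothing.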


Enable DHCP and Switch Service to the Grid


Finally, you must enable DHCP service on the three grid members at 10.0.2.10, 10.1.1.10, and 10.2.1.10, and switch DNS and DHCP service from the legacy DNS and DHCP servers to them.
1. Log in to the grid master (10.0.1.10), from the DHCP and IPAM perspective, click DHCP Members -> + (for corp100) -> 10.0.2.10 -> Edit -> Member DHCP Properties -> General Properties, select Enable DHCP Server, and then click the Save icon.
2. Click 10.1.1.10 -> Edit -> Member DHCP Properties -> General Properties, select Enable DHCP Server, and then click the Save icon.
3. Click 10.3.1.10 -> Edit -> Member DHCP Properties -> General Properties, select Enable DHCP Server, and then click the Save and Restart Services icons.
   Note: DNS service is enabled by default. To confirm that it is enabled, from the DNS perspective, click DNS Members -> + (for corp100) -> 10.0.2.10 -> Edit -> Member DNS Properties -> General Properties, and make sure the Enable DNS Server check box is selected.
   The grid members are ready to serve DHCP and DNS, and send DDNS updates.
4. Take the legacy DHCP and DNS servers offline.


Enabling IPv6 On a Grid Member


You can configure NIOS appliances to provide DNS services over IPv4 (Internet Protocol version 4) and IPv6 (Internet Protocol version 6) networks. You can configure the grid member as a dual-mode name server, capable of serving DNS data in response to both IPv4 and IPv6 queries. An IPv4 query returns an IPv4 response, while an IPv6 query returns an IPv6 response. Configuring a grid containing an IPv4 primary server and IPv6 secondary servers is not supported. You must enable IPv6 on both the primary and secondary servers within the grid to enable them to communicate with each other. Infoblox highly recommends that you enable IPv6 on your grid appliances before configuring IPv6 secondaries, forwarders, delegations, and subnets. The NIOS appliance supports one IPv6 address on the grid member. Infoblox integrates IPv6 address management into many of the same places where IPv4 addresses are entered. Data validation occurs on all IP address fields and automatic validation is done to ensure proper entry of either an IPv4 address or an IPv6 address. This section includes the following topics:
   About IPv6 Addresses on page 333
   Configuring IPv6 on a Grid Member on page 334

Note: IPv6 is not supported on Cisco virtual grid members.

About IPv6 Addresses


An IPv6 address is a 128-bit number in colon hexadecimal notation. It consists of eight 16-bit groups of hexadecimal digits separated by colons (example: 12ab:0000:0000:0123:4567:89ab:0000:cdef).

Figure 9.14 IPv6 Address Structure

   |<------ n bits ------>|<--- m bits --->|<------ 128-n-m bits ------>|
   | Global Routing Prefix |   Subnet ID   |        Interface ID        |
   |<--------- Network Prefix ----------->|<------ Interface ID ------>|

When you enter an IPv6 address, you can use double colons to compress a contiguous sequence of zeros. You can also omit any leading zeros in a four-hexadecimal group. For example, the complete IPv6 address 2006:0000:0000:0123:4567:89ab:0000:cdef can be shortened to 2006::123:4567:89ab:0:cdef. Note that if there are multiple noncontiguous groups of zeros, the double colon can only be used for one group to avoid ambiguity. The NIOS appliance displays an IPv6 address in its shortened form, regardless of its form when it was entered. For more information about DNS for IPv6, see RFC 3596, DNS Extensions to Support IP Version 6. For more information about DNS management options, see Managing DNS Data on page 357.
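The compression rules above (drop leading zeros in a group, use :: for one run of zero groups only) are exactly what an input validator must apply, and the same check extends to the CIDR Prefix field (0 to 128 for IPv6) and the gateway entered in Configuring IPv6 on a Grid Member. The following Python is an added example, not NIOS code; it uses only the standard library ipaddress module, and the 2001:db8 addresses are constructed documentation-prefix samples, not values from this chapter.

```python
# Added example, not NIOS code: validate the IPv6 values entered in Node
# Properties using only the standard library. The 2001:db8::/32 addresses
# below are constructed documentation-prefix samples.
import ipaddress


def canonical_address(text):
    """Return (ip_version, canonical text) for an IPv4 or IPv6 address.

    ipaddress applies the rules described above: leading zeros in a group are
    dropped and the longest run of two or more zero groups becomes '::'.
    A string with two '::' sequences (ambiguous), a stray prefix length, or
    any other malformed input raises ValueError.
    """
    addr = ipaddress.ip_address(text.strip())
    return addr.version, str(addr)


def is_valid_address(text):
    """True when the field holds exactly one well-formed IPv4 or IPv6 address."""
    try:
        canonical_address(text)
    except ValueError:
        return False
    return True


def check_ipv6_node(vip, prefix_len, gateway=None):
    """Check the IPv6 (V)IP Address, CIDR Prefix and optional Gateway fields.

    Returns a list of problems; an empty list means the values are consistent.
    """
    problems = []
    try:
        version, vip_c = canonical_address(vip)
    except ValueError as exc:
        return [f"(V)IP Address: {exc}"]
    if version != 6:
        return [f"(V)IP Address {vip_c} is IPv4; this field needs an IPv6 address"]
    # IPv6 prefix lengths run from 0 to 128 (an IPv4 mask would stop at 32).
    if not isinstance(prefix_len, int) or not 0 <= prefix_len <= 128:
        return [f"CIDR Prefix {prefix_len!r} is not in the range 0 to 128"]
    subnet = ipaddress.ip_network(f"{vip_c}/{prefix_len}", strict=False)
    if gateway is not None:
        try:
            gw_version, gw_c = canonical_address(gateway)
        except ValueError as exc:
            problems.append(f"Gateway: {exc}")
        else:
            if gw_version != 6:
                problems.append(f"Gateway {gw_c} is not an IPv6 address")
            elif ipaddress.ip_address(gw_c) not in subnet:
                problems.append(f"Gateway {gw_c} is not inside {subnet}")
    return problems


if __name__ == "__main__":
    # The chapter's own example: the long form shortens to 2006::123:4567:89ab:0:cdef
    print(canonical_address("2006:0000:0000:0123:4567:89ab:0000:cdef"))
    print(check_ipv6_node("2001:db8:0:1::10", 64, "2001:db8:0:1::1"))
    print(check_ipv6_node("2001:db8:0:1::10", 64, "2001:db8:0:2::1"))
```

The canonical form returned here is the same shortened form the appliance displays regardless of how the address was typed, which makes it a convenient key when comparing addresses exported from the grid against another inventory.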

NIOS 4.3r4

Infoblox Administrator Guide (Rev. A)

333

Deploying a Grid

Configuring IPv6 on a Grid Member


You can configure a grid member to support both IPv4 and IPv6 connections by configuring an IPv6 address on the member, in addition to the standard IPv4 address. When you enable IPv6 on a member, you can manually enter the IPv6 gateway address or enable the member to automatically acquire the address from router advertisements. Routers periodically send router advertisements that contain link-layer addresses and configuration parameters. A NIOS appliance that supports IPv6 can listen for router advertisements and obtain the default gateway IP address and link MTU (maximum transmission unit). The link MTU is the maximum packet size, in octets, that can be conveyed in one transmission unit over a link. Thus you can set parameters on a router once and automatically propagate them to all attached hosts.

To configure the member to support IPv6:

1. Log in to the grid master as a superuser.
2. From the Grid perspective, click grid -> grid_member -> Edit -> Member Properties.
3. In the Edit Grid Member editor, click Node Properties to open that section, and then enter the following:
   - Enable IPv6: Select this check box to enable IPv6 support.
   - (V)IP Address: Type the IPv6 address for the grid member on the interface. An IPv6 address is a 128-bit number in colon hexadecimal notation. It consists of eight 16-bit groups of hexadecimal digits separated by colons (example: 12ab:0000:0000:0123:4567:89ab:0000:cdef).
   - CIDR Prefix: Choose the CIDR netmask for the subnet to which the VIP address connects. CIDR is an alternative to subnet masking that organizes IP addresses into subnetworks. Also known as supernetting, CIDR allows multiple subnets to be grouped together for network routing. The prefix length can range from 0 to 128, due to the larger number of bits in the IPv6 address.
   - Obtain router configuration automatically: Select this check box to enable the appliance to acquire the IP address of the default gateway and the link MTU from router advertisements. When you select this check box, you cannot enter a gateway IP address.
   - Gateway: Type the IPv6 address of the default gateway of the subnet to which the VIP address connects.
   - Comment: Type a comment that provides some useful information about the IPv6 interface.
4. Click the Save icon.

Configuration Example: Configuring IPv6 on a Grid Member


Let us revisit the example network topology from the previous section, Configuration Example: Configuring a Grid on page 320. In the previous example, you configured seven NIOS appliances in a grid serving internal DHCP and DNS for an enterprise with the domain name corp100.com. There were four sites: HQ and three branch offices. The distribution and roles of the NIOS appliances at the four sites are as follows:

- HQ site (four appliances in two HA pairs):
  - HA grid master: hidden primary DNS server. Enable this member (node 1 and node 2) as a dual-mode member, supporting both IPv4 and IPv6 connections.
  - HA member: secondary DNS server and DHCP server for HQ.
- Site 1 (two appliances in an HA pair): HA member, secondary DNS server and DHCP server for Site 1.
- Site 2 (one appliance): single member, secondary DNS server and DHCP server for Site 2.

For this example, let us consider only the steps required to update the HA grid master as a dual-mode appliance, supporting both IPv4 and IPv6 connections.


Figure 9.15 Network Diagram for IPv6 Grid Member Example

[Figure: network diagram. The details legible in it are listed below.]

HQ Site. Zone: corp100.com. Network: 10.0.1.0/24 (IPv4). Network: 2001::/64 (IPv6).
- Grid Master ns1.corp100.com: VIP 10.0.1.10 (IPv4), Gateway 10.0.1.1; VIP 2001::10 (IPv6), Gateway 2001::1; VRID 143; Hidden Primary DNS Server.
- Legacy Hidden Primary DNS Server ns1.corp100.com; 10.0.1.5.
Zone: lab.corp100.com. Network: 10.0.15.0/24. Address Range: 10.0.15.50 - 10.0.15.200.
- HA Grid Member ns2.corp100.com: VIP 10.0.2.10; VRID 210; Secondary DNS Server, DHCP Server.
The HQ site connects to the branch offices through firewalls and a VPN tunnel over the Internet.

Branch Office: Site 1. Zone: site1.corp100.com. Network: 10.1.1.0/24. Address Range: 10.1.1.50 - 10.1.1.200.
- HA Grid Member ns3.site1.corp100.com: VIP 10.1.1.10; VRID 111; Secondary DNS Server, DHCP Server.
- Legacy Secondary DNS Server ns3.site1.corp100.com; 10.1.1.5 and DHCP server 10.1.1.20.

Branch Office: Site 2. Zone: site2.corp100.com. Network: 10.2.1.0/24. Address Range: 10.2.1.50 - 10.1.1.200.
- Single Grid Member ns4.site2.corp100.com: LAN 10.2.1.10; Secondary DNS Server, DHCP Server.
- Legacy Secondary DNS Server ns4.site2.corp100.com; 10.2.1.5 and DHCP server 10.2.1.20.

To configure the grid master to support both IPv4 and IPv6:

Node 1

1. Log in to node 1 of the grid master as a superuser.
2. From the Grid perspective, click id_grid -> ns1.corp100.com -> Edit -> Member Properties.
3. In the Edit Grid Member editor, click Node Properties to open that section, and then enter the following:
   - Enable IPv6: Select the check box to enable IPv6.
   - (V)IP Address: Type the IPv6 address 2001::10.
   - CIDR Prefix: Choose /64 as the CIDR prefix.


   - Gateway: Type the IPv6 gateway address 2001::1.
   - Comment: Type any useful comment.
4. Click the Save icon.

Node 2

1. Log in to node 2 of the grid master as a superuser.
2. From the Grid perspective, click id_grid -> ns1.corp100.com -> Edit -> Member Properties.
3. In the Edit Grid Member editor, click Node Properties to open that section, and then enter the following:
   - Enable IPv6: Select the check box to enable IPv6.
   - (V)IP Address: Type the IPv6 address 2001::11.
   - CIDR Prefix: Choose /64 as the CIDR prefix.
   - Gateway: Type the IPv6 gateway address 2001::1.
   - Comment: Type any useful comment.
4. Click the Save icon.


Managing a Grid
After you configure a grid master and add members, you might need to perform the following tasks:

- Changing Grid Properties
- Setting the MTU for VPN Tunnels
- Removing a Grid Member
- Promoting a Master Candidate on page 338
- Upgrading NIOS Software on a Grid on page 339

Changing Grid Properties


You can change a grid name, its shared secret, and the port number of the VPN tunnels that the grid uses for communications. If you make such changes after populating a grid with members, all current members will lose grid connectivity and you will have to rejoin them to the grid manually.

To modify the properties of a grid:

1. From the Grid perspective, click id_grid -> Edit -> Grid Properties.
2. In the Grid editor, click Grid Properties, and then enter the following:
   - Name: Type the name of the grid. The default name is Infoblox.
   - Shared Secret: Type a shared secret that all grid members use to authenticate themselves when joining the grid. The default shared secret is test.
   - Retype Shared Secret: Type the shared secret again to confirm its accuracy.
   - VPN Port Number: Type the port number that the grid members use when communicating with the grid master through encrypted VPN tunnels. The default port number is 1194. After changing the port number, you must reboot the single master or the active node of an HA master (which forces an HA failover). For more information, see Port Numbers for Grid Communication on page 310.
   - Enable Recycle Bin: Select the check box to enable the recycle bin feature. This option is supported only for superusers. The recycle bin stores grid, DNS, and DHCP configuration items that a user deletes in the GUI for the grid member. Enabling the recycle bin allows you to undo the deletions and to restore the items on the appliance at a later time. If you do not enable the recycle bin feature, items deleted from the GUI are permanently removed from the database.
3. Click OK to save your changes.
4. (If necessary after changing the VPN port number) From the Grid perspective, click + (for id_grid) -> + (for Members) -> master -> Edit -> Reboot.

Setting the MTU for VPN Tunnels


You can configure the VPN MTU (maximum transmission unit) for any appliance with a network link that does not support the default MTU size (1500 bytes) and that cannot join a grid because of this limitation. If an appliance on such a link attempts to establish a VPN tunnel with a grid master to join a grid, the appliance receives a PATH-MTU error, indicating that the path MTU discovery process has failed. For information about the MTU discovery process, see RFC 1191, Path MTU Discovery. To avoid this problem, you can set a VPN MTU value on the grid master for any appliance that cannot link to it using a 1500-byte MTU. When the appliance contacts the master during the key exchange handshake that occurs during the grid-joining operation, the master sends the appliance the MTU setting to use.

To set the VPN MTU for a grid member:

1. From the Grid perspective, click + (for id_grid) -> + (for Members) -> member -> Edit -> Member Properties.
2. In the Grid Member editor, click VPN, select Set VPN MTU, and then enter a value between 600 and 1500.
3. Click the Save icon to save the VPN MTU settings for this member.


Removing a Grid Member


You might want or need to remove a member from a grid, perhaps to disable it or to make it an independent appliance or an independent HA pair.

To remove a grid member:

1. Log in to the grid master as a superuser.
2. From the Grid perspective, click + (for id_grid) -> + (for Members) -> member -> Edit -> Remove member.

Promoting a Master Candidate


To be able to promote a master candidate, you must have previously designated a grid member as a master candidate before anything untoward happens to the current master. When adding or modifying a grid membe