Forum Discussion

jmanya_44531
Sep 14, 2013

Link Controller Mail domain delegation

Hello guys, I know it is the weekend but hope you could help me ASAP. I want to perform delegation to a Link Controller to handle incoming traffic which will be directed to a mail service and a web service, both deployed on a single physical server. The zone I think could be is as follows:

The delegation is quite simple I think. But there is a problem. I can send and receive mails in a load balanced way, but I cannot get access to the website. I have performed a tracert to images.example.com and the IP is resolved, but in the final line it shows mail.example.com. In other words, every time I try to tracert images.example.com, I reach mail.example.com. I am using the same IPs for inbound traffic (web & mail), but I think that is not a problem because I have different ports on each virtual server. The WideIPs are: mail.example.com & images.example.com. I think the delegation is wrong. Could you give me any advice? Is it possible to load balance incoming mail traffic?

Hope you could help me. The example above is just a test environment. I will put the F5 LC in production tonight, so please...! :(

Thanks in advance

Jorge

 

7 Replies

  • In your example above I'm missing the trailing dots behind images.example.com.

    Imho it should read:

    images.example.com.     IN  NS  lc1
    images.example.com.     IN  NS  lc2

    A delegation on your authoritative name server may look like this:

    subdomain.f5test.local. IN   NS     lc_isp1.f5test.local.
    subdomain.f5test.local. IN   NS     lc_isp2.f5test.local.
    lc_isp1.f5test.local.   IN   A      10.1.0.253
    lc_isp2.f5test.local.   IN   A      10.2.0.253
    www.f5test.local.       IN   CNAME  www.subdomain.f5test.local.

    Both specified link controller interfaces are treated as authoritative for the subdomain.

    The link controller will be able to resolve www.subdomain.f5test.local to A records associated with virtual servers on your link controller.

    To accomplish this you will need 2 virtual servers (one per ISP link) which will be assigned to the so called Wide IP on the link controller.

    The virtual servers are bound to a local pool of servers (subset of LTM feature).

  • Hello Stephan,

    Really, I appreciate your help.

    I understand the delegation you posted, but what about MX records? Can I load balance inbound SMTP traffic? In such a case, how should the delegation on the authoritative Name Server look? Maybe just leaving an IN MX 10 mail.f5test.local line in the first group of NS and having a CNAME as follows: mail IN CNAME mail.subdomain.f5test.local?

    Thanks a lot in advance for your help. Really...!

    Jorge

  • So far I have never recommended balancing incoming SMTP via link controller.

    You can use priorities for your MX records and control it that way.

    So for incoming mail you will have additional virtual servers to handle the related protocols.

    At the same time SMTP has its built-in redundancy. That's why I don't see a real need to use the link controller functionality for this task.

    One thing to take care of is to SNAT outgoing mail traffic with the IP addresses associated with your MX records. Why? In case a reverse lookup is made at the receiving mail gateway it better points to an MX record.

    To accomplish this, you will have protocol specific wildcard virtual servers for outbound traffic combined with a SNAT pool. SNAT pool members will be the virtual IP addresses for incoming mail.
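The delegation shown in the first reply and the MX/CNAME idea from the follow-up question, as an added Python example that is not from the thread and not F5 code: it applies zone-file naming rules (so a missing trailing dot is visible as the origin being appended), follows a CNAME into the delegated subdomain where the Link Controller would answer, and flags two things a practitioner checks before go-live: an NS target with no glue A record, and an MX exchange that is a CNAME (not allowed by RFC 2181 section 10.3). The zone text is constructed for this example; the f5test.local names and the 10.x.0.253 addresses come from the reply above, while the images.example.com line without a dot, the lc1 and mail names are assumptions made to show the failure modes.

```python
"""Added example, not from the thread: a tiny zone-record checker showing
why a trailing dot matters, how a CNAME hands resolution to a delegated
subdomain, and two delegation/MX mistakes worth catching before go-live."""

ORIGIN = "f5test.local."

# Constructed parent zone. The images.example.com line deliberately lacks the
# trailing dot, and the mail/MX pair is the proposal from the question above.
PARENT_ZONE = """
subdomain           IN NS    lc_isp1.f5test.local.
subdomain           IN NS    lc_isp2.f5test.local.
lc_isp1             IN A     10.1.0.253
lc_isp2             IN A     10.2.0.253
www                 IN CNAME www.subdomain.f5test.local.
images.example.com  IN NS    lc1
@                   IN MX 10 mail.f5test.local.
mail                IN CNAME mail.subdomain.f5test.local.
"""

def fqdn(name, origin=ORIGIN):
    """Zone-file naming rules: '@' is the origin, a trailing dot means absolute,
    anything else is relative and gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=ORIGIN):
    """Parse 'owner class type rdata' lines into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split(";")[0].split()
        if not parts:
            continue
        owner, rtype, rdata = fqdn(parts[0], origin), parts[2], parts[3:]
        if rtype == "MX":                       # preference, then exchange name
            records.append((owner, rtype, (int(rdata[0]), fqdn(rdata[1], origin))))
        elif rtype in ("NS", "CNAME"):          # rdata is a domain name
            records.append((owner, rtype, fqdn(rdata[0], origin)))
        else:                                   # A: rdata is an address
            records.append((owner, rtype, rdata[0]))
    return records

def lookup(records, name, rtype):
    return [r[2] for r in records if r[0] == name and r[1] == rtype]

def delegated_zone_for(records, name, origin=ORIGIN):
    """Closest enclosing name below the origin that carries NS records."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate != origin and lookup(records, candidate, "NS"):
            return candidate
    return None

def resolve(records, qname, origin=ORIGIN):
    """Follow CNAMEs inside the parent zone until an A record is found or the
    name falls into a delegated subdomain, where the delegated servers answer."""
    chain, name = [], qname
    while True:
        chain.append(name)
        zone = delegated_zone_for(records, name, origin)
        if zone:
            ns = lookup(records, zone, "NS")
            return {"chain": chain, "answer": None, "delegated_to": ns,
                    "glue": {n: lookup(records, n, "A") for n in ns}}
        addrs = lookup(records, name, "A")
        if addrs:
            return {"chain": chain, "answer": addrs, "delegated_to": [], "glue": {}}
        cnames = lookup(records, name, "CNAME")
        if not cnames or cnames[0] in chain:    # dead end or CNAME loop
            return {"chain": chain, "answer": None, "delegated_to": [], "glue": {}}
        name = cnames[0]

def delegation_problems(records, origin=ORIGIN):
    """Every in-zone NS target of a delegation needs a glue A record."""
    problems = []
    for owner, rtype, target in records:
        if rtype == "NS" and owner != origin and target.endswith("." + origin):
            if not lookup(records, target, "A"):
                problems.append(f"{owner} NS {target}: no glue A record")
    return problems

def mx_problems(records):
    """RFC 2181 10.3: an MX exchange must be a host with A records, not an alias."""
    return [f"{owner} MX {pref} {exch}: exchange is a CNAME"
            for owner, rtype, (pref, exch) in [r for r in records if r[1] == "MX"]
            if lookup(records, exch, "CNAME")]

if __name__ == "__main__":
    recs = parse_zone(PARENT_ZONE)
    print(resolve(recs, "www.f5test.local."))    # ends in the delegated subdomain
    print(resolve(recs, "images.example.com."))  # nothing: the owner got the origin appended
    for p in delegation_problems(recs) + mx_problems(recs):
        print("problem:", p)
```

Running it shows www.f5test.local. resolving via the CNAME to a name under subdomain.f5test.local., which the parent zone does not answer itself but hands to lc_isp1/lc_isp2 with their glue addresses, exactly the hand-off the reply describes. The undotted images.example.com line produces an owner of images.example.com.f5test.local. instead, so a query for images.example.com. finds nothing in this zone, and the mail CNAME is reported because the MX points at it.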
  • Hi Stephan, for the outgoing mails do we have to create the VS as Performance L4 or Forwarding? And will it be a Host or a Network VS?

  • Hi,

    it would be network virtual servers 0.0.0.0/0 on the relevant TCP ports. You can use your default gateway pool which contains the interfaces of your outbound router.

    Instead of using SNAT AutoMap please create a SNAT pool with the IP addresses of your virtual servers for inbound mail and use it with your network virtual servers. Thanks, Stephan
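The SNAT pool versus SNAT AutoMap point above, as an added Python example that is not from the thread and not F5 code: it checks a candidate outbound-mail source-address set against the MX records and their reverse (PTR) entries, which is what a receiving gateway doing a reverse lookup on the connecting address would see. All names and addresses are constructed (the f5test.local domain from the thread, addresses from the RFC 5737 documentation ranges); the stale PTR on the third MX host is an assumption added to show a pool member that passes the MX check but fails the reverse check.

```python
"""Added example, not from the thread: compare an outbound-mail SNAT pool with
the MX records and PTR data, so that a receiving gateway's reverse lookup on
the connecting address lands on an MX host. All data here is constructed."""

# Constructed DNS data for the hypothetical domain f5test.local.
MX_EXCHANGES = ["mx1.f5test.local.", "mx2.f5test.local.", "mx3.f5test.local."]
A_RECORDS = {
    "mx1.f5test.local.": "192.0.2.25",
    "mx2.f5test.local.": "198.51.100.25",
    "mx3.f5test.local.": "203.0.113.25",
    "old-mail.f5test.local.": "203.0.113.9",
}
PTR_RECORDS = {
    "192.0.2.25": "mx1.f5test.local.",
    "198.51.100.25": "mx2.f5test.local.",
    "203.0.113.25": "old-mail.f5test.local.",   # stale PTR: does not confirm mx3
    "192.0.2.254": "fw-isp1.f5test.local.",      # a self IP, not a mail address
}

# Candidate source-address choices for the 0.0.0.0/0 outbound SMTP virtual server.
SNAT_POOL_MX = ["192.0.2.25", "198.51.100.25", "203.0.113.25"]  # inbound-mail VIPs
SNAT_AUTOMAP = ["192.0.2.254"]                                   # what AutoMap would pick

def fcrdns_ok(addr, a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """Forward-confirmed reverse DNS: addr -> PTR name -> A record must give addr back."""
    name = ptr_records.get(addr)
    return name is not None and a_records.get(name) == addr

def check_snat_pool(pool, mx_exchanges=MX_EXCHANGES, a_records=A_RECORDS,
                    ptr_records=PTR_RECORDS):
    """Return one finding per pool member that a receiving gateway could not
    tie back to an MX host; an empty list means the pool is consistent."""
    mx_addrs = {a_records[h] for h in mx_exchanges if h in a_records}
    findings = []
    for addr in pool:
        if addr not in mx_addrs:
            findings.append(f"{addr}: not the address of any MX exchange")
        elif not fcrdns_ok(addr, a_records, ptr_records):
            findings.append(f"{addr}: PTR does not confirm the MX host name")
    return findings

if __name__ == "__main__":
    for label, pool in (("SNAT pool of MX addresses", SNAT_POOL_MX),
                        ("SNAT AutoMap", SNAT_AUTOMAP)):
        print(label, check_snat_pool(pool) or "OK")
```

The AutoMap case fails because the self IP is not an MX address at all, which is the reason the reply asks for an explicit SNAT pool; the third pool member shows that matching the MX address is not enough on its own if the PTR record for that address was never updated.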
  • Hi Stephan,

    Continuation to the above .... once the LC is implemented and everything is working fine, if someone does an nslookup or dig for the particular URL it gives Name as test.subdomain.application.com and Aliases as test.application.com. If I want the reply of dig or nslookup to show only test.application.com and not the CNAME test.subdomain.application.com, is it possible?

  • Hi Techgeeeg,

    the CNAME response comes from your authoritative nameserver. There we have the so called delegation, to get the Link Controller involved in the name resolution process.

    So the CNAME is required to return a hostname in a subdomain, which is handled by the Link Controller.

    Now your local resolver will send a new A-query which will be resolved by the Link Controller. The answer will contain an A-record (virtual IP address). (If you create a hostname-based WideIP, the Link Controller will automatically map the assigned virtual servers' VIPs as a resource. The automatic mapping requires the virtual IP addresses to belong to the same address range as the self IPs on VLANs associated with your internet links. Manual changes in the wideip.conf / bigip_gtm.conf and a config reload may be required.)

    That's more or less like a zone file with multiple A-records for a single hostname in BIND. The difference is in the availability checking done by the Link Controller. Typically it will return a single A-record only, depending on the selected load balancing algorithm and its availability.

    The Link Controller will return CNAME records as a fallback method only.

    I'm wondering if your question is related to the high availability of incoming mail?

    Thanks and happy holiday,

    Stephan

    PS:

    1) Due to the bank holiday my responses may be delayed.

    2) Unfortunately I don't have access to a Link Controller right now (I own just an LTM/GTM combo).