NIOS_AdminGuide_4

Infoblox Administrator Guide
NIOS 4.3 for Infoblox Core Network Services Appliances
Copyright Statements
2009, Infoblox Inc. All rights reserved. The contents of this document may not be copied or duplicated in any form, in whole or in part, without the prior written permission of Infoblox, Inc. The information in this document is subject to change without notice. Infoblox, Inc. shall not be liable for any damages resulting from technical errors or omissions which may be present in this document, or from use of this document. This document is an unpublished work protected by the United States copyright laws and is proprietary to Infoblox, Inc. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use of this document by anyone other than authorized employees, authorized users, or licensees of Infoblox, Inc. without the prior written consent of Infoblox, Inc. is prohibited. For Open Source Copyright information, see Appendix C, "Open Source Copyright and License Statements", on page 769.
Trademark Statements
Infoblox, the Infoblox logo, DNSone, NIOS, IDeal IP, bloxSDB, bloxHA and bloxSYNC are trademarks or registered trademarks of Infoblox Inc. All other trademarked names used herein are the properties of their respective owners and are used for identification purposes only.
Company Information
Infoblox is located at: 4750 Patrick Henry Drive Santa Clara, CA 95054-1851, USA Web: www.infoblox.com
support.infoblox.com
Phone: 408.625.4200 Toll Free: 888.463.6259 Outside North America: +1.408.716.4300 Fax: 408.625.4201
Product Information
Hardware Models: Infoblox-250, -500, -550, -550-A, -1000, -1200, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000 Document Number: 400-0172-004, Rev. A Document Updated: July 17, 2009
Warranty Information
Your purchase includes a 90-day software warranty and a one year limited warranty on the Infoblox appliance, plus an Infoblox Warranty Support Plan and Technical Support. For more information about Infoblox Warranty information, refer to Infoblox Web site, or contact Infoblox Technical Support.
Contents
Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Document Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Documentation Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Documentation Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Whats New . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Related Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Customer Care . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Software Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Part 1 Appliance Administration

Chapter 1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
NIOS Appliance Software Packages and Upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Product Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Scenario 1 Independent NIOS Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Scenario 2 Basic Grid with Independent NIOS Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Scenario 3 Infoblox Grid with NIOS Virtual Appliances as Grid Members . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Scenario 4 Multiple Grids . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Scenario 5 Primary and Secondary NIOS Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Chapter 2 Infoblox GUI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Management System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Accessing the Infoblox GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 Connecting to a NIOS Appliance with JWS (Java Web Start) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 About the Grid Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Installing the Grid Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 Connecting to a NIOS Appliance Using the Grid Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Setting Login Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 SSL (Secure Sockets Layer) Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Managing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Understanding the GUI Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Main Interface Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 Customizing a Perspective Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Creating a Login Banner on a NIOS Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Customizing Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Home Perspective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Using Global Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 Printing from the GUI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Accessing IP Address Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Logging in to IP Address Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
NIOS 4.3r5
Infoblox Administrator Guide (Rev. A)
Multilingual Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Host Names Support for Microsoft Windows Code Pages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 UTF-8 Supported Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 UTF-8 Support Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Exporting Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Exporting Data from Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Exporting Data to a CSV File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Chapter 3 Managing Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

About Admin Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 About Admin Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Creating a Superuser Admin Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 About Limited-Access Admin Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 About Admin Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Creating Limited-Access Admin Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Deleting Admin Roles and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Viewing Admin Group Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 About Administrative Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Applying Permissions and Managing Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Defining Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 Viewing and Managing Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Modifying Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Removing Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 Administrative Permissions for Common Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Administrative Permissions for Grid Members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Administrative Permissions for Scheduling Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90 Managing DNS Resource Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Administrative Permissions for DNS Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 Administrative Permissions for Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 Administrative Permissions for Resource Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Administrative Permissions for Shared Record Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Managing Administrative Permissions for DHCP Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Administrative Permissions for Network Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Administrative Permissions for Networks and Shared Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Administrative Permissions for Fixed Addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Administrative Permissions for DHCP Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 Administrative Permissions for DHCP Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Administrative Permissions for MAC Address Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 Administrative Permissions for Network Discovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 Administrative Permissions for the DHCP Lease History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Administrative Permissions for the RADIUS Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Administrative Permissions for File Distribution Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 Authenticating Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 Creating Local Admins. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 Modifying and Removing an Admin Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 About Remote Admins. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 Authenticating Using RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 Remote RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Configuring RADIUS Authentication on the NIOS Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Adding RADIUS Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
NIOS 4.3r5
Testing the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 Maintaining the RADIUS Admins Server List on the NIOS Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 Disabling a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 Configuring a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Configuring Admin Groups on the Remote RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Configuring Remote Admin Accounts on the Remote RADIUS Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Authorization Groups Using RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Accounting Activities Using RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Authenticating Admin Accounts Using Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Admin Authentication Using Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Configuring Active Directory Authentication for Admins. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Defining the Admin Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 Specifying a List of Remote Admin Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 Configuring the Default Admin Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 Configuring a List of Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Changing Password Length Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Notifying Administrators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Chapter 4 Managing Appliance Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Managing Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Changing Time and Date Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Changing Time Zone Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Monitoring Time Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Using NTP for Time Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 Authenticating NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 NIOS Appliance as NTP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 Configuring a NIOS Appliance as an NTP Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 NIOS Appliance as NTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 Configuring a NIOS Appliance as an NTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 Scheduling Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 Enabling and Disabling Task Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 Scheduling a Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 Viewing Scheduled Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Rescheduling and Deleting Scheduled Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Guidelines for Upgrading, Backing Up, and Restoring the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Managing Security Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Enabling Support Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Enabling Remote Console Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 Permanently Disabling Remote Console and Support Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Restricting HTTP Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Enabling HTTP Redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Modifying GUI Session Timeout Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Disabling the LCD Input Buttons. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Modifying Security for a Grid Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 Ethernet Port Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Modifying Ethernet Port Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 Using the LAN2 Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 NIC Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 Enabling DHCP on LAN2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Enabling DNS on LAN2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
NIOS 4.3r5
Using the MGMT Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Appliance Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Grid Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 DNS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Setting Static Routes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161 Enabling DNS Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Managing Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Viewing the Installed Licenses on a NIOS Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Obtaining a 60-Day Temporary License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 Obtaining and Adding a License. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Removing Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Using the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 Disabling the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Enabling the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Viewing the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Restoring Objects in the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 Emptying the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 Shutting Down, Rebooting, and Resetting a NIOS Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Rebooting a NIOS Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Shutting Down a NIOS Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Resetting a NIOS Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Managing the Disk Subsystem on the Infoblox-2000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 About RAID 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Evaluating the Status of the Disk Subsystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 Appliance Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Replacing a Failed Disk Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Disk Array Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 Restarting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Canceling a Scheduled Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Chapter 5 Monitoring the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Viewing Detailed Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Appliance Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Service Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 DB Capacity Used . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Disk Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 FAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 HA, LAN1, LAN2, or MGMT Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 LCD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Memory Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Power Supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 RAID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 RAID Battery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Temperatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185 Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Using a Syslog Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Specifying Syslog Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Configuring Syslog for a Grid Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 Setting DNS Logging Categories. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Viewing the Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Searching for Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Downloading the Syslog File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
NIOS 4.3r5
Monitoring Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 Using the Audit Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 Using the Replication Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Using the Traffic Capture Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Using the Capacity Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Monitoring DNS Transactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Chapter 6 Monitoring with SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Understanding SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 SNMP MIB Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 MIB Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Infoblox MIBs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Loading the Infoblox MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 RADIUS MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 ibTrap MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208 ibPlatformOne MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 ibDHCPOne MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 ibDNSOne MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242 ibIPWC MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244 Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Accepting SNMP Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Setting System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Adding SNMP Trap Receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 Configuring SNMP for a Grid Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Chapter 7 Changing Software and Merging Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

Upgrading NIOS Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 Downgrading Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 Reverting to the Previously Running Software Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 Backing Up and Restoring a Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Backing Up Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253 Automatically Backing Up a Data File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 Downloading a Backup File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255 Restoring a Configuration File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 Loading a Configuration File on a Different Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258 Downloading a Support Bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Part 2 Appliance Deployment

Chapter 8 Deploying Independent Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Independent Deployment Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264 Deploying a Single Independent Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Method 1 Using the LCD. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Method 2 Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Method 3 Using the Infoblox NIOS Startup Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Method 4 Using the GUI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
NIOS 4.3r5
Configuration Example: Deploying a NIOS Appliance for External DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 Cable the Appliance to the Network and Turn On Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Specify Initial Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 Specify Appliance Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 Define a NAT Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 Enable Zone Transfers on the Legacy Name Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 Import Zone Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 Designate the New Primary on the Secondary Name Server (at the ISP Site) . . . . . . . . . . . . . . . . . . . . . . . . . 276 Configure NAT and Policies on the Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276 Deploying an Independent HA Pair. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277 Method 1 Using the Infoblox NIOS Startup Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 Method 2 Using the GUI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 Configuration Example: Configuring an HA Pair for Internal DNS and DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 Cable Appliances to the Network and Turn On Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Specify Initial Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285 Specify Appliance Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285 Enable Zone Transfers on the Legacy Name Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 Import Zone Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 Define Networks, Reverse-Mapping Zones, DHCP Ranges, and Infoblox Hosts. . . . . . . . . . . . . . . . . . . . . . . . 289 Define Multiple Forwarders. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291 Enable Recursion on External DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 Modify the Firewall and Router Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 Enable DHCP and Switch Service to the NIOS Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 Manage and Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 Verifying the Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295 Single Independent Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295 Independent HA Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295 Forcing an HA Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295 Infoblox Tools for Migrating Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 Upgrading Software on an Independent Appliance or HA Pair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 Acquiring Software Upgrade Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 Distributing Software Upgrade Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 Running the Software Upgrade. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Chapter 9 Deploying a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

Introduction to Grids . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300 Grid Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 NAT Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302 Automatic Software Version Coordination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 Grid Bandwidth Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 Creating a Grid Master . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309 VRRP Advertisements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311 Port Numbers for Grid Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312 Creating an HA Grid Master. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313 Creating a Single Grid Master. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 Adding Grid Members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 Adding a Single Member. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 Adding an HA Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 Configuration Example: Configuring a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322 Cable All Appliances to the Network and Turn On Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 Create the Grid Master . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 Define Members on the Grid Master . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 Join Appliances to the Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
8 Infoblox Administrator Guide (Rev. A) NIOS 4.3r5
Import DHCP Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329 Import DNS Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330 Using the Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331 After Using the Wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333 Enabling IPv6 On a Grid Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 About IPv6 Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 Configuring IPv6 on a Grid Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 Configuration Example: Configuring IPv6 on a Grid Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336 Managing a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 Changing Grid Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 Setting the MTU for VPN Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 Removing a Grid Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 Promoting a Master Candidate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 Upgrading NIOS Software on a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 Lite Upgrades. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 Uploading NIOS Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342 About Upgrade Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342 Distributing Software Upgrade Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343 Testing a Software Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347 Performing a Software Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Monitoring Distribution and Upgrade Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Part 3 Service Configuration

Chapter 10 Managing DNS Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Configuring DNS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362 DNS Configuration Checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363 Restarting Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364 Using Infoblox DNS Views. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365 Default DNS View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367 DNS Views and Network Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367 Creating DNS Views. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367 Specifying Match Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369 Adding Zones to a DNS View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370 Adding Records to a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370 Managing DNS Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372 Configuration Example: Configuring a DNS View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374 Understanding DNS for IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376 IPv6 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376 Configuring DNS for IPv6 Addressing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377 Delegating Zone Authority to Name Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378 Specifying a Primary Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378 Specifying a Secondary Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379 Configuring Authoritative Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382 Creating an Authoritative Forward-Mapping Zone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382 Creating an Authoritative Reverse-Mapping Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383 Adding an Authoritative Subzone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385 Creating a Root Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387 Importing Zone Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388 Allowing Zone Transfers to an Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391 Importing Data into Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391 How Specific Zones and Records Are Imported . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
NIOS 4.3r5 Infoblox Administrator Guide (Rev. A) 9
Restoring Zone Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392 Restoring Zone Data After a Zone Import Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393 Restoring Zone Data After a Zone Reimport Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393 Configuring Delegated, Forward, and Stub Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394 Configuring a Delegated Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394 Configuring a Forward Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397 Configuring Stub Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 Using Name Server Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Creating Name Server Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Applying Name Server Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411 Managing Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Locking and Unlocking Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412 Modifying Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Removing Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413 Enabling and Disabling Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415 About DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416 DNSSEC Resource Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 DNSKEY Resource Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 RRSIG Resource Record. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 NSEC Resource Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 DS Resource Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418 Configuring NIOS Appliances to Support DNSSEC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418 Enabling DNSSEC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420 Using the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422 Viewing the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422 Restoring Objects in the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422 Emptying the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423 Specifying Host Name Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424 Grid Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424 Member Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425 Zone Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425 Obtaining a List of Invalid Record Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426 Associating Shared Record Groups With Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426 Configuring Extensible Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426 Host Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Understanding Host Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Adding Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429 Adding Bulk Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431 Specifying Bulk Host Name Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431 Before Defining Bulk Host Name Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431 Configuring Bulk Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434 Adding Resource Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436 Entering MAC Addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436 Adding A Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Adding NS Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Adding AAAA Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438 Adding PTR Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439 Adding MX Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440 Adding SRV Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441 Adding TXT Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442 Adding CNAME Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443 Adding DNAME Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445 Specifying Time To Live Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
10
NIOS 4.3r5
Managing Hosts and Resource Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452 Modifying, Disabling, or Deleting a Host or Record. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452 Viewing DNS Record Listings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Chapter 11 Shared Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455

Understanding Shared Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456 Shared Records Benefits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457 Shared Records Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457 Shared Records Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457 Using Shared Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458 Configuring Shared Record Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458 Viewing Records in Shared Record Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459 Associating Shared Record Groups With Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459 Viewing Zones Associated With Shared Record Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459 Removing Shared Record Group Zone Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460 Deleting and Recovering Shared Record Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460 Using the Shared Record Group API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460 Adding Shared Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461 Adding Shared A Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461 Adding Shared AAAA Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461 Adding Shared MX Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462 Adding Shared SRV Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463 Adding Shared TXT Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463 Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Chapter 12 Configuring DNS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467

Configuring DNS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468 Changing General DNS Properties for a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468 Enabling Zone Transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470 Specifying DNS Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472 Configuring a DNS Blackhole List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474 Specifying Root Name Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476 Specifying Sort Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 Using Forwarders with a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 Using Forwarders with a Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478 Specifying Minimal Response Returns. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478 Disabling and Enabling DNS Service for a Grid Member . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478 Configuring Additional IP Addresses for a Grid Member. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479 Configuring DNS Zone Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480 Disabling Forwarding for a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480 Specifying TTL Settings for a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480 Changing the SOA Name for a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 Setting the Serial Number in the SOA Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 Adding an E-mail Address to the SOA Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481 Allowing Zone Transfers for a Zone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482 Allowing Query Access for a Zone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 Viewing DNS Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484 Viewing DNS Cache Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484 Viewing a DNS Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484 Viewing DNS Zone Statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
NIOS 4.3r5
11
Chapter 13 Configuring IP Routing Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485

Multiple IP Addresses on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486 IP Addressing on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486 Configuring IP Addresses on the Loopback Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486 Advertising Loopback IP Addresses to the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487 Configuration Example: Configuring IP Addresses on the Loopback Interface . . . . . . . . . . . . . . . . . . . . . . . . 487 Anycast Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488 Network Communication Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488 OSPF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Configure OSPF on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 Configure an Anycast Address on an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492 Configuration Example: Configuring Anycast Addressing on the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Chapter 14 Managing DHCP Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

About Network Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497 Creating Network Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498 Deleting Network Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498 Configuring a DHCP Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499 Adding a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499 Splitting a Network into Subnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500 Expanding/Joining a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502 Adding a Shared Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504 Viewing Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504 Modifying a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505 Removing a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505 Enabling and Disabling a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505 Configuring IP Addresses and DHCP Address Ranges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506 Guidelines for the Next Available IP Address. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506 Adding a Fixed Address or a Roaming Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507 Handling DHCP Leases With Client Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 Adding DHCP Ranges. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 Excluding Addresses from a DHCP Address Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510 Creating and Managing Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511 About Network Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511 Creating and Managing Network Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512 Creating and Managing DHCP Range Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514 Creating and Managing Fixed Address Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517 Configuring Extensible Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522 Using the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 Viewing the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 Restoring Items in the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 Emptying the Recycle Bin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
12
NIOS 4.3r5
Chapter 15 Configuring DHCP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

Configuring DHCP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527 DHCP Configuration Checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529 Configuring DHCP Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530 Specifying Ping Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534 Specifying DHCP Lease Times. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535 Specifying BOOTP Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536 Specifying Custom DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538 Defining Option 60 (Vendor-Class-Identifier) Match Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539 Defining Custom Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539 Configuring Advanced DHCP Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541 Configuring the DHCP Option Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541 Adding Vendor Option Spaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541 Configuring DNS Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542 Enabling DHCP Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 542 Defining Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543 Configuring a MAC Address Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547 Configuring Option Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549 Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552 Example DHCP Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553 Configuring User Class Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554 Configuring a Relay Agent Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555 Managing DHCP Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557 Configuring DHCP Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558 DHCP Failover Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558 Creating a Failover Association. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559 Monitoring the Failover Association. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560 Failover Association Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560 Viewing DHCP Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561 Viewing a DHCP Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561 Viewing DHCP Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Chapter 16 Using Network Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563

About Network Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564 Administrative Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565 Discovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566 Supported Discovery Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567 Configuring Network Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569 Updating the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570 Starting a Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571 Monitoring Discovery Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572 Viewing Discovered Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573 Attributes of Discovered Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573 Types of Discovered Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573 Display of Discovered Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574 Filtering Discovered Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574 Searching Discovered Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575 Managing Discovered Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575 Managing Unmanaged Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575 Resolving Conflicting Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577 Configuring DNS and DHCP for a Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578 Clearing the Discovered Timestamp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
Chapter 17 Configuring DDNS Updates from DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581

Understanding DDNS Updates from DHCP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582 Configuring DHCP for DDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585 Specifying a Domain Name for DHCP Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586 Configuring DDNS on the DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587 Sending Updates to DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588 Client FQDN Option (Option 81) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589 Generating Host Names for DNS Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591 Updating DNS for Clients with Fixed Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592 Resending DNS Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592 Configuring DNS Update Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593 Configuring DNS for DDNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596 Enabling the DNS Server to Receive Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596 Forwarding Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598 Authenticating Updates with TSIG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599 Supporting Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601 Sending DDNS Updates to a DNS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601 About GSS-TSIG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602 Sending Secure DDNS Updates to a DNS Server in the Same Domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603 Configuring DHCP to Send GSS-TSIG Updates in the Same Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605 Sending Secure DDNS Updates to a DNS Server in Another Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612 Configuring DHCP to Send GSS-TSIG Updates to Another Domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613 Sending GSS-TSIG Updates to a DNS Server in Another Forest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615 Receiving DDNS Updates from DHCP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616 Receiving GSS-TSIG-Authenticated Updates from DHCP Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618 Configuring DNS to Receive GSS-TSIG Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Chapter 18 Managing IP Data IPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627

Managing and Viewing IP Address Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628 About Extensible Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628 Defining Extensible Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630 Modifying Extensible Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632 Deleting Extensible Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633 Searching for Data in Extensible Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633 Adding, Modifying, and Removing Host Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634 Adding, Modifying, and Removing DNS Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634 Modifying DHCP Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634 Converting DHCP Leases, Fixed Addresses, and Reserved Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634 Monitoring Overall DHCP Address Usage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637 Setting Watermark Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637 Viewing IPAM Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641 Downloading IPAM Status Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641 Viewing IPAM Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642 Viewing DHCP and DNS Usage and Device Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642 Searching and Sorting IPAM Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643 Viewing DHCP Lease Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643 Viewing Historical DHCP Lease Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645 Logging Member and Selective Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645 Searching DHCP Lease Event Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646 Viewing Lease Event Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647 Exporting and Importing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
Chapter 19 NAC Foundation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649

About the NAC Foundation Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651 DHCP Authentication Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 651 Configuring the NAC Foundation Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 654 Configuring DHCP Ranges for Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655 Quarantined DHCP Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655 Guest DHCP Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655 Authorized DHCP Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655 User Class Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656 Binding DHCP Ranges to the Quarantined and Authorized Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656 Uploading Files for Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657 Uploading Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657 Creating Subdirectories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657 Managing the Image Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658 Configuring the Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658 About Client Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659 Configuring the McAfee Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659 Enabling Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660 About Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660 Managing the Local User Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660 Configuring the Self Service Portal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661 Importing Accounts from an Active Directory Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662 Configuring Active Directory Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662 Configuring LDAP/LDAPS Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662 Configuring the Authentication Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663 Specifying an External Authentication Home RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664 About Guest Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664 Configuring Guest Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665 Viewing Guest and Authenticated Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666 Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668 Configure a Loopback Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668 Configure a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668 Create DHCP Address Ranges in the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669 Configure AD Servers for Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669 Bind DHCP Ranges to the Quarantined and Authorized Levels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670 Configure the Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670 Configure Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 671 Enable DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672 Verifying Your Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672
Chapter 20 File Distribution Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673

File Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674 Enabling and Configuring TFTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675 Enabling and Configuring HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 676 Enabling and Configuring FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677 Managing Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678 Uploading Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678 Creating a Directory Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678 Modifying File Distribution Storage Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679 Viewing Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 679
NIOS 4.3r5
15
Chapter 21 RADIUS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681

Understanding RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683 Infoblox RADIUS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684 RADIUS Servers in a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685 Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686 Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 686 Configuring RADIUS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687 Managing User Accounts in the Local Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688 Adding Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688 Importing Users From a Microsoft Active Directory Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688 Viewing Imported Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690 Configuration Example: Importing Users from AD Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690 Troubleshooting AD Error Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692 Configuring LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693 Managing Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694 Generating a Self-Signed EAP Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694 Generating a Certificate Signing Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695 Uploading Certificates to the Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695 Downloading Certificates from the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695 About RADIUS Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696 Defining Policies for User Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697 Using RADIUS Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698 Configuring RADIUS Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698 Managing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699 Configuring RADIUS Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699 Managing Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699 Assigning a Policy Group to a Grid Member. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699 Network Access Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700 Enabling RADIUS Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701 RADIUS Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701 RADIUS Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 702 Understanding RADIUS Proxy Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703 RADIUS Home Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705 Configuring a RADIUS Authentication Home Server Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706 Configuring a RADIUS Accounting Home Server Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706 Managing RADIUS Proxy Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 707 Proxying RADIUS Access-Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708 Viewing the RADIUS Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708 Proxying RADIUS Accounting-Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709 Removing Home Servers and Shared Secret Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709
Chapter 22 IPAM WinConnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711

Configuring IPAM WinConnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712 Uploading a WinConnect Bundle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712 Viewing Bundle Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712 Managing the WinConnect Bundles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 712 Configuring the WinConnect Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713 Backing Up and Restoring Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714 Monitoring WinConnect Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
16
NIOS 4.3r5
Chapter 23 VitalQIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715

About VitalQIP on a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 716 HA Pair Grid Members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718 Deploying Grid Members as VitalQIP Remote Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719 Uploading and Enabling VitalQIP Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 719 Launching VitalQIP on the Grid. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723 Configuring Grid Members on the VitalQIP Enterprise Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 724 Using LDRM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 727 DHCP API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728 Monitoring VitalQIP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728 SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729 Troubleshooting Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 729
Chapter 24 bloxTools Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731

About the bloxTools Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732 Using the bloxTools Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733 Configuring the Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733 Uploading Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734 Scheduling Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734 Monitoring the Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 735
Part 4 API Interface

Chapter 25 Infoblox DMAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 739
Introduction to Infoblox DMAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 740 Required Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 740 Infoblox DMAPI Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741 Installing Perl and Infoblox DMAPI Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741 Infoblox Scripting Pack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 742 Running a Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743 Testing the Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 744 Backing Up the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 744 Writing a Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 746 Perl Information Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755 Infoblox-Specific Perl Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755 Perl Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 755
Part 5 Reference Material

Appendix A Product Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 759
Power Safety Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760 AC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760 DC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 760 Agency Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761 FCC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761 Canadian Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761 VCCI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762
RFC Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763 DNS RFC Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763 DHCP RFC Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
Appendix B Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767

Supported Expressions for Search Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767
Appendix C Open Source Copyright and License Statements . . . . . . . . . . . . . . . . . . . . 769

GNU General Public License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771 GNU Lesser General Public License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 774 Apache Software License, Version 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 780 perl Artistic License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785 ISC BIND Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 786 ISC DHCP Copyright. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 787 Julian Seward Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788 Carnegie Mellon University Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 788 Thai Open Source Software Center Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 789 Ian F. Darwin Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 790 Lawrence Berkeley Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791 MIT Kerberos Copyright. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 791 BSD License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 792 David L. Mills Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793 OpenLDAP License. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793 OpenSSL License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 794 VIM License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 795 ZLIB License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797 Wietse Venema Copyright . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 797 ECLIPSE SOFTWARE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798 Eclipse Public License - v 1.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798 AOP Alliance (Java/J2EE AOP standards) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802 ASM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802 Distributed Computing Laboratory, Emory University . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803 COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803 The FreeType Project LICENSE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807 The Independent JPEG Group's JPEG software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 811 Net-SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813 The PHP License, version 3.01 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 819
Appendix D Hardware Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 821

About the Hardware Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822 Identifying the Front Panel Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 822 Using the LCD Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823 Using the Serial Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823 Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 824 About Back Panel Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 825 Connecting the Ethernet Cables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 825 Independent Appliance Cabling Using the LAN or Serial Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 825 HA Pair Appliance Cabling Using the LAN and HA Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 826 Cabling for the MGMT Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827
Rack Mounting Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831 Chassis Warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831 Rack Mounting and Safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831 Hardware Platform Specifications and Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 832 System Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 832 Environmental Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 832 AC Electrical Power Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 832 DC Electrical Power Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 832
Appendix E vNIOS Appliance Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 833

vNIOS for Cisco . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 833 vNIOS for Riverbed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 834
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 835
NIOS 4.3r5
19
20
NIOS 4.3r5
Preface
This guide explains how to install, configure, and manage a NIOS appliance. This preface describes the content and organization of this guide, and provides information about how to find additional product information, including accessing Technical Support:
Document Overview on page 22 Documentation Organization on page 22 Documentation Conventions on page 24 Whats New on page 26 Related Documentation on page 27 Customer Care on page 27 User Accounts on page 27 Software Upgrades on page 27 Technical Support on page 27
NIOS 4.3r5
21
Preface
Document Overview
This guide describes how to install, configure, and manage NIOS appliances using NIOS 4.3r5. This manual was last updated on July 17, 2009. For updated documentation, visit our Support site at: http://support.infoblox.com.
Documentation Organization
This guide consists of five parts, as described in the following table.
Section
Content
Part 1 Appliance Administration Chapter 1, Overview, on page 31
Chapters 1 7
Provides general information about the NIOS software, plus provides definitions of the terms used to explain how NIOS appliances operate. It provides examples of how the appliances can be used in your network. Explains how to use the GUI of the NIOS appliance by defining what the GUI components are and how to use them. Explains how to configure and manage administrator groups and accounts in the local database and on external RADIUS servers. Explains how to configure NTP, secure administrative access, set routes, enable DNS resolution, activate licenses, and reset the NIOS appliance. It also provides information about ethernet and service port usage. Explains the purpose of the various logs and provides information on using syslog to monitor the NIOS appliance. Explains how to configure SNMP to monitor the NIOS appliance. It also describes the SNMP traps that the NIOS appliance can send and the Infoblox MIBs. Explains how to upgrade and downgrade software, and how to backup, merge, revert, and restore configuration files.
Chapter 2, Infoblox GUI, on page 39 Chapter 3, Managing Administrators, on

page 69
Chapter 4, Managing Appliance Operations, on page 121
Chapter 5, Monitoring the Appliance, on

page 181
Chapter 6, Monitoring with SNMP, on page

203
Chapter 7, Changing Software and Merging Files, on page 251 Part 2 Appliance Deployment Chapter 8, Deploying Independent Appliances, on page 263 Chapter 9, Deploying a Grid, on page 299
Chapters 8 9
Explains how to deploy single independent appliances and independent HA (high availability) pairs. Addresses grid deployment considerations and explains how to deploy single NIOS appliances and HA pairs as grid masters and members.
Part 3 Service Configuration Chapter 10, Managing DNS Data, on page

359
Chapters 10 18
Explains how to manage grid data configurations that are inherited by DNS members and zones, such as zone type and mapping information. This chapter also describes how to configure DNS views and how to modify, remove and disable authoritative, delegated, and forward zones. It concludes with how to add, modify, remove, and disable hosts and records.
22
NIOS 4.3r5
Document Overview
Section
Content Explains how to configure and use shared records. Shared records are groups of DNS resource records that you can assign to one or more zones. Use shared records to create and update multiple resource records shared by different zones. Explains how to configure the DNS services provided by the grid, which includes time-to-live (TTL) settings, zone transfers, queries, root name servers, dynamic updates, sort lists, and Transaction Signatures (TSIG) for DNS. This chapter also describes how to specify broadcast addresses, routers, and DNS servers. It describes how to specify and update zones on external servers and for fixed addresses. This chapter concludes with how to use the view DNS configuration files and statistical reports. Explains how to enable and configure anycast addressing as well as configure multiple IP address on loopback interfaces on the NIOS appliance. Explains how to configure networks, and features such as creating split and shared networks. This chapter also describes how to modify, remove and disable networks. This chapter concludes with how to add, modify, remove, and disable fixed addresses and DHCP address ranges. Templates are provided for creating networks, ranges, and fixed addresses. Explains how to manage grid data configurations that are inherited by DHCP members and networks, DHCP address ranges, and fixed addresses. This chapter explains how to configure the DHCP services provided by each member, which includes lease times, BOOT servers, and custom options. This chapter concludes with how to use the view DHCP configuration files and statistical reports. Explains how to configure and manage the network discovery feature. Explains how to set up DHCP and DNS services to work together to support DDNS (dynamic DNS) updates. Explains how to monitor IP address usage using the IPAM (IP address management) software module. Provides an overview of the NAC Foundation module and its components, and describes how to set parameters and configure various security functions. Explains the TFTP, HTTP and FTP services that the NIOS appliance provides for uploading and downloading data to and from a NIOS appliance.
Chapter 11, Shared Records, on page 455
Chapter 12, Configuring DNS Services, on

page 467
Chapter 13, Configuring IP Routing Options,

on page 485
Chapter 14, Managing DHCP Data, on page

495
Chapter 15, Configuring DHCP Services, on

page 525
Chapter 16, Using Network Discovery, on

page 563
Chapter 17, Configuring DDNS Updates from DHCP, on page 581 Chapter 18, Managing IP Data IPAM, on
page 627
Chapter 19, NAC Foundation, on page 649
Chapter 20, File Distribution Services, on

page 673
Chapter 21, RADIUS Services, on page 681 Explains how to configure RADIUS services on a NIOS appliance. Chapter 22, IPAM WinConnect, on page
711 Explains how to configure a NIOS appliance to run the IPAM WinConnect service. This chapter describes how to upload an IPAM WinConnect bundle, set operational parameters, and monitor the WinConnect service.
NIOS 4.3r5
23
Preface
Section
Content Explains how to configure NIOS appliances as VitalQIP DNS and DHCP remote servers. This chapter describes how to configure NIOS appliances to upload and manage VitalQIP binary bundles and policy files in a grid. Explains how to configure the bloxTools Environment, which provides a pre-installed environment for hosting custom web-based applications.
Chapter 23, VitalQIP, on page 715
Chapter 24, bloxTools Environment, on

page 731
Part 4 API Interface Chapter 25, Infoblox DMAPI, on page 739 Part 5 Reference Material Appendix A, "Product Compliance", on
page 759
Chapter 22
Provides an overview of the DMAPI interface and describes how to set up and use the Infoblox API.
Appendices A E
Provides product information, such as hardware and software specification and requirements. This appendix also supplies agency compliance and safety information and concludes with RFC compliance information for the product. Lists regular expressions that the NIOS appliance supports for searches. Provides the Open Source copyright and license information for the product. Describes the hardware components and explains how to rackmount and cable an Infoblox appliance. It also lists the hardware requirements and specifications. Describes the limitations of the NIOS virtual appliances.
Appendix B, "Regular Expressions", on

page 767
Appendix C, "Open Source Copyright and License Statements", on page 769 Appendix D, "Hardware Information", on
page 821
Appendix E, "vNIOS Appliance Limitations",

on page 833
Documentation Conventions
The text in this guide follows these style conventions. Style bold
input
Usage Indicates anything that you input by clicking, choosing, selecting, or typing in the GUI, or by pressing on the keyboard. Signifies command line entries that you type. Signifies variables typed into the GUI that you need to modify specifically for your configuration, such as command line variables, file names, and keyboard characters. Indicates that you will select the named tab.
variable
+ (for tabname)
> (for tabname)
24
NIOS 4.3r5
Document Overview
Variables
Infoblox uses the following variables to represent values that you type, such as file names and IP addresses: Variable Value Name of a group of administrators Name of the appliance administrator IP address range DHCP template Domain name Directory name Filter name Fixed address template Grid Master Grid Member Host name of an independent appliance Grid name IPv4 address Grid member name Subnet mask IP address of a network Name of a NAS Network template Network view Name of a policy on RADIUSone Name of a Policy Group Number of a port; predefined for certain protocols Name of a RADIUS server One of the services available from the Grid Manager DHCP template DNS view DNS zone
admin_group admin_name addr_range DHCP_template domain_name directory filter_name fixed_address_template grid_master grid_member hostname grid ip_addr member netmask network network_access_server network_template network_view policy policy_group port RADIUS_server service template_type dns_view zone
Navigation
Infoblox technical documentation uses an arrow -> to represent navigation through the GUI. For example, to access Grid Properties, the description is as follows: From the Grid perspective, click grid -> Edit -> Grid Properties.
NIOS 4.3r5
25
Preface
Whats New
The following sections are new or have been updated in this version of this guide: DHCP Roaming Hosts: Roaming hosts are hosts with dynamically assigned IP addresses. You can create roaming hosts for network devices such as laptop computers and mobile phones, which require different IP addresses each time they are moved from one network to another. For information, see Adding a Fixed Address or a Roaming Host on page 507. Allow/Deny IP Addresses to DHCP Clients: You can configure the appliance to assign or deny IP addresses within an address range to known and unknown DHCP clients. Known clients include roaming hosts and clients with fixed addresses or DHCP host entries. Unknown clients include clients that are not roaming hosts and clients that do not have fixed addresses or DHCP host entries. You can set this parameter when you configure the DHCP properties of an IP address range. For information, see Configuring DHCP Properties on page 530. Secure Upload to bloxTools: The bloxTools environment now supports SFTP (SSH File Transfer Protocol) for secure file transfers. You can enable both the FTP and SFTP services, and then use either one to upload data. For information, see Uploading Files on page 734. Support for Additional MAC Address Formats: In the Infoblox GUI, you can enter a MAC address using one of the following formats: aa:bb:cc:dd:ee:ff: Six groups of two hexadecimal digits separated by colons (:) aa-bb-cc-dd-ee-ff: Six groups of two hexadecimal digits separated by hyphens (-) aabb.ccdd.eeff: Three groups of four hexadecimal digits separated by periods (.) aabbcc-ddeeff: Two groups of six hexadecimal digits separated by a hyphen (-) aabbccddeeff: One group of 12 hexadecimal digits without any separator
26
NIOS 4.3r5
Related Documentation
Related Documentation
Other NIOS appliance documentation:
Infoblox CLI Guide Infoblox API Documentation Infoblox Administrator Guide for IP Address Manager Infoblox-500, Infoblox-1000 and Infoblox-1200 Quick Start Infoblox User Guide for the Infoblox-1050, 1550, and 1552 Appliances Infoblox User Guide for the Infoblox-500, 550 Appliance Infoblox Installation Guide for the Infoblox-550, -1050, -1550, and -1552 Appliances Infoblox Installation Guide for the Infoblox-550-A, -1050-A, -1550-A, and -1552-A Appliances Infoblox Installation Guide for the Infoblox-250 Appliance Infoblox Installation Guide for the Infoblox-2000 Appliance Quick Start Guide for Installing NIOS Software on Riverbed Services Platforms Quick Start Guide for Installing vNIOS Software on Cisco Application eXtension Platforms Infoblox Safety Guide
To provide feedback on any of the Infoblox technical documents, please e-mail techpubs@infoblox.com.
Customer Care
This section addresses user accounts, software upgrades, licenses and warranties, and technical support.
User Accounts
The Infoblox appliance ships with a default user name and password. Change the default admin account password immediately after the system is installed to safeguard its use. Make sure that the NIOS appliance has at least one administrator account with superuser privileges at all times, and keep a record of your account information in a safe place. If you lose the admin account password, and did not already create another superuser account, the system will need to be reset to factory defaults, causing you to lose all existing data on the NIOS appliance. You can create new administrator accounts, with or without superuser privileges. For more information, refer to Managing Administrators on page 41.
Software Upgrades
Software upgrades are available according to the Terms of Sale for your system. Infoblox notifies you when an upgrade is available. Register immediately with Infoblox Technical Support at http://www.infoblox.com/support/product_registration.cfm to maximize your Technical Support.
Technical Support
Infoblox Technical Support provides assistance via the Web, e-mail, and telephone. The Infoblox Support web site at http://support.infoblox.com provides access to product documentation and release notes, but requires the user ID and password you receive when you register your product online at: http://www.infoblox.com/support/product_registration.cfm.
NIOS 4.3r5
27
Preface
28
NIOS 4.3r5
Part 1 Appliance Administration

This section provides basic information about the NIOS appliance, including a description of the various modules and a list of product terminology, a description of the user interface and information about basic configuration tasks. It includes the following chapters: Chapter 1, "Overview", on page 31 Chapter 2, "Infoblox GUI", on page 39 Chapter 3, "Managing Administrators", on page 69 Chapter 4, "Managing Appliance Operations", on page 121 Chapter 5, "Monitoring the Appliance", on page 181 Chapter 6, "Monitoring with SNMP", on page 203 Chapter 7, "Changing Software and Merging Files", on page 251
NIOS 4.3r5
29
30
NIOS 4.3r5
Chapter 1 Overview
This chapter provides general information about the NIOS appliance operating system and software modules. It defines terms used in this manual and describes various deployment scenarios. The topics in this chapter include:
NIOS Appliance Software Packages and Upgrades on page 32 Product Terminology on page 32 Deployment Scenarios on page 34 Scenario 1 Independent NIOS Appliances on page 34 Scenario 2 Basic Grid with Independent NIOS Appliances on page 35 Scenario 3 Infoblox Grid with NIOS Virtual Appliances as Grid Members on page 36 Scenario 4 Multiple Grids on page 37 Scenario 5 Primary and Secondary NIOS Appliances on page 38
NIOS 4.3r5
31
Overview
NIOS Appliance Software Packages and Upgrades

All NIOS appliances run the NIOS operating system. NIOS appliances provide core services and a framework for integrating all the components of the modular Infoblox solution. The appliances support local HA (high availability) both at the appliance and database levels via bloxHA failover and bloxSYNC database synchronization. For information about HA pairs, see Deploying an Independent HA Pair on page 277 and Adding an HA Member on page 320. NIOS appliances support the following software packages: The DNSone software package is fully-BIND compliant. It provides integrated DNS and DHCP services with built-in IPAM services. DNSone stores all DNS and DHCP data in the integrated bloxSDB semantic database, which is built into NIOS. It includes a TFTP server for downloading firmware and configuration files to VoIP phones. The NSQ (Network Services for Alcatel-Lucent VitalQIP)software package provides support for Lucents VitalQIP IP address management software. The Grid upgrade provides a real-time, integrated services and data management framework that integrates a collection of distributed appliances into a unified grid. The Network Services for VoIP package provides integrated DNS, DHCP, TFPT, and RADIUS proxy services. The NSA (Network Services for Authentication) software package provides support for the RADIUS (Remote Authentication Dial-In User Service) protocol and the underlying authentication methods required for 802.1X authentication, as well as the Infoblox grid module. The Network Services Suite (NSS) provides integrated DNS, DHCP, TFPT, RADIUS, and the grid services. The IPAM WinConnect package provides powerful tools and capabilities for managing your IP environment and IP address data at an enterprise level.
Product Terminology
Before you begin, review Table 1.1 for a description of some key terminology. Some terms, such as grids and high availability, are used in different ways by other networking-product vendors. The alphabetically arranged table can help you understand the terms and concepts as Infoblox uses them and as they are used in this guide.
Table 1.1 Product Terminology

Term DNSone Gateway HA address Description The software package that enables the NIOS appliance to provide DNS, DHCP and TFTP services. You can add the Grid upgrade to NIOS appliances running DNSone. The default router for the immediate network segment of an interface. The IP address of the HA port. The active node of the grid master uses this address for grid communications, network data and services, andif the MGMT port is disabledGUI access. See Ethernet Port Usage on page 143. Two physical Infoblox appliances that are linked to perform as a single virtual appliance in an HA (high availability) configuration. In this configuration, one appliance is the active node and the other is the passive node. The fully qualified domain name(s) of the NIOS appliance that you are configuring. A group of NIOS appliances that are connected together to provide a single point of appliance administration and service configuration in a secure, highly available environment.
HA pair
Host name Grid
32
NIOS 4.3r5
Product Terminology
Term Grid Master
Description The grid member that maintains the semantic database that is distributed among all members of the grid. You connect to the GUI of the grid master to configure and monitor the entire grid. Any single NIOS appliance or HA pair of Infoblox appliances that belong to a grid. Each member can use the data and the services of the grid. You can also modify settings so that a member can use unique data and member-specific services. The Grid upgrade provides grid capabilities. The IP address of the LAN port. The active node of the grid master uses this address for management protocols if the MGMT port is disabled. The passive node uses its LAN port for grid communications and management protocols if the MGMT port is disabled. See Ethernet Port Usage on page 143. Enables a grid member to assume the role of grid master as a disaster recovery measure. The IP address that both nodes comprising the grid master use for management protocols. Also, when you enable the MGMT port, the active node of the grid master uses the MGMT address for GUI access. See Ethernet Port Usage on page 143. Infoblox appliances and Infoblox Virtual Appliances that run NIOS software. A third-party hardware platform that runs the vNIOS software package. Supported platforms are Riverbed Steelhead appliances with Riverbed Services Platform modules and Cisco Application eXtension Platforms in Integrated Services Routers. A single component of an HA (high availability) pair. An HA pair consists of an active node and a passive node. Specifying the services provided by your NIOS appliances, such as enabling DNS and DHCP, configuring dynamic updates, creating sort lists, using custom options and filters at the grid, member, zone, and network level. The shared IP address of an HA pair. A VIP address links to the HA port on the active node. The VRID (virtual router ID) identifies the VRRP (Virtual Router Redundancy Protocol) HA pair to which the NIOS appliance belongs. Through this ID, two HA nodes identify each other as belonging to the same HA pair and they obtain a virtual MAC address to share together with a VIP (virtual IP address). The VRID can be any number between 1 and 255, and it must be unique on the local LAN so that it does not conflict with any other NIOS appliances using VRRP on the same subnet. A portion of the domain name space for which a NIOS appliance or another name server is authoritative (for example, has the SOA [start of authority] record). A zone can also be delegated or forwarded. Zones are the primary objects used to manage DNS data and DNS services.
Grid Member
Grid LAN address
Master Candidate MGMT Address
NIOS appliance NIOS virtual appliance
Node Service configuration
Virtual IP Virtual Router ID
Zone
NIOS 4.3r5
33
Overview
Deployment Scenarios
The NIOS appliances can fit into network topologies in a variety of ways, and can provide DNS and DHCP services in a variety of ways. This section introduces some typical ways that you can deploy your NIOS appliances:
Scenario 1 Independent NIOS Appliances on page 34 Scenario 2 Basic Grid with Independent NIOS Appliances on page 35 Scenario 3 Infoblox Grid with NIOS Virtual Appliances as Grid Members on page 36 Scenario 4 Multiple Grids on page 37 Scenario 5 Primary and Secondary NIOS Appliances on page 38
Scenario 1 Independent NIOS Appliances

The simplest type of deployment is one that uses independent appliances, as shown in Figure 1.1.
Figure 1.1 Independent NIOS Appliances
Network Clients
Independent HA Pair Providing DNS Services
Internet Independent Appliance Providing DHCP Services
GUI Client
In the sample deployment that is shown above, three appliances are deployed as independent appliances as follows: An independent HA pair of Infoblox appliances that provides DNS services An independent standalone Infoblox appliance that provides DHCP services
An Infoblox appliance can provide network services as an HA pair or as an independent appliance without being part of a grid. Independent appliances can provide DNS and DHCP services at the same time. Note: When an Infoblox appliance is used as an independent appliance, that appliance assumes the identity of the grid master in the GUI, even though it is not part of an actual grid.
34
NIOS 4.3r5
Scenario 2 Basic Grid with Independent NIOS Appliances

Multiple NIOS appliances can be deployed within a grid (see Figure 1.2). A grid consists of a master and at least one member. A member can be a single NIOS appliance or an HA pair that provides DNS and DHCP services seamlessly across an entire network. The NIOS appliance also provides connectivity for external primary name servers that operate independently from a grid.
Figure 1.2 Grid and Independent Appliances

Independent Primary Server
Network Clients
GUI Client
Internet
Independent DNS Secondary Server Grid
Grid Master Grid Member HA Grid Member
A grid is controlled through a single GUI. The Infoblox GUI allows you to centrally configure and monitor any or all grid members. This approach reduces the time normally required to configure multiple network appliances and services because you can enter all of the settings, appliance data, and network services for each member using one interface, not all the individual interfaces of each member on a recurring basis. The Infoblox distributed database architecture enables all grid members to instantaneously receive changes to the grid configuration settings because there is automatic synchronization between all of the NIOS appliances via a secure link.
NIOS 4.3r5
35
Overview
Scenario 3 Infoblox Grid with NIOS Virtual Appliances as Grid Members

You can install Infoblox vNIOS software on a Riverbed Steelhead appliance running RSP (Riverbed Services Platform) or on a Cisco AXP (Application eXtension Platform) service module in an ISR (Integrated Services Router), and configure it as a NIOS virtual appliance. You can configure the NIOS virtual appliance as a grid member, but not as an HA pair, a grid master, or a grid master candidate. (For a complete list of the limitations of NIOS virtual appliances, see vNIOS Appliance Limitations on page 833.)
Figure 1.3 illustrates NIOS virtual appliances in a grid. In the illustration, the grid master and the grid master
candidate are Infoblox HA pairs in the data center. The Cisco vNIOS virtual appliance is a grid member in one branch office, the Riverbed vNIOS virtual appliance is a grid member in another branch office, and the other grid members are Infoblox appliances.
Figure 1.3 Infoblox Grid with NIOS Virtual Appliances

Branch Office - North
Data Center Grid Master Candidate
Grid Master Branch Office - East
Cisco vNIOS Virtual Appliance Branch Office - West Branch Office - South Riverbed vNIOS Virtual Appliance
36
NIOS 4.3r5
Scenario 4 Multiple Grids

The NIOS appliance is designed to manage independently-controlled grids, each from a unique location (see Figure 1.4). For example, a global network could be managed by four independent grids. The NIOS appliance is designed for scalable implementations to ease your network management needs. Each grid is centrally managed, which significantly reduces costs associated with DNS and DHCP management tasks.
Figure 1.4 Multiple Grids
European Grid Americas Grid Asia/PAC Grid
Australian Grid
GUI Clients
NIOS 4.3r5
37
Overview
Scenario 5 Primary and Secondary NIOS Appliances

NIOS appliances can also be deployed with other network servers. For example, Figure 1.5 shows how a NIOS appliance can operate as the primary DNS server along with two secondary name servers (a local secondary name server and a NIOS appliance external secondary server) without the NIOS appliances being part of a grid. The primary DNS server is deployed inside the corporate internal firewall. In this case, the primary DNS server is an HA pair of Infoblox appliances, which provides redundancy in the event of hardware failure. The NIOS appliance external secondary name server is deployed outside of the companys internal firewall. In this case, the NIOS appliance external secondary name server is a single NIOS appliance, but it could have been an HA pair.
Figure 1.5 Primary and Secondary Servers
Network Clients
Independent HA Pair (Primary Server)
Internet
GUI Client
DNS Server (Secondary Server) Independent Appliance (External Secondary Server)
Because the external secondary name server is outside of the corporate network, it provides an offsite source of name resolution for the corporate customers and partners should the corporate connection to the Internet fail. Moreover, even when the corporate link to the Internet is up, the external secondary server receives most of the queries for data in the corporate external zones. This type of deployment results in the following benefits: The use of the corporate Internet connection for name resolution traffic is minimized. Name resolution by Internet name servers is faster.
NIOS appliances can also operate as forwarders or caching-only servers, either as a single node or as part of an HA pair. A forwarder is responsible for handling queries from the internal name servers for Internet domain names (queries that they cannot process themselves because they lack Internet connectivity). Just as the primary DNS server is located inside the corporate internal firewall, the forwarder is also located inside the firewall. Consequently, you must configure firewall rules that allow the forwarder to perform the following tasks: Send queries to the Internet name servers Receive responses from those Internet name servers Block unsolicited DNS messages from the Internet name servers
38
NIOS 4.3r5
Chapter 2 Infoblox GUI

This chapter introduces the two versions of the Infoblox GUI (Graphical User Interface) and the Infoblox web interface for network and IP address management: Infoblox Grid Manager GUI for NIOS appliances running a software package, such as DNSone or the NSQ (Network Services for Lucent VitalQIP) package, with the Grid upgrade Infoblox Device Manager GUI for NIOS appliances running a software package without the Grid upgrade IP Address Manager provides access to your NIOS appliance for network and IP address management
The chapter lists the requirements for the management system you use to access a NIOS appliance, explains how to access the NIOS appliance, describes the components of the Infoblox Grid Manager GUI, and introduces the IP Address Manager GUI. Topics in this chapter include:
Management System Requirements on page 41 Accessing the Infoblox GUI on page 41 Connecting to a NIOS Appliance with JWS (Java Web Start) on page 42 About the Grid Manager on page 46 Installing the Grid Manager on page 46 Connecting to a NIOS Appliance Using the Grid Manager on page 47 Setting Login Options on page 48 SSL (Secure Sockets Layer) Protocol on page 50 Managing Certificates on page 51 Understanding the GUI Components on page 53 Main Interface Components on page 53 Customizing a Perspective Layout on page 56 Creating a Login Banner on a NIOS Appliance on page 57 Customizing Columns on page 57 Home Perspective on page 58 Using Global Search on page 60 Printing from the GUI on page 61 Accessing IP Address Manager on page 62 Logging in to IP Address Manager on page 62
NIOS 4.3r5
39
Infoblox GUI
Multilingual Support on page 62 UTF-8 Supported Fields on page 63 UTF-8 Support Limitations on page 64 Exporting Data on page 65 Exporting Data on page 65 Exporting Data on page 65 Exporting Data from Panels on page 65 Exporting Data to a CSV File on page 67
40
NIOS 4.3r5
Management System Requirements
Management System Requirements

The management system is the computer from which you configure and manage the NIOS appliance. The management system must meet the following requirements to operate a NIOS appliance.
Figure 2.1 Software and Hardware Requirements for the Management System
Management System Software Requirements GUI ACCESS Internet Explorer 6.0 or higher on Microsoft Windows XP and Internet Explorer 7.0 on Windows Vista or Mozilla 1.7 or higher on Linux Fedora Core 5 or higher, Red Hat and Sun Java Runtime Environment (JRE) version 1.5.0_14 or version 1.6 JWS application, which is automatically installed with JRE 1.5.0_14 or higher CLI ACCESS Secure Socket Shell (SSH) client that supports SSHv2 Terminal emulation program, such as minicom or Hilgraeve Hyperterminal Microsoft
Management System Hardware Requirements Minimum System: 500 MHz CPU with 256 MB RAM available to the product GUI, and 56 Kbps connectivity to NIOS appliance Recommended System: 1 GHz (or higher) CPU with 512 MB RAM available for the product GUI, and network connectivity to NIOS appliance Monitor Resolution: 1024 x 768 (minimum) to 1600 x 1200 (maximum)
Note: If the browser used to manage the NIOS appliance has a pop-up blocker enabled, you must turn off the pop-up blocker for the IP address used to manage the NIOS appliance.
Accessing the Infoblox GUI

Before you access the Infoblox GUI, connect your NIOS appliance to the network as described in the installation guide, user guide or quick start guide that shipped with your product. Refer to Hardware Information on page 821 for more information on cabling and powering up the NIOS appliance. Note: Before proceeding, make sure that your computer meets the current requirements for the GUI client as described in Management System Requirements. You can access and log in to a NIOS appliance using JWS (Java Web Start). You can use any computer on your network that runs the following applications: JRE (Java Runtime Environment) version 1.5.0_14 or version 1.6 JWS application, which is automatically installed with the corresponding version of the JRE Standard browser that associates JNLP (Java Network Launching Protocol) file types with the JWS application
Alternatively, you can install the Grid Manager on management systems running one of the supported Microsoft Windows operating systems, as described in About the Grid Manager on page 46.
NIOS 4.3r5
41
Infoblox GUI
Connecting to a NIOS Appliance with JWS (Java Web Start)

To make an initial management connection to the NIOS appliance using JWS: 1. Start your browser, and enter https://ip_addr, where ip_addr is the IP address of the NIOS appliance that you entered through the LCD or serial port, or the default IP address 192.168.1.2. See Using the LCD Panel on page 823 and Using the Serial Console on page 823. The NIOS appliance sends its server certificate to the browser to authenticate itself during the SSL (Secure Socket Layer) handshake. Because the default certificate is self-signed, your browser does not have a trusted CA (certificate authority) certificate or a cached NIOS appliance server certificate (saved from an earlier connection) to authenticate the NIOS appliance certificate. Also, the host name in the default certificate is www.infoblox.com, which is unlikely to match the host name of your NIOS appliance. Consequently, messages appear warning that the certificate is not from a trusted certifying authority and that the host name on the certificate is either invalid or does not match the name of the site that sent the certificate. Note: To eliminate certificate warnings, you can replace the default self-signed certificate with a different certificate that has the host name of your NIOS appliance. You can either generate another self-signed certificate with the right host name and save it to the CA certificate store of your browser (and, later in the procedure, to the certificate stores for JWS and the downloaded GUI application), or request a CA-signed certificate with the right host name and load it on the NIOS appliance. For information, see Managing Certificates on page 51. 2. Either accept the certificate just for this session or save it to the certificate store of your browser. 3. On the NIOS appliance home page, click Launch Grid Manager or Launch Device Manager. The browser and JWS perform the following operations: a. The browser requests the JNLP (Java Network Launching Protocol) file from the NIOS appliance and sends the file it receives to JWS (Java Web Start). Because this is the initial connection attempt, JWS does not yet have this file cached. In subsequent connection attempts, comparing the newly downloaded JNLP file with the cached file can indicate whether JWS needs to update any items that the file specifies. c. If JWS discovers there is no cached JNLP file or that the new JNLP file differs from the earlier file, JWS builds an SSL tunnel to the sources specified in the JNLP file. For this initial connection, JWS must make an SSL connection to the NIOS appliance to download the GUI application. JWS displays a security warning prompting you to accept or reject the NIOS appliance certificate the NIOS appliance sends to authenticate itself. If the default certificate is in use, warning messages appear stating the certificate is not from a trusted certifying authority, and that the host name on the certificate is either invalid or does not match the name of the site. This is the same certificate that the NIOS appliance uses to authenticate itself during all SSL handshakes. 4. Either accept the NIOS appliance server certificate just for this SSL session, or save it permanently to the JWS server certificate store. After the SSL tunnel is established, the NIOS appliance begins to download the GUI application, which is signed with a different certificate than the server certificate the NIOS appliance uses to authenticate itself during SSL handshakes. The certificate authenticating the GUI application is signed by Verisign. When received by JWS, it displays a security warning prompting you to accept or reject the signed application. 5. Do one of the following: Click Yes to accept the authenticity of the Infoblox GUI application for this download. Click Always to accept the authenticity of the Infoblox GUI application for this and future downloads by saving the certificate to the JWS application certificate store. Note: To manage server certificates in JWS, open the Java Application Cache Viewer, and then click Edit -> Preferences -> Security -> Certificates.
b. JWS checks for the JNLP file in its cache and, if it finds it, compares it with the recently received JNLP file.
42
NIOS 4.3r5
JWS downloads the Infoblox GUI application and any other items it needsor, for subsequent connections, just the items it needs to update. For this initial connection, JWS downloads the GUI application. It might also download a different version of JRE. The NIOS appliance supports JRE 1.5.0_14 or JRE 1.6. 6. After the Infoblox GUI application download is complete, begin the login process by choosing the host name of the NIOS appliance from the Hostname drop-down list. 7. Enter the user name and password. The default user name is admin, and the default password is infoblox. Note: The user name and password are case-sensitive. Infoblox recommends changing them after you log in. For more details, refer to Authenticating Administrators on page 107. To reuse the same user name, select Options -> Save User Name. The NIOS appliance saves the user name and it appears automatically the next time you invoke the GUI. The GUI application initiates an SSL connection to the NIOS appliance. The NIOS appliance sends its server certificate to authenticate itself to the application. If the default certificate is in use, warning messages appear stating the certificate is not from a trusted certifying authority and that the host name on the certificate is either invalid or does not match the name of the site. 8. Accept the certificate for this session, or save it permanently to the server certificate store of the GUI application. Note: To manage CA (Certificate Authority) and server certificates in the Infoblox GUI application, open the GUI application login prompt, and select Options -> Manage Certificates. The SSL tunnel completes, and the login process continues. If the login is successful, the connection between the Infoblox GUI application and the NIOS appliance is complete. If the login is not successful, an error message appears and the login prompt returns. When the session ends, the Infoblox GUI application remains in the Java sandbox. You can launch it from this location the next time you want to connect to the NIOS appliance.
NIOS 4.3r5
43
Infoblox GUI
Figure 2.2 Java Web Start Initial Access
= CA (Certificate Authority) Certificates = Server Certificates = Java Application Certificates
= Infoblox Server Certificate (authenticates the appliance when establishing an SSL tunnel) = Application Certificate (authenticates GUI application during download)
Management Client Browser Certificates Browser
SSL Tunnel JNLP File Download
NIOS appliance
1 The browser and appliance form an SSL

tunnel. The browser either accepts the appliance certificate automatically or the administrator accepts it manually. Then the browser downloads the JNLP (Java Network Launching Protocol) file and passes it to the Java application. GUI Application Download
Certificate authenticating the appliance to management system browser
Java Certificates
Java Sandbox
+
Certificates authenticating appliance and downloaded GUI application to Java application
2 The JNLP files instructs Java to check if it
Infoblox GUI Application
has the latest GUI application and downloads it if necessary. Java and the appliance form a new SSL tunnel between themselves. If Java automatically accepts the two certificatesone authenticating the appliance and the other authenticating the GUI applicationor if the administrator accepts them manually, the GUI application download proceeds. Commands
GUI Certificates
GUI Application
application and 3 The Infoblox GUI third SSL tunnel.thethe GUI appliance form a If application accepts the appliance certificate automatically or the administrator accepts it manually, the administrator can complete the login and begin sending commands to the appliance.
Certificates authenticating an appliance to GUI application
After you make the initial connection, you can start the Infoblox GUI application with one of these methods: Browser This is identical to the initial connection. Start your browser, and enter https://domain_name or https://ip_addr to reach the NIOS appliance. Infoblox GUI Application Shortcut If you created a shortcut (when prompted by JWS), double-click the shortcut icon on your desktop. JWS checks the JNLP file and the NIOS appliance resource files (.jar files containing components of the Infoblox GUI application) for updates. JWS downloads any updated items it might find, and then the GUI application login prompt appears. Java Application Cache Viewer Open the Java Application Cache Viewer, and click the Infoblox GUI application that you want to use. Then click either Launch Online or Launch Offline. When you select Launch Online, JWS checks the JNLP file and the NIOS appliance resource files for updates before the GUI application connects to the NIOS appliance. When you select Launch Offline, JWS does not check for updates before the Infoblox GUI application connects to the NIOS appliance.
Infoblox Administrator Guide (Rev. A) NIOS 4.3r5
44
Running a Single GUI Application

JWS can use the same Infoblox GUI application for different NIOS appliances as long as each NIOS appliance is running the same version of software. However, each time you use the browser to initiate a connection to a different NIOS appliance, JWS downloads the GUI application to the Java sandboxeven if you have already downloaded the same version of the application when connecting to another NIOS appliance. If you manage a number of independent NIOS appliances, this can result in many unnecessary downloads. To use the same GUI application for multiple NIOS appliances running the same software version, do not begin the connection process from the browser. Instead, do the following: 1. Use the GUI application shortcut or open the Java Application Cache Viewer. 2. Click the GUI application that you want to use, and then click Launch Online (to check for updates) or Launch Offline (to bypass update checks).
Figure 2.3 Java Application Cache Viewer
GUI Application for the NIOS appliance
3. When the login prompt appears, either select an existing host name from the Hostname drop-down list, or type a new host name in the Hostname field. Then enter the correct user name and password, and click Login.
Clearing Cache on a Linux Computer

The following error message usually indicates that you must clear your Linux computer cache:
Server software version xx-xx-xx is not compatible with this GUI application. Obtain a compatible GUI version by pointing a browser at https://xx.xx.xx."
Enter the following commands on a Linux terminal window to clear your computer's cache:
cd /.java/deployment/cache/javaws rm -rf https
This clears the cache. 1. Open a web browser and go to the same web address (https://xx.xx.xx). 2. Click Launch ID Grid.
NIOS 4.3r5
45
Infoblox GUI
About the Grid Manager

You can install the Infoblox Grid Manager on a computer running any of the following Microsoft Windows operating systems: Microsoft Windows XP with Service Pack 2 Microsoft Windows Vista with Service Pack 1
The Grid Manager installs the NIOS appliance JRE files and GUI application files in a container within a Java sandbox on your computer. After the installation, the files remain in the sandbox and the Grid Manager always launches from this location. The files in the sandbox are used only by the Grid Manager and do not affect any other Java application on your system. Thus, your system can have a different version of the JRE for other applications. The Grid Manager installs a complete, self-contained application package that can handle multiple versions of NIOS. It automatically caches the GUI version it uses to connect to a NIOS appliance. When you attempt to connect to a NIOS appliance that is running a different GUI version, the Grid Manager automatically detects the difference and downloads the other GUI version, after your confirmation. This allows you to easily connect to NIOS appliances running different versions of the NIOS software. You can configure the number of cached versions on your local computer as explained in Managing Cache Settings on page 49.
Installing the Grid Manager

Note the following guidelines when installing the Grid Manager: On a computer running Microsoft Windows XP: If the computer is in a domain, all users except restricted users can install the Grid Manager. If the computer is not in a domain, only Administrators can install the Grid Manager. Users with administrator rights can install the Grid Manager on a computer running Microsoft Windows Vista. Other users are prompted for the administrator password when they try to install Grid Manager.
These restrictions pertain to the Grid Manager installation only. After it is installed, any user can access the Grid Manager. To install the Grid Manager: 1. Download the Grid Manager setup.exe file from the Infoblox Support web site. 2. Double-click the .exe file to launch the Grid Manager Wizard. 3. In the Welcome splash screen, click Next. 4. Accept the License Agreement, and click Next. 5. Verify and/or change information in the Customer Information screen, and click Next. 6. Verify and/or change the local installation folder (C:\Program Files\Infoblox) on your computer, and click Next. 7. Verify the installation settings, and click Install. The Wizard installs the new files in the destination folder. 8. At the end of the installation procedure, click Finish. A Launch Infoblox Grid Manager icon appears on the desktop and Infoblox Grid Manager appears in the Start menu of your computer.
46
NIOS 4.3r5
Changing the File Location

Note that in some cases, because of limited permissions or other restrictions, you cannot write to a system file. In this case, before you launch the Grid Manager, you can change the environment variable to point to a directory for which you have write permission. 1. Right click My Computer on the desktop. 2. Select Properties -> Advanced tab -> Environment Variables. 3. In the User Environment Variables dialog box, click New. 4. In the New User Variables dialog box, do the following and then click OK: Type INFOBLOX_UI_CACHE_DIR in the Variable Name field. Type the name of a directory for which you have write permission in the Variable Value field. 5. Click OK to close the User Environment Variables dialog box.
Connecting to a NIOS Appliance Using the Grid Manager

1. To launch the Infoblox Grid Manager, double-click the Launch Infoblox Grid Manager icon on your desktop or click Start > All Programs > Infoblox, Inc. > Infoblox Grid Manager > Launch Infoblox Grid Manager. I f you are launching the Grid Manager for the first time, it detects that there are no installed versions in the cache and does the following: Copies the JAR files from the local installation folder to the following location on your management system:
C:\Documents and Settings\user\Application Data\Infoblox\Install\NIOS_version
Unpacks the JAR files to the following directory:

C:\Documents and Settings\user\Application Data\Infoblox\deploy\NIOS version
Note that you can change the directory as described in Changing the File Location. Creates a log file for the GUI deployment called ibdeploy.log. Launches the login dialog box. 2. Enter the IP address of the NIOS appliance or grid master to which you are connecting. Infoblox Grid Manager looks for the correct software version in the cache on the computer: If this is the first time you are connecting to that NIOS appliance, it does not find the files in the cache and displays a message indicating that the appropriate version of the software is not found in the cache, and offers to download the new version. If you click OK, Grid Manager downloads the files to a folder in C:\Documents and Settings\user\Application Data\Infoblox\Install\NIOS version. After the download is complete, the Infoblox Grid Manager login screen displays. When you launch Grid Manager to connect to the same NIOS appliance, it detects the server software information in the current cache and launches using this cache file; if there is a more recent version, it picks up the more recent version and stores this in the cache. 3. Enter your user name and password. The default user name is admin, and the default password is infoblox. Note: The user name and password are case-sensitive. To reuse the same user name, select Options -> Save User Name. The NIOS appliance saves the user name and it appears automatically the next time you invoke the GUI. The GUI application initiates an SSL connection to the NIOS appliance. The NIOS appliance sends its server certificate to authenticate itself to the application. If the default certificate is in use, warning messages appear stating that the certificate is not from a trusted certifying authority and that the host name on the certificate is either invalid or does not match the name of the site.
NIOS 4.3r5
47
Infoblox GUI
4. Accept the certificate for this session, or save it permanently to the server certificate store of the GUI application. Note: To manage CA (Certificate Authority) and server certificates in the Infoblox GUI application, open the GUI application login prompt, and select Options -> Manage Certificates. The SSL tunnel completes, and the login process continues. If the login is successful, the connection between the Infoblox GUI application and the NIOS appliance is complete. If the login is not successful, an error message appears and the login prompt returns. When the session ends, the Infoblox GUI application remains in the Java sandbox. It launches from this location the next time you want to connect to the NIOS appliance.
Setting Login Options

The NIOS Login dialog box provides several options that you can set to facilitate the login process.
Specify the Host Name

You can define the default host name that appears when the login prompt displays: Select Options -> Hostname, and then select one of the following: Initial: Retains the host name that you enter when you first install the NIOS appliance. Last used: Enters a host name when you log in and retains it for subsequent logins. Blank: Leaves the host name blank whenever you log in.
Save User Name

You can save your user name so that you do not have to type it each time you log in. Select Options -> Save User Name
Manage Certificates
You can manage CA (Certificate Authority) and server certificates in the NIOS appliance. You can import certificates, select and view their details, or remove them. 1. Select Options -> Manage Certificate. The NIOS GUI Certificates dialog appears. 2. Select the Server Certificates or the CA Certificates tab and click Import. 3. Navigate to where the certificate is located and click Open. You can manually import a certificate into the clients data store. You can also delete a certificate (select it and click Remove) and view detailed information on it (select it and click Details).
48
NIOS 4.3r5
Managing Cache Settings

By default, Grid Manager caches 10 NIOS versions on your computer. You can change this default at any time in the Login dialog box. Each cache file uses approximately 15 MB of disk space. Consider this when setting the number of cache files for retention. When the system meets the predefined maximum number of cache files, it deletes the first (oldest) and then adds the new version to the cache file. To edit the cache settings: 1. Select the Options menu -> Cache Settings. 2. In the Cache Settings dialog box, enter the number of GUI versions to cache. You can enter a number between 2 and 32. Note that when you use a Linux computer to first connect to a NIOS appliance, JWS automatically downloads the GUI application to your computer. Though this initial version is retained in the cache, the Grid Manager does not include it in the total number of cached versions. It includes only the versions that it downloads. Therefore, when your computer connects to a NIOS appliance that is running a different version and the Grid Manager downloads it to your computer, it includes this version in the total number of cached versions.
NIOS 4.3r5
49
Infoblox GUI
SSL (Secure Sockets Layer) Protocol

When you log in to the NIOS appliance, your computer makes an HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer protocol) connection to the NIOS appliance. HTTPS is the secure version of HTTP, the client-server protocol used to send and receive communications throughout the Web. HTTPS uses SSL (Secure Sockets Layer) to secure the connection between a client and server. SSL provides server authentication and encryption. The NIOS appliance supports SSL versions 2 and 3. When a client first connects to a server, it starts a series of message exchanges, called the SSL handshake. During this exchange, the server authenticates itself to the client by sending its server certificate. A certificate is an electronic form that verifies the identity and public key of the subject of the certificate. (In SSL, the subject of the certificate is the server.) Certificates are typically issued and digitally signed by a trusted third party, the Certificate Authority (CA). A certificate contains the following information: the dates it is valid, the issuing CA, the server name, and the public key of the server. A server generates two distinct but related keys: a public key and a private key. During the SSL handshake, the server sends its public key to the client. Once the client validates the certificate, it encrypts a random value with the public key and sends it to the server. The server decrypts the random value with its private key. The server and the client use the random value to generate the master secret, which they in turn use to generate symmetric keys. The client and server end the handshake when they exchange messages indicating that they are using the symmetric keys to encrypt further communications.
Figure 2.4 SSL Handshake
Client contacts the NIOS appliance and recommends certain parameters, such as SSL version, cipher settings, and session-specific data.
The appliance either agrees or recommends other parameters. It also sends its certificate which contains its public key. Plain Text Cipher Text
Client encrypts random number with the public key and sends it to the appliance. The appliance uses its private key to decrypt the message.
Cipher The client and the appliance generate the master secret, and then the symmetric keys. Text The client and the appliance agree to encrypt all messages with symmetric keys.
Cipher Text
The client and the appliance send all their messages through the SSL tunnel which uses the cipher settings and encryption to secure their connection. Public Key Private Key
50
NIOS 4.3r5
SSL (Secure Sockets Layer) Protocol
Managing Certificates
The NIOS appliance generates a self-signed certificate when it first starts. A self-signed certificate is signed by the subject of the certificate, and not by a CA (Certificate Authority). This is the default certificate. When your computer first connects to the NIOS appliance, it sends this certificate to authenticate itself to your browser. Because the default certificate is self-signed, your browser does not have a trusted CA certificate or a cached NIOS appliance server certificate (saved from an earlier connection) to authenticate the NIOS appliance certificate. Also, the host name in the default certificate is www.infoblox.com, which is unlikely to match the host name of your NIOS appliance. Consequently, messages appear warning that the certificate is not from a trusted certifying authority and that the host name on the certificate is either invalid or does not match the name of the site that sent the certificate. Either accept the certificate just for this session or save it to the certificate store of your browser. To eliminate certificate warnings, you can replace the default self-signed certificate with a different certificate that has the host name of your NIOS appliance. The NIOS appliance supports X.509 certificates in .PEM format. After initial login, you can do one of the following: Generate another self-signed certificate with the correct host name and save it to the certificate store of your browser. Generate a self-signed certificate, see Generating a Self-Signed Certificate on page 51. Request a CA-signed certificate with the correct host name and load it on the NIOS appliance. Use a certificate from a CA by generating a certificate signing request as described in Generating a Certificate Signing Request on page 52. When you receive the certificate from the CA, import it as described in Importing a Certificate on page 52.
Additionally, before you log in to the NIOS appliance, you can manage the certificates on the client machine. For information, see Manage Certificates on page 48
Generating a Self-Signed Certificate

You can replace the default certificate with a self-signed certificate that you generate. When you generate a self-signed certificate, you can specify the correct host name and change the public/private key size, enter valid dates and specify additional information specific to the NIOS appliance. If you have multiple appliances, you can generate a certificate for each appliance with the appropriate host names. To generate a self-signed certificate: 1. For a grid: From the Grid perspective, click + (for grid ) -> + (for Members ) -> grid_member -> Tools -> HTTPS Certificate -> Generate Self-Signed Certificate. For an independent appliance or HA pair: From the Device perspective, click hostname) -> Tools -> HTTPS Certificate -> Generate Self-Signed Certificate. 2. In the Create Self-Signed Certificate dialog box, enter the following: Key Size: Select either 2048 or 1024 for the length of the public key. *Days Valid: Specify the validity period of the certificate. *Common Name: Specify the domain name of the NIOS appliance. You can enter a fully qualified domain name (FQDN). Organization: Type the name of your company. Organizational Unit: Type the name of your department. Locality: Type a location, such as the city or town of your company. State or Province: Type the state or province. Country Code: Enter the 2-letter code that identifies the country, such as US. Administrators E-mail Address: Enter the e-mail address of the appliance administrator. Comment: Enter additional notes. An asterisk (*) indicates the field is required. 3. Click OK to close the Create a Self-Signed Certificate dialog box.
NIOS 4.3r5
51
Infoblox GUI
4. Click the Save icon. The NIOS appliance logs you out, or you can log out yourself. When you log in to the appliance again, it uses the certificate you generated.
Generating a Certificate Signing Request

You can generate a certificate signing request (CSR) that you can use to obtain a signed certificate from your own trusted CA. Once you receive the signed certificate, you can import it into the NIOS appliance, as described in Importing a Certificate on page 52. To generate a CSR: 1. For a grid: From the Grid perspective, click + (for grid ) -> + (for Members ) -> grid_member -> Tools -> HTTPS Certificate -> Generate Signing Request. or For an independent appliance or HA pair: From the Device perspective, click hostname) -> Tools -> HTTPS Certificate -> Generate Signing Request. 2. In the Create Certificate Signing Request dialog box, enter the following: Key Size: Select either 2048 or 1024 for the length of the public/private key pair. *Common Name: Specify the domain name of the NIOS appliance. You can enter a fully qualified domain name (FQDN). Organization: Type the name of your company. Organizational Unit: Type the name of your department. Locality: Type a location, such as the city or town of your company. State or Province: Type the state or province. Country Code: Enter the 2-letter code that identifies the country, such as US. Administrators E-mail Address: Enter the e-mail address of the appliance administrator. Comment: Enter additional notes. An asterisk (*) indicates the field is required. 3. Click OK to close the Create Certificate Signing Request dialog box. 4. In the Download filename dialog box, navigate to where you want to download the CSR, enter the file name and click Save.
Importing a Certificate
You can replace the default server certificate with a signed certificate from your own trusted CA. First, generate a certificate signing request as described inGenerating a Certificate Signing Request on page 52. When you import a certificate, the NIOS appliance finds the matching CSR and takes the private key associated with the CSR and associates it with the newly imported certificate. The appliance then automatically deletes the CSR. To import a certificate: 1. For a grid: From the Grid perspective, click + (for grid ) -> + (for Members ) -> grid_member -> Tools -> HTTPS Certificate -> Upload Certificate. or For an independent appliance or HA pair: From the Device perspective, click hostname -> Tools -> HTTPS Certificate -> Upload Certificate. 2. Navigate to where the certificate is located and click Open. The appliance imports the certificate and logs you out. When you log in to the appliance again, it uses the certificate you imported.
52
NIOS 4.3r5
Understanding the GUI Components

You can view data and configuration settings and make configuration changes through the Infoblox GUI using the following two methods: Device Manager: When a NIOS appliance functions as an independent appliance, you launch the Device Manager to access the GUI. The name appears in the title bar of the browser window. Grid Manager: When the NIOS appliance is in a grid, you log in to the grid master and launch the Grid Manager. The name appears in the title bar of the browser window.
Main Interface Components

The following figure illustrates the typical layout of the Infoblox GUI. You can detach and move the GUI components and customize the GUI as necessary.
Figure 2.5 Infoblox GUI Overview

Menu Tool Bar Perspective
Editor Panels View and select items to edit. Detach and move panels, viewers and editors to customize the GUI layout. Properties Viewer View object properties. Enter and edit information.
Menu
Each item in the menu is a drop-down list of available options. The menu items change dynamically according to the perspective you are in. Tip: Select an item and right-click to quickly access menu options.
Tool Bar
The tool bar contains a Save icon which you click to save your configuration changes, and a Restart Services icon, which you click to restart services on a appliance or a grid.
Save Restart Services
NIOS 4.3r5
53
Infoblox GUI
Perspectives
A perspective is a container for tools used to manage the grid or appliance and its services. The Infoblox GUI application provides a set of perspectives, each focusing on a specific functional area. The GUI displays a perspective when you click the appropriate icon on the tool bar:
Home Perspective Icon DNS Perspective Icon Authentication, Authorization, and Accounting Perspective Icon Administrators Perspective Icon
Grid or Device Perspective Icon
DHCP and IPAM Perspective Icon
File Distribution Perspective Icon
Global Search Perspective Icon
Home: This perspective contains sections that display the overall grid service status and deleted objects in the recycle bin. It also contains sections with buttons and links that allow you to quickly access panels and editors for managing data in the DNS, AAA, Administrators, DHCP/IPAM, and File Distribution perspectives. For more information, see Home Perspective on page 58. Device: In this perspective, you configure an independent appliance and set its operational parameters. Grid: In this perspective, you configure a grid and set operational parameters. A Grid license is required for this feature. DNS: In this perspective, you enable and configure DNS services on the appliance or the grid. DHCP and IPAM: In this perspective, you enable and configure DHCP service and IP Address Management features. Administrators: In this perspective, you configure administrators. File Distribution: In this perspective, you enable and configure HTTP and TFTP (Trivial File Transfer Protocol) services. AAA: In this perspective, you configure RADIUS services to authenticate and authorize users, as well as manage user accounts, policies, and policy groups. Global Search: In this perspective, you search the entire database for a specific text string. All database objects matching the text string are displayed in this perspective. For information about this perspective, see Using Global Search on page 60. VitalQIP: This is not a standard part of the Infoblox GUI. In this perspective, you can configure the appliance to function as a VitalQIP remote server. A VitalQIP license is required for this feature. Note: The VitalQIP icon is displayed only when the NSQ software module and required licensing are installed.
54
NIOS 4.3r5
Panel
Panels list objects that you can select and edit. You can expand or collapse lists by selecting the + or - sign beside an object. Panels can be opened and closed from the View menu on the top menu bar.
Shortcuts
Double-click the tab of a panel to fully expand; double-click the tab again to reset the panel. Select an object and right-click to display options. Double-click an item to edit it (open its editor). Ctrl+click to select multiple items.
Editor
You can enter information and configure objects in an editor. You can open multiple editors at one time. After you enter information in an editor, you must click the Save icon to save your changes.
Properties Viewer
Viewers display information about a selected object. You cannot edit or select objects in a viewer. However, you can expand, collapse, detach and move viewers to different locations.
Online Help
The Infoblox appliance ships with online help that you can access from anywhere in the GUI. The Help menu provides access to the following: About Infoblox Grid Manager: View information about the NIOS software version running on the appliance. Download Admin Guide: Download the Infoblox Administrator Guide. API Documentation: Display the API documentation. Training: Display information about Infoblox training workshops. Help Contents: Display the main Help system. Dynamic Help: Access Help for the active panel, editor, or viewer. A window is active when its title bar is highlighted.
In addition, to access Help for a dialog box, click the question mark (?) icon in the bottom left corner of the dialog box.
NIOS 4.3r5
55
Infoblox GUI
Customizing a Perspective Layout

You can customize the layout of a perspective, except for the Home perspective, by detaching and rearranging panels and views. In this way, you can structure your workspace for optimum efficiency. To customize a perspective layout:
1. Right-click the tab of the panel or view, and select Detached from the context menu. 2. Left-click and drag to the desired location.
3. Resize and tile multiple detached panels or views to create a custom layout.
56
NIOS 4.3r5
Creating a Login Banner on a NIOS Appliance

To create a statement that appears on the top of the Login screen (a banner message), follow the procedures in this section. This function is useful for posting security warnings or user-friendly information well above the user name and password fields on the Login screen. A login banner message can be up to 3000 characters long. In a grid, perform this task on the grid master. To create a login banner: 1. From the Grid perspective, click grid -> Edit -> Grid Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. In the Grid (or Device) editor, click Security. 3. Select Enable Login Banner and enter the text you want displayed in the Banner Text field. 4. Click the Save icon.
Customizing Columns
The NIOS appliance supports the ability to customize columns displayed in any perspective or panel within the GUI. (An exception to this is the Properties view panel; the NIOS appliance does not support customizing columns within the Properties view panel.) You can move columns around and display or hide certain columns from view. For example, you might want to view only columns related to IP addresses without displaying location or appliance information in the DHCP Lease History panel. Resetting a perspective does not override column settings. The appliance retains changes to the columns even after you reset a perspective. Column settings are applied to all administrators and users accessing the appliance. If you customize the columns, your column settings appear to all other users when they log in to the appliance. You can customize columns in any of the following ways: Hide columns so that they are not shown in the display Show columns so that they are displayed and not hidden Select the order in which the columns are displayed within a panel Change the size of the columns. Each column can have maximum pixel size of 999
Note: You can select extensible attributes to be displayed in any position, except for the first column position.
Customizing Columns within the GUI

To customize columns: 1. From any perspective or panel, click Edit -> Edit Columns. 2. When the Edit Column dialog box appears, you can set the following options: SIze: Specify the column width, in pixels. You can specify any number from 1 through 999. Auto Fit: Resize the column width to accommodate the largest string in the column. Select the Auto Fit check box to enable this option. Keep in mind that enabling this option resizes for the current values within the column. This option does not resize for future values. Restore Default: Click Restore Default to restore back to the default column display. To hide and display columns, and change their order: Display column: Select the check box of each attribute or column you want to display. Click the Select All button to automatically select all columns available within the list. Hide column: Deselect the check box of each attribute or column you want to hide. Click the Deselect All button to automatically deselect all columns within the list, hiding all items.
NIOS 4.3r5
57
Infoblox GUI
Ordering columns: Select a column from the list and click Up to move that column to the left in the display. Click Down to move that column to the right in the display. 3. Click OK. You can also change the order of the columns in a panel by dragging-and-dropping a column. The leftmost column within the tree panel has some special restrictions. You cannot move the leftmost column. However, you can move the column next to the leftmost column over as the first column. Take note that when you do this, the icons you use to expand and collapse items remains in the same location in the panel (the left side of the panel). To edit columns using the drag-and-drop method: 1. From any perspective or panel, select any column heading title. 2. Drag and then drop the column to move the column around.
Home Perspective
The Home perspective is the default perspective when you launch the Infoblox GUI for the first time. For subsequent logins, the GUI displays the perspective that you last accessed. You can go back to the Home perspective by clicking . The Home perspective contains sections with buttons and links that allow you to quickly access panels and editors for viewing and managing data. You can collapse or expand each section by clicking the down arrow key next to the section title. You can refresh the Home perspective to obtain updated information about the grid or device services and the recycle bin by pressing F5 or clicking View -> Refresh. Note: The Home perspective only displays links to functions for which you have valid licenses. For information about licenses, see Managing Licenses on page 165. The Home perspective contains the following sections: Grid Status or Device Status: Displays all the relevant grid or device services and their current status. Click Manage grid services to access the Grid perspective or click Manage device services to access the Device perspective. For information, see Service Status on page 182. Recycle Bin: Displays the first eight deleted objects that are currently in the recycle bin. Click See complete list for a complete list of deleted objects in the recycle bin. For information, see Using the Recycle Bin on page 168. Manage DNS DNS Views and Zones: Manage your DNS views and zones. For information, see Configuring a DNS View on page 367. DNS Members: Manage the DNS properties of each member. For information, see Managing DNS Data on page 359. Manage AAA Note: This section is for managing RADIUS services. You must have appropriate licenses to configure RADIUS services. User Store: Add and manage users and user authentication for local database. For information, see Managing the Local User Database on page 660. Certificates: Manage the EAP certificates on the appliance. For information, see Managing Certificates on page 694. External Devices: Configure the appliance to authenticate users against an AD (Active Directory) or LDAP (Lightweight Directory Access Protocol) server. You can also configure the appliance to communicate with RADIUS authentication home servers when the correct license is installed. For information, see About Authentication on page 660.
58
NIOS 4.3r5
Manage Administrators Groups: Create and manage admin groups. For information, see About Admin Groups on page 73. Local Admins: View a list of the local admin accounts and manage their properties. For information, see Creating Local Admins on page 107. Remote Admins: Configure authentication for remote admins. For information, see About Remote Admins on page 108.
Manage DHCP/IPAM DHCP Networks: Create and manage networks and network views. For information, see About Network Views on page 497. DHCP Members: Configure grid members to serve DHCP. For information, see Configuring DHCP Properties on page 530. DHCP Failover: Configure DHCP failover association. For information, see Configuring DHCP Failover on page 558. DHCP Option Spaces: Configure a variety of predefined DHCP options spaces and custom DHCP options. For information, see Configuring Advanced DHCP Options on page 541.
Manage File Distribution Directories: Create a directory structure for TFTP, FTP, and HTTP file management. For information, see Managing Files on page 678. File Distribution Members: Configure grid members for file distribution access using TFTP, HTTP, and FTP. For information, see File Distribution on page 674.
Scheduled Tasks: Displays the scheduled time, object type, and action of up to eight pending scheduled tasks with the earliest scheduled dates and times. Click See Complete List to view detailed information about the scheduled tasks in the Scheduled Tasks panel. For information, see Viewing Scheduled Tasks on page 137.
NIOS 4.3r5
59
Infoblox GUI
Using Global Search

This function allows you to search through the entire NIOS appliance database for any instances matching a specific text string. The global search option allows you to search across different perspectives and views, instead of searching under each perspective or view individually. For example, you can search for a specific host name across both the DNS perspective and DHCP perspective with a single global search, or you can search for all occurrences of a specific MAC address within the database. The Global Search perspective is located next to the other perspectives in the GUI toolbar. The Global Search perspective opens up a panel called Search Results and displays all matches within the panel. All match results are displayed with the following information: Name: Name of the matching object. Type: Object type matching the global search. For example, the Type field identifies the type of record or type of address of the matching object. Matched Attribute: Attribute of the matching object. For example, if the global search matched the address corresponding to a hostname, then field displays the address of the hostname. Matched Value: The value of the matching object. For example, if the global search matched the address of a hostname, then the field displays the hostname. Note: NIOS displays search results based upon the page size setting from the administrator settings. For information about page size configuration, see Authenticating Administrators on page 107. To search globally: 1. From the Global Search perspective, type the text string to search on the appliance database. 2. Click Search. NIOS supports regular expressions for global search. Regular expressions, commonly known as regex, are a set of key combinations that are meant to allow the user to have a variety of control over what they are searching for. Note: You cannot search zones based on the zone type. You can filter search results based on the zone type. From the Search Results panel, you can do the following: Open a panel to view the properties of a matching object. Open a panel to edit the properties of a matching object. Remove a matching object from the database. Define the administrative permissions of an object, as described in Defining Permissions for an Object on page 60.
You can perform these operations by clicking matching object -> Edit.
Defining Permissions for an Object

You can select an object in the Search Results panel and define its administrative permissions as follows: 1. Select an object from the list and click Edit -> Manage Permissions. 2. In the Manage Resource Permissions dialog box, complete the following: Admin Group: Click Add, and select an admin group in the Select Admin Group dialog box. After you click OK to close the dialog box, the appliance lists the admin group you selected. Permissions: The appliance displays the name of the object in the Resource column. Select the permission for the object by clicking Read/Write, Read Only or Deny. 3. Click OK to close the Manage Resource Permissions dialog box. For information on setting administrative permissions, see Applying Permissions and Managing Conflicts on page 79.
60
NIOS 4.3r5
Printing from the GUI
Printing from the GUI

NIOS appliance supports the ability to print the contents of the GUI from any perspective. Printing from the GUI allows you to print the contents of a view within any perspective shown on the display. All page modifications that are applied to the display contents, such as filters and sorting, affect the print output as well. You can print to the following outputs: Hard copy to the printer, or conversion to a PDF (Portable Document Format) file (see Print Hard Copy or PDF File on page 61 Text file (see Print Output to a Text File on page 61) CSV file (MS WIndows only with this feature installed) (see Exporting Data on page 65)
The amount of content printed depends on the page size configuration set by the administrator. For information on configuring the page size, see Authenticating Administrators on page 107. Note: GUI printing is supported on the Microsoft Windows operating system only.
Print Hard Copy or PDF File

To print a hard copy or PDF file from the GUI: 1. From any perspective, click File -> Print. The Print dialog box appears. 2. Set the print options you want for the print job. You can set the following print options: Selected printer Print preferences: portrait or landscape page orientation, legal or letter page size, and page margins. Print to file (for PDF generation) Page range Number of copies 3. Click Print.
Print Output to a Text File

To print to a text file in the Windows operating system: 1. Install a text printer on your Windows management system. 2. From any perspective, click File -> Print. The print dialog box appears. 3. Select the text printer, and then configure the print options accordingly. 4. Click Print. NIOS prints the contents of the GUI to a text file. The location of the output file depends on the printer software you use.
NIOS 4.3r5
61
Infoblox GUI
Accessing IP Address Manager

IP Address Manager is a web interface that provides access to your NIOS appliance for network and IP address management. It provides a number of tools that you can use to effectively manage your IP address space. For information about IP Address Manager and supported browsers, refer to the Infoblox Administrator Guide for IP Address Manager.
Logging in to IP Address Manager

To log in to IP Address Manager: 1. Open an internet browser window. 2. Start your browser and enter https://<IP address or hostname of your NIOS appliance> 3. On the Grid Manager login page, click Launch IPAM Manager. The IP Address Manager login page appears. 4. Enter your user name and password. The default user name is admin and the default password is infoblox. 5. Click Login or press Enter. IP Address Manager displays the Dashboard page. For information about the dashboard and other features of IP Address Manager, refer to the Infoblox Administrator Guide for IP Address Manager.
Multilingual Support
The NIOS appliance supports UTF-8 (Unicode Transformation Format-8) encoding for the following: Host names for Microsoft Windows clients that support Microsoft Windows code pages RADIUS authentication Input fields through the Infoblox GUI
UTF-8 is a variable-length character encoding standard for Unicode characters. Unicode is a code table that lists the numerous scripts used by all possible characters in all possible languages. It also has a large number of technical symbols and special characters used in publishing. UTF-8 encodes each Unicode character as a variable number of one to four octets (8-bit bytes), where the number of octets depends on the integer value assigned to the Unicode character. For information about UTF-8 encoding, refer to RFC 3629 (UTF-8, a transformation format of ISO 10646) and the ISO/IEC 10646-1:2000 Annex D. For information about Unicode, refer to The Unicode Standard. Depending on the OS (operating system) that your management system uses, you must install the appropriate language files in order to enter information in a specific language. For information about how to install language files, refer to the documentation that comes with your management system.
Host Names Support for Microsoft Windows Code Pages

The NIOS appliance supports UTF-8 encoding of host names for Microsoft Windows clients that support Microsoft Windows code pages. When you use the appliance as a DHCP server, you can configure the DHCP service on the appliance to convert client host names that are encoded with a Microsoft code page to UTF-8 encoded characters. The appliance stores the UTF-8 encoded host names in the database. If you also configure the DHCP service on the appliance to perform DDNS updates, the appliance sends the UTF-8 encoded host names in the DDNS updates. For information about how to configure the Microsoft Windows code page for converting host names into UTF-8 characters, see Configuring DHCP Properties on page 530..
62
NIOS 4.3r5
Multilingual Support
RADIUS Authentication
For RADIUS authentication, the NIOS appliance supports single-byte international character sets in the following: Microsoft Windows XP and Vista OS RADIUS and LDAP user names, passwords, and comments Replicated AD user names, passwords, and groups in all of the NIOS interfaces, except the Data Import Wizard Proxy requests if the RADIUS server that is proxied supports them
When you configure the NIOS appliance as a RADIUS server, you can enable RADIUS authentication and accounting on each grid member.. If you want the RADIUS server to support wireless supplicants on a Windows client that does not use a Latin I (1252) code page, you must change the default code page on the NIOS appliance to match the client set up. The NIOS appliance uses the code page to translate single-byte characters into UTF-8 encoded characters. For information about how to configure the code page for RADIUS authentication, see RADIUS Authentication on page 701.
UTF-8 Supported Fields

The NIOS appliance supports UTF-8 encoding in all of the comment fields and most input fields. You can enter non-English characters in these data fields through the Infoblox GUI and the Infoblox API. When you use the Infoblox API, all the non-ASCII strings must be UTF-8 encoded so that you can use Unicode characters. The NIOS appliance does not support UTF-8 encoding for data that is configurable through the Infoblox CLI commands. In general, the following items support UTF-8 encoding: In the NAC Foundation module, the following fields that you use to customize the captive portal, self service portal, and DHCP guest registration page: Company Name Welcome Message Help Desk Message All comment and custom fields Acceptable Use Policy files All the predefined and user-defined extensible attributes All the comment fields in all of the Infoblox GUI perspectives File name fields for FTP and TFTP backup and restore operations The login banner text field. When you use the serial console or SSH, the appliance cannot correctly display the UTF-8 encoded information that you enter for the login banner
Note: For data fields that do not support UTF-8 encoding, the appliance displays an error message when you use non-English languages.
NIOS 4.3r5
63
Infoblox GUI
UTF-8 Support Limitations

The NIOS appliance has the following UTF-8 support limitations: Object names that have data restrictions due to their usage outside of the Infoblox database do not support UTF-8 encoding. For example, IP addresses, DNS names, and Active Directory domain names. When importing a database, most of the ASCII control characters cannot be encoded. This might cause failures in upgrades or database restore operations. Search is based on the Unicode standard. Depending on the language, you might not be able to perform a case-sensitive search. Binary data is encoded as text. Hard-coded data in the DHCP authentication configuration remains in English. For example, the text on buttons such as Accept, Continue, or Register, as well as HTML pages such as the complete.html file that tells you your password has been successfully changed. UTF-8 encoding does not fully support regular expressions. It matches constant strings. However, It does not encode characters that are inside square brackets or followed by regular expressions such as *, ?, or +. You can use UTF-8 characters to authenticate both the User Name and Password through the Infoblox GUI, but not through the Infoblox CLI. The Infoblox CLI does not not support UTF-8 encoding.
64
NIOS 4.3r5
Exporting Data
Exporting Data
You can export certain types of data from the NIOS appliance to a CSV (Comma Separated Values) file and store it in a directory on your management station. You can then use a text editor or an application, such as Microsoft Excel, to view the data in the CSV file. The default name of the CSV file reflects the type of data being exported. For example, an export of grid members data has the file name Grid.csv. You can change the file name, for example, by appending a date as in Grid022908, to maintain multiple copies of the exported files.
Exporting Data from Panels

You can export data from most panels in the Infoblox Grid or Device Manager. When you export data from panels with multiple columns, such as the Detailed Status panel in the Grid perspective and the Records panel in the DNS perspective, the exported data reflects what is displayed in the GUI. You can move, hide, and sort columns as described in Customizing Columns on page 57, to organize the data before you export it to a CSV file. Note that you cannot export data from a panel when all its columns are hidden. The following is a list of panels from which you can export data. The exported CSV files contain exactly what is displayed in the panels, except for the files exported from the grid, DNS views, networks, and directories panel. Grid Perspective You can export a list of grid members from the Grid panel. You can export the data that is displayed in the following panels: Detailed Status Recycle Bin
DNS Perspective You can export a list of views and their zones from the DNS views panel. You can export the data that is displayed in the following panels: Records Shared Record Group Associations Zone Statistics
DHCP and IPAM Perspective You can export a list of networks from the Networks panel. You can export the data that is displayed in the following panels: Ranges, Fixed Addresses and Filters Ranges and Fixed Address Templates IP Address Management DHCP Leases DHCP Lease History Network Statistic DHCP Statistics DHCP Failover Status
AAA Perspective You can export data from the User Accounts panel. File Distribution Perspective You can export a list of directories from the Directories panel and the data that is displayed in the Files panel. Global Search Perspective You can export data from any search panel that is associated with any of the perspectives and windows that you can export.
NIOS 4.3r5
65
Infoblox GUI
Exporting Hierarchical Data

By default, the Records panel lists DNS records individually by record name, in alphabetical order, as shown in the following figure:
Figure 2.6 Resource Records List
When you export records from the Records panel and the records are individually listed, then the exported CSV file lists all records displayed in the panel, as shown in the following figure:
Figure 2.7
Alternatively, you can click the
icon to display records hierarchically, as shown in the following figure:
Figure 2.8 Hierarchical View
When you export data from the Records panel and the records are listed hierarchically, then the CSV file lists only the parent records that are displayed in the Records panel, as shown in the following figure:
Figure 2.9 Hierarchical Export
66
NIOS 4.3r5
Exporting Data
Exporting Data to a CSV File

To export data to a CSV file: 1. From a panel that supports CSV file export, do one of the following: Right-click anywhere on the panel and select Export from the context menu. Select File -> Export. 2. In the save as dialog box, do the following: Select the destination directory for the file. Either use the default name or type a new name for the file. The .csv file extension is automatically applied to the filename. A CSV Export Status dialog box displays the status of the export.
Exporting Large Files

If you are exporting a file with more than 500 objects, the NIOS appliance displays a dialog box with a progress bar indicating the status of the export process. You can click one of the following: Run in Background to run the export in background mode, allowing you to complete other tasks in NIOS while the export is running Cancel to cancel the export Details to view details about the export
If you select Run In Background, the appliance displays the status of the export at the bottom of the window, as shown in the following figure:
Figure 2.10 CSV Export Status

Click to view background tasks in the Progress panel.
You can view background tasks by clicking the icon shown in Figure 2.10. The Progress panel displays the status of all the current long-running tasks. You can cancel a task by clicking the icon beside the progress bar, as shown in Figure 2.11.
Figure 2.11 CSV Export Progress Panel
Click to cancel the task.
Note: If you anticipate exporting large amounts of data, consider increasing the size of your java heap.
NIOS 4.3r5
67
Infoblox GUI
68
NIOS 4.3r5
Chapter 3 Managing Administrators

This chapter describes the various tasks associated with setting up admin groups and accounts. It contains the following sections:
About Admin Accounts on page 71 About Admin Groups on page 73 Creating a Superuser Admin Group on page 73 About Limited-Access Admin Groups on page 74 About Admin Roles on page 75 Creating Limited-Access Admin Groups on page 76 Deleting Admin Roles and Groups on page 77 Viewing Admin Group Assignments on page 77 About Administrative Permissions on page 78 Applying Permissions and Managing Conflicts on page 79 Applying Permissions and Managing Conflicts on page 79 Viewing and Managing Permissions on page 85 Modifying Permissions on page 86 Removing Permissions on page 86 Administrative Permissions for Common Tasks on page 87 Administrative Permissions for Grid Members on page 89 Administrative Permissions for Scheduling Tasks on page 90 Managing DNS Resource Permissions on page 91 Administrative Permissions for DNS Views on page 92 Administrative Permissions for Zones on page 93 Administrative Permissions for Resource Records on page 94 Administrative Permissions for Shared Record Groups on page 95 Managing Administrative Permissions for DHCP Resources on page 96 Managing Administrative Permissions for DHCP Resources on page 96 Administrative Permissions for Network Views on page 97 Administrative Permissions for Networks and Shared Networks on page 98 Administrative Permissions for Fixed Addresses on page 100 Administrative Permissions for DHCP Ranges on page 101 Administrative Permissions for DHCP Templates on page 102
NIOS 4.3r5
69
Managing Administrators
Administrative Permissions for MAC Address Filters on page 103 Administrative Permissions for Network Discovery on page 103 Administrative Permissions for the DHCP Lease History on page 104
Administrative Permissions for the RADIUS Service on page 104 Administrative Permissions for File Distribution Services on page 106 Authenticating Administrators on page 107 Creating Local Admins on page 107 Modifying and Removing an Admin Account on page 108 About Remote Admins on page 108 Authenticating Using RADIUS on page 110 Remote RADIUS Authentication on page 111 Configuring RADIUS Authentication on the NIOS Appliance on page 111 Adding RADIUS Servers on page 112 Testing the RADIUS Server on page 113 Maintaining the RADIUS Admins Server List on the NIOS Appliance on page 113 Disabling a RADIUS Server on page 113 Configuring a RADIUS Server on page 114 Configuring Admin Groups on the Remote RADIUS Server on page 114 Configuring Remote Admin Accounts on the Remote RADIUS Server on page 114 Authorization Groups Using RADIUS on page 115 Accounting Activities Using RADIUS on page 115 Authenticating Admin Accounts Using Active Directory on page 116 Admin Authentication Using Active Directory on page 117 Configuring Active Directory Authentication for Admins on page 117 Defining the Admin Policy on page 118 Specifying a List of Remote Admin Groups on page 118 Configuring the Default Admin Group on page 118 Configuring a List of Authentication Methods on page 119 Changing Password Length Requirements on page 119 Notifying Administrators on page 119
70
NIOS 4.3r5
About Admin Accounts
About Admin Accounts

When an admin connects to the NIOS appliance and logs in with a user name and password, the appliance starts a 2-step process that includes both authentication and authorization. First, the appliance tries to authenticate the admin using the user name and password that were entered. Second, it determines the authorized privileges of the admin by identifying the group to which the admin belongs. It grants access to the admin only when it successfully completes this process. Infoblox uses the concept of administrator groups to which you add one or more individual administrators. The administrators inherit the permissions and properties of the group to which they belong. The NIOS appliance can authenticate users that are stored on its local database as well as users stored remotely on an Active Directory domain controller and a RADIUS server. Regardless of the location of an admin account, all administrators must belong to an admin group. In addition, the group from which the admin receives privileges and properties is stored locally. The tasks involved in storing administrator accounts locally and remotely are listed in Table 3.1.
Table 3.1 Storing Admin Accounts Locally and Remotely

NIOS appliance To store admin accounts locally Use the default admin group (admin-group) or define a new group Set the privileges and properties for the group Add admin accounts to the group Configure communication settings with a RADIUS server or an Active Directory domain controller Configure communication settings with the NIOS appliance Import Infoblox VSAs (vendor-specific attributes) (if RADIUS) Define an admin group with the same name as that on the NIOS appliance Define admin accounts and link them to an admin group Define admin accounts RADIUS server or AD Domain Controller
If you use admin groups:
If you use admin groups on the RADIUS server or Active Directory domain controller: To store admin accounts remotely Use an existing admin group or define a new one Set the privileges and properties for the group
If you do not use admin groups on the RADIUS server: Assign an admin group as the default
If you do not use admin groups:
The admin policy defines how the appliance authenticates the admin: with the local database, RADIUS, or Active Directory. You must add RADIUS or Active Directory as one of the authentication methods in the admin policy to enable that authentication method for admins. See Configuring a List of Authentication Methods on page 119for more information about configuring the admin policy.
NIOS 4.3r5
71
Figure 3.1 illustrates the relationship of local and remote admin accounts, admin policy, admin groups, and
permissions and properties.
Figure 3.1 Privileges and Properties Applied to Local and Remote Admin Accounts
NIOS appliance RADIUS or Active Directory
Admin Users
Local Admin Groups
Access permissions and properties come from local admin group definitions. Login
The NIOS appliance first checks the remote admin policy to determine which of the following authentication methods to use and where to get membership information from: local-admin database, RADIUS, or Active Directory.
Remote Admin Groups When remote admin accounts are not in an admin group (or in a group whose name does not match that of a local group), the NIOS appliance applies the default admin group permissions and properties (if configured).
Admin-Group1 Adam Login Default Admin-Group Balu Login Group names must match. Login Login
Admin-Group2 Christine
Admin-Group2
Admin-Group3 Dan Eve There can be admin accounts in a local and remote admin group with the same group name.
Admin-Group3
When admin accounts are in an admin group that matches a group configured locally, the appliance selects the first group (based on remote admin policy) and applies the permissions and properties to the admin belonging to that group.
Assigned from local admin group definitions: Admin Permissions (for resources, such as zones, networks, members and DHCP lease history) Properties (for page and tree sizes)
Note: = Admin Account
Complete the following tasks to create admin accounts: 1. Use the default admin groups or create admin groups. See About Admin Groups on page 73. 2. Define the administrative permissions of each admin group. See About Administrative Permissions on page 78. 3. Create admin accounts and assign them to the appropriate admin group. To add accounts to the local database, see Creating Local Admins on page 107. To configure the appliance to authenticate admin accounts stored remotely, see About Remote Admins on page 108.
72
NIOS 4.3r5
About Admin Groups
About Admin Groups

All administrators must belong to an admin group. The permissions and properties that you set for a group apply to the administrators that you assign to that group. There are three types of admin groups: Superuser Superuser admin groups provide their members with unlimited access and control of all the operations that a NIOS appliance performs. There is a default superuser admin group, called admin-group, with one superuser administrator, admin. You can add users to this default admin group and create additional admin groups with superuser privileges. Superusers can access the appliance through its console, GUI, and API. In addition, only superusers can create admin groups. Limited-Access Limited-access admin groups provide their members with read-only or read/write access to specific resources. These admin groups can access the appliance through the GUI, API, or both. They cannot access the appliance through the console. ALL USERS The ALL USERS group is a default group in which you define global permissions for all limited-access users. This group implicitly includes all limited-access users configured on the appliance.
Creating a Superuser Admin Group

Superusers have unlimited access to the NIOS appliance. They can perform all the operations that the appliance provides. There are some operations, such as creating admin groups and accounts, that only superusers can perform. Note that there must always be one superuser admin account stored in the local database to ensure that at least one administrator can log in to the appliance in case the NIOS appliance loses connectivity to the remote admin databases such as RADIUS servers or AD domain controllers. There is a default superuser admin group (admin-group). You can create additional superuser admin groups, as follows: 1. Log in as a superuser. 2. From the Administrators perspective, click Groups -> Edit -> Add Group. 3. In the Add Administrator Group editor, enter the following: Group Name: Enter the name for the admin group. Comment: Enter pertinent information about the group, such as location or department. The data entered here displays in the Comment column when you select the admin group name in the tree view. Superuser: Select this check box to grant the admin accounts that you assign to this group full authority to view and configure all types of data. Page Size: Enter a value for the number of lines of data that you want a single GUI list view to contain for administrators that belong to this group. When there is a lot of data, you can improve the display performance by setting a smaller page size, such as 100 instead of 1000. You can set the page size from 10 to 2000. The default page size is 100. Disable this admin group: Select this check box to retain an inactivated profile for this admin group in the configuration. For example, you might want to define a profile for recently hired administrators who have not yet started work. Then when they do start, you simply need to clear this check box to activate the profile. 4. Click the Save icon. You can do one of the following: Add local admins to the superuser group; see Creating Local Admins on page 107. Assign the superuser group to remote admins; see About Remote Admins on page 108.
NIOS 4.3r5
73
About Limited-Access Admin Groups

All admin groups, except superuser admin groups, require either read-only or read-write permission to access certain resources, such as grid members, and DNS and DHCP resources. Therefore, when you create an admin group, you must specify which resources the group is authorized to access and their level of access. There are two ways to define the permissions of an admin group. You can create the group and assign permissions directly to the group. In addition, you can create roles that contain permissions and assign the roles to the admin group. Only superusers can create admin groups and define their administrative permissions. Complete these tasks to configure an admin group: 1. If you want to use admin roles to assign permissions to admin groups, create the admin roles as described in About Admin Roles on page 75. 2. Define the permissions of the newly created admin roles, as described in Applying Permissions and Managing Conflicts on page 79. 3. Create the admin group, as described in Creating Limited-Access Admin Groups on page 76. 4. Define the administrative permissions of the admin group. Assign roles to the admin group, as described in Creating Admin Roles on page 75. Assign specific permissions as described in Applying Permissions and Managing Conflicts on page 79. 5. Assign admins to the group. For local admin groups, see Creating Local Admins on page 107. For remote admins, see About Remote Admins on page 108.
74
NIOS 4.3r5
About Admin Roles

A role is a group of permissions that you can apply to one or more admin groups. Roles allow you to quickly and easily apply a suite of permissions to an admin group. You can define roles once and apply them to multiple admin groups. The appliance contains the following system-defined admin roles: AAA Admin: Provides read-write access to all grid AAA properties. DHCP Admin: Provides read-write access to all DHCP MAC filters, members, networks, and shared networks, and read-only access to the DHCP templates and DHCP lease history. DNS Admin: Provides read-write access to all members, all shared record groups, and all DNS views. File Distribution Admin: Provides read-write access to all grid file distribution properties. Grid Admin: Provides read-write access to all DHCP MAC filters, DHCP templates, members, networks, shared networks, DHCP lease history, all shared record groups, all DNS views, Grid AAA properties, Grid File distribution properties.
You can assign these system-defined roles to admin groups and create additional roles based on the job functions in your organization. If you are creating a role that has similar permissions to an existing role, you can copy the role and then make the necessary modifications to the new role. Thus you do not have to create each new role from scratch. You can assign up to 20 roles to an admin group, and you can assign a role to more than one admin group. When you make a change to a role, the appliance automatically applies the change to that role in all admin groups to which the role is assigned.
Creating Admin Roles

There are two ways to create an admin role. You can create a new role and define its permissions, and you can copy an existing role. To create a new role from scratch: 1. From the Administrators perspective, click Roles -> Edit -> Add Role to display the Add Role editor. 2. Complete the following: Role Name: Enter a name for the role. Comment: Optionally, enter information about the role. 3. Click the Save icon. To copy an existing role: 1. From the Administrators perspective, click Roles -> admin_role -> Edit -> Copy Role As. 2. In the Copy Role As dialog box, enter the name of the new role you are creating. You can also enter information about the new role in the Comment field. Click OK to close the dialog box. The appliance displays the new role and its permissions. After you create roles, you can do the following: Define their permissions. For information and guidelines on defining permissions, see About Administrative Permissions on page 78. Assign roles to admin groups, as described in Creating Limited-Access Admin Groups on page 76.
NIOS 4.3r5
75
Creating Limited-Access Admin Groups

When you create a limited-access admin group, you can assign roles to it. The group then inherits the permissions of its assigned roles. In addition, you can assign permissions directly to the group, as described in Applying Permissions and Managing Conflicts on page 79. Only superusers can create admin groups. To create an admin group: 1. From the Administrators perspective, click Groups -> Edit -> Add Group to display the Add Administrator Group editor. 2. Expand the Group Properties section and enter the following: Group Name: Enter the name for the admin group. Comment: Enter pertinent information about the group, such as location or department. The data entered here displays in the Comment column when you select the admin group name in the tree view. Superuser: Clear this check box to create a limited-access admin group. Page Size: Enter a value for the number of lines of data that you want a single GUI list view to contain for administrators that belong to this group. When there is a lot of data, you can improve the display performance by setting a smaller page size, such as 100 instead of 1000. You can set the page size from 10 to 2000. The default page size is 100. Access Method: Specify whether the admin group can use the GUI and the API (application programming interface) to configure the appliance. Access through GUI: Select this check box to allow the admin group to use the GUI. Access through API: Select this check box to allow the admin group to use the API. For information about the API, see Chapter 25, Infoblox DMAPI, on page 739. Disable this admin group: Select this check box to retain an inactivated profile for this admin group in the configuration. For example, you might want to define a profile for recently hired administrators who have not yet started work. Then when they do start, you simply clear this check box to activate the profile. 3. Optionally, expand the Roles section and complete the following: Click Add. In the Select Role dialog box, select the roles you want to assign to the admin group, and then click OK. You can assign up to 20 roles to an admin group. The appliance displays the selected roles in the list box. When an admin group is assigned multiple roles, the appliance applies the permissions to the group in the order the roles are listed. Therefore if there are conflicts in the permissions among the roles, the appliance uses the permission from the role that is listed first and ignores all the others. You can reorder the list by selecting a role and clicking Move Up or Move Down. To delete a role, select it and click Delete. After you select roles, you can click Check for conflicts to check for any conflicting permissions. For information about checking conflicts, see Applying Permissions and Managing Conflicts on page 79. Click Cancel to close the dialog box. 4. Click the Save icon.
76
NIOS 4.3r5
Deleting Admin Roles and Groups

You can remove both system-defined and user-defined admin roles and admin groups. To delete an admin group or role: 1. Do one of the following from the Administrator perspective: To remove an admin role, click + (for Roles) -> admin_role. To remove an admin group, click + (for Groups) -> admin_group. 2. Click Edit -> Remove.
Viewing Admin Group Assignments

You can view to which admin groups a role is assigned by selecting the role and clicking View -> Admin Role Assignments.
NIOS 4.3r5
77
About Administrative Permissions

You can assign permissions to admin roles which you then assign to admin groups, or you can assign permissions directly to an admin group. The following are permissions you can grant roles and admin groups: Deny: Prevents admins from viewing, adding, modifying and deleting the resource. This is the default permission level. Read-Only: Allows admins to view and search for the resource. Admins cannot add, modify or delete the resource. Read/Write: Allows admins to view, search for, add, modify, and delete the resource.
By default, the appliance denies access to certain resources. Admin groups must have either read-only or read/write permission to access the following resources: Grid membersSee Administrative Permissions for Grid Members on page 89 Scheduling tasksSee Administrative Permissions for Scheduling Tasks on page 90 DNS resourcesSee Managing DNS Resource Permissions on page 91. DHCP resourcesSeeManaging Administrative Permissions for DHCP Resources on page 96. RADIUS resourcesSee Administrative Permissions for the RADIUS Service on page 104. File distribution resourcesSee Administrative Permissions for File Distribution Services on page 106.
You can define permissions at a global level, for example, for all DNS views or all DHCP networks in the database, and at a more granular level, such as a specific zone, network, and even an individual database object, such as a resource record or fixed address. The appliance applies permissions hierarchically in a parent-child structure. When you define a permission to a resource, the permission applies to all the other resources and objects contained within that resource. For example, if you grant an admin group read-write permission to a grid, it automatically has read-write permission to all members in the grid. However, you can override the grid-level permission by setting a different permission, read-only or deny, for a grid member. Permissions at more specific levels override those set at a higher level. When admins have permission to objects that are in a parent object, but are not given rights to the parent object, the appliance displays the parent object in the tree view, for navigational purposes only. For example, as shown in Figure 3.2, admins do not have permission to the Internal view and to corp.com, but have permission to the child zone called sales.corp.com. In this case, the admins can see the Internal view and corp.com in the tree view, but cannot see their contents. The admins can see the contents of sales.corp.com zone only.
Figure 3.2 Navigating to Objects
Admins in DNS Admins3 can navigate to sales.corp.com and create resource records, even if they have no permission to the Internal view and corp.com.
78
NIOS 4.3r5
Applying Permissions and Managing Conflicts

When an admin tries to access an object, the appliance checks the permissions of the group to which the admin belongs. Because permissions at more specific levels override those set at a higher level, the appliance checks object permissions hierarchicallyfrom the most to the least specific. In addition, if the admin group has permissions assigned directly to it and permissions inherited from its assigned roles, the appliance checks the permissions in the following order: 1. Permissions assigned directly to the admin group 2. Permissions inherited from admin roles in the order they are listed in the Roles section of the Administrator Group editor. 3. Permissions defined for the All Users group. For example, an admin from the DNS1 admin group tries to access the a1.test.com A record in the test.com zone in the Infoblox default view. The appliance first checks if the DNS1 admin group has a permission defined for the a1.test.com A record. If there is none, then the appliance checks the roles assigned to DNS1, and then the All Users group. If there is no permission defined for the a1.test.com A record, the appliance continues checking for permissions in the order listed in Table 3.2. The appliance uses the first permission it finds.
Table 3.2 Permission Checking

The appliance checks object permissions from the most to the least specific, as listed. 1. a1.test.com A record 2. A records in test.com 3. test.com 4. All zones in the default view 5. Default view 6. All A records 7. All zones 8. All DNS views An admin group that is assigned multiple roles and permissions can have conflicts among the different permissions. As stated earlier, the appliance uses the first permission it finds and ignores the others. For example, as shown in Table 3.3, if an admin group has read/write permission to all A records in the test.com zone and a role assigned to it is denied permission to test.com, the appliance provides read/write access to A records in the test.com zone, but denies access to the test.com zone and all its other resource records. For each object, the appliance checks permissions in the order listed. a. DNS1 admin group b. Role 1, Role, 2, Role 3 c. All Users group
Table 3.3 Directly-Assigned Permissions and Roles
Permission assigned to the admin group Permission inherited from an admin role Effective permissions
Read/Write to all A records in the test.com zone Deny to the test.com zone Deny to the test.com zone Read/Write to all A records in test.com Deny to all other resource records in test.com
NIOS 4.3r5
79
If the group has multiple roles, the appliance applies the permissions in the order the roles are listed. If there are conflicts in the permissions among the roles, the appliance uses the permission from the role that is listed first. For example, as shown in Table 3.4, the first role assigned to the admin group has read-only permission to all A records in the test.com zone and the second role has read/write permission to the same records. The appliance applies the permission from the first admin role.
Table 3.4 Multiple Roles
Role 1 permission Role 2 permission Effective permissions
Read-only to all A records in the test.com zone Read/Write to all A records in test.com Read/Write to all MX records in test.com Deny to the test.com zone Read-only to all A records in the test.com zone Read/Write to all MX records in test.com
You can check for conflicting permissions when you add permissions to roles and to admin groups, and when you assign roles to an admin group. When you use the Check for conflicts function, the appliance lists which permissions are in conflict and indicates which ones it uses and ignores, as shown in Figure 3.3. If you want to change the permission the appliance uses, you must change the order in which the roles are listed or change the permissions that are directly assigned to the admin group.
Figure 3.3 Checking for Conflicts
80
NIOS 4.3r5
Defining Permissions
From the Administrators perspective, you can define global permissions and object permissions for admin groups and roles. Although you can add global permissions only from the Administrators perspective, you can add permissions to specific objects from the Administrators perspective and from the object itself. You can also select multiple objects using SHIFT+click and CTRL+click when you apply permissions to specific objects. However, you cannot select multiple objects when defining global permissions. When you add permissions to objects, you can select multiple objects with the same or different object types. When you select multiple objects with the same object type, you can apply permissions not only to the selected objects, but also to the sub object types that are contained in the selected objects. As described in Figure 3.4, when you select five DNS forward-mapping authoritative zones, the appliance labels the five DNS zones collectively as Selected Objects. Since all five DNS zones are of the same object type, forward-mapping authoritative, you can also apply permissions to all the resource records in these zones. You can choose one or more of the resources to which you want to apply permissions in the Add Permissions dialog box.
Figure 3.4 Selecting Multiple Objects with the Same Object Type
You select five forward-mapping authoritative DNS zones that have resource records such as A records, Hosts, and CNAME records.
The appliance displays the following resources in the Add Permissions dialog box.
corp100.com
2 Since all DNS zones

have the same object type, you can apply object permissions to all the DNS zones as well as to all the resource records in the DNS zones.
A records in selected objects
corp200.com
Hosts in selected objects
corp300.com
<Resource records> in selected objects (for other resource records)
corp400.com
corp500.com
As shown in Figure 3.5, the appliance displays the resources in the Permissions section of the Add Permissions dialog box. You can choose Selected objects to apply permissions to all DNS zones, A records in selected objects to apply permissions to all A records in the selected DNS zones, Hosts in selected objects to apply permissions to all host records, and so on.
NIOS 4.3r5
81
Figure 3.5 Add Object Permissions for Selected Objects with the Same Object Type
When you select multiple objects with more than one object type, you can add permissions to the selected objects as well as to the sub object types that are common among the selected objects. For example, when you select three DNS forward-mapping authoritative zones and two DNS IPv4 reverse-mapping authoritative zones as illustrated in Figure 3.6, you can apply permissions to all the five DNS zones as well as to the CNAME, DNAME, and Host records in these zones because CNAME, DNAME, and Host records are the common sub object types in these zones. In another example, when you select three DNS forward-mapping authoritative zones and two networks, you can apply permissions only to the selected objects (the three DNS zones and the two networks). You cannot apply permissions to any sub object types in the selected objects because DNS zones and networks do not have any common sub object types.
Figure 3.6 Multiple Objects with Common Sub Object Types

When you select three DNS forward-mapping authoritative zones and two IPv4 reverse-mapping authoritative zones, you can apply object permissions to all the DNS zones as well as the CNAME, DNAME and Host records in these DNS zones. CNAME records in selected objects DNAME records in selected objects Hosts in selected objects
corp100.com
0.0.10.in-addr.arpa
corp200.com
0.0.127.in-addr.arpa
corp300.com
82
NIOS 4.3r5
To add permissions to a role or an admin group from the Administrators perspective: 1. Do one of the following from the Administrators perspective: To define the permissions of an admin role, click + (for Roles) -> + role -> Edit -> Add Permissions. or To define the permissions of an admin group, click + (for Groups) -> admin_group -> Edit -> Add Permissions. The Add Permissions dialog box appears. The dialog box does not list the existing permissions of the role or admin group. To view existing permissions, see Viewing and Managing Permissions on page 85. If you try to add permission to an object that has a conflict with an existing permission, the appliance displays an error message. 2. To define global permissions, click Add in the Add Global Permissions tab. The appliance displays the default resource, All Members in the Resource column. 3. Do one of the following: Select Read/Write, Read Only, or Deny for the All Members resource. or Click the arrow for Resource to expand the resource list, and then select the resource for which you are setting the global permission. Select Read/Write, Read Only, or Deny. Click Add again to define additional global permissions. 4. To define permissions for specific objects and resources, do the following in the Add Object Permissions tab: Click Find Object.... In the Select Object dialog box, identify the objects to which you want to add permissions, as follows: In the Text field, enter the value or partial value of an object. This field is not case-sensitive. Select the object type for which you are searching in the Type drop-down list. By default, the appliance searches all object types. You can select multiple object types using SHIFT+click for contiguous objects and CTRL+click for non-contiguous objects. Click Search. The appliance lists the objects that it finds in the Search Results section. In the Search Results section, select the objects to which you are defining permissions, and then click OK. You can select multiple objects using SHIFT+click for contiguous objects and CTRL+click for non-contiguous objects. In the Add Object Permissions tab, the appliance displays the following: Object: The name of the selected objects. When you select multiple objects, the appliance displays Multiple Objects in this field. Type: The object type of the selected objects. When you select more than one object type, the appliance displays Multiple Types in this field. To view the list of selected objects, click View Selected Objects. The appliance displays the selected objects to which you want to add permissions. 5. In the Permissions section, do the following: Click Add. In the Resource column, click the arrow to expand the resource list, and then select the resource for which you are setting the object permission. Select the appropriate permission: Read/Write, Read Only, or Deny. Click Add again if you want to define additional object permissions. 6. After you apply permissions to the selected objects, do one of the following: Click Check Conflicts to check whether the permissions that you define have conflict with other permissions. The appliance displays conflicting permissions in the Permissions Conflict dialog box. For information, see Applying Permissions and Managing Conflicts on page 79. Click Apply if you want to set permissions for additional objects. The appliance stores the permissions that you have defined and clears all the information in the Add Permissions dialog box so that you can define permissions for additional objects. Click Add to continue defining permissions for other objects. Click OK when you are finished.
In addition, you can also set permissions for specific objects from the object itself. For example, to define permissions for a particular grid member, navigate to that grid member and define its permissions. To define the permission of a specific object: 1. Navigate to the object. For example, to define permissions for a particular grid member, do the following from the Grid perspective, click + (for grid) -> + (for Members) -> member. 2. Select the object and do one of the following: Right-click and select Manage Permissions from the context menu. Click Edit-> Manage Permissions. The appliance displays the Manage Resource Permissions dialog box. For example, Figure 3.7 shows the Manage Resource Permissions dialog box where you define permissions for the selected grid member.
Figure 3.7 Manage Permissions for a Grid Member
3. In the Manage Resource Permissions dialog box, do the following: Admin Group/Role: Click Add, and then select a role or an admin group in the Select Admin Group or Role dialog box. After you click OK to close the dialog box, the appliance lists the role or admin group you selected. Permissions: Click Add. After the appliance displays the object in the Resource column, select Read/Write, Read Only or Deny.
84
NIOS 4.3r5
4. Optionally, you can check whether the permission you defined conflicts with another permission. Click Check Conflicts and the appliance displays conflicting permissions in the Permissions Conflict dialog box. For information, see Applying Permissions and Managing Conflicts on page 79 5. Click OK to close the Manage Resource Permissions dialog box.
Viewing and Managing Permissions

Superusers can view the permissions of all admin groups. All other admins can view the permissions of their own admin group. To view the permissions of a role or an admin group, do one of the following: To view the permissions of an admin group, from the Administrators perspective, click + (for Groups) -> + (for admin_group) -> + (for Permissions). To view the permissions of a role, from the Administrators perspective, click + (for Roles) -> + (for admin_role). AAA Permissions DHCP Permissions DNS Permissions File Distribution Permissions Grid Permissions
The appliance lists the permission types of the selected role or group, which can be:
You can select a permission type and view its corresponding permissions in the Permissions panel. By default, the appliance displays the permissions in alphabetical order. You can display a hierarchical list by clicking the icon.
Filtering the List of Permissions

You can filter the permissions you view by selecting one of the following: Effective Permissions: Select to view only the permissions that the appliance is using for this group. The permissions that were ignored due to conflicts are not listed in this view. Direct Permissions: Select to view only the permissions that were specifically assigned to the group. Permissions that were inherited from roles are not listed in this view. Conflicting Permissions: Select to view only the permissions that are in conflict. All Permissions: Select to view all permissions.
NIOS 4.3r5
85
Modifying Permissions
You can modify the permissions of user-defined admin roles and admin groups. You cannot modify the permissions of system-defined admin roles. When you change the permissions of a role that has been assigned to multiple admin groups, the appliance automatically applies the change to the role in all admin groups to which it is assigned. To change the existing permissions of a role or an admin group: 1. Do one of the following from the Administrator perspective: To modify the permissions of an admin role, click + (for Roles) -> + (for admin_role). To modify the permissions of an admin group, click + (for Groups) -> + (for admin_group) -> + (for Permissions). 2. Select the permission type and in the Permissions panel, select the resource that you want to modify. 3. Click Edit -> Permission Properties. 4. In the Permission Properties editor, select the new permission: Read/Write, Read-Only or Deny. 5. Optionally, click Check for conflicts to view any conflicts that result from the change. For information about conflicting permissions, see Applying Permissions and Managing Conflicts. 6. To save the change, click the Save icon.
Removing Permissions
You can remove permissions from user-defined admin roles and admin groups. You cannot remove permissions from system-defined admin roles. When you remove permissions from a role, it is removed from the role in all admin groups to which the role is assigned. You can remove a permission from a group as long as it was not inherited from a role. You cannot remove permissions that were inherited from a role. To remove a permission: 1. Do one of the following from the Administrator perspective: To remove the permissions of an admin role, click + (for Roles) -> + (for admin_role). To remove the permissions of an admin group, click + (for Groups) -> + (for admin_group) -> + (for Permissions). 2. Select the permission type and in the Permissions panel, select the resource that you want to remove 3. Right-click, and then select Remove. 4. Click Yes when the confirmation dialog appears.
86
NIOS 4.3r5
Administrative Permissions for Common Tasks
Administrative Permissions for Common Tasks

The following table lists some of the common tasks admins can perform and the required permissions for each task. You can define admin roles with the required permissions, and then add the roles to admin groups. For information, see About Admin Roles on page 75.
Table 3.5 Permissions for Common Tasks

To perform the following tasks... Modify grid member configuration Restart services for a grid member Restart services for an entire grid Restart service from the DHCP perspective Restart service from the DNS perspective Create DNS views Modify and delete a DNS view Create DNS zones Assign grid members to a DNS zone Modify and delete a DNS zone Create a specific type of resource record, such as A records Admins need the following permissions Modify and delete a specific type of resource record, such as A records View DNS resource records Create shared record groups Modify and delete shared record groups View network properties and network statistics in a network Create network views and their associated DNS views Modify and delete network views and their associated DNS views Create networks Read/Write to the grid member Read/Write to the grid member Read-only to all grid members Read/Write to all network views Read-only to all grid members Read/Write to all DNS views Read-only to all grid members Read/Write to all DNS views Read/Write to the DNS view Read/Write to the parent zones Read/Write to the grid members Read/Write to the DNS zone Read/Write to the DNS zone Read/Write to the resource record type or Read/Write to the DNS zone Read/Write to the resource record type or Read/Write to the DNS zone Read-only to the resource records or Read-only to the DNS zone Read/Write to all shared record groups Read/Write to the shared record groups Read-only to the network view that contains the network Read/Write to all network views Read/Write to all DNS views Read/Write to the network views Read/Write to the DNS views Read/Write to all networks
NIOS 4.3r5
87
To perform the following tasks... Assign networks to grid members Modify and delete networks Modify and delete networks that are assigned to grid members Create fixed addresses in a network Modify and delete all fixed addresses in a network View and search for fixed addresses in a network Create DHCP ranges Modify and delete DHCP ranges Schedule tasks for supported objects, such as adding an A record or deleting a host record
Admins need the following permissions Read/Write to the networks Read/Write to the grid members Read/Write to the networks Read/Write to the networks Read/Write to the grid members Read/Write to the parent network Read/Write to all fixed addresses in the network Read-only to all fixed addresses in the network Read/Write to the parent network Read/Write to the DHCP ranges in the network Read/Write to schedule tasks Read/Write to the DNS zones to which the objects belong Read/Write to the networks to which the objects belong Read/Write to network discovery Read/Write to the networks on which you want to run the discovery
Initiate and control network discoveries on a network
For information about specific tasks and their required permissions, see the following: Grid membersSee Administrative Permissions for Grid Members on page 89 Scheduling tasksSee Administrative Permissions for Scheduling Tasks on page 90 DNS resourcesSee Managing DNS Resource Permissions on page 91. DHCP resourcesSeeManaging Administrative Permissions for DHCP Resources on page 96. RADIUS resourcesSee Administrative Permissions for the RADIUS Service on page 104. File distribution resourcesSee Administrative Permissions for File Distribution Services on page 106.
88
NIOS 4.3r5
Administrative Permissions for Grid Members
Administrative Permissions for Grid Members

By default, the grid master denies access to grid members when a limited-access admin group does not have defined permissions. You can grant an admin group read-only or read/write permission, or deny access to all grid members or you can grant permission to specific grid members, as described in Applying Permissions and Managing Conflicts on page 79. Note: Only superusers can modify DNS and DHCP grid properties. The following table lists the tasks admins can perform and the required permissions for grid members.
Table 3.6 Grid Member Permissions

To perform the following tasks View DNS member properties View and download syslog View DNS cache and configuration file View DHCP member properties View network statistics and DHCP configuration file Restart grid DNS and DHCP services Assign members to networks Assign members to DHCP ranges Edit member properties Clear DNS cache Add grid members to a Match Members list of a view Delete a view with grid members in a Match Members list Assign members to DNS zones Read/Write to grid members Read-only to views Read/Write to grid members Read/Write to zones Read/Write to grid members Read/Write to networks Read/Write to DHCP ranges Read/Write to grid members Admins need the following permissions Read-only to grid members
NIOS 4.3r5
89
Administrative Permissions for Scheduling Tasks

You can schedule tasks, such as adding hosts or modifying fixed addresses, for a future date and time. To schedule tasks, you must first enable the scheduling feature at the grid level, and then define administrative permissions for admin groups and admin roles. For information, see Scheduling Tasks on page 136. Only superusers can enable and disable this feature and grant scheduling permissions to admin groups. Limited-access admin groups can schedule tasks only when they have scheduling permissions. Superusers can do the following: Enable and disable task scheduling at the grid level Grant and deny scheduling permissions to admin groups and admin roles Schedule tasks for all object types Reschedule and delete any scheduled task
You can set global permissions to schedule tasks as described in Defining Permissions on page 81. The following table lists the tasks admins can perform and the required permissions. Users with read/write permission to scheduling can view, reschedule, and delete their own scheduled tasks.
Table 3.7 Scheduling Task Permissions

To perform the following tasks Schedule the addition, modification, and deletion of all supported object types. View, reschedule, and delete scheduled tasks. Admins need the following permissions Read/Write to scheduling tasks Read/Write to all networks and DNS zones Read/Write to all shared record groups
To schedule tasks for specific resources, admins must have Read/Write permission to scheduling tasks, plus the required permissions to the supported resources. For information about permissions for specific resources, see the following: Grid membersSee Administrative Permissions for Grid Members on page 89 DNS resourcesSee Managing DNS Resource Permissions on page 91. DHCP resourcesSeeManaging Administrative Permissions for DHCP Resources on page 96.
Note that the appliance deletes all pending scheduled tasks when superusers disable task scheduling at the grid level. The appliance deletes an admins scheduled tasks when superusers do the following: Set the scheduling permission of admin groups and roles to Deny Delete or disable an admin group or an admin role Delete or disable local admins Delete the scheduling permission from any admin group or admin role that contains users with pending scheduled tasks Change the admin group of a limited-access admin
90
NIOS 4.3r5
Managing DNS Resource Permissions

You can grant roles and admin groups read-only or read/write permission, or deny access to the following DNS resources: DNS Views Zones A records AAAA records CNAME DNAME MX PTR SRV TXT Hosts Bulk Hosts Shared Record Groups Shared A records Shared AAAA records Shared MX records Shared SRV records Shared TXT records
The appliance applies permissions for DNS resources hierarchically. Permissions to a DNS view apply to all zones and resource records in that view. Permissions for a zone apply to all its subzones and resource records, and resource record permissions apply to those resource records only. To override permissions set at higher level, you must define permissions at a more specific level. To assign permissions, see Applying Permissions and Managing Conflicts on page 79. The following sections describe the different types of permissions that you can set for DNS resources:
Administrative Permissions for DNS Views on page 92 Administrative Permissions for Zones on page 93 Administrative Permissions for Resource Records on page 94
NIOS 4.3r5
91
Administrative Permissions for DNS Views

Limited-access admin groups can access DNS views, including the default view, only if their administrative permissions are defined. Permissions to a DNS view apply to all its zones and resource records. To override view-level permissions, you must define permissions for its zones and resource records. For example, you can grant an admin group read-only permission to a view and read/write permission to all its zones. This allows the admins to display the view properties, but not edit them, and to create, edit and delete zones in the view. You can grant read-only or read/write permission, or deny access to DNS views, as follows: All viewsGlobal permission that applies to all DNS views in the database. A specific viewApplies to its properties and its zones, if you do not define zone-level permissions. This overrides the global view permissions. All zones in a viewIf you do not define permissions for zones, they inherit the permissions of the view they are in.
For information on setting permissions for a view and its zones, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for DNS views.
Table 3.8 Permissions for Views

To perform the following tasks Display view properties Display zones and resource records Create, modify, and delete views Create, modify, and delete all zones and resource records Modify and delete a view Create, modify, and delete zones and resource records in a view Add grid members to a Match Members list of a view Delete a view with grid members in a Match Members list Display zone properties, subzones, and resource records Create, modify, and delete zones Create, modify, and delete subzones and resource records Read/Write to grid members Read/Write to the view Read-only to all zones in a view Read/Write to all zones in a view Read/Write to the view Read/Write to all views Admins need the following permissions Read-only to all views
92
NIOS 4.3r5
Administrative Permissions for Zones

By default, zones inherit administrative permissions from the DNS view in which they reside. You can override view-level permissions by setting permissions for specific zones. Permissions set for a zone are inherited by its subzones and resource records. To override zone-level permissions, set permissions for specific subzones and resource records. For example, you can grant an admin group the following permissions: Read-only to a zone and to all its A, AAAA, and PTR records Read/Write permission to all MX and SRV records in the zone Deny to all the other resource recordsCNAME, DNAME, TXT, host, and bulk host All zones Global permission that applies to all zones in all views. All zones in a viewPermissions at this level override the global permissions. A specific zoneApplies to the zone properties and resource records, if you do not define permissions for its resource records. This overrides global and view-level permissions. If you delete a zone and reparent its subzone, the subzone inherits the permissions of the new parent zone. Each resource record type in a zoneFor example, you can define permissions for all A records and for all PTR records in a zone. if you do not define permissions for resource records, they inherit the permissions of the zone in which they reside.
You can grant read-only or read/write permission, or deny access to zones as follows:
For information on setting permissions for zones and resource records, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for zones.
Table 3.9 DNS Zone Permissions

To perform the following tasks View zone properties, subzones, and resource records Search for a zone, its subzones, and resource records Create, modify, and delete subzones and resource records Search for zones, subzones, and resource records Create, modify, and delete all zones in a view Create, modify, and delete subzones and resource records Search for zones, subzones, and resource records Modify and delete a zone Create, modify, and delete subzones and resource records Lock and unlock a zone Search within a zone for its subzones and resource records Assign grid members to a zone Delete a zone with assigned grid members Assign a name server group to a zone Delete a zone with name server groups assigned Read/Write to the zone Read/Write to grid members Read/Write to the zone Read/Write to all grid members in the name server group Read/Write to the zone Read/Write to all zones in the view Read/Write to all zones Admins need the following permissions Read-only to the zone
NIOS 4.3r5
93
To perform the following tasks Assign a shared record group to a zone Copy resource records from one zone to another
Admins need the following permissions Read/Write to the shared record group Read-only to the source zone Read-only to resource records to be copied Read/Write to the destination zone Read/Write to all resource records in the destination zone
Source zone:
Destination zone:
Administrative Permissions for Resource Records

Resource records inherit the permissions of the zone to which they belong. You can override zone-level permissions by setting permissions for specific resource records. You can grant read-only or read/write permission, or deny access to resource records as follows: Each resource record type in all zones and in all viewsGlobal permission that applies to all resource records of the specified type; for example, all A records in the database. Each resource record type in a zone Permissions at this level override global permissions. A specific resource recordOverrides zone-level permissions.
For information on setting permissions for resource records, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for resource records.
Table 3.10 DNS Resources

To perform the following tasks View resource records for a specified type only Search for records of a specified type Create, modify, and delete resource records for a specified type Search for records of a specified type View a resource record View, modify, and delete a resource record Read-only to the resource record Read/Write to the resource record Admins need the following permissions Read-only to the resource record type, such as all A records or all PTR records Read/Write to the resource record types, such as all A records or all PTR records
The following are additional guidelines: Only admins with read/write permission to bulk host records and read/write permission to reverse zones can create bulk host records and automatically add reverse-mapping zones. To create host records, admins must have read/write permission to the network and zone of the host. Admins must have read-only permission to the host records in a zone to view the Host Name Compliance Report. Admins must have read/write permission to the resource records in a zone to modify host names that do not comply with the host policy.
94
NIOS 4.3r5
Administrative Permissions for Shared Record Groups

By default, only superusers can add, edit, and delete shared record groups. Limited-access admin groups can access shared record groups, only if their administrative permissions are defined. You can set different permissions for a shared record group and for each type of shared resource record in the group. For example, you can grant a role or an admin group the following permissions: Read-only to a shared record group and to all its shared A and AAAA records Read/Write permission to all the shared MX and SRV records in the shared record group Deny to the TXT records All shared record groupsGlobal permission that applies to all shared record groups in the database. A specific shared record groupOverrides global permissions. Each shared record type in all shared record groups The shared resource record types include shared A records, shared AAAA records, shared MX records, shared SRV records, and shared TXT resource records. Each shared record type in a shared record group Permissions at this level override global permissions. A specific shared recordOverrides zone-level permissions. Shared record group permissions override zone permissions. Even if a zone is locked, superusers and limited-access users with read/write access can still edit or delete a shared record in the zone.
You can grant read-only or read/write permission, or deny access to shared record groups, as follows:
Note the following guidelines:
For information on setting permissions for shared record groups, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for shared record groups.
Table 3.11 Permissions for Shared Record Groups

To perform the following tasks View a shared record group Create, modify, and delete shared record groups Modify and delete a shared record group Assign a shared record group to zones Change the zones associated with a shared record group Delete zones with a shared record group assigned. Before you delete a shared record group, you must remove all zones associated with it. View shared records for a specific type only Search for records of a specified type Create, modify, and delete shared records for a specified type View shared records for a specific type in a specified shared record group only Create, modify, and delete shared records for a specific type in a specified shared record group View a shared record View, modify, and delete a shared record Read-only to the shared record type in all shared record groups Read/Write to the shared record type in all shared record groups Read-only to the shared record type in the specific shared record group Read/Write to the shared record type in the specific shared record group Read-only to the specific shared record Read/Write to the specific shared record
Infoblox Administrator Guide (Rev. A) 95
Admins need the following permissions Read-only to the shared record group Read/Write to all shared record groups Read/Write to the shared record group Read/Write to the shared record group Read/Write to the target zones
NIOS 4.3r5
Managing Administrative Permissions for DHCP Resources

Limited-access admin groups can access certain DHCP resources only if their administrative permissions are defined. By default, the appliance denies access when a limited-access admin group does not have defined permissions. You can grant admin groups read-only or read/write permission, or deny access to the following DHCP resources: Network views Networks Shared networks DHCP ranges Fixed addresses MAC address filters Network templates DHCP range templates Fixed address templates DHCP lease history
You can grant an admin group broad permissions to DHCP resources, such as read/write permission to all networks and shared networks in the database. In addition, you can grant permission to specific resources, such as a specific network, a DHCP range, or an individual IP address in a network. Permissions at more specific levels override global permissions. The following sections describe the different types of permissions that you can set for DHCP resources:
Administrative Permissions for Network Views on page 97 Administrative Permissions for Networks and Shared Networks on page 98 Administrative Permissions for Fixed Addresses on page 100 Administrative Permissions for DHCP Ranges on page 101 Administrative Permissions for DHCP Templates on page 102 Administrative Permissions for MAC Address Filters on page 103 Administrative Permissions for the DHCP Lease History on page 104
96
NIOS 4.3r5
Administrative Permissions for Network Views

Limited-access admin groups can access network views, including the default network view, only if they have read-only or read/write permission to a specific network view or to all network views. Permissions granted to a network view apply to all its networks, shared networks, DHCP ranges and fixed addresses. You can grant admin groups read-only or read/write permission, or deny access to network views as follows: All network viewsGlobal permission that applies to all network views in the database. A specific network viewPermission to a specific network view applies to the properties you set in the Network View editor, and to all the networks and shared networks in the network view. This overrides the global permission to all network views. When you configure permissions for a network view, you can also set permissions for the following: All networks in the selected network viewIf you do not define permissions for networks, they inherit the permissions of their network view. All shared networks in a specific network viewIf you do not define permissions for shared networks, they inherit the permissions of their network view. Note that you can grant an admin group read-only or read/write permission to specific networks in a network view, without granting them permission to that network view. For information, see Administrative Permissions for Networks and Shared Networks on page 98. For information on how to define permissions for network views, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for network views.
Table 3.12 Network View Permissions

To perform the following tasks View the properties of all network views View network statistics View and search for networks and shared networks View the properties of a network view View and search for networks and shared networks in a network view Create and delete network views and their associated DNS views Modify network views Create, modify, and delete networks and shared networks in a network view Expand/join networks Delete a network view and the associated DNS view Modify a network view Create, modify, and delete networks and shared networks in a network view Expand/join networks in a view View the properties of all networks in a view Search for networks in a view View network statistics Read-only to all networks in the network view Read/Write to the specific network view Read/Write to all or specific DNS views Read/Write to the specific network view Read/Write to all network views Read/Write to all DNS views Read/Write to all network views Read-only to the network view Admins need the following permissions Read-only to all network views
NIOS 4.3r5
97
To perform the following tasks Create, modify, and delete networks, DHCP ranges and fixed addresses in a network view Expand/join networks View the properties of all shared networks in a view Search for shared networks in a view Create, modify, and delete shared networks in a network view
Admins need the following permissions Read/Write to all networks in the network view Read-only to all shared networks in the network view Read/Write to all shared networks in the network view
Administrative Permissions for Networks and Shared Networks

Limited-access admin groups can access networks, including shared networks, only if their administrative permissions are defined. Permissions for a network apply to all its DHCP ranges and fixed addresses. To override network-level permissions, you must define permissions for specific DHCP ranges and fixed addresses. For example, you can grant an admin group read-only permission to a network, read/write permission to its DHCP ranges, and read-only permission to its fixed addresses. You can grant read-only or read/write permission, or deny access to networks, as follows: All networksGlobal permission that applies to all networks in the database. All shared networksGlobal permission that applies to all shared networks in the database. A specific networkNetwork permissions apply to its properties and to all DHCP ranges, fixed addresses and hosts in the network, if they do not have permissions defined. This overrides global permissions. All DHCP ranges in a networkIf you do not define permissions for DHCP ranges, they inherit the permissions of the network in which they reside. All fixed addresses in a networkIf you do not define permissions for fixed addresses, they inherit the permissions of the network in which they reside.
To define permissions for a specific network and its DHCP ranges and fixed addresses, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for networks.
Table 3.13 Network Permissions

To perform the following tasks View the properties of all networks View network statistics View the IP Address Management panel Create, modify, and delete networks Create, modify, and delete DHCP ranges and fixed addresses Expand/join networks Create networks from templates View shared networks Create, modify, and delete shared networks Read/Write to all networks Read-only to network templates Read-only to all shared networks Read/Write to all shared networks Read-only to all networks Read-only to all DNS views Read/Write to all networks Admins need the following permissions Read-only to all networks
98
NIOS 4.3r5
To perform the following tasks View the properties of a network View network statistics Search for a network Modify and delete a network Create, modify, and delete DHCP ranges and fixed addresses in a network Expand/join networks, if admins have read/write permission to both networks Create/Split network and automatically create a reverse zone Assign a grid member to a network and its DHCP ranges Modify and delete a network with the assigned grid member View DHCP ranges Search for DHCP ranges Create, modify, and delete DHCP ranges View fixed addresses Search for fixed addresses Create, modify, and delete fixed addresses
Admins need the following permissions Read-only to the specific network
Read/Write to the specific network
Read/Write to the network Read/Write to the parent zones Read/Write to the network Read/Write to the grid member Read-only to all DHCP ranges in the network Read/Write to all DHCP ranges in the network Read-only to all fixed addresses in the network Read/Write to all fixed addresses in the network
NIOS 4.3r5
99
Administrative Permissions for Fixed Addresses

Fixed addresses inherit the permissions of the networks in which they reside. You can override network-level permissions by defining permissions for fixed addresses. You can grant read-only or read-write permission, or deny access to fixed addresses, as follows: All fixed addressesGlobal permission that applies to all fixed addresses in the database. All fixed addresses in a network Permissions at this level override global permissions. If you do not define permissions for fixed addresses, they inherit the permissions of the network in which they reside. A single fixed addressOverrides global and network-level permissions.
For information on setting permissions for fixed addresses, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for fixed addresses.
Table 3.14 Permissions for Fixed Addresses

To perform the following tasks View fixed addresses Search for fixed addresses View fixed addresses in a network Search for fixed addresses in a network Create, modify, and delete fixed addresses Read-only to all fixed addresses in the network Read/Write to all fixed addresses Read/Write to all fixed addresses in the network Read-only to the fixed address Read/Write to the fixed address Admins need the following permissions Read-only to all fixed addresses
Create, modify, and delete fixed addresses in a network View a fixed address Modify and delete a fixed address
100
NIOS 4.3r5
Administrative Permissions for DHCP Ranges

DHCP ranges inherit the permissions of the networks in which they reside. You can override network-level permissions by defining permissions for DHCP ranges. You can read-only or read/write permission, or deny access to DHCP address ranges, as follows: All DHCP rangesGlobal permission that applies to all DHCP ranges in the database. All DHCP ranges in a networkPermissions at this level override global permissions. If you do not define permissions for DHCP ranges, they inherit the permissions of the network in which they reside. A single DHCP rangeOverrides global and network-level permissions.
For information on setting permissions for DHCP ranges, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admin can perform and the required permissions for DHCP ranges.
Table 3.15 DHCP Ranges

To perform the following tasks View DHCP ranges Search for DHCP ranges View DHCP ranges in a network Search for DHCP ranges in a network Create, modify, and delete DHCP ranges Search for DHCP ranges Create, modify, and delete DHCP ranges in a network Search for DHCP ranges in a network Modify and delete a DHCP range Apply relay agent filters and Option filters to a DHCP range Apply a MAC address filter to a DHCP range Assign a grid member to a DHCP range Modify and delete a DHCP range with an assigned grid members or DHCP failover association Read/Write to the DHCP range Read-only to the MAC address filter Read/Write to the DHCP range Read/Write to all DHCP ranges in the network Read/Write to the DHCP range Read/Write to all DHCP ranges Read-only to all DHCP ranges in the network Admins need the following permissions Read-only to all DHCP ranges
NIOS 4.3r5
101
Administrative Permissions for DHCP Templates

There are three types of DHCP templatesnetwork, DHCP range, and fixed address templates. To access any of these templates, a limited-access admin group must have read-only permission to the template. Limited-access admin groups cannot have read/write permission to the templates. Only superusers can create, modify and delete network, DHCP range, and fixed address templates. An admin group with read-only permission to the DHCP templates can view them and use them to create networks, DHCP ranges and fixed addresses, as long as they have read/write permissions to those DHCP resources as well. You can set global read-only permission that applies to all DHCP templates, and you can set permissions to specific templates as well. For information on setting permissions, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for DHCP templates.
Table 3.16 Permissions for DHCP Templates

To perform the following tasks View a template Create a network from a template Create a DHCP range from a template Admins need the following permissions Create a fixed address from a template Read-only permission to the DHCP template Read-only permission to the DHCP template Read/Write permission to all networks Read-only permission to the DHCP template Read/Write permission to all DHCP ranges or to the network Read-only permission to the DHCP template Read/Write permission to all fixed addresses or to the network
Note the following additional guidelines: DHCP range templates and fixed address templates do not inherit their permissions from network templates. You must set permissions for each type of template. An admin group can create a network using a network template that includes a DHCP range template and a fixed address template, even if it has no permission to access the DHCP range and fixed address templates.
102
NIOS 4.3r5
Administrative Permissions for MAC Address Filters

Limited-access admin groups can access MAC address filters only if their administrative permissions are defined. The appliance denies access to MAC address filters for which an admin group does not have defined permissions. You can grant read-only or read/write permission, or deny access to MAC address filters as follows: All MAC address filters in the database A specific MAC address filter
For information on setting permissions, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for MAC address filters.
Table 3.17 Permissions for MAC Filters

To perform the following tasks View a MAC address filter and its MAC address entries Apply a MAC address filter to a DHCP range Delete a MAC address filter from a DHCP range Create, modify, and delete MAC address filters Add and delete MAC address entries Modify and delete a MAC address filter Add, modify, and delete MAC address entries Read/Write to the MAC address filter Admins need the following permissions Read-only to the MAC address filter Read-only to the MAC address filter Read/Write to the DHCP range Read/Write to all MAC address filters
Administrative Permissions for Network Discovery

Limited-access admin groups can initiate a discovery and manage discovered data based on their administrative permissions. You can set global permissions for network discovery as described in Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for network discovery.
Table 3.18 Permissions for Network Discovery

To perform the following tasks Initiate and control a discovery on networks with read-only permission View discovered data View discovered data. Add unmanaged data to existing hosts, and resolve conflicting IP addresses. Convert unmanaged data to a host, fixed address, reservation, A record, or PTR record Read/Write to networks selected for discovery Read/Write to networks selected for discovery Read/write to the DNS zone or specific record type Admins need the following permissions Read/Write to network discovery Read-only to networks selected for discovery
NIOS 4.3r5
103
Administrative Permissions for the DHCP Lease History

A limited-access admin group can view and export the DHCP lease history if it has read-only permission to the DHCP lease history. Permissions to the DHCP lease history are different from the network permissions. Therefore, an admin group can access the DHCP lease history, regardless of its network permissions. Note that only superusers can import a DHCP lease history file. To define permissions for the DHCP lease history: 1. Do one of the following from the Administrator perspective: To define the permissions of an admin role, click + (for Roles) -> + admin_role -> Edit -> Add Permissions. To define the permissions of an admin group, click + (for Groups) -> admin_group -> Edit -> Add Permissions. 2. Click Add in the Add Global Permissions tab. From the Resource drop down list, select DHCP Lease History, and then click Read Only or Deny. 3. Click OK to close the dialog box.
Administrative Permissions for the RADIUS Service

If you configured the RADIUS service on the NIOS appliance, you can restrict access to the service and its resources. By default, the appliance denies access to the resources of the RADIUS service, unless an admin group has their administrative permissions defined. You can grant read-only or read/write permission, or deny access to the following RADIUS resources: Grid AAA PropertiesApplies to the grid and its members, the local and replicated users, policies, and external services, unless permissions are defined. You can set this from the Administrators perspective only. Member AAA properties Overrides the grid-level permission for the member only. The permission you set here does not affect the permissions for the local and replicated users, policies and external services. AAA Local UsersInherits the grid permission, unless otherwise defined. AAA Replicated UsersInherits the grid permission, unless otherwise defined. AAA PoliciesInherits the grid permission, unless otherwise defined. AAA External ServicesInherits the grid permission, unless otherwise defined.
For information on setting permissions, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for RADIUS resources.
Table 3.19 Permissions for AAA

To perform the following tasks Download CA certificates Download certificate signing request Download EAP server certificate View the AAA member properties All tasks in the AAA perspective View syslog View RADIUS configuration Export RADIUS detail file Edit member properties View local users Add, modify, and delete local users View replicated users Read/Write to AAA member properties Read-only to AAA local users Read/Write to AAA local users Read-only to AAA replicated users Read/Write to grid AAA properties Read-only to AAA member properties Admins need the following permissions Read-only to AAA grid properties
104
NIOS 4.3r5
Add, modify, and delete AD domains Synchronize with AD domain Delete replicated AD users and groups View RADIUS authentication and accounting home servers, network access servers, and AD, LDAP and McAfee authentication services Add, modify, and delete network access servers Add, modify, and delete RADIUS authentication home servers Add, modify, and delete RADIUS accounting home servers Add, modify, and delete AD authentication services Add, modify, and delete LDAP authentication services Add, modify, and delete McAfee validation services Associate the grid member with a NAS View policies Add, edit and delete policies
Read/Write to AAA replicated users
Read-only to external services
Read/Write to external services
Read/Write to external services Read/Write to AAA member properties Read-only to AAA policies Read/Write to AAA policies
NIOS 4.3r5
105
Administrative Permissions for File Distribution Services

You can restrict access to the TFTP, HTTP and FTP services provided by the appliance. By default, the appliance denies access to the TFTP, HTTP and FTP services, unless an admin group has their administrative permissions defined. You can grant read-only or read/write permission, or deny access to the following resources: Grid File Distribution PropertiesApplies to the grid and its members, directories, and files. You can set this from the Administrators perspective only. Member File Distribution PropertiesApplies to the grid member properties only. A specific directoryApplies to the directory and its files.
For information on setting permissions, see Applying Permissions and Managing Conflicts on page 79. The following table lists the tasks admins can perform and the required permissions for file distribution services.
Table 3.20 Permissions for File Distribution Services

To perform the following tasks View the grid and member file distribution properties, directories, and files Edit the grid and member file distribution properties Create and remove directories and files View the member file distribution properties Edit the member file distribution properties View a directory, its files, and subdirectories Remove a directory Add and remove files and subdirectories Admins need the following permissions... Read-only to Grid File Distribution Properties Read/Write to Grid File Distribution Properties Read-only to Member File Distribution Properties Read/Write to Member File Distribution Properties Read-only to the directory Read/Write to the directory
106
NIOS 4.3r5
Authenticating Administrators
Authenticating Administrators
The NIOS appliance supports the following authentication methods: local database, RADIUS, and Active Directory. The appliance can use any combination of these authentication methods. It authenticates admins against its local database by default. Therefore, if you want to use local authentication only, then you must configure the admin groups and add the local admin accounts, as described in Authenticating Administrators on page 107. If you want to authenticate admins using RADIUS and Active Directory in addition to local authentication, then you must define those services on the appliance and define the admin policy. For additional information, see About Remote Admins on page 108. Note: Infoblox strongly recommends that even if you are using remote authentication, you must always have at least one local admin in a local admin group to ensure connectivity to the NIOS appliance in case the remote servers become unreachable.
Creating Local Admins

When you create an admin account, you must specify the name, password, and admin group of the admin. You can optionally provide an e-mail address and specify the page size of the GUI. In addition, you can also control in which time zone the appliance displays the time in the audit log and the DHCP and IPAM perspective windows, such as the DHCP Lease History and DHCP Leases panels. The appliance can use the time zone that it automatically detects from the management system that the admin uses to log in. Alternatively, you can override the time zone auto-detection feature and specify the time zone. To create an admin account and add it to an admin group: 1. Log in using a superuser account. 2. From the Administrators perspective, click + (for Groups) -> admin_group -> Edit -> Add Local Admin. 3. Enter the following: Admin Name: Enter the name of the administrator. This is the name that the administrator uses to log in. Group: Choose the admin group of the administrator. An admin can belong to only one admin group at a time. Email Address: Enter the e-mail address for this administrator. Note that this address simply provides contact information. The NIOS appliance does not send e-mail notifications to it. You define the e-mail address for notifications on the Email section of the Device or Grid Editor. Comment: Enter pertinent information about the administrator, such as location or department. Password: Enter a password for the administrator to use when logging in. Re-Type Password: Enter the same password. Override admin group page size: Clear this check box to use the same page length specified for the admin group. Select this check box to enter a different page length. Page Size: Enter a value for the number of lines of data that you want a single GUI list view to contain for this administrator. When there is a lot of data, you can improve the display performance by setting a smaller page size, such as 100 instead of 1000. You can set the page size from 10 to 2000. The default page size is 100. Override auto-detect time zone: Select this check box if you want to specify the time zone for the administrator. Clear this check box if you want the appliance to automatically detect the time zone from the management system that the administrator uses to connect to the appliance. Time Zone: Select the time zone that the appliance uses when it displays the dates and time stamps in the audit log and the DHCP and IPAM perspective windows.
NIOS 4.3r5
107
Disable this admin: Select this check box to retain an inactive profile for this administrator in the configuration. For example, you might want to define a profile for a recently hired administrator who has not yet started work. Then when he or she does start, you simply need to clear this check box to activate the profile. 4. Click the Save icon to save your changes.
Modifying and Removing an Admin Account

You can modify and remove the admin accounts you create, but you can only partially modify the default superuser account adminand only when you are logged in as the superuser admin. Furthermore, because there must always be a superuser account on the appliance, you can only remove the default admin account after you create another superuser account.
About Remote Admins

You can configure the NIOS appliance to authenticate admins whose user credentials are stored on a RADIUS server or AD domain controller. The appliance can authenticate users against more than one authentication server, and supports remote and local authentication. To authenticate admins using RADIUS and Active Directory, you must define those services on the appliance and define the admin policy. The admin policy lists which authentication methods to use and in what order. It also lists admin groups that you have configured on the appliance and to which you can assign remote admins. An admin inherits its privileges from its admin group; therefore, all admins must be assigned to an admin group. If you configured admin groups on the remote authentication server, the group names on the remote authentication server must match the group names on the NIOS appliance so the appliance can assign an admin to the correct group. If you did not configure admin groups on the remote authentication server, you must configure a default group for remote admins on the NIOS appliance. When an admin logs in with a user name and password, the appliance uses the first method listed in the admin policy to authenticate the admin. If authentication fails, the appliance tries the next method listed. It tries each method on the list until it is successful or all methods fail. If all methods fail, then the appliance denies access to the appliance. If authentication succeeds, the NIOS appliance determines the admins privileges based on the admin group of the admin. It tries to match the admin group names in the order in which they are listed in the admin policy to any groups received from the remote server. If it finds a match, the NIOS appliance applies the privileges of that group to the admin and allows access. If the appliance does not find a match, then it applies the privileges of the default group. If no default group is defined, then the appliance denies access. Figure 3.8 illustrates the authentication and authorization process for remote admins.
108
NIOS 4.3r5
About Remote Admins
Figure 3.8 Authenticating Remote Admins

Admin NIOS appliance 2 The appliance checks the admin policy for the first authentication method, which is RADIUS. The appliance sends an Access-Request packet to the RADIUS server.
1 An admin enters his user name and password to log in to the appliance. Admin Policy
RADIUS Server
3 The RADIUS server responds with an Access-Reject package because the admins user name and password are not in its database. AD Server 4 The appliance tries the next authentication method on the list, which is Active Directory (AD). It sends a request to the AD server.
5
Remote Admin Groups Eng IT-Bldg2
The AD server finds the user name and password in its database and sends an access accept together with the admins group memberships.
User Name admin10 Member Of IT-Bldg1 IT-Bldg2
7 The appliance allows the admin to log in and applies the privileges of the IT-BLDG2
6 The appliance matches one of the admins groups with a group in the admin policy.
To configure the appliance to authenticate admins against a RADIUS server and an AD controller: Configure the RADIUS authentication service and AD authentication service. For information about the RADIUS authentication service, see Authenticating Using RADIUS. For information about the AD authentication service, see Authenticating Admin Accounts Using Active Directory on page 116. Configure admin groups that match those on the remote server. Optionally, specify a default admin group. For information about admin groups, see About Admin Groups on page 73. Configure the admin policy, as described in Defining the Admin Policy on page 118.
Note: Infoblox strongly recommends that even if you are using remote authentication, you must always have at least one local admin in a local admin group to ensure connectivity to the appliance in case the remote servers become unreachable.
NIOS 4.3r5
109
Authenticating Using RADIUS

RADIUS provides authentication, accounting, and authorization functions. The NIOS appliance supports authentication using the following RADIUS servers: RADIUSone, FreeRADIUS, Microsoft, Cisco, and Funk. You must be a superuser to configure admin accounts and RADIUS server properties on the NIOS appliance. When you configure the appliance to authenticate administrators using a RADIUS server, the appliance acts similarly to a network access server (NAS), which is a RADIUS client that sends authentication and accounting requests to the RADIUS server. Figure 3.9 illustrates the authentication process.
Figure 3.9 Authentication using a RADIUS server

Administrator NIOS appliance RADIUS Server
A user makes an HTTPS connection to the NIOS appliance and sends a user name and password.
2 policy and selects RADIUS as the

authentication method.
The appliance checks the remote admin
The appliance sends an Access-Request packet to the RADIUS
The appliance lets the user log in and applies the authorization profile.
4a If the RADIUS server authenticates the

user, it sends back an Access-Accept packet.
The appliance does not allow the user to log in.
4b If the RADIUS server rejects the
authentication request, it sends back an Access-Reject packet.
110
NIOS 4.3r5
Remote RADIUS Authentication

When you configure the NIOS appliance for remote authentication with a RADIUS server, you must specify the authentication method of the RADIUS server. Specify PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol). PAP tries to establish the identity of a host using a two-way handshake. The client sends the user name and password in clear text to the NIOS appliance. The appliance uses a shared secret to encrypt the password and sends it to the RADIUS server in an Access-Request packet. The RADIUS server uses the shared secret to decrypt the password. If the decrypted password matches a password in its database, the user is successfully authenticated and allowed to log in. With CHAP, when the client tries to log in, it sends its user name and password to the NIOS appliance. The appliance then creates an MD5 hash of the password together with a random number that the appliance generates. It then sends the random number, user name, and hash to the RADIUS server in an Access-Request package. The RADIUS server takes the password that matches the user name from its database and creates its own MD5 hash of the password and random number that it received. If the hash that the RADIUS server generates matches the hash that it received from the appliance, then the user is successfully authenticated and allowed to log in. To configure the NIOS appliance to authenticate administrators using a RADIUS server, you must configure admin accounts and groups for these administrators on the RADIUS server. Then, on the NIOS appliance, you must do the following: Configure RADIUS service on the appliance. Define one or more admin groups and specify its privileges and settings. The names must match admin group names defined on the RADIUS server. The NIOS appliance applies these privileges and settings to users belonging to those groups on the RADIUS server. See About Admin Groups on page 73 for information about defining admin groups. If there are no admin groups defined on the RADIUS server, designate an admin group as the default group. See
Configuring the Default Admin Group on page 118 for information about defining a default admin group.
Add RADIUS service to the list of admin authentication methods in the admin policy to enable RADIUS authentication. See Configuring a List of Authentication Methods on page 119 for more information about configuring admin policy.
Configuring RADIUS Authentication on the NIOS Appliance

To configure RADIUS server authentication for admins: 1. From the Administrators perspective, click + (for Remote Admins) -> RADIUS Authentication Services -> RADIUS Service -> Edit -> General RADIUS Properties. 2. In the RADIUS Authentication for Administrators editor, enter the following: Use MGMT port: Select check box if the MGMT port is enabled and you want the NIOS appliance to communicate with all RADIUS servers through its MGMT port. If you clear the check box, you can still selectively use the MGMT port for one or more specific RADIUS servers (see Adding RADIUS Servers on page 112). Optionally, modify the Authentication settings. These settings apply to all RADIUS servers that you configure on the NIOS appliance. Retry Period: Specify the number of seconds that the appliance waits for a response from the RADIUS server. The default is 5. Maximum Retries: Specify how may times the appliance attempts to contact an authentication RADIUS server. The default is 6.
If you configured multiple RADIUS servers for authentication and the NIOS appliance fails to contact the first server in the list, it tries to contact the next server, and so on.
NIOS 4.3r5
111
Optionally, modify the Accounting settings. Retry Period: Specify the number of seconds that the appliance waits for a response from the RADIUS server. The default is 5. Maximum Retries: Specify how may times the appliance attempts to contact an accounting RADIUS server. The default is 1000.
If you configured multiple RADIUS servers for accounting and the NIOS appliance fails to contact the first server in the list, it tries to contact the next server, and so on. 3. Click the Save icon to save your changes.
Adding RADIUS Servers

You configure RADIUS server settings for admins at the grid level. Therefore all members in a grid use the same set of RADIUS servers. You can configure multiple RADIUS servers for redundancy. When you do, the appliance tries to connect to the first RADIUS server on the list and if the server does not respond within the maximum retransmission limit, then it tries the next RADIUS server on the list. To add and configure the properties of a RADIUS server: 1. From the Administrators perspective, click + (for Remote Admins) -> RADIUS Authentication Services -> RADIUS Service -> Edit -> General RADIUS Properties. The RADIUS Authentication for Administrators editor appears. 2. In the RADIUS Server Group section, click Add. 3. In the RADIUS Server Properties editor, enter the following: Server Name: Type a name for the RADIUS server. This name is for internal reference; for example, auth1. It does not need to be the FQDN (fully qualified domain name) of the RADIUS server. Comment: Enter additional information about the RADIUS server. Authentication Type: Specify the authentication method of the RADIUS server. You can specify either PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol). The default is PAP. IP Address: The IP address of the RADIUS server that is used for authentication. UDP Port: The destination port on the RADIUS server. The default is port 1812. Shared Secret: Enter the shared secret that the NIOS appliance and the RADIUS server use to encrypt and decrypt their messages. This shared secret is a value that is known only to the NIOS appliance and the RADIUS server. Enable Accounting: Select this check box to enable the accounting feature, so you can track an administrators activities during a session. IP Address: The IP address of the RADIUS server that is used for accounting. The default is the IP address of the authentication RADIUS server. UDP Port: The destination port on the RADIUS server. The default is port 1813. Shared Secret: Enter the shared secret that the appliance and the RADIUS server use to encrypt and decrypt their accounting messages. A shared secret is a value that is known only to the appliance and the RADIUS server.
Accounting
Use MGMT port: If you clear the Use MGMT port check box in the General RADIUS Properties editor and select this check box, the NIOS appliance uses the MGMT port for administrator authentication communications with just this RADIUS server. If you select the Use MGMT port check box in the General RADIUS Properties editor, this check box becomes irrelevant. Whether you select or clear it, the NIOS appliance always uses the MGMT port for communications with all RADIUS servers, including this one.
112
NIOS 4.3r5
Disable this server: Select this check box to disable a RADIUS server if, for example, the connection to the server is down and you want to stop the NIOS appliance from trying to connect to this server. 4. Click OK. 5. Click the Save icon to save your changes.
Testing the RADIUS Server

After you add a RADIUS server to the NIOS appliance, you can validate the configuration. The appliance uses a pre-defined user name and password when it tests the connection to the RADIUS server. The pre-defined user name is infoblox_test_user and the password is infoblox_test_password. Do not use these as your administrator user name and password. To test the configuration: 1. From the Administrators perspective, click + (for Remote Admins) -> RADIUS Authentication Services -> RADIUS Service -> Edit -> General RADIUS Properties. The RADIUS Authentication for Administrators dialog box appears. 2. In the RADIUS Server Group section, select a server and click Modify. The RADIUS Server Properties dialog box appears. 3. Click Test Configuration. If the NIOS appliance connects to the RADIUS server using the configuration you entered, it displays a message confirming the configuration is valid. If it is unable to connect to the RADIUS server, the appliance displays a message indicating an error in the configuration.
Maintaining the RADIUS Admins Server List on the NIOS Appliance

When you add multiple RADIUS servers, the appliance lists the servers in the order in which you added them. This list also determines the order in which the NIOS appliance attempts to contact a RADIUS server. You can change the order of the list, as follows: 1. From the Administrators perspective, click + (for Remote Admins) -> RADIUS Authentication Services -> RADIUS Service -> Edit -> General RADIUS Properties. The RADIUS Authentication for Administrators dialog box appears. 2. The RADIUS Server Group section lists the RADIUS servers. Do the following: To move a server up on the list, select it and click Move Up. To move a server down on the list, select it and click Move Down. 3. Click the Save icon to save your changes.
Disabling a RADIUS Server

You can disable a RADIUS server if, for example, the connection to the server is down and you want to stop the NIOS appliance from trying to connect to this server. To disable a RADIUS server: 1. From the Administrators perspective, click + (for Remote Admins) -> RADIUS Authentication Services -> RADIUS Service -> Edit -> General RADIUS Properties. The RADIUS Authentication for Administrators dialog box appears. 2. In the RADIUS Server Group section, select a server and click Modify. The RADIUS Server Properties dialog box appears. 3. Click Disable this server. 4. Click OK. 5. Click the Save icon to save your changes.
NIOS 4.3r5
113
Configuring a RADIUS Server

In addition to setting up the NIOS appliance to communicate with a RADIUS server, you must also set up the remote RADIUS server to communicate with the NIOS appliance. Note: If you have two Infoblox appliances in an HA pair, enter both the members of the HA pair as separate access appliances and use the LAN IP address of both appliances (not the VIP address). Depending on your particular RADIUS server, you can configure the following RADIUS server options to enable communication with the NIOS appliance: Authentication Port Accounting Port Domain Name/IP Address of the NIOS appliance Shared Secret Password Vender Types
Configuring Admin Groups on the Remote RADIUS Server

Infoblox supports admin accounts on one or more RADIUS servers. To set up admins and associate them with an admin group on a remote RADIUS server, do the following: Import Infoblox VSAs (vendor-specific attributes) to the dictionary file on the RADIUS server For third-party RADIUS servers, import the Infoblox vendor file (the Infoblox vendor ID is 7779) Define a local admin group on the NIOS appliance (or use an existing group) Define a remote admin groupwith the same name as the group defined on the NIOS applianceon the RADIUS server Associate one or more remote admin accounts on the RADIUS server with the remote admin group
Refer to the documentation for your RADIUS server for more information.
Configuring Remote Admin Accounts on the Remote RADIUS Server

To set up remote admin accounts on a RADIUS server and apply the privileges and properties of the admin group designated as the default group on the NIOS appliance, do the following: Define an admin group on the NIOS appliance and specify it as the default group. You define admin groups for remote admins within the admin policy. See Defining the Admin Policy on page 118 for more information on configuring remote admin policies and remote admin group lists. On the RADIUS server: Create one or more admin accounts. (See RADIUSone documentation.) Add and activate a policy for the admin accounts, but do not associate the policy with a policy group that contains an infoblox-group-info attribute. When an administrator whose account is stored on a RADIUS server attempts to log in to a NIOS appliance, the NIOS appliance forwards the user name and password for authentication to the RADIUS server. When the server successfully authenticates the administrator and it responds to the NIOS appliance without specifying an admin group, the appliance applies the privileges and properties of the default admin group to that administrator. Refer to the documentation for your RADIUS server for more information.
114
NIOS 4.3r5
Authorization Groups Using RADIUS

You can specify authorization privileges for an admin group on the NIOS appliance only. The appliance ignores authorization settings from the RADIUS server. Therefore, you must configure all admin groups on the NIOS appliance, regardless of where the admin accounts that belong to those groups are storedon the NIOS appliance or on the RADIUS server. For information about specifying superuser and limited-access authorization privileges, see Creating a Superuser Admin Group on page 73 and About Limited-Access Admin Groups on page 74.
Accounting Activities Using RADIUS

You can enable the accounting feature on the RADIUS server to track an administrators activities during a session. After an administrator successfully logs in, the appliance sends an Accounting-Start packet to the RADIUS server.
NIOS 4.3r5
115
Authenticating Admin Accounts Using Active Directory

Active Directory (AD) is a distributed directory service that is a repository for user information. The NIOS appliance can authenticate admin accounts by verifying user names and passwords against Active Directory. If the admin does not exist on the AD domain controller, or if the user name and password do not match entries on the domain controller, the NIOS appliance denies access to the admin. However, if the NIOS appliance verifies the user name and password successfully, it grants access. In addition, the NIOS appliance queries the AD domain controller for the group membership information of the admin. The appliance matches the group names from the domain controller with the admin groups on its local database. It then authorizes services and grants the admin privileges, based upon the matching admin group on the appliance. You must be logged in to the NIOS appliance as a superuser to configure the AD authentication service. Figure 3.10 illustrates the Active Directory authentication process.
Figure 3.10 Authentication Using a Domain Controller
Administrator
NIOS Appliance
Domain Controller
A user makes an HTTPS connection to the NIOS appliance and sends an account name and password.
2 The appliance checks the remote admin

authentication policy to determine which method to use to authenticate the user. The authentication policy selects AD authentication as the first method to use.
3 The appliance sends a request to the

domain controller within the network to authenticate the admin. The appliance also requests the admins group membership information.
The appliance lets the user log in and applies the authorization profile. The appliance grants all permissions specific to the administrator based on the group membership sent from the domain controller associated with the admin account. If there is no group membership information for the admin, the default group is assigned (if configured).
4a
Authentication is successful. The domain controller successfully authenticates the admin user. The group membership information for the administrator is sent to the appliance. The first group in the group list matching the groups returned by the domain controller is assigned to the admin, along with the associated permissions after that admin logs in.
4b Authentication is unsuccessful. The

The appliance does not allow the user to log in.
domain controller sends back a deny access result to the appliance. No group membership information is sent.
116
NIOS 4.3r5
Authenticating Admin Accounts Using Active Directory
Admin Authentication Using Active Directory

To configure the NIOS appliance to authenticate admins using Active Directory, you must first configure user accounts on the domain controller. Then, on the NIOS appliance, do the following: Configure an AD authentication service on the appliance and configure one or more AD domain controllers to contact. For information about configuring AD authentication service for admins, see Admin Authentication Using Active Directory on page 117. If you configured admin groups on the AD controller, you can create those same groups on the NIOS appliance and specify their privileges and settings. Note that the admin group names must match those on the AD domain controller. You can specify a default group as well. The NIOS appliance assigns admins to the default group if none of the admin groups on the NIOS appliance match the admin groups on the AD domain controller or if there are no other admin groups configured. For information about configuring group permissions and privileges, see About Admin Groups on page 73. Enable Active Directory authentication by adding Active Directory to the list of authentication methods in the admin policy. The appliance refers to this list in the admin policy to determine which authentication method to use and in what order. See Defining the Admin Policy on page 118 for more information about configuring admin policy.
Configuring Active Directory Authentication for Admins

To configure an Active Directory authentication service on the NIOS appliance: 1. From the Administrators perspective, click + (for Remote Admins) -> AD Authentication Services -> Edit -> Add AD Authentication Service. 2. In the AD Authentication Service Services editor, enter the following: Name: Enter a name for the service. Port: Enter the port number on the domain controller to which the appliance sends authentication requests. Transport Encryption: Select SSL to transmit through an SSL (Secure Sockets Layer) tunnel. Infoblox strongly recommends that you select this option to ensure the security of all communications between the NIOS appliance and the AD server. If you select this option, you must upload a CA certificate from the AD server. For information about uploading a CA certificate, see Uploading Certificates to the Appliance on page 695. Comment: Enter pertinent information about the service. Disable this AD authentication service: Select this check box to retain an inactive AD service profile. AD Domain: Enter the DNS style name of the domain in which the user credentials are located. AD Domain Controller Failover List: Enter the IP address of the domain controller to which the appliance connects. You can add multiple domain controllers for failover purposes. The NIOS appliance tries to connect with the first domain controllers on the list. If it is unable to connect, it tries the next domain controllers on the list, and so on. You can change the order in which the servers are listed by selecting a server and clicking Move up or Move down. Timeout: The number of seconds that the NIOS appliance waits for a response from the specified authentication server. 3. Click the Save icon.
NIOS 4.3r5
117
Defining the Admin Policy

After you configure the properties of each authentication service you want to use, you must then define the admin policy. The admin policy defines which authentication methods to use, and in what order. In addition, it lists admin groups for remote admins. You must define at least one admin group for remote admins. The admin group determines the privileges of the admin account.
Specifying a List of Remote Admin Groups

You can configure a list of admin groups for remote admins, and prioritize each group by moving them up or down within the list. When the appliance receives information that the admin belongs to one or more groups, the appliance selects the first group in the list that matches, and assigns that group to the admin. If no groups are returned by the domain controller or the RADIUS server, the default group is assigned (if specified). To configure the remote admin group list: 1. From the Administrators perspective, click + (for Remote Admins) -> click + (for Admin Policy) -> Policy Configuration -> Edit -> Remote Admin Policy Properties. The Policy Configuration editor appears. 2. From the Remote Admin Group Ordering section, click Add to open up the Select Admin Group dialog box and to add an admin group to the list. 3. Select an admin group from the Select Admin Group dialog box and click OK to add it to the list. 4. Select an admin group from the Remote Admin Group Ordering section and click Move down to move the group down in the ordering within the list. Select an admin group from the Remote Admin Group Ordering section and click Move up to move the group up in the ordering within the list. 5. Click the Save icon to save your changes.
Configuring the Default Admin Group

You can designate an admin group as the default group. The appliance assigns an admin to the default group if no other admin groups are defined or if it does not find a matching admin group. Note that the NIOS appliance denies access to admins if there is no matching admin group to assign and no default group configured. Even though the authentication is successful, the NIOS appliance denies access to the remote admin because there is no group to assign to the admin and therefore no permissions defined for the user. To configure the default admin group: 1. From the Administrators perspective, click + (for Remote Admins) -> click + (for Admin Policy) -> Policy Configuration -> Edit -> Remote Admin Policy Properties. The Policy Configuration editor appears. 2. Click Select Default Group to open up the Select Admin Default Group dialog box. 3. Select an admin group from the Select Admin Default Group dialog box to act as the default. Click OK. The Default Group Name field displays the selection you made. 4. Click the Save icon to save your changes.
118
NIOS 4.3r5
Changing Password Length Requirements
Configuring a List of Authentication Methods

You can configure a list of authentication methods, and prioritize each method within the list. The appliance uses the first method on the list. If unsuccessful, the appliance uses the next method on the list. Each authentication method within the list is used in order as they appear. To configure a list of authentication methods for remote admins: 1. From the Administrators perspective, click + (for Remote Admins) -> click + (for Admin Policy) -> Policy Configuration -> Edit -> Remote Admin Policy Properties. The Policy Configuration editor appears. 2. From the Admin Authentication section, click Add to open up the Select Admin Authentication Method dialog box and to add an authentication method to the list. 3. Select an authentication method from the Select Admin Authentication Method dialog box and click OK to add it to the list. 4. Select an authentication method from the Admin Authentication section and click Move down to move the method down in the ordering within the list. Select an authentication method from the Admin Authentication section and click Move up to move the method up in the ordering within the list. The first method within the list is used first. 5. Click the Save icon to save your changes.
Changing Password Length Requirements

Password length requirements control how long a password must be for a NIOS appliance admin account. Increasing this value reduces the likelihood of hackers gaining unauthorized access. To change password length requirements: 1. From the Grid perspective, click grid -> Edit -> Grid Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. In the Grid (or Device) editor, click Security. 3. Enter a number from 4 to 64 in the Minimum Password Length field. 4. Click the Save icon to save your changes.
Notifying Administrators
You can notify individual administrators about system status via e-mail, or notify a group of people using an alias e-mail address. If you have configured DNS resolution on your network, the E-mail relay configuration function is not required. If you did not configure the settings on the DNS Resolver section, you must enter a static IP address of the target system in the Relay Name/IP Address field. Use the Test e-mail settings button to test the E-mail settings and to verify that the recipient received the notification. In addition, the appliance sends e-mail to administrators when certain events occur. Here is a list of events that trigger e-mail notifications: Changes to link status on ports and online/offline replication status Events that generate traps, except for upgrade failures (ibUpgradeFailure). For a list of events, see Infoblox MIBs on page 207
You can define the e-mail settings at the grid and member levels.
NIOS 4.3r5
119
Grid Level
To notify an administrator of an independent appliance or a grid: 1. From the Grid perspective, click grid -> Edit -> Grid Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. In the Grid (or Device) editor, click Email, and then enter the following: Enable e-mail notification: Select this check box. E-mail address: Enter the e-mail address of the administrator. Use an e-mail alias to notify multiple people. Use e-mail relay: Select this check box if the NIOS appliance must send e-mail to an intermediary SMTP (Simple Mail Transfer Protocol) server that relays it to the SMTP server responsible for the domain name specified in the e-mail address. Some SMTP servers only accept e-mail from certain other SMTP servers and might not allow e-mail from the NIOS appliance. In this case, specify the DNS name or IP address of a different SMTP server that does accept e-mail from the NIOS appliance and that will then relay it to the SMTP server that can deliver it to its destination. Clear this check box if it is unnecessary to use an e-mail relay server. Relay Name/IP Address: If you have configured DNS resolution, enter the DNS name of the relay server. If DNS resolution is not configured, enter the IP address of the relay server. 3. Optionally, click Test e-mail settings to confirm this feature is operating properly. 4. Click the Save icon to save your changes.
Member Level
To define e-mail settings for a member, follow the navigational path below and override the grid-level settings. Click the Save icon to save your changes. From the Grid perspective, click Grid -> + (for grid) -> + (for Members) -> member -> Edit -> Member Properties -> Email.
120
NIOS 4.3r5
Chapter 4 Managing Appliance Operations

Managing the operations of a NIOS appliance involves defining system parameters such as time, security and port settings. This chapter describes how to set these operational parameters and how to set up a static route when the NIOS appliance can send and receive traffic through multiple gateways. The tasks covered in this chapter include:
Managing Time Settings on page 123 Changing Time and Date Settings on page 123 Changing Time Zone Settings on page 123 Monitoring Time Services on page 124 Using NTP for Time Settings on page 125 Authenticating NTP on page 126 NIOS Appliance as NTP Client on page 128 NIOS Appliance as NTP Server on page 132 Scheduling Tasks on page 136 Enabling and Disabling Task Scheduling on page 136 Scheduling a Task on page 136 Viewing Scheduled Tasks on page 137 Rescheduling and Deleting Scheduled Tasks on page 138 Guidelines for Upgrading, Backing Up, and Restoring the Database on page 138 Managing Security Operations on page 139 Enabling Support Access on page 139 Enabling Remote Console Access on page 139 Permanently Disabling Remote Console and Support Access on page 140 Restricting HTTP Access on page 140 Enabling HTTP Redirection on page 141 Modifying GUI Session Timeout Settings on page 141 Disabling the LCD Input Buttons on page 141 Modifying Security for a Grid Member on page 142 Ethernet Port Usage on page 143 Modifying Ethernet Port Settings on page 148 Using the LAN2 Port on page 149 NIC Failover on page 150 Enabling DNS on LAN2 on page 152 Enabling DHCP on LAN2 on page 151
NIOS 4.3r5
121
Managing Appliance Operations
Using the MGMT Port on page 153 Appliance Management on page 154 Grid Communications on page 156 DNS Services on page 159 Setting Static Routes on page 161 Enabling DNS Resolution on page 164 Managing Licenses on page 165 Viewing the Installed Licenses on a NIOS Appliance on page 165 Obtaining a 60-Day Temporary License on page 165 Obtaining and Adding a License on page 166 Removing Licenses on page 166 Using the Recycle Bin on page 168 Disabling the Recycle Bin on page 169 Enabling the Recycle Bin on page 169 Viewing the Recycle Bin on page 169 Restoring Objects in the Recycle Bin on page 170 Emptying the Recycle Bin on page 170 Shutting Down, Rebooting, and Resetting a NIOS Appliance on page 171 Rebooting a NIOS Appliance on page 171 Shutting Down a NIOS Appliance on page 171 Resetting a NIOS Appliance on page 171 Managing the Disk Subsystem on the Infoblox-2000 on page 173 About RAID 10 on page 173 Evaluating the Status of the Disk Subsystem on page 174 Replacing a Failed Disk Drive on page 175 Disk Array Guidelines on page 176 Restarting Services on page 177
122
NIOS 4.3r5
Managing Time Settings
Managing Time Settings

You can define the date and time settings for your NIOS appliance when it first starts, using the Infoblox Appliance Startup Wizard. Alternatively, you can set the date and time of the appliance anytime after you first configure it if you did not do so using the startup wizard or if you need to change it if, for example, you move an appliance from a location in one time zone to a location in a different time zone. To set the date and time of the appliance, you can either manually enter the values or configure the appliance to synchronize its time with a public NTP server.
Changing Time and Date Settings

You can set the date and time on grid members and on independent appliances or HA pairs. For appliances in a grid, you can set the date and time at the grid level and at the member level. Grid-level date and time settings apply to all members unless you override them at the member level. Note: You cannot manually set the date and time if you have previously enabled NTP service. To change the time and date for a grid or for an independent appliance or HA pair: 1. From the Grid or Device perspective, click Grid (or Device) -> Set Date and Time. 2. In the Date and Time dialog box, enter the date (in MM/DD/YYYY format) and time (in HH:MM format) in the appropriate fields. For PM hours, use the integers 13-24. 3. To close the Date and Time dialog box, click OK. To change the time and date for a grid member: 1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Grid -> Set Date and Time. 2. In the Date and Time dialog box, enter the date (in MM/DD/YYYY format) and time (in HH:MM format) in the appropriate fields. For PM hours, use the integers 13-24. 3. To close the Date and Time dialog box, click OK. Note: Changing the date and time resets the application and terminates the management session.
Changing Time Zone Settings

Whether you enable NTP (Network Time Protocol) or manually configure the date and time, you must always set the time zone manually. For a grid, you can set the time zone at the grid level, which then applies to all members. If different members are in different time zones, you can choose the time zone that applies to most members at the grid level, and then override the setting at the member level for the remaining members. Note: Changing the time zone does not reset the application nor does it terminate the management session. To change the time and date for a grid or for an independent appliance or HA pair: 1. From the Grid or Device perspective, click Grid (or Device) -> Set Time Zone. 2. Choose an appropriate time zone from the drop-down list, and then click OK. To change the time zone for a grid member: 1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Grid -> Set Member Time Zone. 2. In the Member Time Zone dialog box, enter the following: Override Grid Time Zone: Select this check box. Member Time Zone: Choose an appropriate time zone for the location of the selected member. 3. To close the Member Time Zone dialog box, click OK.
NIOS 4.3r5
123
Monitoring Time Services

You can monitor the internal NTP daemon that runs within a grid to ensure the time among its members is synchronized, and if you configure the appliance as an NTP server for external clients, you can monitor this service as well. In a grid, the grid master and its members use an internal NTP daemon to synchronize their time. It is not user-configurable and functions regardless of how you set the time on the grid master. You can monitor this internal NTP service by checking the status icon and corresponding description in the Detailed Status panel. To display the Detailed Status panel, from the Grid perspective, click View -> Detailed Status. The following are descriptions of the NTP status icons in the Detailed Status panel:
Icon
Color Green Yellow Red
Meaning The NTP service is running properly. The appliance is synchronizing its time. The NTP service is not running properly. View the corresponding description for additional information.
When you enable NIOS appliances as NTP servers, you can monitor the status of the NTP service by checking the NTP status icons in the Grid panel. The following are descriptions of the NTP status icons in the Detailed Status panel. The type of information that can appear in the Description column corresponds to the SNMP trap messages. For information about the Infoblox SNMP traps, see Chapter 6, Monitoring with SNMP, on page 203.
Icon
Color Green Yellow Red Gray
Meaning The NTP service is enabled and running properly. The NTP service is enabled, and the appliance is synchronizing its time. The NTP service is enabled, but it is not running properly or is out of synchronization. The NTP service is disabled.
124
NIOS 4.3r5
Using NTP for Time Settings

Note: Cisco and Riverbed virtual grid members do not support NTP service. NTP (Network Time Protocol) is a standard protocol that system clocks use to ensure their time is always accurate. Appliances that use NTP try to get their time as close as possible to UTC (Coordinated Universal Time), the standard timescale used worldwide. NTP uses UDP (User Datagram Protocol) on port 123 for communications between clients and servers. NTP is based on a hierarchy where reference clocks are at the top. Reference clocks use different methods such as special receivers or satellite systems to synchronize their time to UTC. NTP servers on the first level of the hierarchy synchronize their time with the reference clocks, and serve time to clients as well. Each level in the hierarchy is a stratum; stratum-0 is a reference clock. Stratum-1 servers synchronize their clocks with reference clocks. Stratum-2 servers synchronize their clocks with stratum-1 servers, and so forth. The stratum number indicates the number of levels between the NTP server and the reference clock. A higher stratum number could indicate more variance between the NTP server and the reference clock. You can configure a NIOS appliance to function as an NTP client that synchronizes its clock with an NTP server. NTP clients typically use time information from at least three different sources to ensure reliability and a high degree of accuracy. There are a number of public NTP servers on the Internet with which the NIOS appliance can synchronize its clock. For a list of these servers, you can access http://www.ntp.org. In a grid, the grid master and grid members can function as NTP clients that synchronize their clocks with external NTP servers. They can in turn function as NTP servers to other appliances in the network. This allows you to deploy multiple NTP servers to ensure accurate and reliable time across the network. To configure the grid master and grid members as NTP clients, you must first enable the NTP service and configure external NTP servers at the grid level. You can then configure the grid master and grid members to override the grid-level NTP servers and use their own external NTP servers. A grid member synchronizes its clock with the grid master if you do not configure it to use external NTP servers.
NIOS 4.3r5
125
Figure 4.1 Infoblox Appliances as NTP Servers

Internet Stratum-1 NTP servers use reference clocks to synchronize their time to UTC (Coordinated Universal Time). Reference Clocks
Stratum-1 NTP Servers Grid Member 2 synchronizes its clock with an external NTP server. It also functions as a stratum-2 NTP server to external devices on its network. Grid Master Grid Member 2
As an NTP client, the grid master synchronizes its time with stratum-1 NTP servers. The grid master also functions as a stratum-2 NTP server to Grid Member 1. NTP messages between the grid master and Grid Member 1 go through encrypted VPN tunnels.
As an NTP client, Grid Member 1 synchronizes its clock with the grid master. It also functions as a stratum-3 NTP server to external devices on its network.
Grid Member 1
VPN Tunnel
2 Network
1 Network
Authenticating NTP
To prevent intruders from interfering with the time services on your network, you can authenticate communications between a NIOS appliance and a public NTP server, and between a NIOS appliance and external NTP clients. NTP communications within the grid go through an encrypted VPN tunnel, so you do not have to enable authentication between members in a grid. NTP uses symmetric key cryptography, where the server and the client use the same algorithm and key to calculate and verify a MAC (message authentication code). The MAC is a digital thumbprint of the message that the receiver uses to verify the authenticity of a message. As shown in Figure 4.2, the NTP client administrator must first obtain the secret key information from the administrator of the NTP server. The server and the client must have the same key ID and data. Therefore, when you configure the NIOS appliance as an NTP client and want to use authentication, you must obtain the key information from the administrator of the external NTP server and enter the information on the NIOS appliance. When you configure a NIOS appliance as an NTP server, you must create a key and send the key information to clients in a secure manner. A key consists of the following: Key Number: A positive integer that identifies the key. Key Type: Specifies the key format and the algorithm used to calculate the MAC (message authentication code) of a message. M: The key is a 1-31 character ASCII string using MD5 (Message Digest). S: The key is a 64-bit hexadecimal number in DES (Data Encryption Standard) format. The high order 7 bits of each octet form the 56-bit key, and the low order bit of each octet is given a value so that the octet maintains odd parity. You must specify leading zeros so the key is exactly 16 hexadecimal digits long and maintains odd parity. A: The key is a DES key written as a 1-8 character ASCII string.
N: The key is a 64-bit hexadecimal number in NTP format. It is the same as the S format, but the bits in each octet have been rotated one bit right so the parity bit is in the high order bit of the octet. You must specify leading zeros and odd parity must be maintained. Key String: The key data used to calculate the MAC. The format depends on the Key Type you select. When the NTP client initiates a request for time services to the NTP server, it creates the MAC by using the agreed upon algorithm to compress the message and then encrypts the compressed message (which is also called a message digest) with the secret key. The client appends the MAC to the message it sends to the NTP server. When the NTP server receives the message from the client, it performs the same procedure on the message it compresses the message it received, encrypts it with the secret key and generates the MAC. It then compares the MAC it created with the MAC it received. If they match, the server continues to process and respond to the message. If the MACs do not match, the receiver drops the message.
Figure 4.2 NTP Client Administrator Obtaining Secret Key from NTP Server Administrator
NTP Server Secret Key Administrator Information
NTP Client Administrator
NTP Client
NTP server administrator sends the secret key information to the NTP client administrator, who adds the key to the NTP client.
Message
When the NTP client sends a request for time services to the NTP server, it uses the agreed upon algorithm and secret key to create the MAC (message authorization code). It then sends the MAC and message to the NTP server.
MD5 or DES Message Digest Message
MAC
+ MAC
Encrypted with Secret Key
MD5 or DES Message Digest
MAC Encrypted with Secret Key
NTP server uses the agreed upon algorithm and secret key to create the MAC. It compares this MAC with the MAC it received. If they match, the server responds to the request of the client for time services. If the MACs do not match, the server ignores the message from the client.
NIOS 4.3r5
127
NIOS Appliance as NTP Client

You can configure an independent NIOS appliance, a grid master, or any grid member in a grid as an NTP client that synchronizes its system clock with an external NTP server. When you enable a NIOS appliance to function as an NTP client, you must specify at least one NTP server with which the appliance can synchronize its clock. If you specify multiple NTP servers, you should specify servers that synchronize their time with different reference clocks and that have different network paths. This increases stability and reduces risk in case a server fails. For a list of public NTP servers, you can access www.ntp.org. When you specify multiple NTP servers, the NTP daemon on the appliance determines the best source of time by calculating round-trip time, network delay, and other factors that affect the accuracy of the time. NTP periodically polls the servers and adjusts the time on the appliance until it matches the best source of time. If the difference between the appliance and the server is less than five minutes, the appliance adjusts the time gradually until the clock time matches the NTP server. If the difference in time is more than five minutes, the appliance immediately synchronizes its time to match that of the NTP server. To secure communications between a NIOS appliance and an NTP server, you can authenticate communications between the appliance and the NTP server. When you configure authentication, you must obtain the key information from the administrator of the NTP server and enter the key on the appliance. For information, see Authenticating NTP on page 126. In a grid, you can configure the grid master and grid members to synchronize their clocks with external NTP servers. When you enable the NTP service on the grid, the grid master automatically functions as an NTP server to the grid members. A grid member can synchronize its time with the grid master, an external NTP server, or another grid member. Like all other grid communications, the grid master and its members send NTP messages through an encrypted VPN tunnel.
Figure 4.3 Grid Master as NTP Client

NTP Server 1 NTP Server 2 NTP Server 3 NTP Server 4
Secret Keys
The grid master uses three public NTP servers to calibrate its clock to the correct time. It uses symmetric key cryptography to authenticate NTP messages. Internet The grid master serves time to Grid Member 1. All NTP communications with the grid go through encrypted VPN tunnels.
Grid Master
VPN Tunnels
Grid Member 1
Grid Member 2
Grid Member 2 synchronizes its clock with a public NTP server. The grid master serves as a backup NTP server when the member cannot reach the public NTP server.
128
NIOS 4.3r5
Configuring a NIOS Appliance as an NTP Client

In a grid, the grid master and grid members can synchronize their clocks with external NTP servers. They then forward the clock time to other appliances in the network. Likewise, in an independent HA pair, the active node communicates directly with an external NTP server. The passive node then synchronizes its clock with the active node. In a grid, you must first enable the NTP service and configure external NTP servers at the grid level before you configure the grid master and grid members as NTP clients. To configure an independent appliance, a grid master, or a grid member as an NTP client, perform the following tasks: Enable the NTP service. For information, see Enabling the NTP Service on page 129. Specify one or more external NTP servers. For information, see Specifying External NTP Servers on page 129. Optionally, enable authentication between the appliance and the NTP server if the NTP server requires authentication. For information, see Managing Authentication Keys on page 131.
Enabling the NTP Service

To enable the NTP service at the grid level: 1. For a grid: From the Grid perspective, click + (for grid ) -> + (for Services ) -> NTP -> Edit -> Service Properties. or For an independent NIOS appliance or HA pair: From the Device perspective, click + (for hostname ) -> NTP -> Edit -> Service Properties. 2. In the NTP Properties editor, select the Enable NTP check box .
Specifying External NTP Servers

To specify external NTP servers: 1. For a grid: From the Grid perspective, click + (for grid ) -> + (for Services ) -> NTP -> Edit -> Service Properties. or For an independent NIOS appliance or HA pair: From the Device perspective, click + (for hostname ) -> NTP -> Edit -> Service Properties. or For a grid master or grid member: From the Grid perspective, click + (for grid ) -> + (for Members) -> + (for Services ) -> NTP -> Edit -> Service Properties. In the Member NTP Properties editor, do the following: Enable use of external NTP server for this member: Select this check box to enable this grid member to use external NTP servers. When you select this check box, you must enter at least one external NTP server for the member. Exclude grid master as NTP server: Select this check box if you want to exclude the grid master from being one of the time sources. By default, the appliance automatically configures the grid master as the backup NTP server for a grid member. When the member cannot reach any of its configured NTP servers, it uses the grid master as the NTP server. The appliance does not display the grid master in the NTP external server list. For a grid master, this check box has no meaning. 2. Click Add in the External NTP Servers section. 3. In the NTP External Server dialog box, enter the following information, and then click OK. NTP Server Address: You can enter either the IP address or the resolvable host name of an NTP server. You can view a list of public NTP servers at ntp.isc.org. To check whether the DNS server can resolve the NTP server host name, click Resolve. You must have a DNS name resolver configured. For information, see Enabling DNS Resolution on page 164. Enable Authentication: Select this check box to enable authentication of NTP communications between the external NTP server and the NIOS appliance (the grid master or grid member in a grid, an independent NIOS appliance, or the active node in an independent HA pair).
Note: To prevent intruders from interfering with the time services on your network, you can authenticate communications between a grid member and an external NTP server, as well as between a grid member and external NTP clients. NTP communications within the grid go through an encrypted VPN tunnel, so you do not have to enable authentication between the grid master and grid members. Authentication Key: Click Select Key. In the Select NTP Authentication Key dialog box, select a key that you previously entered, and then click OK. Note that you must enter authentication keys at the grid level when you configure a grid master or grid member to use external NTP servers. For information, see Entering an NTP Authentication Key on page 130. 4. Click the Save and Restart Services icons.
Managing External NTP Servers

You can specify multiple NTP servers for failover purposes. The NIOS appliance attempts to connect to the NTP servers in the order they are listed. A grid member uses the grid master as the NTP server when it cannot reach any of its external NTP servers. You can change the order of the list by selecting an NTP server and using the Move Up and Move Down buttons. You can add and delete servers and modify their information as well.
Entering an NTP Authentication Key

To add an NTP authentication key: 1. For a grid: From the Grid perspective, click + (for grid ) -> + (for Services ) -> NTP -> Edit -> Service Properties. or For an independent NIOS appliance or HA pair: From the Device perspective, click + (for hostname ) -> NTP -> Edit -> Service Properties. or For a grid master or grid member: From the Grid perspective, click + (for grid ) -> + (for Members) -> + (for Services ) -> NTP -> Edit -> Service Properties. 2. To enter a new authentication key, click Add in the NTP Authentication Keys section. 3. In the NTP Authentication Key dialog box, enter the following information. Number: A positive integer that identifies a key. Type: Specifies the key format and the algorithm used to calculate the MAC (message authentication code) of a message. MD5 in ASCII format (M): The key is a 1-31 character ASCII string using MD5 (Message Digest). DES in hex format (S): The key is a 64-bit hexadecimal number in DES (Data Encryption Standard) format. The high order 7 bits of each octet form the 56-bit key, and the low order bit of each octet is given a value so that the octet maintains odd parity. You must specify leading zeros so the key is exactly 16 hexadecimal digits long and maintains odd parity. DES in ASCII format (A): The key is a DES key written as a 1-8 character ASCII string. DES in NTP format (N): The key is a 64-bit hexadecimal number in NTP format. It is the same as the S format, but the bits in each octet have been rotated one bit right so the parity bit is in the high order bit of the octet. You must specify leading zeros and odd parity must be maintained. String: The key data used to calculate the MAC. The format depends on the Key Type you select. 4. Click OK. Note that if you enter a new key, the appliance checks if the key already exists in the key list. If the key exists, but either the key type or key string does not match, the NIOS appliance sends an error message.
130
NIOS 4.3r5
5. Click the Save and Restart Services icons. Note: When you configure a grid master or a grid member to use external NTP servers, you cannot override the grid-level authentication keys. You must use the authentication keys that you enter at the grid level.
Managing Authentication Keys

After you enter an authentication key, you can modify or delete it. Note that you cannot delete a key that an NTP server references. You must first delete all NTP servers that reference that key and then delete the key. To delete a key from the list: 1. For a grid: From the Grid perspective, click + (for grid ) -> + (for Services ) -> NTP -> Edit -> Service Properties. or For an independent appliance or HA pair: From the Device perspective, click + (for hostname ) -> NTP -> Edit -> Service Properties. or For a grid master or grid member: From the Grid perspective, click + (for grid ) -> + (for Members) -> + (for Services ) -> NTP -> Edit -> Service Properties. 2. In the NTP Properties or the Member NTP Properties editor, select the key that you want to delete from the NTP Authentication Keys list, and then click Delete. 3. Click the Save icon.
NIOS 4.3r5
131
NIOS Appliance as NTP Server

After you enable NTP on a grid, the grid membersincluding the grid mastercan function as NTP servers to clients in different segments of the network. Similarly, after you enable NTP on an independent appliance or an HA pair, and it synchronizes its time with an NTP server, you can configure it to function as an NTP server as well.
Figure 4.4 Grid Members as NTP Servers

NTP Server 1 NTP Server 2 NTP Server 3
Secret Keys The grid master uses three public NTP servers to calibrate its clock to the correct time. It uses symmetric key cryptography to secure NTP messages. The grid master serves time to the grid members. All NTP communications with the grid go through the encrypted VPN tunnels. The grid members serve time to devices on their networks. Each member uses symmetric key encryption to secure NTP messages. Each member also has an access control list that defines which appliances can access the time services. When a client that is not on the list tries to access an appliance functioning as an NTP server, the appliance ignores the message.
Internet
Grid Master Access Control List Grid Member
VPN Tunnels
Grid Member
3 Network
2 Network
To configure a NIOS appliance as an NTP server, perform the following tasks: Enable the appliance as an NTP server. Enable authentication between the appliance and its NTP clients. Optionally, specify which clients can access the NTP service of the appliance. Optionally, specify which clients can use ntpq to query the appliance.
132
NIOS 4.3r5
Configuring a NIOS Appliance as an NTP Server

You can configure a grid memberincluding the grid masteror an independent appliance or HA pair to function as an NTP server. When you enable a NIOS appliance to function as an NTP server, you can enable authentication between a NIOS appliance functioning as an NTP server and its NTP clients. When you enable authentication, you must specify the keys that the appliance and its clients must use for authentication. In a grid, you can enter NTP authentication keys at the grid level so that all the members can use them to authenticate their clients. You can also enter keys at the member level, if you want that member to use different keys from those set at the grid level. However, when you configure a grid member to use external NTP servers, you must enter keys at the grid level. After you enter the keys, you can download the key file and distribute the file to the NTP clients. To enable an appliance as an NTP server and authenticate NTP traffic between a NIOS appliance and an NTP client, perform the following tasks: Enable an appliance as an NTP server and define authentication keys. For information, see Enabling an Appliance as an NTP Server on page 133. Optionally, define NTP access control. For information, see Defining NTP Access Control on page 134. Optionally, define NTP query access control. For information, see Defining Query Access Control on page 134.
Enabling an Appliance as an NTP Server

To enable an appliance as an NTP server and add authentication keys: 1. For a grid: From the Grid perspective, click + (for grid ) -> + (for Services ) -> NTP -> Edit -> Service Properties. or For an independent appliance or HA pair: From the Device perspective, click + (for hostname ) -> NTP -> Edit -> Service Properties. or For a grid master or grid member: From the Grid perspective, click + (for grid ) -> + (for Members ) -> + (for
hostname ) -> NTP -> Edit -> Service Properties. In the Member NTP Properties editor, do the following:
Enable this member as an NTP server: Select this check box to configure a grid master or a grid member as an NTP server. Override Grid NTP authentication setting: Select this check box to enter NTP authentication keys at the member level. The member uses these keys when acting as an NTP server and authenticates requests from NTP clients. Clear the check box to use the grid-level authentication keys. Note: When you configure a grid master or a grid member to use external NTP servers, you cannot override the grid-level NTP authentication settings. You must use the grid-level authentication keys or enter keys at the grid level. 2. Click Add in the NTP Authentication Keys section. For information, see Entering an NTP Authentication Key on page 130. 3. Click the Save icon. After you enter the authentication keys, you can download the key file (usually called ntp.keys) and distribute it to the NTP clients. To copy an NTP authentication key for distribution to NTP clients: 1. For a grid: From the Grid perspective, click + (for grid ) -> + (for Services ) -> NTP -> Edit -> Service Properties. or For an independent appliance or HA pair: From the Device perspective, click + (for hostname ) -> NTP -> Edit -> Service Properties. or For a grid master or a grid member: From the Grid perspective, click + (for grid ) -> + (for Members ) -> + (for hostname ) -> NTP -> Edit -> Service Properties.
2. Choose the key in the NTP Authentication Keys list, and then click Modify. 3. Note the key number and type, and select the contents of the String field.Paste the key string in a text file and include the key number and type (M, S, A, or N) in the file. 4. Distribute this to the NTP clients using a secure transport.
Defining NTP Access Control

The NTP access control list specifies which clients can use a NIOS appliance as an NTP server. If you do not use the access control list, then the NIOS appliance does not allow access to its NTP service. To specify which clients can access the NTP service of a NIOS appliance: 1. For a grid: From the Grid perspective, click + (for grid ) -> + (for Services ) -> NTP -> Edit -> Service Properties. or For an independent appliance or HA pair: From the Device perspective, click + (for hostname ) -> NTP -> Edit -> Service Properties. or For a grid master or a grid member: From the Grid perspective, click + (for grid ) -> + (for Members ) -> + (for
hostname ) -> NTP -> Edit -> Service Properties. In the Member NTP Properties editor, do the following:
Enable this member as an NTP server: Select this check box to configure a grid master or a grid member as an NTP server. Override Grid NTP access control: Select this check box to enter IP addresses for NTP access control at the member level instead of using the grid-level list. Enter the clients that can use this member as an NTP server in the Add Access Range dialog box. Clear the check box to use the grid-level access control list. 2. Click Add in the NTP Access Control section. 3. In the Add Access Range dialog box, select one of the following in IP Address Option, and then click OK. Address: The appliance allows a client from a single IP address to use its NTP service. Enter the IP address in the Address field. Network: The appliance allows clients from a subnet to use its NTP service. Enter the network address in the Address field, and then choose an appropriate netmask from the Subnet Mask drop-down list. Any: The appliance allows clients from any address to use its NTP service. 4. Click the Save icon.
Defining Query Access Control

The NIOS appliance can accept queries from clients using ntpq, the standard utility program used to query NTP servers about their status and operational parameters. The NTP query access control list specifies from which clients the NIOS appliance is allowed to accept ntpq queries. If you do not use this list, then the appliance does not accept ntpq queries from any client. To specify from which clients a NIOS appliance can accept ntpq queries: 1. For a grid: From the Grid perspective, click + (for grid ) -> + (for Services ) -> NTP -> Edit -> Service Properties. or For an independent appliance or HA pair: From the Device perspective, click + (for hostname ) -> NTP -> Edit -> Service Properties. or For a grid master or a grid member: From the Grid perspective, click + (for grid ) -> + (for Members ) -> + (for
hostname ) -> NTP -> Edit -> Service Properties.
134
NIOS 4.3r5
In the Member NTP Properties editor. do the following: Enable this member as an NTP server: Select this check box to configure a grid master or a grid member as an NTP server. Override Grid NTP query access control: Select this check box to enter IP addresses for NTP query access control at the member level instead of using the grid-level list. Enter the clients from which this member is allowed to accept ntpq queries in the Add NTP Query Client dialog box. Clear the check box to use the grid-level query access control list. 2. In the Add NTP Query Client dialog box, select one of the following in IP Address Option, and then click OK. Address: The appliance accepts ntpq queries from specific NTP clients. Enter the IP address in the Address field. Network: The appliance accepts ntpq queries from a subnet. Enter the network address in the Address field, and then choose an appropriate netmask from the Subnet Mask drop-down list. Any: The appliance accepts ntpq queries from any address. 3. Click the Save icon.
NIOS 4.3r5
135
Scheduling Tasks
You can schedule tasks, such as adding hosts or modifying fixed addresses, for a future date and time. The scheduling feature is useful when you want to add, modify, or delete specific records at a desired date and time. Using this feature, you can streamline your day-to-day operations. For example, you can schedule the deletion of records that you use for testing when the test time is up. You can also reassign an IP address to a fixed address when the location of the server to which the fixed address is assigned changes from one network to another. You can schedule the addition, modification, and deletion of the following objects: DNS resource records (except SOA records) Hosts Bulk hosts Shared records Fixed addresses
To schedule tasks and view scheduled tasks, superusers must first enable the scheduling feature at the grid level. For information, see Enabling and Disabling Task Scheduling on page 136. Only superusers can enable and disable this feature and grant scheduling permissions. When the scheduling permission is added or inherited from an admin role, limited-access admin groups can schedule tasks. They can also view, reschedule, and delete their own scheduled tasks. For information, see Administrative Permissions for Scheduling Tasks on page 90.
Enabling and Disabling Task Scheduling

You can enable and disable task scheduling at the grid level only. The scheduling feature is disabled by default. You must enable it before you can schedule tasks. Any change to the current scheduling setting takes effect in the next login. If you enable the scheduling feature when it is currently disabled, you must log out and then log back in to the appliance before you schedule any task. Superusers can do the following to enable the scheduling feature: Enable task scheduling at the grid level Grant scheduling permissions to admin groups and admin roles
To enable scheduling at the grid level: 1. From the Grid perspective, select grid -> Edit -> Grid Properties. 2. In the Grid Properties section, select the Enable task scheduling check box. 3. Click the Save icon. 4. Log out and log back in to the appliance. To grant scheduling permissions to an admin group or an admin role: 1. Follow the steps as described in Applying Permissions and Managing Conflicts on page 79. Ensure that you select Schedule Tasks in the Resource column of the Add Permissions dialog box. You can disable the scheduling feature after you enabled it by deselecting the Enable task scheduling check box in the Grid Properties section. Ensure that you click the Save icon. When you disable the scheduling feature, the appliance immediately deletes all pending scheduled tasks and you cannot schedule any task.
Scheduling a Task
After you schedule a task, administrators cannot modify the object associated with the scheduled task until after the appliance executes the task. However, the object can still be updated with DHCP leases and other auto-generated services. The appliance implements the scheduled tasks in the order of their scheduled times. You get a warning message when the scheduled time of your task coincides with that of another scheduled task. You can choose to continue with the operation or reschedule the task for a different date and time. The appliance can handle up to 500 scheduled tasks from all users.
136
NIOS 4.3r5
Scheduling Tasks
To schedule a task: 1. Add, modify, or delete a record according to the instructions for the task in this guide. 2. After you complete the configuration, ensure that you click the Schedule Save icon a later date and time. 3. In the Schedule Change dialog box, do the following: Now: Select this to have the appliance perform the task now. Schedule: Select this to schedule the task for a future date and time. This is selected by default. Date: Enter the date when you want the appliance to perform the task. The appliance displays todays date. Time: Enter the time when you want the appliance to perform the task. Time Zone: Select the time zone for the scheduled date and time. Admin Local Time: The appliance displays the scheduled date and time in the admins local time zone. You cannot edit this field. 4. Click OK. The appliance executes the task at the scheduled date and time. It also displays the pending scheduled task in the Scheduled Tasks panel. For information, see Viewing Scheduled Tasks on page 137. to schedule the task for
Viewing Scheduled Tasks

The appliance logs the scheduled tasks in the audit log and displays the pending tasks in the Scheduled Tasks panel of the Grid perspective. In the Scheduled Tasks section of the Home perspective, the appliance displays up to eight tasks with the earliest scheduled start time. You can view scheduled tasks in the following:
Scheduled Tasks section from the Home perspective. For information, see Home Perspective on page 137. Scheduled Tasks panel from the Grid perspective. For information, see Grid Perspective on page 137.
Home Perspective
The Scheduled Tasks section of the Home perspective displays the following information for each task. Scheduled Time: The date, time, and time zone of the scheduled task. Affected Object: The name of the object that is associated with the task. For example, if the task involves an A record, this field displays the domain name of the record. If it is a fixed address, it displays the IP address of the fixed address. Action: The operation the appliance performs in this task. The value can be one of the following: INSERT: Addition UPDATE: Modification DELETE: Deletion To view a complete list of scheduled tasks, click See Complete List in the Scheduled Tasks section. The appliance displays the Scheduled Tasks panel in the Grid perspective. For information, see Grid Perspective on page 137.
Grid Perspective
The Scheduled Tasks panel of the Grid perspective displays the pending scheduled tasks that the admin is allowed to view. Superusers can view all scheduled tasks, and limited-access admins can view their own scheduled tasks. To view scheduled tasks in this panel, from the Grid perspective, click grid -> View -> Scheduled Tasks. The report displays the following information for each task: ID: The task ID in chronological order based on the date, time, and time zone when the task is scheduled. Scheduled Time: The date, time, and time zone when the task will be executed. Submitted Time: The data, time, and time zone when the task was submitted. Submitter: The admin who scheduled the task.
NIOS 4.3r5
137
Affected Object: The name of the object that is associated with the task. For example, if the task involves an A record, this field displays the domain name of the record. If it is a fixed address, it displays the IP address of the fixed address. Object Type: The object type. For example, the appliance can display A Record or Fixed Address. Action: The operation the appliance performs in this task. The value can be one of the following: INSERT: Addition UPDATE: Modification DELETE: Deletion
Change Audit Log: The message that appears in the audit log.
You can click any column header, except for Change Audit Log, to sort the tasks in ascending order. By default, the appliance sorts the tasks by Scheduled Time.
Rescheduling and Deleting Scheduled Tasks

Only superusers can view, reschedule, and delete all scheduled tasks. Limited-access admins can view, reschedule, and delete their own scheduled tasks. The appliance sends email notifications to local admins when email notification is enabled at the grid level and any of the following happens: A superuser scheduled a task, and another superuser reschedules or deletes the task. A limited-access admin scheduled a task, and a superuser reschedules or deletes the task. A superuser or a limited-access admin scheduled a task, and the task failed.
Remote admins and local admins without email addresses do not receive email notifications. To reschedule a task: 1. From the Grid perspective, click grid -> View -> Scheduled Tasks. 2. In the Scheduled Tasks panel, select the task that you want to reschedule. 3. Right-click the task and select Reschedule. 4. In the Schedule Change dialog box, modify the date and time when you want the appliance to execute the task. 5. Click OK. To delete a scheduled task: 1. From the Grid perspective, click grid -> View -> Scheduled Tasks. 2. In the Scheduled Tasks panel, select the task that you want to delete. You can select multiple tasks using SHIFT+click and CRTL+click. 3. Right-click the task and select Remove. 4. In the Confirm Delete Request dialog box, click Yes. The appliance deletes the scheduled task and does not perform the scheduled operation. Therefore, no change is made to any record after you delete a scheduled task.
Guidelines for Upgrading, Backing Up, and Restoring the Database

You should take into consideration the impact on scheduled tasks when you perform any of the following: Upgrade the NIOS software: In a full upgrade, all scheduled tasks are deleted. In a lite upgrade, scheduled tasks are not deleted. Back up the NIOS database: All scheduled tasks are backed up for troubleshooting purpose. Restore the database: The scheduled tasks are not restored. Promote a grid member to a grid master: All scheduled tasks are deleted. Revert the NIOS software image: All scheduled tasks are deleted.
138
NIOS 4.3r5
Managing Security Operations

The procedures in this section apply to both independent and grid installations. You can specify these security operations:
Enabling Support Access on page 139 Enabling Remote Console Access on page 139 Permanently Disabling Remote Console and Support Access on page 140 Restricting HTTP Access on page 140 Enabling HTTP Redirection on page 141 Modifying GUI Session Timeout Settings on page 141 Disabling the LCD Input Buttons on page 141 Modifying Security for a Grid Member on page 142
Enabling Support Access

Infoblox Technical Support might need access to your NIOS appliance to troubleshoot problems. This function enables an SSH (Secure Shell) daemon that only Infoblox Technical Support can access. If you have any questions, contact Infoblox Technical Support at support@infoblox.com. By default, this option is disabled. To enable Infoblox Technical Support access: 1. From the Grid perspective, click grid -> Edit -> Grid Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. In the Grid (or Device) editor, click Security, and then select Enable Support access. 3. Click the Save icon. Note: When configuring grid members, you can selectively override the grid-level Support access setting at the member level.
Enabling Remote Console Access

This function makes it possible for a superuser admin to access the Infoblox CLI from a remote location using an SSH (Secure Shell) v2 client. The management system must have an SSH v2 client to use this function. After opening a remote console connection using an SSH client, log in using a superuser name and password. By default, this option is disabled. To enable remote console access: 1. From the Grid perspective, click grid -> Edit -> Grid Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. In the Grid (or Device) editor, click Security, and then select Enable remote console access. 3. Click the Save icon. Note: When configuring grid members, you can selectively override the grid-level remote console access setting at the member level.
NIOS 4.3r5
139
Permanently Disabling Remote Console and Support Access

You can permanently disable remote console (Secure Shell v2) access for appliance administration and for Infoblox Technical Support to perform remote troubleshooting. Disabling this type of access might be required in a high-security environment. WARNING: After permanently disabling remote console and support access, you cannot re-enable them! Not even resetting an appliance to its factory default settings can re-enable them. To permanently disable remote console access and Infoblox Technical Support access: 1. From the Grid perspective, click grid -> Edit -> Grid Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. In the Grid (or Device) editor, click Security, and then select Permanently disable remote console and support access. 3. Click the Save icon.
Restricting HTTP Access

You can specify the IP addresses from which administrators are allowed to access the NIOS appliance. When the NIOS appliance receives a connection request, it tries to match the source IP address in the request with IP addresses in the list. If there is at least one item in the HTTP Access Control list and the source IP address in the request does not match it, the NIOS appliance ignores the request. Caution: If you specify an address or network other than the one from which you are currently accessing the appliance, when you save your configuration, you will lose your administrative session and be unable to reconnect. To restrict HTTP access to the Infoblox GUI to select addresses: 1. From the Grid perspective, click grid -> Edit -> Grid Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. To set restrictions on the IP addresses from which administrators can access the NIOS appliance, select Enable HTTP access restrictions in the Security section, click Add, enter the following, and then click OK: Address Type: Address: To allow administrative access to the GUI from a single IP address, select this option and enter the IP address in the Address field. Note that if you specify an address other than the one from which you are currently accessing the appliance, when you save your configuration, you will lose your administrative session and be unable to reconnect. Network: To restrict administrative access to the GUI to a subnet, select this option and enter the network address in the Address field and choose an appropriate netmask from the drop-down list. Note that if you specify a subnet other than the one from which you are currently accessing the appliance, when you save your configuration, you will lose your administrative session and be unable to reconnect. 3. Click the Save icon to save your changes. The application restarts and your management session terminates. 4. From the JWS (Java Web Start) login prompt, log back in to the appliance.
140
NIOS 4.3r5
Enabling HTTP Redirection

You can enable the NIOS appliance to redirect administrative connection requests using HTTP to the secure HTTPS protocol. When you disable redirection, the NIOS appliance ignores any administrative connection requests not using HTTPS. By default, the NIOS appliance does not redirect HTTP connection requests to HTTPS. To enable redirection: 1. From the Grid perspective, click grid -> Edit -> Grid Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. In the Grid (or Device) editor, click Security, and then select Auto-Redirect HTTP -> HTTPS. 3. Click the Save icon to save your changes. The application restarts and your management session terminates. 4. From the JWS (Java Web Start) login prompt, log back in to the appliance.
Modifying GUI Session Timeout Settings

You can set the length of idle time before an administrative session to the Infoblox GUI times out. The default timeout value is 600 seconds (10 minutes). Note: If you change Session Timeout settings, you must log out of the session by selecting File -> Logout, and log back in. The setting takes effect only after you log out and log back in. To modify session timeout settings: 1. From the Grid perspective, click grid -> Edit -> Grid Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. Click Security n the Grid (or Device) editor and enter a number between 60 and 31536000 seconds (one minute one year) in the Session Timeout field. The default session timeout is 600 seconds (10 minutes). 3. Click the Save icon to save your changes. 4. Select File -> Logout to log out of the GUI. 5. Log back into the GUI to apply the new timeout value to the session. The GUI tracks mouse and keyboard activity. If there is no activity for the specified timeout interval, the appliance displays a message that the timeout has occurred. Click OK to restart the GUI.
Disabling the LCD Input Buttons

By default, the LCD input function is enabled, which allows you to use the LCD buttons on the front panel of a NIOS appliance to change the IP address settings of the LAN port. You can disable this function if the appliance is in a location where you cannot restrict access exclusively to NIOS appliance administrators and you do not want anyone to be able to make changes through the LCD. To disable LCD input to the appliance: 1. From the Grid perspective, click grid -> Edit -> Grid Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. In the Grid (or Device) editor, click Security, and then clear Enable LCD input. 3. Click the Save icon to save your changes.
NIOS 4.3r5
141
Modifying Security for a Grid Member

You can override a number of grid-level security settings at the member level. Note: You can only manage session timeout settings, HTTPS redirection, HTTP access, audit log rolling, password length, and login banner text at the grid level. To enable support access for a member: 1. From the Grid perspective, click + (for grid ) -> + (for Member ) -> member -> Edit -> Member Properties. 2. In the Grid (or Device) editor, click Security, and then enter the following: To override grid-level settings for remote console access, select the Override grid remote console access setting check box, and then select or clear the Remote console access enabled check box. To override grid-level settings for Infoblox Technical Support access, select the Override grid support access setting check box, and then select or clear the Enable support access check box. To override grid-level LCD input settings, select the Override grid support LCD input setting check box, and then select or clear the Enable LCD input check box. 3. Click the Save icon to save your changes.
142
NIOS 4.3r5
Ethernet Port Usage
Ethernet Port Usage

The three Ethernet ports on a NIOS appliance perform different functions, which vary depending on deployment and configuration choices. The three Ethernet ports that transmit and receive traffic to the NIOS appliance are as follows: LAN1 port This is the default port for single independent appliances, single grid members, and passive nodes in HA pairs. All deployments use the LAN port for management services if the MGMT port is disabled. On Infoblox-500, -1000, and -1200 appliances, this port is labeled LAN. On Infoblox-250, -550, -550-A, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000 appliances, it is labeled LAN1. LAN2 port The LAN2 port is not enabled by default. By default, an appliance uses the LAN1 port (and HA port when deployed in an HA pair). To enable and configure the LAN2 port, you must have read/write permission to the grid member on which you want to enable the port. The LAN2 port is available on Infoblox-250, 550-A, -1050-A, -1550-A, -1552-A, and -2000 appliances. HA port This is the default port for the active grid master node and the active node in an independent HA pair. MGMT port If the MGMT port is enabled, the NIOS appliance uses it for many types of management services (see Table 4.3 on page 145 for specific types).
Table 4.1 displays the type of traffic per port for both grid and independent deployments. For a more detailed list of the different types of traffic, see Table 4.3 on page 145. Table 4.1 Appliance Roles and Configuration, Communication Types, and Port Usage
Appliance Role HA Grid Master HA Grid Master Single Grid Master HA Grid Member HA Grid Member Single Grid Member Independent HA Pair Independent HA Pair Single Independent HA Grid Master HA Grid Master Single Grid Master HA Grid Member HA Grid Member Single Grid Member Independent HA Pair Independent HA Pair Single Independent HA Pair Yes Yes No Yes Yes No Yes Yes No Yes Yes No Yes Yes No Yes Yes No HA Status Active Passive Active Passive Active Passive Active Passive Active Passive Active Passive MGMT Port Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Database Synchronization VIP on HA LAN1 LAN1 LAN1 LAN1 LAN1 VIP on HA LAN1 VIP on HA LAN1 LAN1 LAN1 or MGMT LAN1 or MGMT LAN1 or MGMT VIP on HA LAN1 Core Network Services VIP on HA LAN1 VIP on HA LAN1 VIP on HA LAN1 VIP on HA LAN1 or MGMT VIP on HA LAN1 or MGMT VIP on HA LAN1 or MGMT Management Services LAN1 LAN1 LAN1 LAN1 LAN1 LAN1 LAN1 LAN1 LAN1 MGMT MGMT MGMT MGMT MGMT MGMT MGMT MGMT MGMT GUI Access VIP on HA LAN1 VIP on HA LAN1 MGMT MGMT MGMT MGMT
NIOS 4.3r5
143
Table 4.2 Appliance Roles and Configuration, Communication Types, and Port Usage for Appliances with LAN2 Ports
HA Status Active Passive Active Passive Active Passive Active Passive Database Synchronization VIP on HA LAN1 LAN1 LAN1 LAN1 LAN1 VIP on HA LAN1 VIP on HA LAN1 LAN1 Core Network Services VIP on HA LAN1 and/or LAN2 VIP on HA LAN1 and/or LAN2 VIP on HA LAN1 and/or LAN2 VIP on HA LAN1, LAN2 and/or MGMT VIP on HA LAN1, LAN2 and/or MGMT VIP on HA LAN1, LAN2 and/or MGMT Management Services LAN1 or LAN2 LAN1 or LAN2 LAN1 or LAN2 LAN1 or LAN2 LAN1 or LAN2 LAN1 or LAN2 LAN1 or LAN2 LAN1 or LAN2 LAN1 or LAN2 MGMT MGMT MGMT GUI Access VIP on HA LAN1 VIP on HA LAN1 MGMT MGMT
Appliance Role HA Grid Master HA Grid Master Single Grid Master HA Grid Member HA Grid Member Single Grid Member Independent HA Pair Independent HA Pair Single Independent HA Grid Master HA Grid Master Single Grid Master
MGMT Port Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Disabled Enabled Enabled Enabled
LAN2 Port Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled
HA Grid Member HA Grid Member Single Grid Member
Active Passive
Enabled Enabled Enabled
LAN1 or MGMT LAN1 or MGMT LAN1 or MGMT
MGMT MGMT MGMT
Independent HA Pair Independent HA Pair Single Independent
Active Passive
VIP on HA LAN1
MGMT MGMT MGMT
MGMT MGMT
To see the service port numbers and the source and destination locations for traffic that can go to and from a NIOS appliance, see Table 4.3. This information is particularly useful for firewall administrators so that they can set policies to allow traffic to pass through the firewall as required. Note: The colors in both tables represent a particular type of traffic and correlate with each other.
144
NIOS 4.3r5
Ethernet Port Usage
Table 4.3 Sources and Destinations for Services

Service Key Exchange VPN SRC IP LAN1 on grid member LAN1 on grid member DST IP VIP on HA grid master, or LAN1 on single master VIP on HA grid master, or LAN1 on single master Proto 17 UDP SRC Port 2114 DST Port 2114 Notes Initial key exchange for establishing VPN tunnels Required for Grid 17 UDP 1194 or 5002, or 1024 -> 63999 1194 or 5002, or 1024 -> 63999 Default VPN port 1194 for grids with new DNSone 3.2 installations and 5002 for grids upgraded to DNSone 3.2; the port number is configurable Required for Grid DHCP Client LAN1, LAN2, VIP, or broadcast on NIOS appliance Client 17 UDP 68 67 Required for DHCP service
DHCP
LAN1, LAN2 or VIP on NIOS appliance LAN1, LAN2 or VIP on Infoblox DHCP failover peer VIP on HA grid master or LAN1 or LAN2 on single master LAN1, LAN2, or VIP LAN1, LAN2 , VIP, or MGMT, or client
17 UDP
67
68
Required for DHCP service
DHCP Failover
LAN1, LAN2 or VIP on Infoblox DHCP failover peer LAN1, LAN2 or VIP on grid member in a DHCP failover pair LAN1, LAN2, or VIP LAN1, LAN2 , VIP, or MGMT
6 TCP
519
519
Required for DHCP failover
DHCP Failover
6 TCP
1024 -> 65535
7911
Informs functioning grid member in a DHCP failover pair that its partner is down Required for DHCP failover
DDNS Updates DNS Transfers
17 UDP 6 TCP
1024 -> 65535 53, or 1024 -> 65535
53 53
Required for DHCP to send DNS dynamic updates For DNS zone transfers, large client queries, and for grid members to communicate with external name servers Required for DNS For DNS queries Required for DNS
DNS Queries NTP
Client
LAN1, LAN2, VIP, or broadcast on NIOS appliance VIP, LAN1 or LAN2
17 UDP
53, or 1024 -> 65535 1024 -> 65535
53
NTP client
17 UDP
123
Required if the NIOS appliance is an NTP server
NIOS 4.3r5
145
Service RADIUS Authentication
SRC IP NAS (network access server)
DST IP LAN1 or VIP
Proto 17 UDP
SRC Port 1024 65535
DST Port 1812
Notes For proxying RADIUS Authentication-Requests. The default destination port number is 1812, and can be changed to 1024 63997. When configuring an HA pair, ensure that you provision both LAN IP addresses on the RADIUS server. For proxying RADIUS Accounting-Requests. The default destination port number is 1813, and can be changed to 1024 63998. Required to proxy requests from RADIUS clients to servers. The default source port number is 1814, and although it is not configurable, it is always two greater than the port number for RADIUS authentication. Required to respond to the UNIX-based traceroute tool to determine if a destination has been reached Required for response from ICMP echo request (ping) Required to send pings and respond to the Windowsbased traceroute tool Gateway sends an ICMP TTL exceeded message to a Windows client, which then records router hops along a data path Required to synchronize Grid, TSIG authentication, and DHCP failover Optional for synchronizing logs among multiple appliances
RADIUS Accounting
NAS (network access server)
LAN1 or VIP
17 UDP
1024 65535
1813
RADIUS Proxy
LAN1 or VIP
RADIUS home server
17 UDP
1814
1024 -> 63997 (auth), or 1024 -> 63998 (acct)
ICMP Dst Port Unreachable ICMP Echo Reply ICMP Echo Request ICMP TTL Exceeded
VIP, LAN1, LAN2, or MGMT, or UNIX-based client VIP, LAN1, LAN2, or MGMT, or client VIP, LAN1, LAN2, or MGMT, or client Gateway device (router or firewall)
LAN1, LAN2, or UNIX-based client VIP, LAN1, LAN2, or MGMT, or client VIP, LAN1, LAN2, or MGMT, or client Windows client
1 ICMP Type 3
1 ICMP Type 0 1 ICMP Type 8 1 ICMP Type 11
NTP
LAN1 on active node of grid master or LAN1 of independent appliance LAN1, LAN2, or VIP
NTP server
17 UDP
1024 -> 65535
123
SMTP
Mail server
6 TCP
1024 -> 65535
25
Required if SMTP alerts are enabled
146
NIOS 4.3r5
Ethernet Port Usage
Service SNMP
SRC IP NMS (network management system) server VIP on grid master or HA pair, LAN1 or MGMT on independent appliance
DST IP VIP, LAN1, LAN2, or MGMT NMS server
Proto 17 UDP
SRC Port 1024 -> 65535 1024 -> 65535
DST Port 161
Notes Required for SNMP management Required for SNMP trap management. Uses MGMT as the source IP when enabled. Uses VIP on grid master or HA pair, or LAN1 on independent appliance when MGMT is disabled.
SNMP Traps
17 UDP
162
SSHv2
Client
LAN1, LAN2, VIP, or MGMT on NIOS appliance
6 TCP
1024 -> 65535
22
Administrators can make an SSHv2 connection to the LAN1, LAN2, VIP, or MGMT port Optional for management Required for remote syslog logging NIOS appliance responds with ICMP type code 3 (port unreachable) For contacting a TFTP server during database and configuration backup and restore operations Required if the HTTP-redirect option is set on the grid properties security page Required for administration through the GUI
Syslog
LAN1, LAN2, or MGMT of NIOS appliance LAN1, LAN2, or UNIX-based appliance LAN1 or MGMT
syslog server
17 UDP
1024 -> 65535 1024 -> 65535 1024 -> 65535
514
Traceroute
VIP, LAN1, LAN2, or MGMT, or client TFTP server
17 UDP
33000 -> 65535 69, then 1024 -> 63999 80
TFTP Data
17 UDP
HTTP
Management System Management System
VIP, LAN1, or MGMT VIP, LAN1, or MGMT
6 TCP
1024 -> 65535 1024 -> 65535
HTTPS/ SSL
6 TCP
443
NIOS 4.3r5
147
Modifying Ethernet Port Settings

By default, the NIOS appliance automatically negotiates the optimal connection speed and transmission type (full or half duplex) on the physical links between the 10/100Base-T and 10/100/1000Base-T ports on the NIOS appliance and the Ethernet ports on a connecting switch. It is usually unnecessary to change the default auto-negotiation setting; however, you can manually configure connection settings for a port if necessary. Occasionally, for example, even though both the NIOS appliance and the connecting switch support 1000-Mbps (megabits per second) full-duplex connections, they might fail to auto-negotiate that speed and type, and instead connect at lower speeds of either 100 or 10 Mbps using potentially mismatched full- and half-duplex transmissions. If this occurs, first determine if there is a firmware upgrade available for the switch. If so, apply the firmware upgrade and test the connection. If that does not resolve the issue, manually set the ports on the NIOS appliance and on the switch to make 1000-Mbps full-duplex connections. To change Ethernet port settings: 1. From the Grid perspective, click + (for grid ) -> + (for Member ) -> member -> Edit -> Member Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. Note: You must enable the MGMT port before modifying its port settings. See Using the MGMT Port on page 153. 2. In the Grid Member or Device editor, click LAN/HA Ports, MGMT Port, or LAN2 Port, and then enter the following for Node 1 and for Node 2, if the appliance is in an HA pair: Use Automatic [ LAN | HA | MGMT | LAN2 ] Port Settings: Clear check box. [ LAN | HA | MGMT | LAN2 ] Speed: Choose the connection speed that you want the port to use. [ LAN | HA | MGMT | LAN2 ] Duplex: Choose Full for concurrent bidirectional data transmission or Half for data transmission in one direction at a time. 3. Click the Save icon to save your changes. Note: The port settings on the connecting switch must be identical to those you set on the NIOS appliance.
148
NIOS 4.3r5
Using the LAN2 Port
Using the LAN2 Port

The LAN2 port is a 10/100/1000Base-T Ethernet connector on the front panel of Infoblox-250, 550-A, -1050-A, -1550-A, -1552-A, and -2000 appliances. The LAN2 port is not enabled by default. By default, an appliance uses the LAN1 port (and HA port when deployed in an HA pair). To enable and configure the LAN2 port, you must have read/write permission to the grid member on which you want to enable the port. When you enable the LAN2 port and SNMP, the appliance sends traps from this port for LAN2 related events. You can configure the LAN2 port in different ways. You can enable the NIC failover feature which groups the LAN1 and LAN2 ports into one logical interface. Alternatively, you can configure the LAN2 port on a different IP network than LAN1, and enable the LAN2 port to provide DNS and DHCP services. In addition, you can use the IP address of the LAN2 port as the captive portal IP address in the NAC Foundation module. For information about these features, see the following sections: For information about the NIC Failover feature, see NIC Failover on page 150. For information about configuring the LAN2 port to provide DHCP services, see Enabling DHCP on LAN2 on page 151. For information about configuring the LAN2 port to provide DNS services, see Enabling DNS on LAN2 on page 152. For information about configuring the LAN2 port as the captive portal IP address, see Configuring the Captive
Portal on page 658.

Note that you cannot use the LAN2 port to access the GUi or to connect to the grid.
NIOS 4.3r5
149
NIC Failover
You can use the LAN2 port in conjunction with the NIC failover feature to provide redundancy and additional fault tolerance in your network. When you enable the NIC failover feature, the LAN1 and LAN2 ports are grouped into one logical interface. They share one IP address and appear as one interface to the network. Then, if a link to one of the ports fails or is disabled, the appliance fails over to the other port, avoiding a service disruption. You can connect the LAN1 and LAN2 ports to the same switch or to different switches, but they must be on the same VLAN. One port is active and the other port is idle at all times. The other port becomes active only when the previously active port fails. The LAN1 and LAN2 ports share the IP address of the LAN1 port; the port that is currently active owns the IP address. When you enable services on the appliance, such as DNS and DHCP, clients send their service requests to the LAN1 port IP address and receive replies from it as well. The port supports the services and features supported on the LAN1 port as listed in Table 4.2 and Table 4.3. Note that you cannot enable NIC failover, if the LAN2 port is serving DNS or DHCP. As shown in Figure 4.5, the appliance is connected to the grid through its MGMT port, and the LAN1 and LAN2 ports are connected to the same switch. NIC failover is enabled and the LAN1 and LAN2 port share the IP address of the LAN1 port, which is 1.1.1.5. In the illustration, LAN1 is the active port. You can enable NIC failover on a single independent appliance or grid member. You cannot enable this feature on an HA pair.
Figure 4.5 Using the NIC Failover Feature
Grid Master
LAN1 10.1.1.5 Private Network 10.1.1.0/24 for Grid Communications and Appliance Management MGMT 10.1.1.20 LAN1 LAN2 The LAN1 and LAN2 ports share the LAN1 IP address. Only 1 port is active at anytime. LAN1 1.1.1.5
Clients send service requests and replies to the LAN1 IP address.
Public Network 1.1.1.0/24 DNS and DHCP Services
150
NIOS 4.3r5
Using the LAN2 Port
To enable the LAN2 port and the NIC failover feature: 1. From the Grid perspective, click + (for grid ) -> + (for Member ) -> grid_member -> Edit -> Member Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. In the Grid Member editor, click LAN2 Port to expand the section, and then enter the following: Enable LAN2: Select this check box. Enable NIC failover for LAN1 and LAN2: Select this check box. The appliance greys out the IP address field. You cannot enter a separate IP address for the LAN2 port because the LAN1 and LAN2 ports share the IP address of the LAN1 port. 3. Click the Save and Restart Services icons. The Detailed Status panel displays the status of both the LAN1 and LAN2 ports.
Enabling DHCP on LAN2

You can configure an appliance to provide DHCP services through the LAN1 port only, the LAN2 port only, or both the LAN1 and LAN2 ports. Note that when you enable both ports, they must be connected to different subnets. To enable DHCP on LAN2: 1. From the Grid perspective, click + (for grid ) -> + (for Member ) -> grid_member -> Edit -> Member Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. In the Grid Member editor, click LAN2 Port to expand the section, and then enter the following: Enable LAN2: Select this check box. Configure LAN2 IP address: Select this check box and specify the following: V(IP) Address: Enter the IP address of the LAN2 port, which must be in a different subnet from that of the LAN1 port. Subnet Mask: Select the appropriate netmask. Gateway: Enter the IP address of the default gateway of the LAN2 port.
LAN2 Virtual Router ID (if HA): If the appliance is in an HA pair, enter a VRID number. 3. From the DHCP and IPAM perspective, select the DHCP Members tab, and then click + (for grid ) -> + (for Member ) -> grid_master -> Edit -> Member Properties. 4. Click General Properties to expand the section and do the following: Enable DHCP service on the LAN2 port: Select this check box. 5. Click the Save and Restart Services icons.
NIOS 4.3r5
151
Enabling DNS on LAN2

If you enable DNS on an appliance, it always serves DNS on the LAN1 port. Optionally, you can configure the appliance to provide DNS services through the LAN2 port as well. For example, the appliance can provide DNS services through the LAN1 port for internal clients on a private network, and DNS services through the LAN2 port for external clients on a public network. To enable DNS on LAN2: 1. From the Grid perspective, click + (for grid ) -> + (for Member ) -> grid_member -> Edit -> Member Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. In the Grid Member editor, click LAN2 Port to expand the section, and then enter the following: Enable LAN2: Select this check box. Configure LAN2 IP address: Select this check box and specify the following: V(IP) Address: Enter the IP address of the LAN2 port, which must be in a different subnet from that of the LAN1 port. Subnet Mask: Select the appropriate netmask. Gateway: Enter the IP address of the default gateway of the LAN2 port.
LAN2 Virtual Router ID (if HA): If the appliance is in an HA pair, enter a VRID number. 3. From the DNS perspective, select the DNS Members tab, and then click + (for grid ) -> + (for Member ) -> grid_master -> Edit -> Member Properties. 4. Click General Properties to expand the section and do the following: Enable DNS service on the LAN2 port: Select this check box and specify the following: Automatically create glue A and PTR records for LAN2 IP: The NIOS appliance can automatically generate A (address) and PTR records for a primary name server whose host name belongs to the name space of the zone. Select this check box to enable the appliance to automatically generate an A and PTR record. Select one of the following from the Source queries, notifies, and zone transfer requests drop-down list: VIP: The appliance uses the IP address of the HA port as the source for queries, notifies, and zone transfer requests. MGMT: The appliance uses the IP address of the MGMT port as the source for queries, notifies, and zone transfer requests. LAN2: The appliance uses the IP address of the LAN2 port as the source for queries, notifies, and zone transfer requests. Any: The appliance chooses which port to use as the source for queries, notifies, and zone transfer requests. 5. Click the Save and Restart Services icons.
152
NIOS 4.3r5
Using the MGMT Port
Using the MGMT Port

Note: This feature is not supported on Cisco and Riverbed virtual grid members. The MGMT (Management) port is a 10/100Base-T Ethernet connector on the front panel of an Infoblox-500, -1000, and -1200 appliance, and a 10/100/1000Base-T Ethernet connector on the front panel of an Infoblox-250, -550, -550-A, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000 appliance. It allows you to isolate the following types of traffic from other types of traffic on the LAN and HA ports:
Appliance Management on page 154 Grid Communications on page 156 DNS Services on page 159
For information about what types of traffic qualify as appliance management, grid communications, and DNS services, see Table 4.3 on page 145. Note: The MGMT port currently does not support DHCP, NTP, NAT, RADIUS proxying, or TFTP. Some NIOS appliance deployment scenarios support more than one concurrent use of the MGMT port. The following table depicts MGMT port uses for various appliance configurations.
Table 4.4 Supported MGMT Port Uses for Various appliance Configurations
Appliance Configuration Single Independent Appliance Independent HA Pair Grid Master Grid Master Candidate HA Grid Member Single Grid Member Appliance Management Grid Communications Not Applicable Not Applicable DNS Services
* *
* Although you manage all grid members through the grid master, if you enable the MGMT port on common grid members, they can send syslog events, SNMP traps, and e-mail notifications, and receive SSH connections on that port. Infoblox does not support MGMT port usage for some appliance configurations (indicated by the symbol in Table 4.4) because it cannot provide redundancy through the use of a VIP. A grid master that is an HA pair needs the redundancy that a VIP interface on the HA port provides for grid communications. Similarly, DNS servers in an HA pair need that redundancy to answer DNS queries. Because the MGMT port does not support a VIP and thus cannot provide redundancy, grid masters (and potential grid masters) do not support grid communications on the MGMT port. In addition, NIOS appliances in an HA pair support DNS services on the active node only (indicated by the symbol in Table 4.4). Only the active node can respond to queries that it receives. If a DNS client sends a query to the MGMT port of the node that happens to be the passive node, the query can eventually time out and fail.
NIOS 4.3r5
153
The MGMT port is not enabled by default. By default, a NIOS appliance uses the LAN port (and HA port when deployed in an HA pair). You must log in using a superuser account to enable and configure the MGMT port. You can enable the MGMT port through the Infoblox GUI (as explained in the following sections) or through a console connection with the following command: set interface mgmt speed auto duplex auto Note: For information about connecting Ethernet cables to the MGMT port, refer to Cabling for the MGMT Port on page 827.
Appliance Management
You can restrict administrative access to a NIOS appliance by connecting the MGMT port to a subnet containing only management systems. This approach ensures that only appliances on that subnet can access the Infoblox GUI and receive appliance management communications such as syslog events, SNMP traps, and e-mail notifications from the appliance. If you are the only administrator, you can connect your management system directly to the MGMT port. If there are several administrators, you can define a small subnetsuch as 10.1.1.0/29, which provides six host IP addresses (10.1.1.110.1.1.6) plus the network address 10.1.1.0 and the broadcast address 10.1.1.7and connect to the NIOS appliance through a dedicated switch (which is not connected to the rest of the network). Figure 4.6 shows how an independent appliance separates appliance management traffic from network protocol services. Note that the LAN port is on a different subnet from the MGMT port.
Figure 4.6 Appliance Management from One or More Management Systems

The NIOS appliance serves DNS and DHCP to the public network through the LAN port. LAN 1.1.1.5 MGMT 10.1.1.1 Ethernet Cable NIOS appliance-1 DNS and DHCP Clients LAN 1.1.1.6 MGMT 10.1.1.1 Several management systems connect to the MGMT port of the NIOS appliance through a dedicated switch. Infoblox Appliance -2 Note: Because the two private networks are used solely for appliance management and are completely isolated from the rest of the networkand therefore from each othertheir address space can overlap without causing any routing issues Ethernet Cable Dedicated Switch Management Systems 10.1.1.2 - 10.1.1.5 Private Network 10.1.1.0/29 Appliance Management A single management system connects directly to the MGMT port of the NIOS appliance through an Ethernet cable.
Private Network 10.1.1.0/30 Appliance Management
154
NIOS 4.3r5
Using the MGMT Port
Similarly, you can restrict management access to a grid master to only those appliances connected to the MGMT ports of the active and passive nodes of the grid master. To enable the MGMT port on an independent appliance or grid master for appliance management and then cable the MGMT port directly to your management system or to a network forwarding appliance such as a switch or router: 1. From the Grid perspective, click + (for grid ) -> + (for Member ) -> grid_master -> Edit -> Member Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. Note: You must enable the MGMT port before modifying its port settings. See Using the MGMT Port on page 153. 2. In the Grid Member or Device editor, click MGMT Port, and then enter the following in Node 1 subsection for a single grid master or independent appliance, and in the Node 1 and Node 2 subsections for an HA grid master or independent HA pair: Enable management (MGMT) port: Select check box. Enable VPN services on the MGMT port: Clear check box. Restrict Support and remote console access to MGMT port: Select the check box to restrict SSH (Secure Shell) v2 access to the MGMT port only. This restricts Infoblox Technical Support and remote console connectionsboth of which use SSH v2to just the MGMT port. For an HA pair, you can make an SSH v2 connection to the MGMT port on both the active and passive nodes. Clear the check box to allow SSH v2 access to both the MGMT and LAN ports. For an HA pair, you can make an SSH v2 connection to the MGMT and LAN ports on both the active and passive nodes. IP Address: Type the IP address for the MGMT port, which must be in a different subnet from that of the LAN and HA ports. Subnet Mask: Choose an appropriate subnet mask for the number of management systems that you want to access the appliance through the MGMT port. Gateway: Type the default gateway for the MGMT port. If you need to define any static routes for traffic originating from the MGMT portsuch as SNMP traps, syslog events, and email notificationsdestined for remote subnets beyond the immediate subnet, specify the IP address of this gateway in the route. Use automatic MGMT port settings: Select the check box to instruct the NIOS appliance to negotiate the optimum port connection type (full or half duplex) and speed with the connecting switch automatically. If you clear the check box, manually configure the same settings on both the NIOS appliance and the switch. By default, the check box is selected. 3. Click the Save icon to save your settings. 4. Close the current JWS (Java Web Start) application window. 5. Cable the MGMT port to your management system or to a switch or router to which your management system can also connect. 6. If your management system is in a subnet from which it cannot reach the MGMT port, move it to a subnet from which it can. The Infoblox Grid (or Device) Manager GUI is now accessible through the MGMT port on the NIOS appliance from your management system. 7. Start a new JWS session, and then log in to the IP address of the MGMT port. 8. Check the Detailed Status and Grid panels to make sure the status icons are green.
NIOS 4.3r5
155
Grid Communications
You can isolate all grid communications to a dedicated subnet as follows: For grid communications from the grid master, which can be an HA pair or a single appliance, the master uses either the VIP interface on the HA port of its active node (HA master) or its LAN port (single master). Neither a single nor HA grid master can use its MGMT port for grid communications. (This restriction applies equally to master candidates.) Common grid members connect to the grid master through their MGMT port.
This ensures that all database synchronization and grid maintenance operations are inaccessible from other network elements while the common grid members provide network protocol services on their LAN ports.
Figure 4.7 shows how grid members communicate to the master over a dedicated subnet. Figure 4.7 Grid Communications
The private network (10.1.1.0/24) is reserved for grid communications between the grid master and all grid members, and for appliance management between the management system and the grid master.
HA Grid Master HA HA VIP 10.1.1.5 HA HA
Master Candidate
The grid master and master candidate connect to the private network using a VIP on their HA ports.
VIP 10.1.1.10
Private Network 10.1.1.0/24 for Grid Communications and appliance Management Management System 10.1.1.30 MGMT 10.1.1.15 Single Member MGMT 10.1.1.20 Passive Node MGMT 10.1.1.21 Active Node HA Member HA HA LAN 1.1.1.6 The common grid members use the public network (1.1.1.0/24) for DNS and DHCP services. VIP 1.1.1.7 The common grid members connect to the private network through their MGMT ports*. They connect to the public network through their LAN and HA ports (using a VIP).
DNS and DHCP Clients * Only the active node of an HA member connects to the grid master. The passive node communicates just with the active node. If there is an HA failover, the newly promoted active node must first join the grid before continuing grid communications with the grid master on behalf of the HA member.
156
NIOS 4.3r5
Using the MGMT Port
Enabling Grid Communications over the MGMT Port for Existing Grid Members
To enable the MGMT port for grid communications on an existing single or HA grid member: 1. Log in to the grid master with a superuser account. 2. From the Grid perspective, click + (for grid ) -> + (for Member ) -> member -> Edit -> Member Properties. 3. In the Grid Member editor, click MGMT Port, and then enter the following for Node 1. For an HA member, enter the IP address, subnet mask, and gateway address for both Node 1 and Node 2. Enable management (MGMT) Port: Select the check box. Enable VPN services on the MGMT Port: Select the check box. Restrict Support and remote console access to MGMT port: Select the check box to restrict SSH (Secure Shell) v2 access to the MGMT port only. This restricts Infoblox Technical Support and remote console connectionsboth of which use SSH v2to just the MGMT port. For an HA pair, you can make an SSH v2 connection to the MGMT port on both the active and passive nodes. Clear the check box to allow SSH v2 access to both the MGMT and LAN ports. For an HA pair, you can make an SSH v2 connection to the MGMT and LAN ports on both the active and passive nodes. IP Address: Type the IP address of the MGMT port on the grid member, which must be in a different subnet from that of the LAN and HA ports. Subnet Mask: Choose the subnet mask for the MGMT port IP address. Gateway: Type the default gateway for the MGMT port. Use automatic MGMT port settings: Select the check box to instruct the NIOS appliance to negotiate the optimum port connection type (full or half duplex) and speed with the connecting switch automatically. If you clear the check box, manually configure the same settings on both the NIOS appliance and the switch. By default, the check box is selected. 4. If the IP addresses of the LAN and HA ports are in the same subnet as the IP address of the MGMT port, click Node Properties in the Grid Member editor, and then change the IP address of the LAN port (for a single member) and LAN and HA ports (for an HA member). 5. Click the Save icon to save your settings. The master communicates the new port settings to the member, which immediately begins using them. The member stops using its LAN port for grid communications and begins using the MGMT port. 6. To confirm that the member still has grid connectivity, check that the status icons for that member are green on the Detailed Status and Grid panels.
Enabling Grid Communications over the MGMT Port for New Grid Members
To enable the MGMT port for grid communications on a single appliance or HA pair and then join it to a grid:
Member MGMT Port Configuration on the Grid Master

1. Log in to the grid master with a superuser account. 2. From the Grid perspective, click grid -> Add Grid Member. 3. In the Grid Member editor, click Node Properties, configure the network settings for a single member or the network and HA settings for an HA member, and then clear the Master Candidate check box. Any member that is a master candidate cannot use the MGMT port for grid communications. 4. In the Grid Member editor, click MGMT Port, and then enter the following for Node 1 (for a single appliance). For an HA pair, enter the IP address, subnet mask, gateway address, and port settings for both Node 1 and Node 2. Enable management (MGMT) Port: Select the check box. Enable VPN services on the MGMT Port: (You must add the member before you can select this check box, which you do in step 7.)
NIOS 4.3r5
157
Restrict Support and remote console access to MGMT port: Select the check box to restrict SSH (Secure Shell) v2 access to the MGMT port only. This restricts Infoblox Technical Support and remote console connectionsboth of which use SSH v2to just the MGMT port. For an HA member, you can make an SSH v2 connection to the MGMT port on both the active and passive nodes. Clear the check box to allow SSH v2 access to both the MGMT and LAN ports. For an HA member, you can make an SSH v2 connection to the MGMT and LAN ports on both the active and passive nodes. IP Address: Type the IP address of the MGMT port on the grid member. This is the address that you previously set when configuring the appliance. The MGMT port address cannot be in the same subnet as the addresses of the LAN and HA ports. Subnet Mask: Choose the subnet mask for the MGMT port IP address. Gateway: Type the default gateway for the MGMT port. Use automatic MGMT port settings: Select the check box to instruct the member to negotiate the optimum port connection type (full or half duplex) and speed with the connecting switch automatically. If you clear the check box, manually configure the same settings on both the NIOS appliance and the switch. By default, the check box is selected. 5. Click the Save icon to add the member. 6. In the Grid perspective, select the member you just created, click Edit -> Member Properties. 7. In the Grid Member editor, click MGMT Port, select Enable VPN services on the MGMT Port, and then click the Save icon.
MGMT Port Configuration on Appliance or HA Pair

1. Log in as a superuser to the MGMT port of the appliance or active node of the HA pair that you want to join to the grid. 2. From the Grid perspective, click + (for grid ) -> + (for Member ) -> member -> Edit -> Member Properties. 3. In the Grid Member editor, click MGMT Port, and then change the following for Node 1 (for a single appliance). For an HA pair, enter the IP address, subnet mask, and gateway address for both Node 1 and Node 2. Enable management (MGMT) Port: Select the check box. Enable VPN services on the MGMT Port: (You cannot select this because the appliance or HA pair is not yet a grid member. When the appliance or HA pair joins the grid, it receives its new configuration from the grid master, and in that configuration, this option is set.) Note: For the remainder of the MGMT port settings, configure the same settings that you previously set for the single or HA member on the grid master (see step 4 in Member MGMT Port Configuration on the Grid Master on page 157). 4. If the IP addresses of the LAN and HA ports are in the same subnet as the IP address of the MGMT port, click Node Properties in the Grid Member editor, and then change the IP address of the LAN port (for a single member) and LAN and HA ports (for an HA member). 5. Click the Save icon to save your settings. 6. From the Grid perspective, click + (for grid ) -> + (for Member ) -> member -> Edit -> Join Grid. 7. Enter the following in the Join Grid dialog box: Virtual IP of Grid Master: Type the VIP address of the grid master for the grid to which you want to add the single appliance or HA pair. Grid Name: Type the name of the grid. Grid Shared Secret: Type the shared secret of the grid. Re-type Grid Shared Secret: To ensure accuracy, retype the shared secret. Use MGMT port to join grid: Because you have already enabled the MGMT port, this option is available. Select it to connect to the grid through the MGMT port.
158
NIOS 4.3r5
Using the MGMT Port
For a single appliance, it connects to the grid master from its MGMT port. The grid master allows it to join the grid, and sends it its configuration andif the appliance is running a different software version from the rest of the gridthe software version for the grid. When an HA pair joins the grid through their MGMT ports, each node joins separately. The process occurs as follows: 1. You join the active node to the grid first (step 7) and the grid master sends it the remainder of its configuration andif the node is running a different software version from the rest of the gridthe software version for the grid. 2. The HA pair fails over. 3. You now log in to the other node, which is now active, and join it to the grid (repeat step 7). The master sends it its configuration and (if necessary) the version of software running on the grid. 4. The HA pair fails over again, so that the node that was active when you started the join operation becomes the active node again when you finish it. After an appliance or HA pair is part of the grid, you continue configuring it through the grid master.
DNS Services
You can configure a single independent appliance or single grid member to provide DNS services through the MGMT port in addition to the LAN port. For example, the appliance can provide DNS services through the MGMT port for internal clients on a private network, and DNS services through the LAN port for external clients on a public network. While providing DNS services on the MGMT port, you can still use that port simultaneously for appliance management. Figure 4.8 shows a management system communicating with a single independent appliance through its MGMT port while the appliance also provides DNS services on that port to a private network. Additionally, the appliance provides DNS services to an external network through its LAN port.
Figure 4.8 DNS Services on the LAN and MGMT Ports, and appliance Management on the MGMT Port
External DNS Client
External Network
External DNS Clients
External DNS services go through the LAN port.
LAN Port Single Independent Appliance
Appliance management and internal DNS services go through the MGMT port.
MGMT Port
Management System
Internal Network
Internal DNS Clients
Like a single independent appliance, a single grid member can also support concurrent DNS traffic on its MGMT and LAN ports. However, because you manage all grid members through the grid master, a grid member only uses an enabled MGMT port to send SNMP traps, syslog events, and email notifications, and to receive SSH connections.
NIOS 4.3r5
159
In addition, the active node of an HA pair can provide DNS services through its MGMT port. To use this feature, you must enable DNS services on the MGMT ports of both nodes in the HA pair and specify the MGMT port IP addresses of both nodes on the DNS client as well, in case there is a failover and the passive node becomes active. Note that only the active node can respond to queries that it receives. If a DNS client sends a query to the MGMT port of the node that happens to be the passive node, the query can eventually time out and fail. To enable DNS services on the MGMT port of an appliance: 1. From the Grid perspective, click + (for grid ) -> + (for Member ) -> grid_master -> Edit -> Member Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. In the Grid Member or Device editor, click MGMT Port, and then enter the following in Node 1 subsection for a single grid master or independent appliance, and in the Node 1 and Node 2 subsections for an HA grid master or independent HA pair: Enable management (MGMT) Port: Select the check box. IP Address: Enter the IP address of the MGMT port. The MGMT port IP address must be in a different subnet from that of the LAN and HA ports. Subnet mask: Choose an appropriate subnet mask for the MGMT port. Gateway: Enter the IP address of the gateway for the MGMT port. 3. Click the Save icon to save your settings for the MGMT port. 4. From the DNS perspective of the Member DNS Properties editor, click DNS Members -> + (for grid ) -> member -> DNS -> Modify -> General. 5. In the Member DNS Properties editor, click General, and then select Enable DNS service. 6. Select the Enable DNS service on the MGMT port check box. 7. Select one of the following from the Source queries, notifies, and zone transfer requests drop-down list: VIP: The appliance uses the HA port for source queries, notifies, and zone transfer requests. MGMT: The appliance uses the MGMT port for source queries, notifies, and zone transfer requests. Any: The appliance selects the port for source queries, notifies, and zone transfer requests. This is usually the LAN port. If the LAN port is part of the MGMT port, the appliances use the MGMT port. 8. Click the Save icon to save your settings. 9. Click the Restart Services icon if it flashes. 10. To see that the appliance now also serves DNS on the MGMT port: From the DNS perspective, click DNS Members -> + (for grid ) -> member -> View -> Properties, and look in the General section. Check that the value for Enable DNS service on the MGMT Port is true. or From the DNS perspective, click DNS Members -> + (for grid ) -> member -> View -> DNS Configuration, and check that the IP address of the MGMT port appears in the address match list in the listen-on substatement.
160
NIOS 4.3r5
Setting Static Routes

When you put the NIOS appliance on a segment of the network where there is a single path to and from it, a single default route is sufficient. For example, in Figure 4.9 on page 161, the appliance is in the DMZ behind a firewall and connects to the rest of the network through the DMZ interface on the firewall. For example, when hosts send DNS queries from the Internet and the internal network to the appliance and when the appliance replies to those hosts, the firewall takes care of all the routing. Note: This feature is not supported on Cisco virtual grid members.
Figure 4.9 Single Default Route
Internet 1.2.2.1 The default route points all traffic from the LAN or LAN1 port on the NIOS appliance to the DMZ interface (1.2.2.1) on the firewall. DMZ LAN Port Firewall NIOS appliance The appliance responds to all queries from the Internet and internal network by sending its responses to the DMZ interface (1.2.2.1) on the firewall. The appliance only needs a single default route to the firewall. The firewall then routes the traffic where it needs to go. Default route: Network: 0.0.0.0 Netmask: 0.0.0.0 Gateway: 1.2.2.1
Internal Network
When the NIOS appliance is on a segment of the network where there are multiple gateways through which traffic to and from the appliance can flow, a single default route is insufficient. For an example, see Figure 4.10.
NIOS 4.3r5
161
Figure 4.10 Erroneously Routed DNS Replies
Internet
Firewall-1
1.2.2.1
The default route points all traffic from the NIOS appliance to the DMZ interface (1.2.2.1) on firewall-1.
DMZ NIOS appliance Default route: Network: 0.0.0.0 Netmask: 0.0.0.0 Gateway: 1.2.2.1 1.2.2.2 Firewall-2
Switch
DNS queries from the Internet reach the appliance through firewall-1, and the appliance sends its replies back through firewall-1. DNS queries from the internal network reach the appliance through firewall-2, but because there is only one default route, the appliance erroneously sends DNS replies to the DMZ interface (1.2.2.1) on firewall-1.
Internal Network 10.1.1.0/24
To resolve the problem illustrated in Figure 4.10 on page 162, add a second route pointing traffic destined for 10.1.1.0/24 to use the gateway with IP address 1.2.2.2 on firewall-2. This is shown in Figure 4.11.
Figure 4.11 Properly Routed DNS Replies
Internet The default route on the NIOS appliance points traffic destined for the Internet to the DMZ interface (1.2.2.1) on firewall-1.
1.2.2.1 Firewall-1 DMZ 1.2.2.0/24
NIOS appliance
Default route: Network: 0.0.0.0 Netmask: 0.0.0.0 Gateway: 1.2.2.1 Route to: Network: 10.1.1.0 Netmask: 255.255.255.0 Gateway: 1.2.2.2
Switch
1.2.2.2 Firewall-2
Internal Network 10.1.1.0/24
A second route on the appliance points traffic destined for 10.1.1.0/24 to the DMZ interface (1.2.2.2) on firewall-2.
162
NIOS 4.3r5
Whenever you want the NIOS appliance to send traffic through a gateway other than the default gateway, you need to define a separate route. Then, when the appliance performs a route lookup, it chooses the route that most completely matches the destination IP address in the packet header. When you enable the MGMT port, the gateway you reference in a static route determines which port the NIOS appliance uses when directing traffic to a specified destination. If a route definition references a gateway that is in the same subnet as the IP and VIP addresses of the LAN (or LAN1) and HA ports, the NIOS appliance uses the LAN (or LAN1) or HA port when directing traffic to that gateway. If a route definition references a gateway that is in the same subnet as the MGMT port, the NIOS appliance uses the MGMT port when directing traffic to that gateway.
Figure 4.12 Static Routes for the LAN and MGMT Ports
Internet LAN Gateway (Firewall-1) 1.2.2.1 DMZ 1.2.2.0/24 Switch Switch LAN Gateway (Firewall-2) 1.2.2.2 10.1.1.1 Two static routes direct traffic from the NIOS appliance: From the LAN port (eth1, 1.2.2.5) through the gateway at 1.2.2.2 to the 10.1.1.0/24 subnet. Internal Network 10.1.1.0/24 Route Tables on the NIOS appliance
From LAN: 1.2.2.0/24 dev eth1 scope link 10.1.1.0/24 via 1.2.2.2 dev eth1 default via 1.2.2.1 dev eth1 From MGMT: 10.1.2.0/24 dev eth0 scope link 10.1.3.0/24 via 10.1.2.1 dev eth0 default via 10.1.2.1 dev eth0 From all: 10.1.1.0/24 via 1.2.2.2 dev eth1 10.1.3.0/24 via 10.1.2.1 dev eth0 1.2.2.0/24 dev eth1 proto kernel scope link src 1.2.2.5 10.1.2.0/24 dev eth0 proto kernel scope link src 10.1.2.5 default via 1.2.2.1 dev eth1
LAN Port 1.2.2.5
MGMT Port 10.1.2.5 NIOS appliance
10.1.2.1
10.1.3.1
Administrators
Subnet 10.1.2.0/24
MGMT Gateway
Subnet 10.1.3.0/24
From the MGMT port (eth0, 10.1.2.5) through the gateway at 10.1.2.1 to the 10.1.3.0/24 subnet.
Note: There is a route table for each port as well as a comprehensive route table. For an HA pair, the LAN port route table is duplicated for the HA port. In this illustration, the static routes are shown in green.
The need for routes can apply to any type of traffic that originates from the appliance, such as DNS replies, DHCP messages, SNMP traps, ICMP echo replies, Infoblox GUI management, and grid communications.
NIOS 4.3r5
163
To set a static route, do the following: 1. For a grid member: From the Grid perspective, click + (for grid ) -> + (for Member s) -> member -> Edit -> Member Properties. or For an independent appliance or HA pair: From the Device perspective, click hostname -> Edit -> Device Properties. 2. In the Member or Device editor, click Static Routes, click Add, and then enter the following: Network Address: Type the address of the remote network to which the NIOS appliance routes traffic. Netmask: Choose the netmask that defines the remote network. Gateway Address: Type the IP address of the gateway on the local subnet through which the NIOS appliance directs traffic to reach the remote network. The gateway address must meet the following requirements: It must belong to a working gateway router or gateway switch. It must be in the same subnet as the NIOS appliance. Note: Consult your network administrator before specifying the gateway address for a static route on the appliance. Specifying an invalid gateway address can cause problems, such as packets being dropped or sent to an incorrect address. 3. Click the Save icon to save your settings.
Enabling DNS Resolution

You can specify a network server to perform domain name queries and specify up to two name servers for resolving a DNS name, plus use a search list to perform partial name resolution. If a NIOS appliance provides DHCP services only, specify a DNS name server or servers that the appliance can use for DNS lookups. You specify the IP address of a preferred name server and that of an alternate name server, plus use a search list for performing partial name resolution. To enable DNS resolution for a grid or for an independent appliance or HA pair: 1. From the Grid perspective, click grid -> Edit -> Grid Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. In the Grid editor, click DNS Resolver, and then enter the following: Use DNS name resolver: Select the check box to enable the NIOS appliance to send DNS queries to the preferred or alternate name servers whose IP addresses you specify in the following fields. Preferred Name Server: Type the IP address of the server to which the appliance sends queries first. Alternate Name Server: Type the IP address of the name server to which you want the NIOS appliance to send queries if it does not receive a response from the preferred name server. Search Domain Group: Define a group of domain names that the NIOS appliance can add to partial queries that do not specify a domain name. For example, if you define a RADIUS authentication home server as as1, and you list "corp100.com" and "hq.corp100.com" in the domain group list, then the NIOS appliance sends a query for "as1.corp100.com" and another query for "as1.hq.corp100.com" to the preferred or alternate name server. To add a domain name to the group, type a domain name in the Domain field, and then click Add. To remove a domain name from the group, select it, and then click Delete. 3. Click the Save icon. Note: You can override the grid-level settings at the member level.
164
NIOS 4.3r5
Managing Licenses
Managing Licenses
Licenses come pre-installed on a NIOS appliance according to the software packages you ordered at the time of purchase. If you wish to upgrade an existing appliance with the Grid license, you must contact Infoblox Technical Support and follow the procedures in Obtaining and Adding a License on page 166. There are three types of licenses: Maintenance licenses Examples: NIOS and Grid maintenance licenses. The duration of maintenance licenses are one, two, or three years. You can obtain these licenses from your Infoblox sales representative. Service licenses Examples: DNS, DHCP, Grid. These are permanent licenses. You can obtain these licenses from your Infoblox sales representative. Temporary licenses You can enable one of several sets of temporary service licenses through the CLI command set temp_license . These licenses last for 60 days.
Two weeks before a maintenance license or a temporary license expires, an expiration warning appears during the GUI login process. The warning reappears during each login until you renew the license. To do renew a license, contact your Infoblox sales representative. If you decide not to renew an expired license and want to stop the warning from reappearing, do the following: 1. Back up the configuration and database as described in Backing Up and Restoring a Configuration File on page 253. 2. Log in to the Infoblox CLI, enter the show license command, and save all the license key strings. 3. Remove all the licensesand the entire configuration and databaseby entering the reset all licenses command. For details, see Removing Licenses on page 166. 4. Add the unexpired licenses back to the appliance using either the Infoblox GUI or CLI. 5. Restore the backup file as described in Backing Up and Restoring a Configuration File on page 253.
Viewing the Installed Licenses on a NIOS Appliance

If the appliance you are identifying is part of a grid, you must log in to the master GUI for the grid to view the licenses installed. If the appliance is deployed as a single independent appliance, log in to the GUI for that appliance. To view the licenses installed on a NIOS appliance, follow these steps: 1. Log in to the Infoblox GUI using a superuser account. 2. From the Grid or Device perspective, click hostname -> View -> Properties. 3. Click the + icon beside the License section to expand it and view the licenses installed on the appliance.
Obtaining a 60-Day Temporary License

You can use the CLI command set temp_license to generate and install temporary 60-day licenses. This can provide licensed features and functionality for the interim, while you wait for your permanent license to arrive. To generate a temporary license: 1. Log in to the NIOS appliance through a remote console window. For more information on how to open a remote console window, see the User Guide for your appliance. 2. After the Infoblox command prompt, enter the following command:
set temp_license
The following options appear: 1. DNSone (DNS, DHCP) 2. DNSone with Grid (DNS, DHCP, Grid) 3. Network Services for Alcatel-Lucent VitalQIP (QIP, Grid) 4. Network Services for Voice (DHCP, Grid) 5. Network Services for Authentication (RADIUS, Grid)
NIOS 4.3r5
165
6. Network Services Suite (DNS, DHCP, RADIUS, Grid) 7. Add DNS Server license 8. Add DHCP Server license 9. Add RADIUS Server license 10. Add Grid license 3. Enter the number for the license you want to install. 4. Confirm the selection when prompted, and the following message appears:
Temporary license is installed.
Obtaining and Adding a License

A valid Grid license is required for grid NIOS appliance deployments. You can upgrade existing independent appliances to use a Grid license and then add them to a grid. To upgrade your license, contact your Infoblox sales representative. To add a license: 1. Log in to the Infoblox GUI using a superuser account. 2. From the Grid or Device perspective, click hostname -> Edit -> Add License. 3. In the Add License dialog box, copy the hardware ID and serial number of your appliance and paste this information into an e-mail to Infoblox Support. 4. When you receive the license key, use the shortcut keys Ctrl-C (for copy) and Ctrl-V (for paste) to copy the license key from the response e-mail, and then paste it in the Enter license string field. 5. Click OK to close the Add License dialog box. 6. Close the browser window and log in to the Infoblox GUI. 7. If you are activating licenses for an HA pair, you must repeat this procedure for the second node.
Removing Licenses
You can remove licenses and reset a NIOS appliance to its factory default settings. For example, if you have a NIOS appliance running the DNSone package with the Grid upgrade, but you want to use it as an independent appliance and manage it through the Device Manager GUI, you can do the following: 1. Log in to the NIOS appliance CLIlocally through the Console port or remotely through an SSHv2 connection and use the show license command to view all the licenses installed on the appliance. The output of the the show license command looks similar to the following:
Infoblox > show license Version: 4.0r1 Hardware ID: ecafc0c469e8c75eb59cb7e4b5912a6 License Type: Grid Expiration Date: 11/04/2006 License String: GQAAAAOS5WYrGV/JEzH6wrHYQ8L1b25y3Y+VPPY= License Type: DNS Expiration Date: Permanent License String: EQAAAAKS4n90WFGNUSirwvyUT9/z
166
NIOS 4.3r5
Managing Licenses
License Type: DHCP Expiration Date: Permanent License String: EgAAAAKU8nMlRBzcTWX63rHYFoymOQ== License Type: Grid Maintenance Expiration Date: 11/04/2006 License String: GwAAAA2Z6HAtBkPFPyfzg/yVRsLzI2x0kYyKaPb22g== License Type: NIOS Maintenance Expiration Date: 11/04/2006 License String: GwAAAAiV/nAGGljQEDv0h/yVRsLzI2x0kYyKb/P20Q==
2. Copy the output of the show license command, and save it to a text file on your management system. 3. Reset the NIOS appliance and remove all the licenses by entering the reset all licenses command. 4. This command returns all settings to their default values and removes all licenses.
Infoblox > reset all licenses The entire system will be erased to default settings and all licenses will be removed. WARNING: THIS WILL ERASE ALL DATA AND LOG FILES THAT HAVE BEEN CREATED ON THIS SYSTEM. ARE YOU SURE YOU WANT TO PROCEED? (y or n): y
The application restarts with the default settings and no licenses. 5. Log in to the CLI through the Console port, and check that all the licenses are gone by entering the show license command.
Infoblox > show license Version: 4.0r1 Hardware ID: ecafc0c469e8c75eb59cb7e4b5912a6 Infoblox >
6. Add back only the DNS, DHCP, and NIOS Maintenance licenses by entering the set license command and then copying and pasting the text string for each license:
Infoblox > set license Enter license string: EQAAAAKS4n90WFGNUSirwvyUT9/z Install license? (y or n): y License is installed. Infoblox > set license Enter license string: EgAAAAKU8nMlRBzcTWX63rHYFoymOQ= = Install license? (y or n): y License is installed. Infoblox > set license Enter license string: GwAAAAiV/nAGGljQEDv0h/yVRsLzI2x0kYyKb/P20Q== Install license? (y or n): y License is installed.
7. To check that the licenses are now installed, enter the show license command. When you next log in to the GUI, the Infoblox Device Manager appears instead of the Infoblox Grid Manager.
NIOS 4.3r5
167
Using the Recycle Bin

The recycle bin protects against unintended deletions of data. It provides a way to restore data where the deletion of the object (such as a zone) would result in a major data loss. At the grid level, you can use the recycle bin to restore or permanently remove deleted DNS and DHCP objects. In the DNS perspective, you can restore or permanently remove DNS configuration objects. In the DHCP and IPAM perspective, you can restore or permanently remove DHCP configuration objects. When you use the recycle bin, you can restore the deleted objects to the active configuration on the appliance at a later time. You can also remove the objects permanently from the recycle bin. If you do not use the recycle bin, the appliance immediately removes objects from the database when you delete the objects. You must have superuser permissions to fully manage the recycle bin. If you have non-superuser permissions, you can view, restore, and permanently remove only the objects that you delete. The appliance stores the following deleted objects in the recycle bin: DNS views DNS zones Network views Networks Shared networks DHCP ranges MAC and option 82 filters Host records Bulk host records Bulk host templates NS records for both forward-mapping and IPv4 reverse-mapping zones A records AAAA records CNAME records for both forward-mapping and IPv4 reverse-mapping zones DNAME records for both forward-mapping and IPv4 reverse-mapping zones MX records SRV Records TXT records PTR records for both IPv4 and IPv6 zones
The appliance also stores the following deleted DNS resource records:
When you delete a DNS zone that contains resource records, you cannot restore the resource records individually. You must restore the zone. When you restore the zone, all the resource records in the zone are restored accordingly. The appliance does not restore resource records that are shared or automatically generated. This section discusses the following topics:
Disabling the Recycle Bin on page 169 Enabling the Recycle Bin on page 169 Viewing the Recycle Bin on page 169 Restoring Objects in the Recycle Bin on page 170 Emptying the Recycle Bin on page 170
168
NIOS 4.3r5
Using the Recycle Bin
Disabling the Recycle Bin

The appliance enables the recycle bin by default. You can disable the recycle bin globally in the Grid perspective. If you disable the recycle bin, you cannot restore or remove objects in the recycle bin. You must have superuser permissions to disable the recycle bin. To disable the recycle bin: 1. From the Grid perspective, click id_grid -> Edit -> Grid Properties. 2. In the Grid editor, click Grid Properties, and then enter the following: Enable Recycle Bin: Deselect the check box to disable the recycle bin. When you disable the recycle bin, the appliance permanently removes an object from the database when you delete the object. You cannot restore the deleted object. 3. Click the Save icon.
Enabling the Recycle Bin

You can enable the recycle bin globally in the Grid perspective. You must enable the recycle bin before restoring and emptying the recycle bin from the corresponding perspective. The appliance enables the recycle bin by default. You must have superuser permissions to enable the recycle bin. To enable the recycle bin: 1. From the perspective, click id_grid -> Edit -> Grid Properties. 2. In the Grid editor, click Grid Properties, and then enter the following: Enable Recycle Bin: Select the check box to enable the recycle bin. When you delete objects in the GUI, the recycle bin stores the deleted objects. Enabling the recycle bin allows you to undo the deletions and to restore the deleted objects on the appliance at a later time. 3. Click the Save icon.
Viewing the Recycle Bin

The appliance displays all deleted objects in the recycle bin. You can view all deleted objects in the Recycle Bin panel. When you view the recycle bin from the Grid perspective, the appliance displays all deleted DNS and DHCP objects for the grid. When you view the recycle bin from either the DNS or the DHCP and IPAM perspective, the appliance displays all deleted objects for the corresponding perspective. By default, records are sorted by Name. To display the Recycle Bin panel and to view the deleted configuration objects in the recycle bin: 1. From the Grid perspective, click id_grid -> View -> Recycle Bin. or From the DNS perspective, click View -> Recycle Bin. or From the DHCP and IPAM perspective, click View -> Recycle Bin. The Recycle Bin panel appears. 2. Scroll through the Recycle Bin panel pages using the page arrows located on the lower-left corner of the Recycle Bin panel. The panel page length is set by the administrator. For information, see Authenticating Administrators on page 107. The panel displays the following information for each object: Name: The name of the deleted object. Object Type: The type of the deleted object. Parent/Container: The place from which the object was deleted. Admin: The role that deleted the object. Time: The date/time when the object was deleted.
NIOS 4.3r5
169
Restoring Objects in the Recycle Bin

You can restore deleted objects from the recycle bin only if you enable the recycle bin, and only if you select an object in the panel. You can restore only one object at a time. Deleted objects are stored in the recycle bin until you empty the bin. To restore items from the Recycle Bin panel: 1. From the Grid perspective, click grid -> View -> Recycle Bin. The Recycle Bin panel appears. or From the DNS perspective, click View -> Recycle Bin. or From the DHCP and IPAM perspective, click View -> Recycle Bin. The Recycle Bin panel appears. 2. Select the object that you want to restore. 3. Click Edit -> Restore Selected Object or right click the object, and then select Restore Selected Object . A warning message appears prompting you to confirm that you wish to continue with the restore. 4. Click Yes. Confirm that the object is restored to the active configuration. You can do this by confirming that the object does not appear in the Recycle Bin panel any longer, and that it is reestablished in the appropriate perspective.
Emptying the Recycle Bin

You can permanently delete the contents of the recycle bin only if the recycle bin is enabled. You must have superuser permissions to empty the recycle bin. To empty the recycle bin: 1. From the Grid perspective, click grid -> View -> Recycle Bin. The Recycle Bin panel appears. or From the DNS perspective, click View -> Recycle Bin. or From the DHCP and IPAM perspective, click View -> Recycle Bin. The Recycle Bin panel appears. 2. Click Edit -> Empty Recycle Bin. A warning message appears prompting you to confirm that you wish to empty the recycle bin. 3. Click Yes. Confirm that all objects are removed from the Recycle Bin panel.
170
NIOS 4.3r5
Shutting Down, Rebooting, and Resetting a NIOS Appliance
Shutting Down, Rebooting, and Resetting a NIOS Appliance

To reboot and shut down a NIOS appliance, you can use the Infoblox Manager GUI or the Infoblox CLI. To reset a NIOS appliance, you must use the Infoblox CLI.
Rebooting a NIOS Appliance

You can reboot a single NIOS appliance, a single node in an HA pair, or both nodes in an HA pair. To reboot a single NIOS appliance or one or both nodes in an HA pair using the GUI: 1. From the Grid or Device perspective, click hostname -> Edit -> Reboot. 2. For an HA pair, choose whether to boot one node (and which one) or both nodes, and then click OK. To reboot a single NIOS appliance using the CLI: 1. Log in to the Infoblox CLI using a superuser account for the NIOS appliance that you intend to reboot. 2. Enter the following CLI command: reboot
Shutting Down a NIOS Appliance

Under normal circumstances, you do not need to turn off or shut down a NIOS appliance. It is designed to operate continuously. However, if you want to turn off a NIOS appliance and it is inconvenient to turn off the power switch, you can shut down the NIOS appliance using the GUI. Before shutting down a remote appliance, make sure you can restart it. You cannot restart the system using the GUI. Note: If there is a disruption in power when the NIOS appliance is operating, the NIOS appliance automatically reboots itself when power is restored. To shutdown a NIOS appliance using the GUI: 1. Log in to the Infoblox Manager GUI using a superuser account. 2. From the Grid or Device perspective, click hostname -> Edit -> Shutdown. 3. For an HA pair, choose whether to shut down one node (and which one) or both nodes, and then click OK. The NIOS appliance shuts down. The fans might continue to operate until the appliance cools down. To shutdown a NIOS appliance using the CLI: 1. Log in to the Infoblox CLI using a superuser account. 2. Enter the following CLI command: shutdown
Resetting a NIOS Appliance

There are three ways to reset a NIOS appliance:
Resetting the Database on page 172 Resetting a NIOS Appliance to Factory Settings on page 172 Resetting the NIOS Appliance to Factory Settings and Removing Licenses on page 172
You can perform these functions only through the CLI.
NIOS 4.3r5
171
Resetting the Database

You can reset the database if you lose the administrator account and password or if you want to clear the database but preserve the log files to diagnose a problem. This function removes the configuration files, and the DNS and DHCP data from the appliance database. During this procedure, you are given the option to preserve the network settings of the appliance, which are the IP address and subnet mask, the IP address of the gateway, the host name, and the remote access setting. To reset the database: 1. Log in to the Infoblox CLI using a superuser account. 2. Enter the following CLI command: reset database The appliance then displays a message similar to the following:
The following network settings can be restored after reset: IP Address: 10.1.1.10 Subnet Mask: 255.255.255.0 Gateway: 10.1.1.1 Host Name: ns1.corp100.com Remote Console Access: true The entire database will be erased. Do you wish to preserve basic network settings? (y or n)
3. Press the Y key to preserve the network settings or the N key to return the network settings to their default values (192.168.1.2, 255.255.255.0, 192.168.1.1).
Resetting a NIOS Appliance to Factory Settings

You can reset a NIOS appliance to its original factory settings. This removes the database, network settings, logs, and configuration files. Then, it reboots with its factory settings, which are the default user name and password, and default network settings. When you perform this procedure, the appliance does not give you the option to preserve your network settings. Note: If you have previously imported HTTPS certificates, the appliance regenerates the certificates and replaces them. To reset the NIOS appliance to its factory settings: 1. Log in to the Infoblox CLI using a superuser account. 2. Enter the following CLI command: reset all
Resetting the NIOS Appliance to Factory Settings and Removing Licenses

You can also reset a NIOS appliance to its original factory settings and remove all the licenses installed on the appliance. This removes the database, network settings, logs, configuration files, and licenses. The appliance then reboots with its factory settings, which are the default user name and password, and default network settings. Note: If you have previously imported HTTPS certificates, the NIOS appliance regenerates the certificates and replaces them. To reset the NIOS appliance to its factory settings and remove all its licenses: 1. Log in to the Infoblox CLI using a superuser account. 2. Enter the following CLI command: reset all licenses
172
NIOS 4.3r5
Managing the Disk Subsystem on the Infoblox-2000

Among its many features, the Infoblox-2000 uses a RAID (Redundant Array of Independent Disks) 10 array to provide the optimum mix of high database performance and redundant data storage with recovery features in the event of disk failures. The disk array is completely self managed. There are no maintenance or special procedures required to service the disk subsystem. Caution: Never remove more than one disk at a time from the array. Removing two or more disks at once can cause an array failure and result in an unrecoverable condition. You should replace only one disk at a time, using a replacement disk from Infoblox. For information, see Replacing a Failed Disk Drive on page 175.
About RAID 10
RAID 10 (or sometimes called RAID 1+0) uses a minimum of four disk drives to create a RAID 0 array from two RAID 1 arrays, as shown inFigure 4.13 . It uses mirroring and striping to form a stripe of mirrored subsets. This means that the array combinesor stripesmultiple disk drives, creating a single logical volume (RAID 0). RAID 10 combines the high performance of RAID 0 and the high fault tolerance of RAID 1. Striping disk drives improves database write performance over a single disk drive for large databases. The disks are also mirrored (RAID 1), so that each disk in the logical volume is fully redundant.
Figure 4.13 RAID 10 Array Configuration

RAID 0
RAID 1
RAID 1
Disk 1 Primary
Disk 1 Backup
Disk 2 Primary
Disk 2 Backup
When evaluating a fault on the Infoblox-2000, it is best to think of the disk subsystem as a single, integrated unit with four components, rather than four independent disk drives. For information, see Evaluating the Status of the Disk Subsystem on page 174.
NIOS 4.3r5
173
Evaluating the Status of the Disk Subsystem

You can monitor the disk subsystem through the Infoblox Grid Manager GUI, the scrolling front panel LCD display, and four front panel LEDs next to the disk drives. In addition, you can monitor the disk status by using the CLI command show hardware_status. The following example displays the status of an Infoblox-2000 using the command:
Infoblox > show hardware_status POWER: Power OK Fan1: 7258 RPM Fan2: 6887 RPM Fan3: 7258 RPM CPU1_TEMP: +20.0 C CPU2_TEMP: +24.0 C SYS_TEMP: +35 C RAID_ARRAY: OPTIMAL RAID_BATTERY: OK READY Yes 103 HOURS
The Detailed Status panel provides a detailed status report on the appliance and service operations. To see a detailed status report, from the Grid perspective, select grid, and then click View -> Detailed Status. After displaying the Detailed Status panel, you can view the status of individual grid members and services by selecting them in the Grid panel. For more information on the Detailed Status panel, see Viewing Detailed Status on page 182. The RAID icon indicates the status of the RAID array on the Infoblox-2000. Icon Color Green Yellow Red Meaning The RAID array is in an optimal state. A new disk was inserted and the RAID array is rebuilding. The RAID array is degraded. At least one disk is not functioning properly. The GUI lists the disks that are online. Replace only the disks that are offline.
The Grid Manager GUI also displays detailed status of the RAID array. In the event of a disk failure, you must replace the failed disk with one that is qualified and shipped from Infoblox and has the same disk type as the rest of the disks in the array. The appliance displays information about mismatched disks in the Description column. The disk type can be one of the following: IB-Type 1: Infoblox supported disk type IB-Type 2: Infoblox supported disk type Unk: Unknown disk type that Infoblox does not support
All disk drives in the array must have the same disk type for the array to function properly. You can have either IB-Type 1 or IB-Type 2, but you cannot mix both in the array. When you have a mismatched disk in the array, you must promptly replace the disk with a replacement disk from Infoblox to avoid operational issues.
174
NIOS 4.3r5
Appliance Front Panel

The disk drives are located on the right side of the appliance front panel. To the right of each drive there is an LED that displays the status of each drive. The front panel LCD scrolls and displays the disk array status every 20 seconds.
Table 4.5 Disk Drive LEDs

LED Color Green Yellow Dark Condition Disk operating normally Disk read/write activity Disk has failed or not inserted Action None Disk is functioning normally or is synchronizing if recently inserted. Verify the failure in the GUI or CLI. Remove the disk and replace with a functional disk drive. Note that the drive rebuilds with its twin.
Replacing a Failed Disk Drive

The Infoblox-2000 is designed to provide continuous operation in the event of a failed disk. Replace an original RAID disk only when there is a disk failure. Hot-swapping a disk drive is a simple process that does not require issuing commands or a GUI operation. When you replace a failed disk, you must replace it with an Infoblox supplied disk. To ensure that you receive the correct replacement disk, report the disk type or part number of the failed disk. The appliance displays the disk type in the Detailed Status panel, and the Infoblox part number is printed on the disk. Installing disks that are not qualified and shipped from Infoblox could cause failures in the appliance. To replace a disk drive, follow this procedure: 1. Identify and verify the failed drive via the Grid Manager, front panel LCD, or CLI. 2. If the activity light is green or blinking yellow, make sure you have identified the correct drive. There are conditions where a drive could be in the process of failing and still be green or yellow. Note: Do not remove a correctly functioning drive. 3. Push in the latch for the drive and pull the release lever out towards you. 4. When the drive disengages, wait about 30 seconds for the disk to completely stop spinning. 5. Slide it out of the slot. Replacement drives are shipped as a complete unit, ready to insert into the appliance. There is no preparation required. To install a replacement drive, follow this procedure: 1. Insert the replacement drive into the drive bay slot. 2. Gently slide the drive into place. When you feel the release lever engage, continue applying gentle pressure to the drive while pushing the release lever towards the appliance. 3. The release lever locks into place and the LED next to the disk drive lights up. Note that if the alarm buzzer is sounding, it automatically turns off about 20 seconds after the drive is inserted. 4. The disk drive automatically goes into rebuild mode.
NIOS 4.3r5
175
Disk Array Guidelines

Infoblox has designed the disk array to be completely self managed. There are no maintenance procedures required for a normally functioning disk array. Mishandling the disk array can cause an unrecoverable error and result in a failed appliance. Infoblox highly recommends that you observe the following guidelines: Remove only one disk at a time. Do not remove two or more disks from the appliance at the same time. Removing two or more disks at the same time might result in an appliance failure and require an RMA of the appliance. This rule applies to both powered and powered down appliances. If the status of the array is degraded, remove the failed or failing disk drive only. Do not remove an optimally functioning drive. If your acceptance procedure requires a test of the RAID hot swap feature, remove only one disk drive at a time. You can remove a second disk only after you replace the first disk and the array completes its rebuilding process. Do not remove a disk drive if the array is rebuilding. This could result in an appliance failure. Verify the status of the array before removing a disk drive. Use the following procedure to remove a spinning disk: 1. Unlatch and pull the disk about two cm (one inch) to disengage contact. 2. Wait about 30 seconds for the disk to completely stop spinning. 3. Remove the disk and handle it with care. Do not drop the disk or ship it loosely in a carton. You can hot swap a drive while the appliance remains in production. There are some conditions that may require powering down the appliance to replace a failed unit. This normally happens if the RAID controller detects an error that could damage the array. If you insert a replacement drive into a live array and the controller doesnt recognize the drive, power down the appliance. If you inadvertently remove the wrong disk drive, do not immediately remove the disk drive that you originally intended to remove. Verify the status of the array and replace the disk drive that you removed earlier before removing another drive. Removing a second drive could render the appliance inoperable. If a drive failed, there is an audio alarm buzzer. The alarm automatically stops about 20 seconds after a functional disk has been inserted into the array. All disks in the RAID array should have the same disk type for the array to function properly. In the unlikely event that two disk drives fail simultaneously and the appliance is still operational, remove and replace the failed disk drives one at a time. Rebuild time can vary. The rebuild process takes approximately two hours on an idle appliance. On very busy appliances (over 90% utilization), the disk rebuild process can take as long as 40 hours. On a grid master serving a very large grid, expect the rebuild process to take at least 24 hours. Replace a failed or mismatched disk only with a replacement disk shipped from Infoblox. When you request a replacement disk, report the disk type displayed in the Detailed Status panel of the GUI or the Infoblox part number on the disk.
176
NIOS 4.3r5
Restarting Services
Restarting Services
Whenever you make a change (such as add a zone, network, or a range) you click the Restart icon to restart services. You can restart the DNS, DHCP, RADIUS, and VitalQIP services after you make configuration changes. You can also specify a future restart time. You can restart services at the grid level or the member level as described in:
Restarting Grid Services on page 177 Restarting Member Services on page 178
You can cancel a schedule that you create to restart services. A superuser can cancel any scheduled restarts. Only a superuser or administrators with read and write permission to all of the grid members can schedule a grid restart. When a superuser schedules a grid restart, a limited-access user cannot schedule a member-level restart. Limited-access users cannot cancel a superusers scheduled changes. Limited-access users cannot create or modify a schedule for a grid member if a schedule for the member (created by another user) already exists.
USER logon_id action service restart schedule 'schedule' on grid (or member) grid name or member node id
The following rules apply to superusers and limited-access users:
The system writes every scheduled change action to the audit log as follows:
For example:
USER jdoe insert service restart schedule '02/20/2007 01:30:00' on grid Infoblox USER jdoe deleted service restart schedule '02/22/2007 01:30:00' on node id 3
For more information on the audit log, see Using the Audit Log on page 192.
Restarting Grid Services

Only a superuser or administrators with read and write permission to all grid members can schedule a grid restart. You can restart services at the grid level either simultaneously or sequentially, and also specify the restart services time. After you enter a specific date and time, the system schedules to restart services at the specified time on each grid member, one by one. To restart services at the grid level: 1. Click the Restart Services icon. The Restart Grid Services dialog box appears. 2. Enter the following in the Restart services on all members section: Simultaneously: Restarts the services on all of the members in a grid at the same time. Sequentially: This is the default option. Restarts the services on each grid member according to the number of seconds you enter in the Sequential Delay field. For example, if you enter the sequential delay as 10 seconds, the system restarts services on the first member, and 10 seconds later on the second member. 3. Select one of the following options in the Restart services time section: Immediately: Restarts services at once. Scheduled: Enter the following information to schedule all grid members to restart at a certain date and time: Date: Enter the date on which the services should restart in MM/DD/YYYY (month/day/year) format. Time: Enter the time in hh:mm:ss (hours: minutes: seconds) format. Hours must be a numeric value between 0 and 23. For example, if you make the change at 10:00 a.m. on Wednesday and want the change to occur at 10:30 p.m., enter 22:30:00.
NIOS 4.3r5
177
Time Zone: Select a time zone from the drop-down menu. The drop-down menu displays the grid default time (see Changing Time Zone Settings on page 123). However, you can select a different time zone. For example, if the grid default time zone is Eastern time and you are in California, you can schedule a restart in the Pacific time zone. Enter the date and time and select the Pacific time zone and click the Save icon. When you invoke the GUI the next time, the system calculates the time difference between the two time zones and displays the scheduled time in the grid default time zone (Eastern time).
Note: The NIOS appliance converts the time zone to the grid default time zone only after you save and reinvoke the GUI. Click the Show Details button to view the following restart services details: IP address of the grid members that are restarting, services that are restarting (such as DNS, DHCP, and RADIUS), the restart date and time, and the time zone. 4. Click OK. The Restart Services icon changes from the Infoblox logo restart has been scheduled. to a clock to indicate that a
Restarting Member Services

The member restart time always supersedes the grid restart time. If the member restart time is later than the grid restart time, then the member restarts services at its scheduled time. If the member restart time is ahead of the grid restart time, then the member restarts services at its scheduled restart time, and again during the grid restart time. To restart member services: 1. Click the Restart Services icon. The Restart Member Services dialog box appears. 2. You can specify whether the member should restart services when necessary or you can force it to restart services. Select one of the following under the Restart services section: Restart services (if needed): This option restarts all active DNS, DHCP, RADIUS, and VitalQIP proxy services if there are any changes requiring a service restart. To see which services are enabled and must be restarted, click Show Details. Force restart services: This option forces all active services to restart regardless of their state. 3. Select one of the following options in the Restart services time section: Immediately: Restarts services instantly. Scheduled: Enter the date, time, and select the time zone as follows: Date: Specify the date on which the services should restart in MM/DD/YYYY (month/day/year) format. Time: Specify the time in hh:mm:ss (hours: minutes: seconds) format. Hours must be a numeric value between 0 and 23. For example, if you make the change at 10:00 a.m. on Wednesday and want the change to occur at 10:30 p.m., enter 22:30:00. Time Zone: Select a time zone from the drop-down menu. The drop-down menu displays the member default time zone (see Changing Time Zone Settings on page 123). But, you can select a different time zone when you create the schedule. For example, if the member default time zone is Eastern time and you are in California, you can schedule a restart in the Pacific time zone. Enter the date and time and select the Pacific time zone and click the Save icon. When you invoke the GUI the next time, the system calculates the time difference between the two time zones and displays the scheduled time in the member default time zone (Eastern time).
Note: The NIOS appliance converts the time zone to the grid default time zone only after you save and reinvoke the GUI.
178
NIOS 4.3r5
Restarting Services
Click the Show Details button to view the following restart services details: IP addresses of the members that are restarting, services that are restarting (such as DNS, DHCP, and RADIUS), the restart date and time, and the time zone. The Restart Services icon changes from the Infoblox logo restart has been scheduled. to a clock to indicate that a
Canceling a Scheduled Restart

Limited-access users can only cancel a schedule that they created. Superusers can cancel a schedule that any user created. You can cancel scheduled changes for the grid only from the grid level and scheduled changes for the member only from the member-level. You can cancel a scheduled restart either by using the Manage Restart Services option or by resetting the restart services time to Immediately (instead of selecting Scheduled) in the Restart Member Services dialog box. Use the following steps to cancel a scheduled restart using the Manage Restart Services option. When you use this option, the system cancels the schedule to restart services on the member or grid and does not restart services. 1. From the Grid or Device perspective, select the drop-down menu next to the clock icon in the GUI. 2. Select Manage Restart Services. The Manage Grid Services dialog box or the Manage Device Services dialog box appears. 3. Click Cancel Restart. The Cancel Schedule Warning message appears. 4. Click Yes and click OK. The Restart Services icon in the GUI changes back from the clock icon to the Infoblox logo provided there is no other scheduled restart. Use the following steps to cancel a scheduled restart by resetting the restart services time. When you use this option, the system cancels the scheduled restart and restarts the services on the member or the grid at once. 1. From the Grid or Device perspective, click the grid or the member. 2. Select the drop-down menu next to the clock icon in the GUI. 3. Select Restart Member Services or Restart Grid Services. The Restart Member Services or Restart Grid Services dialog box appears. 4. Select Immediately in the Restart services time section and click OK. The Cancel Schedule Warning message appears. 5. Click Yes and click OK. The Restart Services icon in the GUI changes back from the clock icon to the Infoblox logo provided there is no other scheduled restart.
NIOS 4.3r5
179
180
NIOS 4.3r5
Chapter 5 Monitoring the Appliance

This chapter describes the status icons in the Infoblox GUI that indicate the state of appliances, services, database capacity, ethernet ports, HA, and grid replication. It also explains how to use the various logs and the traffic capture tool to monitor a NIOS appliance. You can set the monitoring parameters at the grid and member levels. The topics in this chapter include:
Viewing Detailed Status on page 182 Appliance Status on page 182 Service Status on page 182 DB Capacity Used on page 183 Disk Usage on page 183 HA, LAN1, LAN2, or MGMT Port on page 184 LCD on page 184 Memory Usage on page 184 Replication on page 186 Using a Syslog Server on page 187 Specifying Syslog Servers on page 187 Configuring Syslog for a Grid Member on page 188 Setting DNS Logging Categories on page 189 Viewing the Syslog on page 190 Searching for Text on page 190 Downloading the Syslog File on page 191 Monitoring Tools on page 192 Using the Audit Log on page 192 Using the Replication Log on page 194 Using the Traffic Capture Tool on page 195 Using the Capacity Report on page 196 Monitoring DNS Transactions on page 197
NIOS 4.3r5
181
Monitoring the Appliance
Viewing Detailed Status

The NIOS GUI changes the color of status icons to indicate the state of appliances, services, database capacity, ethernet ports, HA, and grid replication. For the Infoblox-1552 and 2000, the GUI displays status icons for the power supplies. For the Infoblox-2000, the GUI displays icons to indicate the state of the RAID array and disk controller backup battery. To see a detailed status report for a grid, from the Grid perspective, select grid, and then click View -> Detailed Status. After displaying the Detailed Status panel, you can view the status of individual grid members and services by selecting them in the Grid panel. The Detailed Status panel provides a detailed status report on the following appliance and service operations:
Appliance Status
The status icons indicate the operational status of a grid member and a general description about what it is currently doing. The appliance status icon can be one of the following colors: Icon Color Green Yellow Red Meaning The appliance is operating normally in a running state. The appliance is connecting or synchronizing with its grid master. The grid member is offline, is not licensed (that is, it does not have a DNSone license with the Grid upgrade that permits grid membership), is upgrading or downgrading, or is shutting down.
Following are some appliance descriptions that might appear in the Description column: Running, Offline, Connecting, Synchronizing, Authentication Failed, Shared secret did not match, Not Licensed, SW Revision Mismatch, Downloading Release from Master, and Shutting Down.
Service Status
After you enable DHCP, DNS, TFTP, HTTP (for file distribution), RADIUS, FTP, bloxTools Environment, VitalQIP or IPAM WinConnect services, the Infoblox GUI indicates its status with a green or red icon. Because the status icons for NTP have a different meaning, those meanings are explained in a separate table. DHCP, DNS, TFTP, HTTP (File Distribution) , RADIUS, FTP, bloxTools Environment , VitalQIP, or IPAM WinConnect Icon Color Green Red Meaning A service is enabled and running properly. A service is enabled but not running. (A red status icon can also appear temporarily when a service is enabled and begins running, but the monitoring mechanism has not yet notified the GUI engine.)
182
NIOS 4.3r5
NTP Icon Color Green Yellow Red Gray Meaning The NTP service is enabled and running properly. The NTP service is enabled, and the appliance is synchronizing its time. The NTP service is enabled, but it is not running properly or is out of synchronization. The NTP service is disabled.
The type of information that can appear in the Description column for a service corresponds to the SNMP trap messages. For information about Infoblox SNMP traps, see Chapter 6, Monitoring with SNMP, on page 203.
DB Capacity Used
Status icons for DB Capacity Used indicate the current percentage of the database in use on a selected grid member. The maximum is 100%. Icon Color Green Yellow Meaning Under 85% database capacity is currently in use. Over 85% database capacity is currently in use. When the capacity exceeds 85%, the icon changes from green to yellow and the NIOS appliance sends an SNMP trap.
Disk Usage
This indicates the percentage of the data partition on the hard disk drive currently in use. Icon Color Green Yellow Red Meaning Under 85% capacity Between 85% and 95% capacity Over 95% capacity
FAN
The status icon indicates whether the fan(s) are functioning. The corresponding description displays the fan speed. Icon Color Green Red Meaning All fans are functioning properly. At least one fan is not running.
NIOS 4.3r5
183
HA, LAN1, LAN2, or MGMT Port

The status icons for the HA, LAN/LAN1, LAN2 and MGMT ethernet ports indicate the state of their network connectivity. Icon Color Green Red Meaning The port is properly connected to a network. Its IP address appears in the Description column. The port is not able to make a network connection.
LCD
The LCD status icon indicates its operational status. Icon Color Green Red Meaning The LCD is functioning properly. The LCD process is not running.
Memory Usage
The status icon for memory usage indicates the current percentage of memory in use. Icon Color Green Yellow Red Meaning Under 90% capacity Between 90% and 95% capacity and increased activity Over 95% capacity and increased activity
Note: You can see more details about memory usage through the CLI command: show memory
Power Supply
The Infoblox-1552, -1552-A, and -2000 have redundant power supplies. The power supply icon indicates the operational status of the power supplies. Icon Color Green Red Meaning The power supplies are functioning properly. One power supply is not running. To find out which power supply failed, check the LEDs of the power supplies.
184
NIOS 4.3r5
RAID
This icon indicates the status of the RAID array on the Infoblox-2000. Icon Color Green Yellow Red Meaning The RAID array is functioning properly. A new disk was inserted and the RAID array is rebuilding. The RAID array is degraded. At least one disk is not functioning properly. The GUI lists the disks that are online. Replace only the disks that are offline.
The Grid Manager GUI also displays detailed status of the RAID array. In the event of a disk failure, you must replace the failed disk with one that is qualified and shipped from Infoblox and has the same disk type as the rest of the disks in the array. The appliance displays information about mismatched disks in the Description column. The disk type can be one of the following: IB-Type 1: Infoblox supported disk type IB-Type 2: Infoblox supported disk type Unk: Unknown disk type that Infoblox does not support
All disk drives in the array must have the same disk type for the array to function properly. You can have either IB-Type 1 or IB-Type 2, but you cannot mix both in the array. When you have a mismatched disk in the array, you must promptly replace the disk with a replacement disk from Infoblox to avoid operational issues.
RAID Battery
This icon indicates the status of the disk controller backup battery on the Infoblox-2000. Icon Color Green Red Meaning The battery is charged. The description indicates the estimated number of hours of charge remaining on the battery The battery is not charged.
Temperatures
This icon is always green. The description reports the CPU and system temperatures.
NIOS 4.3r5
185
Replication
The current state of replication between a grid member and master or between the passive and active nodes in an HA pair. Grid Member <> Master Icon Color Green Yellow Meaning Grid communications are operating normally and ongoing database updates are occurring. The member is synchronizing itself with the master, and either complete or partial database replication is occurring. All master candidates receive the complete database. All regular members (that is, members not configured as master candidates) receive the section of the database that applies to themselves. The member and master are not replicating the database between themselves.
Red
HA Pair Passive Node <> Active Node

Icon Color Green Yellow Red Meaning HA communications are operating normally and database replication is occurring. The passive node is synchronizing itself with the active node, and database replication is occurring. The passive and active nodes are not replicating the database between themselves.
186
NIOS 4.3r5
Using a Syslog Server

Syslog is a widely used mechanism for logging system events. NIOS appliances generate syslog messages which you can view through the system log viewer and download to a directory on your management station. In addition, you can configure a NIOS appliance to send the messages to one or more external syslog servers for later analysis. Syslog messages provide information about appliance operations and processes. You can also include audit log messages and specific BIND messages among the messages the appliance sends to the syslog server. You can set syslog parameters at the grid and member levels. At the member level, you can override grid-level syslog settings and enable syslog proxy. The topics in this section include:
Specifying Syslog Servers on page 187 Configuring Syslog for a Grid Member on page 188 Setting DNS Logging Categories on page 189 Viewing the Syslog on page 190 Searching for Text on page 190 Downloading the Syslog File on page 191
Specifying Syslog Servers

To configure a NIOS appliance to send messages to a syslog server: 1. From the Grid perspective, click grid -> Edit -> Grid Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. In the Grid or Device editor, click Monitoring, and then enter the following: Syslog In addition to storing the system log on a grid member, you can configure grid to send the log to an external syslog server. Override grid syslog settings: Select this check box to override grid-level settings and apply member-level settings. Clear it to apply grid-level settings to this member. If Member Type is Riverbed, you must select this check box to override grid-level settings. The appliance automatically configures the syslog size to 20MB for Riverbed members. Syslog size (MBytes): Specify the maximum size of the syslog file. Enter a value from 10 to 300. The default is 300MB. When the syslog file reaches its maximum size, the appliance automatically writes the file into a new file by adding a .0 extension to the first file and incrementing subsequent file extensions by 1. Enable external syslog server: Select this check box to enable the NIOS appliance to send messages to a specified syslog server. Syslog Server Group: To define one or more syslog servers, click Add, enter the following, and then click OK: Server Address: Type the IP address of a syslog server. Connection Type: Specify whether the appliance uses TCP or UDP to connect to the external syslog server. Port: Specify the destination port number. Out Interface: Specify the interface through which the appliance sends syslog messages to the syslog server.
NIOS 4.3r5
187
Severity Filter: Choose a filter from the drop-down list. When you choose a severity level, grid members send messages for that severity level plus all messages for all severity levels above it. The lowest severity level is debug (at the top of the drop-down list), and the highest severity level is emerg (at the bottom of the list). Accordingly, if you choose debug, grid members send all syslog messages to the server. If you choose err, grid members send messages with the severity levels err, crit, alert, and emerg. If you choose emerg, they send only emerg messages. Message Source: Specify which syslog messages the appliance sends to the external syslog server: Internal: The appliance sends syslog messages that it generates. External: The appliance sends syslog messages that it receives from other devices, such as syslog servers and routers. Any: The appliance sends both internal and external syslog messages.
Copy audit log messages to syslog: Select the check box for the NIOS appliance to include audit log messages among the messages it sends to the syslog server. This function can be helpful for monitoring administrative activity on multiple appliances from a central location. Audit Log Facility: Choose the facility where you want the syslog server to sort the audit log messages. 3. Click the Save icon to save your settings.
Configuring Syslog for a Grid Member

You can override grid-level syslog settings and enable syslog proxy for individual members. When you enable syslog proxy, the member receives syslog messages from specified devices, such as syslog servers and routers, and then forwards these messages to an external syslog server. You can also enable appliances to use TCP for sending syslog messages. TCP is more reliable than using UDP; this reliability is important for security, accounting, and auditing messages sent through syslog. To configure syslog parameters for a member: 1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties. 2. In the Grid Member editor, click Monitoring, and enter the following: Syslog In addition to storing the system log on a grid member, you can configure a member to send the log to a syslog server. Override grid syslog settings: Select the check box to override grid-level settings and apply member-level settings. Clear it to apply grid-level settings to this member. If Member Type is Riverbed, you must select this check box to override grid-level settings. The appliance automatically configures the syslog size to 20MB for Riverbed members. Syslog size (MBytes): Specify the maximum size of the syslog file. Enter a value from 10 to 300. The default is 300MB. When the syslog file reaches its maximum size, the appliance automatically writes the file into a new file by adding a .0 extension to the first file and incrementing subsequent file extensions by 1. Enable external syslog server: Select this check box to enable the NIOS appliance to send messages to a specified syslog server. Syslog Server Group: To define one or more syslog servers, click Add, enter the following, and then click OK: Server Address: Type the IP address of a syslog server. Connection Type: Specify whether the appliance uses TCP or UDP to connect to the external syslog server. Port: Specify the destination port number. Out Interface: Specify the interface through which the appliance sends syslog messages to the syslog server.
188
NIOS 4.3r5
Severity Filter: Choose a filter from the drop-down list. When you choose a severity level, the NIOS appliance sends messages for that severity level plus all messages for all severity levels above it. The lowest severity level is debug (at the top of the drop-down list), and the highest severity level is emerg (at the bottom of the list). Accordingly, if you choose debug, the single appliance or active node in an HA pair sends all syslog messages to the server. If you choose err, it sends messages with the severity levels err, crit, alert, and emerg. If you choose emerg, it sends only emerg messages. Message Source: Specify which syslog messages the appliance sends to the external syslog server: Internal: The appliance sends syslog messages that it generates. External: The appliance sends syslog messages that it receives from other devices. Any: The appliance sends both internal and external syslog messages.
Enable syslog proxy: Select this check box to enable the appliance to receive syslog messages from other devices, such as syslog servers and routers, and then forward these messages to an external syslog server. Enable listening on TCP: Select this check box if the appliance uses TCP to receive messages from other devices. Port: Enter the number of the port through which the appliance receives syslog messages from other devices. Enable listening on UDP: Select this check box if the appliance uses UDP to to receive messages from other devices. Port: Enter the number of the port through which the appliance receives syslog messages from other devices. Proxy Client Access Control: Click Add, enter the following in the Access Control Item dialog box, and then click OK: IP Address option: Select IP Address if you are adding the IP address of an appliance or select Network if you are adding the network address of a group of appliances. Address: Enter the IP address of the appliance or network. Subnet Mask: If you entered a network IP address, you must also enter its subnet mask.
3. Click the Save icon to save your settings.
Setting DNS Logging Categories

You can specify which of 14 BIND logging message categories you want syslog to capture, and furthermore, you can filter these messages by severity. For information about severity types, refer to Using a Syslog Server on page 187. To specify logging categories: 1. From the Grid perspective, click + (for grid ) -> + (for Services) -> DNS -> Service Properties. or From the Device perspective, click + (for hostname ) -> DNS -> Service Properties. 2. In the Grid DNS Properties editor, click Logging, and then enter the following: Logging Facility: Select a facility from the drop-down list. This is the location on the syslog server to which you want to sort the DNS logging messages. Select one of more of these log categories: Enable General: Records the BIND messages that are not specifically classified. Enable Config: Records the configuration file parsing messages. Enable DNSSEC: Records the DNSSEC-signed responses. Enable Network: Records the network operation messages. Enable Queries: Records the query response messages. Enable Security: Records the approved and denied requests. Enable Transfer-in: Records zone transfer messages from the remote name servers to the appliance. Enable Transfer-out: Records zone transfer messages from the NIOS appliance to remote name servers.
NIOS 4.3r5
189
Enable Update: Records the dynamic update instances. Enable Resolver: Records the DNS resolution instances, including recursive queries from resolvers. Enable Notify: Records the asynchronous zone change notification messages. Enable Lame Servers: Records bad delegation instances. Enable Database: Records BINDs internal database processes. Enable Client: Records client requests. 3. Click the Save icon to save your settings. 4. Click the Restart Services icon if it flashes.
Viewing the Syslog

In addition to saving syslog messages to a remote syslog server, a NIOS appliance also stores the system messages locally. When the syslog file reaches its maximum size, which is 300 MB for Infoblox appliances and Cisco vNIOS virtual appliances, and 20 MB for Riverbed vNIOS virtual appliances, the appliance automatically writes the file into a new file by adding a .0 extension to the first file and incrementing subsequent file extensions by 1. Files are compressed during the rotation process, adding a .gz extension following the numerical increment (file.#.gz). The sequential incrementation goes from zero through nine. When the eleventh file is started, the first log file (file.0.gz) is deleted, and subsequent files are renumbered accordingly. For example, the current log file moves to file.0.gz, the previous file.0.gz moves to file.1.gz, and so on through file.9.gz. A maximum of 10 log files (0-9) are kept. To view syslog messages on a NIOS appliance: 1. From the Grid perspective, click + (for grid ) -> + (for Members) -> member -> File -> System Log -> ip_addr . or From the Device perspective, click hostname -> File -> System Log -> ip_addr . Note: You can also right-click a grid member or independent appliance or HA pair, and then select System Log -> ip_addr in the short-cut menu. The appliance displays the syslog messages for the specified member. 2. To refresh the contents in the System Log File viewer, click View -> Refresh (or press the F5 key). 3. To delete the contents in the System Log File viewer, click View -> Clear. Note that only a superuser can clear the syslog file.
Searching for Text

Instead of paging through the syslog messages to locate messages, you can limit the display to syslog messages with certain text strings. To search for specified text strings: 1. From the Grid perspective, click + (for grid ) -> + (for Members) -> member -> File -> System Log -> ip_addr . or From the Device perspective, click hostname -> File -> System Log -> ip_addr . Note: You can also right-click a grid member or independent appliance or HA pair, and then select System Log -> ip_addr in the short-cut menu. The appliance displays the syslog messages for the specified member. 2. Click the Search icon in the upper right corner of the System Log File viewer. 3. Enter the text string and then click Search. The appliance displays the results of your search in a Search Results panel.
190
NIOS 4.3r5
Downloading the Syslog File

You can download the syslog file to a specified directory, if you want to print and analyze it. To download a syslog file: 1. From the Grid perspective, click + (for grid ) -> + (for Members) -> member -> File -> System Log -> ip_addr . or From the Device perspective, click hostname -> File -> System Log -> ip_addr . Note: You can also right-click a grid member or independent appliance or HA pair, and then select System Log -> ip_addr in the short-cut menu. The appliance displays the syslog messages for the specified member. 2. Click the Download File icon in the upper right corner of the System Log File viewer, navigate to a directory where you want to save it, optionally change the file name (the default names are node_1_sysLog.tar.gz and node_2_sysLog.tar.gz ), and then click OK.
NIOS 4.3r5
191
Monitoring Tools
You can view the audit log, the replication log, and the traffic capture tool in a grid or HA pair to monitor administrator activity, and capture traffic for diagnostic purposes. You can also use CLI commands to monitor certain DNS transactions. This section includes the following topics:
Using the Audit Log on page 192 Using the Replication Log on page 194 Using the Traffic Capture Tool on page 195 Using the Capacity Report on page 196 Monitoring DNS Transactions on page 197
Using the Audit Log

The audit log contains a record of all Infoblox administrative activity. It provides detailed information on changes such as: Date and time stamp of the change. If you have different admin accounts with different time zone settings, the appliance uses the time zone of the admin account that you use to log in to the appliance to display the date and time stamp. Administrator name Changed object name New value of the object. If you change multiple properties of an object, the audit log lists all changes in a comma-separated log entry. You can also search the audit log to find the new value of an object. Write operations such as the addition, modification, and removal of objects. System management operations such as service restarts and appliance reboots. Scheduled tasks such as adding an A record or modifying a fixed address.
The system logs the following successful operations:
When the audit log reaches it maximum size, which is 100 MB, the appliance automatically writes the file into a new file by adding a .0 extension to the first file and incrementing subsequent file extensions by 1. Files are compressed during the rotation process, adding a .gz extension following the numerical increment (file.#.gz). The sequential incrementation goes from zero through nine. When the eleventh file is started, the first log file (file.0.gz) is deleted, and subsequent files are renumbered accordingly. For example, the current log file moves to file.0.gz, the previous file.0.gz moves to file.1.gz, and so on through file.9.gz. A maximum of 10 log files (0-9) are kept. To list the audit log files and their sizes, log in to the Infoblox CLI and execute the show logfiles command. To view the audit log: From the Grid perspective, select grid -> File -> Audit Log. or From the Device perspective, select hostname -> File -> Audit Log . To refresh the audit log view, select View -> Refresh (or press the F5 key). To delete the contents of the audit log file, select View -> Clear. You can also do the following:
You can search for audit logs that pertain to particular DNS and DHCP objects. To search the audit log file: 1. Click the Search icon in the upper right corner of the Audit Log File viewer. 2. In the Search Audit Log dialog box, enter the search criteria as follows: Match Fields: In this section, you specify the fields the appliance uses to filter the Audit Log. Enter the following:
192
NIOS 4.3r5
Monitoring Tools
Admin Name: Enter the name of the administrator to view the Audit Log changes made only by a specific administrator. The name you enter in this field need not be complete. You can use regular expressions to expand your search. For example, you can just enter ad* or adm to search for the admin name administrator. Also, the data you enter is not case sensitive. Message/Value: Enter any word or sentence from the message to be searched or the value of the object that was created, modified, or deleted. The data you enter is not case sensitive. The message you enter in this field need not be complete. You can use regular expressions to expand your search. For example, to find messages with the word created, you can just enter cre or cre*. For example, if you changed the Comment field for an authoritative zone from today is tuesday to today is wednesday, the Audit Log displays this change in the Message column as follows:
comment From: today is tuesday To: today is wednesday
In this case, you can search for the string today is wednesday but you cannot search for To: today is wednesday. You can also search based on the value of the object you changed. For example, if you change the end IP address of a DHCP range from 10.0.20.0 to 10.0.30.0, you can enter 30 in the Message/Value field to find the log for this change. Object Restrictions: In this section, you can specify additional filter criteria to restrict the Audit Log search. Object Type: This drop-down list displays the different types of objects that you can select for the search. You can select No Object Type Restrictions to search all object types or you can select a specific object type. When you select a specific object type, you can enter an object name. Object Name: To restrict the search to a specific object, you can enter a name for the object type you specified. You can enter a partial name and use regular expressions as well. For example, to find a DNS object called test.com, you can just enter tes or te*. Time Range In this section, you can either select from a predefined time range or specify your own custom range. The appliance uses the time zone that it automatically detects from the management system that the admin uses to log in. Or you can override the time zone auto-detection feature at the admin and member level by specifying a time zone. For example, if you are in the Eastern Standard Time zone, then the time range section in the dialog displays the Eastern Standard Time regardless of the grid time zone setting. If you change the time zone on your computer, you must log out and then log back in to the NIOS appliance for the new time zone to take effect. Predefined range: Select one of the following predefined date and time ranges from the drop-down menu: All: Displays all audit log messages logged at all available dates and times. Last Week: Displays all audit log activity that occurred one week before the current time. Last Day: Displays audit log activity that occurred one day (24 hours) before the current time. Last 12 Hours: Displays all audit log activity that occurred 12 hours before the current time. Last 4 Hours: Displays audit log activity that occurred four hours before the current time. Last Hour: Displays all audit log activity that occurred one hour before the current time. Custom range: Click and select one of the following: From: Either select Oldest message or click Specify and then enter the start date and time in the year/month/date and hours:minutes:seconds format. To: Either select Newest message or click Specify and then enter the end date and time in the year/month/date and hours:minutes:seconds format. 3. Click Search The appliance displays the results of your search in a Search Results panel. To download the audit log file, click the Download File icon in the upper right corner of the Audit Log File viewer, navigate to a directory where you want to save it, optionally change the file name (the default name is auditLog.tar.gz ), and click OK.
NIOS 4.3r5
193
Audit Log Format

The format of the audit log is similar to the syslog:
[date and time stamp] [user name]: message
For example:
[2007/05/05 11:13:54.208] [admin]: updated grid time zone
Note: The dates and timestamps in the audit log are determined by the time zone setting of the admin account that you use to log in to the NIOS appliance.
Specifying the Audit Log Type

Select either the Detailed (default) or Brief audit log type as follows: 1. Select Grid -> Edit -> Grid Properties. 2. Click the Grid Properties section to expand it. 3. Select one of the following types in the Audit Log section: Detailed: This is the default type. It is automatically selected. It provides detailed information on all administrative changes such as the date and time stamp of the change, administrator name, changed object name, and the new values of all properties. Brief: Provides information on administrative changes such as the date and time stamp of the change, administrator name, and the changed object name. It does not show the new value of the object. The following are examples of brief audit log messages:
[2007/06/08 12:36:35.768] [admin]: Modified AdminGroup test_group [2007/07/10 12:39:19.424] [admin]: Deleted AuthZone test.com view=default
Using the Replication Log

The Replication Status panel reports the status of the database replication between grid members and master. The Replication Status panel reports the status of the database replication between grid members and master, and between the two nodes in an independent HA pair. You can use this information to check the health of grid and HA pair activity. To view the replication log: From the Grid perspective, click grid -> View -> Replication Status. or From the Device perspective, click hostname -> View -> Replication Status . To refresh the contents in the Replication Log viewer, click View -> Refresh (or press the F5 key).
194
NIOS 4.3r5
Monitoring Tools
Using the Traffic Capture Tool

You can capture the traffic on one or all of the ports on a NIOS appliance, and then view it using a third-party network protocol analyzer application, such as the Ethereal Network Protocol Analyzer. The NIOS appliance saves all the traffic it captures into a .cap file and compresses it into a .tar.gz file. Your management system must have a utility that can extract the .tar file from the .gzip file, and an application that can read the .cap (capture) file format. This section explains the process of first capturing traffic, and then downloading it to your management system. After that, you can extract the traffic capture file and view it with a third-party traffic analyzer application. Note: The NIOS appliance always saves a traffic capture file as tcpdumpLog.tar.gz. If you want to download multiple traffic capture files to the same location, rename each downloaded file before downloading the next. 1. From the Grid perspective, click -> + (for grid) -> + (for Members) -> member -> Tools -> Capture Traffic. or From the Device perspective, click hostname -> Tools -> Capture Traffic. 2. In the Traffic Capture dialog box, select the port on which you want to capture traffic and specify how long the traffic capture tool must run. Note that if you enabled the NIC failover feature, the LAN and LAN2 ports generate the same output. (For information about the NIC failover feature, see NIC Failover on page 150.) : HA port: Select to capture all traffic that the HA port receives and transmits. LAN port: Select to capture all traffic that the LAN port receives and transmits. MGMT port: Select to capture all traffic that the MGMT port receives and transmits. LAN2 port: Select to capture all traffic that the LAN2 port receives and transmits. All ports (promiscuous mode not supported): Select to capture traffic addressed to all ports. Note that the NIOS appliance only captures traffic that is addressed to it. Seconds to run: Specify the number of seconds that you want the traffic capture tool to run. Note: NIOS virtual appliances support capturing traffic only on the LAN port. 3. Click Start. A message appears warning that the use of the traffic capture tool causes a decrease in network service processing and prompts you to confirm your use of the tool. 4. Click Yes. 5. When you want to view the captured traffic, click Download. 6. Another message appears stating that clicking Download causes the traffic capture operation (if it is still ongoing) to stop and asks if you want to proceed. 7. Click OK. 8. Navigate to where you want to save the file, rename it if you want, and then click OK or Save. 9. Use terminal window commands (Linux) or a software application (such as StuffIt or WinZip) to extract the contents of the .tar.gz file. 10. When you see the traffic.cap file in the directory where you extracted the .tar.gz file, open it with the third-party network protocol analyzer application.
NIOS 4.3r5
195
Using the Capacity Report

You can view the capacity usage and object type information of an appliance in the Capacity Report panel. The capacity report displays capacity and object type information of an independent appliance, a grid master, or a grid member. For an HA pair, the report displays information that is on the active node. The top half of the panel displays a capacity summary, and the bottom half displays the object types that the appliance supports and the total counts for each object type. To view the capacity report: From the Grid perspective, click + (for grid) -> + (for Members) -> member -> View -> Capacity Report. or From the Device perspective, select hostname -> View -> Capacity Report. Name: The name of the appliance. Role: The role of the appliance. The value can be Grid Master, Grid Master Candidate, Grid Member, or Standalone. Hardware Type: The type of hardware. For an HA pair, the report displays the hardware type for both the active and passive nodes. Maximum Capacity: The maximum number of objects that the appliance can support. Total Objects: The total number of objects that are currently in the database. % Capacity Used: The percentage of the capacity that is in use. The capacity summary contains the following information:
The report categorizes object types that you can manage through the NIOS appliance. For objects that are only used for internal system operations, the report groups and shows them under the object type Other. The report displays the following information for object types: Object Type: The type of objects. For example, DHCP Lease, Admin Group, or PTR Record. Total: The total number of objects for a specific object type.
You can print the object type information or export it to a CSV file. For information on printing the object types, see Printing from the GUI on page 61; and for information on exporting to a CSV file, see Exporting Data on page 65.
196
NIOS 4.3r5
Monitoring Tools
Monitoring DNS Transactions

The NIOS appliance provides tools for monitoring DNS transactions and mitigating cache poisoning. Cache poisoning can occur when a DNS server accepts maliciously created unauthentic data. The DNS server ends up locally caching the incorrect entries and serving them to users that make the same DNS requests. In a maliciously created situation, the attacker can redirect Internet traffic from the legitimate host to another host that the attacker controls. You can configure the appliance to track invalid DNS responses for recursive DNS queries. The appliance tracks DNS responses that arrive on invalid ports or have invalid TXIDs (DNS transaction IDs). Both invalid ports and invalid TXIDs could be indicators of cache poisoning. An invalid port is a DNS response that arrives from UDP (User Datagram Protocol) port 53 with either one of the following conditions: There are no outstanding DNS requests from the port on which the response arrives The TXID of the DNS response matches the TXID of an outstanding request, however the request was sent from a port other than the port on which the response arrives
An invalid TXID is a DNS response that arrives from UDP port 53, and the TXID does not match the TXID of an outstanding DNS request.
Figure 5.1 illustrates how the appliance detects an invalid port and an invalid TXID. Figure 5.1 Invalid Port and Invalid TXID
A client sends a DNS request to the Infoblox DNS server

Infoblox DNS Server UDP Port 53
2 The Infoblox DNS server sends
a DNS request to an authoritative DNS server
TXID 65534
Port 10024 (Random Port)
UDP Port 53 Authoritative DNS Server
Client
Port 10024
3 DNS server sends a

Port 10028
TXID 65380
valid response to Infoblox DNS server
Malicious Source
The appliance detects an invalid port or TXID, logs the event, and sends an SNMP trap and/or e-mail when the thresholds 4 The malicious server are exceeded sends spoofed DNS responses and guesses the TXID and the UPD port
Both invalid ports and invalid TXIDs could be indicators of DNS cache poisoning, although a small number of them is considered normal in situations where valid DNS responses arrive after the DNS queries had timed out. You can configure the appliance to track these indicators, and you can view their status. You can also configure thresholds for them. When the number of invalid ports or invalid TXIDs exceeds the thresholds, the appliance logs an event in the syslog file and sends an SNMP trap and e-mail notification, if you enable them. You can then configure rate limiting rules to limit incoming traffic or completely block connections from primary sources that send the invalid DNS responses. Rate limiting is a token bucket system that accepts packets from a source based on the rate limit. You can configure the number of packets per minute that the Infoblox DNS server accepts from a specified source. You can also configure the number of packets for burst traffic, which is the maximum number of packets that the token bucket can accept. Once the bucket reaches the limit for burst traffic, it discards the packets and starts receiving new packets according to the rate limit.
The appliance monitors only UDP traffic from remote port 53 for the following reasons: The attacks that the appliance monitors do not happen over TCP. DNS responses are sent only from port 53. The appliance discards DNS responses that are sent from other ports.
To monitor invalid ports and invalid TXIDs on the Infoblox DNS server, follow these procedures: 1. Enable DNS network monitoring and DNS alert monitoring. For information, see Enabling and Disabling DNS Alert Monitoring on page 198. 2. Configure the thresholds for DNS alert indicators. For information, see Configuring DNS Alert Thresholds on page 199. 3. Enable SNMP traps and e-mail notifications. For information, see Configuring SNMP on page 249. 4. Review the DNS alert status. For information, see Viewing DNS Alert Indicator Status on page 199. 5. Identify the source of the attack by reviewing the DNS alert status, syslog file, and SNMP traps. For information on SNMP traps for DNS alerts, see Threshold Crossing Traps on page 224. To mitigate cache poisoning, you can limit incoming traffic or completely block connections from specific sources, as follows: Enable rate limiting on the DNS server. For information, see Enabling and Disabling Rate Limiting from External Sources on page 200. Configure rate limit traffic rules from specific sources. For information, see Configuring Rate Limiting Rules on page 201.
You can verify the rate limiting rules after you configure them. For information, see Viewing Rate Limiting Rules on page 202.
Enabling and Disabling DNS Alert Monitoring

The appliance monitors only UDP traffic on port 53 for recursive queries, and then reports invalid DNS responses. DNS alert monitoring is disabled by default. For an HA pair, you must enable DNS alert monitoring on both the active and passive nodes. To enable DNS network monitoring and DNS alert monitoring: 1. Log in to the Infoblox CLI as a superuser account. 2. Enter the following CLI command:
set monitor dns on
The appliance displays the following:

Turning on DNS Network Monitoring...
3. Enter the following command:

set monitor dns alert on
When you enable DNS alert monitoring and DNS network monitoring is disabled, the appliance automatically enables DNS network monitoring and displays the following:
DNS Network Monitoring is disabled. It must be enabled for alerting to function. Enable DNS Monitoring now? (y or n):
You can also disable DNS network monitoring and DNS alert monitoring using the following commands:
set monitor dns off set monitor dns alert off
Note: When you restart DNS network monitoring, you also reset the SNMP counters for DNS alerts. You can then view the alert status to identify the primary source of invalid DNS responses. For information, see Viewing DNS Alert Indicator Status on page 199.
198
NIOS 4.3r5
Monitoring Tools
Viewing DNS Alert Indicator Status

To view DNS alert indicator status: 1. Log in to the Infoblox CLI as a superuser account. 2. Enter the following CLI command:
show monitor dns alert status
The appliance displays historical alert counts and up to five primary sources that generate invalid DNS responses, as shown in the following example:
Data last updated: Mon Oct 6 14:47:12 2008 DNS Alert1m5m15m60m24hEver ============================================ port8 txid8 12 12121212 12 12121212
There were 80 DNS responses seen in the last minute. 10% were to an invalid port. 10% had an invalid TXID.
Primary sources of invalid responses: 4.4.4.4 (unknown) sent 4 2.2.2.2 (unknown) sent 3 7.7.7.7 (unknown) sent 1
The appliance attempts to resolve the host names of the sources that sent invalid responses. If the appliance cannot resolve a host name, it displays unknown as the host name of the invalid response.
Configuring DNS Alert Thresholds

You can configure thresholds for DNS alerts to control when the appliance tracks DNS attacks and issues SNMP traps and e-mail notifications. Note: Ensure that you enable SNMP traps and e-mail notifications. For information, see Configuring SNMP on page 249. You can configure thresholds for both invalid ports and invalid TXIDs. The default thresholds for both invalid ports and TXIDs are 50%. When the number of invalid ports or invalid TXIDs exceeds the thresholds, the appliance logs the event and sends SNMP traps and notifications. You can configure the thresholds either as absolute packet counts or as percentages of the total traffic during a one minute time interval.
NIOS 4.3r5
199
To configure DNS alert thresholds: 1. Log in to the Infoblox CLI as a superuser account. 2. Enter the following CLI command:
set monitor dns alert modify port | txid over threshold_value packets | percent
where
port | txid = Enter port to set the threshold for invalid ports, or enter txid to set the threshold for invalid
TXIDs.
threshold_value = Enter the number of packets or percentage for the threshold. packets | percent = Enter packets if you want to track the total packet count, or enter percentage if you
want to track a percentage of the total traffic. For a percentage-based threshold, the appliance does not generate a threshold crossing event if the traffic level is less than 100 packets per minute. For example, if you want the appliance to send a DNS alert when the percentage of DNS responses arriving on invalid ports from UDP port 53 exceeds 70% per minute, you can enter the following command:
set monitor dns alert modify port over 70 percent
If you want the appliance to send a DNS alert when the total number of packets with invalid TXIDs from UDP port 53 is over 100 packets per minute, you can enter the following command:
set monitor dns alert modify txid over 100 packets
When there is a DNS alert, the appliance logs an event in the syslog file and sends an SNMP trap and e-mail notification if enabled.
Viewing DNS Alert Thresholds

You can view the DNS alert thresholds. The appliance displays the current thresholds. If you have not configured new thresholds, the appliance displays the default thresholds, which are 50% for both invalid port and TXID. To view the DNS alert thresholds: 1. Log in to the Infoblox CLI as a supreuser account. 2. Enter the following CLI command:
show monitor dns alert
The appliance displays the threshold information as shown in the following example:
DNS Network Monitoring is enabled. Alerting is enabled. DNS Alert Threshold (per minute)
=========================================== port txid over 70% of packets over 100 packets
Enabling and Disabling Rate Limiting from External Sources

You can mitigate cache poisoning on your DNS server by limiting the traffic or blocking connections from external sources. To enable rate limiting from sources: 1. Log in to the Infoblox CLI as a superuser account. 2. Enter the following CLI command:
set ip_rate_limit on
The appliance displays the following:

Enabling rate limiting will discard packets and may degrade performance. Are you sure? (y or n):
200
NIOS 4.3r5
Monitoring Tools
Note: When you enable rate limiting, the appliance discards packets based on the configured rate limiting rules. This might affect the DNS performance when the appliance discards valid DNS responses. 3. Enter y to enable rate limiting. When you enable rate limiting, the appliance applies the rate limiting rules that you configured. You might want to configure the rate limiting rules before enabling rate limiting. For information on how to configure rate limiting rules, see Configuring Rate Limiting Rules on page 201. You can also disable rate limiting by entering the following command:
set ip_rate_limit off
When you disable rate limiting, the appliance stops applying the rate limiting rules.
Configuring Rate Limiting Rules

You configure rate limiting rules to limit access or block connections from external sources. The rules take effect when you enable rate limiting. When adding rules, ensure that you do not include an IP address that matches the IP address of either the grid master or grid member. Doing this could affect VPN connectivity. To configure rate limiting rules: 1. Log in to the Infoblox CLI as a superuser account. 2. Enter the following CLI command:
set ip_rate_limit add source all | ip_address [/mask] limit packets/m [burst burst_packets]
where
all | ip_address = Enter all or 0.0.0.0 if you want to limit all traffic from all sources, or enter the IP
address from which you want to limit the traffic.

[/mask] = Optionally, enter the netmask of the host from which you want to limit the traffic. packets = Enter the number of packets per minute that you want to receive from the source. [burst burst_packets] = Optionally, enter burst and the number of packets for burst traffic. This is the maximum number of packets accepted.
The following are sample commands and descriptions for rate limiting rules: To block all traffic from host 10.10.1.1, enter the following command:
set ip_rate_limit add source 10.10.1.1 limit 0
To limit traffic to five packets per minute from host 10.10.1.2, enter the following command:
set ip_rate_limit add source 10.10.1.2 limit 5/m
To limit the traffic to five packets per minute from host 10.10.2.1/24 with an allowance for burst traffic of 10 packets, enter the following command:
set ip_rate_limit add source 10.10.2.1/24 limit 5/m burst 10
To limit the traffic to 5000 packets per minute from all sources, enter the following command:
set ip_rate_limit add source all limit 5000/m
NIOS 4.3r5
201
Removing Rate Limiting Rules

You can remove the existing rate limiting rules. To remove all the existing rules: 1. Log in to the Infoblox CLI as a superuser account. 2. Enter the following CLI command: To remove the rate limiting rule that limits traffic from all sources, enter:
set ip_rate_limit remove source all
or To remove all of the rate limiting rules from all sources, enter:
set ip_rate_limit remove all
To remove one of the existing rules for an existing host: 1. Log in to the Infoblox CLI as a superuser account. 2. Enter the following CLI command:
set ip_rate_limit remove source ip-address[/mask]
Viewing Rate Limiting Rules

You can view the existing rate limiting rules at any time. To view rate limiting rules: 1. Log in to the Infoblox CLI as a superuser account. 2. Enter the following CLI command:
show ip_rate_limit
The appliance displays the rules, as shown in the following example:

IP rate limiting is enabled. Source Limit Burst ============================================ 10.10.1.1 0 packets/minute 0 packets 10.10.1.2 5 packets/minute 5 packets 10.10.2.1/24 5 packets/minute 10 packets all 5000packets/minute 5000 packets
202
NIOS 4.3r5
Chapter 6 Monitoring with SNMP

This chapter describes how you can use SNMP (Simple Network Management Protocol) to monitor NIOS appliances in your network. It contains the following topics:
Understanding SNMP on page 204 SNMP MIB Hierarchy on page 205 MIB Objects on page 206 Infoblox MIBs on page 207 Loading the Infoblox MIBs on page 207 ibTrap MIB on page 208 ibPlatformOne MIB on page 231 ibDNSOne MIB on page 242 ibIPWC MIB on page 244 Configuring SNMP on page 249 Accepting SNMP Queries on page 249 Setting System Information on page 249 Adding SNMP Trap Receivers on page 250 Configuring SNMP for a Grid Member on page 250
NIOS 4.3r5
203
Monitoring with SNMP
Understanding SNMP
You can use SNMP (Simple Network Management Protocol) to manage network devices and monitor their processes. An SNMP-managed device, such as a NIOS appliance, has an SNMP agent that collects data and stores them as objects in MIBs (Management Information Bases). The SNMP agent can also send traps (or notifications) to alert you when certain events occur within the appliance or on the network. You can view data in the SNMP MIBs and receive SNMP traps on a management system running an SNMP management application, such as HP OpenView, IBM Tivoli NetView, or any of the freely available or commercial SNMP management applications on the Internet.
Figure 6.1 SNMP Overview
Traps Queries NIOS Appliance SNMP Management System
MIB MIB MIB MIB
Agent MIB
You can configure a NIOS appliance as an SNMP-managed device. NIOS appliances support SNMP versions 1 and 2, and adhere to the following RFCs:
RFC 3411, An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks RFC 3412, Message Processing and Dispatching for the Simple Network Management Protocol (SNMP) RFC 3413, Simple Network Management Protocol (SNMP) Applications RFC 3416, Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP) RFC 3418, Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) RFC 1155, Structure and identification of Management information for TCP/IP-based internets RFC 1213, Management Information Base for Network Management of TCP/IP-based internets:MIB-II
204
NIOS 4.3r5
SNMP MIB Hierarchy
SNMP MIB Hierarchy

Infoblox supports the standard MIBs defined in RFC-1213, Management Information Base for Network Management of TCP/IP-based internets: MIB-II, in addition to implementing its own enterprise MIBs. The Infoblox MIBs are part of a universal hierarchical structure, usually referred to as the MIB tree. The MIB tree has an unlabeled root with three subtrees. Figure 6.2 illustrates the branch of the MIB tree that leads to the Infoblox enterprise MIBs. Each object in the MIB tree has a label that consists of a textual description and an OID (object identifier). An OID is a unique dotted-decimal number that identifies the location of the object in the MIB tree. Note that all OIDs begin with a dot (.) to indicate the root of the MIB tree. As shown in Figure 6.2, Infoblox is a branch of the Enterprise subtree. IANA (Internet Assigned Numbers Authority) administers the Enterprise subtree, which is designated specifically for vendors who define their own MIBs. The IANA-assigned enterprise number of Infoblox is 7779; therefore, the OIDs of all Infoblox MIB objects begin with the prefix .1.3.6.1.4.1.7779. The Infoblox SNMP subtree branches down through two levels, ibProduct and ibOne, to the Infoblox MIBs: ibTrap, ibPlatformOne, ibDNSone, and ibDHCPOne. The ibTrap MIB defines the traps that NIOS appliances send, and the ibPlatformOne, ibDNSone, and ibDHCPOne MIBs provide information about the appliance. For detailed information about these MIBS, see Infoblox MIBs on page 207.
Figure 6.2 MIB Hierarchy
(.0) International Telegraph and Telephone Consultative Committee (CCITT)
(.1) International Organization for Standardization (ISO) (.1.3) ORG (.1.3.6) U.S. Department of Defense (DOD) (.1.3.6.1) Internet (.1.3.6.1.4) Private (.1.3.6.1.4.1) Enterprise (.1.3.6.1.4.1.7779) Infoblox (.1.3.6.1.4.1.7779.3) Infoblox SNMP Tree (.1.3.6.1.4.1.7779.3.1) ibProduct (.1.3.6.1.4.1.7779.3.1.1) ibOne
(.0) CCITT and ISO
(.1.3.6.1.4.1.7779.3.1.1.1) (.1.3.6.1.4.1.7779.3.1.12) (.1.3.6.1.4.1.7779.3.1.1.3) (.1.3.6.1.4.1.7779.3.1.1.4) ibTrap ibPlatformOne ibDNSOne ibDHCPOne
NIOS 4.3r5
205
MIB Objects
The Infoblox MIB objects were implemented according to the guidelines in RFCs 1155 and 2578. They specify two types of macros for defining MIB objects: OBJECT-TYPE and NOTIFICATION-TYPE. These macros contain clauses that describe the characteristics of an object, such as its syntax and its status. OBJECT-TYPE macros describe MIB objects, and NOTIFICATION-TYPE macros describe objects used in SNMP traps. Each object in the ibPlatformOne, ibDNSone, and ibDHCPOne MIBs contains the following clauses from the OBJECT-TYPE macro: OBJECT-TYPE: Provides the administratively-assigned name of the object. SYNTAX: Identifies the data structure of the object, such as integers, counters, and octet strings. MAX-ACCESS: Identifies the type of access that a management station has to the object. All Infoblox MIB objects provide read-only access. STATUS: Identifies the status of the object. Values are current, obsolete, and deprecated. DESCRIPTION: Provides a textual description of the object. INDEX or AUGMENTS: An object that represents a conceptual row must have either an INDEX or AUGMENTS clause that defines a key for selecting a row in a table. OID: The dotted decimal object identifier that defines the location of the object in the universal MIB tree.
The ibTrap MIB defines the SNMP traps that a NIOS appliance can send. Each object in the ibTrap MIB contains the following clauses from the NOTIFICATION-TYPE macro: NOTIFICATION-TYPE: Provides the administratively-assigned name of the object. OBJECTS: Provides an ordered list of MIB objects that are in the trap. STATUS: Identifies the status of the object. Values are current, obsolete, and deprecated. DESCRIPTION: Provides the notification information.
206
NIOS 4.3r5
Infoblox MIBs
Infoblox MIBs
You can configure a NIOS appliance as an SNMP-managed device so that an SNMP management station can send queries to the appliance and retrieve information from its MIBs. Perform the following tasks to access the Infoblox MIBs: 1. Configure a NIOS appliance to accept queries, as described in Accepting SNMP Queries on page 249. 2. Load the MIB files onto the management system. To obtain the latest Infoblox MIB files: a. c. From the Grid Perspective, select id_grid -> Tools -> Download SNMP MIBs. Click Save. b. In the Save As dialog box, navigate to a directory to which you want to save the MIBs. 3. Use a MIB browser or SNMP management application to query the objects in each MIB. The NIOS appliance allows read-only access to the MIBs. This is equivalent to the Get and Get Next operations in SNMP.
Loading the Infoblox MIBs

If you are using an SNMP manager toolkit with strict dependency checking, you must download the following Infoblox MIBs in the order they are listed: 1. IB-SMI-MIB.txt 2. IB-TRAP-MIB.txt 3. IB-PLATFORMONE-MIB.txt 4. IB-DNSONE-MIB.txt 5. IB-DHCPONE-MIB.txt 6. IB-IPWC-MIB.txt (if you use the Infoblox IPAM WinConnect service) In addition, if the SNMP manager toolkit the you use requires a different MIB file naming convention, you can rename the MIB files accordingly.
NET-SNMP MIBs
NIOS appliances support NET-SNMP (formerly UCD-SNMP), a collection of applications used to implement the SNMP protocol. When you download the Infoblox MIBs from the Infoblox Support site, you can download some of the NET-SNMP MIBs and load them onto your SNMP management system. The NET-SNMP MIBs provide the top-level infrastructure for the SNMP MIB tree. They define, among other things, the objects in the SNMP traps that the agent sends when the SNMP engine starts and stops. For additional information on NET-SNMP and the MIB files distributed with NET-SNMP, refer to http://net-snmp.sourceforge.net/.
RADIUS MIBs
The NIOS appliance supports the RADIUS-ACC-SERVER-MIB and RADIUS-AUTH-SERVER-MIB. You can download these MIBs along with the Infoblox enterprise MIBs. When you install the RADIUS server license on the appliance and configure RADIUS services, the appliance responds to queries for data from the RADIUS MIBs, if configured to do so. For information on these MIBs, refer to RFC 2619, RADIUS Authentication Server MIB and RFC 2621, RADIUS Accounting Server MIB.
NIOS 4.3r5
207
ibTrap MIB
NIOS appliances send SNMP traps when events, internal process failures, or critical service failures occur. The ibTrap MIB defines the types of traps that a NIOS appliance sends and the value that each MIB object represents. The Infoblox SNMP traps report objects which the ibTrap MIB defines. Figure 6.3 illustrates the ibTrap MIB structure. It provides the OID and textual description for each object. Note: OIDs shown in the illustrations and tables in this section do not include the prefix .1.3.6.1.4.1.7779. The ibTrap MIB comprises two trees, ibTrapOneModule and ibNotificationVarBind. The ibTraponeModule tree contains objects for the types of traps that a NIOS appliance sends. The ibNotificationVarBind tree contains objects that the Infoblox SNMP traps report. You cannot send queries for the objects in this MIB module. The objects are used only in the SNMP traps.
Figure 6.3 ibTrapOne MIB Structure

(3.1.1.1) ibTrap MIB
(3.1.1.1.1) ibTrapOneModule (3.1.1.1.1.1.0) ibEquipmentFailureTrap (3.1.1.1.1.2.0) ibProcessingFailureTrap (3.1.1.1.1.3.0) ibThresholdCrossingEvent (3.1.1.1.1.4.0) ibStateChangeEvent (3.1.1.1.1.5.0) ibProcStartStopTrap
(3.1.1.1.2) ibNotificationVarBind (3.1.1.1.2.1.0) ibNodeName (3.1.1.1.2.2.0) ibTrapSeverity (3.1.1.1.2.3.0) ibObjectName (3.1.1.1.2.4.0) ibProbableCause (3.1.1.1.2.5.0) ibSubsystemName (3.1.1.1.2.6.0) ibCurThresholdValue (3.1.1.1.2.7.0) ibThresholdHigh (3.1.1.1.2.8.0) ibThresholdLow (3.1.1.1.2.9.0) ibPreviousState (3.1.1.1.2.10.0) ibCurrentState (3.1.1.1.2.11.0) ibTrapDesc
208
NIOS 4.3r5
Infoblox MIBs
Interpreting Infoblox SNMP Traps

Depending on the SNMP management application that your management system uses, the SNMP traps that you receive might list the OIDs for all relevant MIB objects from both the ibTrapOneModule and ibNotificationVarBind trees. For OIDs that have string values, the trap lists the text. For OIDs that contain integers, you can use the tables in this section to find out the values. Some SNMP management applications list only the object name and the corresponding values in the SNMP trap. Whether your SNMP management application lists OIDs or not, you can use the tables in this section to find out the corresponding values and definitions for each MIB object. The following is a sample trap that a NIOS appliance sends:
418:Jan 31 18:52:26 (none) snmptrapd[6087]: 2008-01-31 18:52:26 10.35.1.156 [UDP: [10.35.1.156]:32772]: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1080) 0:00:10.80 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.7779.3.1.1.1.1.4.0 SNMPv2-SMI::enterprises.7779.3.1.1.1.2.1.0 = STRING: "10.35.1.156" SNMPv2-SMI::enterprises. 7779.3.1.1.1.2.3.0 = STRING: "ntp_sync" SNMPv2-SMI::enterprises.7779.3.1.1.1.2.9.0 = INTEGER: 15 SNMPv2-SMI::enterprises.7779.3.1.1.1.2.10.0 = INTEGER: 16 SNMPv2-SMI::enterprises.7779.3.1.1.1.2.11.0 = STRING: "The NTP service is out of synchronization."
The sample trap lists the OIDs and their corresponding values that can help you identify the cause of the event or problem. You can find the definition for each OID or object and its value using the tables in this section. To identify possible cause and recommended actions for the trap, use the ibTrapDesc tables. For information, see ibTrapDesc (OID 3.1.1.1.2.11.0) on page 218. You can interpret the sample trap as follows: Using the ibTrapOneModule table, you find out that OID 7779.3.1.1.1.1.4.0 represents an Object State Change trap. This type of trap includes the following objects. For each object, the trap displays the OID and its corresponding value. The following is how you can interpret the rest of the trap: ibNodeName (OID 7779.3.1.1.1.2.1.0) Using the ibNotificationVarBind (OID 3.1.1.1.2) table, you find out that OID 7779.3.1.1.1.2.1.0 represents the MIB object ibNodeName, which is the IP address of the appliance on which the trap occurred. Therefore, the statement 7779.3.1.1.1.2.1.0 = STRING: "10.35.1.156" SNMPv2-SMI::enterprises. tells you that the IP address of the appliance on which the trap occurred has an IP address of 10.35.1.156. The statement 7779.3.1.1.1.2.3.0 = STRING: "ntp_sync" SNMPv2-SMI::enterprises. tells you that the MIB object ibOjectName, which is the name of the object for which the trap was generated, has a value of ntp_sync, which represents NTP synchronization issues. ibPreviousState (OID 7779.3.1.1.1.2.9.0) The statement 7779.3.1.1.1.2.9.0 = INTEGER: 15 SNMPv2-SMI::enterprises. tells you that the MIB object ibPreviousState, which indicates the previous state of the appliance, has a value of 15. Using the ibPreviousState and ibCurrentState Values table, you know that 15 represents ntp-sync-up, which means that the NTP server was up and running. The statement 7779.3.1.1.1.2.10.0 = INTEGER: 16 SNMPv2-SMI::enterprises. tells you that the MIB object ibCurrentState, which indicates the current state of the appliance, has a value of 16. Using the ibPreviousState and ibCurrentState Values table, you know that 16 represents ntp-sync-down, which means that the NTP server is now out of sync. The last statement 7779.3.1.1.1.2.11.0 = STRING: "The NTP service is out of synchronization." states the description of the trap. Using the Object State Change Traps table for ibTrapDesc, you can find out the details of the trap description and recommended actions for this problem.
ibObjectName (OID 7779.3.1.1.1.2.3.0)
ibCurrentState (OID 7779.3.1.1.1.2.10.0)
ibTrapDesc (OID 7779.3.1.1.1.2.11.0)
NIOS 4.3r5
209
Types of Traps (OID 3.1.1.1.1)

ibTrapOneModule defines the types of traps that the NIOS appliance can send. There are five types of SNMP traps. Table 6.1 describe the types of traps and their objects in the ibTrapOneModule tree.
Table 6.1 ibTrapOneModule

OID 3.1.1.1.1.1.0 Trap Type Equipment Failure MIB Object ibEquipmentFailureTrap Description The NIOS appliance generates this trap when a hardware failure occurs. This trap includes the following objects: ibNodeName ibTrapSevertiy ibObjectName (equipment name) ibProbableCause ibTrapDesc
For a list of trap descriptions, see Equipment Failure Traps on page 218. 3.1.1.1.1.2.0 Processing and Software Failure ibProcessingFailureTrap The NIOS appliance generates this trap when a failure occurs in one of the software processes. This trap includes the following objects: ibNodeName ibTrapSeverity ibSubsystemName ibProbableCause ibTrapDesc
For a list of trap descriptions, see Processing and Software Failure Traps on page 219.
210
NIOS 4.3r5
Infoblox MIBs
OID 3.1.1.1.1.3.0
Trap Type Threshold Crossing
MIB Object ibThresholdCrossingEvent
Description The NIOS appliance generates this trap when any of the following events occur: System memory or disk usage exceeds 90%. A problem occurs when the grid master replicates its database to its grid members. DHCP address usage crosses a watermark threshold. For more information about tracking IP address usage, see Chapter 18, Managing IP Data IPAM, on page 627. The number or percentage of the DNS security alerts exceeds the thresholds of the DNS security alert triggers. ibNodeName ibObjectName (threshold name) ibCurThresholdvalue ibThresholdHigh ibThresholdLow ibTrapDesc
This trap can include the following objects:
For a list of trap descriptions, see Threshold
Crossing Traps on page 224.

3.1.1.1.1.4.0 Object State Change ibStateChangeEvent The NIOS appliance generates this trap when there is a change in its state, such as: The link to one of the configured ports goes down, and then goes back up again. A failover occurs in an HA (high availability) pair configuration. A member connects to the grid master. An appliance in a grid goes offline. ibNodeName ibObjectName ibPreviousState ibCurrentState ibTrapDesc
This trap includes the following objects:
For a list of possible trap descriptions, see Object
State Change Traps on page 229.
NIOS 4.3r5
211
OID 3.1.1.1.1.5.0
Trap Type Process Started and Stopped
MIB Object ibProcStartStopTrap
Description The NIOS appliance generates this type of trap when any of the following events occur: When you enable HTTP redirection. When you change the HTTP access setting. When you change the HTTP session time out setting. When a failover occurs in an HA pair configuration. ibNodeName ibSubsystemName ibTrapDesc
This trap includes the following objects:
For a list of possible trap descriptions, see Process Started and Stopped Traps on page 230.
212
NIOS 4.3r5
Infoblox MIBs
Trap Binding Variables (OID 3.1.1.1.2)

Each SNMP trap contains information about the event or the problem. The Infoblox SNMP traps include MIB objects and their corresponding values from the ibNotificationVarBind module. Table 6.2 describes the objects in the ibNotificationVarBind module.
Table 6.2 ibNotificationVarBind (OID 3.1.1.1.2)

Note: The OIDs shown in the following table do not include the prefix .1.3.6.1.4.1.7779.. OID 3.1.1.1.2.1.0 Description The IP address of the appliance on which the trap occurs. This may or may not be the same as the appliance that sends the trap. This object is used in all types of traps. The severity of the trap. There are five levels of severity. See Trap Severity (OID 3.1.1.1.2.2.0) on page 214 for details. The name of the object for which the trap was generated. This is used in the Equipment Failure traps, Threshold Crossing Event traps, and the Object State Change traps. The following shows what this object represents depending on the type of traps: 3.1.1.1.2.4.0 3.1.1.1.2.5.0 ibProbableCause ibSubsystemName Equipment Failure traps: The equipment name. Threshold Crossing Event traps: The object name of the trap. State Change traps: The object that changes state.
MIB Object ibNodeName
3.1.1.1.2.2.0 3.1.1.1.2.3.0
ibTrapSeverity ibObjectName
The probable cause of the trap. See ibProbableCause Values on page 215 for the definitions of each value. The subsystem for which the trap was generated, such as NTP or SNMP. This object is used in the Processing and Software Failure traps and the Process Start and Stop traps. See ibSubsystemName Values (OID 3.1.1.1.2.9.0) on page 216 for definitions of each value. The current value of the threshold counter. This object is used in the Threshold Crossing traps. The value for the high watermark. This only applies when the appliance sends a trap to indicate that DHCP address usage is above the configured high watermark value for a DHCP address range. This object is used in Threshold Crossing traps. For additional information, see Setting Watermark Properties on page 637. The value for the low watermark. This only applies when the appliance sends a trap to indicate that DHCP address usage went below the configured low watermark value for a DHCP address range. This object is used in Threshold Crossing traps. For additional information, see Setting Watermark Properties on page 637. The previous state of the appliance. This object is used in the Object State Change traps. See ibPreviousState (OID 3.1.1.1.2.9.0) and ibCurrentState (OID 3.1.1.1.2.10.0) on page 217 for definitions of each value.
3.1.1.1.2.6.0 3.1.1.1.2.7.0
ibCurThresholdValue ibThresholdHigh
3.1.1.1.2.8.0
ibThresholdLow
3.1.1.1.2.9.0
ibPreviousState
NIOS 4.3r5
213
OID 3.1.1.1.2.10.0
MIB Object ibCurrentState
Description The current state of the appliance. This object is used in the Object State Change traps. See ibPreviousState (OID 3.1.1.1.2.9.0) and ibCurrentState (OID 3.1.1.1.2.10.0) on page 217 for the definition of each value. The description of the trap. This object is used in all types of traps. See ibTrapDesc (OID 3.1.1.1.2.11.0) on page 218 for the description, possible cause, and recommended actions for each Infoblox SNMP trap.
3.1.1.1.2.11.0
ibTrapDesc
Trap Severity (OID 3.1.1.1.2.2.0)

The object ibTrapSeverity defines the severity level for each Infoblox SNMP trap. There are five levels of severity. Value 1 2 3 4 Description Undetermined Informational: Event that requires no further action. Minor: Event that does not require user intervention. Major: Event that requires user intervention and assistance from Infoblox Technical Support. Critical: Problem that affects services and system operations, and requires assistance from Infoblox Technical Support.
214
NIOS 4.3r5
Infoblox MIBs
ibProbableCause Values (OID 3.1.1.1.2.4.0)

Table 6.4 lists the values that are associated with the object ibProbableCause (OID 3.1.1.1.2.4.0). These values
provide information about the events, such as software failures, that trigger traps.
Table 6.3 ibProbableCause Values

Value 0 1 2 3 4 5 6 7 11 12 13 15 16 17 18 19 20 23 24 25 26 27 28 29 30 31 32 33 34 OID 3.1.1.2.4.0 ibProbableCause ibClear ibUnknown ibPrimaryDiskFailure ibFanFailure-old ibPowerSupplyFailure ibDBFailure ibApacheSoftwareFailure ibSerialConsoleFailure ibControldSoftwareFailure ibUpgradeFailure ibSNMPDFailure ibSSHDSoftwareFailure ibNTPDSoftwareFailure ibClusterdSoftwareFailure ibLCDSoftwareFailure ibDHCPdSoftwareFailure ibNamedSoftwareFailure ibRadiusdSoftwareFailure ibNTLMSoftwareFailure ibNetBIOSDaemonFailure ibWindowBindDaemonFailure ibTFTPDSoftwareFailure ibQIPRemoteServerSoftwareFailure ibBackupSoftwareFailure ibBackupDatabaseSoftwareFailure ibBackupModuleSoftwareFailure ibBackupSizeSoftwareFailure ibBackupLockSoftwareFailure ibHTTPFileDistSoftwareFailure
NIOS 4.3r5
215
Value 35 36 37 38 39 40 41 42 43 44 46 47 48 3001 3002 3003 3004 3005 3006
OID 3.1.1.2.4.0 ibProbableCause ibOSPFSoftwareFailure ibAuthDHCPNamedSoftwareFailure ibFan1Failure ibFan2Failure ibFan3Failure ibFan1OK ibFan2OK ibFan3OK ibIPWCSoftwareFailure ibFTPDSoftwareFailure ibPowerSupplyOK ibWebUISoftwareFailure ibQIPRemoteServerStopped ibRAIDIsOptimal ibRAIDIsDegraded ibRAIDIsRebuilding ibRAIDStatusUnknown ibRAIDBatteryIsOK ibRAIDBatteryFailed
ibSubsystemName Values (OID 3.1.1.1.2.9.0)

Table 6.4 lists the values that are associated with the object ibSubsystemName (OID 3.1.1.1.2.9.0). These values
provide information about the subsystems that trigger the traps.
Table 6.4 ibSubsystemName Values

OID 3.1.1.1.2.9.0 ibSubsystemName Uses the original ibObjectName and ibSubsystemName when the trap is cleared. N/A N/A N/A N/A Db_jnld
Value 0 1 2 3 4 5
216
NIOS 4.3r5
Infoblox MIBs
Value 6 7 11 12 13 15 16 17 18 19 20 23 24 25 26 27 28 29 30 31 32 33 34 35
OID 3.1.1.1.2.9.0 ibSubsystemName httpd serial_console controld N/A Snmpd Sshd Ntpd Clusterd Lcd Dhcpd Named Radiusd NTLM Netbiosd Winbindd Tftpd QIP N/A N/A N/A N/A N/A HTTPd OSPF
ibPreviousState (OID 3.1.1.1.2.9.0) and ibCurrentState (OID 3.1.1.1.2.10.0)

The ibPreviousState object indicates the state of the appliance before the event triggered the trap. The ibCurrentState object indicates the current state of the appliance. Table 6.5 shows the message and description for each state.
Table 6.5 ibPreviousState and ibCurrentState Values

Value 1 2 3 Description ha-active ha-passive ha-initial Definition The HA pair is in ACTIVE state. The HA pair is in PASSIVE state. The HA pair is in INITIAL state.
NIOS 4.3r5
217
Value 4 5 6 7 8 9 10 11 12 13 14 15 16
Description grid-connected grid-disconnected enet-link-up enet-link-down replication-online replication-offline replication-snapshotting service-up service-down ha-replication-online ha-replication-offline ntp-syn-up ntp-syn-down
Definition The appliance is connected to the grid. The appliance is not connected to the grid. The ethernet port link is active. The ethernet port link is inactive. The replication is online. The replication is offline. The replication is snapshotting. The service is up. The service is down. The HA pair replication is online. The HA pair replication is offline. The NTP server is synchronizing. The NTP server is out of sync.
ibTrapDesc (OID 3.1.1.1.2.11.0)

The ibTrapDesc object lists the trap messages of all Infoblox SNMP traps. This section lists all the SNMP traps by their trap types. Each trap table describes the trap message, severity, cause, and recommended actions. Note: Contact Infoblox Technical Support for assistance when the recommended actions do not resolve the problems.
Equipment Failure Traps

ibTrapDesc OID 3.1.1.1.2.11.0 Primary Drive Full Primary drive is full. Fan Monitoring Fan <n> failure has occurred. Fan <n> is OK. Minor The specified fan failed. The fan number <n> can be 1, 2, or 3. The specified fan is functioning properly. The fan number <n> can be 1, 2, or 3. Inspect the specified fan for mechanical or electrical problems. No action is required. Major The primary disk drive reached 100% of usage. Review the syslog file to identify the possible cause of this problem. ibTrapServerity OID 3.1.1.1.2.2
Description/Cause
Recommended Actions
Informational
Power Supply Failure: monitored at 1 minute A power supply failure has occurred. Major The power supply failed. Inspect the power supply for the possible cause of the failure.
218
NIOS 4.3r5
Infoblox MIBs
ibTrapDesc OID 3.1.1.1.2.11.0
ibTrapServerity OID 3.1.1.1.2.2
Description/Cause
Recommended Actions
RAID monitoring, at 1 minute interval A RAID battery failure has occurred. The systems RAID battery is OK. Major The system RAID battery failed. The alert light is red. The system RAID battery is charging and functioning properly. The alert light changed from red to green. The appliance failed to retrieve the RAID array state. The alert light is red. The RAID system is functioning at an optimal state. The RAID system is degrading. The RAID system is rebuilding. Inspect the battery for the possible cause of the failure. No action is required.
Informational
Unable to retrieve RAID array state!
Undetermined
Review the syslog file to identify the possible cause of this problem.
The systems RAID array is now running in an optimal state. The systems RAID array is in a degraded state. The systems RAID array is rebuilding.
Informational
No action is required.
Major
Review the syslog file to identify the possible cause of this problem. No action is required.
Minor
Processing and Software Failure Traps

ibTrapDesc OID 3.1.1.1.2.11.0 Named Daemon Failure A named daemon monitoring failure has occurred. DHCP Daemon Failure A DHCP daemon monitoring failure has occurred. Critical The dhcpd process failed. Review the syslog file to identify the possible cause of this problem. Critical The named process failed. Review the syslog file to identify the possible cause of this problem. ibTrapServerity OID 3.1.1.1.2.2
Description/Cause
Recommended Actions
NIOS 4.3r5
219
Description/Cause
Recommended Actions
VitalQIP Remote Server Failure A VitalQIP remote server failure has occurred. Critical The qip-msgd or the qip-rmtd process failed. Review the syslog file to identify the possible cause of this problem.
VitalQIP Remote Server Stopped VitalQIP DNS manually stopped. Critical The VitalQIP DNS service was manually stopped. To start the DNS service, use the
start_service or restart_service
command in the VitalQIP chroot environment. VitalQIP DHCP manually stopped. Critical The VitalQIP DHCP service was manually stopped. To start the DHCP service, use the
start_service or restart_service
command in the VitalQIP chroot environment. VitalQIP DNS and DHCP manually stopped. SSH Daemon Failure An SSH daemon failure has occurred. Major The sshd process failed. Review the syslog file to identify the possible cause of this problem. Critical Both the VitalQIP DNS and DHCP services were manually stopped. To start the DNS and DHCP services, use the start_service command in the VitalQIP chroot environment.
NTP Daemon Failure, monitored every 10 minutes An NTP daemon failure has occurred. Cluster Daemon Failure A cluster daemon failure has occurred. LCD Daemon Failure An LCD daemon failure has occurred. Major The LCD process failed. The alert light is yellow. 1. Inspect the LCD panel for the possible cause of this problem. 2. Review the syslog file to identify the possible cause of this problem. Apache Software httpd failure, monitored every 2 minutes An Apache software failure has occurred. Serial Console Failure An Infoblox serial console software failure has occurred. Major The Infoblox serial console failed. Review the syslog file to identify the possible cause of this problem. Critical The request to monitor the Apache server failed. Review the syslog file to identify the possible cause of this problem. Critical The clusterd process failed. Review the syslog file to identify the possible cause of this problem. Major The ntpd process failed. Review the syslog file to identify the possible cause of this problem.
220
NIOS 4.3r5
Infoblox MIBs
Description/Cause
Recommended Actions
Controld Software Failure A controld failure has occurred. Critical The controld process failed. Review the syslog file to identify the possible cause of this problem.
SNMP Sub-agent Failure An SNMP server failure has occurred. TFTPD and FTPD Failure A TFTPD daemon failure has occurred. An FTPD daemon failure has occurred. Critical Critical The tftpd process failed. The ftpd process failed. Review the syslog file to identify the possible cause of this problem. Review the syslog file to identify the possible cause of this problem. Major The one-subagent process failed. Review the syslog file to identify the possible cause of this problem.
HTTP File Distribution, monitored at 10 second intervals An HTTP file distribution daemon failure has occurred. Critical The HTTP file distribution process failed. Review the syslog file to identify the possible cause of this problem.
auth_named Process Failure An auth named server failure has occurred. Critical The auth_named server failed. Review the syslog file to identify the possible cause of this problem.
IPWC Processes, monitored at 30 second intervals for IB-250 and 10 second intervals for other appliances An IPAM WinConnect server failure has occurred. Critical The IPWC (IPAM WinConnect) 6server failed. Review the syslog file to identify the possible cause of this problem.
DNS ONE quagga Processes (zebra & ospfd) An OSPF routing daemon failure has occurred. Critical Either the zebra process or the ospfd process failed. Review the syslog file to identify the possible cause of this problem.
NIOS 4.3r5
221
ibTrapDesc OID 3.1.1.1.2.11.0 radiusd Monitoring A RADIUS daemon monitoring failure has occurred. Backup Failure Backup failed.
Description/Cause
Recommended Actions
Critical
The radiusd process failed.
Not implemented.
The backup failed. One of the following could be the cause of the failure: The appliance could not access a backup directory. The IPAM WinConnect backup failed. The backup was interrupted by one of the following signals: SIGINT, SIGHUP, or SIGTERM. Incorrect login or connection failure in an FTP backup. The backup failed to create temporary files.
Database Backup Failure Database backup failed. Backup Module Failure Module backup failed. Not implemented. The backup of productspecific files failed. Review the syslog file to identify the possible cause of this problem. Not implemented. The db_dump process failed. Review the syslog file to identify the possible cause of this problem.
222
NIOS 4.3r5
Infoblox MIBs
Description/Cause
Recommended Actions
Backup File Size Exceeded File size exceeded the quota. Backup failed. Another backup is in progress. Backup will not be performed. Not implemented. The backup failed because the file size exceeded the limit of 5GB. The backup failed because of an attempt to back up or merge files while another backup or restore was in progress. Limit the size of the backup file to less than 5GB.
Not implemented.
Wait until the backup or restore is complete before starting another backup.
Watchdog Process Monitoring WATCHDOG: Critical
<registered client name> failed on <server IP address>
The watchdog process detected a registered client failure on a specific server. The <registered client name> could be one of the following: Clusterd timeout thread DB Sentinel run_server loop Process manager main loop Clusterd monitor Disk monitor
NIOS 4.3r5
223
Threshold Crossing Traps
Description/Cause
Recommended Actions
System Memory Usage System has run out of memory. Major The appliance ran out of memory. The appliance encountered this problem when one of the following occurred: The total free memory on the appliance was less than or equal to 0%. The total physical memory was less than the total free memory. The percentage of free memory compared to the total physical memory was less than 5%, and the free swap percentage was less than 80%. The percentage of free memory compared to the total physical memory was less than 5%, plus the numbers of both swap INs and swap OUTs were greater than or equal to 3,200. The percentage of free memory compared to the total physical memory was between 5% and 10%, the free swap percentage was greater than or equal to 80%, plus the numbers of both swap INs and swap OUTs were greater than or equal to 3,200. The percentage of free memory compared to the total physical memory was greater than 10%, the free swap percentage was less than 80%, plus the numbers of both swap INs and swap OUTs were greater than or equal to 3,200. Review the syslog file to identify the possible cause of this problem.
Note: Free memory = free physical RAM + free cache buffers. The high threshold for swap pages is 3,200.
224
NIOS 4.3r5
Infoblox MIBs
ibTrapDesc OID 3.1.1.1.2.11.0 System memory usage is over 90%.
ibTrapServerity OID 3.1.1.1.2.2 Minor
Description/Cause The memory usage on the appliance exceeded 90%. The appliance encountered this problem when one of the following occurred: The percentage of free memory compared to the total physical memory was less than 5%, and the free swap percentage was less than 90%. The percentage of free memory compared to the total physical memory was less than 5%, plus the number of swap INs was less than 3,200 and the number of swap OUTs was greater than or equal to 3,200. The percentage of free memory compared to the total physical memory was between 5% and 10%, and the free swap percentage was less than 80%. The percentage of free memory compared to the total physical memory was greater than 5%, plus the number of swap INs was less than 3,200 and the number of swap OUTs was greater than or equal to 3,200.
Recommended Actions Review the syslog file to identify the possible cause of this problem.
Note: Free memory = free physical RAM + free cache buffers. The high threshold for swap pages is 3,200.
System memory is OK.
Minor
The memory usage on the system is back to normal from the previous state.
NIOS 4.3r5
225
Description/Cause
Recommended Actions
Primary Hard Drive Usage (monitored every 30 seconds) System primary hard disk usage is over 90%. Minor The primary hard disk usage exceeded 90%. The alert light is yellow. The primary hard disk usage exceeded 95%. The alert light is red. The primary hard disk usage is 85% or lower. The alert light is green. Review the syslog file to identify the possible cause of this problem. Review the syslog file to identify the possible cause of this problem. No action is required.
Primary drive is full. Major
Primary drive usage is OK.
Minor
Replication Statistics Monitoring Grid queue replication problem. Not implemented. The system encountered this problem when all of the following conditions occurred: The node was online. The number of the replication queue being sent from the master column was greater than 0, or the number of the queue received was greater than 0. It was more than 10 minutes since the last replication queue was sent and monitored. Review the syslog file to identify the possible cause of this problem.
226
NIOS 4.3r5
Infoblox MIBs
Description/Cause
Recommended Actions
DHCP Range Threshold Crossing DHCP threshold crossed: Member: Not implemented. The system encountered this problem when one of the following conditions occurred: The address usage in the DHCP range was greater than the high watermark. The address usage in the DHCP range was less than the low watermark. Review the syslog file to identify the possible cause of this problem.
<DHCP server node VIP>

Network:
<network>/ <network view> Range: <DHCP range>/ <network view>

High Watermark:
<high watermark percentage> (95%

by default) Low Watermark:
<low watermark percentage> (0% by

default) Current Usage:
<current usage percentage>

Active Leases:
<number of active leases>

Available Leases:
<number of available leases>

Total Addresses:
<total addresses>
DHCP DDNS Updates Deferred DHCP DNS updates deferred: Retried at least once: <number of Not implemented. The DNS updates were deferred because of DDNS update errors. Review the syslog file to identify the possible cause of this problem.
retries>
Maximum number of deferred updates since start of problem episode (or restart): <max
number>
NIOS 4.3r5
227
Description/Cause
Recommended Actions
Database Capacity Usage Over 85% database capacity used. Database capacity used is OK. DNS Monitor DNS Monitor Major DNS security alert. There were actual DNS responses to {invalid ports | with invalid TXID} in the last minute, comprising percent% of all responses. Primary sources: ip_address sent count, ip_address sent count. where 1. Review the following: DNS alert status syslog file 2. Limit access or block connections from the primary sources. For information, see Minor The appliance database usage exceeded 85%. The appliance database usage is less than 85%. Increase the database capacity.
Minor
actual is the total number of

DNS responses arrive on invalid ports or have invalid TXIDs.
Configuring Rate Limiting Rules on page 201.
percent% is the percentage of invalid DNS responses over the total number of DNS responses. ip_address is the IP address of the primary source that generated the invalid DNS responses. count is the number of invalid responses generated by the specified IP address.
Example: DNS security alert. There were 1072 DNS responses to invalid ports in the last minute, comprising 92% of all responses. Primary sources: 10.0.0.0 sent 1058, 2.2.2.2 sent 14.
228
NIOS 4.3r5
Infoblox MIBs
Object State Change Traps
ibTrapDesc OID 3.1.1.1.2.11.0 Service Shutdown Shutting down services due to database snapshot.
Description/Cause
Recommended Actions
Not implemented.
The appliance is shutting down its services while synchronizing the database with the grid master. The appliance is shutting down its services while synchronizing the database with the grid master.
Shutting down services due to database snapshot.
Not implemented.
Network Interfaces Monitoring LAN port link is down. Please check the connection. HA port link is down. Please check the connection. MGMT port link is down. Please check the connection. LAN port link is up. HA port link is up. MGMT port link is up. Major The LAN port is up, but the link is down. The HA port is up, but the link is down. The MGMT port is enabled, but the link is down. The LAN port link is up and running. The HA port link is up and running. The MGMT port link is up and running. Check the LAN link connection.
Major
Check the HA link connection.
Major
Check the MGMT link connection.
Major Major Major
No action is required. No action is required. No action is required.
HA State Change from Initial to Active The node has become ACTIVE. Not implemented. A node in an HA pair becomes active. The HA pair starts up. No action is required.
HA State Change from Passive to Active The node has become ACTIVE. Not implemented. The node changed from a passive to an active node. No action is required.
HA State Change from Initial to Passive
NIOS 4.3r5
229
ibTrapDesc OID 3.1.1.1.2.11.0 The node has become PASSIVE.
ibTrapServerity OID 3.1.1.1.2.2 Not implemented.
Description/Cause A node in an HA pair becomes passive. The HA pair starts up, and the node is not a grid master candidate.
Recommended Actions No action is required.
Node Connected to Grid The grid member is connected to the grid master. Not implemented. The grid member joined the grid, and it is not a grid master candidate. No action is required.
Node Disconnected to Grid The grid member is not connected to the grid master. Not implemented. The grid member lost its connection to the grid master. No action is required.
Replication State Monitoring HA replication online. HA replication offline. Not implemented. Not implemented. The replication queue is online. The replication queue is offline. No action is required. No action is required.
NTP is out of sync, monitored every 30 seconds The NTP server is out of synchronization. Major The Infoblox NTP server and the external NTP server are not synchronized. Review the syslog file to identify the possible cause of this problem.
Replication State Monitoring Replication queue is offline. Not implemented. The replication queue is offline. No action is required.
Process Started and Stopped Traps

ibTrapDesc OID 3.1.1.1.2.11.0 Httpd Start The process started normally. Httpd Stop The process stopped normally. Informational The httpd process stopped. No action is required. Informational The httpd process started. No action is required. ibTrapServerity OID 3.1.1.1.2.2
Description/Cause
Recommended Actions
230
NIOS 4.3r5
Infoblox MIBs
ibPlatformOne MIB
The ibPlatformOne MIB provides information about the CPU temperature of the appliance, the replication status, the average latency of DNS requests, DNS security alerts, as well as the CPU and memory utilization of the appliance. Figure 6.4 illustrates the structure of the PlatformOne MIB. (Note that the OIDs in the illustration do not include the prefix .1.3.6.1.4.1.7779.) The ibPlatformOne MIB branches out into the following subtrees: ibCPUTemperature tracks the CPU temperature of the appliance. ibClusterReplicationStatusTable provides information in tabular format about the replication status of the appliance. See ibClusterReplicationStatusTable on page 233 for more information. ibNetworkMonitor provides information about the average latency of authoritative and nonauthoritative replies to DNS queries for different time intervals. It also provides information about invalid DNS responses that arrive on invalid ports or have invalid DNS transaction IDs. See ibNetwork Monitor on page 233 for more information. ibHardwareType provides information about the hardware platform. For an Infoblox appliance, it provides the model number of the Infoblox hardware platform. For virtual appliances, it identifies whether the hardware platform is a Riverbed or Cisco device. For Riverbed devices, it displays the model number as well. ibHardwareId provides the hardware iD of the NIOS appliance. ibSerialNumber provides the serial number of the Infoblox hardware platform. ibNiosVersion provides the version of the NIOS software. ibSystemMonitor provides information about the CPU and memory utilization of the appliance.
NIOS 4.3r5
231
Figure 6.4 PlatformOneMIB Structure

(3.1.1.2) ibPlatformOne MIB (3.1.1.2.1) ibPlatformOneModule (3.1.1.2.1.7) (3.1.1.2.1.3) (3.1.1.2.1.1) (3.1.1.2.1.5) ibNiosVersion ibNetworkMonitor ibCPUTemperature ibHardwareId (3.1.1.2.1.8) (3.1.1.2.1.6) (3.1.1.2.1.4) (3.1.1.2.1.2) ibSystemMonitor ibSerialNumber ibHardwareType ibClusterReplicationStatusTable (3.1.1.2.1.3.1) (3.1.1.2.1.8.1) ibNetworkMonitorDNS (3.1.1.2.1.2.1) ibSystemMonitorCpu ibClusterReplicationStatusEntry (3.1.1.2.1.3.1.1) (3.1.1.2.1.8.1.1) ibNetworkMonitorDNSActive ibSystemMonitorCpuUsage (3.1.1.2.1.2.1.1) ibNodeIPAddress (3.1.1.2.1.8.2) (3.1.1.2.1.3.1.2) ibSystemMonitorMem ibNetworkMonitorDNSNonAA (3.1.1.2.1.2.1.2) ibNodeReplicationStatus (3.1.1.2.1.8.2.1) (3.1.1.2.1.3.1.3) ibSystemMonitorMemUsage ibNetworkMonitorDNSAA (3.1.1.2.1.2.1.3) ibNodeQueueFromMaster (3.1.1.2.1.3.1.4) ibNetworkMonitorDNSSecurity (3.1.1.2.1.2.1.4) ibNodeLastRepTimeFromMaster (3.1.1.2.1.3.1.4.1) ibNetworkMonitorDNSSecurityInvalidPort (3.1.1.2.1.2.1.5) ibNodeQueueToMaster (3.1.1.2.1.2.1.6) ibNodeLastRepTimeToMaster (3.1.1.2.1.3.1.4.2) ibNetworkMonitorDNSSecurityInvalidTxid (3.1.1.2.1.3.1.4.3) ibNetworkMonitorDNSSecurityInvalidPortOnly (3.1.1.2.1.3.1.4.4) ibNetworkMonitorDNSSecurityInvalidTxidOnly (3.1.1.2.1.3.1.4.5) ibNetworkMonitorDNSSecurityInvalidTxidAndPort
232
NIOS 4.3r5
Infoblox MIBs
ibClusterReplicationStatusTable
This table provides information about the grid replication status.
Table 6.6 ibClusterReplicationStatusTable Objects

Object ibClusterReplicationStatusEntry ibNodeIPAddress ibNodeReplicationStatus ibNodeQueueFromMaster ibNodeLastRepTimeFromMaster ibNodeQueueToMaster ibNodeLastRepTimeToMaster Description A conceptual row that provides information about the grid replication status. IP address of a grid member Replication status of the grid member Sent queue size from master Last sent time from master Receive queue size from master Last receive time from master
ibNetwork Monitor
As shown in Figure 6.4, the ibNetwork Monitor has one subtree, ibNetworkMonitorDNS, that branches out into the following: ibNetworkMonitorDNSActive reports on whether DNS latency monitoring is enabled. This is the only object in this branch. When you send a query for this object, the appliance responds with either active or nonactive. ibNetworkMonitorDNSNonAA provides information about the average latency of nonauthoritative replies to DNS queries for 1-, 5-, 15-, and 60-minute intervals. ibNetworkMonitorDNSAA provides information about the average latency of authoritative replies to DNS queries for 1-, 5-, 15-, and 60-minute intervals. ibNetworkMonitorDNSSecurity provides information about the invalid DNS responses that arrive on invalid ports or have invalid DNS transaction IDs. ibNetworkMonitorDNSSecurity branches out into the following: ibNetworkMonitorDNSSecurityInvalidPort ibNetworkMonitorDNSSecurityInvalidTxid ibNetworkMonitorDNSSecurityInvalidPortOnly ibNetworkMonitorDNSSecurityInvalidTxidOnly ibNetworkMonitorDNSSecurityInvalidTxidAndPort For information, see Table 6.9 on page 237.
NIOS 4.3r5
233
Figure 6.5 ibNetworkMonitorDNSNonAA and ibNetworkMonitorDNSAA Subtrees

(3.1.1.2.1.3.1.2) ibNetworkMonitorDNSNonAA (3.1.1.2.1.3.1.2.1) ibNetworkMonitorDNSNonAAT1 (3.1.1.2.1.3.1.2.1.1) ibNetworkMonitorDNSNonAAT1AvgLatency (3.1.1.2.1.3.1.2.1.2) ibNetworkMonitorDNSNonAAT1Count (3.1.1.2.1.3.1.2.2) ibNetworkMonitorDNSNonAAT5 (3.1.1.2.1.3.1.2.2.1) ibNetworkMonitorDNSNonAAT5AvgLatency (3.1.1.2.1.3.1.2.2.2) ibNetworkMonitorDNSNonAAT5Count (3.1.1.2.1.3.1.2.3) ibNetworkMonitorDNSNonAAT15 (3.1.1.2.1.3.1.2.3.1) ibNetworkMonitorDNSNonAAT15AvgLatency (3.1.1.2.1.3.1.2.3.2) ibNetworkMonitorDNSNonAAT15Count (3.1.1.2.1.3.1.2.4) ibNetworkMonitorDNSNonAAT60 (3.1.1.2.1.3.1.2.4.1) ibNetworkMonitorDNSNonAAT60AvgLatency (3.1.1.2.1.3.1.2.4.2) ibNetworkMonitorDNSNonAAT60Count (3.1.1.2.1.3.1.2.5) ibNetworkMonitorDNSNonAAT1440 (3.1.1.2.1.3.1.2.5.1) ibNetworkMonitorDNSNonAAT1440AvgLatency (3.1.1.2.1.3.1.2.5.2) ibNetworkMonitorDNSNonAAT1440Count (3.1.1.2.1.3.1.3) ibNetworkMonitorDNSAA (3.1.1.2.1.3.1.3.1) ibNetworkMonitorDNSAAT1 (3.1.1.2.1.3.1.3.1.1) ibNetworkMonitorDNSAAT1AvgLatency (3.1.1.2.1.3.1.3.1.2) ibNetworkMonitorDNSAAT1Count (3.1.1.2.1.3.1.3.2) ibNetworkMonitorDNSNonAAT5 (3.1.1.2.1.3.1.3.2.1) ibNetworkMonitorDNSAAT5AvgLatency (3.1.1.2.1.3.1.3.2.2) ibNetworkMonitorDNSAAT5Count (3.1.1.2.1.3.1.3.3) ibNetworkMonitorDNSAAT15 (3.1.1.2.1.3.1.3.3.1) ibNetworkMonitorDNSAAT15AvgLatency (3.1.1.2.1.3.1.3.3.2) ibNetworkMonitorDNSAAT15Count (3.1.1.2.1.3.1.3.4) ibNetworkMonitorDNSAAT60 (3.1.1.2.1.3.1.3.4.1) ibNetworkMonitorDNSAAT60AvgLatency (3.1.1.2.1.3.1.3.4.2) ibNetworkMonitorDNSAAT60Count (3.1.1.2.1.3.1.3.5) ibNetworkMonitorDNSAAT1440 (3.1.1.2.1.3.1.3.5.1) ibNetworkMonitorDNSAAT1440AvgLatency (3.1.1.2.1.3.1.3.5.2) ibNetworkMonitorDNSAAT1440Count
234
NIOS 4.3r5
Infoblox MIBs
Table 6.7 describes the objects in ibNetworkMonitorDNSNonAA. You can send queries to retrieve values for these
objects.
Table 6.7 ibNetworkMonitorDNSNonAA Objects

Object ibNetworkMonitorDNSNonAAT1 ibNetworkMonitorDNSNonAAT1AvgLatency ibNetworkMonitorDNSNonAAT1Count ibNetworkMonitorDNSNonAAT5 Description File that contains the objects for monitoring the average latency of nonauthoritative replies to queries during the last minute. Indicates the average latency in microseconds of nonauthoritative replies to queries during the last minute. Indicates the number of queries used to calculate the average latency of nonauthoritative replies during the last minute. File that contains the objects for monitoring the average latency of nonauthoritative replies to queries during the last five minutes. Indicates the average latency in microseconds of nonauthoritative replies to queries during the last five minutes. Indicates the number of queries used to calculate the average latency of nonauthoritative replies during the last five minutes. File that contains the objects for monitoring the average latency of nonauthoritative replies to queries during the last 15 minutes. Indicates the average latency in microseconds of nonauthoritative replies to queries during the last 15 minutes. Indicates the number of queries used to calculate the average latency of nonauthoritative replies during the last 15 minutes. File that contains the objects for monitoring the average latency of nonauthoritative replies to queries during the last 60 minutes. Indicates the average latency in microseconds of nonauthoritative replies to queries during the last 60 minutes. Indicates the number of queries used to calculate the average latency of nonauthoritative replies during the last 60 minutes. File that contains the objects for monitoring the average latency of nonauthoritative replies to queries during the last 1440 minutes. Indicates the average latency in microseconds of nonauthoritative replies to queries during the last 1440 minutes. Indicates the number of queries used to calculate the average latency of nonauthoritative replies during the last 1440 minutes.
ibNetworkMonitorDNSNonAAT5AvgLatency ibNetworkMonitorDNSNonAAT5Count ibNetworkMonitorDNSNonAAT15 ibNetworkMonitorDNSNonAAT15AvgLatency ibNetworkMonitorDNSNonAAT15Count ibNetworkMonitorDNSNonAAT60 ibNetworkMonitorDNSNonAAT60AvgLatency ibNetworkMonitorDNSNonAAT60Count ibNetworkMonitorDNSNonAAT1440
ibNetworkMonitorDNSNonAAT1440AvgLatency ibNetworkMonitorDNSNonAAT1440Count
NIOS 4.3r5
235
Table 6.8 describes the objects in ibNetworkMonitorDNSAA. You can send queries to retrieve values for these
objects.
Table 6.8 ibNetworkMonitorDNSAA Objects

Object ibNetworkMonitorDNSAAT1 ibNetworkMonitorDNSAAT1AvgLatency ibNetworkMonitorDNSAAT1Count ibNetworkMonitorDNSAAT5 ibNetworkMonitorDNSAAT5AvgLatency ibNetworkMonitorDNSAAT5Count ibNetworkMonitorDNSAAT15 ibNetworkMonitorDNSAAT15AvgLatency ibNetworkMonitorDNSAAT15Count ibNetworkMonitorDNSAAT60 ibNetworkMonitorDNSAAT60AvgLatency ibNetworkMonitorDNSAAT60Count ibNetworkMonitorDNSAAT1440 ibNetworkMonitorDNSAAT1440AvgLatency ibNetworkMonitorDNSAAT1440Count Description File that contains the objects for monitoring the average latency of authoritative replies to queries during the last minute. Indicates the average latency in microseconds of authoritative replies to queries during the last minute. Indicates the number of queries used to calculate the average latency of authoritative replies during the last minute. File that contains the objects for monitoring the average latency of authoritative replies to queries during the last five minutes. Indicates the average latency in microseconds of authoritative replies to queries during the last five minutes. Indicates the number of queries used to calculate the average latency of authoritative replies during the last five minutes. File that contains the objects for monitoring the average latency of authoritative replies to queries during the last 15 minutes. Indicates the average latency in microseconds of authoritative replies to queries during the last 15 minutes. Indicates the number of queries used to calculate the average latency of authoritative replies during the last 15 minutes. File that contains the objects for monitoring the average latency of authoritative replies to queries during the last 60 minutes. Indicates the average latency in microseconds of authoritative replies to queries during the last 60 minutes. Indicates the number of queries used to calculate the average latency of authoritative replies during the last 60 minutes. File that contains the objects for monitoring the average latency of authoritative replies to queries during the last 1440 minutes. Indicates the average latency in microseconds of authoritative replies to queries during the last 1440 minutes. Indicates the number of queries used to calculate the average latency of authoritative replies during the last 1440 minutes.
236
NIOS 4.3r5
Infoblox MIBs
Table 6.9 describes the objects in ibNetworkMonitorDNSSecurity. You receive SNMP traps with these objects when
you enable the following: SNMP traps DNS network monitoring DNS alert monitoring
Table 6.9 ibNetworkMonitorDNSSecurity Objects

Object ibNetworkMonitorDNSSecurityInvalidPort Description Tracks the number of invalid DNS responses that arrive on invalid ports. For information about invalid ports, see Monitoring DNS Transactions on page 197. This object contains a subtree with six objects that track invalid ports within a certain time interval. For information, see Table 6.10. ibNetworkMonitorDNSSecurityInvalidTxid Tracks the number of invalid TXIDs (DNS transaction IDs). For information about invalid TXIDs, see Monitoring DNS Transactions on page 197. This object contains a subtree with six objects that track invalid TXIDs within a certain time interval. For information, see Table 6.11. ibNetworkMonitorDNSSecurityInvalidPortOnly Tracks the number of DNS responses with both of the following conditions: ibNetworkMonitorDNSSecurityInvalidTxidOnly Arrive on invalid ports Have valid TXIDs
Tracks the number of DNS responses with both of the following conditions: Arrive on valid ports Have Invalid TXIDs
ibNetworkMonitorDNSSecurityInvalidTxidAndPort
Tracks the number of DNS responses with both of the following conditions: Arrive on invalid ports Have invalid TXIDs
NIOS 4.3r5
237
Table 6.10 describes the objects in ibNetworkMonitorDNSSecurityInvalidPort. Table 6.10 ibNetworkMonitorDNSSecurityInvalidPort Objects
Object ibNetworkMonitorDNSSecurityInvalidPort1 ibNetworkMonitorDNSSecurityInvalidPort5 ibNetworkMonitorDNSSecurityInvalidPort15 ibNetworkMonitorDNSSecurityInvalidPort60 ibNetworkMonitorDNSSecurityInvalidPort1440 ibNetworkMonitorDNSSecurityInvalidPortCount Description Tracks the number of invalid DNS responses that arrive on invalid ports in the last one minute. Tracks the number of invalid DNS responses that arrive on invalid ports in the last five minutes. Tracks the number of invalid DNS responses that arrive on invalid ports in the last 15minutes. Tracks the number of invalid DNS responses that arrive on invalid ports in the last 60 minutes. Tracks the number of invalid DNS responses that arrive on invalid ports in the last 24 hours. Tracks the total number of invalid DNS responses that arrive on invalid ports.
Table 6.11 describes the objects in ibNetworkMonitorDNSSecurityInvalidTxid. Table 6.11 ibNetworkMonitorDNSSecurityInvalidTxidObjects

Object ibNetworkMonitorDNSSecurityInvalidTxid1 ibNetworkMonitorDNSSecurityInvalidTxid5 ibNetworkMonitorDNSSecurityInvalidTxid15 ibNetworkMonitorDNSSecurityInvalidTxid60 ibNetworkMonitorDNSSecurityInvalidTxid1440 ibNetworkMonitorDNSSecurityInvalidTxidCount Description Tracks the number of DNS responses that have invalid DNS transaction IDs in the last one minute. Tracks the number of DNS responses that have invalid DNS transaction IDs in the last five minutes. Tracks the number of DNS responses that have invalid DNS transaction IDs in the last 15 minutes. Tracks the number of DNS responses that have invalid DNS transaction IDs in the last 60 minutes. Tracks the number of DNS responses that have invalid DNS transaction IDs in the last 24 hours. Tracks the total number of DNS responses that have invalid DNS transaction IDs.
ibSystemMonitor
As shown in Figure 6.4, the ibSystemMonitor object has the following subtrees: ibSystemMonitorCpu: Contains ibSystemMonitorCpuUsage that reports the CPU usage of the appliance. ibSystemMonitorMem: Contains ibSystemMonitorMemUsage that reports the memory usage of the appliance.
238
NIOS 4.3r5
Infoblox MIBs
ibDHCPOne MIB
The ibDHCPOne MIB provides information about address usage within a subnet, DHCP lease statistics, and DHCP packet counts. Figure 6.6 illustrates the structure of the ibDHCPOne MIB. (Note that the OIDs shown in the illustration do not include the prefix .1.3.6.1.4.1.7779.) It has three subtrees: ibDHCPSubnetTable, ibDHCPLeaseTable, and ibDHCP Statistics.
Figure 6.6 DHCPone MIB

(3.1.1.4) ibDHCPOne MIB (3.1.1.4.1) ibDHCPModule (3.1.1.4.1.1) ibDHCPSubnetTable (3.1.1.4.1.1.1) ibDHCPSubnetEntry (3.1.1.4.1.1.1.1) ibDHCPSubnetNetworkAddress (3.1.1.4.1.1.1.2) ibDHCPSubnetNetworkMask (3.1.1.4.1.1.1.3) ibDHCPSubnetPercentUsed (3.1.1.4.1.2) ibDHCPLeaseTable (3.1.1.4.1.2.1) ibDHCPLeaseEntry (3.1.1.4.1.2.1.1) ibDHCPLeaseAddress (3.1.1.4.1.2.1.2) ibDHCPLeaseMACAddress (3.1.1.4.1.2.1.3) ibDHCPLeaseStart (3.1.1.4.1.2.1.4) ibDHCPLeaseEnd (3.1.1.4.1.2.1.5) ibDHCPLeaseBindState (3.1.1.4.1.2.1.6) ibDHCPLeaseNextBindState (3.1.1.4.1.2.1.7) ibDHCPLeaseClientHostName (3.1.1.4.1.2.1.8) ibDHCPLeaseUID (3.1.1.4.1.3) ibDHCPStatistics (3.1.1.4.1.3.1) ibDhcpTotalNoOfDiscovers (3.1.1.4.1.3.2) ibDhcpTotalNoOfRequests (3.1.1.4.1.3.3) ibDhcpTotalNoOfReleases (3.1.1.4.1.3.4) ibDhcpTotalNoOfOffers (3.1.1.4.1.3.5) ibDhcpTotalNoOfAcks (3.1.1.4.1.3.6) ibDhcpTotalNoOfNacks (3.1.1.4.1.3.7) ibDhcpTotalNoOfDeclines (3.1.1.4.1.3.8) ibDhcpTotalNoOfInforms (3.1.1.4.1.3.9) ibDhcpTotalNoOthers
NIOS 4.3r5
239
The ibDHCPSubnetTable provides statistical data about the DHCP operations of the appliance. It contains the following objects:
Table 6.12 ibDHCPSubnetTable

Object ibDHCPSubnet Entry ibDHCPSubnetNetworkAddress ibDHCPSubnetNetworkMask ibDHCPSubnetPercentUsed Description File that contains the objects for monitoring DHCP operations on the appliance. The subnetworks, in IP address format, that have IP addresses for lease. A subnetwork may have many address ranges for lease. The subnet mask in dotted decimal format. The percentage of dynamic DHCP addresses leased out at this time for each subnet. Fixed addresses are always counted as leased for this calculation, if the fixed addresses are within a leased address range.
Following is an example of the table as viewed through a MIB browser:
Figure 6.7 MIB Browser View 1
The ibDHCPLeaseTable provides statistics about the DHCP leases. It contains the following objects:
Table 6.13 ibDHCPLeaseTable

Object ibDHCPLeaseEntry ibDHCPLeaseAddress ibDHCPLeaseMACAddress ibDHCPLeaseStart ibDHCPLeaseEnd ibDHCPLeaseBindState Description File that contains the objects that provide information about DHCP leases. The IP address issued by DHCP. The MAC Address of the DHCP client. The start time of the DHCP lease. The end time of the DHCP lease. The IP address binding state of the DHCP lease. The binding state is used by the DHCP failover protocol and indicates, among other things, whether an IP address is in use, has been released, or is available for allocation. Next Binding state of DHCP lease.
ibDHCPLeaseNextBindState
240
NIOS 4.3r5
Infoblox MIBs
Object ibDHCPLeaseClientHostName ibDHCPLeaseUID
Description Client provided host name during DHCP registration. Client provided UID during DHCP registration. (The UID is a number that uniquely identifies the client machine.)
ibDHCP Statistics maintains counters for different types of packets. The counters always start with zero when you enable DHCP. Therefore the numbers reflect the total number of packets received since DHCP was enabled on the NIOS appliance. The ibDHCPStatistics module contains the following objects:
Table 6.14 ibDHCPStatistics

Object ibDhcpTotalNoOfDiscovers Description The number of DHCPDISCOVER messages that the appliance received. Clients broadcast DHCPDISCOVER messages when they need an IP address and network configuration information. The number of DHCPREQUEST messages that the appliance received. A client sends a DHCPREQUEST message requesting configuration information, after it receives the DHCPOFFER message. The number of DHCPRELEASE messages that the appliance received from its clients. A client sends a DHCP release when it terminates its lease on an IP address. The number of DHCPOFFER messages that the appliance has sent to clients. The appliance sends a DHCPOFFER message to a client. It contains an IP address and configuration information. The number of DHCPACK messages that the appliance sent to clients. It sends a DHCPACK message to a client to confirm that the IP address offered is still available. The number of DHCPNACK messages that the appliance sent to clients. It sends a DHCPNACK message to withdraw its offer of an IP address. The number of DHCPDECLINE messages that the appliance received. A client sends a DHCPDECLINE message if it determines that an offered IP address is already in use. The number of DHCPINFORM messages that the appliance received. A client sends a DHCPINFORM message when it has an IP address but needs information about the network. The total number of DHCP messages other than those used in negotiation, such as DHCPFORCERENEW, DHCPKNOWN, and DHCPLEASEQUERY.
ibDhcpTotalNoOfRequests
ibDhcpTotalNoOfReleases
ibDhcpTotalNoOfOffers
ibDhcpTotalNoOfAcks
ibDhcpTotalNoOfNacks ibDhcpTotalNoOfDeclines
ibDhcpTotalNoOfInforms
ibDhcpTotalNoOfOthers
NIOS 4.3r5
241
ibDNSOne MIB
The ibDNSOne MIB provides statistical information about the DNS processes and about the views and zones in the database. Figure 6.7 illustrates the structure of the ibDNSOne MIB. (Note that the OIDs shown in the illustration do not include the prefix 1.3.6.1.4.1.7779.) The ibDNSOne MIB contains two subtrees, ibZoneStatisticsTable and the ibZonePlusViewStatisticsTable.
Figure 6.8 ibDNSOne MIB

(3.1.1.3) ibDNSOne MIB (3.1.1.3.1) ibDnsModule (3.1.1.3.1.1) ibZoneStatisticsTable (3.1.1.3.1.1.1) ibZoneStatisticsEntry (3.1.1.3.1.1.1.1) ibBindZoneName (3.1.1.3.1.1.1.2) ibBindZoneSuccess (3.1.1.3.1.1.1.3) ibBindZoneReferral (3.1.1.3.1.1.1.4) ibBindZoneNxRRset (3.1.1.3.1.1.1.5) ibBindZoneNxDomain (3.1.1.3.1.1.1.6) ibBindZoneRecursion (3.1.1.3.1.1.1.7) ibBindZoneFailure (3.1.1.3.1.2) ibZonePlusViewStatisticsTable (3.1.1.3.1.2.1) ibZonePlusViewStatisticsEntry (3.1.1.3.1.2.1.1) ibZonePlusViewName (3.1.1.3.1.2.1.2) ibZonePlusViewSuccess (3.1.1.3.1.2.1.3) ibZonePlusViewReferral (3.1.1.3.1.2.1.4) ibZonePlusViewNxRRset (3.1.1.3.1.2.1.5) ibZonePlusViewNxDomain (3.1.1.3.1.2.1.6) ibZonePlusViewRecursion (3.1.1.4.1.2.1.7) ibZonePlusViewFailure (3.1.1.4.1.2.1.8) ibBindViewName
The ibZoneStatisticsTable provides statistical data about the DNS operations on the appliance. The syntax of these objects uses a Counter64 format. In some cases, the counter format may not be compatible with SNMP toolkits that use a 32-bit counter. Ensure that you reconfigure or update these tools to use the Counter64 format. The following table lists the objects and descriptions:
Table 6.15 ibZoneStatisticsTable

Object ibBindZoneName ibBindZoneSuccess ibBindZoneReferral ibBindZoneNxRRset Description DNS Zone name. The number of successful responses since the DNS process started. The number of DNS referrals since the DNS process started. The number of DNS queries received for non-existent records.
242
NIOS 4.3r5
Infoblox MIBs
Object ibBindZoneNxDomain ibBindZoneRecursion ibBindZoneFailure
Description The number of DNS queries received for non-existent domains. The number of queries received using recursion since the DNS process started. The number of failed queries since the DNS process started.
The ibZonePlusViewStatisticsTable provides statistical data about DNS views and their zones. The following table lists the objects and their OIDS:
Table 6.16 ibZonePlusViewStatisticsTable

Object ibZonePlusViewName ibZonePlusViewSuccess ibZonePlusViewReferral ibZonePlusViewNxRRset ibZonePlusViewNxDomain ibZonePlusViewRecursion ibZonePlusViewFailure ibBindViewName Description The zone name. The first one in the default view is the global summary statistics. Index name for global statistics is summary. Number of successful responses since the DNS process started. Number of DNS referrals Number of DNS queries received for non-existent records. Number of DNS queries received for non-existent domains. Number of DNS recursive queries received Number of failed queries View name. This is blank for default view
Following is an example of the table as viewed through a MIB browser:
Figure 6.9 MIB Browser View 2
NIOS 4.3r5
243
ibIPWC MIB
The ibIPWC MIB defines the objects in the WinConnect MIB module as well as the types of traps that an IPAM WinConnect server sends. If you use the Infoblox IPAM WinConnect service, you must download the ibIPWC MIB. (For information about IPAM WinConnect, see Chapter 22, IPAM WinConnect, on page 711.) Figure 6.10 illustrates the structure of the IPWC MiB. The OIDs in the illustration do not include the prefix 1.3.6.4.1.25558. where 25558 is the IANA-assigned enterprise number for Ipanto. (Note that Ipanto is the former name of WinConnect.) The ibIPWC MIB branches out into two subtrees: ssp: The ssp tree contains objects that provide information about the WinConnect server and its client. ssp branches out into two subtrees, sipd and aipd. See tables 6.18 to 6.23 for information about the objects and their definitions in the sipd and aipd trees. traps: The traps tree provides information about the SNMP traps that the IPAM WinConnect server sends. See Table 6.23 for a list of traps that the WinConnect server generates.
Figure 6.10 ibIPWC MIB structure

ibIPWC MIB ipanto (1) ssp (1.1) sipd (1.1.1) process (1.1.1.1) port (1.1.1.2) sslPort (1.1.1.3) uid (1.1.1.4) suid (1.1.2) license (1.1.2.1) date (1.1.2.2) hostcount (1.1.3) client (1.1.3.1) ipSrc (1.1.3.2) user (1.1.3.3) agent (1.1.4) db (1.1.5) error (1.1.6) job (1.1.7) backup (1.2) aipd (1.2.1) type (1.2.2) name (2) traps See Table 6.24 for details of the traps and descriptions.
See Table 6.21 for details of the agent tree.
See Tables 6.22 and 6.23 for details of the db tree and its subtrees.
244
NIOS 4.3r5
Infoblox MIBs
The sipd tree contains objects that provide information about the WinConnect server and its client. Table 6.17 lists the objects and their descriptions in the sipd tree.
Table 6.17 sipd

Object process Description Contains objects that provide information about the WinConnect server process. This subtree contains four objects: license port: The server port of the WinConnect server. sslPort: The SSL port of the WinConnect server. uid: The WinConnect server process ID. suid: The unique ID of the WinConnect server.
Contains objects that provide licensing information about the WinConnect server. This subtree contains two objects: date: DEPRECATED. hostCount: The number of licensed hosts.
client db error
Contains objects that provide information about the WinConnect client. See Table 6.19 for details. Contains objects that provide information about the WinConnect database. See Table 6.21 for details. Contains objects that provide information about the error messages that the WinConnect server generates. This subtree contains two objects: description: The error description. code: The error code. name: The scheduled job name. date: The date of the last WinConnect server backup.
job backup
Contains one object: Contains one object:
The aipd tree contains information about objects that provide information about the WinConnect connector. Table 6.18 lists the objects and their descriptions in the aipd tree.
Table 6.18 aipd

Object type name Description The WinConnect connector type. The WinConnect connector name.
NIOS 4.3r5
245
The client tree under sipd contains objects that provide information about the WinConnect client. Table 6.19 lists the objects and their descriptions in the client tree.
Table 6.19 client

Object ipSrc user Description The IP address of the client server. Contains two objects: agent name: The WinConnect user name. sessionType: The user session type.
Contains objects that provide information about the WinConnect connector. See Table 6.20 for details.
The agent tree under client contains objects that provide information about the WinConnect connector. Table 6.20 lists the objects and their descriptions in the agent tree.
Table 6.20 agent

Object type name service Description The WinConnect connector type. The WinConnect connector name. Contains three objects: type: The managed service type. name: The managed service name. access: The managed service access.
The db tree under sipd contains objects that provide information about the WinConnect database. Table 6.21 lists the objects and their descriptions in the db tree.
Table 6.21 db
Object organization dhcp dns Description The organization that owns the object in the WinConnect database. Contains objects that provide information about the IP addresses in the database. See Table 6.22 for details. Contains one object: subnet zone: The DNS zone. Contains one object: name: The zone name in the WinConnect database. Contains three objects: clockskew address: The subnet address. mask: The subnet mask. rate: The occupation rate of the subnet.
DEPRECATED.
246
NIOS 4.3r5
Infoblox MIBs
The dhcp tree under db contains objects that provide information about the IP addresses in the WinConnect database. Table 6.22 lists the objects and their descriptions in the dhcp tree.
Table 6.22 dhcp

Object host Description Contains two objects: pool activeCount: The number of active hosts in the WinConnect database. totalCount: The total number of hosts in the WinConnect database. start: The start IP address of the address pool. end: The end IP address of the address pool. rate: The occupation rate of the address pool.
Contains three objects:
The WinConnect server generates traps to notify the SNMP monitoring device of events. Table 6.23 lists the types of traps that the WinConnect server sends.
Table 6.23 traps

Object start stop licenseInvalid licenseDateExpired licenseDateWarning licenseHostExceeded licenseHostWarning clockSkewWarning clockSkewExceeded clockSkewError dbIntegrityError userlogin userlogout userAuthFailed agentLogin agentAuthFailed userAuthFailureExceeded synchroStartMaster synchroStartSlave Description WinConnect is ready to reply to client requests. WinConnect cannot accept client requests or connections. DEPRECATED. DEPRECATED. DEPRECATED. The maximum number of host licenses has been reached. 90% of the host licenses have been assigned. DEPRECATED. WinConnect detected a clock skew error. DEPRECATED. WinConnect detected that the database is corrupted, or WinConnect cannot determine the integrity of the database. A user started a session. A user ended a session. WinConnect failed to authenticate the user. The WinConnect connector connected to WinConnect. The WinConnect connector failed to connect to WinConnect. The maximum number of user authentication has been reached. DEPRECATED. DEPRECATED.
NIOS 4.3r5
247
Object sychroSuccess synchroFailed serviceStarted serviceStopped controlStart controlStop controlRestart controlReload unreachable poolCapacityWarning poolCapacityFull subnetCapacityWarning subnetCapacityFull jobErrorGeneration jobWarningGeneration jobErrorExecution discoverWarning restoreError restoreSuccess backupError backupSuccess cwServerSynchro applySubnetTemplateSuccess applySubnetTemplateFailure
Description DEPRECATED. DEPRECATED. The WinConnect connector informed WinConnect that the current service status is running. The WinConnect connector informed WinConnect that the current service status is stopped. A user requested to start a specific service. A user requested to stop a specific service. A user requested to restart a specific service. A user requested to reload a DNS zone. WinConnect could not contact the WinConnect connector. Over 90% of the IP addresses in the address pool have been assigned. 100% of the IP addresses in the address pool have been assigned. Over 90% of the subnet has been assigned. 100% of the subnet has been assigned. The command for a scheduled job failed and generated an error. Check the logs on the WinConnect server for the error. A scheduled job completed with warning. Check the logs on the WinConnect server for the warning. A scheduled job execution failed. The command for network discovery completed with a warning. Check the logs on the WinConnect server for the warning. The restore process completed with errors. Check the logs on the WinConnect server for the errors. The restore process completed successfully. The backup process completed with errors. Check the logs on the WinConnect server for the errors. The backup process completed successfully. The synchronization process with the CiscoWorks server is starting. WinConnect successfully applied the subnet template. WinConnect failed to apply the subnet template.
248
NIOS 4.3r5
Configuring SNMP
Configuring SNMP
Perform the following tasks to configure SNMP on the NIOS appliance: Enable the NIOS appliance to accept queries and define the community string that management systems must specify when they send queries to the appliance. Specify the management systems to which the appliance sends traps.
For a grid, you can perform these tasks at the grid level and at the member level. You can define SNMP settings for an entire grid, and when necessary, define different SNMP settings for a member. SNMP settings for a member override SNMP settings for a grid. You can also set up SNMP on an independent appliance or HA pair.
Accepting SNMP Queries

You can allow specific management systems to send queries to a NIOS appliance. When you do, you must specify a community string. The appliance accepts queries only from management systems that provide the correct community string. To configure a grid or an independent NIOS appliance or HA pair to accept SNMP queries: 1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties. or From the Device perspective, click Device -> host_name -> Edit -> Device Properties. 2. In the Grid or Device editor, click Monitoring, and then enter the following: Enable queries: Select this check box for grid members or an independent appliance or HA pair to accept queries from SNMP management systems. Community String: Enter a text string that the management system must send together with its queries to the grid or the independent appliance or HA pair. A community string is similar to a password in that the appliance accepts queries only from management systems that send the correct community string. Note that this community string must match exactly what you enter in the management system. 3. Click the Save icon to save your settings.
Setting System Information

You can enter values for the following managed objects in MIB-II, the standard MIB defined in RFC 1213: sysContact sysLocation sysName sysDescr
After you enter these values on the appliance, administrators can send queries for these values from management systems that are allowed to send queries to the appliance. To enter system information: 1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties. or From the Device perspective, click Device -> host_name -> Edit -> Device Properties. 2. In the Grid or Device editor, click Monitoring, and then enter the following: Set objects: Select check box. sysContact: Enter the name of the contact person for the appliance. sysLocation: Enter the physical location of the appliance.
NIOS 4.3r5
249
sysName: Enter the fully qualified domain name of the appliance. sysDescr: Enter useful information about the appliance, such as the software version it is running. 3. Click the Save icon to save your settings.
Adding SNMP Trap Receivers

You can enable a NIOS appliance to send traps to specific management systems or trap receivers. It sends traps whenever certain events occur, as described in ibTrap MIB on page 208. To configure an SNMP trap receiver for a grid or an independent appliance or HA pair: 1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties. or From the Device perspective, click Device -> host_name -> Edit -> Device Properties. 2. In the Grid or Device editor, click Monitoring, and then enter the following: Enable traps: Select the check box to enable grid members or an independent appliance or HA pair to send traps to specified SNMP management systems. Community String: Enter a text string that the NIOS appliance sends to the management system together with its traps. Note that this community string must match exactly what you enter in the management system. Trap Receiver Group: Type an address of an SNMP management system to which you want the SNMP agent on grid members and independent appliances to send traps in the IP Address field, and then click Add. (You can enter more than one trap receiver.) To remove an IP address from the list, select the address, and then click Delete. 3. Click the Save icon to save your settings.
Configuring SNMP for a Grid Member

You can override grid-level SNMP settings for individual members. To modify the SNMP settings for a grid member: 1. From the Grid perspective, click + (for grid) -> + (for Members) -> member -> Edit -> Member Properties. 2. In the Grid Member editor, click Monitoring, and then enter the following: Override grid SNMP settings: Select the check box to override grid-level SNMP settings and apply member-level settings. Enable queries: Select the check box for the member to accept queries from SNMP management systems. Clear the check box to disable the member from accepting SNMP queries. Community String: Type a community stringwhich is very much like a passwordthat SNMP management systems must send when querying the member.
Enable traps: Select the check box to enable the grid member to send traps to specified SNMP management systems. Clear the check box to disable the member from sending SNMP traps. Community String: Type a community stringwhich is very much like a passwordthat the grid member must include when sending traps to the specified SNMP management systems. Trap Receiver Group: Type the IP address of an SNMP management system to which you want the grid member to send traps in the IP Address field, and then click Add. To remove an IP address from the list, select the address, and then click Delete. sysContact: Enter the name of the contact person for the appliance. sysLocation: Enter the physical location of the appliance. sysName: Enter the fully qualified domain name of the appliance. sysDescr: Enter useful information about the appliance, such as the software version it is running.
Set objects: Select this check box.
3. Click the Save icon to save your settings.
250
NIOS 4.3r5
Chapter 7 Changing Software and Merging Files

You can perform software upgrades and downgrades for your NIOS appliance. You can also merge data files from previous versions of the DNSone module to a NIOS appliance running DNSone 3.2 or later. This chapter explains how to perform these procedures:
Upgrading NIOS Software on page 252 Downgrading Software on page 252 Reverting to the Previously Running Software Version on page 252 Backing Up and Restoring a Configuration File on page 253 Backing Up Files on page 253 Automatically Backing Up a Data File on page 254 Downloading a Backup File on page 255 Restoring a Configuration File on page 257 Loading a Configuration File on a Different Appliance on page 258 Downloading a Support Bundle on page 259
NIOS 4.3r5
251
Changing Software and Merging Files
Upgrading NIOS Software

Infoblox frequently releases updated NIOS software. Contact Infoblox Support to learn what file name to use when downloading the new upgrade file, or watch your e-mail for periodic notifications that a new software upgrade is available. To get the latest upgrades, your local network must be capable of downloading a file from the Internet. To upgrade an independent appliance or HA pair, see Upgrading Software on an Independent Appliance or HA Pair on page 297. To upgrade a grid, see Upgrading NIOS Software on a Grid on page 341.
Downgrading Software
Each Infoblox appliance model has a minimum required release of Infoblox software. Before downgrading an appliance, refer to the document, Minimum Required Release Software for Hardware Platforms, that was shipped with your product. The downgrade procedure is for single independent appliances only. Infoblox does not support software downgrades for grid members, but you can revert to the last grid upgrade file (see the next section) on a grid master. Caution: Although the downgrade process preserves license information and basic network settings, it does not preserve data. After you complete the downgrade procedure, all data in the database is lost. To downgrade software on a single independent appliance running NIOS 4.0 or later: 1. For an appliance running DNSone with Grid: From the Grid perspective, click Grid -> Downgrade. or For an appliance running DNSone: From the Device perspective, click Device -> Downgrade. 2. Read the warning carefully, and then click OK to confirm your decision to downgrade. 3. Navigate to the downgrade image file, and then click OK. 4. Clear the Java cache on your system. 5. Close the browser, open another browser instance, and then log back in.
Reverting to the Previously Running Software Version

You can revert to the previous version of software that was running on your NIOS appliance. The NIOS appliance stores the previous version in its backup software partition. You can see if there is a software version to which you can revert and what that version is in the Alternate Revision column in the Upgrade Status viewer. From the Grid or Device perspective, click View -> Upgrade Status. Be aware that when you revert to this software, any configurations made to the currently running software are lost. So that you can later determine what configuration changes are missing, you can back up the current data before you revert. To revert to a version of software running previously on a grid or on an independent appliance or HA pair: 1. From the Grid or Device perspective, click Grid or Device -> Revert. 2. Read the warning carefully, and then click OK to confirm your decision to revert. 3. Close the Java application and restart it. Clearing the Java cache is unnecessary because JWS automatically updates its cache with the application for the currently running version of software. 4. Log back in to the grid master, independent appliance, or independent HA pair.
252
NIOS 4.3r5
Backing Up and Restoring a Configuration File

You can back up your system files locally on the appliance or use TFTP (Trivial File Transfer Protocol), FTP (File Transfer Protocol), or SCP (Secure Copy ) to back them up to a remote server. The backup file is a .tar.gz file that contains the configuration settings, data set, and TFTP files. For information about the TFTP feature, see Chapter 20, File Distribution Services, on page 673. These sections describe how to use the backup and restore functions:
Backing Up Files on page 253 Automatically Backing Up a Data File on page 254 Downloading a Backup File on page 255 Restoring a Configuration File on page 257 Loading a Configuration File on a Different Appliance on page 258
Note: Infoblox highly recommends you always back up the current configuration file before upgrading, restoring, or reverting the software on the appliance.
Backing Up Files
You can back up system files periodically and on demand. You can then restore the files on the same appliance or on a different appliance. For information about restoring files, see Restoring a Configuration File on page 257. You can configure the appliance to automatically back up the files on a weekly, daily, or hourly basis. Infoblox recommends that you back up the system files during off-hours to minimize any effect on network services. By default, the automatic backup function is turned off. You must log in with a superuser account to back up files. You can back up system files as follows: To a local directory or the management system used to operate the appliance To a TFTP server To an FTP server. This option requires that you have a valid user name and password for the server prior to attempting to back up. To an SSH server that supports SCP. This option requires that you have a valid user name and password for the server prior to attempting to back up.
Local Backup
When you back up the system files locally, the appliance uses the following format to name the file: year_month_day_time. For example, 2008_11_30_23_00 translates to November 30th, 2008 at 11:00 PM. The appliance saves up to 20 configuration files, regardless of how often files are saved (weekly, hourly, or daily. The size of the configuration file should be factored because the storage limit on an appliance is 5 Gb (gigabytes). If your configuration file is 500 Mb (megabytes), then the appliance stores 10 configuration files. When uploading configuration files on to a TFTP, FTP, or SCP server, you must consider the file size on that server as well.
Using TFTP
TFTP is a client-server protocol that uses UDP as its transport protocol. It does not provide authentication or encryption, therefore it does not require a user name or password. When you back up the system files to a TFTP server, you merely have to select the backup file you want to download, enter the name that it is stored under on the FTP server and the server IP address.
NIOS 4.3r5
253
Using FTP
FTP is a client-server protocol used to exchange files over TCP-based networks. The appliance, as the FTP client, connects to a remote FTP server that you identify. When you use FTP to back up the system files, the password and file contents are transmitted in clear text and may be intercepted by other users. When you back up the system files to an FTP server, the appliance, as the FTP client, logs on to the FTP server. You must specify the user name and password the appliance uses to log on to the FTP server. The user account must have write permission to the directory to which the appliance uploads the backup file.
Using SCP
SCP is more secure than TFTP and FTP. It uses the SSH protocol to provide authentication and security. You can use SCP to back up the NIOS system files to a server running SSHv2. When you use SCP to back up the system files to an SSH server, you must specify the user name and password the appliance uses to log on to the server. The user account must have write permission to the directory to which the appliance uploads the backup file. In addition, make sure that you enter the correct IP address of the SSH server; the appliance does not check the credentials of the SSH server to which it connects.
Automatically Backing Up a Data File

Infoblox recommends that you back up your configuration files regularly, and the easiest way to accomplish this task is to configure the appliance to back up the configuration file automatically. You can choose when and how often files are backed up: weekly, daily, or hourly. When you automatically back up a configuration file on the appliance, the file is named with the format: year_month_day_time. The default time for an automatic backup is 3:00 AM. Configuration files should be backed up during the slowest period of network activity. To automatically back up a database file on an independent appliance or grid master: 1. From the Grid perspective, click grid -> Edit -> Grid Properties. or From the Device perspective, click hostname -> Edit -> Device Properties. 2. In the Grid (or Device) editor, click Scheduled Backups. 3. In the Scheduled Backups section, enter the following information: Backup: Choose the destination of the backup file from the first drop-down list (LOCAL, TFTP, FTP, SCP) and how often to back up the file from the second drop-down list (Weekly, Daily, Hourly). By default, a grid master generates a backup file and saves it locally in its own storage daily at 3:00 AM. Be aware that backing up the grid and saving it locally on an hourly basis increases the turnover of files stored on the grid master. Backing it up hourly to a remote server increases the overall amount of traffic on your network. Weekday: (Weekly Only) Choose a day from the Weekday drop-down list, an hour from the Hours drop-down list, and a minute from the Minutes drop-down list. The grid master then creates a backup file at that time and day every week. Hours [0-23]: (Weekly and Daily) Type the hour when you want the grid master to create a backup file. Minutes [0-59]: (Weekly, Daily, Hourly) Type the minute when you want the grid master to create a backup file. User Name: (FTP and SCP) Type the user name for your FTP or SCP account. Password: (FTP and SCP) Type the password for your FTP or SCP account. Retype Password: (FTP and SCP) Type the password for your FTP or SCP account again to confirm its accuracy. Backup Host IP: (FTP, TFTP, and SCP) Type the IP address of the FTP or TFTP or SCP server where you want the grid master to send the backup file.
254
NIOS 4.3r5
Directory Path: Type a directory path, for example: /archive/backups. The directory and file names cannot have spaces. The directory path must contain forward slashes (/). The folder or directory you type must already exist on the specified server. Disable schedule backups: Select this check box if you want to disable automatic backups from occurring, but want to save the settings for future use. 4. Click the Save icon.
Downloading a Backup File

You can save an existing backup file, or create and save a new one to your local management system, TFTP server, FTP server, or SCP server. To back up a grid or an independent appliance or HA pair to your management system: 1. For a grid: From the Grid perspective, click Grid -> Backup -> to Local File. or For an independent appliance or HA pair: From the Device perspective, click Device -> Backup -> to Local File. 2. To back up the current configuration and data set, choose None, and then click OK. To download a previously made backup file (automatically created through the scheduled backup feature), choose the backup file name, and then click OK. 3. Navigate to the directory on your local management system where you want to save the backup file, rename the file if you like (by default, it is named databse.tar.gz), and then click Save or OK. To back up a grid or an independent appliance or HA pair to a TFTP server: From the Grid perspective, click Grid -> Backup -> to TFTP Server. or From the Device perspective, click Device -> Backup -> to TFTP Server. 1. Enter the following in the TFTP Backup dialog box: Existing backup files: To back up the current configuration and data set, choose None. To download a previously made backup file (made using the scheduled backup feature), choose the backup file name. File name on TFTP server: You can enter a file name or leave this field blank if you are downloading a previously made backup file and want to use that name. A NIOS appliance names backup files by concatenating the grid name or hostname with the date and time it creates the file. If you enter a file name, it cannot contain spaces. IP address of TFTP Server: Type the IP address of the TFTP server. 2. To download the specified backup file to the specified TFTP server, click OK. To back up a grid or an independent appliance or HA pair to an FTP server: 1. From the Grid perspective, click Grid -> Backup -> to FTP Server. or From the Device perspective, click Device -> Backup -> to FTP Server. 2. Enter the following in the FTP Backup dialog box: Existing backup files: To back up the current configuration and data set, choose None. To download a previously made backup file (made using the scheduled backup feature), choose the backup file name. File name on FTP server: You can enter the directory path and name for the backup file. If you enter a directory path and file name, the directory and file names must not contain spaces and you must use forward slashes; for example, archive/backup. If you do not specify a directory path, the appliance uploads the backup file to the root directory. You can leave this field blank if you are downloading a previously generated backup file and want to use that name. A NIOS appliance names backup files by concatenating the grid name or host name with the date and time it creates the file. IP address of FTP server: Type the IP address of the FTP server.
NIOS 4.3r5
255
Username on FTP server: Type the user name for your FTP account. This account must have write permission to the directory to which the appliance uploads the backup file. Password on FTP server: Type the password for your FTP account in this field and in the Re-type Password on FTP server field. 3. To download the specified backup file to the specified FTP server, click OK. To backup a grid or an independent appliance or HA pair to an SCP server: 1. From the Grid perspective, click Grid -> Backup -> to SCP Server. or From the Device perspective, click Device -> Backup -> to SCP Server. 2. Enter the following in the SCP Backup dialog box: Existing backup files: To back up the current configuration and data set, choose None. To download a previously made backup file (made using the scheduled backup feature), choose the backup file name. File name on SCP server: You can enter the directory path and name for the backup file. If you enter a directory path and file name, the directory and file names must not contain spaces and you must use forward slashes; for example, archive/backup. If you do not specify a directory path, the appliance uploads the backup file to the root directory. You can leave this field blank if you are downloading a previously made backup file and want to use that name. A NIOS appliance names backup files by concatenating the grid name or hostname with the date and time it creates the file. IP address of SCP server: Type the IP address of the SCP server. Username on SCP server: Type the user name for your SCP account. This account must have write permission to the directory to which the appliance uploads the backup file. Password on SCP server: Type the password for your SCP account in this field and in the Re-type Password on SCP server field. 3. To download the specified backup file to the specified SCP server, click OK.
256
NIOS 4.3r5
Restoring a Configuration File

You can restore a configuration file from an appliance running software modules v.3.1r4 or later, or v3.2, to an appliance running software modules v3.2.x and later. You can restore an existing configuration file on the appliance from which it originated, or restore a configuration file from a different appliance (referred to as a forced restore). The procedure presented below allows you to restore a configuration file from the same appliance it was originally backed up. To load a configuration file backed up from a different appliance, see Loading a Configuration File on a Different Appliance on page 258. You must log in with a superuser account to back up and restore files. There are three ways to restore a configuration file: From a local directory or the management system used to operate the appliance. From a TFTP server. From a remote server using FTP. This option requires that you have a valid user name and password for the FTP server prior to attempting to back up or restore.
To restore a configuration file to the same independent appliance or grid master: 1. From the Grid perspective, click Grid -> Restore Grid -> From Local File or From TFTP Server or From FTP Server or From Grid Master. or From the Device perspective, click Device -> Restore Device -> From Local File or From TFTP Server or From FTP Server or From Grid. 2. Do one of the following: From Local File: Navigate to the location of the configuration file, select the file, and then click OK. or From TFTP Server: In the Restore Grid From TFTP dialog box, enter the following, and then click OK: or From FTP Server: In the Restore Grid From FTP dialog box, enter the following, and then click OK: or From Grid Master: Select a configuration file from the drop-down list, and then click OK. 3. When the Confirm Grid Restore message appears, click OK to load the configuration file. After the file loads, the appliance reboots. 4. Close your current browser window or JWS (Java Web Start) application, wait a few minutes, and then reconnect to the NIOS appliance. FTP Server IP address: Type the IP address of the FTP server in whose root directory the backup file is stored. File Name: Type the name of the backup file. Do not include .tar.gz at the end of the file name. User Name: Type the name of the FTP server account. Password: Type the password of the FTP server account. Retype Password: To ensure accuracy, type the account password again. File Path: Type the directory path to where the backup file is stored. TFTP Server IP Address: Type the IP address of the TFTP server in whose root directory the backup file is stored. File Name: Type the name of the backup file. (Because the file must be in .tar.gz format, the file type is included as a read-only extension of the file name.) File Path: Type the directory path to where the backup file is stored.
NIOS 4.3r5
257
Loading a Configuration File on a Different Appliance

When you force restore a NIOS appliance, you load a configuration file saved from one appliance onto a different appliance. To restore a configuration file to the same appliance or grid master, use the Restore function explained in Restoring a Configuration File on page 257. To load a configuration file from one appliance onto a different appliance: 1. From the Grid perspective, click Grid -> Force Restore Grid -> From Local File or From TFTP Server or From FTP Server or From Grid Master. or From the Device perspective, click Device -> Force Restore Device -> From Local File or From TFTP Server or From FTP Server or From Grid. 2. Do one of the following: From Local File: In the Force Restore Grid From Local File dialog box, indicate whether you want the appliance to keep its current grid master IP settings or to obtain its IP settings from the backup, and then click OK. Navigate to the location of the configuration file, select the file, and then click OK. or From TFTP Server: In the Force Restore Grid From TFTP dialog box, enter the following, and then click OK: or From FTP Server: In the Force Restore Grid From FTP dialog box, enter the following, and then click OK: or From grid: In the Force Restore From Grid Master dialog box, enter the following, and then click OK: Select a backup file from the drop-down list, and then click OK. Grid Master IP Address Option: Indicate whether you want the appliance to keep its current grid master IP settings or to obtain its IP settings from the backup. FTP Server IP address: Type the IP address of the FTP server in whose root directory the backup file is stored. File Name: Type the name of the backup file. Do not include .tar.gz at the end of the file name. User Name: Type the name of the FTP server account. Password: Type the password of the FTP server account. Retype Password: To ensure accuracy, type the account password again. File Path: Type the directory path to where the backup file is stored. Grid Master IP Address Option: Indicate whether you want the appliance to keep its current grid master IP settings or to obtain its IP settings from the backup. TFTP Server IP Address: Type the IP address of the TFTP server in whose root directory the backup file is stored. File Name: Type the name of the backup file. (Because the file must be in .tar.gz format, the file type is included as a read-only extension of the file name.) File Path: Type the directory path to where the backup file is stored. Grid Master IP Address Option: Indicate whether you want the appliance to keep its current grid master IP settings or to obtain its IP settings from the backup.
3. When the Confirm Grid Restore confirmation message appears, click OK to load the backup file. After the file loads, the appliance reboots. 4. Close your current browser window or JWS (Java Web Start) application, wait a few minutes, and then reconnect to the NIOS appliance.
258
NIOS 4.3r5
Downloading a Support Bundle
Downloading a Support Bundle

When you need assistance troubleshooting a NIOS appliance, you can log in to the appliance as a superuser, download the support bundle of the appliance and send it to Infoblox Support for analysis. A support bundle is a tar.gz file that contains configuration files and the appliance system files. You can download a support bundle for an independent appliance and for each member in a grid. When you download a support bundle for an HA pair, it includes the files of both nodes in the HA pair. By default, the appliance includes the following files in the support bundle: core files, log files, VitalQIP files (if a VitalQIP license is installed on the appliance). Because core files can be quite large and take a significant amount of time to download, Infoblox recommends that you include core files in the support bundle only when requested by Infoblox Support. To download a support bundle: 1. From the Grid perspective, click + (for grid ) -> + (for Members ) -> grid_member -> Tools -> Download Support Bundle. or From the Device perspective, click hostname -> Tools -> Download Support Bundle. 2. In the Download Support Bundle dialog box, select which files you would like to include in the support bundle, and then click OK: Core Files: Infoblox recommends that you include these files only when requested by Infoblox Support. Log Files: Infoblox recommends that you always include these files in the support bundle. QIP: If a VitalQIP license is installed on the appliance, include the VitalQIP files in the support bundle. 3. In the Save as... dialog box, navigate to where you want to save the file and change the file name. Do not change the .tar.gz file extension in the file name. 4. Send this file to Support in an e-mail message.
NIOS 4.3r5
259
260
NIOS 4.3r5
Part 2 Appliance Deployment

This section provides information about deploying and managing independent appliances and grids. It includes the following chapters: Chapter 8, "Deploying Independent Appliances", on page 263 Chapter 9, "Deploying a Grid", on page 299
NIOS 4.3r5
261
262
NIOS 4.3r5
Chapter 8 Deploying Independent Appliances

This chapter explains how to deploy single independent appliances and independent HA pairs. Independent appliances run NIOS without the Grid upgrade and are deployed independently from a grid. The user guide or installation guide that ships with your product explains how to connect ethernet cables and power cords before configuring a NIOS appliance as a single independent appliance and an independent HA pair. Refer to these guides when necessary as you read this chapter. There is also cabling information for Infoblox-500, -1000, and -1200 appliances in Connecting the Ethernet Cables on page 825. The topics in this chapter include:
Independent Deployment Overview on page 264 Deploying a Single Independent Appliance on page 265 Method 1 Using the LCD on page 266 Method 2 Using the CLI on page 266 Method 3 Using the Infoblox NIOS Startup Wizard on page 268 Method 4 Using the GUI on page 269 Configuration Example: Deploying a NIOS Appliance for External DNS on page 270 Deploying an Independent HA Pair on page 277 Method 1 Using the Infoblox NIOS Startup Wizard on page 279 Method 2 Using the GUI on page 281 Configuration Example: Configuring an HA Pair for Internal DNS and DHCP on page 283 Verifying the Deployment on page 295 Single Independent Appliance on page 295 Independent HA Pair on page 295 Forcing an HA Failover on page 295 Infoblox Tools for Migrating Data on page 296 Upgrading Software on an Independent Appliance or HA Pair on page 297 Acquiring Software Upgrade Files on page 297 Distributing Software Upgrade Files on page 297 Running the Software Upgrade on page 297
NIOS 4.3r5
263
Deploying Independent Appliances
Independent Deployment Overview

You can deploy NIOS appliances collectively in a grid or independently (in what is sometimes referred to as a stand-alone deployment). Although grids offer many advantages for large organizations, an independent deployment might be sufficient for smaller sites. For example, if your ISP hosts one name server to respond to external DNS queries, it might be enough to deploy a single independent NIOS appliance as the other name server, as shown in Figure 8.1. Note: You cannot deploy a NIOS virtual appliance as a single, independent appliance.
Figure 8.1 Single Independent Appliance as an External DNS Server

The primary and secondary name servers provide DNS protocol redundancy. If one of them cannot respond to a query for the corp100.com domain, the other can.
Internet ISP Site
The ISP hosts a secondary DNS server for the corp100.com domain.
A NIOS appliance is the primary DNS server for the corp100.com domain. It answers queries from the Internet for public-facing servers in the DMZ network. Firewall
DMZ
Switch Internal Network LAN or LAN1 Port Servers for Public Access
domain name = corp100.com
Using primary and secondary name servers provides DNS protocol redundancy and configuring two DHCP servers as DHCP failover peers provides DHCP protocol redundancy. However, you can only have hardware redundancy if you deploy appliances in an HA (high availability) pair. Should the active node in an HA pair fail, the passive node becomes active and begins serving data, as shown in Figure 8.2.
Figure 8.2 Independent HA Pair

Internet ISP Site Secondary DNS Server Firewall Active Node Switch Internal Network LAN (LAN1) and HA Ports Passive Node Servers for Public Access If the active node fails, the passive node becomes active and continues serving DNS. This is the same situation as that in Figure 8.1, but the primary DNS server is an independent HA pair to provide hardware redundancy.
LAN (LAN1) and HA Ports
Primary DNS Server (Independent HA Pair)
DMZ
The following sections describe the procedures for deploying independent appliances singly and in HA pairs.
264
NIOS 4.3r5
Deploying a Single Independent Appliance

To deploy a single independent NIOS appliance, you cable its LAN or LAN1 port to the network and change its default IP settings so that it can connect to its surrounding IP address space. The default LAN settings are as follows: IP address: 192.168.1.2 Netmask: 255.255.255.0 Gateway: 192.168.1.1
Note: On Infoblox-500, -1000, and -1200 appliances, the LAN port is labeled LAN. On Infoblox-250, -550, -550-A, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000 appliances, use the port labeled LAN1. Infoblox provides the following methods for performing a basic configuration to deploy a single independent appliance:
Method 1 Using the LCD

Requirements: Physical access to a powered up NIOS appliance Advantage: You do not need any other equipment.
Method 2 Using the CLI

Requirements: A serial connection from your management system to the console port on the NIOS appliance (You can also enable remote console access so that you can use the CLI over a network connection. For information, see Enabling Remote Console Access on page 139.) Advantage: You do not have to change the IP address of the management system to connect to the NIOS appliance.
Method 3 Using the Infoblox NIOS Startup Wizard

Requirements: An HTTPS connection from your management system to the LAN or LAN1 port on the NIOS appliance Advantage: The wizard provides step-by-step guidance for changing not only IP settings for the LAN or LAN1 port, but also changing the appliance host name and admin password, setting the system clock, andif using NTP (Network Time Protocol)enabling the NIOS appliance to be an NTP server.
Method 4 Using the GUI

Requirements: An HTTPS connection from your management system to the LAN or LAN1 port on the NIOS appliance Advantage: If you have logged in previously and disabled the startup wizard, you can still use the GUI to configure the LAN network settings.
These methods are explained in the following subsections. After you set the network settings, you can then migrate data and settings from legacy DNS and DHCP servers to the NIOS appliances. Several tools and methods are available for migrating data and configuration settings. For a list of the available options, see Infoblox Tools for Migrating Data on page 296.
NIOS 4.3r5
265
Method 1 Using the LCD

NIOS appliances have an LCD and navigation buttons on the front panel that allow you to view system status and license information as well as configure network settings for the LAN or LAN1 port.
Figure 8.3 Infoblox LCD and Navigation Buttons

The LCD panel is on the front of a NIOS appliance.
Infoblox
LCD Navigation Buttons
You can deploy a single independent NIOS appliance by setting its LAN or LAN1 port IP address, netmask, and gateway through the LCD. This is the simplest method because you do not need anything other than physical access to the appliance to complete the initial configuration. 1. Connect the power cable from the NIOS appliance to a power source and turn on the power. At startup, the Infoblox logo appears in the LCD on the front panel of the appliance. Then the LCD scrolls repeatedly through a series of display screens. 2. To change the network settings for the LAN or LAN1 port, press one of the navigation buttons. The LCD immediately goes into input mode, in which you can enter the IP address, netmask, and gateway for the LAN or LAN1 port. 3. Use the navigation buttons to enter an IP address, netmask, and gateway address for the LAN or LAN1 port. 4. Cable the LAN or LAN1 port of the NIOS appliance to a network as described in Independent Appliance Cabling Using the LAN or Serial Port on page 825.
Method 2 Using the CLI

The Infoblox CLI allows you to make an initial network configuration through the set network command. To access the CLI, make a direct serial connection from your management system. Note: You can also access the CLI from a remote location using an SSHv2 client. By default, remote console access that is, SSHv2 (Secure Shell version 2) accessis disabled. You must first enable remote console access through the GUI or CLI, and then you can make an SSHv2 connection to the appliance. 1. Connect a console cable from the console port on your workstation to the male DB-9 console port on the NIOS appliance. The DB-9 pin assignments follow the EIA232 standard. You can use the RJ-45 rollover cable and two female RJ-45-to-female DB-9 adapters that ship with the appliance, or a female DB-9-to-female DB-9 null modem cable.
266
NIOS 4.3r5
Figure 8.4 Console Connection

Male DB-9 Console Port Management System RJ-45 Rollover Cable with Two RJ-45-to-Female DB-9 Adapters (Ships with Every Appliance) or Female DB-9-to-Female DB-9 Null Modem Cable Male DB-9 Console Port NIOS appliance To Power Source
2. Using a serial terminal emulation program such as Hilgraeve Hyperterminal (provided with Windows operating systems), launch a session. The connection settings are: Bits per second: 9600 Data bits: 8 Parity: None Stop bits: 1 Flow control: Xon/Xoff 3. Log in using the default user name and password admin and infoblox . User names and passwords are case-sensitive. 4. To change the network settings from the default, enter the set network command. Then enter information as prompted to change the IP address, netmask, and gateway for the LAN or LAN1 port. Note: In the following commands, the variable ip_addr1 is the IP address of the LAN or LAN1 port and ip_addr2 is the IP address of the gateway for the subnet on which you set the ip_addr1 address.
Infoblox > set network NOTICE: All HA configuration is performed from the GUI. This interface is used only to configure a standalone node or to join a grid. Enter IP address: ip_addr1 Enter netmask: [Default: 255.255.255.0]: netmask Enter gateway address [Default: n.n.n.1]: ip_addr2 Become grid member? (y or n): n
After you confirm your network settings, the Infoblox application automatically restarts. 5. Cable the LAN or LAN1 port to a network as described in Independent Appliance Cabling Using the LAN or Serial Port on page 825.
NIOS 4.3r5
267

When you first make an HTTPS connection to a NIOS appliance, the Infoblox NIOS Startup Wizard appears. To ease the initial configuration process, the wizard guides you through various deployment options and basic network settings, and presents opportunities for changing the password of the superuser admin and for setting the system clock. To make an HTTPS connection to the appliance, you must be able to reach its IP address from your management system. Note: If you have already set the IP address of the LAN or LAN1 port through the LCD or CLI so that you can reach it over the networkand you have already cabled the appliance to the networkyou can skip the first step. 1. If you have not changed the default IP address (192.168.1.2/24) of the LAN or LAN1 port through the LCD or CLI and the subnet to which you connect the appliance does not happen to be 192.168.1.0/24put your management system in the 192.168.1.0/24 subnet and connect an ethernet cable between your management system and the NIOS appliance. 2. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port. (To reach the default IP address, enter: https://192.168.1.2) Several certificate warnings appear during the login process. This is normal because the preloaded certificate is self-signed (and, therefore, is not in the trusted certificate stores in your browser, Java application, and Java Web Start application) and has the hostname www.infoblox.com, which does not match the destination IP address you entered in step 1. To stop the warning messages from occurring each time you log in to the GUI, you can generate a new self-signed certificate or import a third-party certificate with a common name that matches the FQDN (fully qualified domain name) of the appliance. This is a very simple process. For information about certificates, see Managing Certificates on page 51. 3. Click LAUNCH DEVICE MANAGER. 4. Log in to the NIOS appliance. The default login name and password are admin and infoblox. For detailed information about logging in to the GUI, see Accessing the Infoblox GUI on page 41. The Infoblox NIOS Startup Wizard appears. The first screen provides basic information about the wizard, and the second screen displays license agreement information. 5. Beginning on the third screen, enter the following, where ip_addr1 and netmask are the IP address and netmask of the LAN or LAN1 port ip_addr2 is the IP address of the gateway for the subnet on which the LAN or LAN1 port is set hostname is a valid domain name for the appliance string is a single alphanumeric string (no spaces) for a password that is at least four characters long ip_addr3 is the IP address of an NTP server: Wizard Screen Deployment Type Independent Device Deployment Type Network Settings Enter or Select Independent Device or HA Pair Independent Device IP Address: ip_addr1 Netmask: netmask Gateway: ip_addr2 Host Name: hostname Admin Account Password Change Admin Password: (select), string
268
NIOS 4.3r5
Wizard Screen Time Settings
Enter or Select Enable NTP: (select) NTP Server List: ip_addr3 (click Add) Time zone: (choose the time zone for the location of the appliance)
Note: The startup wizard provides options such as not changing the default password and manually entering the time and date. However, changing the password and using an NTP server provide increased security and accuracy (respectively), and so these choices are presented above. The last screen of the startup wizard states that the changed settings require the application to restart. When you click Finish, it restarts. 6. Open a new web browser instance and make an HTTPS connection to the new IP address of the LAN or LAN1 port. 7. Log back in using the default user name (admin ) and your new password. When you log in the second time, you access the Infoblox GUI application. For system requirements to use the GUI, see Management System Requirements on page 41.

To deploy a single independent appliance through the GUI, make an HTTPS connection to the appliance and then bypass the startup wizard. (The following procedure assumes that the appliance has the DNSone package installed.) 1. If you have not changed the default IP address (192.168.1.2/24) of the LAN or LAN1 port through the LCD or CLI and the subnet to which you connect the appliance does not happen to be 192.168.1.0/24put your management system in the 192.168.1.0/24 subnet and connect an ethernet cable between your management system and the NIOS appliance. Note: The ethernet ports on the Infoblox-250, -550, -550-A, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000 appliances are autosensing, so you can use either a straight-through or cross-over ethernet cable for this connection. For the Infoblox-500, -1000, and -1200 appliances, use a cross-over ethernet cable to connect the appliance to your management system and a straight-through ethernet cable to connect the appliance to a switch. 2. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port. To reach the default IP address, enter: https://192.168.1.2 . For detailed information on logging in to the GUI, see Accessing the Infoblox GUI on page 41. 3. Click LAUNCH DEVICE MANAGER. 4. Log in using the default user name (admin ) and password (infoblox ). The Infoblox NIOS Startup Wizard appears. 5. To bypass the wizard, click Cancel or the Close button (). 6. From the Device perspective, click infoblox.localdomain -> Edit -> Device Properties. 7. In the Device editor, click Device Properties, and then enter the following network settings: Host Name: Type the FQDN (fully qualified domain name) of the appliance. (V)IP Address: Type the IP address of the LAN or LAN1 port. Subnet Mask: Choose the netmask for the subnet to which the LAN or LAN1 port connects. Gateway: Type the IP address of the default gateway of the subnet to which the LAN or LAN1 port connects. Comment: Enter information about the appliance, such as its location. 8. Click Save, and then close the management window. 9. Initiate a new management session, and log in to the appliance using its new IP address.
Configuration Example: Deploying a NIOS Appliance for External DNS

In this example, you configure the NIOS appliance as the external primary DNS server for corp100.com. Its FQDN (fully-qualified domain name) is ns1.corp100.com. The interface IP address of the LAN1 port is 10.1.5.2/24. Because this is a private IP address, you must also configure the firewall to perform NAT (network address translation), mapping the public IP address 1.1.1.2 to 10.1.5.2. Using its public IP address, ns1 can communicate with appliances on the public network. The FQDN and IP address of the external secondary DNS server are ns2.corp100.com and 2.2.2.2. The ISP hosts this server. The primary and secondary servers answer queries for the following public-facing servers in the DMZ: www.corp100.com mail.corp100.com ftp.corp100.com
When you create the corp100.com zone on the NIOS appliance, you import zone data from the legacy DNS server at 10.1.5.3.
Figure 8.5 Example 1 Network Diagram

NTP Server 3.3.3.3 The device is in the Pacific time zone (UMT-8:00) External Secondary DNS Server ns2: 2.2.2.2 NAT on Firewall 1.1.1.2 > 10.1.5.2 1.1.1.5 > 10.1.5.5 1.1.1.6 > 10.1.5.6 1.1.1.7 > 10.1.5.7
Internet ISP
ethernet1 1.1.1.1/24 Firewall
ethernet2 10.1.5.1/24 NIOS appliance External Primary DNS Server ns1: 10.1.5.2 Switch Legacy Primary DNS Server ns1: 10.1.5.3 (Replaced by the NIOS appliance)
www 10.1.5.5
ftp 10.1.5.7
DMZ Network 10.1.5.0/24
To Internal Network
mail 10.1.5.6
The NIOS appliance is the external primary DNS server for the corp100.com domain. It answers queries from the Internet for the three public-facing servers in the DMZ network:
www.corp100.com mail.corp100.com ftp.corp100.com
270
NIOS 4.3r5
Cable the Appliance to the Network and Turn On Power

Connect an ethernet cable from the LAN1 port of the NIOS appliance to a switch in the DMZ network and turn on the power. For information about installing and cabling the appliance, refer to the user guide or installation guide that ships with the product.
Specify Initial Network Settings

Before you can configure the NIOS appliance through the GUI, you must be able to make a network connection to it. The default network settings of the LAN1 port are 192.168.1.2/24 with a gateway at 192.168.1.1 (the HA and MGMT ports do not have default network settings). To change these settings to suit your network, use either the LCD or the console port. In this example, you change the IP address/netmask of the LAN1 port to 10.1.5.2/24, and the gateway to 10.1.5.1.
LCD
The NIOS appliance has an LCD and navigation buttons on its front panel. At startup, the Infoblox logo appears in the LCD on the front panel of the appliance. Then the LCD scrolls repeatedly through a series of display screens. 1. To change the network settings from the default, press one of the navigation buttons. The LCD immediately goes into input mode, in which you can enter the IP address, netmask, and gateway for the LAN1 port. 2. Use the navigation buttons to enter the following information: IP Address: 10.1.5.2 Netmask: 255.255.255.0 Gateway: 10.1.5.1
Console Port
The NIOS appliance has a male DB-9 console port on the front panel. You can log in to the appliance through this port and specify initial network settings using the Infoblox CLI. 1. Connect a console cable from the console port of the management system to the console port of the NIOS appliance. 2. Access the Infoblox CLI. For more information about the Infoblox CLI, refer to the Infoblox CLI Guide. 3. To change the network settings from the default, enter the set network command. Then enter information as prompted to change the IP address, netmask, and gateway for the LAN1 port.
Infoblox > set network NOTICE: All HA configuration is performed from the GUI. This interface is used only to configure a standalone node or to join a grid. Enter IP address: 10.1.5.2 Enter netmask: [Default: 255.255.255.0]: Enter gateway address [Default: 10.1.5.1]: Become grid member? (y or n): n
After you confirm your network settings, the appliance automatically restarts.
NIOS 4.3r5
271
Specify Appliance Settings

When you make the initial HTTPS connection to the NIOS appliance, you see the Appliance Startup Wizard, which guides you through the basic deployment of the appliance on your network. Use the wizard to enter the following information: Deployment: single independent appliance Host name: ns1.corp100.com Password: SnD34n534 NTP (Network Time Protocol) server: 3.3.3.3; time zone: (UMT 8:00 Pacific Time (US and Canada), Tijuana
1. Open a browser window and enter https://10.1.5.2. 2. Accept the certificate when prompted. Several certificate warnings appear during the login process. This is normal because the preloaded certificate is self-signed (and, therefore, is not in the trusted certificate stores in your browser, Java application, and Java Web Start application) and has the hostname www.infoblox.com, which does not match the destination IP address you entered in step 1. To stop the warning messages from occurring each time you log in to the GUI, you can generate a new self-signed certificate or import a third-party certificate with a common name that matches the FQDN (fully-qualified domain name) of the appliance. This is a very simple process. For information about certificates, see Managing Certificates on page 51. 3. Click LAUNCH DEVICE MANAGER. 4. If the browser prompts you for an application to use, see Accessing the Infoblox GUI on page 41. 5. Log in using the default user name and password admin and infoblox. Note: User names and passwords are case-sensitive. 6. The Infoblox Appliance Startup Wizard opens with a splash screen that provides basic information about the wizard, and then displays license agreement information. Beginning on the third screen, enter the following: Wizard Screen Deployment type Node type Node information Default password Time settings Enter or Select Standalone Standalone appliance Host name: ns1.corp100.com Change admins password: (select), SnD34n534 Enable NTP: (select) NTP Server: 3.3.3.3 (click Add) Time zone: (UMT 8:00 Pacific Time (US and Canada), Tijuana
The last screen of the wizard states that the changed settings require the application to restart. When you click Finish, the Infoblox GUI application restarts. 7. Log back in to the appliance. When you log in the second time, you access the Infoblox GUI application. For system requirements to use the GUI, see Management System Requirements on page 41.
272
NIOS 4.3r5
Define a NAT Address

Because the firewall translates the public IP address 1.1.1.2 to the interface IP address 10.1.5.2, all DNS queries originating outside the firewall use 1.1.1.2 (not 10.1.5.2) to reach the NIOS appliance. Accordingly, you must configure the appliance to indicate to other external DNS servers that its address is 1.1.1.2. 1. From the Device perspective, click ns1.corp100.com -> Edit -> Device Properties. 2. In the Device editor, click NAT and enter the following: Enable NAT compatibility: Select check box. Group: None NAT (V)IP Address: 1.1.1.2 3. Click the Save icon. The glue record is an A record for a name server. The appliance automatically generates the A record for ns1.corp100.com using either the interface address or NAT address (if configured). To verify that the A record uses the NAT address (1.1.1.2) instead of the interface address (10.1.5.2): 1. Click DNS to open the DNS perspective, and then click DNS Members -> + (for Infoblox) -> ns1.corp100.com -> Edit -> Member DNS Properties. 2. In the Member DNS Properties editor, click General. 3. In the table labelled Possible views for member, select the default view and click Modify. 4. In the Select Member Address dialog box, select NAT IP address. 5. Click the Save and Restart Services icons.
Enable Zone Transfers on the Legacy Name Server

To allow the appliance to import zone data from the legacy server at 10.1.5.3, you must configure the legacy server to allow zone transfers to the appliance at 10.1.5.2.
Legacy BIND Server

1. Open the named.conf file using a text editor and change the allow-transfer statement as shown below: For All Zones To set the allow-transfer statement as a global statement in the named.conf file for all zones:
options { zone-statistics yes; directory "/var/named/named_conf"; version ""; recursion yes; listen-on { 127.0.0.1; 10.1.5.3; }; allow-transfer {10.1.5.2; }; transfer-format many-answers; };
For a Single Zone To set the allow-transfer statement in the named.conf file for the corp100.com zone:
zone "corp100.com" in { type master; allow-transfer {10.1.5.2;}; notify yes; };
2. After editing the named.conf file, restart DNS service for the change to take effect.
NIOS 4.3r5
273
Legacy Windows 2000/2003 Server

1. Click Start -> All Programs -> Administrative Tools -> DNS. 2. Click + (for ns1) -> + (for Forward Lookup Zones) -> corp100.com. 3. Right-click corp100.com, and then select Properties -> Zone Transfers. 4. On the Zone Transfers page in the corp100.com Properties dialog box, enter the following: 5. Allow zone transfers: Select check box. 6. Only to the following servers: Select. 7. IP address: Enter 10.1.5.2, and then click Add. 8. To save the configuration change and close the corp100.com Properties dialog box, click OK.
Import Zone Data

You can import zone data from a legacy server or manually enter it. When you import both forward- and reverse-mapping zone data, the NIOS appliance automatically creates Infoblox host records if corresponding A and PTR records are present. You can then modify the host records to add MAC addresses. However, if you only import forward-mapping zone data, the NIOS appliance cannot create host records from just the A records. In that case, because you cannot later convert A records to host records, it is more efficient to create the corp100.com zone, and define host records manually. Infoblox host records are data models that represent IP devices within the Infoblox semantic database. The NIOS appliance uses a host object to define A, PTR, and CNAME resource records in a single object as well as a DHCP fixed address if you include a MAC address in the host object definition. The host object prevents costly errors because you only maintain a single object for multiple DNS records and a DHCP fixed address. Therefore, it is advantageous to use host records instead of separate A, PTR, and CNAME records. Note: If you only have forward-mapping zones on your legacy servers and you want to add reverse-mapping zones and automatically convert A records to host records in the imported forward-mapping zones and create reverse host records in corresponding reverse-mapping zones, create the reverse-mapping zones on the NIOS appliance and then import the forward-mapping zones data. The NIOS appliance automatically converts the imported A records to host records in the forward-mapping zones and creates reverse host records in the reverse-mapping zones. You also have the option of using the Data Import Wizard for loading DNS and DHCP configurations and data. For large data sets, this option is an efficient approach. To download the Data Import Wizard, visit www.infoblox.com/support, log in with your support account, and then click the Data Import Wizard hyperlink in the DNSone section. In this example, when you create the corp100.com forward-mapping zone, you import zone data for the existing corp100.com zone from the legacy server at 10.1.5.3. When you create the 1.1.1.0/24 reverse-mapping zone, you also import the reverse-mapping zone records from the legacy server. After the appliance has both the forward- and reverse-mapping zone data, it converts the A and PTR records to Infoblox host records. 1. Open a browser window, and log in to the appliance at https://10.1.5.2, using the user name admin and the password SnD34n534. 2. From the DNS perspective, click the DNS Views tab -> + (for DNS Views) -> + (for default) -> Forward Mapping Zones -> Edit -> Add Forward Mapping Zone -> Authoritative. 3. In the Authoritative Zone Properties section of the Add Forward Authoritative Zone editor, enter the following: Name: corp100.com Comment: External DNS zone 4. In the Primary Server Assignment section, click Select Member to open the Select Grid Member dialog box. 5. Select ns1.corp100.com, and then click OK to close the dialog box. 6. In the Secondary Server Assignment section, click Add in the External Secondaries table to open the Zone External Secondary Server Item dialog box.
274
NIOS 4.3r5
7. Enter the following information, and then click OK to close the dialog box: Name: ns2.corp100.com IP Address: 2.2.2.2 Stealth: Clear check box. 8. Click the Save and Restart Services icons. 9. Edit the zone that you just created as follows: in the DNS Views panel of the DNS perspective, click + (for Forward Mapping Zones) -> corp100.com -> Edit -> Authoritative Zone Properties. Note: To import zone data, you must first create a zone, save it, and then edit it. 10. In the Forward Authoritative Zone editor, click Settings and enter the following: E-mail address: admin@corp100.com Import zone from: Select check box, and enter 10.1.5.3 in the adjacent text field. 11. Click the Save icon. 12. After successfully importing the zone data, click corp100.com in the DNS Views panel. You can see all the imported forward-mapping zone data in the Records panel. Because you have not yet imported the reverse-mapping zone data, most of the records appear as A records. 13. From the DNS perspective, click DNS Views -> + (for DNS Views) -> + (for default) -> Reverse Mapping Zones -> Edit -> Add Reverse Mapping Zone -> Authoritative. 14. In the Authoritative Zone Properties section of the Add Reverse Authoritative Zone editor, enter the following: Network Address: 1.1.1.0 Subnet Mask: /24 (255.255.255.0) Comment: External DNS zone 15. In the Primary Server Assignment section, click Select Member to open the Select Grid Member dialog box. 16. Select ns1.corp100.com, and then click OK to close the dialog box. 17. In the Secondary Server Assignment section, click Add in the External Secondaries table to open the Zone External Secondary Server dialog box. 18. Enter the following information, and then click OK to close the dialog box: Name: ns2.corp100.com IP Address: 2.2.2.2 Stealth: Clear check box. 19. Click the Save icon. 20. In the DNS Views panel of the DNS perspective, click + (for Reverse Mapping Zones) -> 1.1.1.in-addr.arpa -> Edit -> Authoritative Zone Properties. 21. In the Authoritative Reverse Zone editor, click Settings and enter the following: E-mail address: admin@corp100.com Import zone from: Select check box, and enter 10.1.5.3 in the adjacent text field. 22. Click the Save and Restart Services icons. 23. Click 1.1.1.in-addr.arpa -> View -> Records. You can see all the imported reverse-mapping zone data in the Records panel. 24. Click corp100.com in the Forward Mapping Zones list. Because you have now imported both the forward- and reverse-mapping zone data, most of the records appear as host records. 25. Finally, you must remove the ns1 host record for the legacy server (value 1.1.1.3). To remove it, select ns1 (the host record for 1.1.1.3), and then click Edit -> Remove.
NIOS 4.3r5
275
Designate the New Primary on the Secondary Name Server (at the ISP Site)
In this example, the external secondary name server is maintained by an ISP, so you must contact your ISP administrator to change the IP address of the primary (or master) name server. (If you have administrative access to the secondary name server, you can make this change yourself.) Because a firewall performing NAT exists between the secondary and primary name servers, specify the NAT address 1.1.1.2 for the primary name server instead of 10.1.5.2.
Secondary BIND Server

1. Open the named.conf file using a text editor and set ns1 (with NAT address 1.1.1.2) as the primary (or master) from which ns2 receives zone transfers in the named.conf file for the corp100.com zone:
zone "corp100.com" in { type slave; masters {1.1.1.2;}; notify yes; file /var/named/db.corp100.com; };
2. After editing the named.conf file, restart DNS service for the change to take effect.
Secondary Windows 2000/2003 Server

1. Click Start -> All Programs -> Administrative Tools -> DNS. 2. Click + (for ns2) -> + (for Forward Lookup Zones) -> corp100.com. 3. Right-click corp100.com, and then select Properties -> General. 4. On the General page in the corp100.com Properties dialog box, enter the following: Zone file name: corp100.com.dns IP address: Enter 1.1.1.2, and then click Add. In the IP Address field, select 1.1.1.3 (the NAT IP address of the legacy DNS server), and then click Remove. 5. To save the configuration change and close the corp100.com Properties dialog box, click OK.
Configure NAT and Policies on the Firewall

Change the NAT and policy settings on the firewall to allow bidirectional DNS traffic to and from ns1.corp100.com and NTP traffic from ns1.corp100.com to the NTP server at 3.3.3.3. For example, enter the following commands on a Juniper firewall running ScreenOS 4.x or later:
set set set set set set address dmz ns1 10.1.5.2/32 address untrust ntp_server 3.3.3.3/32 interface ethernet1 mip 1.1.1.2 host 10.1.5.2 policy from dmz to untrust ns1 any dns permit policy from untrust to dmz any mip(1.1.1.2) dns permit policy from dmz to untrust ns1 ntp_server ntp permit
At this point, the new DNS server can take over DNS service from the legacy server. You can remove the legacy server and unset any firewall policies permitting traffic to and from 10.1.5.3.
276
NIOS 4.3r5
Deploying an Independent HA Pair

An independent HA (high availability) pair provides hardware redundancy for the source of your network identity services. The two nodes that form an HA pairidentified as Node 1 and Node 2are in an active/passive configuration. The active node receives, processes, and responds to all service requests. The passive node constantly keeps its database synchronized with that of the active node, so it can take over service if a failover occurs. (A failover is basically the reversal of the active/passive roles of each node; that is, when a failover occurs, the previously active node becomes passive and the previously passive node becomes active.) Events can trigger a failover or you can deliberately force it to happen (see Forcing an HA Failover on page 295). So that the two physical nodes can appear as a single entity on the network, they share a single VIP (virtual IP) address and virtual MAC address. The VIP and virtual MAC addresses link to the HA port on each node. Whichever node is currently active is the one whose HA port owns the VIP and virtual MAC addresses. If a failover occurs, these addresses shift from the HA port of the previous active node to the HA port of the new active node (see Figure 8.6).
Figure 8.6 VIP Address and Virtual MAC Address and HA Failover
Infoblox HA Pair bloxSYNC Node 1 Active HA Port VIP and Virtual MAC Address Encrypted VPN Tunnel Node 2 Passive HA Port
The clients always make service requests toand receive replies fromthe VIP and virtual MAC address.
The HA ports on each node of an HA pair share the VIP (virtual IP) address and virtual MAC address. Because Node 1 is currently active, it owns these addresses.
Network Clients
After an HA Failover
Node 1 Passive HA Port VIP and Virtual MAC Address Node 2 Active HA Port
The clients still make service requests toand receive replies fromthe same VIP and virtual MAC address.
After an HA failover occurs, Node 2 becomes the active node. Because Node 2 is now active, it now owns the VIP address and virtual MAC address.
Network Clients
NIOS 4.3r5
277
The two nodes in an HA pair include a VRID (virtual router ID) in all VRRP advertisements and use it to recognize VRRP advertisements intended just for themselves. Only another appliance on the same subnet configured to use the same VRID responds to the announcements. The VRID must be a unique number between 1 and 255 for the subnet on which the HA pair is located. (There is no default VRID number.) For more information, see RFC 3768, Virtual Router Redundancy Protocol (VRRP), and also VRRP Advertisements on page 311.
Figure 8.7 VRRP Advertisements with a Unique VRID

After you finish configuring Node 1 of the HA pair to use VRID 10a number that is unique for this subnetit starts listening for VRRP advertisements with that VRID. When it does not receive any for three seconds, it becomes the active node in the HA pair and begins multicasting VRRP advertisements with a VRID 10 from its HA port. VRRP Advertisements After you finish configuring Node 2 to join the HA pair, it initiates a connection with Node 1. The two appliances establish a VPN tunnel between themselves, using the HA connection name and shared secret to authenticate each other. Node 2 downloads the database from Node 1 and learns its VRID. Node 2 then begins listening for VRRP advertisements on its HA port. When it receives an advertisement from Node 1, Node 2 recognizes it and becomes the passive node.
Any device on that subnet that is not configured to listen for VRRP advertisements with VRID 10 drops the packet.
Node 1 (Active) Switch
MATCH! Node 2 (Passive)
Subnet
To deploy an independent HA pair, you cable the HA and LAN (or LAN1) or LAN2 ports to the network and configure the IP settings for these ports and the VIP address within the same subnet. Note: On Infoblox-500, -1000, and -1200 appliances, the LAN port is labeled LAN . On Infoblox-250, -550, -550-A, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000 appliances, use the port labeled LAN1. The default LAN or LAN2 settings are as follows: IP address: 192.168.1.2 Netmask: 255.255.255.0 Gateway: 192.168.1.1.
Infoblox provides two methods for configuring an HA pair:

Requirements: HTTPS connections from your management system to the ethernet ports on the two appliances Advantage: The startup wizard provides step-by-step guidance for configuring the network settings of the VIP address and HA and LAN (or LAN1) ports on both nodes, for setting the host name, admin password, and system clock, andif using NTP (Network Time Protocol)for enabling the HA pair as an NTP server.

Requirements: HTTPS connections from your management system to the ethernet ports on the two appliances Advantage: If you have logged in previously and disabled the startup wizard, you can still use the GUI to configure an independent HA pair.
These methods are explained in the following subsections.


When you first make an HTTPS connection to the NIOS appliance, the Infoblox NIOS Startup Wizard appears. To ease the initial configuration process, the wizard guides you through various deployment options, basic network settings, and opportunities for changing the password of the superuser admin and for setting the system clock.
Configuring the Connecting Switch

To ensure that VRRP (Virtual Router Redundancy Protocol) works properly, configure the following settings on the network switch to which you cable the two nodes: Portfast: enable Trunking: disable Port list: disable Port channeling: disable
Note: By default, a NIOS appliance automatically negotiates the optimal connection speed and transmission type (full or half duplex) on the physical links between its LAN (or LAN1), HA, and MGMT ports and the ethernet ports on the connecting switch. If the two appliances fail to auto-negotiate the optimal settings, see Modifying Ethernet Port Settings on page 148 for steps you can take to resolve the problem.
Putting Both Nodes on the Network

1. Use one of the methods described in Deploying a Single Independent Appliance on page 265 to configure the network settings of the LAN or LAN1 port of each node so that they are on the same subnet and you can reach them across the network. 2. Cable the LAN (or LAN1) port and the HA port on each node to the network switch. Note: The ethernet ports on the Infoblox-250, -550, -550-A, -1050, -1050-A, -1550, -1550-A, -1552, -1552-A, and -2000 appliances are autosensing, so you can use either a straight-through or cross-over ethernet cable for these connections. For the Infoblox-500, -1000, and -1200 appliances, use straight-through ethernet cables to connect an appliance to a switch. 3. Cable your management system to the network switch.
Configuring Node 1
1. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port of Node 1. Several certificate warnings appear during the login process. This is normal because the preloaded certificate is self-signed (and, therefore, is not in the trusted certificate stores in your browser, Java application, and Java Web Start application) and has the hostname www.infoblox.com, which does not match the destination IP address you entered in step 1. To stop the warning messages from occurring each time you log in to the GUI, you can generate a new self-signed certificate or import a third-party certificate with a common name that matches the FQDN (fully qualified domain name) of the appliance. This is a very simple process. For information about certificates, see Managing Certificates on page 51. 2. Click LAUNCH DEVICE MANAGER. 3. Log in to Node 1. For detailed information about logging in to the GUI, see Accessing the Infoblox GUI on page 41. The Infoblox NIOS Startup Wizard appears. The first screen provides basic information about the wizard, and the second screen displays license agreement information. 4. Beginning on the third screen, enter the following, where string1 is a text string that the two nodes use to authenticate each other when establishing a VPN tunnel for ensuing bloxSYNC traffic. (The default grid name is Infoblox.) string2 is a text string that both nodes use as a shared secret to authenticate each other when establishing a VPN tunnel for ensuing bloxSYNC traffic. (The default shared secret is test.)
vip_addr and netmask are the VIP (virtual IP) address and its netmask. ip_addr1 is the IP address of the gateway for the subnet on which the LAN or LAN1 port is set. hostname is a valid domain name for the appliance. ip_addr2-5 are the IP addresses of the LAN and HA ports for Nodes 1 and 2. number is the VRID (virtual router ID). This must be a unique VRID numberfrom 1 to 255for this subnet. string3 is a single alphanumeric string (no spaces) for a password that is at least four characters long. ip_addr6 is the IP address of an NTP (Network Time Protocol) server. Wizard Screen Deployment Type Independent Device Deployment Type HA Pair Settings Node 1 Network Settings Enter or Select Independent Device or HA Pair HA Node 1 HA Pair Name: string1 Shared Secret: string2 VIP Address: vip_addr Netmask: netmask Gateway: ip_addr1 Host Name: hostname Node 1: LAN/LAN1 Address: ip_addr2 HA Address: ip_addr3 Node 2: LAN/LAN1 Address: ip_addr4 HA Address: ip_addr5 Virtual Router ID: number Admin Account Password Time Settings Change Admin Password: (select), string3 Enable NTP: (select) NTP Server List: ip_addr6 (click Add) Time zone: (choose the time zone for the location of the appliance)
Note: The startup wizard provides options such as not changing the default password and manually entering the time and date. However, changing the password and using an NTP server improve security and accuracy (respectively), and so these choices are presented above. The last screen of the startup wizard states that the changed settings require the appliance to restart. When you click Finish, the appliance restarts.
280
NIOS 4.3r5
Configuring Node 2
1. Open a new browser instance and make an HTTPS connection to the IP address of the LAN or LAN1 port of Node 2. 2. The Infoblox NIOS Startup Wizard opens with a splash screen that provides basic information about the wizard, and then displays license agreement information. Beginning on the third wizard screen, enter the following to set up Node 2 (the variables are explained in the previous section for Node 1): Wizard Screen Deployment Type Independent Device Deployment Type Node 2 Network Settings Enter or Select Independent Device or HA Pair HA Node 2 IP Address: ip_addr4 Netmask: netmask Gateway: ip_addr1 HA Pair Properties Virtual IP Address: vip_addr HA Pair Name: string1 Shared Secret: string2 The setup of the HA pair is complete. When you next make an HTTPS connection to the HA pair, use the VIP address.

To deploy an independent HA pair through the GUI, you need to make an HTTPS connection to each appliance and then bypass the startup wizard. (The following procedure assumes that the appliance has the DNSone package installed.)
Configuring the Connecting Switch

To ensure that VRRP (Virtual Router Redundancy Protocol) works properly, configure the following settings on the network switch to which you cable the two nodes: Portfast: enable Trunking: disable Port list: disable Port channeling: disable
Note: By default, a NIOS appliance automatically negotiates the optimal connection speed and transmission type (full or half duplex) on the physical links between its LAN (or LAN1), HA, and MGMT ports and the ethernet ports on the connecting switch. If the two appliances fail to auto-negotiate the optimal settings, see Modifying Ethernet Port Settings on page 148 for steps you can take to resolve the problem.
Putting Both Nodes on the Network

1. Use one of the methods described in Deploying a Single Independent Appliance on page 265 to configure the network settings of the LAN/LAN1 or LAN2 port of each node so that they are on the same subnet and you can reach them across the network. 2. Cable the LAN (or LAN1) or LAN2 port and the HA port on each node to a switch on the network. Note: The ethernet ports on a NIOS appliance are autosensing, so you can use either a straight-through or cross-over ethernet cable for these connections. For the Infoblox-500, -1000, and -1200 appliances, use straight-through ethernet cables to connect an appliance to a switch. 3. Connect your management system to the network.
Configuring Node 1
1. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port of Node 1. 2. Click LAUNCH DEVICE MANAGER. 3. Log in to Node 1. For detailed information about logging in to the GUI, see Accessing the Infoblox GUI on page 41. The Infoblox NIOS Startup Wizard appears. 4. To bypass the wizard and access the Device Manager GUI, click Cancel or the Close button (). 5. From the Device perspective, click hostname -> Edit -> Device Properties. Note: (For the DNSone with Grid package) From the Grid perspective, click + (for Infoblox) -> + (for Members) -> hostname -> Edit -> Member Properties. 6. In the Device editor, click Device Properties, and then enter the following network settings: Host Name: Type the FQDN (fully qualified domain name) for the HA pair. (V)IP Address: Type the VIP (virtual IP) address for the HA pair. Subnet Mask: Choose the netmask for the subnet to which the VIP address connects. Gateway: Type the IP address of the default gateway of the subnet to which the VIP address connects. Comment: Type a comment that provides some useful information about the HA pair, such as its location. High-availability Pair: (select) Virtual Router ID: Enter a unique VRID numberfrom 1 to 255for the local subnet. Note: The VIP address and the IP addresses for all the following ports must be in the same subnet. Node #1: LAN Address: Enter an IP address for the LAN (or LAN1) port of Node 1. HA Address: Enter an IP address for the HA port of Node 1. LAN Address: Enter an IP address for the LAN (or LAN1) port of Node 2. HA Address: Enter an IP address for the HA port of Node 2.
Node #2:
7. In the Device editor, click High Availability Connection, and then enter the following settings: Name: Type a name for the HA pair. (The default name is Infoblox.) Shared Secret: Type the shared secret that both nodes use to authenticate each other when establishing a VPN tunnel for ensuing bloxSYNC traffic. (The default shared secret is test.) Retype Shared Secret: Retype the shared secret you entered in the Shared Secret field. VPN Port Number: Leave as the default number (1194), or enter a different number for the two nodes to use when building a VPN tunnel between themselves. 8. Click Save. The management window closes.
282
NIOS 4.3r5
Configuration Example: Configuring an HA Pair for Internal DNS and DHCP
Configuring Node 2
1. Open a web browser and make an HTTPS connection to the IP address of the LAN or LAN1 port of Node 2. 2. Click LAUNCH DEVICE MANAGER. 3. Log in to Node 2. The Infoblox NIOS Startup Wizard appears. 4. To bypass the wizard, click Cancel or the Close button (). 5. From the Device perspective, click hostname -> Edit -> Join HA Pair. Note: For the DNSone with Grid package, from the Grid perspective, click + (for Infoblox) -> + (for Members) -> hostname -> Edit -> Join Grid. 6. In the Join HA Pair dialog box, enter the following network settings: Virtual IP of HA Pair: Type the VIP (virtual IP) address for the HA pair. HA Connection Name: Type the same text string that you typed in the Name field in the High Availability Connection section of the Device editor on Node 1. The default HA connection name is Infoblox. Shared Secret: Type the shared secret that both nodes use to authenticate each other when establishing a VPN tunnel for ensuing bloxSYNC traffic. The default shared secret is test. Retype Shared Secret: Retype the shared secret you entered in the Shared Secret field. VPN Port Number: Leave as the default number (1194), or enter a different number for the two nodes to use when building a VPN tunnel between themselves. 7. Click Save. The management window closes.
Configuration Example: Configuring an HA Pair for Internal DNS and DHCP

In this example, you set up an HA pair of NIOS appliances to provide internal DNS and DHCP services. The HA pair answers internal queries for all hosts in its domain (corp100.com). It forwards internal queries for external sites to ns1.corp100.com at 10.1.5.2 and ns2.corp100.com at 2.2.2.2. It also uses DHCP to provide dynamic and fixed addresses. The HA pair consists of two appliances (nodes). The IP addresses of the VIP (virtual IP) address of the HA pair and the HA and LAN1 ports on each node, are as follows: HA Pair IP Addresses VIP 10.1.4.10 (the address that the active node of the HA pair uses) Node 1 LAN1 10.1.4.6 HA 10.1.4.7 Node 2 LAN1 10.1.4.8 HA 10.1.4.9
The virtual router ID number for the HA pair is 150. The ID number must be unique for this network segment. When you create the corp100.com zone on the HA pair, you import DNS data from the legacy server at 10.1.4.11.
NIOS 4.3r5
283
Figure 8.8 Example 2 Network Diagram
Internet ISP NOTE: The first six hexadecimal characters of all MAC addresses in the example are 00:00:00:00. Only the last six hexadecimal characters are shown here. External Secondary DNS Server ns2: 2.2.2.2 ethernet2 10.1.5.1/24 ethernet3 10.1.6.2/24
www 10.1.5.5 55:55:55:55 DMZ Network 10.1.5.0/24
ftp 10.1.5.7 77:77:77:77
ethernet1 1.1.1.1/24 Firewall Relay Agent on e2 interface)
External Primary DNS Server ns1: 10.1.5.2
mail 10.1.5.6 66:66:66:66
MGT Network 10.1.1.0/24 10.1.1.10 10.1.1.50 Address Range printer1 10.1.1.2 aa:aa:aa ethernet0 10.1.6.1/24 ethernet1 10.1.1.1/24 HA Pair Internal Primary DNS Server DHCP, IPAM ns3 VIP: 10.1.4.10 ethernet4 10.1.4.1/24 Server Network 10.1.4.0/24
Dev Network 10.1.2.0/24 10.1.2.10 10.1.2.50 printer2 10.1.2.2 bb:bb:bb
ethernet2 10.1.2.1/24
storage1 proxymail 10.1.4.2 10.1.4.f dd:dd:dd:dd ff:ff:ff:ff storage2 proxyweb 10.1.4.3 10.1.4.5 ee:ee:ee:ee 11:11:11:11 An HA pair of NIOS appliances provides internal DNS services. It answers internal queries for all hosts in its domain. It forwards internal queries for external sites to ns1 and ns2. It also serves DHCP, providing both dynamic and fixed addresses. For information on configuring the NIOS appliance external primary DNS server, see Configuration Example: Deploying a NIOS Appliance for External DNS on page 270. Address Range
Legacy Primary DNS Server ns3: 10.1.4.11 (Replaced by the HA Pair)
Cable Appliances to the Network and Turn On Power

Connect ethernet cables from the LAN1 and HA ports on both NIOS appliances to a switch in the Server network and t

Язык

Добро пожаловать в Scribd!

NIOS_AdminGuide_4

Загружено:

Сведения о документе

Дата загрузки

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Описание:

Авторское право:

Доступные форматы

NIOS_AdminGuide_4

Загружено:

Описание:

Авторское право:

Доступные форматы

Похожие издания

Infoblox Administrator Guide

NIOS 4.3 for Infoblox Core Network Services Appliances

Part 1 Appliance Administration

Chapter 2 Infoblox GUI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Infoblox Administrator Guide (Rev. A)

Chapter 3 Managing Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Infoblox Administrator Guide (Rev. A)

Chapter 4 Managing Appliance Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Infoblox Administrator Guide (Rev. A)

Chapter 5 Monitoring the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Infoblox Administrator Guide (Rev. A)

Chapter 6 Monitoring with SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Chapter 7 Changing Software and Merging Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

Part 2 Appliance Deployment

Infoblox Administrator Guide (Rev. A)

Chapter 9 Deploying a Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

Part 3 Service Configuration

Infoblox Administrator Guide (Rev. A)

Chapter 11 Shared Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455

Chapter 12 Configuring DNS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467

Infoblox Administrator Guide (Rev. A)

Chapter 13 Configuring IP Routing Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485

Chapter 14 Managing DHCP Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

Infoblox Administrator Guide (Rev. A)

Chapter 15 Configuring DHCP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

Chapter 16 Using Network Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563

Chapter 17 Configuring DDNS Updates from DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581

Chapter 18 Managing IP Data IPAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627

Chapter 19 NAC Foundation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649

Chapter 20 File Distribution Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673

Infoblox Administrator Guide (Rev. A)

Chapter 21 RADIUS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681

Chapter 22 IPAM WinConnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 711

Infoblox Administrator Guide (Rev. A)

Chapter 23 VitalQIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715

Chapter 24 bloxTools Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731

Part 4 API Interface

Part 5 Reference Material

Appendix B Regular Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 767

Appendix C Open Source Copyright and License Statements . . . . . . . . . . . . . . . . . . . . 769

Appendix D Hardware Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 821

Appendix E vNIOS Appliance Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 833

Infoblox Administrator Guide (Rev. A)

Infoblox Administrator Guide (Rev. A)

Infoblox Administrator Guide (Rev. A)

Part 1 Appliance Administration Chapter 1, Overview, on page 31

Chapter 2, Infoblox GUI, on page 39 Chapter 3, Managing Administrators, on

Chapter 4, Managing Appliance Operations, on page 121

Chapter 5, Monitoring the Appliance, on

Chapter 6, Monitoring with SNMP, on page

Part 3 Service Configuration Chapter 10, Managing DNS Data, on page

Infoblox Administrator Guide (Rev. A)

Chapter 11, Shared Records, on page 455

Chapter 12, Configuring DNS Services, on

Chapter 13, Configuring IP Routing Options,

Chapter 14, Managing DHCP Data, on page

Chapter 15, Configuring DHCP Services, on

Chapter 16, Using Network Discovery, on