
Managing a Grid

After you configure a Grid Master and add members, you might need to perform the tasks described in the following sections.

Changing Grid Properties

You can change a Grid name, its shared secret, and the port number of the VPN tunnels that the Grid uses for communications. Note that changing the VPN port number, time zone, date or time requires a product restart.
To modify the properties of a Grid:

  1. From the Grid tab, select the Grid Manager tab.

  2. Expand the Toolbar and select Grid Properties -> Edit.

  3. In the Grid Properties editor, select the General tab -> click the Basic tab, and then modify any of the following:

    • Grid Name: Type the name of a Grid. The default name is Infoblox.

    • Shared Secret: Type the shared secret that all Grid members use to authenticate themselves when joining the Grid. The default shared secret is test. Because the default is publicly documented, replace it with a strong value before you add members to the Grid.

    • Shared Secret Retype: Type the shared secret again to confirm its accuracy.

    • Time Zone: Choose the applicable time zone from the drop-down list.

    • Date: Click the calendar icon to select a date or enter the date in YYYY-MM-DD format.

    • Time: Click the clock icon to select a time or enter the time in HH:MM:SS format.

    • VPN Port: Type the port number that the Grid members use when communicating with the Grid Master through encrypted VPN tunnels. The default port number is 1194. For more information about port numbers for grid communication, see Creating a Grid Master.

    • Enable Recycle Bin: Select the checkbox to enable the Recycle Bin. The Recycle Bin stores deleted items when the user deletes Grid, DNS, or DHCP configuration items. Enabling the Recycle Bin allows you to undo deletions and to restore the items on the appliance at a later time. If you do not enable this feature, deleted items from the GUI are permanently removed from the database.

    • Audit Logging: Select one of the following:

      • Detailed: This is the default and is selected automatically. It records detailed information on all administrative changes: the date and time stamp of the change, the administrator name, the changed object name, and the new values of all properties.

      • Brief: Provides information on administrative changes such as the date and time stamp of the change, administrator name, and the changed object name. It does not show the new value of the object.

      • WAPI Detailed: Select this option to view detailed WAPI (RESTful API) session information logs for successful WAPI calls such as PUT, POST, and DELETE. You can view the URI, InData and response time for each WAPI call. For more information, see Monitoring Tools.

    • Advanced settings: On the General tab, click the Advanced tab (or click Toggle Advanced Mode) and modify any of the following:

      • Enable GUI Redirect from Member: Select this checkbox to allow the appliance to redirect the Infoblox GUI from a Grid member to the Grid Master.

        Note that if read-only API access is enabled for a Grid Master Candidate, selecting the Enable GUI Redirect from Member checkbox for that Grid Master Candidate does not redirect the Infoblox GUI from the Grid Master Candidate to the Grid Master. For more information about enabling read-only API access on a Grid Master Candidate, see Enabling Read-only API Access on the Grid Master Candidate below.

      • Enable GUI/API Access via both MGMT and LAN1/VIP: Select this checkbox to allow access to the Infoblox GUI and API through both the MGMT and LAN1 ports on a standalone appliance, or through both the MGMT and VIP ports on an HA pair. This feature is valid only if you have enabled the MGMT port. For information about enabling the MGMT port, see Appliance Management.

        Note that even after you enable this feature, the appliance uses only the MGMT port to redirect the Infoblox GUI from a Grid member to the Grid Master.

    • Show Restart Banner: Select this checkbox to enable the appliance to display the Restart Banner at the top of Grid Manager whenever the appliance notifies you that a service restart is required.

    • Require Name: Select this checkbox to prompt the administrator to enter a username before performing the service restart. When you select this checkbox, the appliance displays the Confirm Restart Services dialog box. Enter the username in the Name field and click Restart Services. For information about restarting services, see Restarting Services.

  4. Save the configuration.

If you changed the VPN port number, time zone, date or time, Grid Manager displays a warning indicating that a product restart is required. Click Yes to continue, and then log back in to Grid Manager after the application restarts.

Configuring Security Level Banner

You can publish a security banner that indicates the security level of the Infoblox Grid. It appears in the header and footer of all Grid Manager pages. The security level can be Top Secret, Secret, Confidential, Restricted, or Unclassified. Each level is associated with a predefined banner color, which you can change at any time. Grid Manager automatically chooses a contrasting text color that goes with the banner color. Only superusers can configure and enable this feature.
To configure the advanced security level banner for a Grid:

  1. From the Grid tab, select the Grid Manager tab.

  2. Expand the Toolbar and select Grid Properties -> Edit.

  3. In the Grid Properties editor, select the Security tab -> Advanced tab.

  4. Complete the following:

    • Enable Security Banner: Select this to enable the display of the security banner.

    • Security Level: From the drop-down list, select the security level for the banner.

    • Security Level Color: The default color for the selected level is displayed in the drop-down list. If necessary, select a different color for the security level banner. When you change the security level, Grid Manager resets the color to the default for the new level.

    • Classification Message: Enter the message you want to display in the security banner. You can enter up to 190 characters.

  5. Save the configuration.

The security banner appears in the header and footer of every Grid Manager screen, including the login screen.

Configuring Notice and Consent Banner

You can configure and publish a notice and consent banner as the first login screen that includes specific terms and conditions you want end users to accept before they log in to the Infoblox Grid. When an end user tries to access Grid Manager, this banner is displayed as the first screen. The user must accept the terms and conditions displayed on the consent screen before accessing the login screen of Grid Manager. Only superusers can configure and enable this feature.
To configure the notice and consent banner:

  1. From the Grid tab, select the Grid Manager tab.

  2. Expand the Toolbar and select Grid Properties -> Edit.

  3. In the Grid Properties editor, select the Security tab -> Advanced tab, and then complete the following:

    • Enable Notice and Consent Banner: Select the checkbox to enable the display of the notice and consent banner. In the text field, enter the message that you want to be included in the banner. The message cannot exceed 10,000 characters.

  4. Save the configuration.

This banner appears as the first screen when users access Grid Manager. Users must read the terms and conditions and then click Accept on the consent screen before they can access the login screen of Grid Manager.

Configuring Informational Level Banner

You can publish an informational banner for multiple purposes, such as indicating whether the Infoblox Grid is a production or a lab system, or displaying a message of the day. The informational banner appears in the header of the Grid Manager screen. You set the banner text and the banner color; Grid Manager automatically chooses a contrasting text color that goes with the banner color. Only superusers can configure and enable this feature.
To configure the advanced informational banner for a Grid:

  1. From the Grid tab, select the Grid Manager tab.

  2. Expand the Toolbar and select Grid Properties -> Edit.

  3. In the Grid Properties editor, select the General tab -> Advanced tab.

  4. Complete the following:

    • Enable informational GUI Banner: Select the checkbox to enable the display of the informational banner message.

    • Banner Color: The default color is displayed in the drop-down. If necessary, using the drop-down list, select the required color for the informational level banner.

    • Message: Enter the message you want to display in the informational banner. You can enter up to 190 characters.

  5. Save the configuration.

The informational banner appears in the header of the Grid Manager screen.

Configuring Recursive Deletions of Networks and Zones

Through Grid Manager, you can configure the group of users that are allowed to delete or schedule the deletion of a network container and its child objects as well as a zone and its child objects. For information about how to delete a network container or zone, see Deleting Network Containers and Removing Zones.
When you select All Users or Superusers, these users can choose to delete a parent object and reparent its child objects, or they can choose to delete a parent object and all its child objects. These options appear only if a network container or a zone has child objects. For information about scheduling recursive deletion of network containers and zones, see Scheduling Recursive Deletions of Network Containers and Zones.
When you select Nobody, users can delete the parent object only; any child objects are re-parented. For more information about scheduling deletions, see Scheduling Deletions.

Note that this setting restricts recursive deletion of network containers and zones only in Grid Manager. It does not prevent users from performing recursive deletions through the API, so treat it as a GUI safeguard rather than an access control; to restrict who can delete child objects, use the administrative permissions on those objects.

Note

You must have Read/Write permission to all the child objects in order to delete a parent object. Recursive deletion is applicable to all zone types except stub and forward-mapping zones.

The appliance puts all deleted objects in the Recycle Bin, if enabled. You can restore the objects if necessary. When you restore a parent object from the Recycle Bin, all its contents, if any, are re-parented to the restored parent object. For information about the Recycle Bin, see Finding and Restoring Data.
To configure the group of users to perform recursive deletions:

  1. From the Grid tab, select the Grid Manager tab.

  2. Expand the Toolbar and select Grid Properties -> Edit.

  3. In the Grid Properties editor, select the General tab -> Advanced tab.

  4. Under Present the option of recursive deletion of networks or zones to, select one of the following:

    • All Users: Select this to allow all users, including superusers and limited-access users, to choose whether they want to delete the parent object and its contents or the parent object only when they delete a network container/network or a zone. This is selected by default.

    • Superuser: Select this to allow only superusers to choose whether they want to delete the parent object and its contents or the parent object only when they delete a network container/network or a zone.

    • Nobody: When you select this, users can only delete the parent object (network container or zone). All child objects, if any, are re-parented.

  5. Save the configuration.

Setting the MTU for VPN Tunnels

You can configure the VPN MTU (maximum transmission unit) for any appliance with a network link that does not support the default MTU size (1500 bytes) and that cannot join a Grid because of this limitation. If an appliance on such a link attempts to establish a VPN tunnel with a Grid Master to join a Grid, the appliance receives a PATH-MTU error, indicating that the path MTU discovery process has failed. For information about the MTU discovery process, see RFC 1191, Path MTU Discovery.
To avoid this problem, you can set a VPN MTU value on the Grid Master for any appliance that cannot link to it using a 1500-byte MTU. When the appliance contacts the master during the key exchange handshake that occurs during the Grid-joining operation, the master sends the appliance the MTU setting to use.
To set the VPN MTU for a Grid member:

  1. From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member checkbox -> Edit icon.

  2. Select the Network -> Advanced tab of the Grid Member Properties editor.

  3. In the VPN MTU field, enter a value between 600 and 1500.

  4. Save the configuration and click Restart if it appears at the top of the screen.

Removing a Grid Member

You might want or need to remove a member from a Grid, perhaps to disable it or to make it an independent appliance or an independent HA pair. Before you remove a member, make sure that it is not assigned to serve any zones or networks.
To remove a Grid member, from the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member checkbox, and click the Delete icon.

Promoting a Grid Master Candidate

To promote a Master Candidate to Grid Master, you must have previously designated a Grid member as a Master Candidate: select the Master Candidate option in the General tab of the Grid Member Properties editor. You can designate any member as a Master Candidate. A Grid Master Candidate receives a complete copy of the Grid database, so Infoblox recommends using the same appliance model for the Grid Master and its Grid Master Candidates.

By default, Grid Master promotion uses UDP port 1194. Make sure that UDP ports 1194 and 2114 are open between the Grid members and the newly designated Grid Master. During a promotion, the newly promoted Grid Master continuously contacts all Grid members, including the original Grid Master, on UDP port 2114 until it reaches them, and notifies them that it is the new Grid Master. The Grid members restart and then attempt to establish normal Grid communications (via BloxSync) with the newly promoted Grid Master. Before promoting a Master Candidate, check your firewall rules to ensure that the Master Candidate can communicate with all Grid members. For information about Grid communications, see About Grids.

Note

Before a Grid Master Candidate promotion, ensure that valid client SSL certificates are installed. For more information about installing certificates, see Managing Certificates.
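The firewall check recommended above can be done against an exported allow-list before anyone types set promote_master. The following script is an added example, not Infoblox code: the rule format (source, destination, protocol, port), the hostnames and addresses, and the sample rules are constructed for the example. The required flows are taken from the description above: each member must reach the new master on UDP 1194 (the Grid VPN tunnel port) and the new master must reach each member, including the old Grid Master, on UDP 2114 (promotion notification).

```python
"""Pre-promotion firewall audit for a Grid Master Candidate.

Added example; not Infoblox code. The allow-list format and the sample
rules/addresses are constructed. Required flows follow the promotion
description: members -> new master UDP 1194, new master -> members UDP 2114.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPN_PORT = 1194        # Grid VPN tunnel port (Grid default)
PROMOTE_PORT = 2114    # promotion notification port


@dataclass(frozen=True)
class Rule:
    src: str      # single address or CIDR
    dst: str
    proto: str    # "udp" or "tcp"
    port: int


def permits(rules, src, dst, proto, port):
    """True if any rule allows src -> dst on proto/port."""
    s, d = ip_address(src), ip_address(dst)
    return any(
        r.proto == proto
        and r.port == port
        and s in ip_network(r.src, strict=False)
        and d in ip_network(r.dst, strict=False)
        for r in rules
    )


def required_flows(candidate, members):
    """Flows that must be open before 'set promote_master' is run."""
    for m in members:
        if m == candidate:
            continue
        yield (m, candidate, "udp", VPN_PORT)       # member rejoins via VPN to new master
        yield (candidate, m, "udp", PROMOTE_PORT)   # new master notifies the member


def missing_flows(rules, candidate, members):
    """Required flows that the allow-list does not permit."""
    return [f for f in required_flows(candidate, members)
            if not permits(rules, *f)]


# Constructed sample: 10.0.0.10 is the current Grid Master, 10.0.1.20 the
# candidate. The existing rules were written for the current master only.
CURRENT_MASTER = "10.0.0.10"
CANDIDATE = "10.0.1.20"
MEMBERS = [CURRENT_MASTER, "10.0.2.5", "10.0.3.7"]   # the old master counts as a member

SAMPLE_RULES = [
    Rule("10.0.0.0/16", CURRENT_MASTER, "udp", VPN_PORT),      # VPN to the current master
    Rule(CURRENT_MASTER, "10.0.0.0/16", "udp", PROMOTE_PORT),  # current master may notify
    Rule("10.0.2.0/24", CANDIDATE, "udp", VPN_PORT),           # one site already allows the candidate
]

# The two rules that close the gaps for the candidate.
FIXED_RULES = SAMPLE_RULES + [
    Rule("10.0.0.0/16", CANDIDATE, "udp", VPN_PORT),
    Rule(CANDIDATE, "10.0.0.0/16", "udp", PROMOTE_PORT),
]

if __name__ == "__main__":
    gaps = missing_flows(SAMPLE_RULES, CANDIDATE, MEMBERS)
    for src, dst, proto, port in gaps:
        print(f"MISSING {src} -> {dst} {proto}/{port}")
    print(f"{len(gaps)} gap(s) before fix, "
          f"{len(missing_flows(FIXED_RULES, CANDIDATE, MEMBERS))} after")
```

With the sample rules the audit reports five of the six required flows as missing: only the site whose VPN rule already names the candidate passes. Run it against your real rule export for every candidate you intend to promote; the old Grid Master must be in the member list because it too has to rejoin the new master.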

Testing the Connection of the Master Candidate with the Grid Members

Before promoting a Grid Master Candidate, you can check whether the Grid Master Candidate is connected to the rest of the Grid members by scheduling a test promotion. You can do this either by using Grid Manager or by using the NIOS CLI. For information about scheduling a test promotion using the NIOS CLI, see show test_promote_master and set test_promote_master.

The connection of the Grid Master Candidate to the rest of the Grid members is checked by sending specifically crafted test packets from the Grid Master Candidate and checking whether the Grid members are able to receive these packets.

To test the connection of the Grid Master Candidate with the Grid members, complete the following:

  1. From the Grid tab -> Grid Manager tab, expand the Toolbar, and then click GMC Promote Test.

  2. In the GMC Promote Test editor, complete the following:

    1. Click the Schedule icon at the top of the wizard, and in the Schedule Change panel, complete one of the following:

      • To run the test promotion immediately, select Now.

      • To schedule the test promotion to run later, select Later, and then enter a date, a time, and select the time zone.

    2. From the Select GMC drop-down list, select the Grid Master Candidate that you plan to promote to Grid Master.

    3. In the Timeout (secs) field, enter the number of seconds to wait for the test packet to arrive. If a Grid member does not receive the packet within this time, the connection to that member is reported as failed.

    4. Select the Continuous Testing checkbox if you want the Grid Master Candidate to send packets to the selected Grid members on a continual basis. The maximum period of time for which packets can be sent is 120 seconds.

    5. In the Members table, select the Grid members to which the Grid Master Candidate must establish a connection.

  3. Click Start to start the test promotion. You can click Stop at any time to stop the test promotion.

  4. Click GMC Promotion Test Results to view the status of the test promotion.

Notes

  • You cannot upgrade the Grid during a test promotion. 

  • You can do a test promotion of only one Grid Master Candidate at a time.

  • If new members are added when a test promotion is in progress, connection of the new members to the Grid Master Candidate will not be tested.

  • If Threat Protection is enabled in the Grid and the member running the Threat Protection service is in the list of tested members, you must set the value in the Timeout field to at least 30 seconds. This is because Threat Protection needs to publish a new rule that allows traffic to pass from tested members. If you set a lower timeout value, the packets may be dropped, and the test will report that the member cannot connect to the tested Grid Master Candidate.

  • The connection between the Grid Master Candidate under test and the current Grid Master is not tested, because of firewall complications and because the OpenVPN connection between them is already running. That path is assumed to have been verified already: the candidate is already connected to the Grid Master.

  • You cannot run continuous testing when a regular test is in progress and you cannot run a regular test when continuous testing is in progress.

  • If Grid Master Candidates are deployed as instances in more than one public cloud (AWS, Azure, GCP, and so on), ensure that these instances can communicate with each other. Otherwise, the Grid Master Candidate promote test does not work.

  • If a Grid Master Candidate is configured with an external NTP server, the external NTP configuration remains enabled on it after you promote it to Grid Master, and an error message is displayed if you then try to edit the member properties. Infoblox therefore recommends that you remove the external NTP configuration before you promote the Grid Master Candidate.

Promoting the Master Candidate

To promote a Master Candidate, make a direct serial connection to the console port on the active node of an HA Candidate or on a single Candidate, or make a remote connection (using SSH v2) to the Candidate, and then enter the Infoblox CLI command set promote_master.
You can do one of the following to promote a Master Candidate:

  • Immediately notify all Grid members about the promotion.

  • Set a sequential notification to provide wait time for Grid members to join the new Grid Master. Staggering the restarts of Grid members can minimize DNS outages. The sequential order for Grid members to join the new Grid Master begins with the old Grid Master and then the Grid members in FQDN order. The default delay time is 120 seconds. You can configure the delay time from a minimum of 30 seconds up to 600 seconds.

To promote a Master Candidate, do the following:

  1. Connect to the Master Candidate through a serial console or remotely using SSH. For information about making a serial connection, see Method 2-Using the CLI in Deploying a Single Independent Appliance.

  2. At the CLI prompt, use the command set promote_master to promote the Master Candidate and send notifications to all Grid members immediately, or promote the Master Candidate to the Grid Master immediately and specify the delay time for the Grid members to join the new Grid Master. For more information about the command, refer to the Infoblox CLI Guide.

  3. To verify the new master is operating properly, log in to the Infoblox Grid Manager on the new master using the VIP address for an HA master or the IP address of the LAN1 port for a single master.

  4. Check the icons in the Status column. Also, select the master, and then click the Detailed Status icon in the table toolbar. You can also check the status icons of the Grid members to verify that all Grid members have connected to the new master. If you have configured delay time for Grid member notification, it will take some time for some members to connect to the new master. You can also check your firewall rules and log in to the CLI to investigate those members.

Reconnecting Groups After Grid Master Candidate Promotion

This feature gives you more control over a Grid Master Candidate promotion and minimizes service outages: you group the members and schedule a time for each group to reconnect to the newly promoted Grid Master. When the scheduled time arrives, the members of the group reconnect to the new master.

To schedule a group reconnection to the newly promoted Grid Master Candidate, do the following:

  1. From the Grid tab -> Grid Manager tab, expand the Toolbar, and then click GMC Group Promotion.

  2. In the GMC Group Promotion Schedule editor, specify the following:

    • Activate GMC Group Promotion Schedule: Select this option to enable the scheduled reconnection of the group after the Grid Master Candidate is promoted.

    • Click the + icon and specify the following in Add GMC Group Wizard:

      • Name: Provide the group’s name.

      • Promotion Policy: Select either Simultaneously or Sequentially, as required.
        Simultaneously: All members of the group reconnect at the same time after the Grid Master Candidate promotion.
        Sequentially: Members of the group reconnect one after another after the Grid Master Candidate promotion, each joining the new Grid Master 30 seconds after the previous one.

      • Time Zone: Select a time zone that applies to the start time you enter. If this time zone is different from the Grid time zone, the appliance converts the time you enter here to the Grid time zone after you save the schedule, and displays the converted time when you open the schedule again. Selecting a time zone here does not affect any time zone settings in the Grid. (For information about setting the Grid and member time zones, see Managing Time Settings.) After the Grid Master Candidate promotion, members reconnect based on the selected time zone.

      • Date: Enter a start date of the group members reconnecting after Grid Master Candidate promotion in YYYY-MM-DD (year-month-day) format. You can click the calendar icon to select a date from the calendar widget.

      • Time: Enter a start time of the group members reconnecting after Grid Master Candidate promotion in hh:mm:ss AM/PM (hour:minute:second in AM or PM) format. You can select a time from the drop-down list.

      • Comment: Enter your comments.

      • Click Next.

      • In the Members Assignment wizard, select the Grid member(s) to add to the newly created group.

  3. Save and close the wizard.


To modify an existing group, on the GMC Group Promotion Schedule editor:

  1. Click the Edit icon and make your changes in the Add GMC Group wizard.

  2. Save and close the wizard.

To delete an existing Grid Master Candidate group, do the following in the GMC Group Promotion Schedule editor:

  1. Click the Delete icon.

  2. In the Delete Confirmation dialog box, click Yes.


After enabling the Grid Master Candidate group promotion, use the set promote_master CLI command to start the Grid Master Candidate promotion.
Use the set gmc_promotion disable CLI command to disable the Activate GMC Group Promotion Schedule option. This command can be executed on the Grid Master and on a Grid Master Candidate. For more information, see set gmc_promotion.

Enabling Read-only API Access on the Grid Master Candidate

You can enable read-only API access on the Grid Master Candidate so that read-only API requests can be served by the candidate instead of the Grid Master. This offloads read traffic from the Grid Master and leaves it more capacity for read/write API requests. Read-only API access is disabled by default for new installations. When you enable it on an HA Grid Master Candidate, the API service is available only on the active node. If the API service is disabled for an admin group, users in that group cannot use the read-only API service on the Grid Master Candidate even when it is enabled there; the users must also have at least read-only permission to the API service.

The appliance logs all API logins in the audit log and syslog. You can view the audit log and syslog of the Grid Master Candidate under the Administration -> Logs tab.

To enable read-only API access on the Grid Master Candidate:

  1. From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_Master_Candidate checkbox, and then click the Edit icon.

  2. In the Grid Member Properties editor, select the General tab -> Basic tab, and then complete the following:

    • Read Only API access: This field is displayed only when the Grid member is designated as a Master Candidate. Select this checkbox to enable read-only API access on the Grid Master Candidate. This allows read-only API access only, not write access. Note that when this checkbox is selected, you cannot access the GUI using the IP address of the Grid Master Candidate.

  3. Save the configuration.
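To get the scaling benefit described above, API clients have to be told to send their reads to the candidate and their writes to the Grid Master. The following router is an added example, not Infoblox code: it assumes a candidate with Read Only API access enabled, so GET can be served there while POST, PUT and DELETE must still go to the Grid Master. The hostnames gm.example.net and gmc.example.net, the WAPI version string and the recording transport are constructed for the example; _return_fields and _max_results are standard WAPI request parameters.

```python
"""Split WAPI traffic between a Grid Master and a read-only Grid Master
Candidate.

Added example; not Infoblox code. Assumes the candidate has Read Only API
access enabled, so GET can be served there while state-changing methods go
to the Grid Master. Hostnames, WAPI version and transport are constructed.
"""
from urllib.parse import urlencode, urlparse

READ_METHODS = frozenset({"GET"})
WRITE_METHODS = frozenset({"POST", "PUT", "DELETE"})


class WapiRouter:
    def __init__(self, master, candidate, version="v2.12"):
        self.master = master        # Grid Master (read/write)
        self.candidate = candidate  # Grid Master Candidate with read-only API access
        self.version = version

    def host_for(self, method):
        """Reads go to the candidate; anything that changes state goes to the master."""
        method = method.upper()
        if method in READ_METHODS:
            return self.candidate
        if method in WRITE_METHODS:
            return self.master
        raise ValueError(f"unsupported WAPI method: {method}")

    def url(self, method, obj, params=None):
        """Build https://<host>/wapi/<version>/<obj>[?query] for the chosen host."""
        host = self.host_for(method)
        query = f"?{urlencode(params)}" if params else ""
        return f"https://{host}/wapi/{self.version}/{obj}{query}"

    def send(self, transport, method, obj, params=None):
        """transport(method, url) stands in for e.g. requests.Session.request."""
        return transport(method.upper(), self.url(method, obj, params))


def host_of(url):
    """Hostname part of a URL, for checking where a call was routed."""
    return urlparse(url).hostname


class RecordingTransport:
    """Constructed stand-in for an HTTP client: records calls, sends nothing."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url):
        self.calls.append((method, url))
        return {"method": method, "host": host_of(url)}


def demo():
    """Three typical calls; returns the (method, url) pairs that were 'sent'."""
    router = WapiRouter("gm.example.net", "gmc.example.net")
    transport = RecordingTransport()
    # Read: list networks, trimmed to two fields, served by the candidate.
    router.send(transport, "get", "network",
                {"_return_fields": "network,comment", "_max_results": 500})
    # Writes: object creation and deletion must reach the Grid Master.
    # "REF" is a placeholder for an object _ref returned by an earlier read.
    router.send(transport, "post", "record:a")
    router.send(transport, "delete", "record:a/REF")
    return transport.calls


if __name__ == "__main__":
    for method, url in demo():
        print(f"{method:6} -> {host_of(url)}  {url}")
```

The page notes that API logins are written to the audit log and syslog of the candidate as well as the master, so once reads are split this way, a query that appears only in the Grid Master's audit log is a hint that a client is still pointed at the wrong host. Note also that enabling read-only API access removes GUI access on the candidate's own IP address, so the candidate hostname used here serves API traffic only.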