infoblox_uddi:nios_x_servers

Differences

This shows you the differences between two versions of the page.

infoblox_uddi:nios_x_servers [2026/01/21 09:19] bstafford
infoblox_uddi:nios_x_servers [2026/03/07 02:47] (current) – [Repairing NIOS-X Server] bstafford
Line 1: Line 1:
-===== NIOS-X Servers =====+====== NIOS-X Servers ======
  
 [[https://docs.infoblox.com/space/BloxOneInfrastructure/873693279/Supported+Platforms+for+NIOS-X+Servers|Supported Platforms for Hosts]] [[https://docs.infoblox.com/space/BloxOneInfrastructure/873693279/Supported+Platforms+for+NIOS-X+Servers|Supported Platforms for Hosts]]
Line 20: Line 20:
   * Dell VEP-1485 6,800 QPS @85% CHR | 400 LPS   * Dell VEP-1485 6,800 QPS @85% CHR | 400 LPS
   * B1-105 - 2,000 QPS @85% CHR | 80 LPS   * B1-105 - 2,000 QPS @85% CHR | 80 LPS
-====== NIOS-X NTP ====== 
-  * AWS is the timesource for Infoblox Portal. 
  
- 
-=====Universal DDI and Threat Defense ===== 
  
 Each NIOS-X server will be the IP of ''ns.b1ddilocal.infoblox.com''. Each NIOS-X server will be the IP of ''ns.b1ddilocal.infoblox.com''.
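Review bot: Deleting the ''Universal DDI and Threat Defense'' heading leaves the ''ns.b1ddilocal.infoblox.com'' sentence directly under the QPS/LPS hardware list, where it reads as part of the sizing notes. Keep a heading above it or move the sentence into the section it belongs to. The removed NTP bullet (AWS as the time source for the Infoblox Portal) is also dropped rather than relocated, even though the new revision adds NTP troubleshooting for cloud connectivity; if the statement is still accurate, move it next to that troubleshooting text.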
Line 35: Line 31:
   * BloxOne B1-105 Appliance. Compact. Fanless. Zero-Touch Provisioning. Connected back to CSP automatically. Infoblox add them to the appropriate portal as part of the sales process.    * BloxOne B1-105 Appliance. Compact. Fanless. Zero-Touch Provisioning. Connected back to CSP automatically. Infoblox add them to the appropriate portal as part of the sales process. 
  
-====== Dig Testing ======+===== NIOS-X Server Objects ===== 
 +What gets considered as a Server Object when it comes to sizing the number of objects on a NIOS-X Server 
 +  * DNS Views 
 +  * DNS Zones 
 +    * DNS Authoritative Zones 
 +    * DNS Delegation Zones (Feb 2026, currently counted as NS record) 
 +    * DNS Forward Zones 
 +    * DNS Secondary Zones 
 +    * DNS RPZ Zones (Feb 2026, currently counted as Auth Zone) 
 +  * DNS Records 
 +    * A Records 
 +    * AAAA Records 
 +    * CAA Records 
 +    * CNAME Records 
 +    * DHCID Records 
 +    * DNAME Records 
 +    * HTTPS Records 
 +    * MX Records 
 +    * NAPTR Records 
 +    * NS Records 
 +    * PTR Records 
 +    * SOA Records 
 +    * SRV Records 
 +    * SVCB Records 
 +    * TXT Records 
 +    * UNKNOWN Records 
 +    * RPZ Record (Policy Rule) 
 +  * Subnets 
 +  * DHCP Ranges 
 +  * Leases 
 +  * Fixed Addresses 
 +  * Reservations 
 +      * Note: While the network IP address and broadcast IP address of every subnet in the Infoblox Portal counts towards Management Tokens, they are not counted towards server object count on NIOS-X. 
 +  * Fingerprints 
 + 
 +  - DHCP Exclusion Ranges 
 +    - Note: DHCP Exclusion Ranges are not counted as server objects directly 
 +    - Note: If a DHCP Exclusion Range consists of 20 or fewer IP addresses, then each IP address is represented in the DHCP config as a reservation with a multicast MAC address (03-xx-xx-xx-xx-xx). These reservations are added to the server object count but do NOT get counted for Management Tokens. Only the single Exclusion Range gets counted for Management Tokens. 
 +    - Note: If the DHCP Exclusion Range consists of 21 or more IP addresses, then the parent range is split into two ranges either side of the Exclusion Range. Both ranges will be added to the server object count but only the single range seen in the Infoblox Portal will be counted for Management Tokens. Only the single Exclusion Range gets counted for Management Tokens. 
 + 
 +A DNS Zone or DNS Record is counted towards the server object count of a NIOS-X server if, and only if, that NIOS-X server is authoritative for that Zone/Record. 
 + 
 +While a secondary zone counts as a “server object”, the contents (records) of that zone do not count towards “server object” of NIOS-X regardless of whether the Infoblox Portal enables visibility of the secondary zone data. Visibility of secondary zone data will impact Management Token count. 
 + 
 +A subnet/range will only be on a NIOS-X server if that NIOS-X server is assigned as the Member server or part of the HA pair assigned to that subnet/range. 
 + 
 +A fixed address, reservation, or DHCP lease will only be on a NIOS-X server if they are in a subnet and/or DHCP range that the NIOS-X server has been assigned to directly or as part of a HA pair. 
 +For DHCP active-active mode, active-passive mode, advanced active-passive mode, and hub-spoke mode, a lease on the HA pair is added to the server object count on both NIOS-X members in the HA pair. The lease will be considered a single lease when counted as an Active IP address for Management tokens. 
 + 
 +Example: 5 “spoke” sites have 100 leases which means they have 100 lease server objects each. The Hub NIOS-X server will have 500 lease server objects. 
 + 
 +===== Dig Testing =====
 The following should always work The following should always work
 <code>dig @52.119.41.100 +short A www.infoblox.com</code> <code>dig @52.119.41.100 +short A www.infoblox.com</code>
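Review bot: The paragraph after the list says a zone counts towards a server "if, and only if, that NIOS-X server is authoritative" for it, but the list above counts forward and secondary zones, and the next paragraph counts a secondary zone as a server object, so the text needs to say what "authoritative" covers here (for example, "assigned to serve"). Two layout points in the same section: the note about network and broadcast addresses is nested under Reservations although it is about subnets, and the DHCP Exclusion Ranges block switches to an ordered list (''-'') and repeats "Only the single Exclusion Range gets counted for Management Tokens." twice in its last item.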
Line 42: Line 89:
 The following will only work when querying from a public IP that is in an External Network definition in your Infoblox Threat Defense Tenant. The following will only work when querying from a public IP that is in an External Network definition in your Infoblox Threat Defense Tenant.
 <code>dig @52.119.41.100 +short A www.google.com</code> <code>dig @52.119.41.100 +short A www.google.com</code>
-====== Repairing NIOS-X Server ======+===== NIOS-X API Monitor ====== 
 +You can monitor NIOS-X servers via API. SNMP is not supported. Docs [[infoblox:api#nios-x_host_monitoring|here]]. 
 + 
 +===== NIOS-X Server Size ===== 
 +Changing the size of a NIOS-X server by editing it has no impact on the operations of that NIOS-X server (i.e. no config changes, no service reboots, etc) 
 +===== NIOS-X Server Deployment ===== 
 +==== Best Practice ==== 
 +Configure DNS server profiles to "Minimize responses"
 +==== NIOS-X Serve Not Connecting to Cloud ==== 
 +If the appliance is not connecting to the cloud, check the local UI and see if NTP is happy. If it is not, change NTP from ntp.ubuntu.com to ntp.ubuntu.org (or something else) and see if that helps. 
 + 
 +Remember that the appliance needs to figure out whether it should connect to US POP or EU POP. Therefore it must be able to resolve TXT for ''eu-com-1.realm-discovery.csp.infoblox.com''
 +<code>dig TXT eu-com-1.realm-discovery.csp.infoblox.com 
 +eu-com-1.realm-discovery.csp.infoblox.com. 300 IN TXT "activation=grpc.csp.eu.infoblox.com:443" 
 +eu-com-1.realm-discovery.csp.infoblox.com. 300 IN TXT "csp=csp.eu.infoblox.com" 
 +eu-com-1.realm-discovery.csp.infoblox.com. 300 IN TXT "ngp-cp=cp.noa.eu.infoblox.com:443"</code> 
 + 
 +FYI: 
 +  * Platform Management - Handles communication between NIOS-X and Infoblox Portal 
 +  * Application Management - Handles various services running on NIOS-X itself 
 + 
 +==== Dell VEP ==== 
 +You do not use the join token with the Dell VEPs. You first create a host in CSP and then the Dell VEP will use ZTP to connect (with it’s service tag). 
 +==== NIOS-X in Public Cloud==== 
 +Note that due to the custom OS, certain VM sizes do not support deployment. These include "Standard_F4als_v6", "als_v6" series, "Standard_D2ads_v5", "ads_v6" series, "Ebsv5", "Ebdsv6", "Lsv2", "Lsv3", "Lasv3", among others. 
 + 
 +Azure    
 +* 1x Standard F8s v2 (8 vcpus, 16 GB memory) ($142 per month in Sep 2022) 
 + 
 +[[https://docs.infoblox.com/space/BloxOneInfrastructure/204801210/EC2+Instances+Using+AMI+in+AWS+Deployment|As per docs]], AWS Xen-based instances are not supported (because they create interface names with capital letters) for NIOS-X deployments. Supported instance types include: 
 +  * General purpose: M1, M2, M3, M4, T1, T2 
 +  * Compute optimized: C1, C3, C4 
 +  * Memory optimized: R3, R4, X1, X1e 
 +  * Storage optimized: D2, H1, I2, I3 
 +  * Accelerated computing: F1, G3, P2, P3 
 + 
 +==== Deploying new Host ==== 
 +When deploying BloxOne Hosts, allow 30 minutes for the device to register properly. 
 + 
 +Join Tokens are secrets used to connect the Docker/OVA image to the Infoblox Portal. Used once. Can create multiple ones for different users and we can revoke them. A single token can join multiple hosts. Hardware devices from Infoblox have their own way of authenticating. 
 + 
 + 
 +If you are deploying a Data Connector host (VMware), increase the disk size of the BloxOne host to 750 GB before booting it for the first time. 
 + 
 +==== Multiple Interfaces ==== 
 +[[https://docs.infoblox.com/space/BloxOneInfrastructure/119996611/Setting+IP+Interfaces|Setting up Interface]] 
 + 
 +WAN interface means the interface can be used to phone home to the Infoblox Portal. LAN interface means that the interface will not be used for Infoblox Portal connectivity. 
 + 
 +If a physical or virtual server has multiple interfaces configured, syslog traffic will always be sent through the MGMT/WAN interface on the host. You cannot modify this interface. [[https://docs.infoblox.com/space/BloxOneDDI/186714477/Local+Logging+(DNS)|as per the docs]] 
 +==== Enabling Services ==== 
 +When you enable services on a NIOS-X host, the docker image is downloaded from the cloud to the NIOS-X hosts. This is why it can take a while to deploy (especially on slow networks). Disabling service will cause the container to be removed. It might be able to use cached image if you restart quickly. If it has been a while, the download image will have been purged. 
 +==== Performance ==== 
 +The following is not official guidance. Just observations. 
 + 
 +  * Minimum BloxOne Host specs: 3 cores and 4GB of memory 
 +  * Tested to a maximum of 80% CPU 
 +  * DHCP standalone performance is 150 LPS 
 +  * Add one core and you get another 50 LPS 
 +  * No appreciable benefit beyond 4 cores  
 +  * Peak performance is around 500 LPS 
 +  * DNS QPS is 15k 
 +  * For each core, add 5k 
 +  * Tested to 75k QPS (to compare to a 1425) 
 + 
 +==== Admin Interface of Appliance ==== 
 +To access the HTTPS interface of an On-Prem Host, the username is **admin** and the password is the last 8 characters of the Product serial number. If the device is a Dell VEP, the serial is the service tag on the back of the Dell Device and is possibly only 7 characters long. 
 + 
 +If you boot a B1-105 box and it gets DCHP, if you then reboot and there is no DHCP, it gets 192.168.1.2/24. However, the WEB GUI WILL NOT BE AVILABLE. This means we can stage all appliances on DHCP, ship to partner and get them to install. Remember to give the 105 appliances lots of time after booting before the Web GUI will appear (20 minutes). 
 + 
 +==== Docker Installation ==== 
 +<code>systemctl enable docker.service 
 +systemctl start docker.service 
 +curl -O https://s3.amazonaws.com/ib-noa-prod.csp.infoblox.com/BloxOne_OnPrem_Docker_3.3.5.tar.gz 
 +docker load -i BloxOne_OnPrem_Docker_3.3.5.tar.gz 
 +docker image ls 
 +docker run -d --name blox.noa --network=host --restart=always\ 
 +-v /var/run/docker.sock:/var/run/docker.sock \ 
 +-v /var/lib/infoblox/certs:/ver/lib/infoblox/certs \ 
 +-v /etc/onprem.d/:/etc/onprem.d/
 +infobloxcto/onprem.agent:3.3.5 --jointoken <join_token> 
 +docker ps</code> 
 +You must use "blox.noa" as the container name. **DO NOT** change this. 
 + 
 +To be fully compatible with the NIOS-X services, you must update the Docker daemon settings and set the log driver to "json-file." For more information, refer to the [[https://docs.docker.com/config/containers/logging/configure/.|Docker documentation]].  
 + 
 +==== Azure ==== 
 + 
 +Official documentation on deploying BloxOne in Azure is [[https://docs.infoblox.com/space/BloxOneCloud/35397814|here]]. 
 + 
 +First thing is to get working on azure-vhd-utilsLinux. 
 +<code>sudo apt install make gcc golang-go golint git 
 +git clone  https://github.com/microsoft/azure-vhd-utils 
 +cd azure-vhd-utils 
 +make 
 +sudo cp azure-vhd-utils /usr/bin/</code> 
 + 
 +Notes: 
 +  * You can use the market place to deploy BloxOne but you can't sepecify Availability Zones with it. 
 +  * Download the BloxOne Image from the Infoblox CSP portal (Administration > Downloads). 
 +  * In Azure, create a Create Resource Group 
 +  * In Azure, Create Storage account in that resource group (e.g. called NameOfYourStorageAccount). Select appropriate region and the resource group you just created. Set redundancy to Standard && Locally-redundant storage (LRS). Then review and create. 
 +  * In Azure, Create container in that storage account (e.g. called mycontainer1) 
 +  * Upload from Linux with the azure-vhd-utils tool using the instructions [[https://docs.infoblox.com/space/BloxOneCloud/35397814|here]]. 
 +  * ''azure-vhd-utils upload --localvhdpath <local_path> --stgaccountname <storage_account> --stgaccountkey <account_key>  
 +--containername <container_name> --blobname bloxone.vhd'' 
 +  * Once uploaded, follow the guide [[https://docs.infoblox.com/space/BloxOneCloud/35397814|here]] to use the uploaded "blob" to create an image, use the image to create a VM and then deploy the VM. 
 + 
 +For uploading the BloxOne image, it needs to be uncompressed from ~3Gb to ~60Gb first. 
 + 
 + 
 +Run PowerShell as administrator and convert the downloaded VHD file from dynmaic-size to fixed-size with: 
 +<code>Convert-VHD -Path C:\Users\name\Downloads\b1dynamic.vhd -DestinationPath C:\Users\Downloads\b1fixed.vhd -VHDType Fixed</code> 
 +===== NIOS-X OS ===== 
 +March 2026 saw the release of NIOS-X 4.0.0 image. This runs Ubuntu 24.04. Older 3.x images run Ubuntu 20.04.3 (with extended security support). 
 + 
 +Servers running 3.x cannot upgrade to 4.0. The VM must be redeployed. Hardware must be flashed from USB. B1-105 does not support new image. 
 +===== Repairing NIOS-X Server =====
 The B1-105 appliance can be rebuilt using the ISO image that is available for the Dell VEP servers. The B1-105 appliance can be rebuilt using the ISO image that is available for the Dell VEP servers.
  
-===== Prepare USB Boot Drive =====+==== Prepare USB Boot Drive ====
   * Download the ISO image from the CSP portal (CSP > Administration > Downloads > On-Prem Hosts). You want the Dell VEP 1425/1485 image.   * Download the ISO image from the CSP portal (CSP > Administration > Downloads > On-Prem Hosts). You want the Dell VEP 1425/1485 image.
   * Use that ISO image and create a bootable USB stick with it. The commands below use the 7-Zip command-line utility tool to do this.   * Use that ISO image and create a bootable USB stick with it. The commands below use the 7-Zip command-line utility tool to do this.
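Review bot: The ''docker run'' command in the Docker Installation block will not run as pasted: ''--restart=always\'' has no space before the backslash, so it joins onto the following ''-v''; the ''-v /etc/onprem.d/:/etc/onprem.d/'' line has no trailing backslash, so the image name and ''--jointoken'' become a separate command; and the certs mount targets ''/ver/lib/infoblox/certs'', which looks like a typo for ''/var/lib/infoblox/certs''. Since the page describes join tokens as secrets, the same block should say how to keep ''<join_token>'' out of shell history and that the ''/var/run/docker.sock'' mount gives the agent container control of the host's Docker daemon, so the host should be dedicated to it. The Deploying new Host paragraph also says a join token is "Used once" and then that "A single token can join multiple hosts"; state which one applies. Smaller fixes in this hunk: the heading ''===== NIOS-X API Monitor ======'' has unbalanced markers, "NIOS-X Serve Not Connecting to Cloud" is missing an "r", and the ''Convert-VHD'' example reads from ''C:\Users\name\Downloads'' but writes to ''C:\Users\Downloads''.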
Line 62: Line 226:
 Check that the host serial is in the CSP still and that its state is one of the following: "Pending/Awaiting Approval/Review Details". Check that the host serial is in the CSP still and that its state is one of the following: "Pending/Awaiting Approval/Review Details".
  
-===== Resetting the BIOS =====+==== Resetting the BIOS ====
 Now we reset the BIOS. Now we reset the BIOS.
  
Line 73: Line 237:
   * When prompted with ''Save & Exit?'', select Yes and press Enter.   * When prompted with ''Save & Exit?'', select Yes and press Enter.
    
-===== Installing the ISO Image  =====+==== Installing the ISO Image  ====
 Now we install the ISO image. Now we install the ISO image.
  
Line 90: Line 254:
  
  
-===== Approving the Appliance  =====+==== Approving the Appliance  ====
 After you have successfully installed the ISO image and connected the physical appliance to the Cloud Services Portal, the appliance will automatically enter the Awaiting Approval state. You will be able to log in to the Cloud Services Portal and approve. After approval it would take 30 minutes or so to complete to ONLINE status. After you have successfully installed the ISO image and connected the physical appliance to the Cloud Services Portal, the appliance will automatically enter the Awaiting Approval state. You will be able to log in to the Cloud Services Portal and approve. After approval it would take 30 minutes or so to complete to ONLINE status.
    
 It is important to make sure we give ample amount of time for the appliance to complete each of its milesstones as said above or else we may not achieve the desired results. It is important to make sure we give ample amount of time for the appliance to complete each of its milesstones as said above or else we may not achieve the desired results.
  
infoblox_uddi/nios_x_servers.1768987169.txt.gz · Last modified: by bstafford