BigIP F5 LTM - High Availability / DSC (v11.x)
Written on 29 July 2014. Posted in F5 BIG-IP
One of the new features within v11.x of the Traffic Management Operating System (TMOS) is Device Service Clustering (DSC). Over the previous HA (High Availability) features within v10.x, i.e. active-standby, connection mirroring etc., DSC also provides the ability to perform:

- multi-node clustering
- Active-Active (and Active-Standby) setup
- greater granularity over which data is synchronized

SCOPE
Within this article we will explain the key components of DSC, the configuration steps and also the main commands used to troubleshoot problems.
ARTICLE INFO
VENDOR: F5 BigIP
PLATFORM: LTM
VERSION: 11.x

COMPONENTS
DSC is built upon 5 main components. They are:

- Devices - Represents either a physical or virtual instance of a BigIP system.
- Device Groups - A group of devices that synchronize and (based on the device group type) also failover their configuration. There are 2 types of device groups:
  - Sync-Failover - Both the configuration data and the failover objects are synchronized; utilizes traffic groups (i.e. failover objects).
  - Sync-Only - Only the configuration data is synchronized.
- Traffic Groups - A collection of failover objects (i.e. virtual server, self IP) that runs on one of the devices within the (Sync-Failover) Device Group. Should the device become unavailable, the failover objects are then served by another device within the Device Group.
- Device Trust - Represents a trust relationship between devices, also known as a trust domain. This is achieved via certificate based authentication. Device Trust is a prerequisite for both device groups and traffic groups.
- Folders - Folders contain the configuration objects for the partition in which they reside. This provides greater granularity over what configuration you decide to synchronize between devices. Both the default and the top level folder is root.

Note: The initial trust of each device is performed over the management interface.

Note: Each of these items can be located via the GUI under 'Device Management'.
SYNCHRONIZATION
Unlike v10.x and below, TMOS v11 now uses rsync internally to perform synchronization between devices. Also unlike v10, which used tcp/443 for synchronizing data, v11 uses tcp/4353.

Below are the available options and also the ways in which you can issue a synchronization.
OPTIONS
The various options for synchronization can be found under 'Device Groups' and 'Devices'.

DEVICE GROUPS
- Automatic Sync (via Properties Panel) - Automatically synchronizes objects between devices based on the modified time. The most recently modified object is synchronized to the other device. Because the modified time is used as the trigger, NTP (i.e. time synchronization) must be configured.
- Full Sync (via Properties Panel) - Rather than only synchronizing the configuration objects that have been modified, the whole configuration is synchronized.
- Network Failover (via Failover Panel) - Determines whether a network probe is sent between the devices to ensure neighbor status. This is used instead of cable based failover*.

* As cable based failover mandates that only 1 device can ever be active, cable based failover doesn't support an Active-Active based setup (i.e. 2 or more traffic groups).
DEVICES
- Config Sync (via Device Connectivity) - Defines which interface is used for synchronization. It is recommended by F5 that this is a dedicated link.
- Failover (via Device Connectivity) - Defines which address and port are used for the network failover probes.
- Mirroring (via Device Connectivity) - Defines which interfaces are used for mirroring. It is recommended that a secondary address is also configured to provide redundancy should the primary fail.
ISSUING A SYNC
Manual DSC synchronization can be performed via either the command line or the WebUI. To perform a manual synchronization within the WebUI go to 'Device Management / Overview'. From this screen you will be presented with an overview of the synchronization state across your devices and device groups.

You will also see the following options:

- Sync Device to Group - Synchronizes any objects that have been recently modified on this device to the other devices within the device group.
- Sync Group to Device - Synchronizes any objects that have been recently modified on the other devices within the group to this device.
- Overwrite Configuration - When performing the above action(s), synchronize the configuration regardless of when it has been modified.

Note: 'Sync Device to Group' pushes the local configuration out to the peers, so run it from the device that holds the changes you want to keep; running it from the wrong device (particularly with 'Overwrite Configuration') replaces the changes on the peers with the stale local copy.
DEPLOYMENT MODES
There are 2 main types of deployment modes with DSC, Active-Standby and Active-Active.

ACTIVE-STANDBY
With an Active-Standby based deployment traffic is only processed by a single device. This is achieved via a single traffic group, within which all failover objects (virtual servers, self IPs etc.) reside. This traffic group is then active on one of the nodes. Should this node fail its HA checks, the traffic group will be marked as standby on it and the traffic group on the other node promoted to active.
ACTIVE-ACTIVE
With an Active-Active based deployment traffic is processed by both devices. This is achieved via 2 traffic groups (based on the example below): one traffic group is active on Node 1 and the other is active on Node 2. Your failover objects are then assigned to either of the traffic groups, i.e. Virtual Server A in traffic group 1 and Virtual Server B in traffic group 2.

This results in Node 1 processing traffic for Virtual Server A, and Node 2 processing traffic for Virtual Server B.

Note: It is important to ensure that both nodes are running under 50% capacity. This ensures that if either of the devices fails, at the point all traffic is processed by the single surviving node, that node's capacity is not exceeded.
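The 50% rule above is the two-node case of a more general N-1 check. The added example below (not from the original article or F5) models a Sync-Failover device group in which each traffic group carries a load and has an ordered failover list, fails each device in turn, and reports any survivor that would end up over capacity. The three devices, three traffic groups, loads and failover orders are constructed for illustration; loads are fractions of one device's capacity.

```python
"""Simulate single-device failure in a Sync-Failover device group and flag overload.

Added example, not from the original article or F5. Generalises the article's
'keep both Active-Active nodes under 50%' rule to N devices: on any single
failure, every traffic group the failed device was running moves to the next
healthy device in its failover list and must still fit there.
"""

# Constructed: load is a fraction of one device's capacity (1.0 == 100%).
TRAFFIC_GROUPS = {
    "traffic-group-1": {"load": 0.45, "failover": ["bigip1", "bigip2", "bigip3"]},
    "traffic-group-2": {"load": 0.40, "failover": ["bigip2", "bigip3", "bigip1"]},
    "traffic-group-3": {"load": 0.30, "failover": ["bigip3", "bigip1", "bigip2"]},
}


def placement(traffic_groups, failed=()):
    """Return {device: [traffic groups]} with each group on its first healthy device."""
    where = {}
    for name, tg in traffic_groups.items():
        for dev in tg["failover"]:
            if dev not in failed:
                where.setdefault(dev, []).append(name)
                break
        else:
            # Every device in the failover list is down: the traffic group is offline.
            raise RuntimeError("no healthy device left for " + name)
    return where


def device_load(traffic_groups, failed=()):
    """Per-device load after the given devices have failed (rounded for comparison)."""
    return {dev: round(sum(traffic_groups[n]["load"] for n in names), 4)
            for dev, names in placement(traffic_groups, failed).items()}


def check_n_minus_1(traffic_groups, capacity=1.0):
    """List (failed_device, overloaded_device, load) for each single failure that
    pushes a surviving device above 'capacity'. An empty list means the group
    can lose any one device without overloading another."""
    devices = sorted({d for tg in traffic_groups.values() for d in tg["failover"]})
    problems = []
    for failed in devices:
        for dev, load in device_load(traffic_groups, {failed}).items():
            if load > capacity:
                problems.append((failed, dev, load))
    return problems


def two_node_rule(loads, capacity=1.0):
    """The article's Active-Active rule: with two nodes, both loads must fit on one node,
    which is the same as saying each node runs under half of the capacity."""
    return sum(loads) <= capacity
```

With the constructed numbers, losing bigip1 puts both traffic-group-1 and traffic-group-2 onto bigip2 (85%), which passes at full capacity but fails if you reserve 20% headroom (`capacity=0.8`); that is the figure to watch when the 50% rule is relaxed for more than two nodes.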
CONFIGURATION
The first step in configuring DSC is to configure a Trust Domain. Then we configure the traffic groups for either an active-active or active-standby deployment.
DEVICE TRUST
1. Go to 'Device Management' / 'Device Trust' / 'Peer List'.
2. Click 'Add'.
3. Enter the IP and credentials of the peer device.
4. Click 'Retrieve Device Information'.
DEVICE GROUP
1. Go to 'Device Management' / 'Device Groups'.
2. Click 'Create'.
3. Enter a name, select 'Sync-Failover' as the 'Group Type', and then add all devices to the 'Included' members list.
4. Enable 'Network Failover'.
SYNCHRONIZE
1. Go to 'Device Management' / 'Overview'.
2. Click 'Sync Device to Group'.
3. Click 'Sync'.
4. Wait for the Sync Status of both devices to turn green.

Note: To configure the IP used for ConfigSync and Mirroring, along with the IP, VLAN and Port for Network Failover, go to 'Device Management' / 'Devices' / '<device name>' / Device Connectivity.

ACTIVE-STANDBY
Once the trust domain is configured the floating IP for each VLAN needs to be configured.

ASSIGN TRAFFIC GROUP 1
1. Go to 'Network' / 'Self IPs'.
2. Create a floating Self IP for each VLAN (i.e. Internal and External).
3. For each self IP created, configure the 'Traffic Group' as 'traffic-group-1 (floating)'.

In this example we will only be using a single traffic group; because of this any virtual servers that are created will be placed into the default (single) traffic group.

Note: Should you require MAC Masquerading, a single traffic group can still be used. However this will result in the same MAC address being advertised for all Self IPs within the traffic group, which may complicate future troubleshooting.
ACTIVE-ACTIVE
Once the trust domain is configured the floating IP for each VLAN needs to be configured. Once done, an additional traffic group is also created.
ASSIGN TRAFFIC GROUP 1
1. Go to 'Network' / 'Self IPs'.
2. Create a floating Self IP for each VLAN (i.e. Internal and External).
3. For each self IP created, configure the 'Traffic Group' as 'traffic-group-1 (floating)'.

CREATE TRAFFIC GROUP 2
1. Go to 'Device Management' / 'Traffic Groups'.
2. Create a new traffic group called 'traffic-group-2' using all the default settings.

DEMOTE TRAFFIC GROUP 2
1. Select 'traffic-group-2' from the list and select 'Force to Standby'.

The traffic group list will now show your current device running 1 traffic group as active and 1 traffic group as standby.

ASSIGN TRAFFIC GROUP 2
1. Via 'Local Traffic / Virtual Servers / Virtual Address List' select the virtual address of the Virtual Server that you want to assign to 'traffic-group-2'. Within the traffic group section select 'traffic-group-2' (in v11 the traffic group is a property of the virtual address, not of the virtual server).
2. Via 'Local Traffic / Virtual Servers / Virtual Server List' select your Virtual Server.

ENABLE SNAT
1. Under 'Source Address Translation' select Automap*.

Once complete the default traffic group will be active on one node and traffic-group-2 will be active on the other node.

* The floating internal Self IP belongs to traffic-group-1, and it is the default gateway of the pool members. Without Automap a request handled by the node running traffic-group-2 would be answered by the pool member via the floating Self IP, i.e. through the other node. With Automap the request is sourced from the self IP of the node that handled it, so the reply returns to the correct device.
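The following is an added example (not code from the original article or F5) that models the Active-Active layout above as data and checks it: it confirms every VLAN has a floating Self IP, works out for each virtual server which device handles the request and which device the pool member's reply reaches (the member's gateway is the floating internal Self IP, so the reply lands on whichever device is active for that Self IP's traffic group), flags the virtual servers that need SNAT Automap, and prints the tmsh equivalents of the WebUI steps. Device names, addresses and the active/standby placement are constructed; the tmsh syntax is what the author of this example recalls from v11 and should be checked against the tmsh reference before use.

```python
"""Check an Active-Active DSC layout for missing floating Self IPs and asymmetric
return paths, then emit the tmsh equivalents of the WebUI procedure.

Added example, not from the original article or F5. All names, addresses and
the active/standby placement are constructed; tmsh syntax is assumed v11.
"""

DEVICES = ("bigip1", "bigip2")
VLANS = ("external", "internal")
# Constructed: which device each traffic group is active on after 'Force to Standby'.
ACTIVE_ON = {"traffic-group-1": "bigip1", "traffic-group-2": "bigip2"}

FLOATING_SELF_IPS = [
    {"address": "192.0.2.10/24", "vlan": "external", "traffic_group": "traffic-group-1"},
    {"address": "10.0.0.10/24", "vlan": "internal", "traffic_group": "traffic-group-1"},
]
VIRTUALS = [
    {"name": "vs_a", "destination": "192.0.2.100:80", "traffic_group": "traffic-group-1", "snat_automap": False},
    {"name": "vs_b", "destination": "192.0.2.101:80", "traffic_group": "traffic-group-2", "snat_automap": False},
]


def missing_floating_self_ips(self_ips, vlans):
    """VLANs with no floating Self IP: failover of that VLAN's gateway address cannot work."""
    covered = {s["vlan"] for s in self_ips}
    return [v for v in vlans if v not in covered]


def return_path_device(self_ips, active_on):
    """Device that receives a pool member's reply: the member's default gateway is the
    floating internal Self IP, which lives on the device active for its traffic group."""
    internal = next(s for s in self_ips if s["vlan"] == "internal")
    return active_on[internal["traffic_group"]]


def asymmetric_virtuals(virtuals, self_ips, active_on):
    """Virtual servers whose request is handled on one device but whose reply would reach
    the other device. These need SNAT Automap, which sources the server-side connection
    from the handling device's own Self IP so the reply comes straight back to it."""
    reply_on = return_path_device(self_ips, active_on)
    return [vs["name"] for vs in virtuals
            if active_on[vs["traffic_group"]] != reply_on and not vs["snat_automap"]]


def tmsh_commands(self_ips, virtuals, active_on):
    """tmsh equivalents of the WebUI steps (assumed v11 syntax; verify before use)."""
    cmds = ["tmsh create /cm traffic-group traffic-group-2"]
    for s in self_ips:
        ip = s["address"].split("/")[0]
        cmds.append("tmsh create /net self %s address %s vlan %s traffic-group %s allow-service default"
                    % (ip, s["address"], s["vlan"], s["traffic_group"]))
    for vs in virtuals:
        addr = vs["destination"].split(":")[0]
        # The traffic group is set on the virtual address, not the virtual server.
        cmds.append("tmsh modify /ltm virtual-address %s traffic-group %s" % (addr, vs["traffic_group"]))
        if vs["snat_automap"]:
            cmds.append("tmsh modify /ltm virtual %s source-address-translation { type automap }" % vs["name"])
    # 'Force to Standby' for traffic-group-2 is run on the device that should NOT own it.
    standby_device = next(d for d in DEVICES if d != active_on["traffic-group-2"])
    cmds.append("tmsh run /sys failover standby traffic-group traffic-group-2  # run on " + standby_device)
    return cmds


if __name__ == "__main__":
    print("VLANs without a floating Self IP:", missing_floating_self_ips(FLOATING_SELF_IPS, VLANS))
    print("virtual servers needing SNAT Automap:", asymmetric_virtuals(VIRTUALS, FLOATING_SELF_IPS, ACTIVE_ON))
    fixed = [dict(vs, snat_automap=vs["name"] in asymmetric_virtuals(VIRTUALS, FLOATING_SELF_IPS, ACTIVE_ON))
             for vs in VIRTUALS]
    print("\n".join(tmsh_commands(FLOATING_SELF_IPS, fixed, ACTIVE_ON)))
```

Run as-is it reports `vs_b` (in traffic-group-2, active on bigip2) as needing Automap, because the reply from its pool members goes to the internal floating Self IP that bigip1 owns; `vs_a` is symmetric and is left alone. The same check also explains why the footnote only bites for the traffic group that does not own the internal floating Self IP.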
VE ISSUES
When configuring DSC on Virtual LTMs (when using the steps above) you may find that both sides show as disconnected. I have only found this in the lab for VE devices on both v11.4 and v11.5.

To resolve this you will need to change each of the devices' certificates to a self-signed certificate and also perform the steps in a slightly different order.

STEPS
Below is a summary of the required steps.

1. Generate a new self-signed cert for each device - Go to Device Management / Device Trust / Local Domain. Select 'Generate New Self-Signed Authority'.
2. Create Sync Interface - Create a new VLAN that will be used for synchronization, mirroring and network failover on both devices.
3. Configure ConfigSync/Mirroring - Configure the interfaces that will be used for mirroring, config sync and network failover on both devices.
4. Configure Device Group - Create a Sync-Failover device group on Node 1 and only add the local device. Enable Network Failover.
5. Configure Trust - On Node 1 configure the Trust Domain.
6. Update Device Group - On Node 1 add the remote peer to the device group.
7. Traffic Group Assignment - Assign the traffic groups accordingly.
8. Synchronize - On Node 1 perform an initial synchronization via 'Sync Device to Group' in 'Device Management' / 'Overview'.
TROUBLESHOOTING
CHECKS
If you are facing issues with your HA setup, the following should be checked:

- Verify NTP is working correctly (automatic sync keys on modification time, so clock skew between devices causes the wrong copy of an object to win).
- Check connectivity between the peer addresses.
- Check that the Self IPs used as peer addresses reside in route domain 0.
- Ensure the following protocols/ports are permitted between the nodes. Note: the Self IP Port Lockdown setting does not block these ports, whatever it is set to, but any firewall in the path between the devices must still allow them.
  - UDP/1026 (network failover)
  - TCP/1028 (connection & persistence mirroring)
  - TCP/4353 (CMI peer communication, i.e. config sync)
- Reset and rebuild your Trust Domain.
COMMANDS
tmsh run /cm sniff-updates
tmsh run /cm config-sync to-group <device-group>
tmsh run /cm config-sync from-group <device-group>
tmsh run /cm watch-devicegroup-device
tmsh run /cm watch-sys-device
tmsh run /cm watch-trafficgroup-device
tmsh show /cm traffic-group
tmsh show /cm sync-status

REFERENCES
http://support.f5.com/kb/en-us/solutions/public/13000/900/sol13946.html
COMMENTS

guest1234, 12 days ago
Hello,
What if the peer VLAN has gone down and both F5 boxes are in standby mode? Is there any workaround for the F5 HA feature that, when the pool is not reachable for both devices, stops the 2 boxes entering standby mode?

guest123, 22 days ago
Hi, can we configure high availability between a hardware and a VM BigIP LTM? Thank you.

Rick Porter, 22 days ago (reply to guest123)
Yep, as long as the software versions are the same you'll be fine.

guest123 (reply to Rick Porter)
Thank you for your reply. Can I use any BigIP Virtual Edition with any BigIP hardware box?

cnoyes72, 3 months ago
I get "This device is not found" when trying to add the peer unit's management IP to the peer list. I can ping it, so I'm not sure what the problem could be.

Vijay, 3 months ago
Thanks... good to watch about F5. I am just a beginner.

stfu, 3 months ago
Early in the article the port for syncing data is not correct - should be 4353.

Rick Porter, 3 months ago (reply to stfu)
Great. Thanks for letting me know. This has been updated.
ABOUT THE AUTHOR
R DONATO
Ricky Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Network Security engineer and has a keen interest in automation and the cloud.
You can find Ricky on Twitter @f3lix001