Original Publication Date: 07/18/2010
Updated Date: 01/25/2013
This article applies to BIG-IP version 9.x through 10.x. For information about other versions, refer to the following articles:
SOL14135: Defining network resources for BIG-IP high availability features (11.x)
BIG-IP high availability features, such as network mirroring, configuration synchronization, and network failover, allow core system services to be available on one of two BIG-IP high availability systems in the event that the peer system becomes unavailable.
Configuring BIG-IP high availability features is an important step in setting up a high availability pair. This document covers defining the appropriate network resources (IP addresses and VLANs) for BIG-IP high availability features, and how some of the requirements have changed from version to version.
In addition, certain high availability features allow you to configure the management IP address to process the high availability traffic, while other features prohibit the use of the management IP address in certain versions.
The connection and persistence mirroring features duplicate the connection and persistence information from the active to the peer unit. In the event of a failover, the peer system can begin processing connections immediately without interruption.
Uses for network mirroring addresses
F5 recommends that you configure network mirroring addresses for all high availability pairs, even if mirroring is not configured on the system. By default, the BIG-IP system uses the mirroring addresses to perform other high availability operations, such as ConfigSync. The BIG-IP system uses the network mirroring addresses as follows:
The system uses network mirroring addresses for ConfigSync and network failover. There is no option to set separate addresses for these high availability features.
By default, the system uses network mirroring addresses for ConfigSync and network failover. Starting in version 9.4.0, you have the option to set separate ConfigSync and network failover addresses.
By default, network mirroring addresses are used for ConfigSync. In BIG-IP version 10.x, the network failover feature requires separate addresses.
The following table summarizes acceptable mirroring addresses:
| Version | Self IP | Management IP | Configuration utility location |
|---|---|---|---|
| 10.x | Yes | No | High Availability > Network Mirroring > Mirroring Address |
| 9.4.x | Yes | No | High Availability > Redundancy > Connection Mirror Address |
| 9.3.x | Yes | Yes | High Availability > Redundancy > Failover Address |
Note: In most versions of the BIG-IP system, you must configure the mirroring IP address using a non-floating self IP address, as opposed to the management IP address. In BIG-IP 9.1.2, 9.2.x, 9.4.x, and 10.x, the BIG-IP system prohibits you from configuring the management IP address as the mirroring address. For more information, refer to SOL7718: The BIG-IP prohibits configuring the mirroring IP address on the same network as the management port.
F5 recommends this because, by default, the system uses mirroring addresses to perform other high availability functions, such as ConfigSync (unless separate addresses are defined for those features).
The BIG-IP LTM state mirroring mechanism is managed by the TMM process, and connection data is synchronized to the standby unit with every packet or flow state update. In some mirroring configurations, this behavior may generate a significant amount of traffic. Utilizing a shared VLAN and shared interfaces for both mirroring and production traffic reduces the overall link capacity for either type of traffic. Due to high traffic volumes, production traffic may interfere with the mirroring traffic (and vice versa), potentially causing latency in mirrored connections or interrupting the network mirror connection between the two BIG-IP devices. If the network mirror connection is interrupted, it can cause loss of mirror information and interfere with the ability of the peer device to take over connections in the event of a failover.
Additionally, in BIG-IP 9.4.0 through 10.x, you can configure explicit ConfigSync addresses and network failover addresses (if network failover is configured) and isolate the ConfigSync and network failover traffic from the network mirroring traffic.
Note: While you can configure multiple self IP addresses on a VLAN that is dedicated to process mirroring traffic, you cannot specify which self IP will be used as the peer's source address. Consequently, this configuration may result in errors when performing a ConfigSync. Therefore, F5 recommends that you configure one self IP address on the VLAN that is dedicated to process mirroring traffic.
You can directly cable network mirroring interfaces on the BIG-IP systems in the failover pair, and F5 highly recommends that you do this when configuring a dedicated VLAN for mirroring. Configuring the pair in this way removes the need to allocate additional ports on surrounding switches, and removes the possibility of switch failure and switch-induced latency. Interfaces used for mirroring should be dedicated to the mirroring VLAN. Tagged interfaces shared with other VLANs could become saturated by traffic on other VLANs.
When the network mirror connection is established, it will traverse one of the child VLANs of the VLAN group. Since both BIG-IP systems are connected to all child VLANs, it is possible for normal ARP behavior to cause the network mirror traffic to move from one child VLAN to another. Movement of a connection from one child VLAN to another in conjunction with VLAN-keyed connections will result in the network mirror connection being reset. Loss of the network mirror connection, even briefly, may cause the loss of some mirroring state on the standby device, and interfere with its ability to take over connections in the event of a failover.
Especially when configured in conjunction with the previous recommendations (primary and alternate mirroring links each directly connected over a separate dedicated VLAN), an alternate mirroring path further ensures reliable mirroring in the event of equipment or cable failure.
Note: Primary and alternate mirroring addresses must be different addresses. For more information about a related known issue, refer to SOL12247: Configuring identical primary and alternate network mirroring addresses corrupts the mirror message queue.
ConfigSync is a high availability process that collects the configuration files and directories from one unit of a redundant pair into an archive file, and then transmits and installs the shared configuration data on the peer.
Defining the ConfigSync addresses for a high availability pair is an optional configuration element. If you have configured network mirroring addresses, the BIG-IP system performs ConfigSync operations using the mirroring addresses. In BIG-IP versions 9.4.2 through 10.x, you can define explicit IP addresses for ConfigSync traffic. This step provides the advantage of separating mirroring traffic from ConfigSync traffic.
The following table summarizes acceptable ConfigSync addresses:
| Version | Self IP | Management IP | Configuration utility location |
|---|---|---|---|
| 10.x | Yes | Yes | System > High Availability > ConfigSync > ConfigSync Peer Address |
| 9.4.x | Yes | Yes | System > High Availability > ConfigSync > ConfigSync Peer Address |
| 9.0.0 - 9.3.x | N/A | N/A | N/A |
Define explicit ConfigSync peer addresses for the high availability pair. If your BIG-IP system is configured to mirror a considerable amount of traffic, consider defining an explicit ConfigSync peer address for each system and move the ConfigSync traffic to a separate VLAN.
When BIG-IP redundant systems are configured to use network failover, the systems communicate over the configured failover addresses.
In BIG-IP 9.0.0 through 9.4.x, defining the network failover addresses for a high availability pair is an optional configuration element. By default, the BIG-IP system uses the connection mirror addresses for network failover traffic. In BIG-IP 9.4.2 through 10.x, you can define dedicated IP addresses for network failover traffic. This step provides the advantage of separating mirroring traffic from network failover traffic.
In BIG-IP 10.x, you must define network failover addresses when you enable the network failover feature; the system does not use the mirroring addresses by default.
The following table summarizes acceptable network failover addresses:
| Version | Self IP | Management IP | Configuration utility location |
|---|---|---|---|
| 10.x | Yes | Yes | System > High Availability > Network Failover |
| 9.4.x | Yes | Yes | System > High Availability > Redundancy > Network Failover |
|9.0.0 - 9.3.x
Network failover recommendations
In BIG-IP 10.x, configuring the Peer Management Address setting is required for network failover.
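The following audit sketch is an added example, not F5 code or output from any BIG-IP tool. It checks one unit's high availability settings against the rules stated in this article. The dictionary keys (`mgmt`, `mirror_primary`, `mirror_vlan_self_ips`, and so on) are a hypothetical inventory schema, and the sample addresses are constructed.

```python
import ipaddress

def _ver(v):
    return tuple(int(p) for p in v.split("."))

def mirror_mgmt_prohibited(version):
    # Versions the article lists: 9.1.2, 9.2.x, 9.4.x and 10.x.
    t = _ver(version)
    return t[:3] == (9, 1, 2) or t[:2] in ((9, 2), (9, 4)) or t[0] == 10

def audit_ha(cfg):
    """Return findings for one unit's HA settings (hypothetical dict schema)."""
    findings = []
    t = _ver(cfg["version"])
    mgmt_net = ipaddress.ip_interface(cfg["mgmt"]).network
    primary, alternate = cfg.get("mirror_primary"), cfg.get("mirror_alternate")
    if primary is None:
        findings.append("no network mirroring address configured")
    else:
        p = ipaddress.ip_address(primary)
        if mirror_mgmt_prohibited(cfg["version"]) and p in mgmt_net:
            findings.append("mirroring address is on the management network")
        if alternate is not None and ipaddress.ip_address(alternate) == p:
            findings.append("primary and alternate mirroring addresses are identical")
        if t >= (9, 4) and not cfg.get("configsync_addr"):
            findings.append("ConfigSync shares the mirroring address")
    if len(cfg.get("mirror_vlan_self_ips", [])) > 1:
        findings.append("more than one self IP on the mirroring VLAN")
    if t[0] == 10 and cfg.get("network_failover") and not cfg.get("failover_addr"):
        findings.append("10.x network failover enabled without failover addresses")
    return findings

# Constructed sample inventories (documentation address ranges).
SAMPLE_BAD = {
    "version": "10.2.4", "mgmt": "192.0.2.10/24",
    "mirror_primary": "192.0.2.50", "mirror_alternate": "192.0.2.50",
    "mirror_vlan_self_ips": ["10.10.10.1", "10.10.10.2"],
    "network_failover": True, "failover_addr": None, "configsync_addr": None,
}
SAMPLE_GOOD = {
    "version": "10.2.4", "mgmt": "192.0.2.10/24",
    "mirror_primary": "10.10.10.1", "mirror_alternate": "10.10.20.1",
    "mirror_vlan_self_ips": ["10.10.10.1"],
    "network_failover": True, "failover_addr": "10.10.30.1",
    "configsync_addr": "10.10.40.1",
}

if __name__ == "__main__":
    for finding in audit_ha(SAMPLE_BAD):
        print("FINDING:", finding)
```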