Applies To:

Show Versions Show Versions

Manual Chapter: Creating an Active-Active Configuration using the Configuration Utility
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Overview: Creating an active-active DSC configuration

A common TMOS® device service clustering (DSC™) implementation is an active-standby configuration, where a single traffic group is active on one of the devices in the device group, and is in a standby state on a peer device. Alternatively however, you can create a second traffic group and activate that traffic group on the peer device. In this active-active configuration, the devices each process traffic for a different application simultaneously. If one of the devices in the device group goes offline, the traffic group that was active on that device fails over to the peer device. The result is that two traffic groups become active on one device.

To implement this DSC implementation, you create a Sync-Failover device group. A Sync-Failover device group provides configuration synchronization and device failover, and optionally, connection mirroring.

A Sync-Failover group for an active-active configuration A Sync-Failover group for an active-active configuration

About DSC configuration on a VIPRION system

The way you configure device service clustering (DSC™) on a VIPRION® system varies depending on whether the system is provisioned to run the vCMP® feature.

For non-vCMP systems

On a VIPRION system that is not provisioned for vCMP, the management IP address that you specify for establishing device trust and enabling failover should be the system's primary cluster IP address. This is a floating management IP address.

For vCMP systems

On a vCMP system, the devices in a device group are virtual devices, known as vCMP guests. You configure config sync and failover to occur between equivalent vCMP guests in separate chassis.

For example, if you have a pair of VIPRION systems running vCMP, and each system has three vCMP guests, you can create a separate device group for each pair of equivalent guests. Table 4.2 shows an example.

Table 1. Sample device groups for two VIPRION systems with vCMP
Device groups for vCMP Device group members
Device-Group-A
  • Guest1 on chassis1
  • Guest1 on chassis2
Device-Group-B
  • Guest2 on chassis1
  • Guest2 on chassis2
Device-Group-C
  • Guest3 on chassis1
  • Guest3 on chassis2

By isolating guests into separate device groups, you ensure that each guest synchronizes and fails over to its equivalent guest.

The self IP addresses that you specify per guest for config sync and failover should be the self IP addresses that you previously configured on the guest (not the host). Similarly, the management IP address that you specify per guest for device trust and failover should be the cluster IP address of the guest.

DSC prerequisite worksheet

Before you set up device service clustering (DSC), you must configure these BIG-IP components on each device that you intend to include in the device group.

Table 2. DSC deployment worksheet
Configuration component Considerations
Hardware, licensing, and provisioning Devices in a device group must match as closely as possible with respect to hardware platform, product licensing, and module provisioning. If you want to configure mirroring, ensure that the hardware platforms of the mirrored devices match.
BIG-IP software version Each device must be running BIG-IP version 11.x. This ensures successful configuration synchronization.
Management IP addresses Each device must have a management IP address, a network mask, and a management route defined.
FQDN Each device must have a fully-qualified domain name (FQDN) as its host name.
User name and password Each device must have a user name and password defined on it that you will use when logging in to the BIG-IP Configuration utility.
root folder properties The platform properties for the root folder must be set correctly (Sync-Failover and traffic-group-1).
VLANs You must create these VLANs on each device, if you have not already done so:
  • A VLAN for the internal network, named internal
  • A VLAN for the external network, named external
  • A VLAN for failover communications, named HA
Self IP addresses You must create these self IP addresses on each device, if you have not already done so:
  • Two self IP addresses (floating and non-floating) on the same subnet for VLAN internal.
  • Two self IP addresses (floating and non-floating) on the same subnet for VLAN external.
  • A non-floating self IP address on the internal subnet for VLAN HA.
Note: When you create floating self IP addresses, the BIG-IP system automatically adds them to the default floating traffic group, traffic-group-1. To add a self IP address to a different traffic group, you must modify the value of the self IP address Traffic Group property.
Port lockdown For self IP addresses that you create on each device, you should verify that the Port Lockdown setting is set to Allow All, All Default, or Allow Custom. Do not specify None.
Application-related objects You must create any virtual IP addresses and optionally, SNAT translation addresses, as part of the local traffic configuration. You must also configure any iApps application services if they are required for your application. When you create these addresses or services, the objects automatically become members of the default traffic group, traffic-group-1.
Time synchronization The times set by the NTP service on all devices must be synchronized. This is a requirement for configuration synchronization to operate successfully.
Device certificates Verify that each device includes an x509 device certificate. Devices with device certificates can authenticate and therefore trust one another, which is a prerequisite for device-to-device communication and data exchange.

Task summary

Use the tasks in this implementation to create a two-member device group, with two active traffic groups, that syncs the BIG-IP® configuration to the peer device and provides failover capability if the peer device goes offline. Note that on a vCMP® system, the devices in a specific device group are vCMP guests, one per chassis.

Important: When you use this implementation, F5 Networks recommends that you synchronize the BIG-IP configuration twice, once after you create the device group, and again after you specify the IP addresses for failover.

Task list

Specifying an IP address for config sync

Before configuring the config sync address, verify that all devices in the device group are running the same version of BIG-IP® system software.
You perform this task to specify the IP address on the local device that other devices in the device group will use to synchronize their configuration objects to the local device.
Note: You must perform this task locally on each device in the device group.
  1. Confirm that you are logged in to the actual device you want to configure.
  2. On the Main tab, click Device Management > Devices. This displays a list of device objects discovered by the local device.
  3. In the Name column, click the name of the device to which you are currently logged in.
  4. From the Device Connectivity menu, choose ConfigSync.
  5. For the Local Address setting, retain the displayed IP address or select another address from the list. F5 Networks recommends that you use the default value, which is the self IP address for VLAN internal. This address must be a non-floating self IP address and not a management IP address.
  6. Click Update.
After performing this task, the other devices in the device group can sync their configurations to the local device.

Specifying IP addresses for connection mirroring

Before configuring mirroring addresses, verify that the mirroring peers have the same hardware platform.
This task configures connection mirroring between two devices to ensure that in-process connections are not dropped when failover occurs. You can mirror connections between a maximum of two devices in a device group.
Note: You must perform this task locally on each device in the device group.
  1. Confirm that you are logged in to the actual device you want to configure.
  2. On the Main tab, click Device Management > Devices. This displays a list of device objects discovered by the local device.
  3. In the Name column, click the name of the device to which you are currently logged in.
  4. From the Device Connectivity menu, choose Mirroring.
  5. For the Primary Local Mirror Address setting, retain the displayed IP address or select another address from the list. The recommended IP address is the self IP address for either VLAN HA or VLAN internal.
  6. For the Secondary Local Mirror Address setting, retain the default value of None, or select an address from the list. This setting is optional. The system uses the selected IP address in the event that the primary mirroring address becomes unavailable.
  7. Click Update.

Establishing device trust

Before you begin this task, verify that:

  • Each BIG-IP® device that is to be part of the local trust domain has a device certificate installed on it.
  • The local device is designated as a certificate signing authority.

You perform this task to establish trust among devices on one or more network segments. Devices that trust each other constitute the local trust domain. A device must be a member of the local trust domain prior to joining a device group.

By default, the BIG-IP software includes a local trust domain with one member, which is the local device. You can choose any one of the BIG-IP devices slated for a device group and log into that device to add other devices to the local trust domain. For example, devices A, B, and C each initially shows only itself as a member of the local trust domain. To configure the local trust domain to include all three devices, you can simply log into device A and add devices B and C to the local trust domain. Note that there is no need to repeat this process on devices B and C.

  1. On the Main tab, click Device Management > Device Trust, and then either Peer List or Subordinate List.
  2. Click Add.
  3. Type an IP address, administrator user name, and administrator password for the remote BIG-IP® device. This IP address can be either a management IP address or a self IP address.
  4. Click Retrieve Device Information.
  5. Verify that the certificate of the remote device is correct.
  6. Verify that the name of the remote device is correct.
  7. Verify that the management IP address and name of the remote device are correct.
  8. Click Finished.
The device you added is now a member of the local trust domain.
Repeat this task for each device that you want to add to the local trust domain.

Creating a Sync-Failover device group

This task establishes failover capability between two or more BIG-IP devices. If the active device in a Sync-Failover device group becomes unavailable, the configuration objects fail over to another member of the device group and traffic processing is unaffected. You perform this task on any one of the authority devices within the local trust domain.

Repeat this task for each Sync-Failover device group that you want to create for your network configuration.

  1. On the Main tab, click Device Management > Device Groups.
  2. On the Device Groups list screen, click Create. The New Device Group screen opens.
  3. Type a name for the device group, select the device group type Sync-Failover, and type a description for the device group.
  4. In the Configuration area of the screen, select a host name from the Available list for each BIG-IP device that you want to include in the device group, including the local device. Use the Move button to move the host name to the Selected list. The Available list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. A device can be a member of one Sync-Failover group only.
  5. For the Network Failover setting:
    • Select the Enabled check box if you want device group members to handle failover communications by way of network connectivity.
    • Clear the Enabled check box if you want device group members to handle failover communications by way of serial cable (hard-wired) connectivity.
    Serial failover is not available for device groups with more than two members.
  6. Click Finished.
You now have a Sync-Failover type of device group containing BIG-IP devices as members.

Configuring failover settings for a device group

When you configure failover settings for a device group, you can specify whether you want the BIG-IP® system to use a serial cable or the network for failover operations. You can also specify, on failover, the amount of time allowed for other vendor switches to learn the MAC address of the newly-active device.

Note: You can use serial failover when the device group contains two devices only. For a group with more than two devices, network failover is required. Also, if the hardware platform is a VIPRION® platform, you must use network failover.
Important: Perform the following procedure on only one of the two devices.
  1. On the Main tab, click Device Management > Device Groups.
  2. In the Group Name column, click the name of the relevant device group.
  3. On the menu bar, click Failover.
  4. For the Network Failover setting:
    • Select the Enabled check box if you want device group members to handle failover communications by way of network connectivity.
    • Clear the Enabled check box if you want device group members to handle failover communications by way of serial cable (hard-wired) connectivity.
    Serial failover is not available for device groups with more than two members.
  5. In the Link Down Time on Failover field, use the default value of 0.0, or specify a new value. This setting specifies the amount of time, in seconds, that interfaces for any external VLANs are down when a traffic group fails over and goes to the standby state. Specifying a value other than 0.0 for this setting causes other vendor switches to use the specified time to learn the MAC address of the newly-active device.
    Important: This setting is a system-wide setting. Specifying a value in this field causes the BIG-IP system to assign this value to the global bigdb variable failover.standby.linkdowntime.
  6. Click Save Changes.

Syncing the BIG-IP configuration to the device group

Before you sync the configuration, verify that the devices targeted for config sync are members of a device group and that device trust has been established.
This task synchronizes the BIG-IP® configuration data from the local device to the devices in the device group. This synchronization ensures that devices in the device group operate properly. When synchronizing self IP addresses, the BIG-IP system synchronizes floating self IP addresses only.
Important: You perform this task on either of the two devices, but not both.
  1. On the Main tab, click Device Management > Overview.
  2. In the Device Groups area of the screen, in the Name column, select the name of the relevant device group. The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.
  3. In the Devices area of the screen, in the Sync Status column, select the device that shows a sync status of Changes Pending.
  4. In the Sync Options area of the screen, select Sync Device to Group.
  5. Click Sync. The BIG-IP system syncs the configuration data of the selected device in the Device area of the screen to the other members of the device group.
Except for non-floating self IP addresses, the entire set of BIG-IP configuration data is replicated on each device in the device group.

Specifying IP addresses for failover

This task specifies the local IP addresses that you want other devices in the device group to use for failover communications with the local device. You must perform this task locally on each device in the device group.
Note: The failover addresses that you specify must belong to route domain 0.
  1. Confirm that you are logged in to the actual device you want to configure.
  2. On the Main tab, click Device Management > Devices. This displays a list of device objects discovered by the local device.
  3. In the Name column, click the name of the device to which you are currently logged in.
  4. From the Device Connectivity menu, choose Failover.
  5. For the Failover Unicast Configuration settings, retain the displayed IP addresses. You can also click Add to specify additional IP addresses that the system can use for failover communications. F5 Networks recommends that you use the self IP address assigned to the HA VLAN.
  6. If the BIG-IP® system is running on a VIPRION® platform, then for the Use Failover Multicast Address setting, select the Enabled check box.
  7. If you enable Use Failover Multicast Address, either accept the default Address and Port values, or specify values appropriate for the device. If you revise the default Address and Port values, but then decide to revert to the default values, click Reset Defaults.
  8. Click Update.
After you perform this task, other devices in the device group can send failover messages to the local device using the specified IP addresses.

Creating a second traffic group for the device group

This task creates a second active floating traffic group to process application traffic. The default floating traffic group (traffic-group-1) processes application traffic for the local device.
Note: For this implementation, name this traffic group traffic-group-2.
  1. On the Main tab, click Network > Traffic Groups.
  2. On the Traffic Groups list screen, click Create.
  3. Type the name traffic-group-2 for the new traffic group.
  4. Select the remote device as the default device for the new traffic group, and optionally specify a MAC masquerade address.
  5. Select or clear the check box for the Auto Failback setting.
    • If you select the check box, it causes the traffic group to be active on its default device whenever that device is as available, or more available, than another device in the group.
    • If you clear the check box, it causes the traffic group to remain active on its current device until failover occurs again.
  6. Confirm that the displayed traffic group settings are correct.
  7. Click Finished.
You now have a second floating traffic group on the local device (in addition to the default floating traffic group) so that once the traffic group is activated on the remote devices, devices in the device group can process traffic for different applications.

Assigning traffic-group-2 to a floating virtual IP address

This task assigns your new traffic group to the device group's internal virtual IP address.
  1. On the Main tab, click Local Traffic > Virtual Servers > Virtual Address List. The Virtual Address List screen opens.
  2. In the Name column, click the virtual address that you want to assign to the traffic group. This displays the properties of that virtual address.
  3. From the Traffic Group list, select traffic-group-2 (floating).
  4. Click Update.
The device's floating virtual IP address is now a member of your second traffic group. The virtual IP address can now fail over to other devices in the traffic group.

Assigning traffic-group-2 to a floating self IP address

This task assigns your floating self IP address to traffic-group-2.
  1. On the Main tab, click Network > Self IPs. The Self IPs screen opens.
  2. In the Name column, click the floating self IP address assigned to VLAN internal. This displays the properties of that self IP address.
  3. From the Traffic Group list, select traffic-group-2 (floating).
  4. Click Update.
The device's floating self IP address is now a member of your second traffic group. The self IP address can now fail over to other devices in the traffic group.

Syncing the BIG-IP configuration to the device group

Before you sync the configuration, verify that the devices targeted for config sync are members of a device group and that device trust has been established.
This task synchronizes the BIG-IP® configuration data from the local device to the devices in the device group. This synchronization ensures that devices in the device group operate properly. When synchronizing self IP addresses, the BIG-IP system synchronizes floating self IP addresses only.
Important: You perform this task on either of the two devices, but not both.
  1. On the Main tab, click Device Management > Overview.
  2. In the Device Groups area of the screen, in the Name column, select the name of the relevant device group. The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.
  3. In the Devices area of the screen, in the Sync Status column, select the device that shows a sync status of Changes Pending.
  4. In the Sync Options area of the screen, select Sync Device to Group.
  5. Click Sync. The BIG-IP system syncs the configuration data of the selected device in the Device area of the screen to the other members of the device group.
Except for non-floating self IP addresses, the entire set of BIG-IP configuration data is replicated on each device in the device group.

Forcing a traffic group to a standby state

This task causes the selected traffic group on the local device to switch to a standby state. By forcing the traffic group into a standby state, the traffic group becomes active on another device in the device group. For device groups with more than two members, you can choose the specific device to which the traffic group fails over. This task is optional.

  1. Log in to the device on which the traffic group is currently active.
  2. On the Main tab, click Network > Traffic Groups.
  3. In the Name column, locate the name of the traffic group that you want to run on the peer device.
  4. Select the check box to the left of the traffic group name. If the check box is unavailable, the traffic group is not active on the device to which you are currently logged in. Perform this task on the device on which the traffic group is active.
  5. Click Force to Standby. This displays target device options.
  6. Choose one of these actions:
    • If the device group has two members only, click Force to Standby. This displays the list of traffic groups for the device group and causes the local device to appear in the Next Active Device column.
    • If the device group has more than two members, then from the Target Device list, select a value and click Force to Standby.
The selected traffic group is now active on another device in the device group.

Implementation result

You now have a Sync-Failover device group set up with an active-active DSC™ configuration. In this configuration, each device has a different active traffic group running on it. That is, the active traffic group on one device is the default traffic group (named traffic-group-1), while the active traffic group on the peer device is a traffic group that you create. Each traffic group contains the floating self IP and virtual IP addresses specific to the relevant application.

If one device goes offline, the traffic group that was active on that device becomes active on the other device in the group, and processing for both applications continues on one device.

Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)