Manual Chapter : Creating an Active-Standby Configuration using the Configuration Utility

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP APM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP GTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP LTM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter

Overview: Creating an active-standby DSC configuration

The most common TMOS device service clustering (DSC) implementation is an active-standby configuration, where a single traffic group is active on one of the devices in the device group and is in a standby state on a peer device. If failover occurs, the standby traffic group on the peer device becomes active and begins processing the application traffic.

To implement this DSC implementation, you can create a Sync-Failover device group. A Sync-Failover device group with two or more members and one traffic group provides configuration synchronization and device failover, and optionally, connection mirroring.

If the device with the active traffic group goes offline, the traffic group becomes active on a peer device, and application processing is handled by that device.

A Sync-Failover device group with one traffic group A two-member Sync-Failover device group for an active-standby configuration

About DSC configuration on a VIPRION system

The way you configure device service clustering (DSC) (also known as redundancy) on a VIPRION system varies depending on whether the system is provisioned to run the vCMP feature.

For non-vCMP systems

For a device group that consists of VIPRION systems that are not licensed and provisioned for vCMP, each VIPRION cluster constitutes an individual device group member. The following table describes the IP addresses that you must specify when configuring redundancy.

Table 1. Required IP addresses for DSC configuration on a non-vCMP system
Feature IP addresses required
Device trust The primary floating management IP address for the VIPRION cluster.
ConfigSync The unicast non-floating self IP address assigned to VLAN internal.
Failover
  • Recommended: The unicast non-floating self IP address that you assigned to an internal VLAN (preferably VLAN HA), as well as a multicast address.
  • Alternative: All unicast management IP addresses that correspond to the slots in the VIPRION cluster.
Connection mirroring For the primary address, the non-floating self IP address that you assigned to VLAN HA. The secondary address is not required, but you can specify any non-floating self IP address for an internal VLAN..

For vCMP systems

On a vCMP system, the devices in a device group are virtual devices, known as vCMP guests. You configure device trust, config sync, failover, and mirroring to occur between equivalent vCMP guests in separate chassis.

For example, if you have a pair of VIPRION systems running vCMP, and each system has three vCMP guests, you can create a separate device group for each pair of equivalent guests. Table 4.2 shows an example.

Table 2. Sample device groups for two VIPRION systems with vCMP
Device groups for vCMP Device group members
Device-Group-A
  • Guest1 on chassis1
  • Guest1 on chassis2
Device-Group-B
  • Guest2 on chassis1
  • Guest2 on chassis2
Device-Group-C
  • Guest3 on chassis1
  • Guest3 on chassis2

By isolating guests into separate device groups, you ensure that each guest synchronizes and fails over to its equivalent guest. The following table describes the IP addresses that you must specify when configuring redundancy:

Table 3. Required IP addresses for DSC configuration on a VIPRION system with vCMP
Feature IP addresses required
Device trust The cluster management IP address of the guest.
ConfigSync The non-floating self IP address on the guest that is associated with VLAN internal on the host.
Failover
  • Recommended: The unicast non-floating self IP address on the guest that is associated with an internal VLAN on the host (preferably VLAN HA), as well as a multicast address.
  • Alternative: The unicast management IP addresses for all slots configured for the guest.
Connection mirroring For the primary address, the non-floating self IP address on the guest that is associated with VLAN internal on the host. The secondary address is not required, but you can specify any non-floating self IP address on the guest that is associated with an internal VLAN on the host.

DSC prerequisite worksheet

Before you set up device service clustering (DSC), you must configure these BIG-IP components on each device that you intend to include in the device group.

Table 4. DSC deployment worksheet
Configuration component Considerations
Hardware, licensing, and provisioning Devices in a device group must match with respect to product licensing and module provisioning. Heterogeneous hardware platforms within a device group are supported.
BIG-IP software version Each device must be running BIG-IP version 11.x. This ensures successful configuration synchronization.
Management IP addresses Each device must have a management IP address, a network mask, and a management route defined.
FQDN Each device must have a fully-qualified domain name (FQDN) as its host name.
User name and password Each device must have a user name and password defined on it that you will use when logging in to the BIG-IP Configuration utility.
root folder properties The platform properties for the root folder must be set correctly (Sync-Failover and traffic-group-1).
VLANs You must create these VLANs on each device, if you have not already done so:
  • A VLAN for the internal network, named internal
  • A VLAN for the external network, named external
  • A VLAN for failover communications, named HA
Self IP addresses You must create these self IP addresses on each device, if you have not already done so:
  • Two self IP addresses (floating and non-floating) on the same subnet for VLAN internal.
  • Two self IP addresses (floating and non-floating) on the same subnet for VLAN external.
  • A non-floating self IP address on the internal subnet for VLAN HA.
Note: When you create floating self IP addresses, the BIG-IP system automatically adds them to the default floating traffic group, traffic-group-1. To add a self IP address to a different traffic group, you must modify the value of the self IP address Traffic Group property.
Important: If the BIG-IP device you are configuring is accessed using Amazon Web Services, then the IP address you specify must be the floating IP address for high availability fast failover that you configured for the EC2 instance.
Port lockdown For self IP addresses that you create on each device, you should verify that the Port Lockdown setting is set to Allow All, All Default, or Allow Custom. Do not specify None.
Application-related objects You must create any virtual IP addresses and optionally, SNAT translation addresses, as part of the local traffic configuration. You must also configure any iApp application services if they are required for your application. When you create these addresses or services, the objects automatically become members of the default traffic group, traffic-group-1.
Time synchronization The times set by the NTP service on all devices must be synchronized. This is a requirement for configuration synchronization to operate successfully.
Device certificates Verify that each device includes an x509 device certificate. Devices with device certificates can authenticate and therefore trust one another, which is a prerequisite for device-to-device communication and data exchange.

Task summary

Use the tasks in this implementation to create a two-member device group, with one active traffic group, that syncs the BIG-IP configuration to the peer device and provides failover capability if the peer device goes offline. Note that on a vCMP system, the devices in a specific device group are vCMP guests, one per chassis.

Important: When you use this implementation, F5 Networks recommends that you synchronize the BIG-IP configuration twice, once after you create the device group, and again after you specify the IP addresses for failover.

Task list

Specifying an IP address for config sync

Before configuring the config sync address, verify that all devices in the device group are running the same version of BIG-IP system software.
You perform this task to specify the IP address on the local device that other devices in the device group will use to synchronize their configuration objects to the local device.
Note: You must perform this task locally on each device in the device group.
  1. Confirm that you are logged in to the actual device you want to configure.
  2. On the Main tab, click Device Management > Devices. This displays a list of device objects discovered by the local device.
  3. In the Name column, click the name of the device to which you are currently logged in.
  4. From the Device Connectivity menu, choose ConfigSync.
  5. For the Local Address setting, retain the displayed IP address or select another address from the list. F5 Networks recommends that you use the default value, which is the self IP address for VLAN internal. This address must be a non-floating self IP address and not a management IP address.
    Important: If the BIG-IP device you are configuring is accessed using Amazon Web Services, then the internal self IP address that you specify must be the internal private IP addresses that you configured for this EC2 instance as the Local Address.
  6. Click Update.
After performing this task, the other devices in the device group can sync their configurations to the local device.

Specifying an IP address for connection mirroring

You can specify the local self IP address that you want other devices in a device group to use when mirroring their connections to this device. Connection mirroring ensures that in-process connections for an active traffic group are not dropped when failover occurs. You typically perform this task when you initially set up device service clustering (DSC).

Note: You must perform this task locally on each device in the device group.
  1. Confirm that you are logged in to the actual device you want to configure.
  2. On the Main tab, click Device Management > Devices. This displays a list of device objects discovered by the local device.
  3. In the Name column, click the name of the device to which you are currently logged in.
  4. From the Device Connectivity menu, choose Mirroring.
  5. For the Primary Local Mirror Address setting, retain the displayed IP address or select another address from the list. The recommended IP address is the self IP address for either VLAN HA or VLAN internal.
    Important: If the BIG-IP device you are configuring is accessed using Amazon Web Services, then the self IP address you specify must be one of the private IP addresses that you configured for this EC2 instance as the Primary Local Mirror Address.
  6. For the Secondary Local Mirror Address setting, retain the default value of None, or select an address from the list. This setting is optional. The system uses the selected IP address in the event that the primary mirroring address becomes unavailable.
  7. Click Update.
In addition to specifying an IP address for mirroring, you must also enable connection mirroring on the relevant virtual servers on this device.

Specifying the HA capacity of a device

Before you perform this task, verify that this device is a member of a device group and that the device group contains three or more devices.

You perform this task when you have more than one type of hardware platform in a device group and you want to configure load-aware failover. Load-aware failover ensures that the BIG-IP system can intelligently select the next-active device for each active traffic group in the device group when failover occurs. As part of configuring load-aware failover, you define an HA capacity to establish the amount of computing resource that the device provides relative to other devices in the device group.

Note: If all devices in the device group are the same hardware platform, you can skip this task.
  1. On the Main tab, click Device Management > Devices. This displays a list of device objects discovered by the local device.
  2. In the Name column, click the name of the device for which you want to view properties. This displays a table of properties for the device.
  3. In the HA Capacity field, type a relative numeric value. You need to configure this setting only when you have varying types of hardware platforms in a device group and you want to configure load-aware failover. The value you specify represents the relative capacity of the device to process application traffic compared to the other devices in the device group.
    Important: If you configure this setting, you must configure the setting on every device in the device group.
    If this device has half the capacity of a second device and a third of the capacity of a third device in the device group, you can specify a value of 100 for this device, 200 for the second device, and 300 for the third device. When choosing the next active device for a traffic group, the system considers the capacity that you specified for this device.
  4. Click Update.
After you perform this task, the BIG-IP system uses the HA Capacity value to calculate the current utilization of the local device, to determine the next-active device for failover of other traffic groups in the device group.

Establishing device trust

Before you begin this task, verify that:

  • Each BIG-IP device that is to be part of the local trust domain has a device certificate installed on it.
  • The local device is designated as a certificate signing authority.

You perform this task to establish trust among devices on one or more network segments. Devices that trust each other constitute the local trust domain. A device must be a member of the local trust domain prior to joining a device group.

By default, the BIG-IP software includes a local trust domain with one member, which is the local device. You can choose any one of the BIG-IP devices slated for a device group and log into that device to add other devices to the local trust domain. For example, devices A, B, and C each initially shows only itself as a member of the local trust domain. To configure the local trust domain to include all three devices, you can simply log into device A and add devices B and C to the local trust domain. Note that there is no need to repeat this process on devices B and C.

  1. On the Main tab, click Device Management > Device Trust, and then either Peer List or Subordinate List.
  2. Click Add.
  3. Type a device IP address, administrator user name, and administrator password for the remote BIG-IP device with which you want to establish trust. The IP address you specify depends on the type of BIG-IP device:
    • If the BIG-IP device is a non-VIPRION device, type the management IP address for the device.
    • If the BIG-IP device is a VIPRION device that is not licensed and provisioned for vCMP, type the primary cluster management IP address for the cluster.
    • If the BIG-IP device is a VIPRION device that is licensed and provisioned for vCMP, type the cluster management IP address for the guest.
    • If the BIG-IP device is an Amazon Web Services EC2 device, type one of the Private IP addresses created for this EC2 instance.
  4. Click Retrieve Device Information.
  5. Verify that the certificate of the remote device is correct.
  6. Verify that the name of the remote device is correct.
  7. Verify that the management IP address and name of the remote device are correct.
  8. Click Finished.
The device you added is now a member of the local trust domain.
Repeat this task for each device that you want to add to the local trust domain.

Creating a Sync-Failover device group

This task establishes failover capability between two or more BIG-IP devices. If an active device in a Sync-Failover device group becomes unavailable, the configuration objects fail over to another member of the device group and traffic processing is unaffected. You perform this task on any one of the authority devices within the local trust domain.

Repeat this task for each Sync-Failover device group that you want to create for your network configuration.

  1. On the Main tab, click Device Management > Device Groups.
  2. On the Device Groups list screen, click Create. The New Device Group screen opens.
  3. Type a name for the device group, select the device group type Sync-Failover, and type a description for the device group.
  4. From the Configuration list, select Advanced.
  5. In the Configuration area of the screen, select a host name from the Available list for each BIG-IP device that you want to include in the device group, including the local device. Use the Move button to move the host name to the Includes list. The Available list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. A device can be a member of one Sync-Failover group only.
  6. For the Network Failover setting, select or clear the check box:
    • Select the check box if you want device group members to handle failover communications by way of network connectivity. This choice is required for active-active configurations.
    • Clear the check box if you want device group members to handle failover communications by way of serial cable (hard-wired) connectivity.
    For active-active configurations, you must select network failover, as opposed to serial-cable (hard-wired) connectivity.
  7. For the Automatic Sync setting, select or clear the check box:
    • Select the check box when you want the BIG-IP system to automatically sync the BIG-IP configuration data whenever a config sync operation is required. In this case, the BIG-IP system syncs the configuration data whenever the data changes on any device in the device group.
    • Clear the check box when you want to manually initiate each config sync operation. In this case, F5 networks recommends that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
  8. For the Full Sync setting, select or clear the check box:
    • Select the check box when you want all sync operations to be full syncs. In this case, the BIG-IP system syncs the entire set of BIG-IP configuration data whenever a config sync operation is required.
    • Clear the check box when you want all sync operations to be incremental (the default setting). In this case, the BIG-IP system syncs only the changes that are more recent than those on the target device. When you select this option, the BIG-IP system compares the configuration data on each target device with the configuration data on the source device and then syncs the delta of each target-source pair.
    If you enable incremental synchronization, the BIG-IP system might occasionally perform a full sync for internal reasons. This is a rare occurrence and no user intervention is required.
  9. In the Maximum Incremental Sync Size (KB) field, retain the default value of 1024, or type a different value. This value specifies the total size of configuration changes that can reside in the incremental sync cache. If the total size of the configuration changes in the cache exceeds the specified value, the BIG-IP system performs a full sync whenever the next config sync operation occurs.
  10. Click Finished.
You now have a Sync-Failover type of device group containing BIG-IP devices as members.

Syncing the BIG-IP configuration to the device group

Before you sync the configuration, verify that the devices targeted for config sync are members of a device group and that device trust is established.
This task synchronizes the BIG-IP configuration data from the local device to the devices in the device group. This synchronization ensures that devices in the device group operate properly. When synchronizing self IP addresses, the BIG-IP system synchronizes floating self IP addresses only.
Important: You perform this task on either of the two devices, but not both.
  1. On the Main tab, click Device Management > Overview.
  2. In the Device Groups area of the screen, in the Name column, select the name of the relevant device group. The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.
  3. In the Devices area of the screen, in the Sync Status column, select the device that shows a sync status of Changes Pending.
  4. In the Sync Options area of the screen, select Sync Device to Group.
  5. Click Sync. The BIG-IP system syncs the configuration data of the selected device in the Device area of the screen to the other members of the device group.
Except for non-floating self IP addresses, the entire set of BIG-IP configuration data is replicated on each device in the device group.

Specifying IP addresses for failover communication

You typically perform this task during initial Device Service Clustering (DSC) configuration, to specify the local IP addresses that you want other devices in the device group to use for continuous health-assessment communication with the local device or guest. You must perform this task locally on each device in the device group.

Important: If the system is running vCMP, you must log in to each guest to perform this task.
Note: The IP addresses that you specify must belong to route domain 0.
  1. Confirm that you are logged in to the actual device you want to configure.
  2. On the Main tab, click Device Management > Devices. This displays a list of device objects discovered by the local device.
  3. In the Name column, click the name of the device to which you are currently logged in.
  4. From the Device Connectivity menu, choose Failover.
  5. For the Failover Unicast Configuration settings, click Add for each IP address on this device that other devices in the device group can use to exchange failover messages with this device. The unicast IP addresses you specify depend on the type of device:
    Platform Action
    Appliance without vCMP Type a static self IP address associated with an internal VLAN (preferably VLAN HA) and the static management IP address currently assigned to the device.
    Appliance with vCMP Type a static self IP address associated with an internal VLAN (preferably VLAN HA) and the unique management IP address currently assigned to the guest.
    VIPRION without vCMP Type a static self IP address associated with an internal VLAN (preferably VLAN HA). If you choose to specify unicast addresses only (and not a multicast address), you must also type the existing, static management IP addresses that you previously configured for all slots in the cluster. If you choose to specify one or more unicast addresses and a multicast address, then you do not need to specify the existing, per-slot static management IP addresses when configuring addresses for failover communication.
    VIPRION with vCMP Type a self IP address that is defined on the guest and associated with an internal VLAN on the host (preferably VLAN HA). If you choose to specify unicast failover addresses only (and not a a multicast address), you must also type the existing, virtual static management IP addresses that you previously configured for all slots in the guest's virtual cluster. If you choose to specify one or more unicast addresses and a multicast address, you do not need to specify the existing, per-slot static and virtual management IP addresses when configuring addresses for failover communication.
    Important: Failover addresses should always be static, not floating, IP addresses.
  6. To enable the use of a failover multicast address on a VIPRION platform (recommended), then for the Use Failover Multicast Address setting, select the Enabled check box.
  7. If you enabled Use Failover Multicast Address, either accept the default Address and Port values, or specify values appropriate for the device. If you revise the default Address and Port values, but then decide to revert to the default values, click Reset Defaults.
  8. Click Update.
After you perform this task, other devices in the device group can send failover messages to the local device using the specified IP addresses.

Syncing the BIG-IP configuration to the device group

Before you sync the configuration, verify that the devices targeted for config sync are members of a device group and that device trust is established.
This task synchronizes the BIG-IP configuration data from the local device to the devices in the device group. This synchronization ensures that devices in the device group operate properly. When synchronizing self IP addresses, the BIG-IP system synchronizes floating self IP addresses only.
Important: You perform this task on either of the two devices, but not both.
  1. On the Main tab, click Device Management > Overview.
  2. In the Device Groups area of the screen, in the Name column, select the name of the relevant device group. The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.
  3. In the Devices area of the screen, in the Sync Status column, select the device that shows a sync status of Changes Pending.
  4. In the Sync Options area of the screen, select Sync Device to Group.
  5. Click Sync. The BIG-IP system syncs the configuration data of the selected device in the Device area of the screen to the other members of the device group.
Except for non-floating self IP addresses, the entire set of BIG-IP configuration data is replicated on each device in the device group.

Implementation result

You now have a Sync-Failover device group set up with an active-standby DSC configuration. This configuration uses the default floating traffic group (named traffic-group-1), which contains the application-specific floating self IP and virtual IP addresses, and is initially configured to be active on one of the two devices. If the device with the active traffic group goes offline, the traffic group becomes active on the other device in the group, and application processing continues.