Manual Chapter : Working with Device Groups

Applies To:

BIG-IP AAM

  • 11.4.1, 11.4.0

BIG-IP APM

  • 11.4.1, 11.4.0

BIG-IP GTM

  • 11.4.1, 11.4.0

BIG-IP LTM

  • 11.4.1, 11.4.0

BIG-IP AFM

  • 11.4.1, 11.4.0

BIG-IP PSM

  • 11.4.1, 11.4.0

BIG-IP ASM

  • 11.4.1, 11.4.0

About Sync-Failover device groups

One of the types of device groups that you can create is a Sync-Failover type of device group. A Sync-Failover device group contains devices that synchronize their configuration data and fail over to one another when a device becomes unavailable. A Sync-Failover device group supports a maximum of eight devices.

A device in the trust domain can be a member of both a Sync-Failover group and a Sync-Only group simultaneously.

For devices in a Sync-Failover group, the BIG-IP system uses both the device group and the traffic group attributes of a folder to make decisions about which devices to target for synchronizing the contents of the folder, and which application-related configuration objects to include in failover.

You can control the way that the BIG-IP system chooses a target failover device. This control is especially useful when a device group contains heterogeneous hardware platforms that differ in load capacity, because you can ensure that when failover occurs, the system chooses the device with the most available resources to process the application traffic.

Sample Sync-Failover configuration

You can use a Sync-Failover device group in a variety of ways. This sample configuration shows two separate Sync-Failover device groups in the local trust domain. Device group A is a standard active-standby configuration. Prior to failover, only Bigip1 processes traffic for application A. This means that Bigip1 and Bigip2 synchronize their configurations, and Bigip1 fails over to Bigip2 if Bigip1 becomes unavailable. Bigip1 cannot fail over to Bigip3 or Bigip4 because those devices are in a separate device group.

Device group B is also a standard active-standby configuration, in which Bigip3 normally processes traffic for application B. This means that Bigip3 and Bigip4 synchronize their configurations, and Bigip3 fails over to Bigip4 if Bigip3 becomes unavailable. Bigip3 cannot fail over to Bigip1 or Bigip2 because those devices are in a separate device group.

Figure: Sample Sync-Failover device groups in a trust domain

Sync-Failover device group considerations

The following configuration restrictions apply to Sync-Failover device groups:

  • A specific BIG-IP device in a trust domain can belong to one Sync-Failover device group only.
  • On each device in a Sync-Failover device group, the BIG-IP system automatically assigns the device group name to the root and /Common folders. This ensures that the system synchronizes any traffic groups for that device to the correct devices in the local trust domain.
  • The BIG-IP system creates all device groups and traffic-groups in the /Common folder, regardless of the partition to which the system is currently set.
  • If no Sync-Failover device group is defined on a device, then the system sets the device group value that is assigned to the root and /Common folders to None.
  • By default, on each device, the BIG-IP system assigns a Sync-Failover device group to any sub-folders of the root or /Common folders that inherit the device group attribute.
  • You can configure a maximum of 15 floating traffic groups for a Sync-Failover device group.

Creating a Sync-Failover device group

This task establishes failover capability between two or more BIG-IP devices. If an active device in a Sync-Failover device group becomes unavailable, the configuration objects fail over to another member of the device group and traffic processing is unaffected. You perform this task on any one of the authority devices within the local trust domain.

Repeat this task for each Sync-Failover device group that you want to create for your network configuration.

  1. On the Main tab, click Device Management > Device Groups.
  2. On the Device Groups list screen, click Create. The New Device Group screen opens.
  3. Type a name for the device group, select the device group type Sync-Failover, and type a description for the device group.
  4. From the Configuration list, select Advanced.
  5. In the Configuration area of the screen, select a host name from the Available list for each BIG-IP device that you want to include in the device group, including the local device. Use the Move button to move the host name to the Includes list. The Available list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. A device can be a member of one Sync-Failover group only.
  6. For the Network Failover setting, select or clear the check box:
    • Select the check box if you want device group members to handle failover communications by way of network connectivity.
    • Clear the check box if you want device group members to handle failover communications by way of serial cable (hard-wired) connectivity.
    You must enable network failover for any device group that contains three or more members.
  7. For the Automatic Sync setting, select or clear the check box:
    • Select the check box when you want the BIG-IP system to automatically sync the BIG-IP configuration data whenever configuration data changes on any device in the device group.
    • Clear the check box when you want to manually initiate each config sync operation. In this case, F5 Networks recommends that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
  8. For the Full Sync setting, select or clear the check box:
    • Select the check box when you want all sync operations to be full syncs. In this case, the BIG-IP system syncs the entire set of BIG-IP configuration data whenever a config sync operation is required.
    • Clear the check box when you want all sync operations to be incremental (the default setting). In this case, the BIG-IP system syncs only the changes that are more recent than those on the target device. When you select this option, the BIG-IP system compares the configuration data on each target device with the configuration data on the source device and then syncs the delta of each target-source pair.
    If you enable incremental synchronization, the BIG-IP system might occasionally perform a full sync for internal reasons. This is a rare occurrence and no user intervention is required.
  9. In the Maximum Incremental Sync Size (KB) field, retain the default value of 1024, or type a different value. This value specifies the total size of configuration changes that can reside in the incremental sync cache. If the total size of the configuration changes in the cache exceeds the specified value, the BIG-IP system performs a full sync whenever the next config sync operation occurs.
  10. Click Finished.
You now have a Sync-Failover type of device group containing BIG-IP devices as members.

About Sync-Only device groups

One of the types of device groups that you can create is a Sync-Only device group. A Sync-Only device group contains devices that synchronize configuration data with one another, but their configuration data does not fail over to other members of the device group. A Sync-Only device group supports a maximum of 32 devices.

A device in a trust domain can be a member of more than one Sync-Only device group. A device can also be a member of both a Sync-Failover group and a Sync-Only group simultaneously.

A typical use of a Sync-Only device group is to synchronize the contents of a specific folder to a device group other than the one to which the other folders are synchronized.

Sample Sync-Only configuration

The most common reason to use a Sync-Only device group is to synchronize a specific folder containing policy data that you want to share across all BIG-IP devices in a local trust domain, while setting up a Sync-Failover device group to fail over the remaining configuration objects to a subset of devices in the domain. In this configuration, you are using a Sync-Only device group attribute on the policy folder to override the inherited Sync-Failover device group attribute. Note that in this configuration, Bigip1 and Bigip2 are members of both the Sync-Only and the Sync-Failover groups.

Figure: Sync-Only device group

To implement this configuration, you can follow this process:

  1. Create a Sync-Only device group on the local device, adding all devices in the local trust domain as members.
  2. Create a Sync-Failover device group on the local device, adding a subset of devices as members.
  3. On the folder containing the policy data, use tmsh to set the value of the device group attribute to the name of the Sync-Only device group.
  4. On the root folder, retain the default Sync-Failover device group assignment.

Creating a Sync-Only device group

You perform this task to create a Sync-Only type of device group. When you create a Sync-Only device group, the BIG-IP system can then automatically synchronize certain types of data such as security policies and acceleration applications and policies to the other devices in the group, even when some of those devices reside in another network. You can perform this task on any BIG-IP device within the local trust domain.
  1. On the Main tab, click Device Management > Device Groups.
  2. On the Device Groups list screen, click Create. The New Device Group screen opens.
  3. Type a name for the device group, select the device group type Sync-Only, and type a description for the device group.
  4. From the Configuration list, select Advanced.
  5. For the Members setting, select an IP address and host name from the Available list for each BIG-IP device that you want to include in the device group. Use the Move button to move the host name to the Includes list. The list shows any devices that are members of the device's local trust domain.
  6. For the Automatic Sync setting, select or clear the check box:
    • Select the check box when you want the BIG-IP system to automatically sync the BIG-IP configuration data whenever configuration data changes on any device in the device group.
    • Clear the check box when you want to manually initiate each config sync operation. In this case, F5 Networks recommends that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
  7. For the Full Sync setting, select or clear the check box:
    • Select the check box when you want all sync operations to be full syncs. In this case, the BIG-IP system syncs the entire set of BIG-IP configuration data whenever a config sync operation is required.
    • Clear the check box when you want all sync operations to be incremental (the default setting). In this case, the BIG-IP system syncs only the changes that are more recent than those on the target device. When you select this option, the BIG-IP system compares the configuration data on each target device with the configuration data on the source device and then syncs the delta of each target-source pair.
    If you enable incremental synchronization, the BIG-IP system might occasionally perform a full sync for internal reasons. This is a rare occurrence and no user intervention is required.
  8. In the Maximum Incremental Sync Size (KB) field, retain the default value of 1024, or type a different value. This value specifies the total size of configuration changes that can reside in the incremental sync cache. If the total size of the configuration changes in the cache exceeds the specified value, the BIG-IP system performs a full sync whenever the next config sync operation occurs.
  9. Click Finished.
You now have a Sync-Only type of device group containing BIG-IP devices as members.

Viewing a list of device groups

You can perform this task when you want to display a list of the device groups of which the local device is a member.
  1. On the Main tab, click Device Management > Overview.
  2. In the Device Groups area of the screen, in the Name column, view the list of device groups.
The list shows all device groups that include the local device as a member, as well as the sync status of each group.

Viewing the members of a device group

You can list the members of a device group and view information about them, such as their management IP addresses and host names.
  1. On the Main tab, click Device Management > Device Groups.
  2. In the Group Name column, click the name of the relevant device group.
The screen shows a list of the device group members.

Adding a device to a device group

You must ensure that the device you are adding is a member of the local trust domain.
You can use this procedure to add a member to an existing device group.
  1. On the Main tab, click Device Management > Device Groups.
  2. In the Group Name column, click the name of the relevant device group.
  3. In the Members area of the screen, select a host name from the Available list for each BIG-IP device that you want to include in the device group. Use the Move button to move the host name to the Selected list. The Available list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. If you are attempting to add a member to a Sync-Failover group and you do not see the member name in the list, it is possible that the device is already a member of another Sync-Failover device group. A device can be a member of one Sync-Failover group only.
  4. Click Update.

A note about folders and overlapping device groups

Sometimes when one BIG-IP object references another, one of the objects gets synchronized to a particular device, but the other object does not. This can result in an invalid device group configuration.

For example, suppose you create two device groups that share some devices but not all. In the following illustration, Device A is a member of both Device Group 1 and Device Group 2.

Figure: One device with membership in two device groups

Device Group 1 is associated with folder /Common, and Device Group 2 is associated with the folder /Common/my_app. This configuration causes Device A to synchronize all of the data in folder /Common to Device B in Device Group 1. The only data that Device A can synchronize to Device C in Device Group 2 is the data in the folder /Common/my_app, because this folder is associated with Device Group 2 instead of Device Group 1.

Now suppose that you create a pool in the /Common/my_app folder, which is associated with Device Group 2. When you create the pool members in that folder, the BIG-IP system automatically creates the associated node addresses and puts them in folder /Common. This results in an invalid configuration, because the node objects in folder /Common do not get synchronized to the device on which the nodes' pool members reside, Device C. When an object is not synchronized to the device on which its referenced objects reside, an invalid configuration results.
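
The check described above can be run offline against an exported inventory before a folder is assigned to a different device group. The following Python sketch is an added example, not F5 code or part of the original manual: it resolves each folder's effective device group through inheritance (the same mechanism the Sync-Only folder override relies on) and reports every reference whose target object is not synced to all devices that receive the referring object. The pool, virtual server, and node names and the data layout are constructed assumptions.

```python
# Added example: all sample data is constructed from the scenario in the text.
from posixpath import dirname

# Device group name -> member devices (from the two-group illustration).
DEVICE_GROUPS = {
    "Device Group 1": {"Device A", "Device B"},
    "Device Group 2": {"Device A", "Device C"},
}
# Folders with an explicit device group attribute; all others inherit.
FOLDER_GROUP = {
    "/": "Device Group 1",
    "/Common": "Device Group 1",
    "/Common/my_app": "Device Group 2",
}
# (referring object, referenced object); names are hypothetical. The pool's
# members point at a node that the system created in /Common.
REFERENCES = [
    ("/Common/my_app/app_pool", "/Common/10.0.0.10"),
    ("/Common/my_app/app_vs", "/Common/my_app/app_pool"),
]

def effective_group(folder, folder_group):
    """Walk up the folder tree until a device group attribute is found."""
    while folder not in folder_group:
        if folder == "/":
            return None
        folder = dirname(folder)
    return folder_group[folder]

def sync_targets(obj_path, folder_group, device_groups):
    """Devices that receive an object, based on its folder's device group."""
    group = effective_group(dirname(obj_path), folder_group)
    return set(device_groups.get(group, ()))

def find_broken_references(references, folder_group, device_groups):
    """Return (referrer, referenced, devices lacking the referenced object)."""
    findings = []
    for referrer, referenced in references:
        missing = (sync_targets(referrer, folder_group, device_groups)
                   - sync_targets(referenced, folder_group, device_groups))
        if missing:
            findings.append((referrer, referenced, sorted(missing)))
    return findings

if __name__ == "__main__":
    for referrer, referenced, missing in find_broken_references(
            REFERENCES, FOLDER_GROUP, DEVICE_GROUPS):
        print(f"{referrer} -> {referenced}: not synced to {', '.join(missing)}")
```

An empty result means every referenced object reaches each device that receives the object referring to it; here the pool is flagged because its node never reaches Device C.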