0%

F5 BIG-IP Device Service Clustering

Posted on by Anas
Category: F5

If you have two BIG-IP devices only, you can create either an active-standby or an active-active

With more than two devices, you can create a configuration in which multiple devices are active

device group

device group is a collection of BIG-IP devices that trust each other, can sync and fail over

x

x

x

x

Certificate signing authority

A certificate signing authority can sign x509 certificates for another BIG-IP device that is in the local trust domain already. In a standard redundant system configuration of two BIG-IP devices, both devices are usually certificate signing authority devices. For security reasons, F5 Networks recommends you limit the number of authority devices in a local trust domain to as few as possible

Peer authorities

Peer authority is another device in the local trust domain that can sign certificates if the certificate signing authority is not available. In a standard redundant system configuration of two BIG-IP devices, each device is typically a peer authority for the other.

Subordinate non-authorities

A subordinate device cannot sign a certificate for another device. Subordinate devices provide an additional level of security because in the case where the security of an authority device in a trust domain is compromised, the risk of compromise is minimized for any subordinate device. Designating devices as subordinate devices is recommended for device groups with many member devices, where the risk of compromise is high.

Certificate and Device discovery

Each device in a device group has a x509 certificate installed on it that the device uses to authenticate itself to the other devices in the group, exchange of device properties such as device serial number, IP address and certificate, is known as device discovery. If a device joins a trust domain that already contains three trust domain members, the device exchanges device properties with the three other domain members. The device then has a total of four sets of device properties defined on it: its own device properties, plus the device properties of each peer.

Establishing device trust

To configure the local trust domain to include all three devices, you can simply log into device Bigip_1 and add devices Bigip_2 and Bigip_3 to the local trust domain; there is no need to repeat this process on devices

Traffic group failover

On failover, traffic_group_1 becomes active on another device in the Sync-Failover device group

You can also control the way that the BIG-IP chooses a target failover device. This control is especially useful when a device group contains heterogeneous hardware platforms that differ in load capacity. you can ensure that when failover occurs, the system will choose the device with the most available resource to process the application traffic

Device groups and local trust domain

You can use a Sync-Failover device group in a variety of ways. This sample configuration shows two separate Sync-Failover device groups in the local trust domain.

Device group A
Prior to failover, only Bigip1 processes traffic for application A. This means that Bigip1 and Bigip2 synchronize their configurations, and Bigip1 fails over to Bigip2 if Bigip1 becomes unavailable. Bigip1 cannot fail over to Bigip3 or Bigip4 because those devices are in a separate device group.

Device group B
Bigip3 normally processes traffic for application B. This means that Bigip3 and Bigip4 synchronize their configurations, and Bigip3 fails over to Bigip4 if Bigip3 becomes unavailable. Bigip3 cannot fail over to Bigip1 or Bigip2 because those devices are in a separate device group.

Each traffic group on a device includes application-specific floating IP addresses as its members. Typical traffic group members are: floating self IP addresses, virtual addresses, NAT or SNAT translation addresses, and IP addresses associated with an iApp application service. When a device with active traffic groups becomes unavailable, the active traffic groups become active on other device in the device group. This ensures that application traffic processing continues with little to no interruption

What triggers failover?

The BIG-IP system initiates failover of a traffic group according to any of several events that you define. These events fall into these categories:

System fail-safe

With system fail-safe, the BIG-IP system monitors various hardware components, as well as the heartbeat of various system services. You can configure the system to initiate failover whenever it detects a heartbeat failure.

Gateway fail-safe

With gateway fail-safe, the BIG-IP system monitors traffic between an active BIG-IP® system in a device group and a pool containing a gateway router. You can configure the system to initiate failover whenever some number of gateway routers in a pool of routers becomes unreachable.

VLAN fail-safe

With VLAN fail-safe, the BIG-IP system monitors network traffic going through a specified VLAN. You can configure the system to initiate failover whenever the system detects a loss of traffic on the VLAN and the fail-safe timeout period has elapsed.

HA groups

With an HA group, the BIG-IP system monitors the availability of resources for a specific traffic group. Examples of resources are trunk links, pool members, and VIPRION® cluster members. If resource levels fall below a user-defined level, the system triggers failover.

Auto-failback

When you enable auto-failback, a traffic group that has failed over to another device fails back to a preferred device when that device is available. If you do not enable auto-failback for a traffic group, and the traffic group fails over to another device, the traffic group remains active on that device until that device becomes unavailable.

About pre-configured traffic groups

Each new BIG-IP® device comes with two pre-configured traffic groups:

traffic-group-1

A floating traffic group that initially contains any floating self IP addresses that you create on the device. If the device that this traffic group is active on goes down, the traffic group goes active on another device in the device group.

traffic-group-local-only

A non-floating traffic group that contains the static self IP addresses that you configure for VLANs internal and external. This traffic group never fails over to another device.

Configuration

Prerequisites

You must meet the following prerequisites to use this procedure:

  • You have configured the following configuration elements on all BIG-IP devices:
    • Network components, such as VLANs, Self IP addresses, and routes.
    • Administrative components, such as network time protocol (NTP), the management IP address, and licensing.
  • Each BIG-IP device that will be part of the device group has a device certificate installed on it.

Forcing the system offline

You should force the new BIG-IP system offline to ensure that it does not become active until after it is added to the device group and the configuration is synchronized from the other device(s) in the device group:

Select OK to confirm.

Log in to the Configuration utility.

Go to Device Management > Devices.

Select the host name of the local device.

Select Force Offline.

Configuring the ConfigSync and failover IP addresses

Before creating the device group, you should configure the ConfigSync and failover IP addresses for each BIG-IP system in the device group. The ConfigSync address is the IP address that the system uses when synchronizing configuration with peer devices, and the failover address is the IP address that the system uses for network failover. As a best practice, F5 recommends selecting both the management address and a Traffic Management Microkernel (TMM) network address to use for network failover.

To configure the ConfigSync and failover addresses, perform the following procedure:

Note: You must enable network failover for high availability (HA) configurations (device groups with two or more active traffic groups).

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Configuration utility.
  2. Go to Device Management > Devices.
  3. Select the host name of the local device.
  4. Select the ConfigSync tab.
  5. For Local Address, select the self IP address that you want to use for synchronization.
  6. Select Update.
  7. Select the Failover Network tab.
  8. Select Add.
  9. For Address, select the self IP address you want to use for failover, for Port, type the port you want to use, and then select Repeat.
  10. Select the management address, type 1026 for Port, then select Finished.
  11. Select Finished.
  12. Repeat these steps for each BIG-IP system you want to add to the device group.

Adding a device to the local trust domain

When a BIG-IP device joins the local trust domain, it establishes a trust relationship with peer BIG-IP devices that are members of the same trust domain. For example, if you are creating a device group with four members, you must log in to one of the devices and join the other devices to that system’s local trust domain. The devices can then exchange their device properties and device connectivity information.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Configuration utility of a device that will be part of the device group.
  2. Go to Device Management > Device Trust > Local Domain.
  3. Select the Device Trust Members tab.
  4. Select Add.
  5. For Device Type, select either Peer or Subordinate, as appropriate.
  6. Type the management IP address, administrator user name, and administrator password for the remote BIG-IP device, and then select Retrieve Device Information.
  7. Verify that the certificate is correct, and then select Device Certificate Matches.
  8. Verify that the remote device name is correct, and then select Add Device.
  9. Repeat these steps for each BIG-IP system to be added to the local trust domain.

Creating a device group

After you’ve added all members to the same local trust domain, you can create a new device group. The device group type can be either Sync-Failover or Sync-Only.

Creating a Sync-Failover device group

A Sync-failover device group contains devices that synchronize configuration data and fail over to one another when the active device becomes unavailable. To create a Sync-Failover device group, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

  1. Log in to the Configuration utility.
  2. Go to Device Management > Device Groups.
  3. Select Create.
  4. Enter the name for the device group.
  5. For Group Type, select Sync-Failover.
  6. Under Configuration, in the Available list, select the name(s) of the members that you want to add to the device group and move them to the Includes list.
  7. For Sync Type, select the appropriate synchronization type. The default is Manual with Incremental Sync.Note: For more information on ConfigSync type options, see Managing Configuration Synchronization in BIG-IP Device Service Clustering Administration. For information about how to locate F5 product manuals, refer to K98133564: Tips for searching AskF5 and finding product documentation.
  8. Confirm the group settings, and then select Finished.

Leave a Reply

Your email address will not be published. Required fields are marked *

*
*