Manual Chapter: Creating an Active-Active Configuration Using the Setup Utility
Applies To:
- BIG-IP AAM: 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
- BIG-IP APM, BIG-IP Analytics, BIG-IP Link Controller, BIG-IP LTM, BIG-IP PEM, BIG-IP AFM, BIG-IP DNS, BIG-IP ASM: 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Overview: Creating a basic active-active configuration
This implementation describes how to use the Setup utility to configure two new BIG-IP® devices that function as an active-active pair. An active-active pair is a pair of BIG-IP devices configured so that both devices are actively processing traffic and are ready to take over for one another if failover occurs. The two devices synchronize their configuration data to one another.
Access Policy Manager (APM) is not supported in an Active-Active configuration. APM is supported in an Active-Standby configuration with two BIG-IP systems only.
Policy Enforcement Manager (PEM) is not supported in an Active-Active configuration. PEM is supported in an Active-Standby configuration with two BIG-IP systems only.
The same version of BIG-IP system software must be running on all devices in the device group.
Using this implementation, you begin by running the Setup utility on each device to configure its base network components. Base network components include a management port, administrative passwords, and default VLANs and their associated self IP addresses. You also use Setup to configure configuration synchronization and high availability.
You then use the BIG-IP® Configuration utility to:
- Establish trust between the two devices
- Create a Sync-Failover type of device group that contains two member devices
- Create a second traffic group
- Create two iApp™ application services
In this configuration, both devices actively process application traffic, each for a different application. One device processes its application traffic using the configuration objects associated with the default floating traffic group, traffic-group-1. By default, this traffic group contains the floating self IP addresses of the default VLANs. The other device processes its application traffic using a second traffic group that you create. If one of the devices becomes unavailable for any reason, the other device automatically begins processing traffic for the unavailable peer, while continuing to process the traffic for its own application.
This illustration shows an example of the device group that this implementation creates, named Device Group A. This device group contains two BIG-IP devices, Device 1 and Device 2. The configuration shows two traffic groups, traffic-group-1 and traffic-group-2, each containing failover objects. For traffic-group-1, Device 1 is the default device. For traffic-group-2, Device 2 is the default device. If Device 1 becomes unavailable, traffic-group-1 floats to Device 2. If Device 2 becomes unavailable, traffic-group-2 floats to Device 1.
By implementing this configuration, you ensure that:
- Each device has base network components configured.
- Any objects on a BIG-IP device that you configure for synchronization remain synchronized between the two devices.
- Failover capability and connection mirroring are enabled on each device.
For active-active configurations, you must enable network failover instead of hard-wired serial failover.
Licensing and provisioning the BIG-IP system
Using the Setup utility, you can activate the license and provision the BIG-IP system.
- From a workstation attached to the network on which you configured the management interface, type the following URL syntax, where <management_IP_address> is the address you configured for device management: https://<management_IP_address>
- At the login prompt, type the default user name admin and password admin, and click Log in. The Setup utility screen opens.
- Click Next.
- Click Activate. The License screen opens.
- In the Base Registration Key field, paste the registration key.
- Click Next and follow the process for licensing and provisioning the system. When you perform the licensing task so that you can run the F5 cloud ADC, you can accept the default provisioning values.
- Click Next. This displays the screen for configuring general properties and user administration settings.
The BIG-IP system license is now activated, and the relevant BIG-IP modules are provisioned.
Configuring a device certificate
Import or verify the certificate for the BIG-IP device.
- Do one of the following:
  - Click Import, import a certificate, click Import, and then click Next.
  - Verify the displayed information for the certificate and click Next.
Configuring the management port and administrative user accounts
Configure the management port, time zone, and the administrative user names and passwords.
- On the screen for configuring general properties, for the Management Port Configuration setting, select Manual.
- For the Management Port 1 setting, specify an IP address, network mask, and default gateway. You can leave the Management Port 2 setting blank.
- In the Host Name field, type a fully-qualified domain name (FQDN) for the system. The FQDN can consist of letters, numbers, and/or the characters underscore ( _ ), dash ( - ), or period ( . ).
- For the Host IP Address setting, retain the default value Use Management Port IP Address.
- From the Time Zone list, select a time zone. The time zone you select typically reflects the location of the F5 system.
- For the Root Account setting, type and confirm a password for the root account. The root account provides console access only.
- For the Admin Account setting, type and confirm a password. Typing a password for the admin account causes the system to terminate the login session. When this happens, log in to the F5 Configuration utility again, using the new password. The system returns to the appropriate screen in the Setup utility.
- For the SSH Access setting, select or clear the check box.
- Click Next.
- In the Standard Network Configuration area of the screen, click Next. This displays the screen for enabling configuration synchronization and high availability.
Enabling ConfigSync and high availability
When you perform this task, you set up config sync and connection mirroring, and you can specify the failover method (network, serial, or both).
- For the Config Sync setting, select the Display configuration synchronization options check box. This causes an additional ConfigSync screen to be displayed later.
- For the High Availability setting, select the Display failover and mirroring options check box. This displays the Failover Method list and causes additional failover screens to be displayed later.
- From the Failover Method list, select Network and serial cable. If you have a VIPRION system, select Network.
- Click Next. This displays the screen for configuring the default VLAN internal.
Configuring the internal network
You can use the Setup utility to specify self IP addresses and settings for a VLAN on the BIG-IP internal network. The default VLAN for the internal network is named internal.
- Specify the Self IP setting for the internal network:
  - In the Address field, type a self IP address.
  - In the Netmask field, type a network mask for the self IP address.
  - For the Port Lockdown setting, retain the default value.
- Specify the Floating IP setting:
  - In the Address field, type a floating IP address. This address should be distinct from the address you type for the Self IP setting. If the BIG-IP device you are configuring is accessed using Amazon Web Services and the device needs to fail over to a device group peer, use the second, Secondary Private IP address for the floating IP address.
  - For the Port Lockdown setting, retain the default value.
- For the VLAN Tag ID setting, retain the default value, auto. This is the recommended value.
- For the Interfaces setting:
  - From the Interface list, select an interface number.
  - From the Tagging list, select Tagged or Untagged. Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
  - Click Add.
- Click Next. This completes the configuration of the internal self IP addresses and VLAN, and displays the screen for configuring the default VLAN external.
Configuring the external network
You can use the Setup utility to specify self IP addresses and settings for a VLAN on the BIG-IP external network. The default VLAN for the external network is named external.
- Specify the Self IP setting for the external network:
  - In the Address field, type a self IP address.
  - In the Netmask field, type a network mask for the self IP address.
  - For the Port Lockdown setting, retain the default value.
- In the Default Gateway field, type the IP address that you want to use as the default gateway to VLAN external.
- Specify the Floating IP setting:
  - In the Address field, type a floating IP address. This address should be distinct from the address you type for the Self IP setting. If the BIG-IP device you are configuring is accessed using Amazon Web Services and the device needs to fail over to a device group peer, use the second, Secondary Private IP address for the floating IP address.
  - For the Port Lockdown setting, retain the default value.
- For the VLAN Tag ID setting, retain the default value, auto. This is the recommended value.
- For the Interfaces setting:
  - From the Interface list, select an interface number.
  - From the Tagging list, select Tagged or Untagged. Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
  - Click Add.
- Click Next. This completes the configuration of the external self IP addresses and VLAN, and displays the screen for configuring the default VLAN HA.
Configuring the network for high availability
To configure a network for high availability, specify self IP addresses and settings for VLAN HA, which is the VLAN that the system will use for failover and connection mirroring.
- For the High Availability VLAN setting, retain the default value, Create VLAN HA.
- Specify the Self IP setting for VLAN HA:
  - In the Address field, type a self IP address.
  - In the Netmask field, type a network mask for the self IP address.
- For the VLAN Tag ID setting, retain the default value, auto. This is the recommended value.
- For the Interfaces setting:
  - From the Interface list, select an interface number.
  - From the Tagging list, select Untagged.
  - Click Add.
- Click Next. This configures the self IP address and VLAN that the system will use for high availability and displays the default IP address that the system will use for configuration synchronization.
Configuring a ConfigSync address
Use this task to specify the address that you want the system to use for configuration synchronization.
- From the Local Address list, select a self IP address. Do not select a management IP address.
- Click Next. This displays the screen for configuring unicast and multicast failover addresses.
Configuring failover and mirroring addresses
Follow these task steps to specify the unicast IP addresses of the local device that you want the system to use for failover. Typically, you specify the self IP address for the local VLAN HA, as well as the IP address for the management port of the local device. If you are configuring a VIPRION system, configure a multicast failover address as well. When configuring failover and mirroring IP addresses, you select addresses of the local device only. Later, during the process of device discovery, the two devices in the device group discover each other's addresses.
- Locate the Failover Unicast Configuration area of the screen.
- Under Local Address, confirm that there are entries for the self IP addresses that are assigned to the HA and internal VLANs and for the local management IP address for this device. If these entries are absent, click the Add button to add the missing entries to the list of Failover Unicast Addresses.
  - For the Address setting, select the address for the VLAN you need to add (either HA or internal).
  - In the Port field, type a port number or retain the default port number, 1026.
  - Click Repeat to add additional self IP addresses, or click Finished.
  - Repeat these steps to add a management IP address.
- Click Next.
- From the Primary Local Mirror Address list, retain the default value, which is the self IP address for VLAN HA.
- From the Secondary Local Mirror Address list, select the address for VLAN internal.
- Click Finished. This causes you to leave the Setup utility.
Establishing device trust
Before you begin this task, verify that:
- Each BIG-IP device that is to be part of the local trust domain has a device certificate installed on it.
- The local device is designated as a certificate signing authority.
You perform this task to establish trust among devices on one or more network segments. Devices that trust each other constitute the local trust domain. A device must be a member of the local trust domain prior to joining a device group.
By default, the BIG-IP software includes a local trust domain with one member, which is the local device. You can choose any one of the BIG-IP devices slated for a device group and log into that device to add other devices to the local trust domain. For example, devices Bigip_1, Bigip_2, and Bigip_3 each initially show only themselves as members of the local trust domain. To configure the local trust domain to include all three devices, you can simply log into device Bigip_1 and add devices Bigip_2 and Bigip_3 to the local trust domain; there is no need to repeat this process on devices Bigip_2 and Bigip_3.
- On the Main tab, click.
- Click Add.
- From the Device Type list, select Peer or Subordinate.
- Type a device IP address, administrator user name, and administrator password for the remote BIG-IP device with which you want to establish trust. The IP address you specify depends on the type of BIG-IP device:
  - If the BIG-IP device is an appliance, type a management IP address (IPv4 or IPv6) for the device.
  - If the BIG-IP device is a VIPRION device that is not licensed and provisioned for vCMP, type a primary cluster management IP address (IPv4 or IPv6) for the cluster.
  - If the BIG-IP device is a VIPRION device that is licensed and provisioned for vCMP, type a cluster management IP address (IPv4 or IPv6) for the guest.
  - If the BIG-IP device is an Amazon Web Services EC2 device, type one of the Private IP addresses created for this EC2 instance.
- Click Retrieve Device Information.
- Verify that the certificate of the remote device is correct, and then click Device Certificate Matches.
- In the Name field, verify that the name of the remote device is correct.
- Click Add Device.
After you perform this task, the local device is now a member of the local trust domain. Also, the BIG-IP system automatically creates a special Sync-Only device group for the purpose of synchronizing trust information among the devices in the local trust domain on an ongoing basis.
Repeat this task to specify each device that you want to add to the local trust domain.
Creating a Sync-Failover device group
This task establishes failover capability between two or more BIG-IP devices. If an active device in a Sync-Failover device group becomes unavailable, the configuration objects fail over to another member of the device group and traffic processing is unaffected. You perform this task on any one of the authority devices within the local trust domain.
Repeat this task for each Sync-Failover device group that you want to create for your network configuration.
- On the Main tab, click.
- On the Device Groups list screen, click Create. The New Device Group screen opens.
- In the Name field, type a name for the device group.
- From the Group Type list, select Sync-Failover.
- In the Description field, type a description of the device group. This setting is optional.
- From the Configuration list, select Advanced.
- For the Members setting, select a host name from the Available list for each BIG-IP device that you want to include in the device group, including the local device. Use the Move button to move the host name to the Includes list. The Available list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. A device can be a member of one Sync-Failover group only. Also, for vCMP-provisioned systems on platforms that contain a hardware security module (HSM) supporting FIPS multi-tenancy, the FIPS partitions on the guests in the device group must be identical with respect to the number of SSL cores allocated to the guest's FIPS partition and the maximum number of private SSL keys that the guest can store on the HSM.
- From the Sync Type list:
  - Select Automatic with Incremental Sync when you want the BIG-IP system to automatically sync the most recent BIG-IP configuration changes from a device to the other members of the device group. In this case, the BIG-IP system syncs the configuration data whenever the data changes on any device in the device group.
  - Select Manual with Incremental Sync when you want to manually initiate a config sync operation. In this case, the BIG-IP system syncs the latest BIG-IP configuration changes from the device you choose to the other members of the device group. We strongly recommend that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
  - Select Manual with Full Sync when you want to manually initiate a config sync operation. In this case, the BIG-IP system syncs the full set of BIG-IP configuration data from the device you choose to the other members of the device group. We strongly recommend that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
- In the Maximum Incremental Sync Size (KB) field, retain the default value of 1024, or type a different value. This value specifies the total size of configuration changes that can reside in the incremental sync cache. If the total size of the configuration changes in the cache exceeds the specified value, the BIG-IP system performs a full sync whenever the next config sync operation occurs.
- For the Network Failover setting, select or clear the check box:
  - Select the check box if you want device group members to handle failover communications by way of network connectivity. This is the default value and is required for active-active configurations.
  - Clear the check box if you want device group members to handle failover communications by way of serial cable (hard-wired) connectivity.
  For active-active configurations, you must select network failover, as opposed to serial-cable (hard-wired) connectivity.
- In the Link Down Time on Failover field, use the default value of 0.0, or specify a new value. This setting specifies the amount of time, in seconds, that interfaces for any external VLANs are down when a traffic group fails over and goes to the standby state. Specifying a value other than 0.0 for this setting causes other vendor switches to use the specified time to learn the MAC address of the newly-active device. This setting is a system-wide setting, and does not apply to this device group only. Specifying a value in this field causes the BIG-IP system to assign this value to the global bigdb variable failover.standby.linkdowntime.
- Click Finished.
Creating an iApp application for the local device
Use this procedure to create a set of related configuration objects on the system (that is, an application).
- On the Main tab, click.
- Click Create.
- In the Name field, type the name for your application service.
- From the Template list, select a template.
- From the Template Selection list, select Advanced. This causes additional settings to appear.
- For the Configure Sync and/or Failover for this application? setting, select Yes.
- For the Traffic Group setting, ensure that the Inherit traffic group from current partition / path field and traffic-group-1 are selected.
- Configure remaining settings as needed.
- At the bottom of the screen, click Finished to save your changes.
You now have an iApp application service, which is associated with the traffic group assigned to the root folder, traffic-group-1.
Creating a traffic group for a remote device
If you intend to specify a MAC masquerade address when creating a traffic group, you must first create the address, using an industry-standard method for creating a locally-administered MAC address.
Perform this procedure to create a traffic group to run on the remote BIG-IP device. You create this traffic group on the local device. Later, you move the traffic group to the remote device by forcing this traffic group on the local device to a standby state.
- On the Main tab, click.
- On the lower half of the screen, verify that the list shows the default floating traffic group (traffic-group-1) for the local device.
- On the Traffic Groups screen, click Create.
- Type the name traffic-group-2 for the new traffic group.
- Type a description of the new traffic group.
- Click Next.
- In the MAC Masquerade Address field, type a MAC masquerade address. When you specify a MAC masquerade address, you reduce the risk of dropped connections when failover occurs. This setting is optional.
- Click Next.
- Select or clear the check box Always Failback to First Device if it is Available:
  - Select the check box to cause the traffic group, after failover, to fail back to the first device in the traffic group's ordered list when that device (and only that device) is available. If that device is unavailable, no failback occurs and the traffic group continues to run on the current device.
  - Clear the check box to cause the traffic group, after failover, to remain active on its current device until failover occurs again.
- Click Next.
- Make sure that the displayed traffic group settings are correct.
- Click Finished.
You now have a floating traffic group for which the default device is the peer device.
Creating an iApp application for a remote device
Use this procedure when you want to create an application to run on a remote device and associate it with the traffic group named traffic-group-2 that you previously created.
- On the Main tab, click.
- Click Create.
- From the Template list, select a template.
- From the Template Selection list, select Advanced. This causes additional settings to appear.
- In the Name field, type the name for your application service.
- For the Configure Sync and/or Failover for this application? setting, select Yes.
- For the Traffic Group setting, clear the Inherit traffic group from current partition / path field and, from the list, select traffic-group-2.
- Configure remaining settings as needed.
- At the bottom of the screen, click Finished to save your changes.
You now have an iApp application associated with traffic-group-2.
Forcing a traffic group to a standby state
You perform this task when you want the selected traffic group on the local device to fail over to another device (that is, switch to a Standby state). Users typically perform this task when no automated method is configured for a traffic group, such as auto-failback or an HA group. By forcing the traffic group into a Standby state, the traffic group becomes active on another device in the device group. For device groups with more than two members, you can choose the specific device to which the traffic group fails over.
- Log in to the device on which the traffic group is currently active.
- On the Main tab, click.
- In the Name column, locate the name of the traffic group that you want to run on the peer device.
- Select the check box to the left of the traffic group name. If the check box is unavailable, the traffic group is not active on the device to which you are currently logged in. Perform this task on the device on which the traffic group is active.
- Click Force to Standby. This displays target device options.
- Choose one of these actions:
  - If the device group has two members only, click Force to Standby. This displays the list of traffic groups for the device group and causes the local device to appear in the Next Active Device column.
  - If the device group has more than two members, then from the Target Device list, select a value and click Force to Standby.
The selected traffic group is now in a standby state on the local device and active on another device in the device group.
Syncing the BIG-IP configuration to the device group
Before you sync the configuration, verify that the devices targeted for config sync are members of a device group and that device trust is established.
This task synchronizes the BIG-IP configuration data from the local device to the devices in the device group. This synchronization ensures that devices in the device group operate properly. When synchronizing self IP addresses, the BIG-IP system synchronizes floating self IP addresses only.
You perform this task on either of the two devices, but not both.
- On the Main tab, click.
- In the Device Groups area of the screen, click the arrow next to the name of the relevant device group. The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.
- In the Devices area of the screen, choose the device that shows a sync status of Changes Pending.
- In the Sync Options area of the screen, select Push the selected device configuration to the group.
- Click Sync. The BIG-IP system syncs the configuration data of the selected device to the other members of the device group.
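The post-Setup part of this chapter (failover and mirroring addresses, device trust, the Sync-Failover device group, traffic-group-2, the forced standby and the config sync) expressed as tmsh commands, added here as an illustration and not taken from the F5 chapter. The command syntax is from the editor's knowledge of the tmsh reference, not from this page, so treat each property name as an assumption to check against `help cm device-group` on your own version; all host names, addresses and the MAC address are constructed placeholders.

```tmsh
# Added example, not from the F5 chapter. Placeholders: bigip1/bigip2 host names,
# 10.1.30.x (VLAN HA), 10.1.10.x (VLAN internal), 192.0.2.x (management).
# Run on bigip1 unless a comment says otherwise.

# --- Failover, ConfigSync and mirroring addresses (local device only) -------
# Chapter rule: the ConfigSync address is a self IP, never the management IP.
# Unicast failover addresses: HA self IP, internal self IP and management IP,
# all on the default failover port 1026. Mirroring: primary HA, secondary internal.
modify cm device bigip1.example.com \
    configsync-ip 10.1.30.1 \
    unicast-address { { ip 10.1.30.1 port 1026 } \
                      { ip 10.1.10.1 port 1026 } \
                      { ip 192.0.2.11 port 1026 } } \
    mirror-ip 10.1.30.1 \
    mirror-secondary-ip 10.1.10.1

# --- Device trust: add the peer from one device only -------------------------
# Equivalent of Add Device with Device Type = Peer, using the peer's
# management IP (the appliance case in the chapter). Use a real credential in
# place of the placeholder; the GUI's "Device Certificate Matches" check has no
# prompt here, so confirm the peer's device certificate out of band first.
modify cm trust-domain Root ca-devices add { 192.0.2.12 } \
    name bigip2.example.com username admin password 'PLACEHOLDER'

# --- Sync-Failover device group with network failover ------------------------
# "Automatic with Incremental Sync" = auto-sync enabled + full-load-on-sync
# false; network-failover enabled is the setting the chapter says active-active
# requires; 1024 KB is the incremental sync cache default from the chapter.
create cm device-group Device_Group_A \
    type sync-failover \
    devices add { bigip1.example.com bigip2.example.com } \
    auto-sync enabled \
    full-load-on-sync false \
    incremental-config-sync-size-max 1024 \
    network-failover enabled

# Link Down Time on Failover maps to the global bigdb variable the chapter
# names; this only displays it (default 0.0 is left unchanged).
list sys db failover.standby.linkdowntime

# --- Second floating traffic group whose default device is the peer ---------
# ha-order lists bigip2 first, so bigip2 is the "first device" that
# auto-failback returns to. The MAC is a constructed locally-administered
# address (bit 1 of the first octet set, 02:...), as the chapter requires.
create cm traffic-group traffic-group-2 \
    ha-order { bigip2.example.com bigip1.example.com } \
    auto-failback-enabled true \
    mac 02:01:d7:00:00:02

# --- Push this device's configuration to the group, then move traffic-group-2
run cm config-sync to-group Device_Group_A

# Force to Standby on the device where traffic-group-2 is currently active
# (bigip1, where it was created), naming the peer as the target device.
run sys failover standby traffic-group traffic-group-2 device bigip2.example.com

# --- Verify: group In Sync, and each traffic group active on its own device --
show cm sync-status
show cm failover-status
show cm traffic-group
```

After the last three commands, the expected end state is one active traffic group per device; if traffic-group-2 still shows active on bigip1, the standby command was run on the wrong device.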