Manual Chapter : Common elements file for device groups

Applies To:

BIG-IP AAM

  • 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP APM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP Link Controller

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP LTM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP AFM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP ASM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

Common elements file for device groups

  1. Open a browser window and log in to BIG-IP A, using the management IP address.
    The BIG-IP Configuration utility opens.
  2. Open a browser window and log in to BIG-IP B, using the management IP address.
    The BIG-IP Configuration utility opens.
  3. On the Main tab, click Device Management > Device Groups.
  4. In the Group Name column, view the list of device groups.
    The list shows all device groups that include the local device as a member, as well as the sync status of each group.
  5. Type a name for the device group, select the device group type Sync-Only, and type a description for the device group.
  6. Type a name for the device group, select the device group type Sync-Failover, and type a description for the device group.
  7. In the Sync Issues area of the screen, find the device group name and click the arrow.
    This displays detailed information about the sync status of the device group.
  8. On the Main tab, click Device Management > Overview.
  9. On the Device Groups list screen, click Create.
    The New Device Group screen opens.
  10. In the Name field, type a name for the device group.
  11. From the Group Type list, select a device group type.
    We recommend that you choose Sync-Failover whenever possible.
  12. From the Group Type list, select Sync-Failover.
  13. In the Device Groups area of the screen, in the Name column, view the list of device groups.
  14. Click Next.
  15. For the Members setting, select a host name from the Available list for each BIG-IP device that you want to include in the device group, including the local device. Use the Move button to move the host name to the Includes list.
    The Available list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. A device can be a member of one Sync-Failover group only. Also, for vCMP-provisioned systems on platforms that contain a hardware security module (HSM) supporting FIPS multi-tenancy, the FIPS partitions on the guests in the device group must be identical with respect to the number of SSL cores allocated to the guest's FIPS partition and the maximum number of private SSL keys that the guest can store on the HSM.
  16. For the Members setting, select a host name from the Available list for each BIG-IP device that you want to include in the device group. Use the Move button to move the host name to the Includes list.
    The list shows any devices that are members of the device's local trust domain.
  17. Select the IP address and host name for each of the two BIG-IP devices that you want the device group to contain.
  18. For the Network Failover setting, select or clear the check box:
    • Select the check box if you want device group members to handle failover communications by way of network connectivity. This is the default value and is required for active-active configurations.
    • Clear the check box if you want device group members to handle failover communications by way of serial cable (hard-wired) connectivity.
    For active-active configurations, you must select network failover, as opposed to serial-cable (hard-wired) connectivity.
  19. For the Network Failover setting, verify that network failover is enabled.
    Network failover must be enabled for active-active configurations (that is, device groups that will contain two or more active traffic groups).
  20. For the Automatic Sync setting, select the check box.
  21. For the Automatic Sync setting, specify whether configuration synchronization occurs manually or automatically:
    • Select the check box when you want the BIG-IP system to automatically sync the BIG-IP configuration data whenever a config sync operation is required. In this case, the BIG-IP system syncs the configuration data whenever the data changes on any device in the device group.
    • Clear the check box when you want to manually initiate each config sync operation. In this case, F5 Networks recommends that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
  22. From the Sync Type list:
    • Select Automatic with Incremental Sync when you want the BIG-IP system to automatically sync the most recent BIG-IP configuration changes from a device to the other members of the device group. In this case, the BIG-IP system syncs the configuration data whenever the data changes on any device in the device group.
    • Select Manual with Incremental Sync when you want to manually initiate a config sync operation. In this case, the BIG-IP system syncs the latest BIG-IP configuration changes from the device you choose to the other members of the device group. We strongly recommend that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
    • Select Manual with Full Sync when you want to manually initiate a config sync operation. In this case, the BIG-IP system syncs the full set of BIG-IP configuration data from the device you choose to the other members of the device group. We strongly recommend that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
  23. For the Automatic Sync setting, select or clear the check box:
    Action: Select (Enable)
    Result: Select the check box when you want the BIG-IP system to automatically sync configuration data to device group members whenever a change occurs. When you enable this setting, the BIG-IP system automatically syncs, but does not save, the configuration change on each device (this is the default behavior). To save the updated configuration on each device, you can log in to each device and, at the tmsh prompt, type save sys config. Alternatively, you can change the default behavior so that the system automatically saves configuration changes on target devices after an automatic config sync. You make this change by logging in to one of the devices in the device group and, at the tmsh prompt, typing modify cm device-group <name> save-on-auto-sync true.
    Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device.
    Automatically saving configuration changes on target devices can provide a best practice for synchronizing configuration changes throughout a device group; however, in some instances, there is a potential to lose changes made on a local device while a remote peer device in the device group is rebooting. To prevent the possibility of an older configuration on a remote peer device from overwriting the latest changed configuration on a local device, complete the following steps.
    1. Disable automatic sync on all device groups that include the local device with the latest changed configuration.
    2. Reboot the remote peer device. The device group indicates changes pending.
    3. Change an object, such as the device description, on the local device if it appears in all device groups, or on a local device in each device group.
    4. Manually sync the device group to each local device.
    5. Enable automatic sync on all device groups.
    Action: Clear (Disable)
    Result: Clear the check box when you want to disable automatic sync. When this setting is disabled, you must manually initiate each config sync operation. We recommend that you perform a config sync whenever configuration data changes on one of the devices in the device group. After you perform a manual config sync, the BIG-IP system automatically saves the configuration change on each device group member.
  24. Click Finished.
  25. In the Group Name column, click the name of the relevant device group.
  26. In the Device Groups area of the screen, click the arrow next to the name of the relevant device group.
    The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.
  27. In the Group Name column, click the name of the default device group.
  28. In the Devices area of the screen, choose a device.
  29. In the Devices area of the screen, choose the device that shows a sync status of Changes Pending.
  30. In the Devices area of the screen, view the sync status of each device:
    • If all devices show a sync status of green, the configurations of all device members are synchronized, and you do not need to perform a config sync operation. Here is a sample Overview screen showing a status of In Sync:
    • If any device shows a sync status of Changes Pending, you must synchronize the configuration on that device to the other members of the device group. Here is a sample Overview screen showing a status of Changes Pending:
    A status of Changes Pending for a device indicates that the device contains recent configuration changes that have not yet been synchronized to the other members of the device group.
  31. In the Devices area of the screen, in the Sync Status column, view the device that shows a sync status of Changes Pending.
    A status of Changes Pending for a device indicates that the device contains recent configuration changes that have not yet been synchronized to the other members of the device group.
  32. In the Recent Changes area of the screen, choose BIG-IP A.
    This device should show a status of Changes Pending.
  33. In the Recent Changes area of the screen, choose BIG-IP B.
    This device should show a status of Changes Pending.
  34. In the Sync Options area of the screen, choose an option:
    Option | Description
    Push the selected device configuration to the group | Select this option when you want to synchronize the configuration of the selected device to the other device group members.
    Pull the most recent configuration to the selected device | Select this option when you want to synchronize the most recent configurations of one or more device group members to the selected device.
  35. In the Sync Options area of the screen, select Push the selected device configuration to the group.
  36. Click Sync.
    The BIG-IP system syncs the configuration data of the selected device to the other members of the device group.
  37. Click Sync.
    The BIG-IP system syncs the configuration data of BIG-IP B to the other members of the device group.
  38. Click Sync.
    The BIG-IP system syncs the configuration data of BIG-IP A to the other members of the device group.
  39. In the Sync Options area of the screen, select Sync Group to Device.
    When you select Sync Group to Device, the selected device in the Device area of the screen represents the target of the data being synchronized.
  40. In the Group Name column, locate the name of the relevant device group.
  41. In the ConfigSync Status column, view the status of the device group.
  42. On the menu bar, click Failover.
  43. On the menu bar, click ConfigSync.
  44. Click Synchronize To Group.
  45. Determine which option to select for synchronization.
    Option | Description
    Synchronize To Group | Synchronizes the configuration data on the local device to all device group members.
    Synchronize From Group | Synchronizes the configuration data on other device group members to the local member.
  46. In the Members area of the screen, select a host name from the Available list for each BIG-IP device that you want to include in the device group. Use the Move button to move the host name to the Selected list.
    The Available list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. If you are attempting to add a member to a Sync-Failover group and you do not see the member name in the list, it is possible that the device is already a member of another Sync-Failover device group. A device can be a member of one Sync-Failover group only.
  47. Check the box for the member you want to add to the device group.
    The list displays devices that are members of the device's local trust domain. If you are attempting to add a member to a Sync-Failover group and you do not see the member name in the list, it is possible that the device is already a member of another Sync-Failover device group. A device can be a member of one Sync-Failover group only.
  48. Click Add.
    The device appears in the list of device group members.
  49. For Automatic Sync, clear or select the check box.
  50. For Full Sync, clear or select the check box.
  51. For the Full Sync setting, specify whether the system synchronizes the entire configuration during synchronization operations:
    • Select the check box when you want all sync operations to be full syncs. In this case, every time a config sync operation occurs, the BIG-IP system synchronizes all configuration data associated with the device group. This setting has a performance impact and is not recommended for most customers.
    • Clear the check box when you want all sync operations to be incremental (the default setting). In this case, the BIG-IP system syncs only the changes that are more recent than those on the target device. When you select this option, the BIG-IP system compares the configuration data on each target device with the configuration data on the source device and then syncs the delta of each target-source pair.
    If you enable incremental synchronization, the BIG-IP system might occasionally perform a full sync for internal reasons. This is a rare occurrence and no user intervention is required.
  52. From the Configuration list, select Advanced.
  53. From the Configuration list, select Basic.
  54. In the Maximum Incremental Sync Size (KB) field, retain the default value of 1024, or type a different value.
    This value specifies the total size of configuration changes that can reside in the incremental sync cache. If the total size of the configuration changes in the cache exceeds the specified value, the BIG-IP system performs a full sync whenever the next config sync operation occurs.
  55. Click Sync.
  56. Verify that the devices are synchronized.
    For example, log in to another device in the device group and verify that the security policy you created also resides on that system. Click Security > Application Security > Security Policies and see if the policy is listed.
  57. Click Update.
  58. Click Save Changes.
  59. Display any BIG-IP Configuration utility screen.
  60. In the upper left corner of the screen, view the status of the device group:
    • If the sync status is green (In Sync), the local device is synchronized with all device group members, and you do not need to perform a config sync operation.
    • If the sync status is yellow (Changes Pending), the BIG-IP configuration on the local device is out of sync with one or more device group members, or device trust is not fully established. You must therefore ensure that a config sync operation occurs for the relevant device group. If the Automatic Sync setting is enabled for the device group, the BIG-IP system synchronizes the configuration automatically, and no user action is required.
  61. For each device, sync the configuration:
    1. On the Main tab, click Device Management > Overview.
    2. In the Device Groups area of the screen, in the Name column, select the name of the relevant device group.
      The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.
    3. In the Devices area of the screen, in the Sync Status column, select a device.
    4. From the Sync options list, select a sync option.
      Option | Description
      Sync Device to Group | Select this option to synchronize the configuration of the selected device to the device group.
      Sync Group to Device | Select this option to synchronize the configuration of the device group to the selected device.
    5. Click Sync.
  62. Locate the Partition list in the upper right area of the BIG-IP Configuration utility screen, to the left of the Log out button.
  63. From the Partition list, select the partition in which you want to create local traffic objects.
  64. From the Partition list, confirm or select partition Common.
  65. In the Description field, type a description of the device group.
    This setting is optional.