Manual Chapter: Common elements file for device groups
Applies To:
BIG-IP APM
- 15.0.1, 15.0.0
- Open a browser window and log in to BIG-IP A, using the management IP address. The BIG-IP Configuration utility opens.
- Open a browser window and log in to BIG-IP B, using the management IP address. The BIG-IP Configuration utility opens.
- On the Main tab, click.
- In the Group Name column, view the list of device groups. The list shows all device groups that include the local device as a member, as well as the sync status of each group.
- Type a name for the device group, select the device group type Sync-Only, and type a description for the device group.
- Type a name for the device group, select the device group type Sync-Failover, and type a description for the device group.
- In the Sync Issues area of the screen, find the device group name and click the arrow. This displays detailed information about the sync status of the device group.
- On the Main tab, click.
- On the Device Groups list screen, click Create. The New Device Group screen opens.
- In the Name field, type a name for the device group.
- From the Group Type list, select a device group type. We recommend that you choose Sync-Failover whenever possible.
- From the Group Type list, select Sync Failover.
- In the Device Groups area of the screen, in the Name column, view the list of device groups.
- Click Next.
- For the Members setting, select a host name from the Available list for each BIG-IP device that you want to include in the device group, including the local device. Use the Move button to move the host name to the Includes list. The Available list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. A device can be a member of one Sync-Failover group only. Also, for vCMP-provisioned systems on platforms that contain a hardware security module (HSM) supporting FIPS multi-tenancy, the FIPS partitions on the guests in the device group must be identical with respect to the number of SSL cores allocated to the guest's FIPS partition and the maximum number of private SSL keys that the guest can store on the HSM.
- For the Members setting, select a host name from the Available list for each BIG-IP device that you want to include in the device group. Use the Move button to move the host name to the Includes list. The list shows any devices that are members of the device's local trust domain.
- Select the IP address and host name for each of the two BIG-IP devices that you want the device group to contain.
- For the Network Failover setting, select or clear the check box:
  - Select the check box if you want device group members to handle failover communications by way of network connectivity. This is the default value and is required for active-active configurations.
  - Clear the check box if you want device group members to handle failover communications by way of serial cable (hard-wired) connectivity.
  For active-active configurations, you must select network failover, as opposed to serial-cable (hard-wired) connectivity.
- For the Network Failover setting, verify that network failover is enabled. Network failover must be enabled for active-active configurations (that is, device groups that will contain two or more active traffic groups).
- For the Automatic Sync setting, select the check box.
- For the Automatic Sync setting, specify whether configuration synchronization occurs manually or automatically:
  - Select the check box when you want the BIG-IP system to automatically sync the BIG-IP configuration data whenever a config sync operation is required. In this case, the BIG-IP system syncs the configuration data whenever the data changes on any device in the device group.
  - Clear the check box when you want to manually initiate each config sync operation. In this case, F5 Networks recommends that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
- From the Sync Type list:
  - Select Automatic with Incremental Sync when you want the BIG-IP system to automatically sync the most recent BIG-IP configuration changes from a device to the other members of the device group. In this case, the BIG-IP system syncs the configuration data whenever the data changes on any device in the device group.
  - Select Manual with Incremental Sync when you want to manually initiate a config sync operation. In this case, the BIG-IP system syncs the latest BIG-IP configuration changes from the device you choose to the other members of the device group. We strongly recommend that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
  - Select Manual with Full Sync when you want to manually initiate a config sync operation. In this case, the BIG-IP system syncs the full set of BIG-IP configuration data from the device you choose to the other members of the device group. We strongly recommend that you perform a config sync operation whenever configuration data changes on one of the devices in the device group.
- For the Automatic Sync setting, select or clear the check box:
  - Select (Enable): Select the check box when you want the BIG-IP system to automatically sync configuration data to device group members whenever a change occurs. When you enable this setting, the BIG-IP system automatically syncs, but does not save, the configuration change on each device (this is the default behavior). To save the updated configuration on each device, you can log in to each device and, at the tmsh prompt, type save sys config. Alternatively, you can change the default behavior so that the system automatically saves configuration changes on target devices after an automatic config sync. You make this change by logging in to one of the devices in the device group and, at the tmsh prompt, typing modify cm device-group name save-on-auto-sync true. Enabling the save-on-auto-sync option can unexpectedly impact system performance when the BIG-IP system automatically saves a large configuration change to each device. Automatically saving configuration changes on target devices can provide a best practice for synchronizing configuration changes throughout a device group; however, in some instances, there is a potential to lose changes made on a local device while a remote peer device in the device group is rebooting. To prevent the possibility of an older configuration on a remote peer device from overwriting the latest changed configuration on a local device, complete the following steps.
    - Disable automatic sync on all device groups that include the local device with the latest changed configuration.
    - Reboot the remote peer device. The device group indicates changes pending.
    - Change an object, such as the device description, on the local device if it appears in all device groups, or on a local device in each device group.
    - Manually sync the device group to each local device.
    - Enable automatic sync on all device groups.
  - Clear (Disable): Clear the check box when you want to disable automatic sync. When this setting is disabled, you must manually initiate each config sync operation. We recommend that you perform a config sync whenever configuration data changes on one of the devices in the device group. After you perform a manual config sync, the BIG-IP system automatically saves the configuration change on each device group member.
- Click Finished.
- In the Group Name column, click the name of the relevant device group.
- In the Device Groups area of the screen, click the arrow next to the name of the relevant device group. The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.
- In the Group Name column, click the name of the default device group.
- In the Devices area of the screen, choose a device.
- In the Devices area of the screen, choose the device that shows a sync status of Changes Pending.
- In the Devices area of the screen, view the sync status of each device:
  - If all devices show a sync status of green, the configurations of all device members are synchronized, and you do not need to perform a config sync operation. Here is a sample Overview screen showing a status of In Sync:
  - If any device shows a sync status of Changes Pending, you must synchronize the configuration on that device to the other members of the device group. Here is a sample Overview screen showing a status of Changes Pending:
  A status of Changes Pending for a device indicates that the device contains recent configuration changes that have not yet been synchronized to the other members of the device group.
- In the Devices area of the screen, in the Sync Status column, view the device that shows a sync status of Changes Pending. A status of Changes Pending for a device indicates that the device contains recent configuration changes that have not yet been synchronized to the other members of the device group.
- In the Recent Changes area of the screen, choose BIG-IP A. This device should show a status of Changes Pending.
- In the Recent Changes area of the screen, choose BIG-IP B. This device should show a status of Changes Pending.
- In the Sync Options area of the screen, choose an option:
  - Push the selected device configuration to the group: Select this option when you want to synchronize the configuration of the selected device to the other device group members.
  - Pull the most recent configuration to the selected device: Select this option when you want to synchronize the most recent configurations of one or more device group members to the selected device.
- In the Sync Options area of the screen, select Push the selected device configuration to the group.
- Click Sync. The BIG-IP system syncs the configuration data of the selected device to the other members of the device group.
- Click Sync. The BIG-IP system syncs the configuration data of BIG-IP B to the other members of the device group.
- Click Sync. The BIG-IP system syncs the configuration data of BIG-IP A to the other members of the device group.
- In the Sync Options area of the screen, select Sync Group to Device. When you select Sync Group to Device, the selected device in the Device area of the screen represents the target of the data being synchronized.
- In the Group Name column, locate the name of the relevant device group.
- In the ConfigSync Status column, view the status of the device group.
- On the menu bar, click Failover.
- On the menu bar, click ConfigSync.
- In the Link Down Time on Failover field, use the default value of 0.0, or specify a new value. This setting specifies the amount of time, in seconds, that interfaces for any external VLANs are down when a traffic group fails over and goes to the standby state. Specifying a value other than 0.0 for this setting causes other vendor switches to use the specified time to learn the MAC address of the newly-active device. This setting is a system-wide setting, and does not apply to this device group only. Specifying a value in this field causes the BIG-IP system to assign this value to the global bigdb variable failover.standby.linkdowntime.
- Click Synchronize To Group.
- Determine which option to select for synchronization:
  - Synchronize To Group: Synchronizes the configuration data on the local device to all device group members.
  - Synchronize From Group: Synchronizes the configuration data on other device group members to the local member.
- In the Members area of the screen, select a host name from the Available list for each BIG-IP device that you want to include in the device group. Use the Move button to move the host name to the Selected list. The Available list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. If you are attempting to add a member to a Sync-Failover group and you do not see the member name in the list, it is possible that the device is already a member of another Sync-Failover device group. A device can be a member of one Sync-Failover group only.
- Check the box for the member you want to add to the device group. The list displays devices that are members of the device's local trust domain. If you are attempting to add a member to a Sync-Failover group and you do not see the member name in the list, it is possible that the device is already a member of another Sync-Failover device group. A device can be a member of one Sync-Failover group only.
- Click Add. The device appears in the list of device group members.
- For Automatic Sync, clear or select the check box.
- For Full Sync, clear or select the check box.
- For the Full Sync setting, specify whether the system synchronizes the entire configuration during synchronization operations:
  - Select the check box when you want all sync operations to be full syncs. In this case, every time a config sync operation occurs, the BIG-IP system synchronizes all configuration data associated with the device group. This setting has a performance impact and is not recommended for most customers.
  - Clear the check box when you want all sync operations to be incremental (the default setting). In this case, the BIG-IP system syncs only the changes that are more recent than those on the target device. When you select this option, the BIG-IP system compares the configuration data on each target device with the configuration data on the source device and then syncs the delta of each target-source pair.
  If you enable incremental synchronization, the BIG-IP system might occasionally perform a full sync for internal reasons. This is a rare occurrence and no user intervention is required.
- From the Configuration list, select Advanced.
- From the Configuration list, select Basic.
- In the Maximum Incremental Sync Size (KB) field, retain the default value of 1024, or type a different value. This value specifies the total size of configuration changes that can reside in the incremental sync cache. If the total size of the configuration changes in the cache exceeds the specified value, the BIG-IP system performs a full sync whenever the next config sync operation occurs.
- Click Sync.
- Verify that the devices are synchronized. For example, log in to another device in the device group and verify that the security policy you created also resides on that system. Click and see if the policy is listed.
- Click Update.
- Click Save Changes.
- Display any BIG-IP Configuration utility screen.
- In the upper left corner of the screen, view the status of the device group:
  - If the sync status is green (In Sync), the local device is synchronized with all device group members, and you do not need to perform a config sync operation.
  - If the sync status is yellow (Changes Pending), the BIG-IP configuration on the local device is out of sync with one or more device group members, or device trust is not fully established. You must therefore ensure that a config sync operation occurs for the relevant device group. If the Automatic Sync setting is enabled for the device group, the BIG-IP system synchronizes the configuration automatically, and no user action is required.
- For each device, sync the configuration:
- On the Main tab, click.
- In the Device Groups area of the screen, in the Name column, select the name of the relevant device group. The screen expands to show a summary and details of the sync status of the selected device group, as well as a list of the individual devices within the device group.
- In the Devices area of the screen, in the Sync Status column, select a device.
- From the Sync options list, select a sync option:
  - Sync Device to Group: Select this option to synchronize the configuration of the selected device to the device group.
  - Sync Group to Device: Select this option to synchronize the configuration of the device group to the selected device.
- Click Sync.
- Locate the Partition list in the upper right area of the BIG-IP Configuration utility screen, to the left of the Log out button.
- From the Partition list, select the partition in which you want to create local traffic objects.
- From the Partition list, confirm or select partition Common.
- In the Description field, type a description of the device group. This setting is optional.