Applies To:
BIG-IP AAM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP APM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP LTM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP DNS
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
BIG-IP ASM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Overview: Device service clustering for vCMP systems
One of the tasks of a vCMP® guest administrator is to configure device service clustering (DSC®). Using DSC, a guest administrator can implement high availability among two or more guests. Configuring DSC is the same on a vCMP system as on non-virtualized systems, except that the members of a device group are virtual devices (guests) rather than physical devices.
When configuring DSC, a guest administrator creates a device group that consists of vCMP guests as members, where each member is deployed on a separate BIG-IP device.
For example, a Sync-Failover device group in an active-standby configuration can consist of:
- guest_A on device_1 and guest_A on device_2
- guest_B on device_1 and guest_B on device_2
- guest_C on device_1 and guest_C on device_2
Creating a device group that consists of guests on separate appliances ensures that if a device member goes out of service, any active traffic groups on a guest can fail over to another member of the device group.
This illustration shows this DSC configuration. The illustration shows two appliances, with three guests on each appliance. Each guest and its equivalent guest on the other device form a separate Sync-Failover device group.
vCMP guests forming three device groups across two appliances
Required IP addresses for DSC configuration
This table describes the types of IP addresses that a guest administrator specifies when configuring device service clustering (DSC®) on a vCMP system.
Configuration feature | IP addresses required |
---|---|
Device trust | The cluster IP address that the vCMP host administrator assigned to the guest during guest creation. |
Config sync | Any non-floating self IP address on the guest that is associated with an internal VLAN on the host. |
Failover | A unicast non-floating self IP address on the guest that is associated with an internal VLAN on the host (preferably VLAN HA) and the management IP address of the device. |
Connection mirroring | For both the primary and the secondary IP addresses, a non-floating self IP address on the guest that is associated with an internal VLAN on the host. The secondary address is optional. |
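
The rules in this table expressed as a configuration check, as an added example (not F5 code and not a BIG-IP API). The dictionary layout, key names and addresses are constructed assumptions; the cluster IP and management IP are kept as separate fields because the table names them separately.

```python
import ipaddress

def check_dsc_addresses(guest):
    """Return findings; an empty list means the table's rules hold."""
    # Only non-floating self IPs on host-provided internal VLANs qualify
    # for config sync, failover and connection mirroring.
    usable = {s["address"] for s in guest["self_ips"]
              if not s["floating"] and s["vlan"] in guest["internal_vlans"]}
    dsc, findings = guest["dsc"], []
    if dsc["device_trust"] != guest["cluster_ip"]:
        findings.append("device trust: not the host-assigned cluster IP")
    if dsc["config_sync"] not in usable:
        findings.append("config sync: not a non-floating internal self IP")
    unicast = dsc["failover_unicast"]
    for addr in unicast:
        if ipaddress.ip_address(addr).is_multicast:
            findings.append(f"failover: {addr} is multicast, not unicast")
        elif addr not in usable and addr != guest["management_ip"]:
            findings.append(f"failover: {addr} is not an allowed address")
    if not usable.intersection(unicast):
        findings.append("failover: no non-floating internal self IP listed")
    if guest["management_ip"] not in unicast:
        findings.append("failover: management IP not listed")
    if dsc["mirror_primary"] not in usable:
        findings.append("mirroring: primary is not a usable self IP")
    secondary = dsc.get("mirror_secondary")  # optional per the table
    if secondary is not None and secondary not in usable:
        findings.append("mirroring: secondary is not a usable self IP")
    return findings

# Constructed sample guest (documentation-range addresses, hypothetical VLANs).
GOOD = {
    "cluster_ip": "192.0.2.10", "management_ip": "192.0.2.10",
    "internal_vlans": {"HA", "internal"},
    "self_ips": [
        {"address": "198.51.100.1", "floating": False, "vlan": "HA"},
        {"address": "198.51.100.100", "floating": True, "vlan": "HA"},
        {"address": "203.0.113.5", "floating": False, "vlan": "external"},
    ],
    "dsc": {"device_trust": "192.0.2.10", "config_sync": "198.51.100.1",
            "failover_unicast": ["198.51.100.1", "192.0.2.10"],
            "mirror_primary": "198.51.100.1"},
}
# Same guest, but the floating self IP is used for config sync and failover.
BAD = {**GOOD, "dsc": {**GOOD["dsc"], "config_sync": "198.51.100.100",
                       "failover_unicast": ["198.51.100.100"]}}

if __name__ == "__main__":
    print(check_dsc_addresses(GOOD), check_dsc_addresses(BAD))
```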
Failover methods for vCMP guests
Each traffic group in a device service clustering (DSC®) device group has a property known as a failover method. The failover method dictates the way that the system chooses a target device for failover. The available failover methods are load-aware failover, an ordered list, and an HA group.
The specific core allocation for a guest in a Sync-Failover device group determines the particular failover method that is appropriate for a DSC traffic group within the guest:
- Guests in a device group that are identical in terms of core allocation are considered to be homogeneous guests. In this case, an ordered list would be an appropriate failover method, since relative capacity is equal among all guests.
- Guests in a device group that differ from one another in terms of core allocation are considered to be heterogeneous guests. In this case, load-aware failover is an appropriate failover method because the guest administrator can define a relative capacity and relative traffic load for each guest.
An additional type of failover method is an HA group, which applies to both homogeneous and heterogeneous guests.
About HA groups for vCMP systems
For failover configuration, an alternative to using load-aware failover or an ordered list to choose the next-active device for a traffic group is to use an HA group. An HA group is a specification of certain pools or host trunks (or any combination of these) that a guest administrator associates with a traffic group instance. The most common reason to configure an HA group is to ensure that failover is triggered when some number of trunk members become unavailable.
The BIG-IP® system uses an HA group to calculate an overall health score for the instance of a traffic group on a guest. The instance of a traffic group that has the best overall score at any given time becomes or remains the active traffic group instance. With an HA group, the system triggers failover of a traffic group based on changes to trunk or pool health instead of on system, gateway, or VLAN failure.
Because trunks and HA groups are never synchronized among guests as part of a config sync operation, you must assign a separate HA group to each traffic group instance. For example, you could create ha_group_A to reference the host trunk my_trunk and assign the HA group to traffic-group-1 on guest_A. You could then create another HA group, ha_group_B, to also reference my_trunk and assign the HA group to the same traffic group (traffic-group-1) on guest_B.
About connection mirroring for vCMP systems
Connection mirroring is a device service clustering (DSC®) feature that allows a device to mirror its connection and persistence information to another device. Connection mirroring prevents interruption in service during failover. On a vCMP system, the devices that mirror their connections to each other are virtual devices (vCMP guests).
About device group members on FIPS multi-tenancy platforms
Certain platforms on which you can provision Virtual Clustered Multiprocessing (vCMP) contain a hardware security module (HSM) that supports FIPS multi-tenancy. That is, you can assign a portion of HSM SSL resources to each guest on the system.
If you intend to create a Sync-Failover device group with vCMP guests as members, the FIPS partitions on the guests in the device group must be identical with respect to the number of SSL cores allocated to the guest's FIPS partition and the maximum number of private SSL keys that the guest can store on the HSM.
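
The placement, failover-method and FIPS-partition rules from this page combined into a pre-deployment check, as an added example (not F5 code). The `Guest` fields, the device group labels and the inventory values are constructed assumptions, and the script queries no BIG-IP system.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Guest:
    name: str            # guest name
    host: str            # physical BIG-IP device hosting the guest
    group: str           # Sync-Failover device group (hypothetical label)
    cores: int           # CPU cores allocated to the guest
    fips_ssl_cores: int  # SSL cores in the guest's FIPS partition (0 = none)
    fips_max_keys: int   # max private SSL keys the guest can store on the HSM

def audit(guests):
    """Return {group: {"failover_method": str, "problems": [str, ...]}}."""
    by_group = defaultdict(list)
    for g in guests:
        by_group[g.group].append(g)
    report = {}
    for group, members in sorted(by_group.items()):
        problems = []
        if len(members) < 2:
            problems.append("fewer than two members: no failover target")
        hosts = defaultdict(list)
        for g in members:
            hosts[g.host].append(g.name)
        for host, names in sorted(hosts.items()):
            if len(names) > 1:
                problems.append(f"{len(names)} members share host {host}")
        # Identical core allocation = homogeneous guests (HA group fits both).
        homogeneous = len({g.cores for g in members}) == 1
        method = "ordered list" if homogeneous else "load-aware"
        if len({(g.fips_ssl_cores, g.fips_max_keys) for g in members}) > 1:
            problems.append("FIPS partitions differ (SSL cores / max keys)")
        report[group] = {"failover_method": method, "problems": problems}
    return report

# Constructed inventory: dg_A is sound, dg_B is heterogeneous with mismatched
# FIPS partitions, dg_C places both members on the same appliance.
SAMPLE = [
    Guest("guest_A", "device_1", "dg_A", 4, 2, 1000),
    Guest("guest_A", "device_2", "dg_A", 4, 2, 1000),
    Guest("guest_B", "device_1", "dg_B", 2, 1, 500),
    Guest("guest_B", "device_2", "dg_B", 4, 2, 500),
    Guest("guest_C", "device_1", "dg_C", 2, 0, 0),
    Guest("guest_C_peer", "device_1", "dg_C", 2, 0, 0),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```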