F5 Lab 1.4: High Availability Configuration

After configuring the network in my last article here, the next step is high availability configuration. Deploying F5 with high availability is not mandatory, especially in a lab or development environment, but in a production environment it is always recommended to have a redundant pair of devices.

To configure F5 BIG-IP systems as an HA pair, the following requirements should be met:

  1. The same software version is a must, and the same model and capability are recommended
  2. At least one VLAN configured
  3. At least one self IP address configured
  4. Time synchronized between the devices

Failover on an F5 device is essentially "moving" traffic group objects from one system to another. There are two failover methods: Hardwired Failover and Network Failover.

  • Hardwired Failover: A failover method that uses an electrical voltage signal to send the heartbeat to the peer device. It uses a dedicated serial interface and is only available on hardware platforms.
  • Network Failover: A failover method that uses the internal IP network to send heartbeat packets to the peer device.

When both methods are used, hardwired failover always takes precedence. So, if the network failover traffic is compromised, the two units do not fail over because the hardwired failover cable still connects them. For a more detailed comparison between them, click on this link. My lab uses the virtual edition, so only network failover is available.

F5 BIG-IP uses the Device Service Clustering (DSC) framework for configuration synchronization, mirroring and failover. F5 high availability can be deployed in Active/Active or Active/Standby mode. In this article, I will start with the Active/Standby mode configuration.

1. Create New Dedicated VLAN for HA

I could use an existing VLAN for HA communication, but to keep it isolated from other traffic I create a dedicated VLAN.

Add a new VLAN for HA communication and give it an appropriate VLAN ID and interface tagging. Create the VLAN on both devices.

2. Create New Self IP For HA

As with the VLAN, I could use an existing self IP address for HA communication, but to keep it isolated from other traffic I create a dedicated self IP. Create the self IP on both devices.

The thing to be aware of is the Port Lockdown setting for the self IP. It should not be set to Allow None, because Allow None accepts only ICMP traffic plus, as exceptions, mirroring traffic on TCP ports 1029 through 1155 and synchronization traffic on TCP 4353. Network failover traffic on UDP port 1026 must be permitted for failover purposes. I used the Allow Default option, which allows the failover traffic by default; you can also choose Allow Custom and explicitly allow UDP port 1026 in the rule.
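An added example (not from the original article): a Python check that reads self IP stanzas in the style of `tmsh list net self` output and reports whether each self IP on the HA VLAN accepts network failover heartbeats on UDP 1026. The sample configuration, the names `ha-vlan` and `ha-self-*`, and the numeric `proto:port` entry form are constructed assumptions.

```python
import re

# Constructed sample in the style of `tmsh list net self` output. Names,
# addresses and the numeric proto:port entries are assumptions for illustration.
SAMPLE = """\
net self ha-self-default {
    address 10.1.30.1/24
    allow-service {
        default
    }
    vlan ha-vlan
}
net self ha-self-custom {
    address 10.1.30.2/24
    allow-service {
        udp:1026
    }
    vlan ha-vlan
}
net self ha-self-none {
    address 10.1.30.3/24
    allow-service none
    vlan ha-vlan
}
net self external-self {
    address 192.0.2.10/24
    allow-service none
    vlan external
}
"""

STANZA = re.compile(r"^net self (\S+) \{\n(.*?)^\}", re.M | re.S)
ALLOW = re.compile(r"allow-service\s+(?:\{(.*?)\}|(\S+))", re.S)

def allowed_services(body):
    """Return one stanza's allow-service entries as a set of tokens."""
    m = ALLOW.search(body)
    # A stanza without the line is treated as permitting nothing (assumption).
    return set((m.group(1) or m.group(2) or "").split()) if m else set()

def permits_failover(services):
    """UDP 1026 passes under Allow Default, Allow All or an explicit entry."""
    return bool(services & {"default", "all", "udp:1026"})

def audit(config, vlan):
    """Map each self IP on `vlan` to True if it accepts failover heartbeats."""
    return {
        name: permits_failover(allowed_services(body))
        for name, body in STANZA.findall(config)
        if re.search(rf"^\s*vlan {re.escape(vlan)}$", body, re.M)
    }
```

Calling `audit(SAMPLE, "ha-vlan")` flags `ha-self-none` as the only HA self IP that would drop the failover heartbeat.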

3. Configure Config Sync

For device configuration synchronization, the local address that will be the source of the synchronization process must be configured explicitly. Navigate to Device Management => Devices => choose the self device. Click the ConfigSync tab. Then, I used the IP address of the HA VLAN self IP and clicked "Update".

Configure ConfigSync on both devices. The only difference is the IP address.

4. Configure Network Failover

For the failover process in the event of a failure on the active device, we need to configure network failover by specifying the VLAN or the Management Address. Navigate to Device Management => Devices => choose the self device. Then, click the "Failover Network" tab. Under Failover Unicast Configuration, click "Add".

Then, choose the address of the HA VLAN, leave the port as default and click "Finished".

Configure Network Failover on both devices. The only difference is the IP address.

5. Create Device Trust

To synchronize the devices, both devices must first establish a Device Trust relationship. Device Trust is how the devices authorize each other by exchanging device certificates. Navigate to Device Management => Device Trust => Device Trust Members.

Under Peer and Subordinate Devices, click "Add" on the right-hand side.

Fill in the device IP address, administrator username and administrator password of the peer device. Then, click "Retrieve Device Information".

If the information is correct, the device certificate is shown; if it matches, click "Device Certificate Matches".

Then, the hostname of the device is populated; click "Add Device".

Verify that the peer device was successfully added. In my case it is bigip2.example.com.

6. Create New Device Group

Navigate to Device Management => Device Groups and then click "Create".

Then, in the Device Group pop-up configuration, configure these parameters:

  • Name: The name of the Device Group being created
  • Group Type: The device group operation; because the group will be used for failover, choose Sync-Failover.
  • Description: The description of the Device Group being created
  • Members: Add all devices that will be members of the group
  • Sync Type: The type of synchronization used when there is a configuration change on the device. I chose Manual with Incremental Sync, so when there is a change I need to sync the configuration manually, and the sync then applies only the newly added configuration rather than the full configuration.

Then, click "Finished" and verify the created device group.

After the device group is created, the device status changes to Awaiting Initial Sync. We need to sync the device configuration. Navigate to Device Management => Overview. Select bigip1.example.com and "Push the selected device configuration to the group", then click "Sync".

After the configuration is synced, the status of all devices changes to In Sync.

In the device status, bigip1.example.com is Online (Standby), but I want this device to be active and bigip2.example.com to be standby. To do this, log in to bigip2.example.com and navigate to Device Management => Traffic Groups => traffic-group-1. Then, click "Force to Standby".

Force to Standby can only be initiated from the active device. Then, the failover occurs and bigip1.example.com becomes active for the traffic group.
