F5 BigIP Cluster

Here is a sort of "best practices guide" for a cluster configuration on F5's BIG-IP devices. I will refer to the configuration of two devices, but the same applies to a larger cluster.

First of all we need to make sure that:

  • Our license is valid
GUI - System ›› License
CLI - tmsh show /sys license
  • Date and time are synced (device trust is certificate based, so a large clock skew between the devices can make a peer's certificate look not yet valid or expired)
GUI - System ›› Configuration ›› Device ›› NTP
CLI - tmsh list /sys ntp servers to see the configured servers, ntpq -np to check that a peer is actually selected (marked with *), or date -s "Day Month Year HH:mm:ss" to set the clock by hand until NTP is working
  • Both devices have a VLAN for the sync; ideally it is a point-to-point link connected directly between the two devices
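A small script for the three prerequisites above, added here as an example (it is not part of the original post). The output layouts it parses (tmsh show sys license, ntpq -np, tmsh list net self ... allow-service) are assumed from v11-era BIG-IP output, so the check_* functions take the command output as text and can be tried against captured text before relying on them; the sample strings in the comments are constructed.

```shell
#!/bin/bash
# Pre-cluster sanity checks for a BIG-IP. Added example, not from the original post.
# The check_* functions take command output as a string, so they can be exercised
# offline with captured text; "main" feeds them the live output on a real device.
# The output layouts parsed here are assumed from BIG-IP v11-era tmsh/ntpq output.

# check_license OUTPUT [TODAY]
# 0 when the output of "tmsh show sys license" describes a usable license.
# Assumed layout: "License End Date   YYYY/MM/DD" (absent if the license does
# not expire) and "Can't load license" when none is installed.
check_license() {
    local out=$1 today=${2:-$(date +%Y/%m/%d)} end
    printf '%s\n' "$out" | grep -q "Can't load license" && return 1
    end=$(printf '%s\n' "$out" | awk '/^License End Date/ { print $4 }')
    [ -z "$end" ] && return 0            # nothing to expire
    [[ ! "$end" < "$today" ]]            # YYYY/MM/DD compares correctly as a string
}

# check_ntp OUTPUT [MAX_OFFSET_MS]
# 0 when "ntpq -np" lists a selected system peer (leading "*") whose offset is
# within MAX_OFFSET_MS (default 1000). The offset is the 9th column once the
# tally character is stripped. Device trust is certificate based, so a large
# skew makes the peer's certificate look not yet valid or expired.
check_ntp() {
    printf '%s\n' "$1" | awk -v max="${2:-1000}" '
        /^\*/ { sub(/^\*/, ""); o = $9; if (o < 0) o = -o; if (o < max) ok = 1 }
        END   { exit ok ? 0 : 1 }'
}

# check_sync_lockdown OUTPUT
# 0 when the port lockdown from "tmsh list net self <name> allow-service" lets
# ConfigSync/mirroring (tcp 4353, service name f5-iquery) and network failover
# (udp 1026, service name cap) through. "none" blocks both and is the classic
# reason a freshly built pair never syncs.
check_sync_lockdown() {
    local flat
    flat=$(printf '%s' "$1" | tr '\n' ' ' | tr -s ' ')
    case "$flat" in
        *'allow-service none'*)               return 1 ;;   # Allow None
        *'allow-service all'*|*' default '*)  return 0 ;;   # Allow All / Allow Default
    esac
    printf '%s' "$flat" | grep -Eq 'tcp:(4353|f5-iquery)' &&
        printf '%s' "$flat" | grep -Eq 'udp:(1026|cap)'       # Allow Custom
}

# main [SYNC_SELF_NAME]: run all three checks live; non-zero if any fails.
main() {
    local self=${1:-Sync} rc=0
    check_license "$(tmsh show sys license)" && echo "license:  ok" \
        || { echo "license:  missing or expired"; rc=1; }
    check_ntp "$(ntpq -np)" 1000 && echo "ntp:      synced" \
        || { echo "ntp:      no selected peer within 1 s"; rc=1; }
    check_sync_lockdown "$(tmsh list net self "$self" allow-service)" && echo "lockdown: ok" \
        || { echo "lockdown: blocks ConfigSync/failover on $self"; rc=1; }
    return $rc
}

# Usage on a BIG-IP:  ./precheck.sh run [Sync]
case "${1:-}" in run) main "${2:-Sync}" ;; esac
```

Run it on both devices before touching Device Management; the lockdown check is the one that saves the most time, because an "Allow None" self IP fails silently and only shows up later as a device that never leaves the "disconnected" state.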

Layer 2 - Network ›› VLAN ›› Create

CLI > tmsh create net vlan Sync interfaces add { 1.1 }
Layer 3 - Network ›› Self IPs ›› Create

CLI > tmsh create net self Sync vlan Sync allow-service default address <IP/Prefix>
An important note here is the "Port Lockdown" setting - make sure not to use "Allow None", as it drops the ConfigSync/mirroring (TCP 4353) and network failover (UDP 1026) traffic between the devices. "Allow Default" works, but it also opens management services such as SSH, HTTPS and SNMP on that self IP; that is acceptable on a dedicated point-to-point link, but on a shared VLAN prefer "Allow Custom" with only tcp:4353 and udp:1026. Other than that, only the IP/subnet configuration is needed.

Attach the P2P addresses to the cluster mechanism - Device Management ›› Devices ›› <DEVICE_NAME> ›› Device Connectivity
ConfigSync (the address used for synchronizing the configuration between the devices)

**Failover Network (the addresses on which the devices exchange heartbeats): it is highly recommended to add a self IP on a "real" traffic VLAN here in addition to the P2P address. A device only declares its peer down when heartbeats stop on all configured failover addresses, so with the P2P link alone a failure of that link leaves both devices active; with a second address on the traffic VLAN the sync link is no longer a single point of failure. (If you also want the loss of the traffic VLAN itself to trigger a failover, use VLAN fail-safe or an HA group with pool monitoring as described at the end of this post.)

Mirroring (the address used to synchronize connection tables between the devices):

CLI > tmsh modify cm device <Device_Name> configsync-ip <IP> mirror-ip <IP> unicast-address { { effective-ip <IP> effective-port cap ip <IP> } }
("cap" is the service name for UDP 1026, the network failover port; add one { ... } entry per failover address.)

I like to reset the device trust before configuring the cluster, so that any leftovers of a previous configuration are cleared and the local device certificate is regenerated. Do this only on devices that are not part of a working cluster: the reset removes all existing peers, and every peer has to be re-added afterwards.
To do so - Device Management ›› Device Trust ›› Reset Device Trust

At this point we are done with the preparations.

From one of the devices go to - Device Management ›› Device Trust : Peer List ›› Create
I like using the P2P IPs here, but the management IP is fine as well. Note that the address is not just a label: the device connects to it over HTTPS (TCP 443) with the admin credentials you enter and fetches the peer's device certificate, so a self IP only works if its port lockdown allows 443.

After clicking "Retrieve Device Information" we should get the 2nd device's certificate, IP and a couple more details. This is the trust-on-first-use step of the whole setup, so compare the certificate details with what the peer shows for its own device certificate before you confirm.
To make sure connectivity is correct, go to Device Management ›› Devices
In case of a problem one of the devices will be shown in red (disconnected), in which case go back over the steps above.

Next group the devices - Device Management ›› Device Groups
CLI - tmsh create cm device-group sync-fail devices add { <Device_Names> } type sync-failover network-failover enabled
The Type should be Sync-Failover and both devices are selected.

Now one of the devices will become standby (if not - check the steps above).

Now all we have to do is initiate a sync between the devices - Device Management ›› Overview ›› Sync
CLI - tmsh run cm config-sync to-group sync-fail
Select the device containing the newest configuration, select "Sync Device to Group" and click "Sync". Mind the direction: syncing from the wrong device overwrites the newer configuration on its peer.

I like to create a more proactive configuration by adding a pool that consists of a couple of servers as the representation of the LAN and the ISP / firewall as the representation of the WAN. As long as this pool is up the device has both LAN and WAN connectivity; if the pool goes down the F5 has lost WAN or LAN access and we need to fail over. Give the pool a monitor (gateway_icmp is enough), otherwise its members are always marked available and it never triggers anything.
Then add the pool as a trigger for a failover - System ›› High Availability
CLI - tmsh create sys ha-group HA active-bonus 0 enabled pools add { <Pool_Name> { weight 80 } }
The HA group only has an effect once it is attached to the traffic group that carries the virtual servers (traffic-group-1 by default), under Device Management ›› Traffic Groups.
*The device with the highest HA score becomes active: the score is the sum of the weights of the device's available pools, plus the active bonus on the device that is currently active. With active-bonus 0 the traffic group moves as soon as the scores differ and moves back as soon as the original device recovers; set a non-zero bonus if you want to avoid that flapping.
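The whole procedure, from the Sync self IP lockdown to the HA group, as one script. This is added here as an example and is not taken from the original post: every hostname, address and object name (bigip1.example.com, 10.255.255.x, 192.0.2.x, lan_wan_pool) is a placeholder, and the cm trust-domain, cm device, cm device-group, sys ha-group and cm traffic-group command forms are reproduced from the tmsh reference as I remember them, so dry-run it and compare against your version first. It is meant to run on the first device after the Sync VLAN and self IPs exist on both boxes.

```shell
#!/bin/bash
# Builds the sync-failover pair from this post in one go. Added example, not part
# of the original post; all hostnames, addresses and object names are placeholders.
# Run on the first device after the Sync VLAN and self IPs exist on both boxes.
# DRY_RUN=1 prints the tmsh commands instead of running them. Command syntax is
# as in the tmsh reference (cm trust-domain, cm device, cm device-group,
# sys ha-group, cm traffic-group); verify it against your BIG-IP version.

LOCAL_NAME=${LOCAL_NAME:-bigip1.example.com}        # cm device name (hostname) of this box
PEER_NAME=${PEER_NAME:-bigip2.example.com}
LOCAL_SYNC_IP=${LOCAL_SYNC_IP:-10.255.255.1}        # self IPs on the point-to-point Sync VLAN
PEER_SYNC_IP=${PEER_SYNC_IP:-10.255.255.2}
LOCAL_TRAFFIC_IP=${LOCAL_TRAFFIC_IP:-192.0.2.11}    # non-floating self IPs on a traffic VLAN
PEER_TRAFFIC_IP=${PEER_TRAFFIC_IP:-192.0.2.12}      #   (second heartbeat path)
PEER_MGMT_IP=${PEER_MGMT_IP:-192.0.2.102}           # reachable on 443 for the trust exchange
PEER_ADMIN_USER=${PEER_ADMIN_USER:-admin}
DEVICE_GROUP=${DEVICE_GROUP:-sync-fail}
HA_GROUP=${HA_GROUP:-HA}
HA_POOL=${HA_POOL:-lan_wan_pool}                    # must already exist, with a monitor
DRY_RUN=${DRY_RUN:-0}

# tm: run a tmsh command, or print it when DRY_RUN=1.
tm() {
    if [ "$DRY_RUN" = 1 ]; then printf 'tmsh %s\n' "$*"; else tmsh "$@"; fi
}

# Port lockdown on the Sync self IP: only ConfigSync/mirroring (tcp 4353) and
# network failover (udp 1026) instead of Allow Default's SSH/HTTPS/SNMP as well.
# Self IPs are not synced, so run this on the peer too.
lock_down_sync_self() {
    tm modify net self Sync allow-service replace-all-with { tcp:4353 udp:1026 }
}

# ConfigSync and mirror address on the P2P link, heartbeats on both the P2P link
# and the traffic VLAN so that the sync link alone is not a single point of failure.
# "cap" is the service name of UDP 1026.
set_device_connectivity() {
    local name=$1 sync_ip=$2 traffic_ip=$3
    tm modify cm device "$name" configsync-ip "$sync_ip" mirror-ip "$sync_ip" \
        unicast-address replace-all-with { \
            { effective-ip "$sync_ip"    effective-port cap ip "$sync_ip" } \
            { effective-ip "$traffic_ip" effective-port cap ip "$traffic_ip" } }
}

# Device trust: the local box connects to the peer's management address over
# HTTPS and exchanges device certificates (the Sync self IP is locked down to
# 4353/1026, so it cannot be used for this). The password is never printed.
add_peer() {
    local pass=$1
    if [ "$DRY_RUN" = 1 ]; then
        printf 'tmsh modify cm trust-domain Root ca-devices add { %s } name %s username %s password ***\n' \
            "$PEER_MGMT_IP" "$PEER_NAME" "$PEER_ADMIN_USER"
    else
        tmsh modify cm trust-domain Root ca-devices add { "$PEER_MGMT_IP" } name "$PEER_NAME" \
            username "$PEER_ADMIN_USER" password "$pass"
    fi
}

create_device_group() {
    tm create cm device-group "$DEVICE_GROUP" devices add { "$LOCAL_NAME" "$PEER_NAME" } \
        type sync-failover network-failover enabled
}

# Initial sync from this device: it must be the one holding the reference config.
initial_sync() {
    tm run cm config-sync to-group "$DEVICE_GROUP"
}

# HA group scored by the LAN+WAN pool; active-bonus 0 fails over (and back) as
# soon as the scores differ. It does nothing until attached to the traffic group.
create_ha_group() {
    tm create sys ha-group "$HA_GROUP" active-bonus 0 enabled pools add { "$HA_POOL" { weight 80 } }
    tm modify cm traffic-group traffic-group-1 ha-group "$HA_GROUP"
}

build_cluster() {
    local pass=$1
    lock_down_sync_self
    set_device_connectivity "$LOCAL_NAME" "$LOCAL_SYNC_IP" "$LOCAL_TRAFFIC_IP"
    add_peer "$pass"
    set_device_connectivity "$PEER_NAME" "$PEER_SYNC_IP" "$PEER_TRAFFIC_IP"   # peer's cm device exists once trusted
    create_device_group
    initial_sync
    create_ha_group
}

# Prompt for the peer's admin password so it stays out of argv and shell history
# (except inside tmsh itself); skipped on a dry run.
main() {
    local pass=
    if [ "$DRY_RUN" != 1 ]; then
        read -rsp "Password for $PEER_ADMIN_USER@$PEER_MGMT_IP: " pass; echo
    fi
    build_cluster "$pass"
}

# Usage:  DRY_RUN=1 ./build_cluster.sh build   (review)   then   ./build_cluster.sh build
case "${1:-}" in build) main ;; esac
```

Two design points worth spelling out: the trust step deliberately targets the peer's management address, because once the Sync self IP is locked down to tcp:4353/udp:1026 it no longer answers on 443; and the peer's own cm device object is only configured after the trust exists, since it is not visible locally before that. The HA pool and its monitor are assumed to exist on both devices already (pools are synced, but the script runs the sync only after the device group is created).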

Hope this post was helpful. If it was, please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR