C1 SD6 Ha Gui Ja

BIG-IP ADMINISTRATOR TRAINING
BIG-IP FUNDAMENTALS CURRICULUM
Deploy an Active-
Standby HA Pair Using
the Configuration Utility
(GUI)
DIGITAL 1
EDUCATION
SERIES
TABLE OF CONTENTS
Requirements for Configuring an Active-Standby HA Pair 3
Existing configuration data and status prior to beginning 4
Phase 1: Configure High Availability Communication Settings 5

Define the self IP for ConfigSync operations 5
Define the self IPs for mirroring 6
Define the self IPs for failover 6
Status after configuring HA communication settings 8
Phase 2: Establish Device Trust 9

Establish and confirm device trust 9
Status after establishing device trust 16
Establish a Device Group 17

Establish a sync-failover device group and confirm members 17
Status after establishing a sync-failover device group 19
Synchronize Configuration Data 21

Perform the initial ConfigSync and confirm HA operation 21
Status after performing the initial ConfigSync 26
DIGITAL 2
EDUCATION
SERIES
DEPLOY AN ACTIVE-STANDBY HA PAIR USING THE

CONFIGURATION UTILITY (GUI)
This document will walk you through an actual deployment of an active-standby HA pair using the Configuration
utility. The document is divided into sections, each of which can be accessed using the table of contents links on the
previous page. This deployment was carried out on BIG-IP version 14.1, although these steps are generally
applicable for BIG-IP v12 and above.
Requirements for Configuring an Active-Standby HA Pair

• Verify that the two BIG-IP systems to be paired match with respect to BIG-IP version, product licensing, and
module provisioning. Depending on the BIG-IP version, the hardware platforms may also need to be the
same. (See K8665: BIG-IP redundant configuration hardware and software parity requirements for details.)
• Verify that a dedicated VLAN for high availability is defined. In this deployment, we are using a VLAN named
HA for all device service clustering functions.
• Verify that both BIG-IP systems are using the same NTP server.
• Verify that the self IP addresses to be used for HA communication are defined and routable between the
BIG-IP devices.
• Administrative access to both BIG-IP systems in one of the following user roles: Administrator, Resource
Administrator
DIGITAL 3
EDUCATION
SERIES
Existing configuration data and status prior to beginning
Existing configuration data and status pertaining to HA prior to beginning the pairing process is shown below.
bigip4.f5trn.com bigip5.f5trn.com
(bigip4) (bigip5)
ONLINE (ACTIVE) ONLINE (ACTIVE)

Standalone Standalone
Self IPs Self IPs

10.10.4.31/16 (VLAN external; non-floating) 10.10.5.31/16 (VLAN external; non-floating)
10.10.4.33 (VLAN external; floating) 10.10.5.33 (VLAN external; floating)
172.16.4.31/16 (VLAN internal; non-floating) 172.16.5.31/16 (VLAN internal; non-floating)
172.16.4.33 (VLAN internal; floating) 172.16.5.33 (VLAN internal; floating)
172.30.4.71/16 (VLAN HA) 172.30.5.71/16 (VLAN HA)
Device Trust Device Trust

Device Name: bigip4.f5trn.com Device Name: bigip5.f5trn.com
Hostname: bigip4.f5trn.com Hostname: bigip5.f5trn.com
Authority Type: Certificate Signing Authority Authority Type: Certificate Signing Authority
Status: Standalone Status: Standalone
Peer Authority Devices: None Peer Authority Devices: None
Device Groups Device Groups

device_trust_group: device_trust_group:
Type: Sync-Only Group Type: Sync-Only Group
Devices: bigip4.f5trn.com (Self) Devices: bigip5.f5trn.com (Self)
HA Communication Settings HA Communication Settings

ConfigSync IP Address: None ConfigSync IP Address: None
Mirroring IP Addresses: None Mirroring IP Addresses: None
Failover IP Addresses: None Failover IP Addresses: None
DIGITAL 4
EDUCATION
SERIES
Phase 1: Configure High Availability Communication

Settings
Note: Phase 1 steps can be bypassed if HA communication settings have already been configured on both systems,
as they might be if you used the Setup utility to perform initial configuration. Or, you can use the steps in this phase
to confirm the settings are correct.
Steps 1-7 must be performed on both BIG-IP systems
Define the self IP for ConfigSync operations
On each BIG-IP system that will be included in the active-standby pair, you must define the IP address that will be
used for synchronizing configuration data (ConfigSync). F5 recommends using a non-floating self IP on a dedicated
HA VLAN, as we are doing our deployment below. If a dedicated HA VLAN is not possible, use a non-floating self IP
on a non-client facing VLAN.
1. On bigip4, navigate to Device Management ›› Devices and select bigip4.f5trn.com (Self):
2. Select the ConfigSync tab. From the Local Address list, select a self IP address for the dedicated HA VLAN
or for a non-client facing VLAN, and click the Update button to save the changes:
172.30.4.71 (HA)
DIGITAL 5
EDUCATION
SERIES
Define the self IPs for mirroring
In order to use connection and persistence mirroring, you must specify a primary mirroring IP address, and can
optionally specify a secondary mirroring address to be used as a backup for the primary. If you do need to mirror a
high volume of connection and persistence information, F5 recommends using a dedicated VLAN and dedicated
interfaces. In the example below, the non-floating self IP defined on VLAN HA is specified as the primary mirroring
address, and no secondary mirror address is provided.
3. Select the Mirroring option from the menu. From the Primary Local Mirror Address list, select the non-
floating self IP address for the VLAN named HA, and click the Update button to save the changes:
172.30.4.71 (HA)
Define the self IPs for failover
There are two types of IP addresses used for failover communication: unicast and multicast. For BIG-IP appliance
platforms, two unicast addresses - a primary and a secondary - are generally sufficient. F5 recommends using the
non-floating self IP for a dedicated HA VLAN as the primary, and the management IP address of the BIG-IP system
as the secondary, as we are doing in our deployment below. For VIPRION platforms, you would also retain the
default multicast address provided by the BIG-IP system during configuration.
4. Select Failover Network from the menu, then click the Add button to add a failover unicast address:
DIGITAL 6
EDUCATION
SERIES
5. From the Address list, select the self IP address for the dedicated HA VLAN (or a non-client facing VLAN if no
dedicated VLAN is configured), and click the Repeat button to save the changes and add another failover
unicast address:
172.30.4.71 (HA)
6. This time, select Management Address from the Address list, and click the Finished button to save the
changes:
7. Notice the two failover unicast addresses now appear in the list.
172.30.4.71 (HA)
Repeat steps 1-7 on the other BIG-IP system (bigip5.f5trn.com)
DIGITAL 7
EDUCATION
SERIES
Status after configuring HA communication settings
As the result of configuring HA communication settings, the status of each BIG-IP system remains the same, but
certain underlying configuration data has changed, as highlighted in blue in the table below:
(bigip4) (bigip5)

Standalone Standalone
Self IPs Self IPs

172.30.4.71/16 (VLAN HA) 172.30.5.71/16 (VLAN HA)

Status: Standalone Status: Standalone
Peer Authority Devices: None Peer Authority Devices: None

Devices: bigip4.f5trn.com (Self) Devices: bigip5.f5trn.com (Self)

ConfigSync IP Address: 172.30.4.71 ConfigSync IP Address: 172.30.5.71
Mirroring IP Addresses: 172.30.4.71 (Primary only) Mirroring IP Addresses: 172.30.5.71 (Primary only)
Failover IP Addresses: 172.30.4.71, 192.168.4.31 Failover IP Addresses: 172.30.5.71, 192.168.5.31
This completes the Phase 1 in configuring an active-standby HA pair. You are

now ready to move on to Phase 2: Establish Device Trust
DIGITAL 8
EDUCATION
SERIES
Phase 2: Establish Device Trust
Establish and confirm device trust
To establish device trust, on one of the two devices (which we will refer to as the local device), discover the other
(remote) device and add it to the local device trust. In the sample deployment below, we are using bigip4 to discover
bigip5 and add it to the local device trust on bigip4.
1. On bigip4, view the local trust domain before adding bigip5 to the device trust on bigip4. Navigate to Device
Management ›› Device Trust. Notice that the BIG-IP system has Certificate Signing Authority, and that the
status of the trust is Standalone.
2. On bigip5, view the local trust domain before adding bigip5. Navigate to Device Management ›› Device
Trust. Notice that bigip5 also has Certificate Signing Authority, and that the status of the trust is Standalone.
DIGITAL 9
EDUCATION
SERIES
3. On bigip4, view the device group that manages synchronization of device trust information -
device_trust_group. Navigate to Device Management ›› Overview. Notice that this device group currently
contains just 1 device, bigip4.f5trn.com (Self).
4. On bigip5, view the device group that manages synchronization of device trust information -
device_trust_group. Navigate to Device Management ›› Overview. Notice that this device group also
currently contains just 1 device, bigip5.f5trn.com (Self).
DIGITAL 10
EDUCATION
SERIES
5. Back on bigip4, navigate to Device Management ›› Device Trust: Device Trust Members. Notice that there
are no peer devices listed. Click the Add button to add bigip5 as a peer authority device.
6. On bigip4, select the Peer option, then enter the IP address and credentials for the remote device, bigip5.
(Note: You must provide credentials for either an Administrator or Resource Administrator user.) Here we
are using the self IP address on our dedicated HA VLAN. (You could use the management IP address instead.)
Click Retrieve Device Information.
172.30.5.71
DIGITAL 11
EDUCATION
SERIES
7. On bigip4, view the device certificate information for the remote BIG-IP system. If the certificate information is
correct (meaning you are adding the correct device), click the Device Certificate Matches button to continue.
172.30.5.71
DIGITAL 12
EDUCATION
SERIES
It may take a few moments for the BIG-IP system to complete the Add Device
process in step 8. During this time, the status of both systems may change to
Disconnect (red), Awaiting Initial Sync (blue), and In Sync (green).
8. Give the peer device a Name within the device trust. Here we are using the name bigip5.f5trn.com. Click the
Add Device button to complete the process.
172.30.5.71
9. On bigip4, confirm that bigip5 is now listed as a peer device in its local trust domain.
DIGITAL 13
EDUCATION
SERIES
10. On bigip5, confirm that bigip4 is now listed as a peer device in its local trust domain.
11. On bigip4 and bigip5, navigate to Device Management ›› Overview. Notice that both are listed as devices in
device_trust_group, and that the device group's status is In Sync. The screen shot below is from bigip4.
DIGITAL 14
EDUCATION
SERIES
12. On bigip4 and bigip5, select the Advanced view option and examine the values for the Current Commit Time
and Current Commit Originator. Current Commit Originator displays the source of the most recent
configuration change, and Current Commit Time displays the time when this configuration change happened.
Since device_trust_group is configured to automatically synchronize device trust configuration data (auto-
sync is enabled), trust configuration data from bigip4 was automatically synchronized to bigip5 at the time
bigip5 was added. This information should be the same on both systems.
DIGITAL 15
EDUCATION
SERIES
Status after establishing device trust
As the result of establishing device trust, the status of each BIG-IP system changes to In Sync, but only with respect
to the device trust (trust domain). Certain underlying configuration data also changes, as highlighted in blue in the
table below:
(bigip4) (bigip5)

In Sync In Sync
Self IPs Self IPs

172.30.4.71/16 (VLAN HA) 172.30.5.71/16 (VLAN HA)

Status: In Sync Status: In Sync
Peer Authority Devices: bigip5.f5trn.com Peer Authority Devices: bigip4.f5trn.com

Devices: bigip4.f5trn.com (Self), bigip5.f5trn.com Devices: bigip4.f5trn.com, bigip5.f5trn.com (Self)


now ready to move on to Phase 3: Establish a Device Group
DIGITAL 16
EDUCATION
SERIES
Establish a Device Group
Establish a sync-failover device group and confirm members
On one of the two devices that will be in the active-standby pair, create a sync-failover device group that contains
both members. After the command completes, notice the status of one of the two devices will change from Active to
Standby. In our sample deployment below, bigip4 is used to create the sync-failover device group with bigip4 and
bigip5 as members, and bigip4 becomes the standby device.
13. On bigip4, navigate to Device Management ›› Device Groups. Note that the device group for the device trust
(device_trust_group) is not listed here, even though it does appear on the Device Management ›› Device
Overview page. That is because device_trust_group is hidden from view on this page by default. (In contrast,
you can see it when you list device groups using TMSH.) Click the Create button to create the sync-failover
device group for our active-standby pair.
14. In the General Properties section, give the device group a Name and set the Group Type to Sync-Failover. In
the Configuration section, move bigip4.f5trn.com and bigip5.f5trn.com from the Available list to the
Includes list in the Members setting, and select the Manual with Incremental Sync for Sync Type. Click the
Finished button to complete device group configuration.
DIGITAL 17
EDUCATION
SERIES
15. On both bigip4 and bigip5, confirm that the Device Group List now contains group bigip4_bigip5_sf_dg, and
that the ConfigSync status of the device group is Awaiting Initial Sync.
16. On bigip4, show the status of the new sync-failover device group. Navigate to Device Management ››
Overview. Select bigip4_bigip5_sf_dg in the Device Groups list. You should see both bigip4 and bigip5
listed as devices. Configuration Time shows Device has not synced with group, as this device group is now
waiting for us to manually synchronize configuration data.
DIGITAL 18
EDUCATION
SERIES
Status after establishing a sync-failover device group
As the result of establishing the sync-failover device group for our active-standby pair, the status of each BIG-IP
system changes again. Certain underlying configuration data also changes again, as highlighted in blue:
(bigip4) (bigip5)
ONLINE (STANDBY) ONLINE (ACTIVE)

Awaiting Initial Sync Awaiting Initial Sync
Self IPs Self IPs

172.30.4.71/16 (VLAN HA) 172.30.5.71/16 (VLAN HA)


bigip4_bigip5_sf_dg bigip4_bigip5_sf_dg
Type: Sync-Failover Group Type: Sync-Failover Group
Status: Awaiting Initial Sync Status: Awaiting Initial Sync

DIGITAL 19
EDUCATION
SERIES

now ready to move on to Phase 4: Synchronize Configuration Data
DIGITAL 20
EDUCATION
SERIES
Synchronize Configuration Data
Perform the initial ConfigSync and confirm HA operation
The initial ConfigSync operation will push relevant configuration data from one of the devices in the active-standby
pair to the other. In our deployment example below, we included several commands that allow you to compare and
contrast certain HA-related configuration data before and after the initial ConfigSync.
17. On bigip4 and bigip5, on the Device Management ›› Overview screen in the Sync Summary area, notice
that the recommended ConfigSync action is to sync one of the devices to the group. Since both BIG-IP systems
are new and not yet configured for application delivery, it really does not matter which device is used to initiate
the ConfigSync operation.
DIGITAL 21
EDUCATION
SERIES
18. On bigip4 and bigip5, navigate to Device Management ›› Traffic Groups. Notice that bigip5's Failover
Status is ACTIVE for 1 of 1 traffic groups - traffic-group-1 - and that traffic-group-1 is currently active on bigip5.
On bigip4, its Failover Status is STANDBY for traffic-group-1.
DIGITAL 22
EDUCATION
SERIES
19. On bigip4 and bigip5, click on traffic-group-1 and then the Failover Objects tab to view the failover objects in
this traffic group on each system. Notice that the failover objects consist of the two floating self IP addresses
currently defined on each system.
20. On bigip5, initiate a ConfigSync to the other member in the device group – bigip4. Navigate to Device
Management ›› Overview. In the Device Groups section, click on the entry for bigip4_bigip5_sf_dg and, in
the Devices section, click on the radio button for bigip5.f5trn.com (Self). Click the radio button for Push the
selected device configuration to the group, and click the Sync button to begin the ConfigSync operation.
DIGITAL 23
EDUCATION
SERIES
21. During ConfigSync, the status of the device group may change several times. When the operation completes
successfully, the status of the device group should change to In Sync, as indicated by the summary message
All devices in the device group are in sync. In the Devices section, in the HA Status column, the grey ball
on the icon for bigip4 indicates this device is standby for traffic, while the green ball on the icon for bigip5
indicates this device is active for traffic.
22. Select the Advanced view option. The information displayed indicates that bigip5.f5trn.com is the originator of
the most recent configuration change, and that the last sync type was a manual full load that originated from
bigip5.f5trn.com. Confirm this same information is present on bigip4. (Note: Since we were logged into bigip4
as the default admin user, we are required to log in again as the admin credentials from bigip5 were
synchronized to bigip4, replacing the previous credentials. In other words, the admin password for bigip4 is now
the same as the admin password for bigip5. The same holds true for the root user.)
DIGITAL 24
EDUCATION
SERIES
23. On bigip5, view the failover objects in traffic-group-1 again. Notice that the list is the same as before the initial
ConfigSync.
24. On bigip4, view the failover objects in traffic-group-1 again. Notice that traffic-group-1's failover objects have
been synchronized with bigip5. The floating self IPs that used to be present on bigip4 have been replaced with
the floating self IPs from bigip5. The result is a single set of floating self IPs that will be shared by the two
devices, and will always resolve to a MAC address associated with the device that is active for the traffic group.
DIGITAL 25
EDUCATION
SERIES
Status after performing the initial ConfigSync
As the result of performing the initial ConfigSync for our new sync-failover device group, the status of each BIG-IP
system changes again. Certain underlying configuration data also changes again, as highlighted in blue in the table
below:
(bigip4) (bigip5)
ONLINE (STANDBY) ONLINE (ACTIVE)

In Sync In Sync
Self IPs Self IPs

172.30.4.71/16 (VLAN HA) 172.30.5.71/16 (VLAN HA)


bigip4_bigip5_sf_dg bigip4_bigip5_sf_dg
Type: Sync-Failover Group Type: Sync-Failover Group

DIGITAL 26
EDUCATION
SERIES
This completes the final step in setting up an active-standby pair. We can now
begin configuring for application delivery. As we create virtual servers, pools,
profiles, and more on one of the devices, we will continue to perform manual
ConfigSync operations, as needed, to push that configuration data to the other
device.
DIGITAL 27
EDUCATION
SERIES

C1 SD6 Ha Gui Ja

Uploaded by

Copyright:

Available Formats

You might also like

C1 SD6 Ha Gui Ja

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

C1 SD6 Ha Gui Ja

Uploaded by

Copyright:

Available Formats

BIG-IP ADMINISTRATOR TRAINING

BIG-IP FUNDAMENTALS CURRICULUM

Phase 1: Configure High Availability Communication Settings 5

Phase 2: Establish Device Trust 9

Establish a Device Group 17

Synchronize Configuration Data 21

DEPLOY AN ACTIVE-STANDBY HA PAIR USING THE

Requirements for Configuring an Active-Standby HA Pair

Existing configuration data and status prior to beginning

ONLINE (ACTIVE) ONLINE (ACTIVE)

Self IPs Self IPs

Device Trust Device Trust

Device Groups Device Groups

HA Communication Settings HA Communication Settings

Phase 1: Configure High Availability Communication

Steps 1-7 must be performed on both BIG-IP systems

Define the self IP for ConfigSync operations

Define the self IPs for mirroring

Define the self IPs for failover

Repeat steps 1-7 on the other BIG-IP system (bigip5.f5trn.com)

Status after configuring HA communication settings

ONLINE (ACTIVE) ONLINE (ACTIVE)

Self IPs Self IPs

Device Trust Device Trust

Device Groups Device Groups

HA Communication Settings HA Communication Settings

This completes the Phase 1 in configuring an active-standby HA pair. You are

Phase 2: Establish Device Trust

Establish and confirm device trust

Status after establishing device trust

ONLINE (ACTIVE) ONLINE (ACTIVE)

Self IPs Self IPs

Device Trust Device Trust

Device Groups Device Groups

HA Communication Settings HA Communication Settings

This completes the Phase 2 in configuring an active-standby HA pair. You are

Establish a Device Group

Establish a sync-failover device group and confirm members

Status after establishing a sync-failover device group

ONLINE (STANDBY) ONLINE (ACTIVE)

Self IPs Self IPs

Device Trust Device Trust

Device Groups Device Groups

HA Communication Settings HA Communication Settings

This completes the Phase 3 in configuring an active-standby HA pair. You are

Synchronize Configuration Data

Perform the initial ConfigSync and confirm HA operation

Status after performing the initial ConfigSync

ONLINE (STANDBY) ONLINE (ACTIVE)

Self IPs Self IPs

Device Trust Device Trust

Device Groups Device Groups

HA Communication Settings HA Communication Settings

You might also like