C1 SD6 Ha Gui Ja
Deploy an Active-Standby HA Pair Using the Configuration Utility (GUI)
DIGITAL 1
EDUCATION
SERIES
BIG-IP ADMINISTRATOR TRAINING
BIG-IP FUNDAMENTALS CURRICULUM
TABLE OF CONTENTS
Requirements for Configuring an Active-Standby HA Pair
Existing configuration data and status prior to beginning
Existing configuration data and status pertaining to HA prior to beginning the pairing process is shown below.
bigip4.f5trn.com (bigip4) | bigip5.f5trn.com (bigip5)
On each BIG-IP system that will be included in the active-standby pair, you must define the IP address that will be
used for synchronizing configuration data (ConfigSync). F5 recommends using a non-floating self IP on a dedicated
HA VLAN, as we are doing in our deployment below. If a dedicated HA VLAN is not possible, use a non-floating self IP
on a non-client facing VLAN.
1. On bigip4, navigate to Device Management ›› Devices and select bigip4.f5trn.com (Self):
2. Select the ConfigSync tab. From the Local Address list, select a self IP address for the dedicated HA VLAN
or for a non-client facing VLAN, and click the Update button to save the changes:
172.30.4.71 (HA)
In order to use connection and persistence mirroring, you must specify a primary mirroring IP address, and can
optionally specify a secondary mirroring address to be used as a backup for the primary. If you do need to mirror a
high volume of connection and persistence information, F5 recommends using a dedicated VLAN and dedicated
interfaces. In the example below, the non-floating self IP defined on VLAN HA is specified as the primary mirroring
address, and no secondary mirror address is provided.
3. Select the Mirroring option from the menu. From the Primary Local Mirror Address list, select the
non-floating self IP address for the VLAN named HA, and click the Update button to save the changes:
172.30.4.71 (HA)
There are two types of IP addresses used for failover communication: unicast and multicast. For BIG-IP appliance
platforms, two unicast addresses - a primary and a secondary - are generally sufficient. F5 recommends using the
non-floating self IP for a dedicated HA VLAN as the primary, and the management IP address of the BIG-IP system
as the secondary, as we are doing in our deployment below. For VIPRION platforms, you would also retain the
default multicast address provided by the BIG-IP system during configuration.
4. Select Failover Network from the menu, then click the Add button to add a failover unicast address:
5. From the Address list, select the self IP address for the dedicated HA VLAN (or a non-client facing VLAN if no
dedicated VLAN is configured), and click the Repeat button to save the changes and add another failover
unicast address:
172.30.4.71 (HA)
6. This time, select Management Address from the Address list, and click the Finished button to save the
changes:
7. Notice the two failover unicast addresses now appear in the list.
172.30.4.71 (HA)
As a result of configuring HA communication settings, the status of each BIG-IP system remains the same, but
certain underlying configuration data has changed, as highlighted in blue in the table below:
bigip4.f5trn.com (bigip4) | bigip5.f5trn.com (bigip5)
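A check of the HA communication settings against the guidance in steps 1-7 above (non-floating self IP on a dedicated HA or non-client-facing VLAN for ConfigSync, mirroring and the primary failover address, management IP as the secondary failover address). This is an added example, not part of the original training material; the inventory layout, its field names, the device names and every address except 172.30.4.71 are assumptions constructed for illustration.

```python
import ipaddress
# Constructed inventory: names, fields and addresses are assumptions, except 172.30.4.71 (the page's HA self IP).
DEVICES = {
    "good.example": {
        "management_ip": "192.0.2.14",
        "self_ips": [
            {"address": "172.30.4.71", "vlan": "HA", "floating": False, "client_facing": False},
            {"address": "198.51.100.33", "vlan": "external", "floating": True, "client_facing": True},
        ],
        "configsync_ip": "172.30.4.71",
        "mirror_ip": "172.30.4.71",
        "failover_unicast": ["172.30.4.71", "192.0.2.14"],
    },
    "bad.example": {
        "management_ip": "192.0.2.15",
        "self_ips": [
            {"address": "198.51.100.41", "vlan": "external", "floating": False, "client_facing": True},
            {"address": "198.51.100.43", "vlan": "external", "floating": True, "client_facing": True},
        ],
        "configsync_ip": "198.51.100.43",
        "mirror_ip": None,
        "failover_unicast": ["198.51.100.41"],
    },
}

def check_ha_address(dev, ip, role):
    """Findings for one HA address: expect a non-floating, non-client-facing self IP."""
    if ip is None:
        return [f"{role}: not configured"]
    hits = [s for s in dev["self_ips"]
            if ipaddress.ip_address(s["address"]) == ipaddress.ip_address(ip)]
    if not hits:
        return [f"{role}: {ip} is not a self IP on this device"]
    out = []
    if hits[0]["floating"]:
        out.append(f"{role}: {ip} is a floating self IP")
    if hits[0]["client_facing"]:
        out.append(f"{role}: {ip} is on client-facing VLAN {hits[0]['vlan']}")
    return out

def audit(dev):
    """Check ConfigSync, mirroring and failover unicast settings for one device."""
    uni = dev["failover_unicast"]
    findings = check_ha_address(dev, dev["configsync_ip"], "configsync")
    findings += check_ha_address(dev, dev["mirror_ip"], "mirror")
    findings += check_ha_address(dev, uni[0] if uni else None, "failover primary")
    if dev["management_ip"] not in uni[1:]:
        findings.append("failover: management IP is not a secondary unicast address")
    return findings
```

A missing mirror address is reported only because mirroring cannot be used without one; treat that finding as informational if mirroring is not required.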
To establish device trust, on one of the two devices (which we will refer to as the local device), discover the other
(remote) device and add it to the local device trust. In the sample deployment below, we are using bigip4 to discover
bigip5 and add it to the local device trust on bigip4.
1. On bigip4, view the local trust domain before adding bigip5 to the device trust on bigip4. Navigate to Device
Management ›› Device Trust. Notice that the BIG-IP system has Certificate Signing Authority, and that the
status of the trust is Standalone.
2. On bigip5, view the local trust domain before adding bigip5. Navigate to Device Management ›› Device
Trust. Notice that bigip5 also has Certificate Signing Authority, and that the status of the trust is Standalone.
3. On bigip4, view the device group that manages synchronization of device trust information -
device_trust_group. Navigate to Device Management ›› Overview. Notice that this device group currently
contains just 1 device, bigip4.f5trn.com (Self).
4. On bigip5, view the device group that manages synchronization of device trust information -
device_trust_group. Navigate to Device Management ›› Overview. Notice that this device group also
currently contains just 1 device, bigip5.f5trn.com (Self).
5. Back on bigip4, navigate to Device Management ›› Device Trust: Device Trust Members. Notice that there
are no peer devices listed. Click the Add button to add bigip5 as a peer authority device.
6. On bigip4, select the Peer option, then enter the IP address and credentials for the remote device, bigip5.
(Note: You must provide credentials for either an Administrator or Resource Administrator user.) Here we
are using the self IP address on our dedicated HA VLAN. (You could use the management IP address instead.)
Click Retrieve Device Information.
172.30.5.71
7. On bigip4, view the device certificate information for the remote BIG-IP system. If the certificate information is
correct (meaning you are adding the correct device), click the Device Certificate Matches button to continue.
172.30.5.71
It may take a few moments for the BIG-IP system to complete the Add Device
process in step 8. During this time, the status of both systems may change to
Disconnect (red), Awaiting Initial Sync (blue), and In Sync (green).
8. Give the peer device a Name within the device trust. Here we are using the name bigip5.f5trn.com. Click the
Add Device button to complete the process.
172.30.5.71
9. On bigip4, confirm that bigip5 is now listed as a peer device in its local trust domain.
10. On bigip5, confirm that bigip4 is now listed as a peer device in its local trust domain.
11. On bigip4 and bigip5, navigate to Device Management ›› Overview. Notice that both are listed as devices in
device_trust_group, and that the device group's status is In Sync. The screen shot below is from bigip4.
12. On bigip4 and bigip5, select the Advanced view option and examine the values for the Current Commit Time
and Current Commit Originator. Current Commit Originator displays the source of the most recent
configuration change, and Current Commit Time displays the time when this configuration change happened.
Since device_trust_group is configured to automatically synchronize device trust configuration data
(auto-sync is enabled), trust configuration data from bigip4 was automatically synchronized to bigip5 at the time
bigip5 was added. This information should be the same on both systems.
As a result of establishing device trust, the status of each BIG-IP system changes to In Sync, but only with respect
to the device trust (trust domain). Certain underlying configuration data also changes, as highlighted in blue in the
table below:
bigip4.f5trn.com (bigip4) | bigip5.f5trn.com (bigip5)
On one of the two devices that will be in the active-standby pair, create a sync-failover device group that contains
both members. After the command completes, notice the status of one of the two devices will change from Active to
Standby. In our sample deployment below, bigip4 is used to create the sync-failover device group with bigip4 and
bigip5 as members, and bigip4 becomes the standby device.
13. On bigip4, navigate to Device Management ›› Device Groups. Note that the device group for the device trust
(device_trust_group) is not listed here, even though it does appear on the Device Management ›› Device
Overview page. That is because device_trust_group is hidden from view on this page by default. (In contrast,
you can see it when you list device groups using TMSH.) Click the Create button to create the sync-failover
device group for our active-standby pair.
14. In the General Properties section, give the device group a Name and set the Group Type to Sync-Failover. In
the Configuration section, move bigip4.f5trn.com and bigip5.f5trn.com from the Available list to the
Includes list in the Members setting, and select Manual with Incremental Sync for Sync Type. Click the
Finished button to complete device group configuration.
15. On both bigip4 and bigip5, confirm that the Device Group List now contains group bigip4_bigip5_sf_dg, and
that the ConfigSync status of the device group is Awaiting Initial Sync.
16. On bigip4, show the status of the new sync-failover device group. Navigate to Device Management ››
Overview. Select bigip4_bigip5_sf_dg in the Device Groups list. You should see both bigip4 and bigip5
listed as devices. Configuration Time shows Device has not synced with group, as this device group is now
waiting for us to manually synchronize configuration data.
As a result of establishing the sync-failover device group for our active-standby pair, the status of each BIG-IP
system changes again. Certain underlying configuration data also changes again, as highlighted in blue:
bigip4.f5trn.com (bigip4) | bigip5.f5trn.com (bigip5)
The initial ConfigSync operation will push relevant configuration data from one of the devices in the active-standby
pair to the other. In our deployment example below, we included several commands that allow you to compare and
contrast certain HA-related configuration data before and after the initial ConfigSync.
17. On bigip4 and bigip5, on the Device Management ›› Overview screen in the Sync Summary area, notice
that the recommended ConfigSync action is to sync one of the devices to the group. Since both BIG-IP systems
are new and not yet configured for application delivery, it really does not matter which device is used to initiate
the ConfigSync operation.
18. On bigip4 and bigip5, navigate to Device Management ›› Traffic Groups. Notice that bigip5's Failover
Status is ACTIVE for 1 of 1 traffic groups - traffic-group-1 - and that traffic-group-1 is currently active on bigip5.
On bigip4, its Failover Status is STANDBY for traffic-group-1.
19. On bigip4 and bigip5, click on traffic-group-1 and then the Failover Objects tab to view the failover objects in
this traffic group on each system. Notice that the failover objects consist of the two floating self IP addresses
currently defined on each system.
20. On bigip5, initiate a ConfigSync to the other member in the device group – bigip4. Navigate to Device
Management ›› Overview. In the Device Groups section, click on the entry for bigip4_bigip5_sf_dg and, in
the Devices section, click on the radio button for bigip5.f5trn.com (Self). Click the radio button for Push the
selected device configuration to the group, and click the Sync button to begin the ConfigSync operation.
21. During ConfigSync, the status of the device group may change several times. When the operation completes
successfully, the status of the device group should change to In Sync, as indicated by the summary message
All devices in the device group are in sync. In the Devices section, in the HA Status column, the grey ball
on the icon for bigip4 indicates this device is standby for traffic, while the green ball on the icon for bigip5
indicates this device is active for traffic.
22. Select the Advanced view option. The information displayed indicates that bigip5.f5trn.com is the originator of
the most recent configuration change, and that the last sync type was a manual full load that originated from
bigip5.f5trn.com. Confirm this same information is present on bigip4. (Note: Since we were logged into bigip4
as the default admin user, we are required to log in again, because the admin credentials from bigip5 were
synchronized to bigip4, replacing the previous credentials. In other words, the admin password for bigip4 is now
the same as the admin password for bigip5. The same holds true for the root user.)
23. On bigip5, view the failover objects in traffic-group-1 again. Notice that the list is the same as before the initial
ConfigSync.
24. On bigip4, view the failover objects in traffic-group-1 again. Notice that traffic-group-1's failover objects have
been synchronized with bigip5. The floating self IPs that used to be present on bigip4 have been replaced with
the floating self IPs from bigip5. The result is a single set of floating self IPs that will be shared by the two
devices, and will always resolve to a MAC address associated with the device that is active for the traffic group.
As a result of performing the initial ConfigSync for our new sync-failover device group, the status of each BIG-IP
system changes again. Certain underlying configuration data also changes again, as highlighted in blue in the table
below:
bigip4.f5trn.com (bigip4) | bigip5.f5trn.com (bigip5)
This completes the final step in setting up an active-standby pair. We can now
begin configuring for application delivery. As we create virtual servers, pools,
profiles, and more on one of the devices, we will continue to perform manual
ConfigSync operations, as needed, to push that configuration data to the other
device.