Forum Discussion
HA Groups vs VLAN Failsafe vs Neither
We don’t currently make use of VLAN failsafe or HA groups in two of our 3 LTM appliance HA pairs. I’ve been doing some reading to try to determine what the best path is for us. I’m predominantly concerned with physical switch failure. If we have some sort of routing or VTP problem I'm unsure how VLAN failsafe or HA groups will help. From what I can find it seems like HA Groups is the preferred method in TMOS v10 and newer. What I’m wondering, is that if you have a configuration like the below figure 1 where each F5 is connected to both switches do you really need either VLAN failsafe/HA Groups? In figure 2, I would definitely think you would want either VLFS or HA Groups configured because losing a switch means an F5 is without connectivity. Looking for feedback and thoughts on this or if there is a definite way to configure VLFS or HAG based on each config. The documentation is pretty light on how either feature should be used based on the network design.
1)
2)
- Stefan_KlotzCumulonimbus
Hi Steve,
our preferred design option is to connect the LB via a LACP channel to a VRF switch stack. So if one switch fails you are just loosing bandwidth. And if the whole switch stack fails, then the LB is "isolated" and the network heartbeat will activate the second LB.
If there isn't a VRF switch available/possible, we recommend to patch all cables of the LB to just one switch, but still using a channel/trunk.
We also separate the heartbeat to a dedicated physical interface and to avoid the unlikely event of breaking all cables of the production channel/trunk, we configure a HA-group with active bonus for it.
VLFS is not used from us at all, as we had bad experiences with it in the past. Not sure how stable this is in one of the latest v11 versions, but we are totally fine with our above mentioned design.
Ciao Stefan :)
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com