Forum Discussion

Shamsul_Alam_34's avatar
Shamsul_Alam_34
Icon for Nimbostratus rankNimbostratus
Jan 03, 2018

How to setup F5 LTM HA network

Hi Expert   I'm new to F5. Can anyone let me know how to connect two F5 LTM for HA setup?. Below are available ports on my F5 LTM. There is a port with the name FAILOVER bottom. How can i connect ...
application delivery
BIG-IP
LTM
  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Jan 04, 2018

    Agree with nitass, don't use failover port. A number of limitations and basically no worthwhile advantages

     

    I'd use both 1G interfaces that are already populated with GbE SFPs for HA, configured as LACP Port Trunk. You will need more SFPs for data though.

     

    Observing the ports available, you cannot evenly allocate remaining ports for segregated client-side and server-side LACP bundles. So I'd bundle 2x 10G interfaces as LACP port trunk for data, and use this 20G link for both, client-side and server-side VLANs.

     

    Here's summary

     

    • 2x 1G interfaces directly to other unit for HA functions. Config sync, Network failover, Traffic mirror
    • 2x 10G to network switch stack. All client-side and serve-side traffic
    • Mgmt to network switch (ideally dedicated management switch). SSH and HTTPS (GUI)
Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous
Jan 04, 2018

Agree with nitass, don't use failover port. A number of limitations and basically no worthwhile advantages

 

I'd use both 1G interfaces that are already populated with GbE SFPs for HA, configured as LACP Port Trunk. You will need more SFPs for data though.

 

Observing the ports available, you cannot evenly allocate remaining ports for segregated client-side and server-side LACP bundles. So I'd bundle 2x 10G interfaces as LACP port trunk for data, and use this 20G link for both, client-side and server-side VLANs.

 

Here's summary

 

  • 2x 1G interfaces directly to other unit for HA functions. Config sync, Network failover, Traffic mirror
  • 2x 10G to network switch stack. All client-side and serve-side traffic
  • Mgmt to network switch (ideally dedicated management switch). SSH and HTTPS (GUI)
  • Shamsul_Alam_34's avatar
    Shamsul_Alam_34
    Icon for Nimbostratus rankNimbostratus
    Jan 04, 2018

    Excellent!! this what i need. you have explain in perfect manner which i need. Do i need to do anything on switch level for LACP Port Trunk?

     

  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Icon for Nacreous rankNacreous
    Jan 04, 2018

    Refer to vendor guide if you need help. LACP is a popular standard and well documented. If you use Cisco NS, look for Etherchannel LACP implementation guide.

     

    1. You need to bundle together 2 interfaces. Make sure all clientside and serverside vlans you define on BigIP are defined on the Network switch, and then ensure those VLANs are allowed on the aggregated interface itself. Recommend to define all VLANs on BigIP as tagged so you don't have to worry about which VLAN on your switchport trunk is "native".

       

    2. Put all interfaces in LACP-active mode so each interface is able to initiate link aggregation negotiation with its peer. As an alternative, put BigIP interfaces in LACP-passive and NS interfaces in LACP-active if you believe such limitation gives you a security benefit. I'd say the benefit is next to none, but you don't have to follow my advice.

       

    Pretty much the only thing you can mess up here is the cabling. If you have a network switch stack, make sure 1 cable goes into a port of NS-1, and the other cable goes to a port of NS-2 so you have maximum high-availability.

     

    To give an example, this is a good cabling plan for a 2-unit NS stack.

     

    1st LACP bundle

     

    • BigIP-1/Te1 - NS1/Te7
    • BigIP-1/Te2 - NS2/Te7

    2nd LACP bundle

     

    • BigIP-2/Te1 - NS1/Te8
    • BigIP-2/Te2 - NS2/Te8