Forum Discussion
Initial deployment question
So I inherited these two Big IP LTM products. In the past I have used Cisco Content Switches and they made sense. This is my first time working with the F5s and the documentation so far has been of no help. It is really the worst documentation so far, right after Citrix.
Anyway, I want to basically set up the two devices in Active/Active mode and per the documentation I do not see any option for an HA Wizard. So far I have just configured the Management IPs on the two. I was able to set up a trust between the two but the configuration sync kept saying pending. I do not see any option under "Platform --> System" to change the Unit IDs and the mode. It does not say anything about the licensing in the documentation so I don't think it is a licensing issue.
So can someone please point me in the right direction in accomplishing this for starters:
1- Set up the two devices in active/active mode (as I don't even see the options anywhere)
2- Tell me what exactly Interface Mirroring will do for me. I know it is supposed to duplicate traffic to another interface; why would I want to do that? Is it like port span to capture packets or something?
3- I know I have to enable network failover, so OK, I do that. Do I need to connect the TMM switch ports for the failover options to show up, or connect the two interfaces via crossover cable, like 1.1 of Unit 1 to 1.1 of Unit 2?
Thank you.
36 Replies
- What_Lies_Bene1
Cirrostratus
1) Active/active mode is no longer recommended by F5, I wouldn't recommend it myself either. Is there a specific reason you want active/active?
2) Yes, it's just like SPAN.
3) You can use any TMM interface (or VLAN using a TMM interface) or (the mgmt interfaces (I think)) for network failover.
Relevant options should be under System > High Availability but I'm assuming you're not seeing that. System > Platform should have a High Availability option you can set to Redundant Pair which might make it appear.
System > License should let you know if your license is valid.
It would help if you could tell us what model the devices are and what software version please.
- nitass
Employee
1- Setup the two devices in active/active mode (as I don't even see the options any where)
It is done by creating more than one traffic group.
Manual: BIG-IP Device Service Clustering: Administration
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-device-service-clustering-11-2-1.html
3- I know I have to enable network failover so ok I do that do I need to connect the TMM switch ports for the failover options to show up or like connect the two interfaces via cross over cable like 1.1 of Unit 1 to 1.1 of Unit 2?
If you have only two units, you can use a crossover cable connecting them back to back.
Hope this helps.
- mali77_57143
Nimbostratus
Thank you to both of you for the replies. I'll work on your recommendations on Monday. In the meantime here is the info on the F5s:
BIG-IP 1600
Version 11.2.0
When I go to System and License it shows this:
Licensed Date Dec 29, 2011
Active Modules
•Local Traffic Manager, 1600(Perpetual) (xxxxxxxxxx)
◦Local Traffic Manager Module
◦ADD IPV6 GATEWAY
◦ADD RATE SHAPING
◦ADD RAMCACHE
◦50 MBPS COMPRESSION
◦SSL 500 TPS Per Core
◦ADD SSL CMP
◦ADD ANTI-VIRUS CHECKS
◦ADD BASE ENDPOINT SECURITY CHECKS
◦ADD FIREWALL CHECKS
◦ADD NETWORK ACCESS
◦ADD SECURE VIRTUAL KEYBOARD
◦ADD WEB APP
◦ADD MACHINE CERTIFICATE CHECKS
◦ADD PROTECTED WORKSPACE
◦ADD REMOTE DESKTOP
◦ADD APP TUNNEL
Optional Modules
•Access Policy Manager, 1600 (Base CCU)
•Access Policy Manager, 1600 (Max CCU)
•ADD CLIENT AUTHENTICATION
•ADD ROUTING BUNDLE
•ADD SSL MAX TPS
•Appliance Mode (TMSH Only, No Root or Bash Access)
•Application Security Manager, 1600 Bundle
•DNS Services
•Global Traffic Manager Module
•IPI Subscription, 1Yr, 1600
•IPI Subscription, 3Yr, 1600
•Link Controller Module
•Maximum Compression
•Message Security Manager
•Protocol Security Manager Module
•WAN Optimization Module
•WAN Optimization, 1600 Bundle
•WebAccelerator, 1600 Bundle
Inactive Modules
- mali77_57143
Nimbostratus
Posted By What Lies Beneath on 10/19/2012 02:05 PM
1) Active/active mode is no longer recommended by F5, I wouldn't recommend it myself either. Is there a specific reason you want active/active?
2) Yes, it's just like SPAN.
3) You can use any TMM interface (or VLAN using a TMM interface) or (the mgmt interfaces (I think)) for network failover.
Relevant options should be under System > High Availability but I'm assuming you're not seeing that. System > Platform should have a High Availability option you can set to Redundant Pair which might make it appear.
System > License should let you know if your license is valid.
It would help if you could tell us what model the devices are and what software version please.
1- Any specific reason Active/Active mode is not recommended? I wanted to do that for load balancing too, but it is not a big deal.
2- So I guess port mirroring is needed if we want to capture packets as I would on a switch?
3- Ok so I took 1.4 from both devices and connected the crossover cable. I will use that for the failover, however I still do not see any of the options that I mentioned. I have screenshots attached.
- What_Lies_Bene1
Cirrostratus
Hey. That's quite a nicely loaded device you've got there. Latest OS and lots of modules licensed. Note with v11 you don't need a crossover cable as it supports auto MDI/MDX. To the other questions:
1) It was overly complex and very hard to configure. I believe the Device Service Clustering feature provides the same kind of functionality but with less complexity and greater scalability.
2) Yes and no, you can capture packets directly on the device using tcpdump, ssldump and other tools but you might have a reason to want to copy them to an IDS or some other monitoring system.
3) I'll get back to you.
- nitass
Employee
3- Ok so I took 1.4 from both devices and connected the cross over cable. I will use that for the failover however I still do not see any option's that I mentioned I have screen shots attached
What option are you looking for? If network failover, it is at device management > device groups > (group name) > failover.
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list cm device-group dg all-properties
cm device-group dg {
    app-service none
    asm-sync disabled
    auto-sync disabled
    description none
    devices {
        ve11a.acme.com { }
        ve11b.acme.com { }
    }
    full-load-on-sync true
    network-failover enabled
    partition Common
    type sync-failover
}
- What_Lies_Bene1
Cirrostratus
I so need to get my hands on a v11 box!
- hoolio
Cirrostratus
Ask your SE for a couple of VE lab keys. You can run all modules on any supported version. Email me if you get stuck: aaron at f5 dot com
Aaron
- mali77_57143
Nimbostratus
Posted By What Lies Beneath on 10/22/2012 08:18 AM
I so need to get my hands on a v11 box!
Tell you what, I'd be happy to let you work on mine if you want, this way we both can benefit. Let me know what you think....? Seriously, Cisco's Content switches were so much easier lol.
I am attaching Device Management screenshots. Both devices are showing offline.
- What_Lies_Bene1
Cirrostratus
Aaron, thank you, I don't have an SE right now so I'll probably drop you an email.
Mali, please note you missed the 'redaction' of the DG name on the second image in the file, you might want to fix that. I've used CSS and ACE and didn't like either much, especially CSS; I hear Local Director was their last good product! =]
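Added example, not part of any post in this thread: a small Python check that parses `list cm device-group ... all-properties` output like the listing quoted earlier and reports the settings that matter for a two-unit failover pair. The function names and the wording of the findings are this example's own assumptions, and the sample input is constructed from the listing in the thread.

```python
import re

# Constructed sample: the device-group listing quoted in the thread, one item per line.
SAMPLE = """cm device-group dg {
    app-service none
    asm-sync disabled
    auto-sync disabled
    description none
    devices { ve11a.acme.com { } ve11b.acme.com { } }
    full-load-on-sync true
    network-failover enabled
    partition Common
    type sync-failover
}"""

TOKEN = re.compile(r'"[^"]*"|[{}]|[^\s{}]+')  # quoted string, brace, or bare word

def parse_body(tokens, i):
    """Read 'key value' and 'key { ... }' items until the closing brace."""
    body = {}
    while tokens[i] != "}":
        key = tokens[i]
        if tokens[i + 1] == "{":
            body[key], i = parse_body(tokens, i + 2)
        else:
            body[key] = tokens[i + 1].strip('"')
            i += 2
    return body, i + 1

def parse_device_group(text):
    """Return (group name, properties); text before the first '{' is ignored."""
    tokens = TOKEN.findall(text)
    first = tokens.index("{")
    body, _ = parse_body(tokens, first + 1)
    return tokens[first - 1], body

def ha_findings(text):
    """List settings that would keep a two-unit pair from failing over or syncing."""
    name, dg = parse_device_group(text)
    devices = dg.get("devices")
    findings = []
    if dg.get("type") != "sync-failover":
        findings.append("type is not sync-failover")
    if dg.get("network-failover") != "enabled":
        findings.append("network-failover is not enabled")
    if not isinstance(devices, dict) or len(devices) < 2:
        findings.append("fewer than two member devices")
    if dg.get("auto-sync") != "enabled":
        findings.append("auto-sync is off: changes wait for a manual sync")
    return name, findings

if __name__ == "__main__":
    print(ha_findings(SAMPLE))
```

Because the parser works on tokens rather than lines, it also accepts the listing when it has been pasted as a single line with the tmsh prompt in front.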