Forum Discussion
jfrizzell_43066
Nimbostratus
Jan 18, 2012
LTM Connection to Dual Switches
Hello Everyone,
I am hoping that someone can help me understand which connection type is best for F5. We currently have two F5's in an active/failover cluster. In our environment, we are going away from access ports with single HTTP/HTTPS VIP to multiple VLANs. As part of this setup, I have done the following:
- Created 4 VLANs
- Created Self-IPs on each unit, plus one Floating IP
The current network setup is displayed in the attached Diagram-1, which has LTM-01 and LTM-02 split between multiple switches. Here is what I have done to test the new VLAN setup. On both switches, I have set the ports connecting to 1.4 on both LTMs to down. I created trunk ports on both switches connecting to ports 1.3. I was successful in reaching the self-IPs and the HTTP/HTTPS VIPs.
Is it preferable to leave the LTM ports as connected in Diagram-1 and change the access ports to trunk ports? Doing so would leave me with 4 trunk ports.
OR
Should I re-cable according to Diagram-2 and configure the switch with port channels?
I am just looking for the best performance and redundancy. Any feedback would be greatly appreciated.
Thanks,
Jeremy
25 Replies
- Techgeeeg
Nimbostratus
Hi Jeremy,
(I am considering that you have configured the fail-over via serial as well as the network)
I would not prefer the connectivity shown in Diagram-2; you have to keep it distributed between switches 1 and 2 as shown in Diagram-1. Let us say that the switch to which the active unit is connected fails. What will happen in this situation? Your failover unit will not switch to active mode, as it will continue getting the signal from the serial cable. Also, failure of the switch should not cause the units to fail over. So what will happen in this case is that all of your traffic processing will be stuck unless you do something manually. You should strictly follow what you have shown in Diagram-1.
Regards,
- mikand_61525
Nimbostratus
Can't you change when the HA will fail then?
Like if F5_1 can reach 0/2 servers (server1 on switch1 connected to F5_1 and server2 on switch2 connected to F5_2 and switch1 is connected to switch2) while F5_2 can reach 2/2, then it should fail over (even if the serial is still functional, given that the serial is being used)?
- Nathan_Houck_65
Nimbostratus
I believe Diagram-2 looks like it should suffice, but make sure you use VLAN failover so the BIG-IPs will fail over if the switch it's connected to goes down.
- hoolio
Cirrostratus
I'd suggest HA groups over VLAN failsafe as the former provides faster failover and more intelligence to prevent failover loops if both units experience the same failsafe event.
Manual Chapter: Understanding Fast Failover
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-redundant-systems-config-11-1-0/8.html?sr=18822521
Aaron
- Techgeeeg
Nimbostratus
Mikand, I really want to understand the scenario you are explaining here. Can you make it more detailed, as I really didn't get your reply completely.
Nathan, are you really sure the devices will fail over in case the switches go down? I believe both the switches may acquire the Active state.
- mikand_61525
Nimbostratus
Techgeeeg: I think hoolio just explained that.
Instead of relying on if the serial cable functions or not you can use various monitors to decide when the F5 unit should failover or not.
If you for example have this setup:
F5_1 -> switch1 -> server1
F5_2 -> switch2 -> server2
and then have cables between switch1 - switch2 you could end up with a situation where F5_1 is active but switch1 is broken. In this situation server1 cannot reach F5_1 nor F5_2 while server2 can reach F5_2 but for no good since this unit is still passive (and just ignores the packets).
If you now use some monitors to trigger the HA instead of the status of the serial cable you would see that F5_1 can't reach server1 nor server2, BUT... F5_2 can at least reach server2. So in this particular case I would prefer that F5_2 becomes active (and sends some SNMP trap that something bad happened, since all redundancy is now lost for the moment).
- Techgeeeg
Nimbostratus
Thanks Mikand, I got it now... but this setup seems like a workaround solution, and I feel like you have to unnecessarily set up a lot of things in the shape of monitors to achieve a working setup in all situations. Also, if there is any problem with server2 and server1 is very much fine health-wise, then failure of switch1 along with server2 will leave the setup nowhere. So what do you think now: is Diagram-1 a better design, or should Diagram-2 be followed?
- jfrizzell_43066
Nimbostratus
Thanks for all the feedback so far on this topic. To give you an idea of our failover, we use serial and LAN. I can remove the serial and use the LAN if that seems best.
- mikand_61525
Nimbostratus
Techgeeeg: Unfortunately I can't open your drawings here - is it possible for you to publish them on bayimg.com or similar (and post links)?
If you have F5_2 as current active and server2 dies this is a non issue since F5_2 will be able to reach server1 since the flow will then be: F5_2 -> switch2 -> switch1 -> server1, sure non-optimal but still functional. Not until switch2 fails there is a need to (in this case) perform a failover so F5_1 becomes active.
Setting up failover can, depending on the surrounding design, get you into one trap or another. CARP (as an example) often doesn't fail over at all if none of the machines in the failover cluster have 100% reachability for the hosts the boxes monitor. This is why you should think twice when you set up failover, along with which monitors to use and in which scenarios to fail over. Even if F5 has statesync there is always a possibility of lost packets in the network when failover occurs, so a rule of thumb is often to not fail over unless you really need to.
- Techgeeeg
Nimbostratus
Well mikand, I would prefer that you have a look at both of the diagrams. Then I believe your reply will be more accurate, and I would love to understand your point behind Diagram-2 as a better option over option 1. The query basically came from mikand and I am referring to the diagrams attached here, nothing else... and I believe you can open the two diagrams.
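
The failover reasoning in mikand's switch1/switch2 example above, as an added example that is not part of any post in the thread: a small Python model that scores each unit by how many servers it can still reach and changes the active unit only when the standby scores strictly higher. The node names come from the posts; the scoring rule is an assumed simplification for illustration, not F5's HA group algorithm.

```python
from collections import deque

# Constructed topology taken from the thread's example posts.
LINKS = [("F5_1", "switch1"), ("F5_2", "switch2"),
         ("switch1", "switch2"),
         ("switch1", "server1"), ("switch2", "server2")]
SERVERS = {"server1", "server2"}

def reachable(src, failed):
    """Breadth-first search over LINKS, ignoring every failed node."""
    if src in failed:
        return set()
    adj = {}
    for a, b in LINKS:
        if a in failed or b in failed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def score(unit, failed):
    """Number of monitored servers the unit can still reach."""
    return len(reachable(unit, failed) & SERVERS)

def choose_active(current, failed):
    """Fail over only when the standby can reach strictly more servers."""
    standby = "F5_2" if current == "F5_1" else "F5_1"
    if score(standby, failed) > score(current, failed):
        return standby
    # Equal scores (same event seen by both units): stay put, no flapping.
    return current

if __name__ == "__main__":
    cases = [("F5_1", {"switch1"}),             # active unit's switch dies
             ("F5_2", {"server2"}),             # one server dies
             ("F5_1", {"switch1", "server2"})]  # switch1 and server2 both die
    for current, failed in cases:
        print(current, sorted(failed), "->", choose_active(current, failed),
              {u: score(u, failed) for u in ("F5_1", "F5_2")})
```

The third case is the one raised later in the thread: with switch1 and server2 both down, neither unit reaches a server, so no failover decision can restore service.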
