LTM Connection to Dual Switches

Well mikand i prefer you better have a look at both of the diagrams. Then i believe you reply will be more acurate and i would love to understand you point behind diagram 2 as a better option over option1. The query basically came from mikand and i am refering to the diagrams attached here nothing else .... and i believe you can open the two diagrams....

So I posted the diagrams on bayimg and the links are below:

 

http://bayimg.com/KAMpmaada (Diagram-1)

 

http://bayimg.com/KamPnaADA (Diagram-2)

 

 

Techgeeeg - I setup the the switching and LTM's as shown in diagram-1, but had a an issue. As I described in the original post, the two switch ports connecting to LTM-01 & LTM-02 1.1 are configured as trunks worked great. To finish the configuration off, I had configured the remaining switch ports that connect to LTM-01 & LTM-02 1.2 as trunk ports and enabled them. The two switches correctly went through spanning-tree and placed ports as active/blocked. After enable all four ports, I made a connection to the website and the load time was 6 seconds. I disabled the two ports on the switch that lead to LTM-01 & LTM-02 1.2 and the load time was less than 1 second. I tried this a number times of disabled the two ports and adding it back, but the result was exactly the same, that being load delay. Any ideas on why this might be occurring?

 

 

I spoke with F5 support and the engineer told me to go with Diagram-2 and enable failsafe. Basically, the failsafe method checks to ensure that the VLAN is continuously passing traffic and if it doesn't, the F5 will failover. Additionally, he said the best method for failover detection was the serial cable.

 

 

At this point, I am struggling with which option I should take as I see valid arguments for both sides.

jfrizzell: Thanks

 

 

Techgeeeg: No need to be upset when you ask for advice. I have seen others in this forum which successfully uploaded pictures in such way that one wont need to first manually download them in order to see them.

 

 

The good thing with diagram2 is that you will utilize LACP which will in total raise total throughput (but verify how the LACP hashing is performed and choose srcip+srcport+dstip+dstport to fully utilize all cables involved in the LACP-group - if you use standard which is just srcmac+dstmac then only one cable will be used between the F5 and each server (for all sessions)).

 

 

On the other hand you need to failover if switch1 dies and F5_1 was active for the moment (dies not only at connectivity level but can die from missconfiguration and other stuff aswell).

 

 

You seem to have 4 interfaces on your LTM's... is it possible for you to use all 4?

 

 

So the setup would be:

 

 

LTM01: int0

 

LACP (towards switch1)

 

LTM01: int1

 

 

LTM01: int2

 

LACP (towards switch2)

 

LTM01: int3

 

 

LTM02: int0

 

LACP (towards switch1)

 

LTM02: int1

 

 

LTM02: int2

 

LACP (towards switch2)

 

LTM02: int3

 

 

SW01: int47

 

LACP (towards switch2)

 

SW01: int48

 

 

SW02: int47

 

LACP (towards switch2)

 

SW02: int48

You'd also have to check if LACP is supported across the two separate switches that you're using... Most likely not though. Very few do.

 

 

However if you're using something like Cisco 3750 series switches (e.g. 2x 3750E's) you can stack them to make a single LOGICAL switch, AND you can perform LACP across both of them... (LACP balancing modes on the 3750 are a bit limited though. Most of the 'cheaper' ones default to mac headers rather than using IP src/dest/ports and full IP hashing may not be available - Can't remember the complete list the 3750 supports).

 

 

However assuming you have the extra ports on the BigIP units you could do diagram 1 WITH lACP to each port... best of both worlds and rely on spanning tree for link availability (However that does mean you need a reconvergence when you lose a link which may be more disruption than you think is worth it).

 

 

I'l re-iterate what Nathan and Aaron said above.. use VLAN failsafe to ensure the units LTM failover if you lose VLAN connectivity for any reason.

 

 

 

[Note. You don't specify whether the switches are Layer-2 only, or if you have SVI's on them. You may want to think about GLBP vs HSRP for instance. Or even whether spending extra on something like a 6506 would be better economy than two separate switches in data centre, or even 2x6506's :) ].

 

 

H

Looking at the F5 support page, just reading that vPC support starts in BIG-IP version 10.1.0 and we are currently running a older version. This is the reason why the vPC would not work.

Jfrizzell , yes you have to create a trunk and place both the ports in the trunk group you will be creating. Also as you have said above you checked out the things with F5 Support and the things were having delay with the first diagram setup and it started working fine in the second setup. Well to me this is a work around that if the support is saying you to go with the second diagram only because it is working fine and the reason of the setup not working on diagram is never found out....

Techgeeeg:

 

 

I knew there was a disconnect somewhere. I am going to remove the tagged ports and then create trunks for each port and try again. I will keep you posted on the results. Keeping with diagram-1, I will probably add what Hamish recommend with the additional ports and LACP when I can free up those additional ports.

Ah... vPC's to BigIP's work fine... They don't even know that there's a vPC involved because the vPC is at the Nexus end. The BigIP end if just a normal BigIP LACP trunk.

 

 

FWIW I have vPC's to lots of devices (Including BigIP LTM's, Checkpoint VSX's) from nexus 7010's on both 10Gb and 1Gb links. They work fine. A little strange when debugging, because they show a few funny bots about MAC addresses and the ports they see it down, but that's at he nexus end.

 

 

Also be careful of the terminology between Cisco and F5 equipment. A Cisco Trunk is F5 VLAN Tagging. A Cisco Port-Channel (Or even ether channel depending on IOS/NX-OS version) is an F5 Trunk... So if you just say 'Trunk' it's a bit ambiguous (And very prone to confusion. try getting some Cisco and F5 guys together in a room to talk about link aggregation and watch the confusion start :)

 

 

H

Hamish: I think most manageable switches do support LACP these days (which is the IEEE standard for bundling interfaces).

 

 

Only ones who usually doesnt are the non-manageable switches (but there exists also non-manageable switches which have "LACP passive" (or "LACP active" for that matter) set to be able to bundle interfaces without the need to manually configure the device).

 

jfrizzell: Your config from switch-01, is that a copperport (RJ45)?

 

 

Because "speed 1000" can be problematic due to the fact that the IEEE standard says you need to use auto/auto regarding speed/duplex when it comes to gbit and higher speeds. I have seen this confusion happen between a cisco switch and a hp switch - which was fixed once you set auto/auto on both ends (even if it felt wrong compared to how bad autoneg worked back in the 10/100 days for some equipment :P).