Forum Discussion

James_Brown
Feb 12, 2020

LTM Traffic Groups Failover - Is Layer 2 needed?

Dear All,

For years we have connected Active-Standby LTMs with a common VLAN for VIP-Bound traffic (and responses). We use traffic groups with a shared "floating ip" which is meant to float across to the standby unit in the same VLAN following an HA Event. Our failover heartbeats happen separately across dedicated sync cables and a management port. VIPs are pointed at the LTM's floating IP address using static routes, which minimises ARP during a failover.

I have been busy building an EVPN fabric and I would now like to consider the options for migrating the LTM Active-Standby pair onto it. My preference would be to connect the two LTMs to separate leafs and use Cisco's HMM track to inject the static routes into BGP when the connected LTM becomes active (i.e. starts responding to the floating IP). This is how Cisco recommend connecting a load-balancer to an EVPN fabric (see "Firewall Failover with Static Routes").

Ideally I would like to remove the L2 common VLAN between the Active and Standby unit, but still float a single IP address between the devices.

  1. Could you advise if the LTM will allow a floating traffic-group IP to be floated to a unit which isn't in the same L2 broadcast domain?
  2. Does the LTM issue a GARP when taking over the floating IP?
  3. I guess that if the above isn't possible, an MLAG/VPC up to a leaf pair would be the way to go and just connect both F5s to the same leaf pair.

The question about L2 connectivity between LTM units has been asked before, but I didn't see any firm answers.

Thanks in advance.

James.

    > Could you advise if the LTM will allow a floating traffic-group IP to be floated to a unit which isn't in the same L2 broadcast domain?

    Yes - L2 adjacency is not required. Typically you are relying on ARP upstream of the BigIP, so the L2 is the same, but this is not required, as long as the upstream devices can send the traffic to the currently active BigIP correctly.

    Network-based HA and config-sync communications are routable. The HA vlan is intended to prevent HA and mirror traffic from impacting service traffic by isolating it from the internal/external networks.

    However, you generally do want to have the BigIP peers having the same views and connectivity into the network for seamless failover, and the inter-device communication needs to be fast enough to prevent unexpected failovers. By default, the heartbeat timeout is 3 seconds.

    K7249: Configuring the network failover timer

    > Does the LTM issue a GARP when taking over the floating IP?

    The LTM does GARP for the floating self-IP and all virtual IPs when failover occurs.

    > I guess that if the above isn't possible, an MLAG/VPC up to a leaf pair would be the way to go and just connect both F5s to the same leaf pair.

    If you have Advanced Routing licensed, you can advertise Floating Self-IPs/Virtual IPs via BGP directly from the BigIP.

    AskF5 | Manual Chapter: Dynamic Routing
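Since the answer above says the LTM sends gratuitous ARP for the floating self-IP on failover, a defender can watch those GARPs to confirm a failover happened and to catch a device outside the HA pair claiming the floating IP. The following is an added example, not code from the post or from F5: a small Python audit that parses raw Ethernet/ARP frames; the floating IP, the pair's MAC addresses and the frames produced by `build_garp` are constructed values for the demonstration.

```python
import struct
from typing import Dict, List, Optional

# Constructed values for the demonstration (not from the post): the floating
# self-IP being watched and the MAC addresses of the two LTMs in the HA pair.
FLOATING_IP = "10.0.1.10"
HA_PAIR_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

def parse_garp(frame: bytes) -> Optional[Dict[str, str]]:
    """Return sender MAC/IP and opcode if the frame is a gratuitous ARP, else None.
    A gratuitous ARP is an Ethernet/IPv4 ARP whose sender IP equals its target IP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac, sender_ip, target_ip = arp[8:14], arp[14:18], arp[24:28]
    if sender_ip != target_ip:
        return None
    return {"sender_mac": ":".join(f"{b:02x}" for b in sender_mac),
            "sender_ip": ".".join(str(b) for b in sender_ip),
            "op": "request" if op == 1 else "reply"}

def audit_floating_ip(frames: List[bytes]) -> List[str]:
    """Report who owns FLOATING_IP, each move between HA peers (a failover),
    and any claim by a MAC that is not one of the pair."""
    events, owner = [], None
    for frame in frames:
        garp = parse_garp(frame)
        if garp is None or garp["sender_ip"] != FLOATING_IP:
            continue
        mac = garp["sender_mac"]
        if mac not in HA_PAIR_MACS:
            events.append(f"ALERT unknown device {mac} claimed {FLOATING_IP}")
            continue
        if owner is None:
            events.append(f"OWNER {FLOATING_IP} at {mac}")
        elif mac != owner:
            events.append(f"FAILOVER {FLOATING_IP} moved {owner} -> {mac}")
        owner = mac
    return events

def build_garp(mac: str, ip: str, op: int = 2) -> bytes:
    """Fabricate a broadcast gratuitous ARP frame (used only to feed the audit)."""
    hw = bytes.fromhex(mac.replace(":", ""))
    addr = bytes(int(octet) for octet in ip.split("."))
    ethernet = b"\xff" * 6 + hw + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + hw + addr + hw + addr
    return ethernet + arp
```

On a real network the frames would come from a capture on the VLAN (or leaf port) facing the LTMs, and the same audit can be pointed at each virtual IP the answer says is also GARPed.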