Forum Discussion

Johnde's avatar
Johnde
Icon for Cirrus rankCirrus
Feb 19, 2020

Need recommendation on Active-Active F5 setup

Hello Experts,   I need few recommendations/inputs from you. Currently i am managing two F5 HA clusters in active-standby mode. Now we have one requirement of deploying one HA cluster at one of o...
application delivery
BIG-IP
F5 HA
LTM
security
  • Mayur_Sutare's avatar
    Mayur_Sutare
    Feb 19, 2020

    Hi John,

     

    It absolutely depend on your requirement and the platform capacity. Just one quick question. do you have hardware or VM series platforms?

     

    Now if you really want to deploy cluster in active-active mode. Below are some deployment related inputs from my end -

     

    1. As you have mentioned you have two subnets to be taken behind F5 i.e. LAN and DMZ. You can configured to take load on LAN on F5-A and DMZ load on other F5.
    2. This can be configured using traffic groups. There is one traffic group by default. You can create new traffic group.
    3. e.g. in traffic group 1, F5-1 will be active and other will be standby and for traffic group 2, F5-2 will be active and other will be standby.
    4. Also there will be failovers like if F5-1 goes down, F5-2 will take traffic on DMZ as well as LAN and vice-a-versa.
    5. You can even configure separate partitions for LAN and DMZ to keep separate configuration and easy to manage. Also have separate route domains. e.g. for LAN 1 and DMZ 2.

     

    This way you can plan your configuration. Actually i have tested exactly same deployment in my LAB setup Let ms know if you have any queries on this.

     

    Mayur

Mayur_Sutare's avatar
Mayur_Sutare
Icon for MVP rankMVP

Hi John,

 

It absolutely depend on your requirement and the platform capacity. Just one quick question. do you have hardware or VM series platforms?

 

Now if you really want to deploy cluster in active-active mode. Below are some deployment related inputs from my end -

 

  1. As you have mentioned you have two subnets to be taken behind F5 i.e. LAN and DMZ. You can configured to take load on LAN on F5-A and DMZ load on other F5.
  2. This can be configured using traffic groups. There is one traffic group by default. You can create new traffic group.
  3. e.g. in traffic group 1, F5-1 will be active and other will be standby and for traffic group 2, F5-2 will be active and other will be standby.
  4. Also there will be failovers like if F5-1 goes down, F5-2 will take traffic on DMZ as well as LAN and vice-a-versa.
  5. You can even configure separate partitions for LAN and DMZ to keep separate configuration and easy to manage. Also have separate route domains. e.g. for LAN 1 and DMZ 2.

 

This way you can plan your configuration. Actually i have tested exactly same deployment in my LAB setup Let ms know if you have any queries on this.

 

Mayur

Johnde's avatar
Johnde
Icon for Cirrus rankCirrus
Feb 19, 2020

Hello Mayur,

 

Thanks for sharing details. I have all VM series F5 and new deployment will also VM series only. I am with your points of configuring two separate partitions and RDs for LAN and DMZ. Both F5s will be there for taking traffic for both lan and dmz.

I am quite curious about managing it. We dont have BigIQ for managing our F5s, we are managing them separately by logging into active gateway using its management interface and post making changes, we do sync it with peer. Now in active-active setup, how can i manage configuration changes effectively? Any suggestions?