Forum Discussion

Cirrus

Feb 19, 2020

Need recommendation on Active-Active F5 setup

Hello Experts, I need few recommendations/inputs from you. Currently i am managing two F5 HA clusters in active-standby mode. Now we have one requirement of deploying one HA cluster at one of o...

Mayur_Sutare
Feb 19, 2020
Hi John,

It absolutely depend on your requirement and the platform capacity. Just one quick question. do you have hardware or VM series platforms?

Now if you really want to deploy cluster in active-active mode. Below are some deployment related inputs from my end -

As you have mentioned you have two subnets to be taken behind F5 i.e. LAN and DMZ. You can configured to take load on LAN on F5-A and DMZ load on other F5.
This can be configured using traffic groups. There is one traffic group by default. You can create new traffic group.
e.g. in traffic group 1, F5-1 will be active and other will be standby and for traffic group 2, F5-2 will be active and other will be standby.
Also there will be failovers like if F5-1 goes down, F5-2 will take traffic on DMZ as well as LAN and vice-a-versa.
You can even configure separate partitions for LAN and DMZ to keep separate configuration and easy to manage. Also have separate route domains. e.g. for LAN 1 and DMZ 2.

This way you can plan your configuration. Actually i have tested exactly same deployment in my LAB setup Let ms know if you have any queries on this.

Mayur

Mayur_Sutare

MVP

Feb 19, 2020

I would recommend below few points for management perspective -

Take access of F5 using either LAN or DMZ floating interface IP. e.g take access using LAN floating interface.
So you will get login to F5-1 by default as F5-1 is acting as ACTIVE for LAN.
Then you can make configuration changes.
If you are doing changes related to DMZ, in that case you need to sync configuration at that point only as you are making changes on F5-1 and F5-2 is acting as ACTIVE for DMZ. In such case, you can keep sync configuration to 'auto' and avoid manual sync everytime to sync DMZ related changes. But thats upto you how you want to keep it.
If F5-1 is down, in that case you will get login to F5-2 using LAN floating as it will act as ACTIVE for LAN as well as DMZ at that moment.

This way, you can manage your F5s efficiently.

Hope it helps you!

Mayur

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Need recommendation on Active-Active F5 setup

Recent Discussions

Creating Policy using Terraform

Alert Mail when virtual server down trubleshooting

How to disable RC4 Cipher on SSL

Big-IQ + LetsEncrypt wildcard

DEVICE-0202 Error while adding rSeries as a provider in CM

Related Content

Re activate license failed

F5 Active Standby Node Configuration

Activate serverssl profile in iRule

Especial Load Balancing Active-Passive Scenario (I)

In an active/standby setup of ASM, with sync only device group, do signature updates sync up?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS