Forum Discussion

TJ_Vreugdenhil's avatar
TJ_Vreugdenhil
Icon for Cirrus rankCirrus
Jan 05, 2018

Config-sync only certain BIG-IP folders

Hey guys -

We have F5 platforms at each datacenter using a OTV link to extend Layer 2 services.

We would like to be able to synchronize everything in the /Common folder/partition. But create a site specific folder or partition that does not get synchronized. Reading the snippet below, it seems like this is doable using folders. But it is not clear to me how to actually assign a folder to a specific traffic-group, and then to a specific sync-only device group?

Any help on the configuration steps to accomplish this? (BIG-IP 12.1.2) 

Folders
A folder is a container for BIG-IP configuration objects. You can use folders to set up synchronization and failover of configuration data in a device group. You can sync all configuration data on a BIG-IP device, or you can sync and fail over objects within a specific folder only.

https://support.f5.com/csp/article/K13946
application delivery
BIG-IP
config sync
device-group
folder
LTM
traffic-group

9 Replies

Sort By
  • nitass_89166's avatar
    nitass_89166
    Icon for Noctilucent rankNoctilucent
    Jan 06, 2018

    can you try something like this?

    // active

[root@bip1a:Active:In Sync] config  tmsh list sys folder /Common/local
sys folder local {
    device-group none
    inherited-devicegroup false
    inherited-traffic-group false
    traffic-group traffic-group-local-only
}
[root@bip1a:Active:In Sync] config  tmsh create ltm pool /Common/local/localpool_test
[root@bip1a:Active:In Sync] config  tmsh list ltm pool /Common/local/*
ltm pool local/localpool_test { }
[root@bip1a:Active:In Sync] config 

// standby

[root@bip1b:Standby:In Sync] config  tmsh list sys folder /Common/local
sys folder local {
    device-group none
    inherited-devicegroup false
    inherited-traffic-group false
    traffic-group traffic-group-local-only
}
[root@bip1b:Standby:In Sync] config  tmsh list ltm pool /Common/local/*
01020036:3: The requested Pool (/Common/local/*) was not found.
[root@bip1b:Standby:In Sync] config

    normally i use sync only device group to sync object among big-ip in different ha pair e.g. fips key across 2 pairs of big-ip.

    • TJ_Vreugdenhil's avatar
      TJ_Vreugdenhil
      Icon for Cirrus rankCirrus
      Jan 07, 2018

      Thanks Nitass, that is helpful!

       

      So we really have a pair of F5 devices at each datacenter.

       

      So would I have to do something like this?

       

      DC1 device-group 1 sync-failover (DC1-bigip1, DC1-bigip2)

       

      DC2 device-group 2 sync-failover (DC2-bigip3, DC2-bigip4)

       

      device-group 3 sync-only (DC1-bigip1, DC1-bigip2, DC2-bigip3, DC2-bigip4)

       

      device-group 4 (DC1 site local) sync-only DC1-bigip1, DC1-bigip2

       

      device-group 5 (DC2 site local) sync-only (DC2-bigip3, DC2-bigip4)

       

      traffic-group-4 (device-group-4 ) virtual-address 4

       

      traffic-group-2 (device-group 1, device-group 2) virtual-address 1 virtual-address 2

       

      Also, is there an easy way to create the local datacenter's VIP, self IP's, pool, etc inside the "local" folder via the GUI? Or do the configuration objects have to be created or moved using the CLI/TMSH if you want them in a certain folder?

       

      Thanks!

       

    • nitass_89166's avatar
      nitass_89166
      Icon for Noctilucent rankNoctilucent
      Jan 08, 2018

      DC1

       

      device-group 1

       

      sync-failover (DC1-bigip1, DC1-bigip2)

       

      DC2

       

      device-group 2

       

      sync-failover (DC2-bigip3, DC2-bigip4)

       

      doesn't failover happen inside each dc e.g. bigip1 to bigip2 or vice versa, bigip3 to bigip3 or vice versa? if you want to synchronize some object among all 4 bigip, you can create sync only device group with all 4 bigip as members. whatever object with this sync only device group will be synchronized to all the bigip e.g. certificate, private key.

       

      is there an easy way to create the local datacenter's VIP, self IP's, pool, etc inside the "local" folder via the GUI?

       

      you can use full path when creating object in gui e.g. /Common/local/localpool_test as a pool name.

       

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jan 06, 2018

    can you try something like this?

    // active

[root@bip1a:Active:In Sync] config  tmsh list sys folder /Common/local
sys folder local {
    device-group none
    inherited-devicegroup false
    inherited-traffic-group false
    traffic-group traffic-group-local-only
}
[root@bip1a:Active:In Sync] config  tmsh create ltm pool /Common/local/localpool_test
[root@bip1a:Active:In Sync] config  tmsh list ltm pool /Common/local/*
ltm pool local/localpool_test { }
[root@bip1a:Active:In Sync] config 

// standby

[root@bip1b:Standby:In Sync] config  tmsh list sys folder /Common/local
sys folder local {
    device-group none
    inherited-devicegroup false
    inherited-traffic-group false
    traffic-group traffic-group-local-only
}
[root@bip1b:Standby:In Sync] config  tmsh list ltm pool /Common/local/*
01020036:3: The requested Pool (/Common/local/*) was not found.
[root@bip1b:Standby:In Sync] config

    normally i use sync only device group to sync object among big-ip in different ha pair e.g. fips key across 2 pairs of big-ip.

    • TJ_Vreugdenhil's avatar
      TJ_Vreugdenhil
      Icon for Cirrus rankCirrus
      Jan 07, 2018

      Thanks Nitass, that is helpful!

       

      So we really have a pair of F5 devices at each datacenter.

       

      So would I have to do something like this?

       

      DC1 device-group 1 sync-failover (DC1-bigip1, DC1-bigip2)

       

      DC2 device-group 2 sync-failover (DC2-bigip3, DC2-bigip4)

       

      device-group 3 sync-only (DC1-bigip1, DC1-bigip2, DC2-bigip3, DC2-bigip4)

       

      device-group 4 (DC1 site local) sync-only DC1-bigip1, DC1-bigip2

       

      device-group 5 (DC2 site local) sync-only (DC2-bigip3, DC2-bigip4)

       

      traffic-group-4 (device-group-4 ) virtual-address 4

       

      traffic-group-2 (device-group 1, device-group 2) virtual-address 1 virtual-address 2

       

      Also, is there an easy way to create the local datacenter's VIP, self IP's, pool, etc inside the "local" folder via the GUI? Or do the configuration objects have to be created or moved using the CLI/TMSH if you want them in a certain folder?

       

      Thanks!

       

    • nitass's avatar
      nitass
      Icon for Employee rankEmployee
      Jan 08, 2018

      DC1

       

      device-group 1

       

      sync-failover (DC1-bigip1, DC1-bigip2)

       

      DC2

       

      device-group 2

       

      sync-failover (DC2-bigip3, DC2-bigip4)

       

      doesn't failover happen inside each dc e.g. bigip1 to bigip2 or vice versa, bigip3 to bigip3 or vice versa? if you want to synchronize some object among all 4 bigip, you can create sync only device group with all 4 bigip as members. whatever object with this sync only device group will be synchronized to all the bigip e.g. certificate, private key.

       

      is there an easy way to create the local datacenter's VIP, self IP's, pool, etc inside the "local" folder via the GUI?

       

      you can use full path when creating object in gui e.g. /Common/local/localpool_test as a pool name.

       

    • TJ_Vreugdenhil's avatar
      TJ_Vreugdenhil
      Icon for Cirrus rankCirrus
      Sep 01, 2018

      Nice find. That was exactly what I was going for. I didn't end up doing it for a client to avoid administration complexity. It's easy to understand if you set it up yourself, but if a new resource came in, they may not know or remember to create objects in the correct folder.

       

    • TJ_Vreugdenhil's avatar
      TJ_Vreugdenhil
      Icon for Cirrus rankCirrus
      Sep 01, 2018

      Actually, the article is close to what we were going for. But a little different. Either way, it's a good reference.