cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

Need recommendation on Active-Active F5 setup

Johnde
Cirrus
Cirrus

Hello Experts,

 

I need few recommendations/inputs from you. Currently i am managing two F5 HA clusters in active-standby mode. Now we have one requirement of deploying one HA cluster at one of our site. I am planning to take this new cluster in Active-Active mode. behind F5, there will be two networks one LAN and other DMZ. Can you please let us know some inputs for such requirement if opted for active-active mode.

 

Many thanks in advance.

1 ACCEPTED SOLUTION

Hi John,

 

It absolutely depend on your requirement and the platform capacity. Just one quick question. do you have hardware or VM series platforms?

 

Now if you really want to deploy cluster in active-active mode. Below are some deployment related inputs from my end -

 

  1. As you have mentioned you have two subnets to be taken behind F5 i.e. LAN and DMZ. You can configured to take load on LAN on F5-A and DMZ load on other F5.
  2. This can be configured using traffic groups. There is one traffic group by default. You can create new traffic group.
  3. e.g. in traffic group 1, F5-1 will be active and other will be standby and for traffic group 2, F5-2 will be active and other will be standby.
  4. Also there will be failovers like if F5-1 goes down, F5-2 will take traffic on DMZ as well as LAN and vice-a-versa.
  5. You can even configure separate partitions for LAN and DMZ to keep separate configuration and easy to manage. Also have separate route domains. e.g. for LAN 1 and DMZ 2.

 

This way you can plan your configuration. Actually i have tested exactly same deployment in my LAB setup Let ms know if you have any queries on this.

 

Mayur

View solution in original post

5 REPLIES 5

Hi John,

 

It absolutely depend on your requirement and the platform capacity. Just one quick question. do you have hardware or VM series platforms?

 

Now if you really want to deploy cluster in active-active mode. Below are some deployment related inputs from my end -

 

  1. As you have mentioned you have two subnets to be taken behind F5 i.e. LAN and DMZ. You can configured to take load on LAN on F5-A and DMZ load on other F5.
  2. This can be configured using traffic groups. There is one traffic group by default. You can create new traffic group.
  3. e.g. in traffic group 1, F5-1 will be active and other will be standby and for traffic group 2, F5-2 will be active and other will be standby.
  4. Also there will be failovers like if F5-1 goes down, F5-2 will take traffic on DMZ as well as LAN and vice-a-versa.
  5. You can even configure separate partitions for LAN and DMZ to keep separate configuration and easy to manage. Also have separate route domains. e.g. for LAN 1 and DMZ 2.

 

This way you can plan your configuration. Actually i have tested exactly same deployment in my LAB setup Let ms know if you have any queries on this.

 

Mayur

Hello Mayur,

 

Thanks for sharing details. I have all VM series F5 and new deployment will also VM series only. I am with your points of configuring two separate partitions and RDs for LAN and DMZ. Both F5s will be there for taking traffic for both lan and dmz.

I am quite curious about managing it. We dont have BigIQ for managing our F5s, we are managing them separately by logging into active gateway using its management interface and post making changes, we do sync it with peer. Now in active-active setup, how can i manage configuration changes effectively? Any suggestions?

I would recommend below few points for management perspective -

 

  1. Take access of F5 using either LAN or DMZ floating interface IP. e.g take access using LAN floating interface.
  2. So you will get login to F5-1 by default as F5-1 is acting as ACTIVE for LAN.
  3. Then you can make configuration changes.
  4. If you are doing changes related to DMZ, in that case you need to sync configuration at that point only as you are making changes on F5-1 and F5-2 is acting as ACTIVE for DMZ. In such case, you can keep sync configuration to 'auto' and avoid manual sync everytime to sync DMZ related changes. But thats upto you how you want to keep it.
  5. If F5-1 is down, in that case you will get login to F5-2 using LAN floating as it will act as ACTIVE for LAN as well as DMZ at that moment.

This way, you can manage your F5s efficiently.

 

Hope it helps you!

 

Mayur

Johnde
Cirrus
Cirrus

That's good suggestion. I am pretty clear now with my requirements and the configuration i need to do. Thanks to  .

Really Appreciate your help.

My pleasure buddy!

 

Mayur