BIG-IP Active/Standby HA

Summary of steps

  1. Create the high availability VLAN and self IP on both bigip1 and bigip2.
  2. Configure HA on both bigip1 and bigip2: the config sync address and the failover network.
  3. Set up the HA cluster: add the peer to the trust domain, then add the trusted peer to the same device group.

Create VLAN and self IP on bigip1 and bigip2

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# /net vlan
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.net.vlan)# create ha-vlan tag 999 interfaces add { 1.5 }
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.net.vlan)# /net self
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# create ha-ip vlan ha-vlan address 192.168.32.1/24
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# modify ha-ip allow-service default


[root@bigip2:Active:Standalone] config # tmsh
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos)# /net vlan
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos.net.vlan)# create ha-vlan tag 999 interfaces add { 1.5 }
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos.net.vlan)# /net self
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# create ha-ip vlan ha-vlan address 192.168.32.2/24
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# modify ha-ip allow-service default

The allow-service setting must not be none, otherwise the peer cannot be discovered; it needs to be set to at least default.

Test ping to each other:

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# ping 192.168.32.2
PING 192.168.32.2 (192.168.32.2) 56(84) bytes of data.
64 bytes from 192.168.32.2: icmp_seq=1 ttl=255 time=10.0 ms
64 bytes from 192.168.32.2: icmp_seq=2 ttl=255 time=6.02 ms
64 bytes from 192.168.32.2: icmp_seq=3 ttl=255 time=6.00 ms
64 bytes from 192.168.32.2: icmp_seq=4 ttl=255 time=5.99 ms


root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# ping 192.168.32.1
PING 192.168.32.1 (192.168.32.1) 56(84) bytes of data.
64 bytes from 192.168.32.1: icmp_seq=1 ttl=255 time=6.70 ms
64 bytes from 192.168.32.1: icmp_seq=2 ttl=255 time=5.50 ms
64 bytes from 192.168.32.1: icmp_seq=3 ttl=255 time=6.02 ms
64 bytes from 192.168.32.1: icmp_seq=4 ttl=255 time=5.45 ms
64 bytes from 192.168.32.1: icmp_seq=5 ttl=255 time=6.02 ms

Preparing for HA
Assign interface and address for config sync and unicast failover respectively.

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# /cm device
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.cm.device)# modify bigip1 configsync-ip 192.168.32.1 unicast-address { { ip 192.168.32.1 } }


root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos.net.self)# /cm device
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos.cm.device)# modify bigip2.cyruslab.net configsync-ip 192.168.32.2 unicast-address { { ip 192.168.32.2 } }
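
An added example, not part of the original post: a Python check over saved `tmsh list net self` output that the config sync / failover address sits on a self IP whose allow-service is not none. The sample output is constructed and its layout is an assumption; the function names are hypothetical, and the warning on `all` is an extra hardening check beyond what the post states.

```python
import re

# Constructed sample of `tmsh list net self` output (layout assumed).
SAMPLE = """\
net self ha-ip {
    address 192.168.32.1/24
    allow-service {
        default
    }
    vlan ha-vlan
}
net self internal-ip {
    address 10.1.20.1/24
    allow-service none
    vlan internal
}
"""

STANZA = re.compile(r"^net self (\S+) \{\n(.*?)^\}", re.M | re.S)
ADDR = re.compile(r"^\s+address (\S+)", re.M)
ALLOW = re.compile(r"^\s+allow-service (?:\{([^}]*)\}|(\S+))", re.M)

def parse_self_ips(text):
    """Return {self-ip name: {"address": ip, "allow": [services]}}."""
    selfs = {}
    for name, body in STANZA.findall(text):
        addr = ADDR.search(body)
        allow = ALLOW.search(body)
        # Either a braced list ("{ default }") or a single word ("none", "all").
        services = (allow.group(1) or allow.group(2) or "").split() if allow else []
        selfs[name] = {
            "address": addr.group(1).split("/")[0] if addr else None,
            "allow": services,
        }
    return selfs

def check_ha_address(selfs, ha_ip):
    """Return a list of findings for one config sync / failover address."""
    for name, info in selfs.items():
        if info["address"] != ha_ip:
            continue
        if info["allow"] in ([], ["none"]):
            return [f"{name}: allow-service is none, the peer cannot be discovered"]
        if info["allow"] == ["all"]:
            return [f"{name}: allow-service all opens every port, default is enough"]
        return []
    return [f"{ha_ip}: no self IP carries this address"]
```
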

Cluster setup
On bigip1, add bigip2.cyruslab.net to the device trust peer list.

root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.cm.device)# /cm trust-domain
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos.cm.trust-domain)# modify /Common/Root ca-devices add { 10.10.10.2 } name bigip2.cyruslab.net username admin password admin

The command line requires the hostname / FQDN, but in the GUI this is not necessary; only the peer's management IP and credentials are required.

Create a device group that includes bigip1 and bigip2.cyruslab.net.

root@(bigip1)(cfg-sync In Sync (Trust Domain Only))(Active)(/Common)(tmos.cm.trust-domain)# /cm device-group
root@(bigip1)(cfg-sync In Sync (Trust Domain Only))(Active)(/Common)(tmos.cm.device-group)# create ha devices add { bigip1 bigip2.cyruslab.net } type sync-failover full-load-on-sync true network-failover enabled auto-sync disabled
root@(bigip1)(cfg-sync Awaiting Initial Sync)(Standby)(/Common)(tmos.cm.device-group)#

Soon after the sync-failover device group was created, bigip1 became standby and bigip2 became active.

In this command line I have enabled full sync and network failover, and I disabled the automatic sync feature. I will have to do a manual config sync whenever I make changes to the active bigip.

Now go to the active bigip – bigip2.cyruslab.net to sync config to group.

root@(bigip2)(cfg-sync Awaiting Initial Sync)(Active)(/Common)(tmos.net.self)# run /cm config-sync to-group ha
root@(bigip2)(cfg-sync Awaiting Initial Sync)(Active)(/Common)(tmos.net.self)#
root@(bigip2)(cfg-sync Awaiting Initial Sync)(Active)(/Common)(tmos.net.self)#
root@(bigip2)(cfg-sync Awaiting Initial Sync)(Active)(/Common)(tmos.net.self)#
root@(bigip2)(cfg-sync Awaiting Initial Sync)(Active)(/Common)(tmos.net.self)#
root@(bigip2)(cfg-sync Awaiting Initial Sync)(Active)(/Common)(tmos.net.self)#
root@(bigip2)(cfg-sync In Sync)(Active)(/Common)(tmos.net.self)#

As observed above, the config becomes in sync after a while.
