I. THE BUILDING BLOCKS
At the centre of F5 Clustering stands DSC – an acronym which reads Device Service Clustering; this is also known as CMI which stands for Centralised Management Infrastructure.
As an architecture DSC comprises the following component objects:
- Device Groups
- Device Trust and Trust Domain
- Traffic Group
- Folders and Sub-folders
A device can be either a virtual or physical F5 unit with specific set of identification and connectivity properties. When configuring clustering, devices grouped into a Device Group. In a device group, devices authenticate each other using x509 certificates, forming a trust domain.
There are two types of Device Groups:
- Sync-Only Device Group
- Syncs configuration data only between devices within the same or different device groups
- Supports a maximum of 32 devices
- A default device_trust_group already exists on the system but not visible on the web GUI until version 11.6.x
- Configuration is much simpler
- Sync-Failover Device Group
- Syncs configuration data (actual configuration!) including failover objects (see below) between devices within the same device group
- Supports a maximum of eight devices within the same device group
- required for HA deployment
A traffic-group, according to F5, is a collection of related configuration objects which together, process a particular type of traffic. These include Self IPs, Virtual IPs, iApps, (S)NAT and VLANs objects.
- A Local Traffic group – is local significant only; it has no scope beyond the device where it’s configured. A default local traffic group is created automatically during the initial setup wizard called traffic-group-local-only – it contains the non-floating self IPs associated to the external and internal VLANs.
- There is also floating traffic groups – as the name suggests, these can be automatically reassigned (float) between devices part of the same device-group. Objects which belong to a floating traffic group are called failover objects.
It is very important to first grasp the concept of traffic-groups in order to later, understand the difference between active-passive vs. active-active HA deployments.
Lastly, Folders and sub-folders allow you to filter configuration sections to be sync’d between devices in a granular fashion. You could for instance sync the entire root (all configuration for a specific traffic-group) or a specific folder only, or even sections of the configuration within a specific folder.
In order for clustering to work, the following must be true:
- Licensing and provisioning must match
- Software versions must also match
- Hardware specs must be identical for mirroring to work; not a requirement otherwise
- All devices must have unique management IPs
- NTP must be setup
- ConfigSync IP must be configured on all devices; a dedicated link is recommended
- Network Failover IP must be configured on all devices;
- Optional – configure Mirror IP should you need to sync real-time connection
- Make sure all devices can communicate over the following ports (mind your Firewalls!):
- TCP/443 (SSL)
- TCP/4353 (iQuery)
- UDP/1026 (Network Failover)
- TCP/1028 (Connection & Persistence Mirroring)
- TCP/22 (SSH)
Rafael A. Couto Cabral • LinkedIn Profile
Cisco | F5 | VMware Certified • PRINCE2 Practitioner
Originally posted 2017-10-04 10:30:00.