F5 HA – Part I – Fundamentals


At the centre of F5 Clustering stands DSC – an acronym which reads Device Service Clustering; this is also known as CMI which stands for Centralised Management Infrastructure.

As an architecture DSC comprises the following component objects:

  1. Devices
  2. Device Groups
  3. Device Trust and Trust Domain
  4. Traffic Group
  5. Folders and Sub-folders

A device can be either a virtual or physical F5 unit with specific set of identification and connectivity properties. When configuring clustering, devices grouped into a Device Group. In a device group, devices authenticate each other using x509 certificates, forming a trust domain.

There are two types of Device Groups:

  • Sync-Only Device Group
    • Syncs configuration data only between devices within the same or different device groups
    • Supports a maximum of 32 devices
    • A default device_trust_group already exists on the system but not visible on the web GUI until version 11.6.x
    • Configuration is much simpler
Consider this ...
  • Sync-Failover Device Group
    • Syncs configuration data (actual configuration!) including failover objects (see below) between devices within the same device group
    • Supports a maximum of eight devices within the same device group
    • required for HA deployment

Few notes on membership …

  1. A particular device could belong simultaneously to a sync-only and a sync-failover group
  2. However, a device cannot belong to two different sync-failover groups
  3. Though it can belong to two different sync-only groups

A traffic-group, according to F5, is a collection of related configuration objects which together, process a particular type of traffic. These include  Self IPs, Virtual IPs, iApps, (S)NAT and VLANs objects.

  • A Local Traffic group – is local significant only; it has no scope beyond the device where it’s configured. A default local traffic group is created automatically during the initial setup wizard called traffic-group-local-only – it contains the non-floating self IPs associated to the external and internal VLANs.
A local traffic group cannot be manually created!
  • There is also floating traffic groups – as the name suggests, these can be automatically reassigned (float) between devices part of the same device-group. Objects which belong to a floating traffic group are called failover objects.

It is very important to first grasp the concept of traffic-groups in order to later, understand the difference between active-passive vs. active-active HA deployments.

Lastly, Folders and sub-folders allow you to filter configuration sections to be  sync’d between devices in  a granular fashion. You could for instance sync the entire root (all configuration for a specific traffic-group) or a specific folder only, or even sections of the configuration within a specific folder.

By default, the system automatically assigns the device groups to the root and /common folders are 


In order for clustering to work, the following must be true:

  1. Licensing and provisioning must match
  2. Software versions must also match
  3. Hardware specs must be identical for mirroring to work; not a requirement otherwise
  4. All devices must have unique management IPs
  5. NTP must be setup
  6. ConfigSync IP must be configured on all devices; a dedicated link is recommended
  7. Network Failover IP must be configured on all devices;
  8. Optional – configure Mirror IP should you need to sync real-time connection
  9. Make sure all devices can communicate over the following ports (mind your Firewalls!):
    • TCP/443 (SSL)
    • TCP/4353 (iQuery)
    • UDP/1026 (Network Failover)
    • TCP/1028 (Connection & Persistence Mirroring)
    • TCP/22 (SSH)


Thank you,

Rafael A. Couto Cabral • LinkedIn Profile
Cisco​ | F5 | VMware Certified • PRINCE2 Practitioner

Originally posted 2017-10-04 10:30:00.

Related Post

Comments are closed.