First of all we need to make sure that:
- Our license is valid
GUI - System ›› License
CLI - show /sys license
- Date and time are synced
GUI - System ›› Configuration ›› Device ›› NTP
CLI - tmsh list /sys ntp servers, ntpq -np or date to check, or date -s "Day Month Year HH:mm:ss" to set
- Both devices have a VLAN for the sync; ideally it is a point-to-point link connected directly between the two devices
Layer 2 - Network ›› VLAN ›› Create
CLI > tmsh create net vlan Sync interfaces add { 1.1 }
Layer 3 - Network ›› Self IPs ›› Create
CLI > tmsh create net self Sync vlan Sync allow-service default address 1.1.1.1/30
An important note here is the "Port Lockdown" setting - make sure not to use "Allow None", as it will block the sync traffic between the devices. Other than that, only the IP/subnet configuration is needed.
Append the P2P link to the cluster mechanism - Device Management ›› Devices ›› <DEVICE_NAME> ›› Device Connectivity
ConfigSync (the interface used for synchronizing the configuration between the devices)
Failover:
**It is highly recommended to use a "real" network VLAN (one that actually carries traffic) for the failover interface; this way a problem with the VLAN that is actually used for traffic will cause a failover.
Mirroring (the interface used to synchronize connection tables between the devices):
CLI > tmsh modify cm device <Device_Name> configsync-ip 1.1.1.1 mirror-ip 1.1.1.1 unicast-address { { effective-ip 1.1.1.1 effective-port cap ip 1.1.1.1 } }
I like to reset the device trust prior to configuring the cluster, so that any leftovers of a previous config are cleared and the local certificate is regenerated.
To do so - Device Management ›› Device Trust ›› Reset Device Trust
At this point we are done with the preparations.
From one of the devices go to - Device Management ›› Device Trust : Peer List ›› Create
I like using the P2P IPs, but it is an identifier only, so the management IPs are fine as well.
After clicking "Retrieve Device Information" we should get the 2nd device's certificate, IP and a couple more details.
To make sure connectivity is correct, go to Device Management ›› Devices
In case of a problem one of the devices will be red (disconnected), in which case check the steps above.
Next group the devices - Device Management ›› Device Groups
CLI - tmsh create cm device-group sync-fail devices add { <Device_Names> } network-failover enabled
The Type should be Sync-Failover and both devices are selected.
Now one of the devices will become standby (if not - check the steps above)
Now all we have to do is initiate a sync between the devices - Device Management ›› Overview ›› Sync
CLI - run cm config-sync to-group sync-fail
Select the device containing the newest configuration, select "Sync Device to Group" and click "Sync"
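The whole preparation and cluster sequence above, rendered per device and sanity-checked before anything is typed in, as an added example that is not part of the original post and not F5 code. Device names, interface and sync addresses are constructed placeholders; the tmsh syntax is copied from the commands above, and the check assumes the "Port Lockdown" value that blocks sync is the tmsh allow-service value `none`:

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    name: str                       # cm device name (Device Management >> Devices)
    interface: str                  # interface on the point-to-point sync link
    sync_ip: str                    # self IP on the Sync VLAN, CIDR notation
    port_lockdown: str = "default"  # tmsh allow-service value: default / all / none


# Constructed sample inventory (placeholder names and addresses, not a real cluster)
PEER_A = Peer("bigip-a.example.lab", "1.1", "1.1.1.1/30")
PEER_B = Peer("bigip-b.example.lab", "1.1", "1.1.1.2/30")

# Assumption: "Allow None" in the GUI corresponds to allow-service none in tmsh
PORT_LOCKDOWN_BLOCKS_SYNC = {"none"}


def check_peers(a: Peer, b: Peer) -> list[str]:
    """Return the problems that would break ConfigSync / failover on this link."""
    problems: list[str] = []
    ia = ipaddress.ip_interface(a.sync_ip)
    ib = ipaddress.ip_interface(b.sync_ip)
    if ia.network != ib.network:
        problems.append(f"sync self IPs are not in the same subnet: {ia} vs {ib}")
    if ia.ip == ib.ip:
        problems.append(f"both peers use the same sync IP {ia.ip}")
    for p, iface in ((a, ia), (b, ib)):
        # network / broadcast address of the /30 is not a usable host address
        if iface.ip not in iface.network.hosts():
            problems.append(f"{p.name}: {iface.ip} is not a host address in {iface.network}")
        if p.port_lockdown in PORT_LOCKDOWN_BLOCKS_SYNC:
            problems.append(f"{p.name}: port lockdown '{p.port_lockdown}' blocks sync traffic")
    return problems


def device_commands(local: Peer) -> list[str]:
    """Commands to run on each device, in the order of the steps above."""
    ip = str(ipaddress.ip_interface(local.sync_ip).ip)
    return [
        f"tmsh create net vlan Sync interfaces add {{ {local.interface} }}",
        f"tmsh create net self Sync vlan Sync allow-service {local.port_lockdown} "
        f"address {local.sync_ip}",
        f"tmsh modify cm device {local.name} configsync-ip {ip} mirror-ip {ip} "
        f"unicast-address {{ {{ effective-ip {ip} effective-port cap ip {ip} }} }}",
    ]


def cluster_commands(local: Peer, peer: Peer, group: str = "sync-fail") -> list[str]:
    """Commands run once, from the device holding the newest configuration,
    after device trust has been established in the GUI."""
    return [
        f"tmsh create cm device-group {group} devices add {{ {local.name} {peer.name} }} "
        f"network-failover enabled",
        f"tmsh run cm config-sync to-group {group}",
    ]


if __name__ == "__main__":
    issues = check_peers(PEER_A, PEER_B)
    if issues:
        raise SystemExit("fix before clustering:\n  " + "\n  ".join(issues))
    for dev in (PEER_A, PEER_B):
        print(f"# on {dev.name}")
        print("\n".join(device_commands(dev)))
    print(f"# on {PEER_A.name} only, after trust is established")
    print("\n".join(cluster_commands(PEER_A, PEER_B)))
```

Running it with one peer set to `port_lockdown="none"` stops before printing anything, which is the failure mode the port lockdown note above warns about; the same check catches a fat-fingered /30 where the two self IPs do not share a subnet.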
I like to create a more proactive configuration by adding a pool consisting of a couple of servers (representing the LAN) and the ISP/FW (representing the WAN). As long as this pool is up we know the device has both LAN and WAN connectivity; if the pool fails, the F5 has lost WAN/LAN access and we need to fail over.
Then add the pool as a trigger for a failover - System ›› High Availability
CLI - create sys ha-group HA active-bonus 0 enabled pools add { <Pool_Name> { weight 80 } }
*The device with the highest weight (HA score) will become active
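How the pool weight turns into a failover decision, as an added example that is not part of the original post. The scoring rule it implements is an assumption about BIG-IP HA groups (a pool contributes weight × up members / total members, or its full weight once a threshold of members is up; the active unit adds active-bonus; the higher score wins, ties keep the current active). The device names, the three-member LAN/WAN reachability pool and the sequence of events are constructed:

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class PoolState:
    name: str
    weight: int            # the weight given in the HA group, 80 above
    members_up: int
    members_total: int
    threshold: int = 0     # 0 = proportional scoring (assumption: blank Threshold in the GUI)

    def score(self) -> float:
        """Assumed HA-group contribution of this pool."""
        if self.members_total == 0:
            return 0.0
        if self.threshold > 0:
            return float(self.weight) if self.members_up >= self.threshold else 0.0
        return self.weight * self.members_up / self.members_total


@dataclass
class Device:
    name: str
    pools: list[PoolState]
    active_bonus: int = 0  # active-bonus 0 as in the command above: no stickiness

    def score(self, is_active: bool) -> float:
        return sum(p.score() for p in self.pools) + (self.active_bonus if is_active else 0)


def elect_active(a: Device, b: Device, current_active: str) -> str:
    """Name of the device that should be active after comparing HA scores."""
    score_a = a.score(a.name == current_active)
    score_b = b.score(b.name == current_active)
    if score_a == score_b:
        return current_active          # tie: nothing changes
    return a.name if score_a > score_b else b.name


def simulate() -> list[tuple[str, str]]:
    """Walk the constructed cluster through a WAN reachability loss on the active unit.
    Pool: two LAN servers plus the ISP/FW gateway, weight 80, monitored from each device."""
    a = Device("bigip-a", [PoolState("lan-wan-reach", 80, 3, 3)])
    b = Device("bigip-b", [PoolState("lan-wan-reach", 80, 3, 3)])
    timeline: list[tuple[str, str]] = []

    active = elect_active(a, b, "bigip-a")
    timeline.append(("all members up on both units", active))   # 80 vs 80, bigip-a stays

    a.pools[0].members_up = 2    # the FW/ISP member stops answering bigip-a's monitor
    active = elect_active(a, b, active)
    timeline.append(("bigip-a loses the WAN member", active))    # 53.3 vs 80, bigip-b takes over

    a.pools[0].members_up = 3    # bigip-a regains WAN reachability
    active = elect_active(a, b, active)
    timeline.append(("bigip-a recovers", active))                # 80 vs 80, bigip-b stays active
    return timeline


if __name__ == "__main__":
    for event, who in simulate():
        print(f"{event:40s} -> active: {who}")
```

Two things the run makes visible: with active-bonus 0 the recovered unit does not preempt (the tie keeps bigip-b active), and a threshold changes the pool from a sliding score to an all-or-nothing trigger, so losing one of three members only fails over if the threshold is set to 3.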