<\/span><\/h3>\nWith an Active-Active based deployment traffic is processed by both devices. This is achieved via 2 Traffic Groups, (based on the example below) one Traffic Group is placed as active on Node 1 and the other as active on Node 2. Your failover objects are then assigned to either of the traffic groups, i.e Virtual Server A in traffic group 1 and then Virtual Server B in Traffic Group 2.<\/p>\n
This results in Node 1 processing traffic for Virtual Server A, and Node 2 processing traffic for Virtual Server B.<\/p>\n
Note : It is important to ensure that both nodes are running under 50% capacity. This ensures if either of the devices fail then at the point all traffic is processed by the single node that the devices capacity is not reached.<\/em><\/p>\n <\/p>\n
<\/picture><\/p>\n <\/p>\n
\n
\n
<\/span>Configuration<\/span><\/h2>\nThe first step in configuring DSC is to configure a Trust Domain. Then we configure the traffic groups for either a active-active or active-standby deployment.<\/div>\n
<\/span>Device Trust<\/span><\/h4>\n\nGoto ‘Device Management’ \/ ‘Device Trust’ \/ ‘Peer List’.<\/li>\n Click ‘Add’.<\/li>\n Enter the IP and credentials of the peer device.<\/li>\n Click ‘Retrieve Device Information’<\/li>\n<\/ol>\n<\/span>Device Group<\/span><\/h4>\n\nGoto ‘Device Management’ \/ ‘Device Groups’.<\/li>\n Click ‘Create’.<\/li>\n Enter name, select ‘Sync-Failover’ as the ‘Group Type’, and then add all devices to the ‘Included’ members list.<\/li>\n Enable ‘Network Failover’.<\/li>\n<\/ol>\n<\/div>\n\n
<\/span>Synchronize<\/span><\/h4>\n<\/div>\n\nGoto ‘Device Management’ \/ ‘Overview’.<\/li>\n Click ‘Sync Device to Group’.<\/li>\n Click ‘Sync’.<\/li>\n Wait for the Sync Status of both devices to turn green.<\/li>\n<\/ol>\nNote : To configure the IP used for ConfigSync and Mirroring, along with the the IP, VLAN and Port for Network Failover go to ‘Device Management’ \/ ‘Devices’ \/ ‘<DEVICE NAME>’ \/ Device Connectivity.<\/em><\/div>\n\u00a0<\/em><\/div>\n\n
<\/span>Active-Standby<\/span><\/h3>\nOnce the trust domain is configured the floating IP for each VLAN needs to be configured.<\/p>\n
<\/span>Assign Traffic Group 1<\/span><\/h4>\n<\/div>\n<\/div>\n\nGoto ‘Network’ \/ ‘Self IPs’.<\/li>\n Create a floating Self IP for each VLAN (i.e Internal and External).<\/li>\n For each self IP created configure the ‘Traffic Group’ as ‘traffic-group1-floating’.<\/li>\n<\/ol>\nIn this example we will only be using a single Traffic Group, because of this any virtual servers that are created will be placed into the default (single traffic group).<\/p>\n
Note : Should you require MAC Masquerading, a single traffic group can still be used. However this will result in the same MAC address being advertised for all Self-IPs within the traffic group which may complicate future troubleshooting.<\/em><\/p>\n<\/span>Active-Active<\/span><\/h3>\nOnce the trust domain is configured the floating IP for each VLAN needs to be configured. Once done an additional traffic group is also created.<\/p>\n
<\/span>Assign Traffic Group 1<\/span><\/h4>\n\nGoto ‘Network’ \/ ‘Self IPs’.<\/li>\n Create a floating Self IP for each VLAN (i.e Internal and External).<\/li>\n For each self IP created configure the ‘Traffic Group’ as ‘traffic-group1-floating’.<\/li>\n<\/ol>\n<\/span>Create Traffic Group 2<\/span><\/h4>\n\nGoto ‘Device Management’ \/ ‘Traffic Groups’.<\/li>\n Create a new Traffic Group called ‘traffic-group-2’ using all the default settings.<\/li>\n<\/ol>\n<\/span>Demote Traffic Group 2<\/span><\/h4>\n\nSelect ‘traffic-group-2’ from the list and select ‘Force to Standby’.<\/li>\n<\/ol>\nThe traffic group list will now show your current device running 1 traffic group as active and 1 traffic group as standby.<\/p>\n
<\/span>Assign Traffic Group 2<\/span><\/h4>\n\nVia ‘Local Traffic \/ Virtual Servers \/ Virtual Address List’ select the Virtual Server that you want to assign to ‘traffic-group-2’.<\/li>\n Via ‘Local Traffic \/ Virtual Servers \/ Virtual Server List’ select your Virtual Server. Within the traffic group section select ‘traffic-group-2’.<\/li>\n<\/ol>\n<\/span>Enable SNAT<\/span><\/h4>\n\nUnder ‘Source Address Translation’ select Automap*.<\/li>\n<\/ol>\nOnce complete the default traffic-group will be active on one node and traffic-group-2 will be active on the node.<\/p>\n
*As the SelfIP is assigned to traffic-group-1 without Automap the traffic would be sent through the wrong device.<\/p>\n
<\/span>VE Issues<\/strong><\/span><\/h2>\nWhen configuring DSC on Virtual LTMs (when using the steps above)\u00a0 you may find that both sides show as disconnected. I have only found this in the lab for VE devices on both v11.4 and v11.5.<\/p>\n
To resolve this you will need to change each of the devices certificates to a self-signed certificate and also perform the steps in a slighty different order.<\/p>\n
<\/span>Steps<\/span><\/h3>\nBelow provides a summary of the required steps.<\/p>\n
\nGenerate new self signed cert<\/strong> for each device – Goto Device Management \/ Device Trust \/ Local Domain. Select \u201cGenerate New Self-Sign Authority\u201d.<\/li>\nCreate Sync Interfac<\/strong>e – Create a new VLAN that will be used for synchronization, mirroring, and network failover on both devices.<\/li>\nConfigure ConfigSync\/Mirroring<\/strong> – Configure the interfaces that will be used for mirroring, config sync and network failover on both devices.<\/li>\nConfigure Device Group<\/strong> – Create a Sync-Failover device group on Node 1 and only add local device. Enable Network Failover.<\/li>\nConfigure Trust<\/strong> – On Node 1 configure\u00a0 the Trust Domain.<\/li>\nUpdate Device Group<\/strong> – On Node 1 add the remote peer to the device group.<\/li>\nTraffic Group Assignment<\/strong> – Assign the traffic groups accordingly.<\/li>\nSynchronize<\/strong> – One Node 1 perform an initial synchronization via Sync Device to Group in “Device Management’ \/ ‘Overview”.<\/li>\n<\/ol>\n<\/span>Troubleshooting<\/span><\/h2>\n