F5 Cluster (N+M) v1.0 - 副本ppt课件

F5Cluster(N+M)v1.0ppt课件LESSONOUTLINEN+M介绍最佳实践配置步骤Troubleshootingppt课件*V11-DeviceServiceClusters在设备组中同步配置简单的Active-Active部署手动自动同步提升扩展能力更高的设备利用率ppt课件WithDSCsyoustillhavetheabilitytocreatethetraditionalA/Spairwithmanualsyncing(althoughautomaticsyncingoffailovergroupsmaybeallowedinthefuture).DeploymentofA/ApairsisgreatlysimplifiedandeasiertomaintainthanunderolderversionsofBIG-IP.Theabilitytoscalebeyondapair.TheabilitytotakeadvantageofallBIG-IPdevicesinacluster,allowingforhigherdeviceutilizationandhighavailability.(considerisallthedevicesranabout20%withburstto40%,anydevicecouldhandlethefailoverofasingledeviceeasily)Andtheabilitytosynccommonconfigurationitems,suchasiApps,iRulesandSSLCertificatesetc,acrossmultipledevicegroups.(moreonthatlater)*V11–DSC基本逻辑ＤＳＣ最基本的逻辑是配置多个设备组和多个流量组设备组，设备组是能够支撑某个业务的设备的集群，该业务可以在这个设备组中进行配置同步或高可用切换流量组：流量组是某个或某些业务的组。该组为人工设定切换或自动切换的基本单位。每个流量组在特定的设备组中进行高可用，每个流量组都可以独立切换。从而实现Ｎ＋Ｍ，即：Ｎ台设备为主设备，Ｍ台设备为被设备。ppt课件WithDSCsyoustillhavetheabilitytocreatethetraditionalA/Spairwithmanualsyncing(althoughautomaticsyncingoffailovergroupsmaybeallowedinthefuture).DeploymentofA/ApairsisgreatlysimplifiedandeasiertomaintainthanunderolderversionsofBIG-IP.Theabilitytoscalebeyondapair.TheabilitytotakeadvantageofallBIG-IPdevicesinacluster,allowingforhigherdeviceutilizationandhighavailability.(considerisallthedevicesranabout20%withburstto40%,anydevicecouldhandlethefailoverofasingledeviceeasily)Andtheabilitytosynccommonconfigurationitems,suchasiApps,iRulesandSSLCertificatesetc,acrossmultipledevicegroups.(moreonthatlater)*什么是设备组（DeviceGroup）？设备组就是处于信任关系中的两台或多台BIG-IP设备，它们可共享资源并确保应用交付的高可用性。 两类设备组，即同步设备组(sync only)与同步故障切换设备组(sync‐failover)。 设备组将系统的冗余扩展为N+M模式，即可能为A/S, A/A, A/A/S,A/S/S,A/A/A/A,A/A/A/S,A/S/A/S等 支持v11平台：VIPRION、机架式或虚拟版本 配置设备组之前必须建立设备间的信任关系。设备同步组（sync only） 设备同步用于文件夹级别的配置对象同步； 对单个设备上的同步类型设备组的数目没有硬性限性 一个设备可以加入多个同步类型设备组中。 ISO、OPSWAT与QUOVA更新不能在组内同步设备同步组（sync only续）对设备进行分组，并建立它们间的信任关系（设备证书）1.有一台机器会作为Authority角色，它拥有dtca.crt；2.有可能有多台其他机器也为Authority的角色，这些Authority也拥证书，但没有私钥 3.所有剩下的其他机器都作为Non‐authority角色 4.所有的机器都有一张自己的dtdi.crt证书，这张证书是用于鉴别该设备的机器名；只要拥有dtca签发出来的证书的设备均可以加入到trust group中。 更改配置后，可以将更改在整组内同步Changetounit1through6,removethelast2*同步故障切换模式用于同步面向发生故障时整个设备配置。(替换HA高可用性)各成员必须是同一平台，并拥有相同的License许可。每台设备只允许一个同步故障切换组。避免应用服务的中断设备故障切换同步组(Fail-overSync)*F5Networks公司*Sync-only类型用于配置同步，例如GTM的配置同步。Sync-only类型支持8台设备。Sync-Failover类型用于高可用的切换，例如LTM的主备切换。Sync-Failover类型支持32台设备。设备组的两种类型应用场景*F5Networks公司*TrafficGroups是可以切换的VS、SNAT、NAT等的集合创建流量组，并指定应用到流量组中分配集群成员到流量组如果某个设备中没有活动的流量组，则该设备处于备机状态。如果设备出现故障，流量组迁移到集群中的另一台BIG-IP设备ppt课件Howdotrafficgroupswork?Trafficgroupsarecollectionsoflisteners,suchasvirtualservers,thatsupportanapplicationoraseriesofapplications.Let’ssaywehaveaDSCcomposedof3BIG-IPs.ThesedeviceshavealreadybeenconfiguredforHA,establishedtrustsandbeenassignedtothesamesync-failoverdevicegroup.Allourapplicationshavebeenbuiltonthefirstdevice.Anapplicationorapplicationsareplacedintoatrafficgroup,byassigningtheirsupportinglistenerstothattrafficgroup(Alistenerisavirtualserveraddress,SNATaddressorfloatingselfIPaddress,nextslide)WethendesignatewhichBIG-IPisresponsibleforwhichtrafficgroupInthiscaseweassigntwotrafficgroupsgreenandredtothemiddleBIG-IPThethirdBIG-IPhasnoactivetrafficgroupssoitisinSTANDBYmodeSowehaveanA-A-SsetupupIftheaclustermemberfailsallthetrafficgroupsonthefaileddevicemigratetoanotherBIG-IPThisBIG-IPischosenbasedoninternalmetrics*©F5Networks,Inc.*什么是流量组（Trafficgroup）？ 流量组就是一组floatingIP地址、虚拟地址与SNAT，它们可在BIG-IP设备组中的设备间漂移以维持高可用性。流量组-1默认设备：设备2流量组-2默认设备：设备1流量组-3默认设备：设备3流量组只有虚拟地址、floatingIP、NAT与SNAT地址转换可以加入流量组。一个虚拟地址、floatingIP、NAT与SNAT地址转换只能作为成员加入一个流量组。因此，一个应用程序不能同时在两个设备上处于活动状态。每个流量组均存在一个默认设备，即该流量组对象中的活动设备。在v11.3版本及之前版本，不能通过设置策略确定故障时切换到哪台设备，当故障切换事件发生时，流量组的接管概率是均匀分布的（通过流量组对每台设备的计数打分）。但是可以指定手动切换的接管顺序。V11.4之后可以指定在故障切换时的接管顺序。流量组-1默认设备：设备2流量组-2默认设备：设备1流量组-3默认设备：设备3流量组的类型 Active/Standby在配置过程中，创建一个同步故障切换设备组；所有流量对象（虚拟地址、floatingIP、NAT与SNAT地址转换)都将会分配到单个流量组中。ActiveDevice将被标记为默认设备。流量组类型（续） Active/Active创建第二个流量组将流量对象设定到新流量组中，请确保所有与应用程序有关联的流量对象都加入了同一流量组将默认设备设置为设备2流量组类型（续） Active/Active/Standby在授权设备1与设备3间建立设备间的信任关系将设备3添加到设备组中相应地调整流量组成员和默认设备（例如Traffic1和2的默认设备设为device1，traffic3的默认设备设为device3） Takeouttrafficgroup2*LESSONOUTLINE目录N+M介绍最佳实践配置步骤Troubleshootingppt课件*多活模式最佳实践根据实际情况和各用户的情况来看，建议采用3+1或4+2的模式。根据需要建议把所有业务分为N类，每类业务运行在一台F5设备。切换顺序，建议前两个顺序手动设置，后面的顺序自动选择。 双活模式建议DC1DC2APP1APP2ActiveAPP2APP1ActiveLESSONOUTLINE目录N+M介绍最佳实践配置步骤Troubleshootingppt课件*前期准备 NTP设置。 确认设备软件版本一致。 确认设备license一致。 设备mgmt地址，掩码，路由。 当然设备TMOS必须得是v11.x,且版本一样。 确保用于同步的Vlan的PortLockdown选项不为AllowNone。V11的PortLockdown默认为AllowNone。DSCdeplomentworksheetDevicesinadevicegroupmustmatchascloselyaspossiblewithrespecttoproductlicensingandmoduleprovisioning.但是我在搭建环境测试发现provisioning一样，但license不一样也不行。*基础信息确认方法*设备DSC基础配置（每台设备分别配置）设备ConfigSync地址：*设备DSC基础配置设备failover地址：所指定的FailoverIP地址必须属于routedomain0。设备DSC基础配置设备Mirror地址：只能做TCP和UDP的mirror,不支持不同硬件平台之间mirror，最大可以mirror15台设备。MirroringusedTCPport1028.TheBIG-IPsystemmanagesconnectionmirroringatthetrafficgrouplevel.Note: TheBIG-IPsystemcanmirrorconnectionsforasmanyas15activetrafficgroupssimultaneously同时.*配置peerlist通过此选项把多台远程设备加入到localtrustdomain。DeviceIPAddress:建议配置DeviceConnectivity中配置的地址AdministratorUsername:adminAdministratorPassword:adminpasswordNote:AnyBIG-IPdevicesthatyouintendtoaddtoadevicegroupatalaterpointmustbemembersofthesamelocaltrustdomain.AdeviceinthetrustdomaincanbeamemberofbothaSync-FailovergroupandaSync-Onlygroupsimultaneously.AspecificBIG-IPdeviceinatrustdomaincanbelongtooneSync-Failoverdevicegrouponly.Adeviceinatrustdomaincanbeamemberofmorethanonesync-onlydevicegroup,AdevicecanalsobeamemberaSync-FailovergroupandaSync-onlygroupsimultaneously.*查看设备状态把多台设备加入到localtrustdomain后可以通过DeviceList看到这些设备的信息。点击设备名称还可以看到每个设备具体的license，SN，timezone等。。CreateDeviceGroupsSync-FailoverTypeSync-onlyTypeSync-failover比Sync-only只多一个Networkfailover。ThedevicegroupassignedtoafoldermustcontainthelocalBIG-IPdevice.Also，youcannotremovethelocalBIG-IPdevicefromtheSync-Failoverdevicegroupassignedtoafolder.*DeviceGroup配置选项说明 名称 含义 Name Devicegroup名称 Description 注释 GroupType Devicegroup类型，sync-only或者sync-failover Members 添加属于此Devicegroup的成员，前提是先要在peerlist中添加 NetworkFailover 是否对此Devicegroup的设备进行NetworkFailover AutomaticSync 是否让设备间进行自动同步。 FullSync 是全局同步还是增量同步，默认不勾选为增量同步。 MaximumIncrementalSyncSize(KB) 默认值为1024KB，增量最大到1024k，如果增量的配置超过1024k,自动变为fullsync。*CreateTrafficGroupAutofailbacktimeout选项生效后，手动把一个设备forcetostandby不会failback。把设备offline在online后会failback。*TrafficGroup配置选项说明只有当配置了FailoverOrder时，Auto-failback才能生效，如果配置failoverorder，且failoverorder中没有available设备时，才会执行HALoadFactor（load-aware）。 名称 含义 Name Trafficgroup名称 Description 注释 HALoadFactor 设备的负载值，用于load-aware MACMasqueradeAddress 创建虚拟MAC欺骗地址 AutoFailback 是否进行自动回切。如果auto-failback开启，但是在FailoverOrderlist中firstdevice是unavailable，不会进行auto-failback行为。 AutoFailbackTimeout 可以设置的值为0-300秒，默认是60秒，为了保障mirror工作正常，建议设置为40-60秒。 FailoverOrder 指定切换顺序，如果下一个为unavailable，跳过此设备，直到切换到available设备。Autofailbacktimeout选项生效后，手动把一个设备forcetostandby不会failback。把设备offline在online后会failback。AutoFailback是与failoveorder紧密相关的。勾选autofailbackfailover列必须有东西。Youcanenableauto-failbackonlywhenyouconfiguretheFailoverOrdersetting.Thissettingisoptional.OnlydevicesthataremembersoftherelevantSync-Failoverdevicegroupareavailableforinclusionintheorderedlist.Ifauto-failbackisenabledandthefirstdeviceinthe FailoverOrder listisunavailable,noauto-failbackoccursandthetrafficgroupcontinuestorunonthecurrentdevice.Also,ifnoneofthedevicesinthelistiscurrentlyavailablewhenfailoveroccurs,theBIG-IPsystemignoresthe FailoverOrder settingandperformsload-awarefailoverinstead,usingthe HALoadFactor setting.Avalueof40to60secondsallowsforstatemirroringinformationtobere-mirroredfortrafficgroups.*LESSONOUTLINE目录N+M介绍最佳实践配置步骤Troubleshootingppt课件*Troubleshooting 当cluster发生问题的时候，Troubleshooting步骤为：1、排查所有devicegroup成员的各种同步是否正确（ConfigSyncoperation)。2、排查DeviceServiceClustering。如果同步错误，BIG-IP会产生同步状态信息，可以通过这些信息来排查错误。Troubleshooting*1.ConfigSyncoperation 1.1确定DSC/ConfigSync的基本元素： Requirement Description GUIlocation tmsh Licensing/provisioning Devicesinadevicegroupmustmatchascloselyaspossiblewithrespecttoproductlicensingandmoduleprovisioning. System >License tmshshow/syslicensetmshshow/sysprovision Softwareversions ThedevicegroupmembersmustrunthesameBIG-IPsoftwareversion. System >SoftwareManagement tmshshow/syssoftware ManagementIP EachdevicemusthaveauniquemgmtIPaddress,anetmask,andamgmtroute. System >Platform list/sysmanagement-iplist/sysmanagement-route NTP NTPisrequiredforalldevicegroupmembers. System >Configuration> Device > NTP tmshlist/sysntpservers ConfigSyncIP TheselfIPaddressesusedforConfigSyncmustbedefinedandberoutablebetweendevicegroupmembers.F5recommendsthattheaddressesresideonadedicatedHAVLAN. DeviceManagement >Devices tmshlist/cmdevice<device>configsync-ip FailoverIP TheselfIPaddressesusedforfailovermustbedefinedandroutablebetweendevicegroupmembers(forsync-failoverdevicegroups). DeviceManagement >Devices tmshlist/cmdevice<device>unicast-address Ports Thedevicegroupmembersshouldbeabletocommunicateoverports443,4353,1026(UDP),and22(recommended). N/A N/A Devicetrust Devicetrustmustbeestablishedfordevicegroupmembers. DeviceManagement >DeviceTrust tmshshow/cmdevice-groupdevice_trust_group1.ConfigSyncoperation 1.2确定commitID：运行tmsh命令：tmshrun/cmwatch-devicegroup-device在每台设备上执行上述命令，查看结果中的cid.id是否相同，如果不同，则说明某台设备缺少了最新的配置，则进行下一步的强制同步。1.ConfigSyncoperation 1.3验证配置同步操作：通过GUI，DeviceManagementOverviewDevices，选择上一步看到的cid.id最大的设备，进行强制配置同步或者运行tmsh命令：tmshrun/cmconfig-syncto-group<device_group>tmshrun/cmconfig-syncfrom-group<device_group>1.ConfigSyncoperation 1.4确定同步状态：通过GUI，DeviceManagementOverview：或者运行tmsh命令：tmshshow/cmsync-status1.ConfigSyncoperation 1.5DeviceGroup同步状态信息说明（一）： SyncStatus Summary Details Recommendation AwaitingInitialSync ThedevicegroupisawaitingtheinitialConfigSync Thedevicegroupwasrecentlycreatedandhaseithernotyetmadeaninitialsync,orthedevicehasnoconfigurationchangestobesynced. Synconeofthedevicestothegroup AwaitingInitialSync hostname-1,hostname-2,etc.awaitingtheinitialconfigsync Oneormoredevicegroupmemberhaseithernotyetsynchronizeditsdatatothedevicegroupmembersorhasnotyetreceivedasyncfromothermember. Syncthedevicewiththemostcurrentconfigurationtothesyncgroup ChangesPending ChangesPending Oneormoredevicegroupmemberhasrecentconfigurationchangesthathavenotyetbeensynchronizedtotheothermembersofthedevicegroup. Syncthedevicewiththemostcurrentconfigurationtothesyncgroup ChangesPending Thereisapossiblechangeconflictbetweenhostname-1,hostname-2,etc. Thereisapossibleconflictamongtwoormoredevicesbecausemorethanonedevicecontainschangesthathavenotbeensynchronizedtothedevicegroup. Viewtheindividualsyncstatusofeachdevicegroupmember,andthensyncthedevicewiththemostcurrentconfigurationtothedevicegroup NotAllDevicesSynced hostname-1,hostname-2,etc.didnotreceivelastsyncsuccessfully Oneormoreofthedevicesinthedevicegroupdoesnotcontainthemostcurrentconfiguration. Viewtheindividualsyncstatusofeachdevicegroupmember,andthensyncthedevicewiththemostcurrentconfigurationtothedevicegroup1.ConfigSyncoperation 1.5DeviceGroup同步状态信息说明（二）： SyncStatus Summary Details Recommendation SyncFailure Avalidationerroroccurredwhilesyncingtoaremotedevice Thedevicewasunabletoacceptasyncduetoavalidationerror. Reviewthe /var/log/ltm logfileontheaffecteddevice Unknown Thelocaldeviceisnotamemberoftheselecteddevicegroup Thedevicethatyouareloggedintoisnotamemberoftheselecteddevicegroup. Addthelocaldevicetothedevicegroup Unknown Notloggedintotheprimaryclustermember Thesystemcannotdeterminethesyncstatusofthedevicegroupbecauseyouareloggedintoasecondaryclustermemberinsteadoftheprimaryclustermember.PertainstoVIPRIONsystemsonly. Logintotheprimaryclustermember,usingtheprimaryclusterIPaddress Unknown Errorintrustdomain Thetrustrelationshipsamongdevicesinthedevicegrouparenotproperlyestablished. Onthelocaldevice,resetdevicetrustandthenre-addallrelevantdevicestothelocaltrustdomain None XdeviceswithYdifferentconfigurations Theconfigurationtimefortwoormoredevicesinthedevicegroupdiffersfromtheconfigurationtimeoftheotherdevicegroupmembers.Thisconditioncausesoneofthesestatusmessagestoappearforeachrelevantdevice:Device_nameawaitinginitialconfigsyncDevice_namemadelastconfigurationchangeondate_time Syncthedevicewiththemostcurrentconfigurationtothesyncgroup1.ConfigSyncoperation 1.6Device同步状态信息说明（一）： SyncStatus Summary Recommendation AwaitingInitialSync ThelocaldeviceisawaitingtheinitialConfigSync.Thedevicehasnotyetreceivedasyncfromanotherdeviceandhasnoconfigurationchangestobesyncedtoothermembersofthedevicegroup. Determinewhatdevicehasthelatest/desiredconfigurationandperformaConfigSyncfromthedevice ChangesPending Thedevicehasrecentconfigurationchangesthathavenotyetbeensynchronizedtotheothermembersofthedevicegroup. Synchronizethedevicetothegroup AwaitingInitialSyncwithChangesPending Theconfigurationonthedevicehaschangedsincejoiningthedevicegroup,orthedevicehasnotreceivedasyncfromanotherdevicebuthasconfigurationchangestobesyncedtoothermembersofthedevicegroup. Determinethedevicewiththelatest/desiredconfigurationandperformaConfigSyncfromthedevice Doesnothavethelastsyncedconfiguration,andhaschangespending Thedevicereceivedatleastonesyncpreviouslybutdidnotreceivethelastsyncedconfiguration,andtheconfigurationonthedevicehaschangedsincethelastsync. Determinethedevicewiththelatest/desiredconfigurationandperformaConfigSyncfromthedevice1.ConfigSyncoperation 1.6Device同步状态信息说明（二）： SyncStatus Summary Recommendation Disconnected TheiQuerycommunicationchannelbetweenthedeviceswasterminatedordisrupted.Thismaybearesultofoneofthefollowing:*Thedisconnecteddeviceisnotamemberofthelocaltrustdomain*Thedisconnecteddevicedoesnothavenetworkaccesstooneormoredevicegroupmembers *Jointhedisconnecteddevicetothelocaltrustdomain*VerifythatthedeviceshavenetworkaccessusingtheConfigSyncIPaddresses Devicedoesnotrecognizemembershipinthisgroup Thelocaldevicedoesnotrecognizethatitisamemberofthedevicegroup. Addthedevicetothedevicegroup Noconfigsyncaddresshasbeenspecifiedforthisdevice ThedevicedoesnothaveaConfigSyncaddress. ConfigureaConfigSyncIPaddressforthedevice Doesnothavethelastsyncedconfiguration Thedevicepreviouslyreceivedtheconfigurationfromothermembersofthedevicegroupbutdidnotreceivethelastsyncedconfiguration. PerformaConfigSyncoperationwhichsyncsthegrouptothelocaldevice1.ConfigSyncoperation 1.7确定log信息：运行linux命令：查看 /var/log/ltm 文件：cat/var/log/ltm查看有关DSC/CMI的信息：grep-icmi/var/log/ltm查看有关ConfigSync的信息：grep-iconfigsync/var/log/ltm2.DeviceServiceClustering 2.1确定devicetrust状态：运行tmsh命令：tmshshow/cmdevice-groupdevice_trust_group2.DeviceServiceClustering 2.1确定devicetrust状态：运行tmsh命令：tmshshow/cmdevice-groupdevice_trust_group2.DeviceServiceClustering 2.2确定devicegroup成员的同步时间：运行linux命令：date;tmshlist/sysntp在每台设备上运行该命令，确认每台设备的时间2.DeviceServiceClustering 2.3确认设备同步的地址：确认同步地址：tmshlist/cmdeviceconfigsync-ip确认网络连通性：ping<remote_configsync-ip>确认进程信息：netstat-pan|grep-E6699确认DSC同步状态信息：run/cmsniff-updates在每台设备上运行该命令，确认每台设备的时间2.DeviceServiceClustering 2.4确认守护进程信息：DSC需要下列守护进程：devmgmtd:Responsibleforestablishing/maintainingdevicegroupfunctionalitymcpd:Allows userland daemonstocommunicatewithtmmsod:Providesfailoverandrestartcapabilitytmm:Performstrafficmanagementforthesystem使用命令确认其信息：bigstartstatusdevmgmtdmcpdsodtmm2.DeviceServiceClustering 2.5重新设置Devicetrust关系（一）：通过GUI，DeviceManagementDeviceTrustLocalDomainResetDeviceTrust：2.DeviceServiceClustering 2.5重新设置Devicetrust关系（二）：通过GUI，DeviceManagementDeviceTrustPeerListAdd，重新建立trust关系：2.DeviceServiceClustering 2.6重新设置所有devicetrust关系：分别登陆各台设备，重建所有设备的trust关系Troubleshooting工具：最后提供部分Troubleshooting工具，可以查看需要的信息：使用方法：tmshrun/cmsniff-updatestmshrun/cmwatch-devicegroup-devicetmshrun/cmwatch-sys-devicetmshrun/cmwatch-trafficgroup-deviceppt课件*WithDSCsyoustillhavetheabilitytocreatethetraditionalA/Spairwithmanualsyncing(althoughautomaticsyncingoffailovergroupsmaybeallowedinthefuture).DeploymentofA/ApairsisgreatlysimplifiedandeasiertomaintainthanunderolderversionsofBIG-IP.Theabilitytoscalebeyondapair.TheabilitytotakeadvantageofallBIG-IPdevicesinacluster,allowingforhigherdeviceutilizationandhighavailability.(considerisallthedevicesranabout20%withburstto40%,anydevicecouldhandlethefailoverofasingledeviceeasily)Andtheabilitytosynccommonconfigurationitems,suchasiApps,iRulesandSSLCertificatesetc,acrossmultipledevicegroups.(moreonthatlater)*WithDSCsyoustillhavetheabilitytocreatethetraditionalA/Spairwithmanualsyncing(althoughautomaticsyncingoffailovergroupsmaybeallowedinthefuture).DeploymentofA/ApairsisgreatlysimplifiedandeasiertomaintainthanunderolderversionsofBIG-IP.Theabilitytoscalebeyondapair.TheabilitytotakeadvantageofallBIG-IPdevicesinacluster,allowingforhigherdeviceutilizationandhighavailability.(considerisallthedevicesranabout20%withburstto40%,anydevicecouldhandlethefailoverofasingledeviceeasily)Andtheabilitytosynccommonconfigurationitems,suchasiApps,iRulesandSSLCertificatesetc,acrossmultipledevicegroups.(moreonthatlater)*Changetounit1through6,removethelast2**F5Networks公司**F5Networks公司*Howdotrafficgroupswork?Trafficgroupsarecollectionsoflisteners,suchasvirtualservers,thatsupportanapplicationoraseriesofapplications.Let’ssaywehaveaDSCcomposedof3BIG-IPs.ThesedeviceshavealreadybeenconfiguredforHA,establishedtrustsandbeenassignedtothesamesync-failoverdevicegroup.Allourapplicationshavebeenbuiltonthefirstdevice.Anapplicationorapplicationsareplacedintoatrafficgroup,byassigningtheirsupportinglistenerstothattrafficgroup(Alistenerisavirtualserveraddress,SNATaddressorfloatingselfIPaddress,nextslide)WethendesignatewhichBIG-IPisresponsibleforwhichtrafficgroupInthiscaseweassigntwotrafficgroupsgreenandredtothemiddleBIG-IPThethirdBIG-IPhasnoactivetrafficgroupssoitisinSTANDBYmodeSowehaveanA-A-SsetupupIftheaclustermemberfailsallthetrafficgroupsonthefaileddevicemigratetoanotherBIG-IPThisBIG-IPischosenbasedoninternalmetrics*©F5Networks,Inc.*Takeouttrafficgroup2***V11的PortLockdown默认为AllowNone。DSCdeplomentworksheetDevicesinadevicegroupmustmatchascloselyaspossiblewithrespecttoproductlicensingandmoduleprovisioning.但是我在搭建环境测试发现provisioning一样，但license不一样也不行。***MirroringusedTCPport1028.TheBIG-IPsystemmanagesconnectionmirroringatthetrafficgrouplevel.Note: TheBIG-IPsystemcanmirrorconnectionsforasmanyas15activetrafficgroupssimultaneously同时.*Note:AnyBIG-IPdevicesthatyouintendtoaddtoadevicegroupatalaterpointmustbemembersofthesamelocaltrustdomain.AdeviceinthetrustdomaincanbeamemberofbothaSync-FailovergroupandaSync-Onlygroupsimultaneously.AspecificBIG-IPdeviceinatrustdomaincanbelongtooneSync-Failoverdevicegrouponly.Adeviceinatrustdomaincanbeamemberofmorethanonesync-onlydevicegroup,AdevicecanalsobeamemberaSync-FailovergroupandaSync-onlygroupsimultaneously.*ThedevicegroupassignedtoafoldermustcontainthelocalBIG-IPdevice.Also，youcannotremovethelocalBIG-IPdevicefromtheSync-Failoverdevicegroupassignedtoafolder.**Autofailbacktimeout选项生效后，手动把一个设备forcetostandby不会failback。把设备offline在online后会failback。*Autofailbacktimeout选项生效后，手动把一个设备forcetostandby不会failback。把设备offline在online后会failback。AutoFailback是与failoveorder紧密相关的。勾选autofailbackfailover列表必须有东西。Youcanenableauto-failbackonlywhenyouconfiguretheFailoverOrdersetting.Thissettingisoptional.OnlydevicesthataremembersoftherelevantSync-Failoverdevicegroupareavailableforinclusionintheorderedlist.Ifauto-failbackisenabledandthefirstdeviceinthe FailoverOrder listisunavailable,noauto-failbackoccursandthetrafficgroupcontinuestorunonthecurrentdevice.Also,ifnoneofthedevicesinthelistiscurrentlyavailablewhenfailoveroccurs,theBIG-IPsystemignoresthe FailoverOrder settingandperformsload-awarefailoverinstead,usingthe HALoadFactor setting.Avalueof40to60secondsallowsforstatemirroringinformationtobere-mirroredfortrafficgroups.**Troubleshooting*