Forum Discussion

dragonflymr
Jun 16, 2015

AFM 11.6 and active/active cluster

Hi,

I did not play much with AFM in older versions, so I'm not sure what the limitations were in earlier versions regarding clustering.

In the 11.6 release notes there is this info: "Advanced Firewall Manager is supported in both active-standby and active-active configurations with BIG-IP systems."

I assume that in previous versions only an active-standby two-device cluster with one traffic-group was possible, and in 11.6 it's possible to have a SyncFailover Device Group consisting of a maximum of 8 devices with up to 127 traffic-groups. Am I right?

The active-active config mentioned in the release notes is not one that can process traffic for the same traffic-group on two devices at the same time (like, for example, in Palo Alto active-active)?

Piotr

5 Replies

  • can't say for sure on question 1.

    question two is indeed the case, active-active with big-ip in general is having multiple traffic groups active on different big-ips. not having the same traffic group active on multiple big-ips.

  • Hi Guys, I'm having some issues understanding traffic groups, and I can't find doc on the following.

    Consider an Active / Active configuration with two traffic groups. Traffic group A is primary on A device, Traffic group B is primary on the B device. Can you share a subnet between the two traffic groups? I would think this might work if each traffic group had its own primary float, but I can't find doc that specifically says you can or can't do this. With one float, primary being A device - I would think a VIP that is primary on B device would have issues / possibly asymmetric.

    I appreciate any insight, or documentation you can point me to on this subject.

    • boneyard
      your first question can't really be answered, as a subnet isn't something you assign to a traffic group. if the question is, can you assign virtual IP addresses from the same subnet to different traffic groups the answer is yes. the rest of the question depends a lot on how you get traffic to your big-ips and how the big-ips communicate with the poolmembers. but if required a solution with two floats will be able to handle these situations.
  • Hi,

    facing a similar issue here. I have a P2P VLAN between my Viprions and firewall. Also, I have a backend VLAN with defined SIPs and FIP addresses - def.gw of servers is the FIP address of the backend VLAN.

    I want to assign some of the virtual servers to one traffic-group and some to another. What failover objects need to be present in every traffic group? Do I need to have a different P2P VLAN for every traffic group? I suppose that I have to have different backend VLANs for each traffic group? What about VIPs?

    The route for the backend segment and virtual segment is set on the firewall and it is pointing to the FIP of the P2P VLAN.

    A.

  • my previous answer stands, you don't assign subnets to traffic groups, you assign IP addresses, these can be for selfIPs and for Virtual Servers.