Lab 8: Device Service Clusters (DSC)

We want to familiarize you with the concept of Device and Traffic Groups, as well as with building Active-Standby and Active-Active BIG-IP pairs. There is a wizard, but for this lab the configuration will be done manually. The wizard will only build A/S HA groups. To build Active-Active configurations, or clusters beyond a pair, you will need to know the four steps to add a device object to a cluster.

Base Networking and HA VLAN

You will be creating a high availability cluster using the second BIG-IP (bigip2) in your lab, so let’s prep our current BIG-IP and create a high availability VLAN.

  1. On archive your configuration in case you need to revert

  2. Go to System >> Archives and create a new archive.

  3. You will be using your third interface (1.3) for Network Failover and ConfigSync. This requires certain ports to be open on the Self IP: TCP port 4353 for ConfigSync, TCP port 1026 for Network Failover, and TCP port 6699 for the Master Control Program.

    1. Build a new untagged VLAN ha_vlan on interface 1.3
    2. Add a self-IP address to the VLAN, net mask
    3. Under Port Lockdown, select Allow Default, to open ports required for HA communications.
  4. Go to which is and login.

  5. Bigip102 has already been licensed and provisioned. You will need to set up the base networking.

    Interface Untagged VLAN Self IP Netmask
    1.1 client_vlan
    1.2 server_vlan
    1.3 ha_vlan
  6. Set Port Lockdown to Allow Default

  7. Build the default gateway destination, mask, gateway ip address

  8. What is the status of your BIG-IPs? Check the upper left-hand corner next to the F5 ball.

Configure HA

  1. On each BIG-IP, prior to building the Device Trust, it is recommended to renew the BIG-IP self-signed certificate with valid information and regenerate the local Device Trust certificate

  2. Under System >> Certificate Management >> Device Certificate Management >> Device Certificate, select the Renew… button

    1. Common Name: <the Hostname of the BIG-IP in the upper left corner>
    2. Country: United States (or your country of preference)
    3. Lifetime: 3650
  3. Lifetime is important. If your cert expires, your HA setup will fail.

  4. Select Finished. Your browser will ask to exchange certs with the BIG-IP again

  5. Under Device Management >> Device Trust >> Local Domain select Reset Device Trust…

  6. In the Certificate Signing Authority select Generate New Self-Signed Authority and hit Update

  7. On each BIG-IP configure the device object failover parameters the BIG-IP will send to other BIG-IPs that want to be a part of a sync-only or sync-failover group

    1. Under Device Management >> Devices, select the local BIG-IP. It will have the (Self) suffix.
    2. Under Device Connectivity on the top bar select:
    3. ConfigSync
    4. Use the Self IP address of the HA VLAN for your Local Address.
    5. Failover Network
  8. In the Failover Unicast Configuration section select the Add button

  9. Use the Self IP address of the HA VLAN for your Address

  10. Leave the Port at the default setting of 1026

  11. Note: Multicast is for VIPRION chassis only

  12. Mirroring

  13. Primary Local Mirror Address: use the Self IP address of the HA VLAN for your

  14. Secondary Local Mirror Address: None

  15. On build the Device Trust.

    1. Under Device Management >> Device Trust >> Device Trust Members and select Add to add other BIG-IP(s) you will trust.
    2. Device IP Address: <management IP address of the BIG-IP to add>
  16. You could use any Self IP if the out-of-band management interface is not configured.

    1. Enter the Administrator Username and Password of the BIG-IP you are trusting
    2. Select Retrieve Device Information
  17. The certificate information and name from the other BIG-IP should appear

    1. Select Device Certificate Matches to proceed
    2. Select Add Device
  18. On each BIG-IP check the other BIG-IP in the Device Trust Members list. Is all the information there?

  19. If some information is missing delete the trust and try again

  20. What are the statuses of your BIG-IPs now?

  21. They should be In Sync. But wait! Although they show in sync, only a Sync-Only group was created. We now need to create a Sync-Failover group to facilitate failover.

  22. On create a new Sync-Failover device group

    1. Under Device Management >> Device Group create a new device group
    2. Name: my-device-group
    3. Group Type: Sync-Failover
    4. Add the members of the group to the Includes box
    5. Check the Network Failover setting for the group
  23. Check Device Groups on each BIG-IP

  24. Did you have to create the Device Group on the other BIG-IP?

  25. Is the full configuration synchronized yet? (No! Only the Device Group is sync’d)

  26. What is your sync status?

  27. It should be Awaiting Initial Sync

    1. Click on the sync status or go to Device Management >> Overview (or click on Awaiting Initial Sync) of the BIG-IP with the good/current configuration
    2. Click the device with the configuration you want to synchronize. Sync Options should appear.
    3. Synchronize to Group. It could take up to 30 seconds for synchronization to complete.
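
A check that the three Device Connectivity settings above (ConfigSync Local Address, Failover Unicast address and Primary Local Mirror Address) all sit on the HA VLAN, as the steps instruct. This is an added example, not part of the original lab: the sample text is constructed and modelled on `tmsh list cm device` output, and its field layout, the hostnames and the 10.1.30.0/24 HA subnet are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on `tmsh list cm device` output; all values made up.
SAMPLE = """\
cm device bigip1.example.lab {
    configsync-ip 10.1.30.1
    mirror-ip 10.1.30.1
    unicast-address {
        {
            ip 10.1.30.1
            port 1026
        }
    }
}
cm device bigip2.example.lab {
    configsync-ip 192.0.2.11
    mirror-ip any6
    unicast-address {
        {
            ip 10.1.30.2
            port 1026
        }
    }
}
"""
DEVICE_RE = re.compile(r"^cm device (\S+) \{\n(.*?)^\}", re.S | re.M)

def audit(text, ha_subnet, failover_port=1026):
    """Return (device, setting, value) for each HA setting not on ha_subnet."""
    net = ipaddress.ip_network(ha_subnet)
    def on_ha(value):
        try:
            return ipaddress.ip_address(value) in net
        except ValueError:  # "any6", "none": not an address, nothing configured
            return False
    findings = []
    for name, body in DEVICE_RE.findall(text):
        # Top-level "key value" lines of this device block (4-space indent).
        top = dict(re.findall(r"^ {4}([\w-]+) (\S+)$", body, re.M))
        for key in ("configsync-ip", "mirror-ip"):
            if not on_ha(top.get(key, "none")):
                findings.append((name, key, top.get(key, "none")))
        # Failover unicast entries; a missing port is treated as the default.
        unicast = re.findall(r"^\s+ip (\S+)(?:\s+port (\d+))?$", body, re.M)
        for ip, port in unicast or [("none", "")]:
            port = int(port or failover_port)
            if not on_ha(ip) or port != failover_port:
                findings.append((name, "unicast-address", f"{ip}:{port}"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "10.1.30.0/24"))
```

In the constructed sample, bigip2 is flagged because its ConfigSync address is not on the HA subnet and no mirror address is set.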


During the Awaiting Initial Sync phase either BIG-IP can perform the synchronization and the other BIG-IP will be overwritten.

  1. What are the statuses of your BIG-IPs? Do you have an active-standby pair?
  2. Are the configurations the same?
  3. Now that you have created your HA environment, HA selections will show up for SNAT addresses (not tied to your base network), persistence profiles and connection mirroring on virtual servers.
    1. Go to your Active BIG-IP
    2. Go to your persistence profile my-src-persistence and check the Mirror Persistence box
    3. Go to your www_vs virtual server and set the Default Persistence Profile to my-src-persistence
    4. Synchronize your changes. Did the changes sync?
    5. On each BIG-IP go to Module Statistics > Local Traffic and bring up the persistence record statistics
    6. Go to the home page of your www_vs web service ( Refresh a few times.
    7. Check the persistence records on each of your BIG-IPs. You should see that the records are mirrored on each device.
  4. Go to Device Management >> Traffic Groups. As you can see the default traffic group “traffic-group-1” already exists.
    1. Select traffic-group-1. Check out the page information and then select Force to Standby.
    2. What are the statuses of your BIG-IPs? Go to your web page. What is the client IP?
    3. Go to your self-IP addresses. What traffic group are they in? What does it mean?
    4. Archive your work.