Forum Discussion

Piotr_Lewandows
Feb 08, 2016

Full mesh HA to FW with direct cabling

Hi,

I wonder if there are any issues to be expected when HA is implemented as in the attached picture.

 

I assume that when two ports (1.1, 1.2) are assigned to the same VLAN, BIG-IP will behave like an L2 switch:

  • When there is no entry in the ARP cache for a given IP (let's say the DG set on LTM), an ARP request is sent and, because it's targeted to the broadcast MAC, it's flooded via both 1.1 and 1.2
  • Because only one SonicWall (SW) is active and using the Floating IP, the ARP response will be received only via 1.1
  • The MAC address from the ARP response will be assigned in the FDB to port 1.1
  • All unicast traffic to 192.168.1.254 will be sent to active SW port 1.1 via LTM port 1.1

In case of active SW failure the second unit will take over the Floating IP. As far as I know the new active unit will generate a GARP, so:

  • Active LTM will receive the GARP on port 1.2
  • FDB will be updated with the SW MAC on port 1.2
  • All unicast traffic to 192.168.1.254 will be sent to active SW (second unit) port 1.1 via LTM port 1.2

I assume as well that when the active LTM fails, the second LTM becomes active and in the same way will be able to send traffic via port 1.2 on the active SW.

 

Is the above correct, or am I missing something?

 

If not, what setup on SW and LTM would be optimal to minimize connection loss and speed up convergence?

 

  • SW has an option to set up a Virtual MAC, so in case of failure the same MAC is used on the second unit for 192.168.1.254. Additionally SW issues a GARP, so FDB entries should be updated (MAC deleted from port 1.1 and added to 1.2). Should it be enabled? Assuming that the FDB on LTM has to be updated anyway, either by moving the Virtual MAC from port 1.1 to port 1.2 or by creating a new mapping for the static SW MAC (when Virtual MAC is not used), will using Virtual MAC provide any advantage?
  • Assuming that there is only one DG available for LTM and one and the same for SW (one link to the Internet), is using Gateway failsafe necessary? Or maybe VLAN failsafe? Or is there no advantage, because in case of active SW failure there is no need to fail over the active LTM to the passive one (the active LTM is not losing access to the Internet when the active SW fails)? If Internet access fails, no failover on LTM will help - the same link to the Internet is used by both LTMs
  • If Virtual MAC is used, should Auto Last Hop (ALH) be set to enabled, or is it safer to disable it? I think that when Virtual MAC on SW is not used ALH should be disabled, as LTM will be trying to use the MAC address of the failed SW, not the MAC address of the next unit that took over?

Piotr
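The two sequences in the question (initial ARP learning, then GARP-driven failover) can be traced with a small model of a two-port learning bridge that also keeps its own ARP cache. This is an added example written for this thread, not F5 or SonicWall code, and it models the behaviour the post assumes rather than confirming that BIG-IP actually bridges between ports in a VLAN. All MAC addresses are constructed; the scenario is run once with a shared virtual MAC and once with each unit's own physical MAC, which makes the Auto Last Hop concern in the last bullet visible: after failover without a virtual MAC, the old MAC is still mapped to port 1.1 in the FDB until it ages out.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
GW_IP = "192.168.1.254"                 # floating gateway IP from the post
LTM_MAC = "00:01:d7:00:00:aa"           # assumed MAC of the active LTM
SW1_MAC = "00:17:c5:00:00:01"           # assumed physical MAC, SonicWall unit 1 (on port 1.1)
SW2_MAC = "00:17:c5:00:00:02"           # assumed physical MAC, SonicWall unit 2 (on port 1.2)
VIRTUAL_MAC = "00:17:c5:ff:ff:fe"       # assumed SonicWall virtual MAC for the floating IP


class LearningBridge:
    """Toy model of a two-port L2 learning bridge with its own ARP cache."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.fdb = {}    # MAC -> port the MAC was last seen on
        self.arp = {}    # IP -> MAC (the LTM's own ARP cache)

    def receive(self, in_port, src_mac, dst_mac, arp_sender_ip=None):
        """Ingress frame: learn the source MAC on in_port and, for ARP replies
        and GARPs, refresh the ARP cache. Returns the egress ports a transit
        frame with this destination would use (flooded when unknown/broadcast)."""
        self.fdb[src_mac] = in_port
        if arp_sender_ip is not None:
            self.arp[arp_sender_ip] = src_mac
        if dst_mac == BROADCAST or dst_mac not in self.fdb:
            return [p for p in self.ports if p != in_port]   # flood
        return [self.fdb[dst_mac]]

    def send_to_ip(self, ip):
        """LTM-originated unicast: resolve via the ARP cache, then pick the FDB port.
        Returns ("arp-flood", None) when an ARP request would be flooded first."""
        mac = self.arp.get(ip)
        if mac is None:
            return ("arp-flood", None)
        return (self.fdb.get(mac, "flood"), mac)


def scenario(use_virtual_mac):
    """Walk through the post's two sequences: initial ARP learning, then SW failover."""
    b = LearningBridge(["1.1", "1.2"])
    active_mac = VIRTUAL_MAC if use_virtual_mac else SW1_MAC
    result = {}
    # 1) No ARP entry for the DG yet: the request would be flooded on 1.1 and 1.2.
    result["initial"] = b.send_to_ip(GW_IP)
    # 2) Only the active SW answers; its reply enters on 1.1 and is learned there.
    b.receive("1.1", active_mac, LTM_MAC, arp_sender_ip=GW_IP)
    result["before_failover"] = b.send_to_ip(GW_IP)
    # 3) Unit 1 dies; unit 2 takes the floating IP and sends a GARP that arrives on 1.2.
    new_mac = VIRTUAL_MAC if use_virtual_mac else SW2_MAC
    b.receive("1.2", new_mac, BROADCAST, arp_sender_ip=GW_IP)
    result["after_failover"] = b.send_to_ip(GW_IP)
    # 4) A connection whose return path was pinned to the pre-failover MAC
    #    (the Auto Last Hop question): which port does the FDB still map it to?
    result["pinned_old_mac_port"] = b.fdb.get(active_mac)
    return result


if __name__ == "__main__":
    for flag in (True, False):
        print("virtual MAC" if flag else "physical MACs", scenario(flag))
```

With the virtual MAC the GARP simply moves one FDB entry from 1.1 to 1.2, so even traffic pinned to the learned MAC follows the new unit. With per-unit physical MACs the ARP cache switches to SW2's MAC, but a stale entry for SW1's MAC remains on port 1.1, which is the case where a last-hop pin to the old MAC keeps sending replies to the dead unit until that entry ages out.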

 

1 Reply

  • Hi Piotr,

    Piotr wrote: I assume that when two ports (1.1, 1.2) are assigned to the same VLAN BIG-IP will behave like a L2 switch

    I don't think so. You'll just get two independent HOST interfaces (either tagged or untagged). But I'm very unsure whether LTMs would behave like a full-featured switch...

    Note: Personally I would never use cross-over HOST-to-HOST cabling. I always tend to use full-featured switches to aggregate the different HOST ports. Depending on the switch capabilities, you may use a ONE:ONE assignment, so that the primary SW and F5 are connected to the primary switch (and vice versa for the secondaries), or use fault-tolerant LACP channels for the F5s and SWs that are spanned across the primary and secondary switches (aka vPC configurations).

    Update: It seems LTMs would be able to operate as a switch. Hmm... but I highly doubt that I would ever use this feature^^ ;-)

    Cheers, Kai