Forum Discussion
Jim_McCarron_44
Jun 20, 2011
Historic F5 Account
Derek,
Re: your question below:
Do I need to have 2 in-band management IP's if the only vlan 32 address is going to be the VIPs?
Yes. I would highly recommend having in-band Management IPs on any VLANs that the ARXs connect to. There are some functions, such as critical route monitoring, which will need a Management IP address to probe from. You'll want to set up critical routes on both your VLANs when you set up the redundancy.
I would recommend holding off on any global-config until you get the units paired up. Looks like you have not yet enabled redundancy and configured the quorum disk. You'll need to enable redundancy mode, add the peer address, and quorum disk location. You also need to add the keyword "redundancy" to one of your VLANs. I recommend adding it to the proxy IP VLAN, like I have done below for one of your ARXs:
On ARX1:
interface vlan 114
ip address 10.17.114.165 255.255.254.0
redundancy
no shutdown
exit
On ARX2:
interface vlan 114
ip address 10.17.114.175 255.255.254.0
redundancy
no shutdown
exit
Next you need to enable redundancy and configure the required parameters (something like this below). You'll need to provide a proper quorum disk location (the example below shows an NFS location with IP address 1.1.1.1).
on ARX1:
redundancy
peer 10.17.114.175
quorum-disk 1.1.1.1:/vol/vol1/quorum nfs3tcp
enable
exit
on ARX2:
redundancy
peer 10.17.114.165
quorum-disk 1.1.1.1:/vol/vol1/quorum nfs3tcp
enable
exit
As for this question:
With regards to static routes, you mention that if storage doesn't live on the same network as the proxy IP's I need a static host route. Will this also work for other servers (AD, NTP etc..)?
Yes. You can use subnet-based routes using a gateway that lives on the Proxy IP subnet. But if you also have clients that will access an ARX VIP, that live on the same subnet as those devices (AD, NIS, etc.), then you will want to enter static host IP routes to any authentication services (NIS/AD). NTP/SNMP etc. use Management IPs, not Proxy IP addresses.
The UNIX/AD mapping is probably beyond what we can cover here, and you'd probably want an F5 SE to look into the environment deeper to cover all the bases, but from a high level the mapping is done behind ARX (usermap.cfg as an example on NetApp). ARX does not talk to LDAP, only AD, but if the filer is doing LDAP for file system security (NFS), then it should be transparent for ARX. The ARX does not alter UID/GID from the user into the file system. If you use LDAP for NFS mount based security, then ARX does not currently support that function today.
The ARX and upstream L2 switch should use all ports in the channel. As with any L2/L3 device the distribution will typically be some sort of hash on the IP addresses.
re: the question:
If I have arx1 1/1 to 1/4 going to switch 1 and arx1 1/5 to 1/8 going to switch 2, if they are all part of the same channel the ARX has no way to determine which switch/interfaces it should be sending packets to if the 2 back-end switches are not configured as a single logical switch? Correct?
Yes this is correct.
If I had the same setup above, but I had 2 channels, would I be able to achieve a multi homed setup if I was using 2 channels?
It may work, but it is not a deployment mode we test. My concern is having 2 different channels in the same subnet/VLAN. This could "potentially" cause MAC address flapping if MAC addresses appear to move from one port to another. Upstream L2 switches are not happy when this occurs. Like I said, this may work, but without formally qualifying in this deployment mode I can't comment on what the exact behavior will be. I can only point out what I see are potential gotchas.
Hope this helps.
Jim
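An added example, not part of the post above and not F5 code: a small Python check that the two units' redundancy snippets agree before they are paired. It assumes, from the post's example only, that each unit's `peer` is the other unit's address on the VLAN carrying the `redundancy` keyword and that both units name the same quorum disk; `snippet`, `parse` and `check_pair` are hypothetical names.

```python
def snippet(own_ip, peer_ip):
    # Constructed sample input: one unit's config text, laid out as in the post.
    return (f"interface vlan 114\nip address {own_ip} 255.255.254.0\n"
            "redundancy\nno shutdown\nexit\n"
            f"redundancy\npeer {peer_ip}\n"
            "quorum-disk 1.1.1.1:/vol/vol1/quorum nfs3tcp\nenable\nexit\n")

def parse(text):
    """Extract the redundancy-related settings from one unit's config text."""
    cfg = {"red_vlan_ip": None, "peer": None, "quorum": None, "enabled": False}
    block, vlan_ip, vlan_red = None, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if block is None:
            if line.startswith("interface vlan "):
                block, vlan_ip, vlan_red = "vlan", None, False
            elif line == "redundancy":          # top level: the redundancy block
                block = "red"
        elif line == "exit":
            if block == "vlan" and vlan_red:
                cfg["red_vlan_ip"] = vlan_ip
            block = None
        elif block == "vlan":
            if line.startswith("ip address "):
                vlan_ip = line.split()[2]
            elif line == "redundancy":          # inside a VLAN: the keyword
                vlan_red = True
        else:                                   # inside the redundancy block
            key, _, val = line.partition(" ")
            if key == "peer":
                cfg["peer"] = val
            elif key == "quorum-disk":
                cfg["quorum"] = val
            elif key == "enable":
                cfg["enabled"] = True
    return cfg

def check_pair(text1, text2):
    """Return a list of inconsistencies between the two units (empty if none)."""
    a, b = parse(text1), parse(text2)
    problems = []
    for name, c in (("ARX1", a), ("ARX2", b)):
        if c["red_vlan_ip"] is None:
            problems.append(f"{name}: no VLAN carries the redundancy keyword")
        if not c["enabled"]:
            problems.append(f"{name}: redundancy is not enabled")
        if not c["quorum"]:
            problems.append(f"{name}: no quorum-disk configured")
    if a["peer"] != b["red_vlan_ip"] or b["peer"] != a["red_vlan_ip"]:
        problems.append("peer addresses do not point at each other's redundancy VLAN IP")
    if a["quorum"] != b["quorum"]:
        problems.append("quorum-disk differs between the units")
    return problems
```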