Aug 27

Using TACACS+ on an F5 BIG-IP

One of the first things I configured on the F5 BIG-IP was TACACS+. As the first step of getting the load balancer set up, it was my first configuration failure. I had the unit racked in the data center and I configured the management IP address information by using the front panel on the chassis. Using the management port, I connected the BIG-IP to the network so I could manage it. No other cables were connected.

After spending hours trying to get TACACS+ to work, I moved on to other parts of the configuration. After completing the VLANs and Self IPs, I got the cables connected to the network for the data connectivity. After I did this, I went back to troubleshooting the TACACS+ configuration.

I found that the BIG-IP was using the data VLAN and self IP to communicate with the TACACS+ server instead of the management port IP address. After setting up the Self IP address in the TACACS+ server, it started working. This was on a BIG-IP not using Partitions and Route Groups.

When the BIG-IP is configured for Partitions and Route Groups, it does use the Management port as the source when communicating with TACACS+.

I found this difficult to figure out; there was little documentation.

Have any of you run into similar issues with your BIG-IP?

I hope this helps you set up TACACS+ on your BIG-IP.

Jun 04

Load Balancer migration methods

Now that Cisco has left the load balancing market, there are going to be a large number of companies moving to other companies' load balancers. Currently I’m in the process of migrating off of some Cisco CSSs onto F5 BIG-IP load balancers. There are many different methods of replacing load balancers. Unfortunately I cannot copy the configuration off of the CSS and paste it into the new load balancer. This cannot be done even if you move from the Cisco CSS to the Cisco ACE. The Cisco ACE is completely different from the CSS.

You always have the option of performing a flash cut. If you are not familiar, a flash cut is when you configure the new unit before the cutover. At the time of cutover, you simply move the cables from the old unit to the new unit. When I replace switches or routers, I use this method. I’m very familiar with routers and switches and my confidence level is very high with this approach on those devices.

When moving to the F5 BIG-IP, my confidence wasn’t so high. It was a new device to me with an operating system that I was not familiar with. Due to this, along with many other reasons, we decided to move the servers and services to the new load balancer one by one. This consisted of new IPs for some VIPs (Virtual IPs) and servers, or at the very least a default gateway change on the server.

I configured the services on the load balancer and installed it in parallel to the old one. One service at a time, the IPs and/or the default gateway were changed. The DNS was pointed to a new IP and the service was moved.

This method has worked very well, giving us time to troubleshoot each service before moving on to the next. If one service had an issue, it didn’t affect any others. The business liked this method because of the reduced potential for mass outages. On the other hand, it required a lot of coordination of maintenance windows in off hours.

What methods have you used to migrate to another load balancer?
What load balancer are you moving to?
How do you like the new load balancer compared to your old one?