Create Secure Mesh Site
Objective
This document provides instructions on how to create a single-node or multi-node F5® Distributed Cloud Secure Mesh Site object. A Secure Mesh Site object can be used to register and manage a site deployed on-premises (on VMware, KVM, or bare metal) or deployed manually on a public cloud (AWS, Azure, and GCP) using the cloud provider's console or the cloud provider's Terraform.
A Secure Mesh Site is a Distributed Cloud Customer Edge (CE) site designed to make it easy to create sites with any F5® Distributed Cloud Mesh certified hardware.
Using the instructions provided in this document, you can:
- Create a site token.
- Create a single-node or multi-node Secure Mesh Site object in the F5® Distributed Cloud Console.
- Register the site on the F5® Distributed Cloud Console.
Creating the Site nodes is specific to different providers/environments where the site is being deployed. For more information, see the Deploy the Site Nodes section.
Prerequisites
- An F5 Distributed Cloud Account. If you do not have an account, see Create an Account.
- One or more devices or VMs consisting of interfaces with Internet reachability for Site installation.
- Resources required per node: Minimum 4 vCPUs, 14 GB RAM, and 80 GB disk storage. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same resources regarding the compute, memory, and disk storage. When deploying in cloud environments, these nodes should use the same instance flavor.
- Allow traffic from and to the Distributed Cloud public IP addresses to your network and allowlist related domain names. See Firewall and Proxy Server Allowlist Reference guide for the list of IP addresses and domain names.
- Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.
Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.
Create Site Token
Create a site token or use an existing token. If you are configuring a multi-node site, use the same token for all nodes.
Step 1: Navigate to site tokens page.
- Log into F5® Distributed Cloud Console.
- Click Multi-Cloud Network Connect.
Figure: Console Homepage
- Select Manage > Site Management > Site Tokens.
- Click Add Site Token to create a new token.
Figure: Site Tokens
Step 2: Generate a new site token.
- In the Name field, enter the token name.
- In the Description field, enter a description for the token.
- Click Save and Exit.
Figure: Site Token Form
Step 3: Note down the new token.
- Find the token previously created or choose an existing token from the list of tokens displayed.
- Click > to expand the token details in JSON format and note down the value of the uid field.
Figure: UID Field
Create Secure Mesh Site Object
Log into F5 Distributed Cloud Console and perform the following steps to create a single-node or a three-node secure mesh site:
Create Three-Node Secure Mesh Site
Step 1: Start creating Secure Mesh Site object.
- In the Multi-Cloud Network Connect service, navigate to Manage > Site Management > Secure Mesh Sites.
- Select Add Secure Mesh Site to open the Secure Mesh Site configuration form.
Figure: Navigate to Secure Mesh Site Configuration
- Enter a name in the Metadata section for your Secure Mesh Site object.
- Optionally, select labels and add a description.
Step 2: Set the fields for basic configuration.
- From the Generic Server Certified Hardware menu, select an option. The isv-8000-series-voltmesh is selected by default. If the Generic Server Certified Hardware is not listed in the drop-down menu, type in the name for your deployment. This may be needed if you are manually deploying a site in the public cloud using the ClickOps method.
- Enter the names of the master nodes in the List of Master Nodes field. Select Add item to add the second and third nodes.
- Enter the public IP in the Public IP field for the master nodes. The IP addresses are only used when a site is part of a Site Mesh Group, and you have selected the Site Mesh Group Connection Via Public Ip option for the Site Mesh Group Connection Type field as shown in Step 4.6. You can leave this blank if your site nodes do not have a public IP address.
- Optionally, enter the names of worker nodes in the List of Worker Nodes field. Select Add item to add more than one entry.
- Optionally, enter the following fields:
  - Geographical Address: This derives geographical coordinates.
  - Coordinates: Latitude and longitude.
Important: It is recommended to enter the coordinates so that the CE connects to the geographically closest REs.
Figure: Secure Mesh Site Basic Configuration Section
Step 3: Optionally, configure bond interfaces.
In the Bond Configuration section, perform the following:
- From the Select Bond Configuration menu, select Configure Bond Interfaces.
- Select Configure to open bond interface configuration page.
- Select Add Item under the Bond Devices List field.
- Select on the Bond Device Name field and select See Common Values. You can also type a custom name and click Add item to set the device name while also adding it to the existing options.
- Select on the Member Ethernet Devices field and select See Common Values for the Ethernet device that is part of this bond. Use Add item option to add more devices.
- From the Select Bond Mode menu, select the bonding mode. LACP (802.3ad) is selected by default for the bonding mode with the default LACP packet interval as 30 seconds. You can set the bond mode to Active/Backup to set the bond members function in active and backup combination.
- Select Add Item.
Note: Use the Add item option in the Bond Devices List to add more than one bond device.
- Select Apply in the Bond Devices page to apply the bond configuration.
Step 4: Optionally, configure network settings.
The network configuration is applied with default settings. To customize network settings, do the following:
- In the Network Configuration section, select Custom Network Configuration from the Select to Configure Networking menu.
- Select View Configuration to open the network configuration page and do the following:
Step 4.1: Configure site local network settings.
Site local network is applied with default configuration. Perform the following set of steps to apply custom configuration:
- Select Configure Site Local Network from the Select Configuration For Site Local Network menu.
- Select View Configuration.
- Optionally, set labels for the Network Labels field in the Network Metadata section.
- Select Manage Static Routes from the Manage Static Routes menu.
- Select Add Item and perform the following:
  - Enter IP prefixes for the IP Prefixes section. These prefixes will be mapped to the same next-hop and attributes.
  - Select IP Address or Interface or Default Gateway from the Select Type of Next Hop menu and specify IP address or interface accordingly. In the case of Interface, you can select an existing interface or create a new interface using the options for the interface field.
  - Optionally, select one or more options for the Attributes field to set attributes for the static route.
  - Select Apply.
Note: You can use Add Item button in the Static Routes section to add more than one static route.
- Optionally, configure DC Cluster Group using the following guidelines:
  - Select Member of DC Cluster Group from the Select DC Cluster Group menu.
  - In the Member of DC Cluster Group field, select a DC cluster group. You can also select Create New DC Cluster Group to create a new cluster group. Performing this adds this site to a DC cluster group, enabling full connectivity between the members of the group.
Figure: Site Local Network Configuration
- Select Apply.
Note: For more information, see the Configure DC Cluster Group guide.
Step 4.2: Configure site local inside network settings.
Site local inside network is applied with default configuration. Perform the following set of steps to apply custom configuration:
- Select Configure Site Local Inside Network from the Select Configuration For Site Local Network menu.
- Select Configure.
- Optionally, set labels for the Network Labels field in the Network Metadata section.
- Select Manage Static Routes from the Manage Static Routes menu.
- Select Add Item and perform the following:
  - Enter IP prefixes for the IP Prefixes section. These prefixes will be mapped to the same next-hop and attributes.
  - Select IP Address or Interface or Default Gateway from the Select Type of Next Hop menu and specify IP address or interface accordingly. In the case of Interface, you can select an existing interface or create a new interface using the options for the interface field.
  - Optionally, select one or more options for the Attributes field to set attributes for the static route.
  - Select Apply.
Note: You can use Add Item button in the Static Routes section to add more than one static route.
- Optionally, configure DC Cluster Group using the following guidelines:
  - Select Member of DC Cluster Group from the Select DC Cluster Group menu.
  - In the Member of DC Cluster Group field, select a DC cluster group. You can also select Create New DC Cluster Group to create a new cluster group. Performing this adds this site to a DC cluster group, enabling full connectivity between the members of the group.
- Select Apply.
Note: For more information, see the Configure DC Cluster Group guide.
Step 4.3: Configure interface settings.
Bootstrap interface configuration is applied by default, and it is based on the certified hardware.
Perform the following to apply custom interface configuration:
- Select List of Interface from the Select Interface Configuration menu.
- Click Configure. This opens another interface list configuration page.
- Select Add Item in the List of Interface table.
- Optionally, enter an interface description and select labels.
- Select an option from the Interface Config Type menu, and set one of the interface types using the following instructions:
Ethernet Interface:
- Select Ethernet Interface and click Configure. This opens Ethernet interface configuration page.
- Select an option from the Ethernet Device menu using See Common Values. You can also type a custom name to set the device name while also adding it to the existing options.
- Select Cluster, All Nodes of the Site or Specific Node from the Select Configuration for Cluster or Specific Node menu. In case of specific node, select the specific node from the displayed options of the Specific Node field. You can also type a custom name to set the device name while also adding it to the existing options.
- Select Untagged or VLAN Id from the Select Untagged or VLAN tagged menu. In case of VLAN ID, enter the VLAN ID in the VLAN Id field.
- Select an option from the Select Interface Address Method menu in the IP Configuration section. The DHCP Client is selected by default. In case you select a DHCP server, click Configure and set the DHCP server configuration per the options displayed on the DHCP server configuration page and click Apply. This example shows the interface as DHCP client for brevity.
- Select Site Local Network (Outside), Site Local Network (Inside), or Segment from the Select Virtual Network menu in the Virtual Network section. If you choose Segment, you must also select the segment from the drop-down list. Site Local Network (Outside) is selected by default.
- Select if the interface is primary from the Select Primary Interface menu. Default is not a primary interface. Ensure that you set only one interface as primary.
- Select Apply.
Dedicated Interface:
- Select Dedicated Interface from the Interface Config Type menu.
- Select a device name from the Interface Device menu using See Common Values. You can also type a custom name to set the device name while also adding it to the existing options.
- Select Cluster, All Nodes of the Site or Specific Node from the Select Configuration for Cluster or Specific Node menu. In case of specific node, select the specific node from the displayed options from the Specific Node menu. You can also type a custom name to set the device name while also adding it to the existing options.
- Select if the interface is primary in the Select Primary Interface field. Default is not a primary interface. Ensure that you set only one interface as primary.
- Select Add Item.
- Optionally, add more than one interface using the Add item option in the List of Interface page.
- Select Apply.
Step 4.4: Configure security settings.
In case of security configuration, the firewall policies and forward policies are disabled by default.
In the Security Configuration section, perform the following to apply network and forward policies:
- Select Active Enhanced Firewall Policies from the Firewall Policy menu and do the following:
  - Click Configure under Enhanced Firewall Policy to switch to enhanced firewall policies list page.
  - Select an enhanced firewall policy object from the Enhanced Firewall Policy drop-down. You can also create and apply a new enhanced firewall policy using the Add Item in the drop-down.
  - Use the Add Item button in the list page to add more than one enhanced firewall policy.
- Select Active Firewall Policies from the Firewall Policy menu and do the following:
  - Select a firewall policy object from the Firewall Policy drop-down. You can also create and apply a new firewall policy using the Add item option.
  - Use the Add Item button in the list section to add more than one firewall policy.
- Select one of the following options from the Forward Proxy menu:
  - Select Enable Forward Proxy and Manage Policies to apply specific forward proxy policies. Select a forward proxy policy from the Forward Proxy Policies drop-down. You can also create and apply a new forward proxy policy using the Add Item option. You can apply more than one forward proxy policy using the Add item option in the list section.
  - Select Enable Forward Proxy With Allow All Policy to allow all requests.
Step 4.5: Configure global networks.
- Enable Show Advanced Fields in the Global Connections section.
- Select Connect Global Networks from the Global Network Connections drop-down.
- Click Add Item in the Global Network Connections section to open the global network connections page.
- Select one of the following for the Select Network Connection Type field:
  - Direct, Site Local Inside to a Global Network to connect site local inside network to global network.
  - Direct, Site Local Outside to a Global Network to connect site local outside network to global network.
- Select a virtual global network from the Global Virtual Network drop-down. You can also create and apply a new virtual global network using the Add Item button.
- Click Apply to add global network connection to the Secure Mesh Site configuration.
Note: Use Add Item in the Global Network Connections section to add more than one global network connection.
Step 4.6: Configure Site Mesh Group Connection Type.
The default connection type for incoming tunnels for Site Mesh Group (SMG) is via private IP. This option will use the Site Local Outside interface addresses for creating IPsec tunnels between two sites that are part of the SMG.
To change the connection type, select Site Mesh Group Connection Via Public Ip from the Site Mesh Group Connection Type field. This option will use the statically configured public IPs of each master node for creating IPsec between two sites that are part of the SMG.
Step 4.7: Configure advanced settings.
In the Advanced Configuration section, do the following:
- Select Enable VRRP for VIP(s) for VIP Advertisement Mode. It is recommended to enable this and BGP if Outside VIP/Inside VIP are configured.
- Enter a value in milliseconds in the Tunnel Dead Timeout (msec) field to detect dead tunnels within this time. By default, 10000 milliseconds is set.
Click Apply to add the custom network settings to the Secure Mesh Site configuration.
Step 5: Optionally, configure advanced features.
Do the following in the Advanced Configuration section of Secure Mesh Site main configuration page:
- Select Enable Logs Streaming from the Logs Streaming drop-down and choose a log streaming object from the displayed Enable Logs Streaming drop-down. This enables streaming of logs from the Site to the configured log receiver. For more information on log streaming configuration, see Logs Streaming.
- Select F5XC Software Version from the F5XC Software Version field and enter a specific version in the enabled F5XC Software Version field. By default, the latest software version is used.
- Select Operating System Version from the Operating System Version field and enter a specific version in the enabled Operating System Version field. By default, the latest OS version is used.
- Select Custom Blocked Services Configuration from the Blocked Services field, click Add Item to customize the service type and port you want to block, and click Apply to add the custom blocking configuration.
- Select Enable Offline Survivability Mode from the Offline Survivability Mode field to enable offline survivability mode.
Figure: Advanced Features
- Select L3 Mode Enhanced Performance from the Performance Mode field and choose to enable or disable jumbo frames using the L3 Mode Enhanced Performance Options field options. The L7 Enhanced Mode is enabled by default for the performance mode.
Step 6: Complete creating the Secure Mesh Site.
Select Save and Exit to complete creating the Secure Mesh Site.
Create Single-Node Secure Mesh Site
Step 1: Start creating Secure Mesh Site object.
- In the Multi-Cloud Network Connect service, navigate to Manage > Site Management > Secure Mesh Sites.
- Select Add Secure Mesh Site to open the Secure Mesh Site configuration form.
Figure: Navigate to Secure Mesh Site Configuration
- Enter a name in the Metadata section for your Secure Mesh Site object.
- Optionally, select labels and add a description.
Step 2: Set the fields for basic configuration.
- From the Generic Server Certified Hardware menu, select an option. The isv-8000-series-voltmesh is selected by default. If the Generic Server Certified Hardware is not listed in the drop-down menu, type in the name for your deployment. This may be needed if you are manually deploying a site in the public cloud using the ClickOps method.
- Enter the names of the master node in the List of Master Nodes field.
- Enter the public IP in the Public IP field for the master node. The IP address is only used when a site is part of a Site Mesh Group, and you have selected the Site Mesh Group Connection Via Public Ip option for the Site Mesh Group Connection Type field as shown in Step 4.6.
- Leave the worker nodes section empty, as worker nodes are not supported for single-node sites.
- Optionally, enter the following fields:
  - Geographical Address: This derives geographical coordinates.
  - Coordinates: Latitude and longitude.
Important: It is recommended to enter the coordinates so that the CE connects to the geographically closest REs.
Figure: Single-Node Basic Configuration Section
Step 3: Optionally, configure bond interfaces.
In the Bond Configuration section, perform the following:
- From the Select Bond Configuration menu, select Configure Bond Interfaces.
- Select Configure to open bond interface configuration page.
- Select Add Item under the Bond Devices List field.
- Select on the Bond Device Name field and select See Common Values. You can also type a custom name and click Add item to set the device name while also adding it to the existing options.
- Select on the Member Ethernet Devices field and select See Common Values for the Ethernet device that is part of this bond. Use Add item option to add more devices.
- From the Select Bond Mode menu, select the bonding mode. LACP (802.3ad) is selected by default for the bonding mode with the default LACP packet interval as 30 seconds. You can set the bond mode to Active/Backup to set the bond members function in active and backup combination.
- Select Add Item.
Note: Use the Add item option in the Bond Devices List to add more than one bond device.
- Select Apply in the Bond Devices page to apply the bond configuration.
Step 4: Optionally, configure network settings.
The network configuration is applied with default settings. To customize network settings, do the following:
- In the Network Configuration section, select Custom Network Configuration from the Select to Configure Networking menu.
- Select View Configuration to open the network configuration page and do the following:
Step 4.1: Configure site local network settings.
Site local network is applied with default configuration. Perform the following set of steps to apply custom configuration:
- Select Configure Site Local Network from the Select Configuration For Site Local Network menu.
- Select View Configuration.
- Optionally, set labels for the Network Labels field in the Network Metadata section.
- Select Manage Static Routes from the Manage Static Routes menu.
- Select Add Item and perform the following:
  - Enter IP prefixes for the IP Prefixes section. These prefixes will be mapped to the same next-hop and attributes.
  - Select IP Address or Interface or Default Gateway from the Select Type of Next Hop menu and specify IP address or interface accordingly. In the case of Interface, you can select an existing interface or create a new interface using the options for the interface field.
  - Optionally, select one or more options for the Attributes field to set attributes for the static route.
  - Select Apply.
Note: You can use Add Item button in the Static Routes section to add more than one static route.
- Optionally, configure DC Cluster Group using the following guidelines:
  - Select Member of DC Cluster Group from the Select DC Cluster Group menu.
  - In the Member of DC Cluster Group field, select a DC cluster group. You can also select Create New DC Cluster Group to create a new cluster group. Performing this adds this site to a DC cluster group, enabling full connectivity between the members of the group.
Figure: Site Local Network Configuration
- Select Apply.
Note: For more information, see the Configure DC Cluster Group guide.
Step 4.2: Configure site local inside network settings.
Site local inside network is applied with default configuration. Perform the following set of steps to apply custom configuration:
- Select Configure Site Local Inside Network from the Select Configuration For Site Local Network menu.
- Select Configure.
- Optionally, set labels for the Network Labels field in the Network Metadata section.
- Select Manage Static Routes from the Manage Static Routes menu.
- Select Add Item and perform the following:
  - Enter IP prefixes for the IP Prefixes section. These prefixes will be mapped to the same next-hop and attributes.
  - Select IP Address or Interface or Default Gateway from the Select Type of Next Hop menu and specify IP address or interface accordingly. In the case of Interface, you can select an existing interface or create a new interface using the options for the interface field.
  - Optionally, select one or more options for the Attributes field to set attributes for the static route.
  - Select Apply.
Note: You can use Add Item button in the Static Routes section to add more than one static route.
- Optionally, configure DC Cluster Group using the following guidelines:
  - Select Member of DC Cluster Group from the Select DC Cluster Group menu.
  - In the Member of DC Cluster Group field, select a DC cluster group. You can also select Create New DC Cluster Group to create a new cluster group. Performing this adds this site to a DC cluster group, enabling full connectivity between the members of the group.
- Select Apply.
Note: For more information, see the Configure DC Cluster Group guide.
Step 4.3: Configure interface settings.
Bootstrap interface configuration is applied by default, and it is based on the certified hardware.
Perform the following to apply custom interface configuration:
- Select List of Interface from the Select Interface Configuration menu.
- Click Configure. This opens another interface list configuration page.
- Select Add Item in the List of Interface table.
- Optionally, enter an interface description and select labels.
- Select an option from the Interface Config Type menu, and set one of the interface types using the following instructions:
Ethernet Interface:
- Select Ethernet Interface and click Configure. This opens Ethernet interface configuration page.
- Select an option from the Ethernet Device menu using See Common Values. You can also type a custom name to set the device name while also adding it to the existing options.
- Select Cluster, All Nodes of the Site or Specific Node from the Select Configuration for Cluster or Specific Node menu. In case of specific node, select the specific node from the displayed options of the Specific Node field. You can also type a custom name to set the device name while also adding it to the existing options.
- Select Untagged or VLAN Id from the Select Untagged or VLAN tagged menu. In case of VLAN ID, enter the VLAN ID in the VLAN Id field.
- Select an option from the Select Interface Address Method menu in the IP Configuration section. The DHCP Client is selected by default. In case you select a DHCP server, click Configure and set the DHCP server configuration per the options displayed on the DHCP server configuration page and click Apply. This example shows the interface as DHCP client for brevity.
- Select site local outside or site local inside network from the Select Virtual Network menu in the Virtual Network section. Site Local Network (Outside) is selected by default.
- Select if the interface is primary from the Select Primary Interface menu. Default is not a primary interface. Ensure that you set only one interface as primary.
- Select Apply.
Dedicated Interface:
- Select Dedicated Interface from the Interface Config Type menu.
- Select a device name from the Interface Device menu using See Common Values. You can also type a custom name to set the device name while also adding it to the existing options.
- Select Cluster, All Nodes of the Site or Specific Node from the Select Configuration for Cluster or Specific Node menu. In case of specific node, select the specific node from the displayed options from the Specific Node menu. You can also type a custom name to set the device name while also adding it to the existing options.
- Select if the interface is primary in the Select Primary Interface field. Default is not a primary interface. Ensure that you set only one interface as primary.
- Select Add Item.
- Optionally, add more than one interface using the Add item option in the List of Interface page.
- Select Apply.
Step 4.4: Configure security settings.
In case of security configuration, the firewall policies and forward policies are disabled by default.
In the Security Configuration section, perform the following to apply network and forward policies:
- Select Active Enhanced Firewall Policies from the Firewall Policy menu and do the following:
  - Click Configure under Enhanced Firewall Policy to switch to enhanced firewall policies list page.
  - Select an enhanced firewall policy object from the Enhanced Firewall Policy drop-down. You can also create and apply a new enhanced firewall policy using the Add Item in the drop-down.
  - Use the Add Item button in the list page to add more than one enhanced firewall policy.
- Select Active Firewall Policies from the Firewall Policy menu and do the following:
  - Select a firewall policy object from the Firewall Policy drop-down. You can also create and apply a new firewall policy using the Add item option.
  - Use the Add Item button in the list section to add more than one firewall policy.
- Select one of the following options from the Forward Proxy menu:
  - Select Enable Forward Proxy and Manage Policies to apply specific forward proxy policies. Select a forward proxy policy from the Forward Proxy Policies drop-down. You can also create and apply a new forward proxy policy using the Add Item option. You can apply more than one forward proxy policy using the Add item option in the list section.
  - Select Enable Forward Proxy With Allow All Policy to allow all requests.
Step 4.5: Configure global networks.
- Enable Show Advanced Fields in the Global Connections section.
- Select Connect Global Networks from the Global Network Connections drop-down.
- Click Add Item in the Global Network Connections section to open the global network connections page.
- Select one of the following for the Select Network Connection Type field:
  - Direct, Site Local Inside to a Global Network to connect site local inside network to global network.
  - Direct, Site Local Outside to a Global Network to connect site local outside network to global network.
- Select a virtual global network from the Global Virtual Network drop-down. You can also create and apply a new virtual global network using the Add Item button.
- Click Apply to add global network connection to the Secure Mesh Site configuration.
Note: Use Add Item in the Global Network Connections section to add more than one global network connection.
Step 4.6: Configure Site Mesh Group Connection Type.
The default connection type for incoming tunnels for Site Mesh Group (SMG) is via private IP. This option will use the Site Local Outside interface addresses for creating IPsec tunnels between two sites that are part of the SMG.
To change the connection type, select Site Mesh Group Connection Via Public Ip from the Site Mesh Group Connection Type field. This option will use the statically configured public IPs of each master node for creating IPsec between two sites that are part of the SMG.
Step 4.7: Configure advanced settings.
In the Advanced Configuration section, do the following:
- Select Enable VRRP for VIP(s) for VIP Advertisement Mode. It is recommended to enable this and BGP if Outside VIP/Inside VIP are configured.
- Enter a value in milliseconds in the Tunnel Dead Timeout (msec) field to detect dead tunnels within this time. By default, 10000 milliseconds is set.
Click Apply to add the custom network settings to the Secure Mesh Site configuration.
Step 5: Optionally, configure advanced features.
Do the following in the Advanced Configuration section of Secure Mesh Site main configuration page:
- Select Enable Logs Streaming from the Logs Streaming drop-down and choose a log streaming object from the displayed Enable Logs Streaming drop-down. This enables streaming of logs from the Site to the configured log receiver. For more information on log streaming configuration, see Logs Streaming.
- Select F5XC Software Version from the F5XC Software Version field and enter a specific version in the enabled F5XC Software Version field. By default, the latest software version is used.
- Select Operating System Version from the Operating System Version field and enter a specific version in the enabled Operating System Version field. By default, the latest OS version is used.
- Select Custom Blocked Services Configuration from the Blocked Services field, click Add Item to customize the service type and port you want to block, and click Apply to add the custom blocking configuration.
- Select Enable Offline Survivability Mode from the Offline Survivability Mode field to enable offline survivability mode.
Figure: Advanced Features
- Select L3 Mode Enhanced Performance from the Performance Mode field and choose to enable or disable jumbo frames using the L3 Mode Enhanced Performance Options field options. The L7 Enhanced Mode is enabled by default for the performance mode.
Step 6: Complete creating the Secure Mesh Site.
Select Save and Exit to complete creating the Secure Mesh Site.
Deploy the Site Nodes
A secure mesh site can be created on any supported provider. The steps to create the actual site nodes will differ based on the environment/cloud where the site is being created.
Follow the deployment steps detailed in the document appropriate to your environment/cloud:
- Create VMware Site
- Create KVM Site
- Create Baremetal Site
- Deploy Site with AWS Console ClickOps
- Deploy Site with Azure Console ClickOps
- Deploy Site with GCP Console ClickOps
Register Site
After you install the Distributed Cloud Services Node, you must register it as a site in the Distributed Cloud Console.
Perform registration per the following instructions:
Register Multi-Node Site
Step 1: Navigate to the site registration page.
- Log into Console.
- Click Multi-Cloud Network Connect.
- Click Manage > Site Management > Registrations.
Step 2: Accept the registration requests.
Registration requests are displayed in the Pending Registrations tab.
- Click Accept to accept the registration requests from the master-0, master-1, and master-2 nodes. The node names will differ.
- Enter the same values for the following parameters for all the registration requests:
  - In the Cluster name field, enter a name for the cluster. Ensure that all master nodes have the same name.
  - In the Cluster size field, enter 3. Ensure that all master nodes have the same cluster size.
- Enter all mandatory fields marked with the asterisk (*) character.
- Click Save and Exit.
Step 3: Check site status and health.
It may take a few minutes for the site health and connectivity score information to update.
- Click Overview > Infrastructure > Sites.
- Click on your site name. The Dashboard tab appears, along with many other tabs to inspect your site.
- Click the Site Status tab to verify the following:
  - The Update Status field has a Successful value for the F5 OS Status section.
  - The Update Status field has a Successful value for the F5 Software Status section.
  - The Tunnel status and Control Plane fields under the RE Connectivity section have up values.
Note: The factory reset functionality is not supported. To update a site node, power off and then destroy it. Perform the same procedure as above to recreate a virtual machine (VM).
After you create and register your site, you can access the local user interface (UI) to perform certain configuration and management functions. For more information, see the Access Site Local User Interface guide.
Register Single-Node Site
Step 1: Navigate to the site registration page.
- Log into Console.
- Click Multi-Cloud Network Connect.
- Click Manage > Site Management > Registrations.
Step 2: Accept the registration requests.
Registration requests are displayed in the Pending Registrations tab.
- Click Accept to accept the registration request for the node.
- In the form that appears, enter all mandatory fields marked with the asterisk (*) character.
- Enter latitude and longitude values if you did not previously.
- Enter other configuration information, if needed.
- Click Save and Exit.
Step 3: Check site status and health.
It may take a few minutes for the site health and connectivity score information to update.
- Click Overview > Infrastructure > Sites.
- Click on your site name. The Dashboard tab appears, along with many other tabs to inspect your site.
- Click the Site Status tab to verify the following:
  - The Update Status field has a Successful value for the F5 OS Status section.
  - The Update Status field has a Successful value for the F5 Software Status section.
  - The Tunnel status and Control Plane fields under the RE Connectivity section have up values.
Note: The factory reset functionality is not supported. To update a site node, power off and then destroy it. Perform the same procedure as above to recreate a virtual machine (VM).
After you create and register your site, you can access the local user interface (UI) to perform certain configuration and management functions. For more information, see the Access Site Local User Interface guide.