Create Secure Mesh Site

Published April 5, 2023 | Last modified July 1, 2025

Objective

Important: This is a legacy workflow for deploying Customer Edge (CE) Sites and is not recommended to use. A new workflow for deploying Customer Edge (CE) Sites has been introduced and is now Generally Available (GA). It is recommended to use the new Secure Mesh Site (v2) workflow for all Customer Edge deployments. You can find this workflow here.

This document provides instructions on how to create an F5® Distributed Cloud single-node or multi-node F5 Distributed Cloud Secure Mesh Site object. A Secure Mesh Site object can be used to register and manage a site deployed on-premises (on VMware, KVM, or bare metal) or manual site deployments on public clouds (AWS, Azure, and GCP) using the cloud provider's console or using the cloud provider Terraform.

A Secure Mesh Site is a Distributed Cloud Customer Edge (CE) site engineered specifically to provide ease for users to create sites with any F5® Distributed Cloud Mesh certified hardware.

Using the instructions provided in this document, you can:

  • Create a site token.
  • Create a single-node or multi-node Secure Mesh Site object in the F5® Distributed Cloud Console.
  • Register the site on the F5® Distributed Cloud Console.

Creating the Site nodes is specific to different providers/environments where the site is being deployed. For more information, see the Deploy the Site Nodes section.

Prerequisites

  • An F5 Distributed Cloud Account. If you do not have an account, see Getting Started with Console.

  • One or more devices or VMs consisting of interfaces with Internet reachability for Site installation.

  • Resources required per node: Minimum 4 vCPUs, 14 GB RAM, and 80 GB disk storage. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same resources regarding the compute, memory, and disk storage. When deploying in cloud environments, these nodes should use the same instance flavor.

  • Allow traffic from and to the Distributed Cloud public IP addresses to your network and allowlist related domain names. See Firewall and Proxy Server Allowlist Reference guide for the list of IP addresses and domain names.

  • Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.

Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.

Create Site Token

Create a site token or use an existing token. If you are configuring a multi-node site, use the same token for all nodes.

Step 1: Navigate to site tokens page.

  • Log into F5® Distributed Cloud Console.

  • Click Multi-Cloud Network Connect.

Figure: Console Homepage

Figure: Console Homepage

  • Select Manage > Site Management > Site Tokens.

  • Click Add Site Token to create a new token.

Figure: Site Tokens

Figure: Site Tokens

Step 2: Generate a new site token.

  • In the Name field, enter the token name.

  • In the Description field, enter a description for the token.

  • Click Save and Exit.

Figure: Site Token Form

Figure: Site Token Form

Step 3: Note down the new token.

  • Find the token previously created or choose an existing token from the list of tokens displayed.

  • Click > to expand the token details in JSON format and note down the value of the uid field.

Figure: UID Field

Figure: UID Field

Create Secure Mesh Site Object

Log into F5 Distributed Cloud Console and perform the following steps to create a single-node or a three-node secure mesh site:

Create Three-Node Secure Mesh Site

Step 1: Start creating Secure Mesh Site object.

  • In Multi-Cloud Network Connect service, navigate to Manage > Site Management > Secure Mesh Sites.

  • Select Add Secure Mesh Site to open the Secure Mesh Site configuration form.

Figure: Navigate to Secure Mesh Site Configuration

Figure: Navigate to Secure Mesh Site Configuration

  • Enter a name in the Metadata section for your Secure Mesh Site object.

  • Optionally, select labels and add a description.

Step 2: Set the fields for basic configuration.

  • From the Generic Server Certified Hardware menu, select an option. The isv-8000-series-voltmesh is selected by default. If the Generic Server Certified Hardware is not listed in the drop-down menu, type in the name for your deployment. This may be needed if you are manually deploying a site in the public cloud using the ClickOps method.

  • Enter the names of the master nodes in the List of Master Nodes field. Select Add item to add the second and third nodes.

  • Enter the public IP in the Public IP field for the master nodes. The IP addresses are only used when a site is part of a Site Mesh Group, and you have selected the Site Mesh Group Connection Via Public Ip option for the Site Mesh Group Connection Type field as shown in Step 4.6. You can leave this blank if your site nodes do not have a public IP address.

  • Optionally, enter the names of worker nodes in the List of Worker Nodes field. Select Add item to add more than one entry.

  • Optionally, enter the following fields:

    • Geographical Address: This derives geographical coordinates.

    • Coordinates: Latitude and longitude.

Important: It is recommended to enter the coordinates so that the CE connects to the geographically closest REs.

Figure: Secure Mesh Site Basic Configuration Section

Figure: Secure Mesh Site Basic Configuration Section

Step 3: Optionally, configure bond interfaces.

In the Bond Configuration section, perform the following:

  • From the Select Bond Configuration menu, select Configure Bond Interfaces.

  • Select Configure to open bond interface configuration page.

  • Select Add Item under the Bond Devices List field.

  • Select on the Bond Device Name field and select See Common Values. You can also type a custom name and click Add item to set the device name while also adding it to the existing options.

  • Select on the Member Ethernet Devices field and select See Common Values for the Ethernet device that is part of this bond. Use Add item option to add more devices.

  • From the Select Bond Mode menu, select the bonding mode. LACP (802.3ad) is selected by default for the bonding mode with the default LACP packet interval as 30 seconds. You can set the bond mode to Active/Backup to set the bond members function in active and backup combination.

  • Select Add Item.

Note: Use the Add item option in the Bond Devices List to add more than one bond device.

  • Select Apply in the Bond Devices page to apply the bond configuration.
Step 4: Optionally, configure network settings.

The network configuration is applied with default settings. To customize network settings, do the following:

  • In the Network Configuration section, select Custom Network Configuration from the Select to Configure Networking menu.

  • Select View Configuration to open the network configuration page and do the following:

Step 4.1: Configure site local network settings.

Site local network is applied with default configuration. Perform the following set of steps to apply custom configuration:

  • Select Configure Site Local Network from the Select Configuration For Site Local Network menu.

  • Select View Configuration.

  • Optionally, set labels for the Network Labels field in the Network Metadata section.

  • Select Manage Static Routes from the Manage Static Routes menu.

  • Select Add Item and perform the following:

    • Enter IP prefixes for the IP Prefixes section. These prefixes will be mapped to the same next-hop and attributes.

    • Select IP Address or Interface or Default Gateway from the Select Type of Next Hop menu and specify IP address or interface accordingly. In the case of Interface, you can select an existing interface or create a new interface using the options for the interface field.

    • Optionally, select one or more options for the Attributes field to set attributes for the static route.

    • Select Apply.

Note: You can use Add Item button in the Static Routes section to add more than one static route.

  • Optionally, configure DC Cluster Group using the following guidelines:

    • Select Member of DC Cluster Group from the Select DC Cluster Group menu.

    • In the Member of DC Cluster Group field, select a DC cluster group. You can also select Create New DC Cluster Group to create a new cluster group. Performing this adds this site to a DC cluster group, enabling full connectivity between the members of the group.

Figure: Site Local Network Configuration

Figure: Site Local Network Configuration

  • Select Apply.

Note: For more information, see the Configure DC Cluster Group guide.

Step 4.2: Configure site local inside network settings.

Site local inside network is applied with default configuration. Perform the following set of steps to apply custom configuration:

  • Select Configure Site Local Inside Network from the Select Configuration For Site Local Network menu.

  • Select Configure.

  • Optionally, set labels for the Network Labels field in the Network Metadata section.

  • Select Manage Static Routes from the Manage Static Routes menu.

  • Select Add Item and perform the following:

    • Enter IP prefixes for the IP Prefixes section. These prefixes will be mapped to the same next-hop and attributes.

    • Select IP Address or Interface or Default Gateway from the Select Type of Next Hop menu and specify IP address or interface accordingly. In the case of Interface, you can select an existing interface or create a new interface using the options for the interface field.

    • Optionally, select one or more options for the Attributes field to set attributes for the static route.

    • Select Apply.

Note: You can use Add Item button in the Static Routes section to add more than one static route.

  • Optionally, configure DC Cluster Group using the following guidelines:

    • Select Member of DC Cluster Group from the Select DC Cluster Group menu.

    • In the Member of DC Cluster Group field, select a DC cluster group. You can also select Create New DC Cluster Group to create a new cluster group. Performing this adds this site to a DC cluster group, enabling full connectivity between the members of the group.

  • Select Apply.

Note: For more information, see the Configure DC Cluster Group guide.

Step 4.3: Configure interface settings.

Bootstrap interface configuration is applied by default, and it is based on the certified hardware.

Perform the following to apply custom interface configuration:

  • Select List of Interface from the Select Interface Configuration menu.

  • Click Configure. This opens another interface list configuration page.

  • Select Add Item in the List of Interface table.

  • Optionally, enter an interface description and select labels.

  • Select an option from the Interface Config Type menu, and set one of the interface types using the following instructions:

Ethernet Interface:

  • Select Ethernet Interface and click Configure. This opens Ethernet interface configuration page.

  • Select an option from the Ethernet Device menu using See Common Values. You can also type a custom name to set the device name while also adding it to the existing options.

  • Select Cluster, All Nodes of the Site or Specific Node from the Select Configuration for Cluster or Specific Node menu. In case of specific node, select the specific node from the displayed options of the Specific Node field. You can also type a custom name to set the device name while also adding it to the existing options.

  • Select Untagged or VLAN Id from the Select Untagged or VLAN tagged menu. In case of VLAN ID, enter the VLAN ID in the VLAN Id field.

  • Select an option from the Select Interface Address Method menu in the IP Configuration section. The DHCP Client is selected by default. In case you select a DHCP server, click Configure and set the DHCP server configuration per the options displayed on the DHCP server configuration page and click Apply. This example shows the interface as DHCP client for brevity.

  • Select Site Local Network (Outside), Site Local Network (Inside), or Segment from the Select Virtual Network menu in the Virtual Network section. If you choose Segment, you must also select the segment from the drop-down list. Site Local Network (Outside) is selected by default.

  • Select if the interface is primary from the Select Primary Interface menu. Default is not a primary interface. Ensure that you set only one interface as primary.

  • Select Apply.

Dedicated Interface:

  • Select Dedicated Interface from the Interface Config Type menu.

  • Select a device name from the Interface Device menu using See Common Values. You can also type a custom name to set the device name while also adding it to the existing options.

  • Select Cluster, All Nodes of the Site or Specific Node from the Select Configuration for Cluster or Specific Node menu. In case of specific node, select the specific node from the displayed options from the Specific Node menu. You can also type a custom name to set the device name while also adding it to the existing options.

  • Select if the interface is primary in the Select Primary Interface field. Default is not a primary interface. Ensure that you set only one interface as primary.

  • Select Add Item.

  • Optionally, add more than one interface using the Add item option in the List of Interface page.

  • Select Apply.

Step 4.4: Configure security settings.

In case of security configuration, the firewall policies and forward policies are disabled by default.

In the Security Configuration section, perform the following to apply network and forward policies:

  • Select Active Enhanced Firewall Policies from the Firewall Policy menu and do the following:

    • Click Configure under Enhanced Firewall Policy to switch to enhanced firewall policies list page.
    • Select an enhanced firewall policy object from the Enhanced Firewall Policy drop-down. You can also create and apply a new enhanced firewall policy using the Add Item in the drop-down.
    • Use the Add Item button in the list page to add more than one enhanced firewall policy.

  • Select Active Firewall Policies from the Firewall Policy menu and do the following:

    • Select a firewall policy object from the Firewall Policy drop-down. You can also create and apply a new firewall policy using the Add item option.
    • Use the Add Item button in the list section to add more than one firewall policy.

  • Select one of the following options from the Forward Proxy menu:

    • Select Enable Forward Proxy and Manage Policies to apply specific forward proxy policies. Select a forward proxy policy from the Forward Proxy Policies drop-down. You can also create and apply a new forward proxy policy using the Add Item option. You can apply more than one forward proxy policy using the Add item option in the list section.

    • Select Enable Forward Proxy With Allow All Policy to allow all requests.

Step 4.5: Configure global networks.

  • Enable Show Advanced Fields in the Global Connections section.

  • Select Connect Global Networks from the Global Network Connections drop-down.

  • Click Add Item in the Global Network Connections section to open the global network connections page.

  • Select one of the following for the Select Network Connection Type field:

    • Direct, Site Local Inside to a Global Network to connect site local inside network to global network.

    • Direct, Site Local Outside to a Global Network to connect site local outside network to global network.

  • Select a virtual global network from the Global Virtual Network drop-down. You can also create and apply a new virtual global network using the Add Item button.

  • Click Apply to add global network connection to the Secure Mesh Site configuration.

Note: Use Add Item in the Global Network Connections section to add more than one global network connection.

Step 4.6: Configure Site Mesh Group Connection Type.

The default connection type for incoming tunnels for Site Mesh Group (SMG) is via private IP. This option will use the Site Local Outside interface addresses for creating IPsec tunnels between two sites that are part of the SMG.

To change the connection type, select Site Mesh Group Connection Via Public Ip from the Site Mesh Group Connection Type field. This option will use the statically configured public IPs of each master node for creating IPsec between two sites that are part of the SMG.

Step 4.7: Configure advanced settings.

In the Advanced Configuration section, do the following:

  • Select Enable VRRP for VIP(s) for VIP Advertisement Mode. It is recommended to enable this and BGP if Outside VIP/Inside VIP are configured.

  • Enter a value in milliseconds in the Tunnel Dead Timeout (msec) field to detect dead tunnels within this time. By default, 10000 milliseconds is set.

Click Apply to add the custom network settings to the Secure Mesh Site configuration.

Step 5: Optionally, configure advanced features.

Do the following in the Advanced Configuration section of Secure Mesh Site main configuration page:

  • Select Enable Logs Streaming from the Logs Streaming drop-down and choose a log streaming object from the displayed Enable Logs Streaming drop-down. This enables streaming of logs from the Site to the configured log receiver. For more information on log streaming configuration, see Logs Streaming.

  • Select F5XC Software Version from the F5XC Software Version field and enter a specific version in the enabled F5XC Software Version field. By default, the latest software version is used.

  • Select Operating System Version from the Operating System Version field and enter a specific version in the enabled Operating System Version field. By default, the latest OS version is used.

  • Select Custom Blocked Services Configuration from the Blocked Services field, click Add Item to customize the service type and port you want to block, and click Apply to add the custom blocking configuration.

  • Select Enable Offline Survivability Mode from the Offline Survivability Mode field to enable offline survivability mode.

Figure: Advanced Features

Figure: Advanced Features

  • Select L3 Mode Enhanced Performance from the Performance Mode field and choose to enable or disable jumbo frames using the L3 Mode Enhanced Performance Options field options. The L7 Enhanced Mode is enabled by default for the performance mode.
Step 6: Complete creating the Secure Mesh Site.

Select Save and Exit to complete creating the Secure Mesh Site.

Create Single-Node Secure Mesh Site

Step 1: Start creating Secure Mesh Site object.

  • In Multi-Cloud Network Connect service, navigate to Manage > Site Management > Secure Mesh Sites.

  • Select Add Secure Mesh Site to open the Secure Mesh Site configuration form.

Figure: Navigate to Secure Mesh Site Configuration

Figure: Navigate to Secure Mesh Site Configuration

  • Enter a name in the Metadata section for your Secure Mesh Site object.

  • Optionally, select labels and add a description.

Step 2: Set the fields for basic configuration.

  • From the Generic Server Certified Hardware menu, select an option. The isv-8000-series-voltmesh is selected by default. If the Generic Server Certified Hardware is not listed in the drop-down menu, type in the name for your deployment. This may be needed if you are manually deploying a site in the public cloud using the ClickOps method.

  • Enter the names of the master node in the List of Master Nodes field.

  • Enter the public IP in the Public IP field for the master node. The IP address is only used when a site is part of a Site Mesh Group, and you have selected the Site Mesh Group Connection Via Public Ip option for the Site Mesh Group Connection Type field as shown in Step 4.6.

  • Leave the worker nodes section empty, as worker nodes are not supported for single-node sites.

  • Optionally, enter the following fields:

    • Geographical Address: This derives geographical coordinates.

    • Coordinates: Latitude and longitude.

Important: It is recommended to enter the coordinates so that the CE connects to the geographically closest REs.

Figure: Single-Node Basic Configuration Section

Figure: Single-Node Basic Configuration Section

Step 3: Optionally, configure bond interfaces.

In the Bond Configuration section, perform the following:

  • From the Select Bond Configuration menu, select Configure Bond Interfaces.

  • Select Configure to open bond interface configuration page.

  • Select Add Item under the Bond Devices List field.

  • Select on the Bond Device Name field and select See Common Values. You can also type a custom name and click Add item to set the device name while also adding it to the existing options.

  • Select on the Member Ethernet Devices field and select See Common Values for the Ethernet device that is part of this bond. Use Add item option to add more devices.

  • From the Select Bond Mode menu, select the bonding mode. LACP (802.3ad) is selected by default for the bonding mode with the default LACP packet interval as 30 seconds. You can set the bond mode to Active/Backup to set the bond members function in active and backup combination.

  • Select Add Item.

Note: Use the Add item option in the Bond Devices List to add more than one bond device.

  • Select Apply in the Bond Devices page to apply the bond configuration.
Step 4: Optionally, configure network settings.

The network configuration is applied with default settings. To customize network settings, do the following:

  • In the Network Configuration section, select Custom Network Configuration from the Select to Configure Networking menu.

  • Select View Configuration to open the network configuration page and do the following:

Step 4.1: Configure site local network settings.

Site local network is applied with default configuration. Perform the following set of steps to apply custom configuration:

  • Select Configure Site Local Network from the Select Configuration For Site Local Network menu.

  • Select View Configuration.

  • Optionally, set labels for the Network Labels field in the Network Metadata section.

  • Select Manage Static Routes from the Manage Static Routes menu.

  • Select Add Item and perform the following:

    • Enter IP prefixes for the IP Prefixes section. These prefixes will be mapped to the same next-hop and attributes.

    • Select IP Address or Interface or Default Gateway from the Select Type of Next Hop menu and specify IP address or interface accordingly. In the case of Interface, you can select an existing interface or create a new interface using the options for the interface field.

    • Optionally, select one or more options for the Attributes field to set attributes for the static route.

    • Select Apply.

Note: You can use Add Item button in the Static Routes section to add more than one static route.

  • Optionally, configure DC Cluster Group using the following guidelines:

    • Select Member of DC Cluster Group from the Select DC Cluster Group menu.

    • In the Member of DC Cluster Group field, select a DC cluster group. You can also select Create New DC Cluster Group to create a new cluster group. Performing this adds this site to a DC cluster group, enabling full connectivity between the members of the group.

Figure: Site Local Network Configuration

Figure: Site Local Network Configuration

  • Select Apply.

Note: For more information, see the Configure DC Cluster Group guide.

Step 4.2: Configure site local inside network settings.

Site local inside network is applied with default configuration. Perform the following set of steps to apply custom configuration:

  • Select Configure Site Local Inside Network from the Select Configuration For Site Local Network menu.

  • Select Configure.

  • Optionally, set labels for the Network Labels field in the Network Metadata section.

  • Select Manage Static Routes from the Manage Static Routes menu.

  • Select Add Item and perform the following:

    • Enter IP prefixes for the IP Prefixes section. These prefixes will be mapped to the same next-hop and attributes.

    • Select IP Address or Interface or Default Gateway from the Select Type of Next Hop menu and specify IP address or interface accordingly. In the case of Interface, you can select an existing interface or create a new interface using the options for the interface field.

    • Optionally, select one or more options for the Attributes field to set attributes for the static route.

    • Select Apply.

Note: You can use Add Item button in the Static Routes section to add more than one static route.

  • Optionally, configure DC Cluster Group using the following guidelines:

    • Select Member of DC Cluster Group from the Select DC Cluster Group menu.

    • In the Member of DC Cluster Group field, select a DC cluster group. You can also select Create New DC Cluster Group to create a new cluster group. Performing this adds this site to a DC cluster group, enabling full connectivity between the members of the group.

  • Select Apply.

Note: For more information, see the Configure DC Cluster Group guide.

Step 4.3: Configure interface settings.

Bootstrap interface configuration is applied by default, and it is based on the certified hardware.

Perform the following to apply custom interface configuration:

  • Select List of Interface from the Select Interface Configuration menu.

  • Click Configure. This opens another interface list configuration page.

  • Select Add Item in the List of Interface table.

  • Optionally, enter an interface description and select labels.

  • Select an option from the Interface Config Type menu, and set one of the interface types using the following instructions:

Ethernet Interface:

  • Select Ethernet Interface and click Configure. This opens Ethernet interface configuration page.

  • Select an option from the Ethernet Device menu using See Common Values. You can also type a custom name to set the device name while also adding it to the existing options.

  • Select Cluster, All Nodes of the Site or Specific Node from the Select Configuration for Cluster or Specific Node menu. In case of specific node, select the specific node from the displayed options of the Specific Node field. You can also type a custom name to set the device name while also adding it to the existing options.

  • Select Untagged or VLAN Id from the Select Untagged or VLAN tagged menu. In case of VLAN ID, enter the VLAN ID in the VLAN Id field.

  • Select an option from the Select Interface Address Method menu in the IP Configuration section. The DHCP Client is selected by default. In case you select a DHCP server, click Configure and set the DHCP server configuration per the options displayed on the DHCP server configuration page and click Apply. This example shows the interface as DHCP client for brevity.

  • Select site local outside or site local inside network from the Select Virtual Network menu in the Virtual Network section. Site Local Network (Outside) is selected by default.

  • Select if the interface is primary from the Select Primary Interface menu. Default is not a primary interface. Ensure that you set only one interface as primary.

  • Select Apply.

Dedicated Interface:

  • Select Dedicated Interface from the Interface Config Type menu.

  • Select a device name from the Interface Device menu using See Common Values. You can also type a custom name to set the device name while also adding it to the existing options.

  • Select Cluster, All Nodes of the Site or Specific Node from the Select Configuration for Cluster or Specific Node menu. In case of specific node, select the specific node from the displayed options from the Specific Node menu. You can also type a custom name to set the device name while also adding it to the existing options.

  • Select if the interface is primary in the Select Primary Interface field. Default is not a primary interface. Ensure that you set only one interface as primary.

  • Select Add Item.

  • Optionally, add more than one interface using the Add item option in the List of Interface page.

  • Select Apply.

Step 4.4: Configure security settings.

In case of security configuration, the firewall policies and forward policies are disabled by default.

In the Security Configuration section, perform the following to apply network and forward policies:

  • Select Active Enhanced Firewall Policies from the Firewall Policy menu and do the following:

    • Click Configure under Enhanced Firewall Policy to switch to enhanced firewall policies list page.
    • Select an enhanced firewall policy object from the Enhanced Firewall Policy drop-down. You can also create and apply a new enhanced firewall policy using the Add Item in the drop-down.
    • Use the Add Item button in the list page to add more than one enhanced firewall policy.

  • Select Active Firewall Policies from the Firewall Policy menu and do the following:

    • Select a firewall policy object from the Firewall Policy drop-down. You can also create and apply a new firewall policy using the Add item option.
    • Use the Add Item button in the list section to add more than one firewall policy.

  • Select one of the following options from the Forward Proxy menu:

    • Select Enable Forward Proxy and Manage Policies to apply specific forward proxy policies. Select a forward proxy policy from the Forward Proxy Policies drop-down. You can also create and apply a new forward proxy policy using the Add Item option. You can apply more than one forward proxy policy using the Add item option in the list section.

    • Select Enable Forward Proxy With Allow All Policy to allow all requests.

Step 4.5: Configure global networks.

  • Enable Show Advanced Fields in the Global Connections section.

  • Select Connect Global Networks from the Global Network Connections drop-down.

  • Click Add Item in the Global Network Connections section to open the global network connections page.

  • Select one of the following for the Select Network Connection Type field:

    • Direct, Site Local Inside to a Global Network to connect site local inside network to global network.

    • Direct, Site Local Outside to a Global Network to connect site local outside network to global network.

  • Select a virtual global network from the Global Virtual Network drop-down. You can also create and apply a new virtual global network using the Add Item button.

  • Click Apply to add global network connection to the Secure Mesh Site configuration.

Note: Use Add Item in the Global Network Connections section to add more than one global network connection.

Step 4.6: Configure Site Mesh Group Connection Type.

The default connection type for incoming tunnels for Site Mesh Group (SMG) is via private IP. This option will use the Site Local Outside interface addresses for creating IPsec tunnels between two sites that are part of the SMG.

To change the connection type, select Site Mesh Group Connection Via Public Ip from the Site Mesh Group Connection Type field. This option will use the statically configured public IPs of each master node for creating IPsec between two sites that are part of the SMG.

Step 4.7: Configure advanced settings.

In the Advanced Configuration section, do the following:

  • Select Enable VRRP for VIP(s) for VIP Advertisement Mode. It is recommended to enable this and BGP if Outside VIP/Inside VIP are configured.

  • Enter a value in milliseconds in the Tunnel Dead Timeout (msec) field to detect dead tunnels within this time. By default, 10000 milliseconds is set.

Click Apply to add the custom network settings to the Secure Mesh Site configuration.

Step 5: Optionally, configure advanced features.

Do the following in the Advanced Configuration section of Secure Mesh Site main configuration page:

  • Select Enable Logs Streaming from the Logs Streaming drop-down and choose a log streaming object from the displayed Enable Logs Streaming drop-down. This enables streaming of logs from the Site to the configured log receiver. For more information on log streaming configuration, see Logs Streaming.

  • Select F5XC Software Version from the F5XC Software Version field and enter a specific version in the enabled F5XC Software Version field. By default, the latest software version is used.

  • Select Operating System Version from the Operating System Version field and enter a specific version in the enabled Operating System Version field. By default, the latest OS version is used.

  • Select Custom Blocked Services Configuration from the Blocked Services field, click Add Item to customize the service type and port you want to block, and click Apply to add the custom blocking configuration.

  • Select Enable Offline Survivability Mode from the Offline Survivability Mode field to enable offline survivability mode.

Figure: Advanced Features

Figure: Advanced Features

  • Select L3 Mode Enhanced Performance from the Performance Mode field and choose to enable or disable jumbo frames using the L3 Mode Enhanced Performance Options field options. The L7 Enhanced Mode is enabled by default for the performance mode.
Step 6: Complete creating the Secure Mesh Site.

Select Save and Exit to complete creating the Secure Mesh Site.

Deploy the Site Nodes

A secure mesh site can be created on any supported provider. The steps to create the actual site nodes will differ based on the environment/cloud where the site is being created.

Follow the deployment steps detailed in the document appropriate to your environment/cloud:

Register Site

After you install the Distributed Cloud Services Node, you must register it as a site in the Distributed Cloud Console.

Perform registration per the following instructions:

Register Multi-Node Site

Step 1: Navigate to the site registration page.

  • Log into Console.

  • Click Multi-Cloud Network Connect.

  • Click Manage > Site Management > Registrations.

Step 2: Accept the registration requests.

Registration requests are displayed in the Pending Registrations tab.

  • Click Accept to accept the registration requests from the master-0, master-1, and master-2 nodes. The node names will differ.

  • Enter the same values for the following parameters for all the registration requests:

    • In the Cluster name field, enter a name for the cluster. Ensure that all master nodes have the same name.

    • In the Cluster size field, enter 3. Ensure that all master nodes have the same cluster size.

  • Enter all mandatory fields marked with the asterisk (*) character.

  • Click Save and Exit.

Step 3: Check site status and health.

It may take a few minutes for the site health and connectivity score information to update.

  • Click Overview > Infrastructure > Sites.

  • Click on your site name. The Dashboard tab appears, along with many other tabs to inspect your site.

  • Click the Site Status tab to verify the following:

    • The Update Status field has a Successful value for the F5 OS Status section.

    • The Update Status field has a Successful value for the F5 Software Status section.

    • The Tunnel status and Control Plane fields under the RE Connectivity section have up values.

Note: The factory reset functionality is not supported. To update a site node, power off and then destroy it. Perform the same procedure as above to recreate a virtual machine (VM).

Register Single-Node Site

Step 1: Navigate to the site registration page.

  • Log into Console.

  • Click Multi-Cloud Network Connect.

  • Click Manage > Site Management > Registrations.

Step 2: Accept the registration requests.

Registration requests are displayed in the Pending Registrations tab.

  • Click Accept to accept the registration request for the node.

  • In the form that appears, enter all mandatory fields marked with the asterisk (*) character.

  • Enter latitude and longitude values if you did not previously.

  • Enter other configuration information, if needed.

  • Click Save and Exit.

Step 3: Check site status and health.

It may take a few minutes for the site health and connectivity score information to update.

  • Click Overview > Infrastructure > Sites.

  • Click on your site name. The Dashboard tab appears, along with many other tabs to inspect your site.

  • Click the Site Status tab to verify the following:

    • The Update Status field has a Successful value for the F5 OS Status section.

    • The Update Status field has a Successful value for the F5 Software Status section.

    • The Tunnel status and Control Plane fields under the RE Connectivity section have up values.

Note: The factory reset functionality is not supported. To update a site node, power off and then destroy it. Perform the same procedure as above to recreate a virtual machine (VM).

Concepts

On this page: