Objective

This document presents information and provides instructions on how to configure site mesh group in F5® Distributed Cloud Services. The site mesh group is used to directly connect F5® Distributed Cloud Console CE sites to other arbitrary CE sites using IPsec. Using the site mesh group, connectivity between the CE sites can be direct and not via the RE sites. For more conceptual information on site mesh group, see Site to Site Connectivity.

F5® Distributed Cloud Console supports connecting the CE sites in the following modes:

Hub-Spoke - A hub site routes traffic between the spoke sites.
Full Mesh - All sites have direct connectivity to each other.

Using the instructions provided in this guide, you can configure site mesh group objects and select sites for them.

Prerequisites

The following prerequisites apply:

A valid Account is required.

Note: If you do not have an account, see Create an Account.

Two or more registered site in the enterprise tenant.

Note: If you do not have a registered site, see Site Management.

Virtual site.

Note: If you do not have a virtual site, see Virtual Site.

Port 4500 should be open on the CE sites for ingress traffic.

Restrictions

The following apply:

A spoke can form IPsec tunnels with multiple hubs.
A hub site can be a spoke site for another site mesh group.
A site can be member of either a hub group or a spoke group but not both in the same hub-spoke relation.
Only IPsec tunnel type is supported.
The site mesh group is not supported for the sites deployed using the site management functionality of F5® Distributed Cloud Console. It is only supported for baremetal sites and terraform based cloud deployments.
Path MTU (PMTU) discovery is not supported over the site mesh group.

Configure Hub-Spoke Site Mesh Group

In the Hub-Spoke model, two site mesh groups are required. One group is for the hub sites and the other is for the spoke sites. The spoke sites establish tunnels with all the hub sites. The hub sites form full mesh connectivity with each other. The sites for each mesh group are selected using the virtual site functionality.

Creating hub-spoke site mesh group requires you to first set the site to site tunnel IP address in the configuration of hub sites. After that, create a hub site mesh group and spoke site mesh group. The steps provided in this guide configure site mesh between two CE sites with one as a hub and other as spoke.

Features can be viewed, and managed in multiple services.

This example shows Site Mesh Group setup in Cloud and Edge Sites.

Note: Only one virtual site can be added.

Step 1: Open F5® Distributed Cloud Console, set site to site tunnel IP for the hub sites.

Open F5® Distributed Cloud Console > select Cloud and Edge Sites box.

Note: Homepage is role based, and your homepage may look different due to your role customization. Select All Services drop-down menu to discover all options. Customize Settings: Administration > Personal Management > My Account > Edit work domain & skills button > Advanced box > check Work Domain boxes > Save changes button.

Note: Confirm Namespace feature is in correct namespace, drop-down selector located in upper-left corner. Not available in all services.

Select Manage > Site Management.

Note: If options are not showing available, select Show link in Advanced nav options visible in bottom left corner. If needed, select Hide to minimize options from Advanced nav options mode.

Select AWS VPC Sites in in Cloud Sites section.

Note: Open Cloud Sites option that your site is in to edit.

Identify Site, underlined name, you want to add Site to Site Tunnel IP for Hub.

Select ... on site.
Select Edit in pop-up options window.

Site page opens to edit.

Enter Site To Site Tunnel IP in box at bottom of page.

Get VPC site public IPs from site ... > terraform parameters in Apply Status.

SMG14 1 — Figure: Site To Site Tunnel IP

SMG14 2 — Figure: Site To Site Tunnel IP

Note: The IP address is the public IP of your CE site.

SMG STSIP — Figure: Site To Site Tunnel IP

Select Save and Exit button.

Step 2: Create site mesh group for hub sites.

Open Console > select Cloud and Edge Sites box.

Select Manage > Networking in the System namespace and select Site Mesh Groups in the options.
Select Add site mesh group.

ADVANCEDNETWORKING SITEMESHGROUP 6 — Figure: Navigate to Site Mesh Group

Enter a name for your site mesh group object.
Select Hub in Site Mesh Group Type box.
Select Virtual Site (Sites in this group) drop-down menu option to select the virtual sites that are to be part of this hub group.

Note: You can also create a virtual site.

Note: Leave the Hub (site mesh group) section empty as it is only applicable for the spoke mesh group. The Tunnel Type field is populated as IPsec by default.

Select Save and Exit.

ADVANCEDNETWORKING SITEMESHGROUP 8 — Figure: Hub Site Mesh Group

Step 3: Create site mesh group for spoke sites.

Open Console > select Cloud and Edge Sites box.

Select Manage > Networking in the System namespace and select Site Mesh Groups in the options.
Select Add site mesh group.
Enter a name for your site mesh group object.
Select Spoke in Site Mesh Group Type drop-down menu.

SMG TYPE7 2 — Figure: Spoke Site Mesh Group

Select Virtual Site (Sites in this group) drop-down menu option to select the virtual sites that are to be part of this hub group.

Note: You can also create a virtual site.

Select Hub (site mesh group) created in Step 2.
Select Select hub object to apply the hub to the spoke group configuration.

Note: The Tunnel Type field is populated as IPsec by default.

Select Save and Exit button.

Configure Full Site Mesh Group

Perform the following in F5® Distributed Cloud Console:

Step 1: Start creating full site mesh group object.

Open F5® Distributed Cloud Console > select Cloud and Edge Sites box.

Select Manage > Networking in the System namespace, and select Site Mesh Groups in the options.
Select Add site mesh group button.

Step 2: Set the mesh group type as full mesh.

Set a name for your site mesh group object.
Select Full mesh in the Site Mesh Group Type drop-down menu.

Step 3: Define sites that are part of the full mesh.

Select Virtual Site (Sites in this group) drop-down menu option to select the virtual sites that are to be part of this group.
Select virtual site object to apply the virtual sites to the mesh group configuration.

Step 4: Complete creating the full mesh group.

Select Save and Exit button to create the full mesh group of sites.

Note: The Tunnel Type field is populated as IPsec by default.

Note: Leave the Hub (site mesh group) section empty as it is only applicable for the spoke mesh group.

Verification

The site status shows the status of the IPsec tunnel between the CEs. Apart from connected REs, you can monitor all CE sites that it connects to using IPsec.

Step 1: Open Site.

Log into F5® Distributed Cloud Console > select Cloud and Edge Sites.
Select Sites > Site List.

Select Sites Name that is underlined to open dashboard.

Step 2: Open status objects in site dashboard.

Select > to scroll to more tab options in upper-right of page.

Select Status Objects tab.

SMG STATUSOBJ1 — Figure: Site Status Objects

Select Creator Class underlined CE named object with the Status ID containing string SiteStatusMgr.

SMG STATUSOBJ — Figure: Site Status Objects Page

Step 3: Confirm tunnel status in JSON.

JSON format pop-up window appears to left of page.
Check for site_tunnel_status section in the displayed JSON.
Verify that the state field of the tunnel towards the other CE is TUNNEL_UP.

Site Mesh Group

On This Page: